The hackers stole cryptokeys for millions of SIM cards, according to The Intercept, which cited documents released by NSA whistle-blower Edward Snowden.
Gemalto denied any SIM cryptokeys had been stolen and pointed out that its networks holding customer and other sensitive data are isolated from one another, as well as from customer-facing networks.
Gemalto’s logs do indicate there were attacks that could be laid at the spy agencies’ doors. In June 2010, a third party attempted to spy on the office network at one of Gemalto’s French sites, but the company immediately acted to counter the threat.
In July 2010, someone attempted to spearphish one of the company’s mobile operator customers through letters purporting to be sent from its servers, containing attachments that could download malicious code.
Gemalto informed the customer and notified the relevant authorities.
Between 2010 and 2011, there were also several attempts to access the PCs of Gemalto employees who had regular contact with customers, but those were limited to the office networks.
Attackers often breach end-user systems that have access to sensitive systems, noted Adam Ely, CSO and cofounder of Bluebox Security.
They either steal credentials stored on the breached system in order to penetrate the sensitive systems, or they kick off an attack when an individual legitimately accesses the sensitive systems, he told the E-Commerce Times.
“This is not to say Gemalto’s defenses did not work or keep [the hackers] out, but instead shows there is still some possibility of further compromise,” Ely remarked.
Not Our Customers, Nosir!
Stealing data being transmitted between Gemalto and its mobile operator customers would be difficult, because the company’s standard practice since well before 2010 was to use highly secure exchange processes.
Further, Gemalto maintained it had not sold SIM cards to four of the 12 operators listed in The Intercept’s story, including the Somali carrier from which 300,000 SIM cryptokeys reportedly had been stolen.
Gemalto pointed out that it did not have SIM card personalization centers in Japan, Colombia and Italy in 2010 and 2011, contrary to The Intercept’s report.
The NSA and GCHQ presumably could spy on networks in the targeted countries, where most operators used 2G, which has pretty weak security, Gemalto said.
However, most 2G SIMs then used in those countries were prepaid cards, which had a three-to-six-month life cycle, the company pointed out.
3G and 4G technologies are much more secure, Gemalto noted, and they cannot be affected by stolen SIM cryptokeys.
Given Gemalto’s challenges to the accuracy of The Intercept’s report, “at this point it’s anyone’s guess as to what really happened,” said Bluebox’s Ely.
Gemalto did not respond to our request for further details.
Speed Isn’t Always the Answer
The speed with which Gemalto seems to have completed its investigation is surprising.
“Incident investigation is complex, time-consuming, and is often hindered by events that happen over time, such as systems being replaced, rebuilt or modified,” Ely said. “More damage could have occurred that has not yet been discovered.”
Is the company covering up? Could it secretly be working hand-in-glove with various governments, as RSA did in the U.S.?
“Since the NSA and GCHQ have been capturing all this mobile communications data since 2010, possibly the question [arises] as to how is it they haven’t been able to better target known terrorists and pre-empt terrorist attacks,” Secure Channels CEO Richard Blech told the E-Commerce Times.
The NSA for years has been monitoring more than 1,200 email accounts associated with major wireless network operators worldwide in the covert operation Auroragold, The Intercept previously reported.
“They may be able to track everyone, but it is unlikely that they are tracking everyone,” Tirias Research Principal Analyst Jim McGregor told the E-Commerce Times. “Tracking everyone’s information would be a Herculean task that I don’t think anyone truly has the resources to handle.”