Update: A new report in The Intercept claims that Gemalto is drastically downplaying the effects of this attack. In the report, several security researchers came to the conclusion that "the company made sweeping, overly-optimistic statements about the security and stability of Gemalto's networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees."
Original story: Digital security vendor Gemalto revealed its findings today following last week's report of an incursion by the NSA and the GCHQ into the vendor's SIM card encryption keys. While Gemalto noted that an operation by NSA and GCHQ "probably happened" in 2010 and 2011, the intrusion could not have resulted in a "massive theft" of SIM card encryption keys as the breach affected the company's office network and not its secure networks.
Gemalto mentioned that the SIM card encryption keys were not stored in the networks that were breached:
These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.
Access to the keys would have allowed the US and UK government agencies the ability to listen in on phone conversations and install malware on any Gemalto-issued SIM card. With an annual production of 2 billion SIM cards and association with most major carriers in the world including US carriers such as AT&T, Sprint, and Verizon, any security breach at the vendor would have global consequences. Here's what Gemalto found in its investigation into the hack:
The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened
The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys
The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft
In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack
None of our other products were impacted by this attack
The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator
According to Gemalto, even if the SIM card encryption keys were stolen, it would have resulted in the US and UK intelligence networks spying on 2G networks, making most users in developed countries prone to intrusion by covert agencies. However, The Intercept – the publication that first broke the news of the hack – noted that the target countries for the NSA and GCHQ's spying activities included Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Serbia,Tajikistan and Yemen, where 2G networks are still the norm. Gemalto stated that its secure data transfer system was in use at that time, which would have deterred hackers from gaining access to the encryption keys.
Head to the link below to read all of Gemalto's findings.
Source: Gemalto
Read more
The NSA and GCHQ have a direct line into your phone
According to new documents leaked by Edward Snowden, the NSA and its UK counterpart, Government Communications Headquarters (GCHQ), hacked into the computers of Gemalto, a company that manufactures SIM cards for a large number of carriers around the world. In doing so, the intelligence agencies acquired encryption keys that would allow them to intercept communications from customers of...
How Go Talk intends to be the BlackBerry of mobile carriers
Identity theft often goes through an unexpected route: conning the carrier. Go Talk Wireless wants to stamp out SIM swap fraud at the source.
It's time for my family to take the plunge on a VPN
A good VPN isn't as complicated as it used to be, but it's still a pretty big step for a "regular" user to take. But it's time to get my family used to it. Their data may depend on it.
PRIV named one of the most secure Android smartphones of 2016
Google's annual Android Security Review names PRIV one of the most secure smartphones of last year. While rather unsurprising to most of us here, there are some areas of the report that BlackBerry's software efforts receive some substantial kudos.