Domain: gemalto.com
Stories and comments across the archive that link to gemalto.com.
Comments · 4
-
Re:Let me guess
I know this is the second, uh, let's-just-say-"story" about Blackphone in four days, but I think it should be noted that the stolen Gemalto keys may have included "OTA keys" that can be used for over-the-air SIM card upgrades:
Access to these encryption keys do not give governmental agencies only the power to monitor cellular communications, including calls and data, but they also come with additional perks, such as the power of instructing a device to install specific programs.
Spyware could be installed on the SIM card itself, and then it could be used to install additional spy apps on a phone without the user's knowledge, or to retrieve data from it.
From the Verge story:
Manufacturers can send a binary text message directly to the SIM card, and as long as it's signed with the proper OTA key, the card will install the attached software without question. If those keys were compromised, it would give an attacker carte blanche to install all manner of spyware.
So apparently it does matter.
-
Re:2G?
It works on most 2G GSM phones since '95. See SIM Application Toolkit.
-
Banking secrecy lawsNot a theoretical concern, but a very real one.
Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.
When Luxembourg introduced a similar system they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.
You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.
The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.
Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.
And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.
-
Re:Let governments handle SSLBe careful what you wish for.
The result:
- Usage of this CA will be compulsory for securing interacting with the government
- Usage of this CA will be compulsory for securing interacting with all banks of the country
- Actually, this CA is not really a government entity, but a for-profit company that likes to make you pay through the nose
- This government-sponsored monopoly likes to prop up other monopolies or create other monopolies
- You'll be paying through the nose for gizmos such as signing sticks that don't actually work as expected.
- If you try to fuck with them, you'll be left with ugly stains on the backseat of your car