Slashdot Mirror


Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys

An anonymous reader writes: Last week The Intercept published a report saying agents from the NSA and GCHQ penetrated the internal computer network of Gemalto, the world's largest maker of SIM cards. Gemalto has done an internal investigation, and surprisingly decided to post its results publicly. The findings themselves are a bit surprising, too: Gemalto says it has "reasonable grounds to believe that an operation by NSA and GCHQ probably happened."

They say the two agencies were trying to intercept encryption keys that were being exchanged between mobile operators and the companies (like Gemalto) who supplied them with SIM cards. The company said it had noticed several security incidents in 2010 and 2011 that fit the descriptions in The Intercept's documents. Gemalto had no idea who was behind them until now. They add, "These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks." They claim proper use of encryption and isolation of different networks prevented attackers from getting the information they were after.

7 of 99 comments

  1. When groups like this attack you... by geekmux · Score: 4, Insightful

    ...it's probably a wise assumption that they're not going to stop until they get what they're looking for.

    Cute story, but intelligence agencies didn't target them for their super secret oatmeal cookie recipe.

    1. Re:When groups like this attack you... by DigitAl56K · Score: 3, Insightful

      Exactly. Their explanation is basically, "we did notice a couple of breaches in the outer layer of our network, this was probably that, nothing serious was taken". Meanwhile the NSA is loading firmware-level rootkits into hard drives via numerous exploit techniques that can remote update and survive reformats, etc.

      Yeah, buddy. Just because you didn't notice the intrusion did not mean it didn't happen. If the NSA wants in they're getting in, and they're good enough not to get caught in most cases.

      Why would the Snowden materials say they got in if they didn't? It's not as if they were leaked intentionally.

  2. No single point of failure is permissible by Karmashock · Score: 3, Insightful

    If the security of the cell network really falls on the security of a single company then that is unacceptable.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  3. Interpretation by Dan+East · Score: 4, Insightful

    Translation of what they really said:

    "The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened"

    The attacks were sophisticated, thus the fact that we were compromised was justified. We will play the victim card straight off. We presume that because the attacks were sophisticated that it was the NSA and GCHQ, although any hacker group and nation-state would give their left arm for our encryption keys. However NSA and GCHQ are scary acronyms, and so we were supposedly up against the most powerful hacking group in the world, again, justifying the fact that they succeeded.

    "The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys"

    The attacks resulted in a theft of our SIM encryption keys, although not a "massive" one, whatever "massive" means.

    "The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft"

    Rare exceptions to our scheme led to theft.

    "In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack"

    Intelligence services were able to spy on communications on 2G mobile networks, due to this one known particular theft of SIM keys that we managed to discover. Even the most modern cell phones fall back on 3G and 2G mobile networks if 4G is not available, so this could affect any phone.

    "None of our other products were impacted by this attack"

    Products of ours were impacted by this particular attack, but at least it wasn't every single product we have.

    "The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator"

    We are trying to come up with better counter-measures to prevent them from continuing to access our encryption keys.

    --
    Better known as 318230.

  4. Re:Let NSA+GCHQ buy Gemalto since their own their by Anonymous Coward · Score: 3, Insightful

    North Korea hacks Sony => Cyber-Terrorism
    USA & Great Britain hacks Gemalto => Patriotic-Duty

    Or more accurately:

    North Korea hacks Sony, gets some personal info that might hurt several thousand employees => Cyber-Terrorism

    USA & Great Britain hacks Gemalto, gets keys that can decrypt the communication of millions => Patriotic-Duty

  5. Nothing to see here, move along, move along... by Noryungi · Score: 4, Insightful

    Yeah, sure, Gemalto, as if we are going to believe you, you bunch of wussies.

    Here is how it probably went. Cut to Gemalto HQ, and a bunch of crypto and forensic geeks working overnight, going through all the server logs with a fine comb, trying to figure out what really happened, surrounded by cans of Cola and half-eaten pizzas.

    Suddenly a phone rings. Pointy-haired manager picks up the phone.

    - (PHB) : "Hmmm? Oh, sure Sir, we are making good progress, we may have found... What? Oh."

    (Long silence, someone is talking to PHB in hushed, urgent tone)

    - (PHB) : "Yes, I understand, sir, but...", (much more quietly, almost whispering) "Oh, that contract too? You mean, every US carrier? Every single one of them? And most UK ones as well?"

    (More talking on the phone)

    - (PHB): "Yes sir! Right away sir!".

    PHB hangs up the phone and slowly turns to the geeks, who have been watching him intently, sensing something is very wrong. PHB swallows hard, trying to look cool.

    - (PHB): "Er... Ahem... Thanks for all your hard work, chaps, but upper management has given the all-clear. Nothing really happened and everything is fine. You can all go home now. No, it's OK, the taxi ride home, the drinks and the pizzas are all on me. You will all get a big fat bonus for all the extra hours, with our sincerest thanks."

    Meanwhile, somewhere in a US telco HQ:

    - (Different PHB): "Hi, Admiral Rogers? How are you doing? Good, good, thank you. Listen, about this SIM thing -- yeah, that one -- it's all set. I got in touch with ____ and ____ at Gemalto and they wisely decided nothing had really happened. Yes, a couple of Brits did, too, along with, you know, ____ and ____. Yeah, him too, believe it or not. (Laughter) So, all of this to say, you guys should be in the clear, nothing ever happened, blah blah blah. Sure. Nah, no biggie, always ready to help. No, no problem at all. You are welcome. Nah, don't worry about it, I'll let you know, say hello from me to ____ and ____, OK? Thanks, bye".

    And that, Ladies and Gentlemen, is probably how it happened.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)

  6. Re:But can we believe them? by GoddersUK · Score: 3, Insightful

    Initially I thought we could probably believe that they believed it. But then TFA said this:

    ...we are conscious that [they] have ... legal support that go[es] far beyond that ... typical. And, we are concerned that they [NSA, GCHQ et al] could be involved in such indiscriminate operations against private companies with no grounds for suspicion....

    This seems to be a bit more than simply "you can't prove a negative"; it seems to be a warning carrying overtones of much that's been left unsaid. The reference to legal support seems to suggest that Gemalto have been on the receiving end of a visit from the men in dark glasses. "No grounds for suspicion" sounds like an ominous reference to suppressed truth, rather than just Russell's teapot