Gemalto Confirms NSA/GCHQ Hack Likely Occurred

Last week we reported that personnel from the United States and United Kingdom intelligence agencies had allegedly infiltrated the systems of large SIM card manufacturer Gemalto in an effort to obtain encryption keys used to secure mobile communications worldwide. Gemalto has now completed an investigation and says the intrusion “probably happened,” though the company believes the breach was limited to office networks and that no encryption keys were stolen in that incident.

Gemalto acknowledged that it detected a sophisticated attack during the timeframe referenced in the claims. The company notes the capabilities of major state actors: “We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations.”

If encryption keys had been exfiltrated, the consequences could have been serious. Possession of those keys would have enabled interception of phone calls on 2G networks and potentially the remote installation of malware on devices relying on SIM-based authentication. Given that Gemalto produces roughly two billion SIM cards annually, compromised keys could have provided a large-scale avenue for surveillance.

However, 3G and 4G communications are not vulnerable to the same attack methods, which limits the impact and may explain why the alleged effort did not proceed further. The suspected targets for such operations were countries that still rely heavily on 2G networks, including Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Tajikistan and Yemen.

Gemalto emphasizes that mobile operators who work closely with the company have additional protections: “Security is even higher for mobile operators who work with Gemalto to embed custom algorithms in their SIM cards. The variety and fragmentation of algorithmic technologies used by our customers increases the complexity and cost to deploy massive global surveillance systems.” Customization and diversity of algorithms across different operators raise the bar for any party attempting widespread key compromise.

The investigation also found inconsistencies between the published documents and Gemalto’s operations. Certain references in the leaked materials—such as SIM personalization centers in Japan, Colombia and Italy—do not match Gemalto’s facilities at the time of the alleged incident. Additionally, Gemalto reported that it did not supply SIM cards to four of the twelve operators named in the documents.

One notable discrepancy involves a Somalia-based carrier purported to have had 300,000 keys stolen. That detail suggests either errors in the published documents or that another SIM card manufacturer suffered a more successful breach than Gemalto. The possibility that multiple vendors were targeted cannot be ruled out based on the available information.

In summary, Gemalto’s inquiry supports the likelihood that a sophisticated intrusion occurred, primarily affecting internal office systems, but the company found no evidence that encryption keys were taken in this case. The incident underscores the capabilities of powerful state actors and highlights the ongoing importance of robust, diversified security measures for mobile operators—particularly in regions dependent on 2G technology.