Gemalto Confirms It Was Hacked But Insists the NSA Didn’t Get Its Crypto Keys


Gemalto CEO Olivier Piou (C) arrives for a press conference in Paris, February 25, 2015. Kenzo Tribouillard/AFP/Getty



Gemalto, the Dutch maker of billions of mobile phone SIM cards, confirmed this morning that it was the target of attacks in 2010 and 2011—attacks likely perpetrated by the NSA and British spy agency GCHQ. But even as the company confirmed the hacks, it downplayed their significance, insisting that the attackers failed to get inside the network where the cryptographic keys that protect mobile communications are stored.

Gemalto came to this conclusion after just a weeklong investigation following a news report that the NSA and GCHQ had hacked into the firm’s network in 2011. The news was reported by The Intercept last week, which said the agencies had gained access to a huge cache of the cryptographic keys used with its SIM cards.


“The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened,” Gemalto wrote in a press release on Wednesday. But, the company said, “The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys.”


Many in the information security community ridiculed Gemalto for asserting this after such a short investigation, particularly since the NSA is known to deploy malware and techniques capable of completely erasing any signs of an intrusion after the fact, specifically to thwart forensic discovery of a breach.


“Very impressive, Gemalto had no idea of any attacks in 2010, one week ago. Now they know exactly what happened,” French developer and security researcher Matt Suiche wrote on Twitter.


Chris Soghoian, chief technologist for the American Civil Liberties Union, had the same reaction.


“Gemalto, a company that operates in 85 countries, has figured out how to do a thorough security audit of their systems in 6 days. Remarkable,” he tweeted.


The Intercept alleged in its story that the spy agencies had targeted employees of the Dutch firm, reading their siphoned emails and scouring their Facebook posts to obtain information that would let them hack employee machines. Once on Gemalto’s network, The Intercept reported, the spy agencies planted backdoors and other tools to give them a persistent foothold. We “believe we have their entire network,” boasted the author of a government PowerPoint slide that was leaked by Snowden to journalist Glenn Greenwald.


If true, this would be a damning breach. Gemalto is one of the leading makers of SIM cards; its cards are used in part to help secure the communications of billions of customers’ phones around the world on AT&T, T-Mobile, Verizon, Sprint and more than 400 other wireless carriers in 85 countries. Stealing the crypto keys would allow the spy agencies to wiretap and decipher encrypted phone communications between mobile handsets and cell towers without the assistance of telecom carriers or the oversight of a court or government.


Edward Snowden criticized the agencies for the hack in an Ask Me Anything session for Reddit on Monday. “When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim),” Snowden wrote, “they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.”


In its statement on Wednesday, however, Gemalto said the intrusions it detected during the relevant time period were not successful, apparently contradicting the NSA slide asserting that the spy agencies had taken over “their entire network.” Gemalto said that in June 2010 it had detected suspicious activity aimed at one of its French outlets “where a third party was trying to spy on the office network.” But the company said “action was immediately taken to counter the threat.”


The following month, the company wrote, a second incident occurred involving a phishing attack, with fake emails sent to one of Gemalto’s mobile operator customers that appeared to come from legitimate Gemalto email addresses. Gemalto said it had “immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used.”


Gemalto also said that the hacking operations of the NSA and GCHQ, as described by The Intercept, were aimed at intercepting encryption keys as they were exchanged between mobile operators and their suppliers. But by 2010, when the hacks occurred, Gemalto said it had “already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.” Even then, it noted, the number of keys stolen would have been small and their use to the spy agencies would have been limited.


“In the case of an eventual key theft,” Gemalto said Wednesday, “the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.”


