An investigation by Gemalto into the attempted interception of SIM encryption keys has concluded the attacks were likely orchestrated by US and UK intelligence agencies.
The alleged attacks in 2010 and 2011 on Netherlands-based Gemalto were first unearthed by US whistleblower Edward Snowden last week. According to leaked documents, US surveillance agency NSA and UK security firm GCHQ attempted to breach Gemalto in order to obtain SIM encryption keys, which would allow the organisations to spy on mobile networks.
Following an investigation into the claims, Gemalto said it was able to identify two “particularly sophisticated” attacks on its office networks in 2010 and 2011, which it said gave “reasonable grounds” to believe that security organisations in the UK and US were responsible.
The company said in a statement: “In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network.
“In July 2010, a second incident was identified by our Security Team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code.
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation.”
However, Gemalto said “immediate action” was taken to counter the threats, adding the attacks could not have resulted in a large-scale theft of SIM encryption keys as they only breached the company’s internal network.
The company said: “It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators.”
The company also claimed that any encryption keys that were stolen would only have enabled the security firms to spy on 2G mobile networks.
“[At the time] most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010,” Gemalto said.
“If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms.”
Following the attacks, global SIM card vendor Giesecke & Devrient (G&D) said it had stepped up its security measures, despite the fact that SIM cards themselves were not thought to have been targeted in the attacks.
Stefan Auerbach, Member of the Management Board and Head of the Mobile Security business unit at G&D, said: “Until now G&D has no knowledge that SIM card keys were stolen. Immediately after the attacks were brought to light we did, however, introduce additional measures to review the established security processes together with our customers.”