Gemalto denies knowledge of GCHQ and NSA Sim card hack

Gemalto says it cannot verify a report that it was hacked by the NSA and GCHQ to steal encryption keys

The world’s largest maker of Sim cards, Gemalto, says it cannot verify a report that it was hacked by UK and US spy agencies to steal encryption keys used to protect the privacy of mobile phone communications.

The report comes less than three months after reports that the US National Security Agency (NSA) spied on the GSM Association to identify and exploit security vulnerabilities in mobile phone networks, raising concerns about the security of the world’s mobile networks.

Gemalto said in a statement that it had no knowledge of the alleged NSA and GCHQ hack in 2010 prior to a report by The Intercept, which attributes the claim to documents leaked by whistleblower Edward Snowden.

A Sim (subscriber identity module) card is an integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile devices.

According to the report, the spy agencies wanted to cast the widest net possible to monitor mobile communications without the knowledge of mobile network operators and users by targeting Gemalto, which operates in 85 countries and has more than 40 manufacturing facilities.

Gemalto makes Sim cards for mobile phones and provides global mobile network operators with the encryption keys to keep the text, voice and internet data for each phone private.

According to the Snowden documents, Gemalto was targeted by the joint NSA and GCHQ mobile handset exploitation team (MHET) created in 2010 to target vulnerabilities in mobile phones.

The Intercept reports that the leaked documents show that GCHQ boasted it had planted malware on several of Gemalto’s computers, giving GHCQ access to “their entire network”.

The company has responded to the report by saying that, as a world leader in digital security, it is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempt over the years.

“At present we cannot prove a link between those past attempts and what was reported [by The Intercept],” the company said.

However, Gemalto said it is taking the report “very seriously” and will devote “all resources necessary” to investigate and understand fully the scope of such sophisticated techniques.

“There have been many reported state-sponsored attacks of late, that have all gained attention both in the media and among businesses. This truly emphasises how serious cyber security is in this day and age,” the company said.

According to The Intercept, the alleged hack gave US and UK spy agencies “the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data”.

The report claims that Gemalto’s customers include AT&T, T-Mobile, Verizon, Sprint and about 450 wireless network providers around the world.

Mobile security experts say the alleged hack is a major compromise of worldwide mobile phone security as the encryption keys would allow the agencies to decode all mobile communications.

Commentators said the latest allegations are likely to further tarnish the reputation of the US and UK intelligence agencies and further undermine public trust in the NSA and GCHQ.

News of unfettered access to billions of cellphones around the globe could spark another international row about the over-reach of spy agencies, according to The Guardian.

The Obama administration faced intense criticism from Germany, Brazil and other nations following the Snowden leaks and has been working hard to repair the damage, the paper said.

According to documents leaked by Snowden in December 2014, the NSA intercepted confidential emails between hundreds of companies and organisations internationally to find security weaknesses in mobile phone technology.

In 2013, the Washington Post revealed that the NSA had broken the most commonly used mobile phone encryption algorithm, known as A5/1.

But, according to the Snowden documents, the information collected by NSA enabled the agency to look at ways of circumventing newer and stronger versions of A5 cellphone encryption, such as A5/3.

The documents also reveal how the NSA works to attack cellphone encryption technology, and plans to secretly introduce new flaws into communication systems so that they can be tapped into.

Read more on Privacy and data protection