Gemalto Says NSA, GCHQ Hacks Did Not Reach Smartphone Encryption Keys

Gemalto says U.K. and U.S. spies may indeed have hacked its network back in 2010, but the SIM card maker denies that agencies in either country were able to obtain the encryption keys protecting millions of smartphones.

Gemalto, in a report released today, said its internal investigation showed the breach, courtesy of the National Security Agency and the U.K.’s Government Communications Headquarters, only affected its office network, not the infrastructure used for producing and transmitting SIM card encryption keys, despite claims made in documents from whistleblower Edward Snowden.

Snowden handed over the documents, in which the NSA bragged that it had access to Gemalto’s entire network, to The Intercept last week.

Gemalto’s report refuted those claims, however, and laid out, chronologically, what it believes occurred.

“In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network,” reads the report. “By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.”

A second incident was identified by the company’s security team just one month later. Fake e-mails were sent to a mobile operator customer spoofing real Gemalto e-mail addresses. The e-mails were sent along with an attachment that, if opened, would download malicious code.

“We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used,” Gemalto said.

During that same time, the company also detected a handful of attempts to access the computers of Gemalto employees who had regular contact with customers.

“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” Gemalto said. “These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

The company’s analysis revealed the NSA and GCHQ targeted a number of other parties as well.

Gemalto boasts major companies such as Verizon and AT&T as customers. The company makes smart chips not only for cellular phones but also for bank cards and passports.

About the author


Jennifer Cowan

Jennifer Cowan is the Managing Editor for SiteProNews.