Olivier Piou, CEO of Dutch SIM-card maker Gemalto, said the failed attempt by UK and US intelligence agencies to make off with its encryption keys was a vindication of SIM system strength.
In an interview with Mobile World Live, Piou pointed out that leaked documents from former NSA contractor-turned-whistleblower Edward Snowden, which revealed the attack on Gemalto’s private network, also reported UK security services as saying SIM cards were a “very effective protection mechanism”.
Piou rejected the idea, however, that the leaked documents pointed to a trend by governments and security agencies to gather more data on consumers. Rather, he said, the attack was more focused on certain countries, to gather intelligence on terrorist activities.
“We don’t see massive attempts to get to people. Security services have the rights, with warrants, to get access to data through a judge, which they normally take to a mobile operator, not Gemalto,” he said. “Security services want to do their job, so they want everything, while privacy activists on the other side don’t want to give anything away.”
The Gemalto chief, however, does not plan any legal action in the wake of the leaked documents. “It’s very difficult to fight against the state,” he said. “It’s long, costly and uncertain.”
The IoT challenge
While Piou said today’s phone security systems are “extremely strong” with SIM cards, the proliferation of devices, courtesy of the Internet of Things (IoT), is posing new challenges.
As well as the requirement of miniaturisation – not all wearable devices will be suitable to accommodate a traditional SIM – Piou spoke of objects that don’t necessarily rely on security, such as watches, but which still rely on the security of the mobile phone. “This makes things more complicated,” he said.
He also posed a question: “How do we provision and manage all those rights and access capabilities over-the-air after the object has been produced? This is a challenge for mobile operators and the industry in general.”
The problem is made harder, said Piou, by companies coming into IoT which are not as sensitive to the security of their assets as they might be. “With retailers, it took a few scandals and data breaches before they took measures to encrypt data,” he said.