Following its own investigation, SIM card vendor Gemalto admitted it was “probably” hacked by US and UK security services but said the attacks “could not have resulted in a massive theft of SIM encryption keys”.
A report last week claimed the National Security Agency and Government Communications Headquarters (GCHQ) hacked Gemalto’s internal network in 2010 and 2011 to steal the encryption keys for SIM cards.
But, despite the evidence, the company will not take legal action against US and UK security agencies, said CEO Olivier Piou during a press conference.
“As a digital security company, people try to hack Gemalto on a regular basis,” the company earlier said in a statement. And it experienced two particularly sophisticated intrusions in 2010-11 that could be the work of the security services. One was an attempt to spy on its office network and the second involved fake emails sent to a mobile operator customer.
During the same period, Gemalto also detected several attempts to hack the PCs of its employees who had regular contact with customers.
The attacks only breached the firm’s office networks and could not have resulted in a massive theft of SIM card encryption keys because they are not stored on these networks, the firm said.
No breaches were found in the infrastructure running its SIM activity or in other parts of the secure network handling products such as banking cards, ID cards or electronic passports, it added.
The attacks were aimed at operators in Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan.
When secure data exchange methods were used, no interception occurred, said Gemalto.
However, the company alludes to rivals being at risk. “In 2010 though, these data transmission methods were not universally used and certain operators and suppliers had opted not to use them,” said Gemalto.
The firm has never sold SIM cards to four of the 12 operators mentioned in the report.
In addition, a list of Gemalto personalisation centres mentions Japan, Colombia and Italy. But the company did not have centres in these countries at the time.
Rival G&D yesterday said it had no knowledge of SIM card keys being stolen until last week’s report but has subsequently reviewed its security, and that of its customers.