nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Not even GCHQ and NSA can crack our SIM key database, claims Gemalto

If snooping was done, it was done via comms intercept

By Simon Rockman, 25 Feb 2015

SIM card manufacturer Gemalto has given more details of what it understands is behind the reports that GCHQ and the NSA got their mitts on the encryption keys for its SIM cards.

As we reported earlier, the company says it detected intrusions and prevented them, and that at no time were the systems which held information on the keys penetrated. If an intercept took place, it would have been when an actor listened into Gemalto's comms, the firm claims.

“It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators,” says the statement, while at the same time refusing to confirm or deny that the attacks actually took place.

Gemalto goes on to say that while some keys could have been obtained by the security services through interception of communications, it was introducing new security methods at the time of the attacks and that should have thwarted the security services, citing The Intercept’s report that the services could not get data on SIMs sold to a Pakistani operator as evidence of this.

“We can confirm that the transmission of data between Pakistani operators and Gemalto used the highly secure exchange process at that time," the SIM-maker explained. "In 2010, though, these data transmission methods were not universally used and certain operators and suppliers had opted not to use them. In Gemalto's case, the secure transfer system was standard practice and its non-use would only occur in exceptional circumstances.”

Gemalto now wants to draw a line under the hacking issue. “Gemalto will continue to monitor its networks and improve its processes. We do not plan to communicate further on this matter unless a significant development occurs,” the company said.

Whether the stock market will let it rest is another matter. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing