US and British spies probably hacked into the world’s biggest maker of phone SIM cards in an attempt to steal codes that protect the privacy of billions of mobile phone users, the company said on Wednesday.
The Franco-Dutch firm, Gemalto, was responding to a report on an investigative news website that said the hack allowed Britain's GCHQ and the US National Security Agency (NSA) to potentially monitor the calls, texts and emails of cellphone users around the world.
Gemalto said the attacks “probably happened”, and aimed to intercept encryption codes that unlock mobile phone Subscriber Identity Module (SIM) cards while they were being shipped from its production facilities to mobile network operators worldwide.
But the company - which produces nearly 2 billion SIM cards a year - said the hack “could not have resulted in a massive theft of SIM encryption keys”. SIMs are made of chips that uniquely identify phones and computer data cards on a network.
Its chief executive said it had not contacted the US or British intelligence agencies because doing so would have been a “waste of time” and that it did not plan to take any legal action, as chances of success were virtually non-existent.
"The facts are hard to prove from a legal perspective and ... the history of going after a state shows it is costly, lengthy and rather arbitrary," Olivier Piou told a news conference in Paris to discuss the findings of its own investigation into the alleged hacking in 2010 and 201l.
A spokeswoman for Britain’s GCHQ said on Wednesday that it did not comment on intelligence matters. The NSA could not be immediately reached for comment.
The alleged hacking was reported last week by website The Intercept, which cited documents leaked to it by former NSA contractor Edward Snowden.
Such an incursion, if confirmed, could have expanded the scope of known mass surveillance methods available to U.S. and British spy agencies to include not just email and web traffic, as previously revealed, but also mobile communications.
SOPHISTICATED ATTACKS
The attacks targeted email correspondence between Gemalto and some of the world's largest network equipment makers, including Ericsson and Nokia, but primarily China's Huawei, the documents said.
Stolen key codes were vacuumed up on their way to network operators located mainly in Afghanistan, Somalia, Yemen, Iran and the Gulf States, but also involved countries ranging from Vietnam, Zimbabwe and Italy to Iceland, the documents said.
In the biggest example, the documents say 300,000 SIM codes destined for phone subscribers in Somalia were snatched.
Gemalto said it had never sold SIM cards to four of the 12 operators listed in the documents - naming a Somali carrier as one of those four.
It also said only older model phones that are widely used in emerging markets might have been affected and that more advanced 3G and 4G networks were not vulnerable to this type of attack.
“By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft,” it said.
Even so billions of connections are still made using 2G phones, with GlobalComms forecasting 3.5 billion connections in 2018, almost the same as for 3G phones that handle not just calls and text messages but also video and Web surfing.
Gemalto confirmed that it had experienced many attacks in 2010 and 2011 and that it had found two particularly sophisticated intrusions that only states could muster and which matched the attacks described in the Intercept’s report.
The company's statement outlining the likely limits of the hack helped lift its shares nearly 3 per cent in mid-afternoon trading in Amsterdam to €71.39, marking a full recovery from losses of as much as 10 per cent last Friday following the publication of The Intercept report.
- Reuters