An investigation by Amsterdam-based SIM card manufacturer, Gemalto, has found that an attack by operatives from the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) in 2010 and 2011 probably happened but the attack only breached its office networks.
The Intercept reported last week that NSA and GCHQ had hacked into the computer network of Gemalto and seized smartphone encryption keys used by customers of a number of mobile phone carriers worldwide.
Telstra, Optus and Vodafone Australia have used SIM cards produced by Gemalto.
According to Gemalto by 2010 it had deployed a secure transfer system with its customers and only rare exceptions to the scheme could have led to encryption key theft.
“In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second-generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack,” a Gemalto spokesperson said in a statement.
However, the accuracy of Gemalto's claims has been questioned.
“If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks,” the Gemalto spokesperson said.
In June 2010, Gemalto noticed suspicious activity at one of its offices in France where a third party was trying to spy on the office network. The office network was used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat, the spokesperson said.
“In July 2010, a second incident was identified by our security team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses,” said the spokesperson.
“The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used.”
During 2010, Gemalto also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers.
At the time, the company was unable to identify the attackers but Gemalto now thinks that they “could be related to the NSA and GCHQ operation.”
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world,” said the spokesperson.
“The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”
According to the spokesperson, no breaches were found in the infrastructure running the company’s SIM activity or in other parts of the secure network which manage other products such as banking cards, ID cards or electronic passports.
“Each of these networks is isolated from one another and they are not connected to external networks.”
“It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents,” the spokesperson added.
Greens Senator Scott Ludlam earlier this week sent a letter to Telstra CEO David Thodey expressing concerns about the use of Gemalto SIM cards by the telco.
In his letter, Ludlam asked Thodey to urgently confirm how many Gemalto SIM cards Telstra uses in its network and to what extent the telco believes the security of its customers’ communications has been compromised by the actions of the NSA and GCHQ.
“I request that you confirm how long Telstra has been aware of this security breach and what remediation steps it will undertake, including the recall of any affected SIM cards,” wrote Ludlam.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia