Dutch-based chip maker Gemalto has acknowledged that American and British spy agencies tried hacking its systems years ago, but critics have slammed that response as denial and damage control.
In a statement Wednesday, the multinational corporation confirmed last week’s revelations of hacking by the United States National Security Agency and Britain’s GCHQ in 2010 and 2011, claiming they “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys” as reported.
Reporters who uncovered the hacking attempts have criticized Gemalto’s statement, saying the company only learned about the attacks last week when reached for comment, and that a proper investigation in just five days was simply not possible.
The Intercept magazine, which published the original investigation into the Gemalto hacks, quoted several security experts who characterized the company’s statement as “a lot of effort…to minimize and deny the impact of some old attacks,” and more of a “damage assessment” than a proper investigation.
“A true forensic investigation in such a complex environment is not possible in this time frame,” Ronald Prins of the Dutch firm Fox IT told The Intercept.
Last week, The Intercept published an investigation into the hacks by Jeremy Scahill and Josh Begley, based on the revelations by Edward Snowden, a former contractor for the NSA. Snowden’s documents provided insight into how and why the surveillance services targeted the Dutch-based multinational. Gemalto makes some two billion SIM cards for 450 wireless providers around the world, as well as chips for luxury cars and biometric US passports. Its security technology is used by more than 3,000 financial institutions and 80 government organizations.
Gemalto’s statement claims no breaches were found in the secure networks “running our SIM activity,”or “our other products such as banking cards, ID cards or electronic passports.”
However, documents cited by The Intercept directly contradict this: We “believe we have their entire network,” the author of a secret GCHQ slide reportedly boasted.
The Intercept’s investigation reported that the hacks targeted SIM cards belonging to mobile operators in “Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan.”Gemalto acknowledged this, but claimed these cards were using the obsolete, 2G technology, and that current users in the West – who rely on 3G, 4G and LTE technology – were “not affected.”
Targeting the manufacturer of SIM cards, used in most mobile devices around the world, would give the US and UK intelligence agencies the ability to collect mobile communications without government warrants or the permission of service providers.
Theft of the SIM keys “enables the bulk, low-risk surveillance of encrypted communications,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Intercept. Gemalto and its employees were targeted by spies “not because they did anything wrong, but because they could be used as a means to an end,” he added.
According to The Intercept, fixing the security flaws in the current mobile phone system that intelligence agencies “regularly exploit” would take “billions of dollars, significant political pressure, and several years.” Jeremy Scahill, one of the authors of the original article, was disappointed by Gemalto’s denials as much as the media’s willingness to take them at face value.
Eric King, deputy director of the London-based advocacy group Privacy International, called trust in the security of communications systems “essential for our society and for businesses to operate with confidence” in a statement on Wednesday, adding that “The impact of these latest revelations will have ripples all over the world.”
China appears to have taken notice already. Citing security concerns over Western hardware, the government in Beijing has dropped a number of Western companies from its approved state purchase lists. Cisco, Apple, Citrix, and Intel’s McAfee security software are among the affected.
However, unnamed technology executives told Reuters that security concerns were only a pretext, and that the “real objective was to nurture China’s domestic tech industry and subsequently support its expansion overseas.”