Dutch-based chip maker Gemalto has acknowledged that American and British spy agencies tried hacking its systems years ago, but critics have slammed that response as denial and damage control.
In a statement Wednesday, the multinational corporation confirmed last week’s revelations of hacking by the United States National Security Agency and Britain’s GCHQ in 2010 and 2011, claiming they “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys” as reported.
Reporters who uncovered the hacking attempts have criticized Gemalto’s statement, saying the company only learned about the attacks last week when reached for comment, and that a proper investigation in just five days was simply not possible.
The Intercept magazine, which published the original investigation into the Gemalto hacks, quoted several security experts who characterized the company’s statement as “a lot of effort…to minimize and deny the impact of some old attacks,” and more of a “damage assessment” than a proper investigation.
“A true forensic investigation in such a complex environment is not possible in this time frame,” Ronald Prins of the Dutch firm Fox IT told The Intercept.
Last week, The Intercept published an investigation into the hacks by Jeremy Scahill and Josh Begley, based on the revelations by Edward Snowden, a former contractor for the NSA. Snowden’s documents provided insight into how and why the surveillance services targeted the Dutch-based multinational. Gemalto makes some two billion SIM cards for 450 wireless providers around the world, as well as chips for luxury cars and biometric US passports. Its security technology is used by more than 3,000 financial institutions and 80 government organizations.
Gemalto’s statement claims no breaches were found in the secure networks “running our SIM activity,” or “our other products such as banking cards, ID cards or electronic passports.”
However, documents cited by The Intercept directly contradict this: We “believe we have their entire network,” the author of a secret GCHQ slide reportedly boasted.
The Intercept’s investigation reported that the hacks targeted SIM cards belonging to mobile operators in “Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan.” Gemalto acknowledged this, but claimed these cards were using the obsolete, 2G technology, and that current users in the West – who rely on 3G, 4G and LTE technology – were “not affected.”
Targeting the manufacturer of SIM cards, used in most mobile devices around the world, would give the US and UK intelligence agencies the ability to collect mobile communications without government warrants or the permission of service providers.
Theft of the SIM keys “enables the bulk, low-risk surveillance of encrypted communications,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Intercept. Gemalto and its employees were targeted by spies “not because they did anything wrong, but because they could be used as a means to an end,” he added.
According to The Intercept, fixing the security flaws in the current mobile phone system that intelligence agencies “regularly exploit” would take “billions of dollars, significant political pressure, and several years.” Jeremy Scahill, one of the authors of the original article, was disappointed by Gemalto’s denials as much as the media’s willingness to take them at face value.
Eric King, deputy director of the London-based advocacy group Privacy International, called trust in the security of communications systems “essential for our society and for businesses to operate with confidence” in a statement on Wednesday, adding that “The impact of these latest revelations will have ripples all over the world.”
China appears to have taken notice already. Citing security concerns over Western hardware, the government in Beijing has dropped a number of Western companies from its approved state purchase lists. Cisco, Apple, Citrix, and Intel’s McAfee security software are among the affected.
However, unnamed technology executives told Reuters that security concerns were only a pretext, and that the “real objective was to nurture China’s domestic tech industry and subsequently support its expansion overseas.”
AMAZON ERROR ALLOWED ALEXA USER TO EAVESDROP ON ANOTHER HOME
A user of Amazon’s Alexa voice assistant in Germany got access to more than a thousand recordings from another user because of “a human error” by the company.
The customer had asked to listen back to recordings of his own activities made by Alexa but he was also able to access 1,700 audio files from a stranger when Amazon sent him a link, German trade publication c’t reported.
“This unfortunate case was the result of a human error and an isolated single case,” an Amazon spokesman said.
The first customer had initially got no reply when he told Amazon about the access to the other recordings, the report said. The files were then deleted from the link provided by Amazon but he had already downloaded them on to his computer, added the report from c’t, part of German tech publisher Heise.
CRYPTOCURRENCY INDUSTRY FACES INSURANCE HURDLE TO MAINSTREAM AMBITIONS
Cryptocurrency exchanges and traders in Asia are struggling to insure themselves against the risk of hacks and theft, a factor they claim is deterring large fund managers from investing in a nascent market yet to be embraced by regulators.
Getting the buy-in from insurers would mark an important step in crypto industry efforts to show that it has solved the problem of storing digital assets safely following the reputational damage of a series of thefts, and allow it to attract investment from mainstream asset managers.
“Most institutionally minded crypto firms want to buy proper insurance, and in many cases, getting adequate insurance coverage is a regulatory or legal requirement,” said Henri Arslanian, PwC fintech and crypto leader for Asia.
“However, getting such coverage is almost impossible despite their best efforts.”
Many asset managers are interested in digital assets. A Greenwich Associates survey, published in September, said 72% of institutional investors who responded to the research firm believe crypto has a place in the future.
Last month, Mohamed El-Erian, Allianz’s chief economic adviser, said that cryptocurrencies would gain wider acceptance as institutions began to invest in the space.
Most have held off investing so far, however, citing regulatory uncertainty and a lack of faith in existing market infrastructure for storing and trading digital assets following a series of hacks, as well as the plunge in prices.
The total market capitalisation of crypto currencies is currently estimated at approximately US$120bil (RM502bil) compared to over US$800bil (RM3.3tril) at its peak in January.
“Institutional investors who are interested in investing in crypto will have various requirements, including reliable custody and risk management arrangements,” said Hoi Tak Leung, a senior lawyer in Ashurst’s digital economy practice.
“Insufficient insurance coverage, particularly in a volatile industry such as crypto, will be a significant impediment to greater ‘institutionalisation’ of crypto investments.”
Regulatory uncertainty is another problem for large asset managers. While crypto currencies raise a number of concerns for regulators, including money laundering risks, few have set out clear frameworks for how cryptocurrencies should be traded, and by whom.
Insurance might allay some of the regulators’ concerns around cyber security. Hong Kong’s Securities and Futures Commission recently said it was exploring regulating crypto exchanges, and signalled that the vast majority of the virtual assets held by a regulated exchange would need insurance cover.
Keeping crypto assets secure involves storing a 64-character alphanumeric private key. If the key is lost, the assets are effectively lost too.
Assets can be stored online, in so-called hot wallets, which are convenient to trade though vulnerable to being hacked, or in ‘cold’ offline storage solutions, safe from hacks, but often inconvenient to access frequently.
Over US$800mil worth of crypto currencies were stolen in the first half of this year according to data from Autonomous NEXT, a financial research firm.
Some institutions have started working to solve this problem, and may provide fierce competition to the incumbent players.
This year, Fidelity and a group including Japanese investment bank Nomura have launched platforms that will offer custody services for digital assets.
Despite the industry’s complaints, insurers say that they do offer cover. Risk advisor Aon received some two dozen inquiries this year from exchanges and crypto vaults seeking insurance, according to Thomas Cain, regional director, commercial risk solutions, at Aon’s Asian financial services and professions group.
“It is not difficult to insure companies that hold large amounts of crypto assets, but given the newness of the asset class and the publicity some of the crypto breaches have received, applicants need to make an effort to distinguish themselves,” Cain said.
The industry also says it is getting closer to solving the custody problem.
“This year there have been a number of developments, and some providers have developed custody solutions suitable for institutional clients’ needs,” said Tony Gravanis, managing director investments at blockchain investment firm Kenetic Capital.
“Players at the top end of the market have also been able to get insurance,” he said.
But this is not the case for all.
One cryptocurrency broker, declining to be named because of the subject’s sensitivity, said insurers struggled to understand the new technology and its implications, and that even those who were prepared to provide insurance would only offer limited cover. “We’ve not yet found an insurer who will offer coverage of a meaningful enough size to make it worthwhile,” he said. – Reuters
CTECH’S THURSDAY ROUNDUP OF ISRAELI TECH NEWS
Scrapped London Skyscraper set to dominate Tel Aviv skyline. A tower ditched mid-construction in London due to the economic downturn of 2008 is now being resurrected in Tel Aviv in the midst of the city’s unprecedented tech boom.
Acquisition by Medtronic complete, Mazor delists. Medtronic paid $1.3 billion in cash for the Israeli surgical robotics company. Including Medtronic’s existing stake, the deal is valued at $1.7 billion.
Israelis receive 8.5 spam calls a month, according to Truecaller. The country ranked last among the top 20 countries affected by spam calls in 2018, according to a new report released by the company.
Innoviz expands globally, sets up a commercial manufacturing line in China. The Israel-based LiDAR maker has doubled its employee count in the past year and intends to recruit additional personnel for research and development, business and sales.
Particle analyzer company PML sold following liquidation. The company developed electro-optical systems for monitoring and measuring fluid particle sizes and concentration.