British spies did try to hack mobile SIM cards
Mobile SIM company says British and US agencies did try to gain crucial keys for mobile eavesdropping
A leading manufacturer of mobile SIM cards claims British and US intelligence agencies did try to hack into its network, in the hope of being able to eavesdrop on mobile phone calls. However, it’s claimed the operation only had limited success.
Allegations that the US National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) tried to steal the encryption keys for mobile SIM cards, potentially allowing them to monitor phone conversations and text messages of billions of people worldwide, emerged last week. Today, the company at the centre of the attack – Gemalto – confirmed the attack probably did take place.
Gemalto says it detected two sophisticated attempts to break into its network in 2010. “At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” the company says in a statement. “These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks.”
The company says that even if the security services did manage to nab the encryption keys, they would have been of limited use. “In 2010-2011 most operators in the targeted countries were still using 2G networks,” the company claims. “The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone.”
“However, even if the encryption keys were intercepted by the Intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between three and six months.
What’s more, the security weakness was eliminated by the time 3G and 4G SIMs became available. “The security level was further increased with the arrival of 3G and 4G technologies which have additional encryption. If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications.”
Gemalto insists its security withstood the attacks, but admits the NSA and GCHQ “have resources and legal support that go far beyond that of typical hackers and criminal organisations”.
“We are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion,” the company adds.
(Photo credit: Luciano Belviso)