Sim card manufacturer Gemalto has claimed that hacks into its network did not result in the theft of any encryption keys, despite leaked documents suggesting that US and UK spy agencies had taken such data.
The claims came to light last week as a result of information leaked by Edward Snowden. The documents said that GCHQ and the US National Security Agency (NSA) had breached Gemalto’s network and stolen encryption data used in Sim cards.
However, Gemalto has now issued its findings into the claim and said that, although there is evidence that the spy agencies may have accessed its internal office network, no Sim card encryption data was gathered.
“The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of Sim encryption keys,” the firm said.
Gemalto added that, even if encryption keys had been taken, this would have happened only in rare cases rather than on a widespread scale, and would have affected only 2G voice services, not 3G or 4G data services.
“The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally,” the company said.
“By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.
“In the case of an eventual key theft, the intelligence services would only be able to spy on communications on 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.”
Gemalto also said that, having reassessed cyber attack incidents that occurred around the time the infiltration was said to have happened in 2010 and 2011, it has found evidence of attacks that could have been carried out by the NSA and GCHQ.
“In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. Action was immediately taken to counter the threat,” Gemalto said.
A second event, in July 2010, involved phishing emails being sent to staff containing an attachment that could download malicious code.
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” the firm said.
Gemalto added that the company does all it can to ward off hackers, but is concerned by the notion that government agencies, with vast resources, could have carried out such attacks.
“We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations,” it said.
“And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”