Sim card manufacturer Gemalto has claimed that hacks into its network did not result in the theft of any encryption keys, despite leaked documents suggesting that US and UK spy agencies had taken such data.
The claims came to light last week as a result of information leaked by Edward Snowden. The documents said that GCHQ and the US National Security Agency (NSA) had breached Gemalto’s network and stolen encryption data used in Sim cards.
However, Gemalto has now issued its findings into the claim and said that, although there is evidence that the spy agencies may have accessed its internal office network, no Sim card encryption data was gathered.
“The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of Sim encryption keys,” the firm said.
Gemalto added that, even if encryption keys had been taken, the circumstances would have been rare, rather than on a widespread scale, and would have affected only 2G voice services, not 3G or 4G data services.
“The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally," the company said.
"By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.
“In the case of an eventual key theft, the intelligence services would only be able to spy on communications on 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.”
Gemalto also said that, having reassessed cyber attack incidents that occurred around the time the infiltration was said to have happened in 2010 and 2011, the firm has found evidence of attacks that could have been by the NSA and GCHQ.
“In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. Action was immediately taken to counter the threat,” Gemalto said.
A second event, in July 2010, involved phishing emails being sent to staff containing an attachment that could download malicious code.
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” the firm said.
Gemalto added that the company does all it can to ward off hackers, but is concerned by the notion that government agencies, with vast resources, could have carried out such attacks.
"We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations," it said.
"And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion."
Microsoft seizes control of phishing sites linked with Russian state hackers
Fitness trackers over-estimate the number of steps their users take, analysis of 67 research reports suggests
Everything we think we know about the imminent Apple iPhone 9, iPhone 11 and iPhone 11 Plus launches
All the latest rumours about Apple iPhone Displays, CPUs, launch dates and even prices
Nvidia brings Turing microarchitecture into the high-end gaming segment