SIM card manufacturer Gemalto has published the results of an investigation into an alleged hacking operation by the UK’s GCHQ and the USA’s National Security Agency. A report earlier this month - based on information from former NSA contractor Edward Snowden - claimed that both security agencies had jointly hacked into Gemalto’s network to steal SIM encryption keys. This would have enabled them to decrypt mobile phone calls without needing the cooperation of mobile networks.
According to Gemalto, it detected “two particularly sophisticated intrusions” in 2010 and 2011 that breached its office networks. Although it couldn’t identify the originator at the time, it says it now has “reasonable grounds to believe that an operation by NSA and GCHQ probably happened”.
However, its says the attacks “could not have resulted in a massive theft of SIM encryption keys” and, even if keys had eventually been stolen, this would not have allowed any spying on 3G or 4G communication.
Rival SIM card manufacturer Giesecke & Devrient (G&D) pointed out that “the SIM card is so secure that in the case revealed recently, even intelligence services preferred to steal the key rather than attack the SIM card”.
[Original report: firstlook.org]