Gemalto Denies Spy Agencies Stole Encryption Keys

Dutch chipmaker admits US and UK intelligence agencies probably hacked into its network but denies they stole encryption keys.

Iain Morris, International Editor

February 25, 2015


Dutch chipmaker Gemalto reckons US and UK intelligence agencies may have hacked into its network but denies they were able to steal encryption keys allowing them to eavesdrop on phone and Internet communications globally.

The denial comes after The Intercept last week reported that spies at the US National Security Agency (NSA) and the UK's Government Communications Headquarters (GCHQ) had been able to breach Gemalto's systems and steal encryption keys used to protect communications on billions of mobile phones.

The original source of that report is US whistleblower and fugitive Edward Snowden, a former contractor with the NSA who previously revealed evidence of similar subterfuge by the NSA and GCHQ.

Gemalto admits that it was probably the target of cyberattacks carried out by the two agencies in 2010 and 2011 but insists these attacks did not breach the systems used to protect its encryption keys.

In June 2010 the company says it took action after detecting that a third party was trying to spy on the office network at one of its French sites. A month later, it noticed that fake emails "spoofing" legitimate Gemalto email addresses were being sent to one of its mobile operator customers. Those fake emails included an attachment containing malicious code.

At the time, Gemalto was unable to identify the source of the attacks, but it now believes the NSA and GCHQ could have been responsible, describing the intrusions as "particularly sophisticated" in their nature.

However, Gemalto was at pains to emphasize that encryption keys are not stored on office networks and remained secure throughout this period.

Gemalto reckons intelligence agencies targeted its office and external communications because their plan was to intercept encryption keys while they were being sent between mobile operators and their suppliers globally.

As the company notes, this means the NSA and GCHQ were targeting numerous other players.

Since 2010 Gemalto claims to have been using a secure transfer system when communicating with third parties -- to reduce the risk of data being intercepted -- but it says that "certain operators and suppliers had opted not to use" these data transmission methods at the time of the cyberattacks.

According to Gemalto, even if hackers had been able to obtain the encryption keys, they would not have been able to spy on 3G and 4G communications because of additional security measures used to protect those technologies, leaving only 2G communications vulnerable to surveillance.

The Dutch company also takes issue with some of the details in The Intercept report, noting that it has never sold SIM cards to four of the 12 operators listed in accompanying documents. A list published by The Intercept purports to show the locations of Gemalto's personalization centers, but Gemalto insists that it did not operate centers in Japan, Colombia and Italy -- all of which appear on that list -- when the attacks were carried out.

Gemalto ships about 2 billion SIM cards every year and reported revenues of approximately €2.4 billion ($2.7 billion) in 2013. Its share price took a beating last week after publication of The Intercept's report but has subsequently recovered and had risen by more than 2.5% in Amsterdam today.

— Iain Morris, News Editor, Light Reading

About the Author(s)

Iain Morris

International Editor, Light Reading

Iain Morris joined Light Reading as News Editor at the start of 2015 -- and we mean, right at the start. His friends and family were still singing Auld Lang Syne as Iain started sourcing New Year's Eve UK mobile network congestion statistics. Prior to boosting Light Reading's UK-based editorial team numbers (he is based in London, south of the river), Iain was a successful freelance writer and editor who had been covering the telecoms sector for the past 15 years. His work has appeared in publications including The Economist (classy!) and The Observer, besides a variety of trade and business journals. He was previously the lead telecoms analyst for the Economist Intelligence Unit, and before that worked as a features editor at Telecommunications magazine. Iain started out in telecoms as an editor at consulting and market-research company Analysys (now Analysys Mason).
