Gemalto confirms spy agency network intrusion

Dutch authentication and security vendor Gemalto has acknowledged that its networks were 'probably' broken into by US and UK spy agencies, but said the intrusion did not result in a massive theft of SIM card encryption keys.

Documents from the United States National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) leaked by Edward Snowden suggesting the intelligence bodies had raided Gemalto were published by media earlier this month.

The company today said it detected two "particularly sophisticated intrusions" in 2010 and 2011 that could be related to the NSA and GCHQ operation. 

One of Gemalto's French sites was targeted by "a third party" that attempted to spy on the company's office network in one attack.

In a second strike, fake emails with attachments containing malicious code were sent from spoofed Gemalto addresses to a mobile operator customer of the Dutch company. 

Gemalto said it detected both attacks immediately and moved to to counter the threats, which it now believes were the actions of the NSA and GCHQ.

However, Gemalto said at a media conference in Paris that SIM encryption keys and customer data were not stored in the targeted external networks.

Instead, keys and sensitive data are kept in isolated storage on secure networks, and Gemalto said no intrusions were detected there.

It remains possible that spy agencies were able to tap into unsecured data transfers between mobile operators and Gemalto in isolated cases four years ago. Older 2G encryption used during this time could be broken by spy agencies, the company admitted.

Custom algorithms added to 2G and the introduction of 3G and 4G, which use more complex encryption techniques, would stop intelligence agencies from listening in on mobile communications now, Gemalto claimed.

Gemalto said it is aware that "the most eminent state agencies" have resources and legal support that go far beyond that of hackers and criminal organisations, and said it is concerned that they might be involved in what it described as indiscriminate operations against private companies.

It hinted at pressure from governments to introduce alternative technologies that would limit the ability of mobile telcos to customise their security mechanisms.

"Such technology would make it simpler to organise mass surveillance should the technology unfortunately be compromised or fail," the company stated.

The company also noted that the documents leaked by Snowden indicate that other SIM card vendors were targeted by NSA and GCHQ, suggesting encryption keys were also stolen from non-Gemalto customer telcos.