SIM card maker Gemalto wants answers on alleged hacks by US, UK spies
Gemalto says it's looking into a report that its SIM card encryption keys were hacked by the NSA and British surveillance agency GCHQ.
Did the US and UK hack their way into SIM cards used in mobile phones? That's the question one SIM card maker is trying to investigate.
Dutch company Gemalto manufactures SIM cards for mobile phones, which it sells to around 450 carriers throughout the world, including AT&T, Verizon, T-Mobile and Sprint. The cards certain personal and normally secure information, including your phone number, billing information, contacts and text messages. These cards are protected by encryption keys to resist hacking.
But a story published Thursday by The Intercept claims that a joint unit of spies from the US's National Security Agency and the UK's Government Communications Headquarters, or GCHQ, hacked into the internal network of Gemalto and stole the encryption keys used to secure the company's SIM cards. If true, that means the agencies would've been able to access personal data and tap into mobile phone voice and data communications from users around the world. Citing documents from former NSA contractor-turned-whistleblower Edward Snowden, the publication -- founded by Glenn Greenwald, the journalist through whom Snowden's revelations first were channeled -- said the hacking occurred in 2010 and 2011.
The issue of government surveillance has been an undercurrent of concern over the two decades since the Internet began to become a part of everyday life for businesses and private citizens. But those worries exploded into a mainstream matter after Snowden's first revelations two years ago, and others have taken up the torch. Just last week, for instance, security company Kaspersky raised a red flag over reports that the NSA can infect hard drives with surveillance software to spy on computers.
Reacting to the claims about its SIM cards, Gemalto issued a statement Friday saying that it is looking into the matter.
"We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques," the company said. "We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation."
Gemalto's stock dove around 10 percent in early trading after The Intercept reported the hack.
But Gemalto wasn't the only target, according to The Intercept, saying that the goal was to hit as many mobile phones as possible. The overall aim was to spy on mobile communications without the consent or knowledge of users or mobile carriers, The Intercept added. Calling itself the "world leader in digital security," Gemalto said that it has detected and mitigated other hacking attempts over the years but for now can't prove any link between the past attempts and the one reported by The Intercept.
"I'm disturbed, quite concerned that this has happened," Paul Beverly, a Gemalto executive vice president, told The Intercept. "The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers."
Neither Gemalto nor the NSA immediately responded to CNET's request for comment. But a spokesperson for the GCHQ sent the following statement:
It is longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position. In addition, the UK's interception regime is entirely compatible with the European Convention on Human Rights.