Gemalto, a SIM card producer for over 450 mobile carriers, has found that an NSA-GCHQ operation did not succeed in compromising the company’s SIM encryption keys.
The international digital security company announced this finding in response to a news report claiming that the NSA had been able to capture and store Gemalto’s encryption keys that protect mobile users’ SIM cards.
According to documents leaked by whistleblower Edward Snowden, the British intelligence agency GCHQ had also allegedly succeeded in decrypting Gemalto’s SIM cards mid-air and remotely implanting malware onto users’ phones in order to steal the encryption keys.
Gemalto has denied these claims, stating that the intelligence agencies only penetrated its “office networks,” or the outer parts of its computer networks where “the SIM encryption keys and other customer data, in general, are not stored.”
The company goes on to explain how in 2010 and 2011, it detected two sophisticated intrusions that may have been staged by the NSA and GCHQ against its office networks.
The first occurred in June 2010, when Gemalto identified suspicious activity on a French site where a third party was attempting to spy on its office networks.
The second attack occurred shortly thereafter and involved fake emails, spoofing legitimate company email addresses, that were sent to mobile operator customers.
As part of its post-investigation report, Gemalto has stated that even if the NSA and GCHQ were able to perpetrate the types of attacks described in the Snowden documents, those intrusions would have affected only a small number of SIM cards.
“It is extremely difficult to remotely attack a large number of SIM cards on an individual basis,” the company writes. “This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents.”
Both intelligence services have been approached for comment on Gemalto’s investigation.
In a statement, GCHQ said it does not comment on intelligence matters.
It added the following: “Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.”
The NSA has not yet commented on Gemalto’s findings.