Gemalto: NSA attacked our SIMs, but not on a grand scale

SIM chip maker Gemalto has confirmed that US and UK intelligence services likely attacked it, but said it "could not have resulted in a massive theft of SIM encryption keys." Its comments stemmed from a recent Edward Snowden leak, which revealed a coordinated attack on Gemalto by the NSA and British GCHQ. Following an internal investigation, the previously low-profile company said that a "sophisticated" intrustion by the intelligence agencies did occur in 2010-11 for the purpose of intercepting encyption keys sent to carriers. The attacks consisted of email "phishing" and spying on office networks, and several attempts were made to access the PCs of individual Gemalto employees.

However, the company concluded that none of the spying "could have resulted in a massive theft of SIM encryption keys." For one, Snowden mistakenly said that Gemalto supplied SIMs to operators it doesn't do business with, and identified non-existant Gemalto offices in several nations. The SIM outfit also used a secure transfer system between operators starting in 2010, which would have left it vulnerable only in "rare cases." Finally, Gemalto said that if any keys were stolen, agencies could only track 2G networks, since 3G and 4G networks "are not vulnerable to this type of attack."

Despite that, it recommended that individuals and operators take certain counter-measures. Specifically, it said operators should be using customized SIM-encryption algorithms, and individuals should "systematically encrypt" stored and tramsmitted data.