When word of a savvy hack conducted by agents of two intelligence agencies against SIM maker Gemalto broke yesterday, company representatives seemed to be caught completely off-guard. Now, with egg on its face and a security backlash in the offing, Gemalto's publicly pledging to look into The Intercept's scary allegations.
"We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation," the company's statement reads. "We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques."
It was only a matter of time before Gemalto decided to get to the bottom of the things, but plenty of damage has already been done. Starting in 2010, a group of agents from the NSA and Britain's Government Communications Headquarters kicked off a subtle cyberattack against Gemalto (and some of its biggest SIM-making rivals) in a bid to find the encryption keys that keep our mobile communications secure. Normally, those keys are only stored in two places: right on your phone's SIM card and in a data center controlled by your wireless carrier, which means they're out of reach to intelligence agencies unless they go through the hassle of getting strong legal justification to get them.
What the so-called Mobile Handset Exploitation Team managed to do was honestly pretty insane -- it allegedly infiltrated Gemalto's network, spied on key company employees and engineers, and figured out how those keys changed hands between Gemalto and the wireless carriers it partnered up with. Once all that was taken care of, the team intercepted keys for millions of SIM cards, meaning it could decrypt the phone calls and text messages moving from phones to carriers at its leisure. Neither the NSA or the GCHQ has commented on The Intercept's report, but really, did anyone expect them to?