February 19, 2015
Sim Card Giant Probes Spy Theft Claims
Hannah Kuchler in San Francisco
The world’s largest manufacturer of Sim cards is investigating whether its encryption keys may have been stolen by US and UK spies, allowing them to snoop on cell phone communications.
Gemalto, a Netherlands-based security company that develops Sim cards, bank cards and electronic passports, said it had “detected, logged and mitigated” many types of attacks over the years but had no evidence that its encryption keys had been stolen by the US National Security Agency and the UK’s Government Communications Headquarters (GCHQ).
The company was responding to a report in The Intercept, based on documents received from former NSA contractor Edward Snowden, which purported to show that Gemalto was the target for intelligence agencies looking to get information from people’s mobile phones without a warrant or a wiretap.
Gemalto said it understood that the aim was to reach as many mobile phones as possible, rather than to target Gemalto specifically. The company’s customers include AT&T, T-Mobile, Verizon and Sprint — the US’s four largest wireless groups — and several major European telecoms groups.
“We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated techniques to try to obtain Sim card data,” a Gemalto spokeswoman said.
“There have been many reported state-sponsored attacks as of late, that all have gained attention both in the media and among businesses, this truly emphasises how serious cyber security is in this day and age.”
Paul Beverly, Gemalto’s executive vice-president, told The Intercept that he was “disturbed” that the company’s security had been compromised. He said that “the most important thing for us now is to understand the degree” of the breach.
The NSA and GCHQ could not be reached for comment.
Sophie in ’t Veld, a Dutch Member of the European Parliament, called on the European Commission to investigate the allegations, which she said could be a breach of European data protection legislation, and to act against the UK, an EU member state, if it is found to have committed “illegal hacking activities”.
The report comes in the same week as Kaspersky Lab, a Russian cyber security company, claimed to have found evidence that a state-backed attacker, which it said was most likely to be from the US, had compromised the security of hard drives made by companies including Toshiba, Western Digital, Seagate and IBM.
Kaspersky Lab said the devices were used in 30 countries including Iran, Pakistan, Russia and China, long priorities for US intelligence agencies. It said the group, which it dubbed The Equation Group, had created spyware “that surpasses anything known in terms of complexity and sophistication of techniques”.
US technology companies are still reeling from the impact of the Edward Snowden leaks, released in 2013, which included slides that showed infiltration of major internet companies including Google and Facebook and evidence that pointed to the manipulation of hardware belonging to Cisco.
This has resulted in concerns in some European countries about whether companies and individuals should entrust their ever more valuable data to US data centres.