February 27, 2015

Gemalto hacking shows that NSA and GCHQ are not shy about targeting market leaders to weaken phone encryption security





By: Edwin Mok

On February 19, 2015, The Intercept reported that in 2010-2011 the American and British spy agencies had hacked the world’s largest manufacturer of SIM cards and stolen encryption keys, potentially allowing intelligence agencies to “monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments”. The report was based on top-secret documents provided by NSA whistleblower Edward Snowden. According to a 2010 document, the NSA and the Government Communications Headquarters (GCHQ) – the NSA’s British counterpart – conducted a joint operation targeting Gemalto, which makes chips used in mobile phones and credit cards, and whose clients include “AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world”.

Six days later, on February 25, 2015, Gemalto released a statement confirming that “in 2010 and 2011, [the company] detected two particularly sophisticated intrusions” upon their internal computer networks. It continues: “At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation”. However, Gemalto asserts that the intrusions “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys”. It speculates that its dominance in the SIM card market may have made it the “target of choice for the intelligence services in order to reach the highest number of mobile phones”.

SIM cards store information used to identify and authenticate subscribers on a telecommunications network. They are also used to store information such as contacts, text messages, and phone numbers. Domestically, the FBI and other agencies can force U.S.-based telecommunications companies to give up such information through court orders. However, this sort of data collection is much more difficult at the international level, because foreign governments and companies will not typically allow the NSA or other intelligence agencies to access the communications on their networks. Possession of the encryption keys would, according the The Intercept article, give the NSA “the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted”.

Although Gemalto claims that no encryption keys were stolen – and some experts have expressed serious doubts as to the thoroughness of their investigation – the fact that the hacking attempt occurred is significant. It shows that the NSA and the GCHQ have in the recent past attempted to seriously compromise phone security on a vast and global scale. And it shows that they are not shy about targeting the biggest players in the market. It is notable that Gemalto is headquartered in Amsterdam, that is, not within any country part of the “Five Eyes” intelligence alliance (comprised of Australia, Canada, New Zealand, the U.K., and the U.S.). It seems, at the very least, the NSA and the GCHQ view any company based outside of those five countries as fair game.

There is an additional important wrinkle to this story. The article by The Intercept resulted in a $470 million loss to Gemalto’s stock price. While that stock price has since rebounded (helped no doubt by Gemalto’s assurances that no encryption keys were stolen), this situation raises the specter of state-sanctioned electronic espionage as an economic, investment, and insurance risk for international companies operating in the telecommunications space. It is one thing when such attacks purportedly originate from China or North Korea. It’s quite another to learn that such attacks have been occurring between supposedly friendly nations. And it begs the question: who else has been in the NSA’s crosshairs?

The message is clear. If you are an international company with information viewed as strategic to the NSA or other spy agencies, you’re a potential target. Indeed, they may already have targeted you.