Gemalto says it was 'probably' hacked by government spies
World's largest SIM card supplier presents findings of investigation into reports the NSA and GCHQ hacked its network
The world's largest supplier of SIM cards, Gemalto, has admitted it was "probably" hacked by NSA and GCHQ but claims any breach could not have resulted in a massive theft of SIM encryption keys.
Gemalto this morning presented the findings of its investigation a week after documents leaked to Edward Snowden appeared to show that the Dutch firm's internal computer network was hacked by the two intelligence agencies.
According to The Intercept, which published the leaked documents, this gave them potential access to billions of mobile phones through encryption keys.
Following an internal probe, Gemalto said it had "reasonable grounds to believe that an operation by NSA and GCHQ probably happened". This conclusion was based partly on the fact it detected two "sophisticated attacks" in 2010 and 2011.
The attacks "could not have resulted in a massive theft of SIM encryption keys", however, because they only breached its office networks, the vendor said.
Gemalto said it had already widely deployed a secure transfer system with its customers by 2010 and only rare exceptions could have led to theft.
"In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second-generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack," it said.
Gemalto also expressed concern at the NSA and GCHQ's alleged tactics, of which it has already said it had no knowledge.
"Gemalto would like to reiterate its commitment to providing the best security levels for civilian applications," it said.
"...Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations. And we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion."
Gemalto said it will continue to monitor its networks and improve its processes but that it did not plan to communicate on the matter again "unless a significant development occurs".