Gemalto denies massive SIM breach, says NSA attacked SIMs but on a small scale
Gemalto has confirmed that US and UK intelligence services likely attacked it, but says the intrusion could not have resulted in a massive theft of SIM encryption keys.
The SIM chip maker said that a “sophisticated” intrusion by the intelligence agencies did occur in 2010-11 for the purpose of intercepting encryption keys sent to carriers.
It revealed that the attacks consisted of email “phishing” and spying on office networks, and added that several attempts were made to access the PCs of individual Gemalto employees.
None of the spying “could have resulted in a massive theft of SIM encryption keys,” the company concluded.
The company added that it had used a secure transfer system between operators starting in 2010, which would have left it vulnerable only in “rare cases.” Finally, it said that if any keys were stolen, agencies could only track 2G networks, since 3G and 4G networks “are not vulnerable to this type of attack.”
Operators should be using customized SIM-encryption algorithms, and individuals should “systematically encrypt” stored and transmitted data, the company concluded.