Have British and American intelligence agencies been caught with their collective hands in the cookie jar?
Well, yes, is the conclusion of a “thorough investigation” of the illegal hacking of computer systems belonging to SIM card manufacturer Gemalto.
The investigation came after The Intercept claimed last week to have received information from whistleblower Edward Snowden of a joint operation between GCHQ and the US National Security Agency (NSA) that took place in 2010 to steal thousands of encryption codes from Gemalto.
Both the UK and US intelligence agencies were accused of illegally hacking the systems of SIM card manufacturer Gemalto to try and gain the encryption keys that could allow the interception of some of the world’s voice, text and data traffic.
At the time, Gemalto said that it could not “verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation.”
But now, Gemalto has published the results of its investigation into the matter, and it has concluded that GCHQ and the NSA was probably behind the attack in 2010 and 2011.
“As a digital security company, people try to hack Gemalto on a regular basis,” said the company. These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful while only a few penetrate the outer level of our highly secure network architecture.”
“If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks,” Gemalto said. “In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation.”
Gemalto said that it noticed suspicious activity in June 2010 in one of its French sites where a third party was trying to spy on the office network. Gemalto immediately took action to counter this threat. Then a month later in July 2010, a second incident happened, which involved fake emails sent to one of its mobile operator customers that spoofed a legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. Again, Gemalto reacted quickly to close down the vulnerability and reported the malware to both the customer and authorities.
And Gemalto said that during the same period, it also detected several attempts to access the PCs of Gemalto staffers who had regular contact with customers.
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” said Gemalto. “These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks.”
And even if the encryption keys had been stolen, the intelligence services would only be able to spy on communications on 2G mobile networks, because 3G and 4G networks aren’t vulnerable to this type of attack, Gemalto said.
“It is extremely difficult to remotely attack a large number of SIM cards on an individual basis,” said the company. “This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”
“We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations,” said the Franco Dutch firm. “And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”
Shhh! Don’t look at our whistleblowers quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…