U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says
By MARK SCOTT FEB. 25, 2015
LONDON — Gemalto, a French-Dutch digital security company, said on
Wednesday that it believed that American and British intelligence agencies
had most likely hacked into the company’s networks in an attempt to gain
access to worldwide mobile phone communications. But it said that the
intrusions had only limited effect.
Gemalto said that the attacks had occurred over two years, starting in
2010, but that the National Security Agency of the United States and its British counterpart, the Government
Communications Headquarters, or GCHQ, had failed to gain wholesale access to
the company’s SIM card encryption codes.
The company is the world’s largest producer of cellphone SIM cards — the
small chips that hold an individual’s personal security and identity
information — and its networks could have given American and British
intelligence agencies the ability to collect mobile voice and data
communications without the permission of governments or telecommunications
providers.
This hacking was first reported last week by the website The Intercept based
on documents from 2010 provided by Edward J. Snowden, the former N.S.A.
contractor whose leak of agency documents has set off a national debate over
the proper limits of government surveillance.
“At the time, we were not able to identify the perpetrators of the
attacks,” Patrick Lacruche, Gemalto’s head of security, said at a news
conference in Paris on Wednesday. “We now think that they could have been
linked to the GCHQ and N.S.A. operation.”
The leaked documents from Mr. Snowden suggested that millions of SIM cards
could have been affected. Olivier Piou, Gemalto’s chief executive, disputed
that claim, but he declined to provide an exact figure.
“At the very most, very little,” said Mr. Piou when questioned by reporters
about how many SIM cards were potentially infiltrated.
The company’s share price rose about 3 percent in afternoon trading in
Amsterdam. Last week, analysts had warned that the suspected government hacking
could affect Gemalto’s operations, though the company’s stock has fallen only
about 2 percent since The Intercept published its article late Thursday.
A GCHQ spokesman declined to comment on the intelligence matters, and the
N.S.A. did not respond to requests for comment.
Gemalto, whose customers include some of the world’s largest carriers,
including Verizon Wireless and China Mobile, started its investigation into the
possible hacking by the intelligence agencies after the company’s share price
fell on Friday in the wake of the revelations. It was impossible to
independently verify the company’s internal investigation into the hacking.
The revelations are the latest in a series of suspected hacking activities
by American and British intelligence agencies that were made public by Mr.
Snowden.
Targets of the surveillance programs have included high-profile figures
like Angela Merkel, the German chancellor, whose cellphone conversations
American intelligence agencies are suspected of monitoring. The services of a
number of the world’s largest tech companies, including Google and Facebook,
were also infiltrated, according to the Snowden leaks.
The tapping of people’s online communications has led to widespread
criticism of what is perceived as overreaching by American and British
intelligence agencies.
“Trust in the security of our communications systems is essential for our
society and for businesses to operate with confidence,” Eric King, deputy
director of Privacy International, an advocacy group based in London, said in a
statement on Wednesday. “The impact of these latest revelations will have
ripples all over the world.”
Gemalto said in a news release that it had experienced many attacks in 2010 and 2011 and that it
detected “two particularly sophisticated intrusions which could be related to
the operation.” But it said that the attacks “only breached its office networks
and could not have resulted in a massive theft of SIM encryption keys.”
In June 2010, an unknown third party, which Gemalto said it now believed
was either an American or British intelligence agency, had tried to spy on its
communications network. A month later, Gemalto said, emails containing malware
were sent to some of its customers, many of which are the world’s largest
cellphone carriers. The emails had pretended to come from Gemalto’s employees.
“We immediately informed the customer, and also notified the relevant
authorities both of the incident itself and the type of malware used,” Gemalto
said, adding that it had detected several attempts to gain access to its
employees’ computers during that time.
The company said that its SIM encryption codes and other customer data had
not been stored on the networks that were targets of the attack, and that it
had upgraded its internal security software beginning in 2010 to limit the
impact of future hacking.
Gemalto did admit, however, that the hacking attempts in 2010 may have
given some access to SIM cards based on outdated telecom technology, known as
2G.
American and British intelligence agencies are suspected of targeting SIM
cards used by carriers in hot spots like Afghanistan, Iran and Yemen, which
still mainly used 2G SIM cards in 2010, according to the leaked documents. This
technology did not offer the same security protection as the SIM cards that are
typically used in Western countries, Gemalto warned.
“If the 2G SIM card encryption keys were to be intercepted by the
intelligence services,” Gemalto said, “it would be technically possible for
them to spy on communications when the SIM card was in use in a mobile phone.”
Aurelien Breeden contributed reporting from Paris.
By. Jeanine Duron 3°A