If you were following the SIM card encryption key news stories buzzing around, you’ll have recognised that industry heavyweight, Gemalto, was mentioned quite a bit.
They’ve done their analysis and published their findings — and it makes excellent reading. Here are the key bullet points:
- The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened
- The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys
- The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft
- In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack
- None of our other products were impacted by this attack
- The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator
I think they’ve done a very comprehensive job. Nice work Gemalto.
Other commentators have a more skeptical view of Gemalto’s rather rushed “investigation” which they describe as more damage limitation/Investor-Press relations than a thorough piece of work