Earlier this month, reports surfaced suggesting that US and UK intelligence agencies had successfully infiltrated the world’s largest SIM card maker and stolen its encryption keys. After conducting its own investigation, Gemalto has now confirmed it has “reasonable ground” to believe an intrusion by the NSA and GCHQ did occur between 2010 and 2011, but said the breach did not result in the large-scale theft being reported.
The attackers allegedly breached Gemalto’s office networks by phishing employees. That network, however, is separate from the one used to handle SIM card encryption keys, so the intrusion could not have resulted in a massive theft. Moreover, the company says it had been using highly secure key-exchange techniques with operators since 2010, which would have left it vulnerable only in "rare cases", specifically those involving 2G SIM cards.
According to the company, the security level of this 1980s-era technology was already considered weak and outdated by 2010, while 3G and 4G networks were not vulnerable to the attack methods described in the documents leaked by Snowden. The security flaws in the original 2G standards, it adds, have since been addressed by proprietary algorithms that major carriers continue to use.
It should be noted that 2G networks were still widely used in countries such as China and India at the time of the breach, while according to GSMA research (via TechCrunch), about 25% of mobile connections in the U.S. and 50% in Western Europe still relied on 2G. Gemalto was quick to downplay this, though, saying “most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months."
The company also clarified that four of the twelve affected operators named in the report were not its clients, including the Somali carrier from which a reported 300,000 keys were stolen, suggesting that other SIM card manufacturers were targeted as well.