'NSA, GCHQ-ransacked' SIM maker Gemalto takes a $500m stock hit

The world's biggest SIM card manufacturer, Gemalto, revealed yesterday to have been hacked by the NSA and GCHQ, has taken a $470m hit in its stock price. Gemalto was caught unawares by the revelation that the US and UK intelligence agencies had compromised its systems and stolen potentially millions of SIM card keys used to …

  1. Nolveys
    Big Brother

    Works For Me

    I feel bad for Gemalto, but I think the only way that the situation with NSA can possibly reach any sort of sanity is if their shenanigans end up messing with corporate bottom lines. It's not as if the NSA has any interest in public opinion and, even if they did, most Americans seem to be a-okay with whatever their government does in the name of "security".

    1. Mark 85

      Re: Works For Me

      "most Americans seem to be a-okay with whatever their government does in the name of 'security'"

      Citation(s)? I'm curious about what segments actually buy this line. The Fox News watchers? The Oprah worshippers? The reality show addicts? The Facebookers? Or was there some random phone survey?

      1. The Dude

        Re: Works For Me

        According to CBC news and the Globe and Mail, the recent survey results show that 89% of Canadians are A-OK with it too. I did a little on-line investigation, and judging by the reader comments responding to this story, nearly 100% of Canadians are mad as hell about it and not okay at all!

        So... someone is fibbing.

        1. Captain DaFt

          Re: Works For Me

          What answer would you expect people to give when someone that appears officialish asks them:

          "Do you approve of the NSA's current practices and if not, why not?"

          Given today's climate of paranoia?

        2. I. Aproveofitspendingonspecificprojects

          Most people

          Nobody wants to know about politics in Britain. Yet if you watch or listen to the BBC, you would get the opinion that all the viewers are interested in is soap and politics. With some economics on the side. I am not saying we are unaware or antisocial. Just that like things in the US, nobody wants to vote for a politician.

          People with functional brain cells stay in and watch the telly/go out for the evening when there is an election. But only because of passing interest/disinterest.

      2. Anonymous Coward

        @Mark 85 - Re: Works For Me

        It's simple, Mark, most Americans are voting the same people so they must be OK with whatever they do.

        1. Mark 85
          Facepalm

          Re: @Mark 85 - Works For Me

          Argghhh... you're right. What could I possibly have been thinking.

        2. Michael Wojcik

          Re: @Mark 85 - Works For Me

          It's simple, Mark, most Americans are voting the same people so they must be OK with whatever they do.

          Sure. The lack of alternative viable candidates with different policies has nothing to do with it.

          But, hey, simple people will continue to recommend simple solutions.

      3. Anonymous Coward

        Re: Works For Me

        The Fox News watchers? The Oprah worshippers? The reality show addicts? The Facebookers?

        As far as most of the world goes, that list covers 99% of the US population already...

    2. NoneSuch

      Re: Works For Me

      We only know what Snowden knew. I'm sure he was not in on all the pies the NSA/GCHQ had jammed their fingers into.

      There are certainly more violations out there, and instead of governments reining the intel services in, they're actually increasing efforts across the board for more access.

      This will not stop until someone is made accountable, charged and convicted. Then you'll see the doe-eyed civil servants pause when they realize they can be held accountable.

      1. Anonymous Coward

        @NoneSuch - Re: Works For Me

        I wish you a very, very long life so you can live the moment when somebody other than whistle blowers will be charged. And then again a few centuries until they will be convicted.

    3. I. Aproveofitspendingonspecificprojects

      Re: Works For Me

      > Speculation that the Dutch manufacturer may be forced to recall chips, incurring huge costs, caused its share price to fall eight per cent in early trading before recovering a little to four per cent down on closing.

      If someone invented a heavy vehicle (let's call it a tank because it will be big and hold a lot of heavy) and goes around banging into other people's vehicles on purpose, you can't blame the manufacturers of other people's vehicles. What the manufacturers of other people's vehicles need to do is take out the tank.

      If you supply some "thing" designed for fair wear and tear and a madman completely out of control decides to rip it up and throw it in our face, all you can do is deal with the madman and go and get another "thing".

      The market will open up to every other manufacturer of "things". Some to sell to people who are afraid of psychos and some to people who expect to be treated the way that they treat others. You can't fuck with the golden rule. Not for long. You get heroes like Snowden coming along and pulling your trousers down.

      Then, hopefully, someone with a lot of confidence will give you a fucking good spanking.

      How thick a veneer do the people who work at secret HQs believe they have?

      There are lots of survivalists in Utah and all of them subscribe to channels on video sites that do nothing but discuss bows, arrows, knives, guns and ammo. They can't all be working for the NSA can they?

      I can't wait for the action to get started. I wonder if Mr Snowden confiscated their addresses. Could be funny.

  2. king_tut
    Facepalm

    Fundamental misunderstanding of telecoms

    There seem to be some fundamental misunderstandings out there about how cellular comms actually work. The encryption keys which have been stolen were only ever used for the wireless link - i.e. between phone and cell tower, and even then could be circumvented via active attacks. Within the carrier networks the calls are in the clear.

    Some carriers may encrypt some parts of their network - there is no guarantee though, and the carrier wouldn't necessarily tell you either way. So in short your comms were _already vulnerable_ if you relied on this encryption. That's why you use multiple layers of crypto, and use end-to-end encryption. Yes, having the keys makes passive interception and decryption easier, but if you were relying on it for your security then you were an idiot.

    In the UK, these keys are in theory not much use anyway. That's because the exact same warrant would be required to use these keys within the UK as would be needed to order the carrier to do cell interception - in fact, this was confirmed in the recent trial which found that GCHQ had been breaking the law because they hadn't made this fact public. The keys could be misused, yes, but oversight in the UK is actually pretty good - again, the recent "GCHQ broke the law" was a pretty technical finding, not intimating willy-nilly interception of anyone they want.

    The US is a different situation - the yanks have bugger all oversight over their intelligence services. They need to sort their act out, but I expect to see pigs flying first.

    Where the keys are useful is intelligence in unfriendly locations, where the UK government cannot ask the carrier to do intercept direct, and cannot ask the local intelligence/police to help as they're not trusted. For example, it would be dangerous to ask the ISI to do cell intercept on the Pakistani Taliban, due to supporters within the ISI itself who would leak the fact that specific phones were being targeted.

    All countries spy on each other. The only countries that don't, only don't because they cannot afford to.

    The more iffy area is spying on employees of Gemalto and carriers, in order to gain access. The leaked documents highlight that only specific K, Ki, and IMSI info was being searched for. There was no mention of looking for personal information for blackmail etc, and furthermore these were all work email accounts - I didn't see any evidence of searching home accounts for embarrassing details etc.
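A toy model of the point made in this post, added here as an example and not code from the thread or from Gemalto: the SIM key Ki only derives the per-call session key for the radio leg, so anyone holding the Ki database can strip that layer from a purely passive capture once they see the RAND challenge sent in the clear, while an end-to-end layer keyed independently of Ki survives. The real A3/A8 and A5 algorithms are replaced by HMAC-based stand-ins so it runs offline; the IMSI, Ki and messages are constructed.

```python
import hashlib
import hmac
import os
from itertools import count

# Constructed operator data: the AuC holds the same Ki per IMSI that the SIM vendor shipped.
AUC_KI = {"001010123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")}

def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for the SIM's A3/A8 (HMAC here, not the real algorithms): derive the
    32-bit auth response SRES and the 64-bit session key Kc from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (stand-in for A5): HMAC in counter mode, bound to a nonce."""
    out = b""
    for block in count():
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return out[:length]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with the toy stream cipher (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def place_call(imsi: str, sim_ki: bytes, plaintext: bytes, e2e_key=None) -> dict:
    """Simulate GSM authentication plus one encrypted air-interface frame and return
    exactly what a passive listener near the tower can capture."""
    rand = os.urandom(16)                          # network challenge, sent in the clear
    sres, kc = a3_a8(sim_ki, rand)                 # computed inside the SIM
    expected_sres, _ = a3_a8(AUC_KI[imsi], rand)   # computed at the operator's AuC
    if sres != expected_sres:
        raise ValueError("authentication failed")
    e2e_nonce = os.urandom(12)
    payload = plaintext
    if e2e_key is not None:                        # end-to-end layer keyed independently of Ki
        payload = xor_stream(e2e_key, e2e_nonce, plaintext)
    frame = (22).to_bytes(4, "big")                # frame number, also visible on the air
    return {"imsi": imsi, "rand": rand, "frame": frame, "e2e_nonce": e2e_nonce,
            "ciphertext": xor_stream(kc, frame, payload)}

def recover_with_ki(ki_db: dict, capture: dict) -> bytes:
    """What a holder of the leaked Ki database gets from a purely passive capture:
    RAND is on the air, so Kc is re-derivable and the air-interface layer comes off."""
    _, kc = a3_a8(ki_db[capture["imsi"]], capture["rand"])
    return xor_stream(kc, capture["frame"], capture["ciphertext"])

def demo() -> tuple:
    """Return (air-only result, layered result) for the same constructed message."""
    imsi, ki, msg = "001010123456789", AUC_KI["001010123456789"], b"meet at 10"
    leaked = dict(AUC_KI)                          # vendor-side copy of the same keys
    air_only = recover_with_ki(leaked, place_call(imsi, ki, msg))
    layered = recover_with_ki(leaked, place_call(imsi, ki, msg, e2e_key=os.urandom(32)))
    return air_only, layered

if __name__ == "__main__":
    air_only, layered = demo()
    print("air-interface crypto only:", air_only)       # the original message
    print("with an end-to-end layer :", layered.hex())  # only the inner ciphertext
```

The second result is why the post's advice is layered crypto: the leaked key database removes the radio-leg protection but yields nothing about a layer whose key was never in Gemalto's hands.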

    1. Anonymous Coward

      Re: Fundamental misunderstanding of telecoms

      "All countries spy on each other. The only countries that don't, only don't because they cannot afford to."

      Hack into the GCHQ/NSA/FBI/DHS/etc. as a citizen without the backing of a state and it won't end well for you.

      Citizens are being attacked by their governments, and they can barely defend much less go on the offensive.

      1. king_tut

        Re: Fundamental misunderstanding of telecoms

        Yep, nation/states jealously guard their prerogatives. But then allowing anyone to hack anyone else with no controls just leads to anarchy.

        Citizens _can_ go on the offensive. It's called elections. Elected officials can rein in the intelligence services, if they want. Unfortunately, most people are idiots, perfectly happy to sleep-walk into crappy situations with crappy elected officials.

        The overlap is the whistleblowers, and I firmly believe there should be whistleblower protections. It's a difficult situation though - when does whistleblowing (telling the public about abuses which are, or probably are, happening) become leaking secrets (telling the public about things which aren't abuses but cause measurable damage to intelligence operations). This is where good quality oversight is absolutely vital - an area that could be improved in the UK, and is an absolute mess in the US.

    2. T. F. M. Reader

      Re: Fundamental misunderstanding of telecoms

      @king_tut: I think the issue here is that if you've got the keys for damn near all the SIMs in the world then you can, in principle at least, eavesdrop on cellular conversations everywhere, not just in your own country where you may have either a quiet understanding with carriers or a secret blanket warrant. You don't need permission from a foreign cell company or authorities that may not be completely accommodating, nor do you need to sneak inside the carrier's network to get to unencrypted comms. Capturing the signal from the wireless leg will be enough - you can decrypt it at your leisure and without much effort. You say as much, of course, but I would not limit the utility of the method to really unfriendly locations as you do. Therein lies a problem...

      1. king_tut

        Re: Fundamental misunderstanding of telecoms

        You're absolutely correct, from the technical side. Having the keys allows ad-hoc decryption around the world. And there is definitely a danger of abuse. There are therefore two questions:

        1) Should these agencies have ways to gain access to intercept product? If no, then there's no danger of abuse, but there will be an increased danger from assorted serious crimes including terrorism. How much of an increase is a difficult question - I think the gov regularly overplays this, but I think there is definitely a risk. If yes, then...

        2) What can you do to stop abuse, or detect it if it happens? This is all about oversight, and technical controls to audit and control access. I would hope, and expect, that there will be technical controls on anything which gains access to product, so that the relevant warrant details need to be entered. The oversight can then check these. Note that I primarily care about UK citizens, although proportionality should be maintained everywhere - just because your wife pops over to Poland to visit friends doesn't give you the right to spy on her.

        I also think that details of the technical controls, and how the oversight operates, must be public - that's the only way we can trust it. We have to a) be able to judge for ourselves whether the controls would be sufficient, and then b) trust in the oversight bodies, and that they will use the controls. This is ultimately where the recent "GCHQ broke the law" ruling came in - (a) is pretty much what EU law requires, and GCHQ weren't making the knowledge public. They still haven't enough, IMHO, and I want to see improvements there.

        It should be noted that I think David Anderson and IOCCO are doing a good job. I'm less comfortable with the ISC - there are too many "insiders" in the ISC who have publicly been in the authoritarian camp.

    3. Gordon 10
      Unhappy

      @King_tut Re: Fundamental misunderstanding of telecoms

      "In the UK, these keys are in theory not much use anyway. That's because the exact same warrant would be required to use these keys within the UK as would be needed to order the carrier to do cell interception "

      But isn't the point that if they have the encryption keys - they potentially don't need to apply for a warrant in the UK. Is there any oversight that's checking that they haven't abused these keys on British nationals, or are we just meant to take their word for it? I take your point they may be fractionally more circumscribed than the NSA, but their previous form leaves me very doubtful.

      Also presumably they don't have controls over where the SIM cards end up, so have to do some sort of polling/monitoring of networks to determine who has what key - i.e. yet more indiscriminate data collection.

  3. fnusnu

    Presumably the rest of Gemalto's products have also been hacked. I for one won't be trusting their tokens again as it is not unreasonable to assume GCHQ / NSA stole the seed values.

    1. king_tut

      Why did you trust them in the first case? The only way to be secure (or rather, to know how secure you are) is for all sensitive crypto primitives to be under your control. Would you trust Gemalto (or any other 3rd party) to generate your SSL certificates, including private keys, for you?

  4. elDog

    Typical western immediate ROI thinking from the "intelligence" bunch

    I won't get too long winded here because there are so many facets to this appalling development. Well, almost as appalling as backdooring the firmware on most of the world's HDDs.

    The cowboys that are making these decisions don't really think about any long-term implications. It's a game to see who can come up with a more clever way of subverting protections. Sorry for the disrespect to real cow-people who do real work - the ones I'm talking about sit in plushy chairs in mini-mansions.

    It's not about protecting national secrets or really about infiltrating foreign governments, it is about being clever and malicious. The same techniques are adapted by the other side, perhaps the axis-of-evil or the dark forces.

    These cowboys (and I was one a few years ago) make 5-6 digit US$ salaries. They are far beyond the purview of law. Their bosses are in comfy corporate offices that are contracting to the 5-eye governments. The money that is spent by the taxpayers to fund this hedonistic group-fuck is incredible. But it is "black" and we'll probably never know how much was wasted on sorting through the dirty laundry and sewage that goes over the comm lines.

    1. The Dude

      Re: Typical western immediate ROI thinking from the "intelligence" bunch

      There was a time, when I was young and naïve, that I thought it might be reasonable to fund these people because they provided some protection and the risk of abuse was a reasonable gamble. Now, it has become painfully obvious that we have basically given hand-grenades to beat cops to deal with the problem of shoplifting. It is time to yank the leash, hard.

      1. BobRocket

        Re: Typical western immediate ROI thinking from the "intelligence" bunch

        No, it's time to think about what sort of world you want, just be careful what you wish for.

  5. Crazy Operations Guy

    Any word on their smart cards / tokens?

    I'm more concerned about whether their Smart Cards and tokens are still safe...

    1. BobRocket

      Re: Any word on their smart cards / tokens?

      Yes, insofar as they were never safe in the first place (it's baked in).

  6. ez2x

    Sue the NSA

    Maybe Gemalto can sue the American government.

    1. stanimir

      Re: Sue the NSA

      Maybe Gemalto can sue the American government.

      Where?

      In the US they are bound to get a gag order and be done with.

  7. All names Taken
    Alien

    Shame?

    Tough on Gemalto.

    Maybe they can go to ARM to redeem the situation?

  8. ideapete
    Mushroom

    Then along comes Apple software sim

    Jobs is proved right once again - software SIM + encryption is the only way. Come on, Apple.

  9. RobHib

    Any advance on 'Cyber Thugs'.

    The more I read about the antics of these government-sponsored cyber thugs, the more they resemble common criminals--a law unto themselves and accountable to no one.

    But that's putting it mildly, and mild it is.

    (I nearly said what I really think, but I'd have been accused of falling victim to Godwin's.)

  10. Michael Habel

    How is this different to say GSM

    Now it's been ~five years since that story washed up here, on the Reg: http://www.theregister.co.uk/2010/08/02/gsm_cracking/

    But, if the same thing (more or less) can be done by some schmuck with some $1500 equipment, then lord knows GCHQ & the NSA should have been doing this for far longer. Perhaps it's time to update security for G5.

  11. stewwy

    I for one will trust my data to the Chinese rather than our lot, always buy cheap knockoffs.

    In the infinitesimal chance that I do something 'evil' ( and nowadays in the western world that seems to equate more or less to existing as a citizen and dropping litter ) I'd far rather that it was noticed half a world away than by my local council.

    Now where's the Chinese start-up producing knock-off SIMs?

    If there isn't one

    ?????

    PROFIT

    1. amanfromMars 1

      In SMARTR IT Networks and Knightly Round Tables, it never rains but it pours.

      I for one will trust my data to the chinese rather than our lot, always buy cheap knockoffs.

      In the infinitesimal chance that I do something 'evil' ( and nowadays in the western world that seems to equate more or less to existing as a citizen and dropping litter ) I'd far rather that it was noticed half a world away than by my local council.

      Now where's the chinese start-up producing knock off SIMS?

      If there isn't one

      ?????

      PROFIT …. stewwy

      What supposedly Elite and Too Big to Fail type occidental leaderships most rightly should nowadays, and forever more into the future, be fully mindful and most probably quite reasonably terrified of, is if you are smarter product of Western ingenuity, the East would logically be a place with space to provide and reward every opportunity to demonstrate one's mind bending and intelligence mining craft honing skill sets, and especially so if discoveries one be making at home be able to be remotely enabled to result in catastrophic destruction and systemic disruption of localised and national international SCADA engines/exclusive executive office administrations, and there be no rewarding home market for protective and/or preventative non-disclosure services/agencies.

      And with further regard to ….

      Hack into the GCHQ/NSA/FBI/DHS/etc. as a citizen without the backing of a state and it won't end well for you. … Anonymous Coward
      …… is the following an exploit to test for fitness of purpose.

      And which state to be an agent for is a novel virtual part of the …. well, let us imagine IT now as a Great Intelligence Game with Sublime and Surreal AIMethodologies and NEUKlearer HyperRadioProActive Defence Weapons Systems, for one is not tied to any particular or peculiar national/international/internetional choice nowadays whenever/where the global private and pirate commercial and banking sectors can try to chaotically control nations and humanity remotely with APT actions increasingly badly and ineffectively designed to try and protect and save themselves from popular violent revolution?

  12. WalterAlter

    Off the Books Intel Customers Will Make your Paranoid Glow Incandescent

    We know the CIA dumped crack cocaine onto the ghettos to fund rogue anti-Sandinista counter-revolution and took over the Marseilles connection and gave it to the Mafia. They don't call it "The Company" for nothin'. This is the happy-go-lucky world of intel gathering. Now, take a big hit off the bong and visualize in whose hands any and all NSA SIGINT might fall, with the collusion and blessing of its administrators, and imagine the scenarios available for suppression of dissent, geopolitical negotiations, industrial espionage, stock market manipulation, and, my personal favorite, the institutionalization of the Police State.

  13. This post has been deleted by its author
