back to article Not even GCHQ and NSA can crack our SIM key database, claims Gemalto

SIM card manufacturer Gemalto has given more details of what it understands is behind the reports that GCHQ and the NSA got their mitts on the encryption keys for its SIM cards. As we reported earlier, the company says it detected intrusions and prevented them, and that at no time were the systems which held information on the …

  1. John Smith 19 Gold badge
    Unhappy

    Who to believe?

    Released documents of agencies concerned or company whose share price will go down the toilet if public trust in them is shattered.

    Decisions, decisions.

    1. streaky
      FAIL

      Re: Who to believe?

      Huge crypto vendor in total denial about the state of its own security. They clearly proven untrustworthy by word and action. This is actually worse than the DigiNotar attack and the company should be fed to the fishes the same way.

      They're in denial about the SIM attack, who could trust any of their other crypto products ever again?

      1. Anonymous Coward
        Anonymous Coward

        Re: Who to believe?

        The Danish Government and the Danish Financial Sector will keep trusting because it is the easiest for them to "not know ..." or "not be able to imagine ...", in fact, the leadership are probably paid their millions exactly for being ignorant, blind and stupid. Which is nice - for them - and not so nice for everyone else.

        Gemalto products are used for the hardware version of NemID, the single sign-on facility for everything that everyone must now use, and the chippery in biometric passports.

        But hey - as the Danish prime minister says: "I think we will be happy about it (the ubiquitous mass surveillance) in the long run!"

        1. Stuart 22

          Re: Who to believe?

          If NSA/GCHQ can't crack 'em then they should be closed down as incompetent. If they can and use them without warrant then they should be shut down.

          As for Gemalto - they wouldn't have a clue. NSA/GCHQ do have a reasonably 65+ years track record of doing the impossible without the target noticing.

  2. Mark 65

    Hmmm

    To be honest my money is on Gemalto not knowing what the fuck has happened, like some punch drunk journeyman getting up off of the canvas, and are hoping that all this bullshit will save their company. A company whose business relies utterly on trust in their security practices. The fact they started by denying everything then changing tact does not bode well for them. I predict there will be some contract renegotiations by major clients including the Aussie comms that all use them.

    It'd also be almost TV drama-like if the NSA couldn't hack them but did hack their nearest rival and were planting doubts in order to send customers to the vulnerable vendor.

    I'll go with the simplest option though.

  3. Christoph

    How would they know? The NSA doesn't bother hacking into places where it can plant compromised equipment. Or it might have used an inside agent.

    They claim they couldn't have missed an attacker, but the NSA missed Snowden!

  4. x 7

    Or maybe Snowden is earning money for hiimself......

    All he has to do is post a scare story about a tech company and its share price crashes. What chance he was paid to do so by a competitor or hostile purchaser? How long before we see a stock market bid for Gemalto?

    Snowden - and his utterings - have become a very valuable commercial commoditty

    1. Annihilator

      I understood he had handed over everything to the journalists and that *they* were deciding when additional material was published? He's effectively out of it now.

      1. Will Godfrey Silver badge
        Unhappy

        Indeed so. Unfortunately this has to keep being repeated because - goldfish memory span.

    2. PleebSmash
      Thumb Down

      Snowden didn't post the story, genius, the Intercept did.

  5. Spaceman Spiff

    How many?

    And just how many compromised hard drive controllers do they have in their servers? Pwnd usb devices? Talk about doing the ostrich thing (head in hole)...

  6. Anonymous Coward
    Anonymous Coward

    You Fools...

    We know everything and hear everything from all the countries but especially the ones whose names end in 'stan.

    All your base belong to us! Including those sim cards.

  7. Anonymous Coward
    Anonymous Coward

    Let's play "Snowden says"

    Snowden says NSA says "All your SIMS are belong to us !"

    Gemalto says "No way Jose"

    NSA says "No comment"

    1. PleebSmash
  8. Crazy Operations Guy

    No air-gap?

    I figured that their manufacturing process would involve the blank cards being sent to a secure facility that is fully air-gapped from everything. That facility would then program the cards, encrypt the keys, then burn them to CD/DVD. The CD would then be sent along with the SIM cards themselves to the cell company while the encryption key to decrypt the drive would be sent securely (Preferably in a tamper-evident, sealed envelope carried by a bonded courier).

    I would also figure that with how cheap storage is, they would have the system that writes the keys boot off of a Live-CD like environment and rebooted for each batch, that way if someone does compromise the machine, they could only get the keys for the current batch of cards. Previous keys would be archived on a copy of the CD sent to customer, but stored in a secure facility.

    1. Richard Taylor 2

      Re: No air-gap?

      One would hope. But even an air gap is vulnerable to a well paid employee seeking to add to his/her salary.

      1. Fred Flintstone Gold badge

        Re: No air-gap?

        One would hope. But even an air gap is vulnerable to a well paid employee seeking to add to his/her salary.

        Yup. Wasn't that called sneakernet? :)

        1. James 100

          Re: No air-gap?

          With a government involved, it doesn't even need to involve a *corrupt* employee - just some government credentials. "Police" investigators come in late one night, show the minimum-wage security guys a search warrant and tell them there's a suspicion somebody's been using the work computers for child abuse images/terrorism/money laundering, and they just need to run a forensic scan of the target storage device - mustn't tell anybody just yet, in case it compromises the investigation... Or, of course, plant their own agent(s) as the guards themselves: a pretty trivial job for any government agency.

          If somebody comes to my office with proper law enforcement ID and a warrant, I'm not going to jail to keep them out: would you? (Come to think of it, WTF should we do in that case? Trying to call the boss might legitimately be refused, tipping someone off about a search could mean an obstruction charge...)

    2. Adam 1

      Re: No air-gap?

      Homework essay:

      Discuss the success of air gap defences in mitigating attacks on the centrifuge facilities in Iran.

    3. JCitizen
      Black Helicopters

      Re: No air-gap?

      There's more than one way to jump an air gap - I think Snowden has featured some of them.

  9. phil dude
    Boffin

    the long game....

    I think it is easy for us to become anesthetised to the Snowden releases, so it bears a summary to remind ourselves. My shortlist, please correct ;-)

    1) All the materials were given to journalists, so what is released is editorial.

    I think we all know the materials made ES an assassination target, so getting rid of them was his best option. The media are doing reasonably well releasing the information.

    2) There are far too many legal barriers to trust any companys word for their products. So the big ones like Google, FB, Apple, Microsoft etc maybe fuming their business is taking a hit, have an uphill struggle with the currently legal environment.

    Probably the biggest fallout from the Snowden releases is that we cannot trust that which we cannot verify independently. Cell phones are a touch creepy though...

    I'm counting on the mathematics to save us.

    P.

  10. Richard Taylor 2

    Sounds like a challenge to me. fight fight oh er er er silence to me

  11. Anonymous Coward
    Anonymous Coward

    OF COURSE THEY CAN....

    The fuckheads at GCHQ have a 25yr (minimum) head start on everyone else!

  12. Anonymous Coward
    Anonymous Coward

    Let me get this straight...

    Gemalto does not dispute that the NSA were sniffing around for quite some time?

    However, within a matter of days they are absolutely certain that the NSA couldn't have stolen anything worth protecting years ago?

    Right. Got ya. Maybe that's good enough a statement for stock traders...

  13. Mark 85
    Devil

    The good news is....

    No one is blaming the NORK's..... yet.

    1. Will Godfrey Silver badge

      Re: The good news is....

      They're working on it.

  14. martinusher Silver badge

    Its the system...

    "The Imitation Game" is a great movie but but it was only a movie. To get the real story you have to read stuff like the Turing Papers which aren't anything like as entertaining. The math might be a bit arcane but the takeaway is easy to understand -- cracking Enigma was not a matter of breaking codes so much as finding, understanding and exploiting weaknesses in the overall system, weaknesses exposed typically by operator error or laziness, to figure out the settings for the machine.

    The executives at Gemalto need to study this history. Enigma was not only a well designed encryption machine but the Germans also had a very well designed procedure for using it. They even had a team looking out for procedural lapses. The only thing they did wrong is that the just didn't appreciate the scale of the Bletchley Park operation -- when you get code cracking on an industrial scale any weakness, no matter how small, is more than enough to compromise the entire system.

    We should assume that SIM cards can be compromised. There was obviously a reason why the Secret Service made Obama give up his iPhone for a not-so-cool custom Blackberry when he became President.

    1. Phil Koenig

      Re: Its the system...

      "There was obviously a reason why the Secret Service made Obama give up his iPhone for a not-so-cool custom Blackberry when he became President."

      Tidbit: Obama's device is, among other special customizations, a older BBOS device on Verizon's network - in other words - no SIM card. :D

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like