Well they would say that
Wouldn't they
Gemalto, the world's biggest SIM card maker, has investigated the NSA's and GCHQ's infiltration of its computers – and says that while the agencies did get into its network, they didn't get in far enough to siphon off phone-call encryption keys. Files leaked by intelligence whistleblower Edward Snowden appeared to show the US …
@AC: The difference is that the NSA and GCHQ have proved their capability time and time again.
<quote>
"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network", the statement continued, adding:
No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.
</quote>
"Each of these networks is isolated from one another and they are not connected to external networks." could just mean separate VLANs. My money goes on the spooks being in their network equipment and their sysadmin accounts - remember the "I hunt sysadmins" line the other day? That they didn't detect them in other parts of the network doesn't mean they're not there. They have every incentive to go after this treasure trove of warrant avoidance.
> > > Snowden has a reputation to defend?
> > I think he has a tremendous reputation. He should be nominated for the Nobel Peace Prize.
> You mean the one won by Henry Kissinger and Barak Obama?
Ok, yeah, good point. OK, I think Snowden should be given a prize, where the prize itself still has a positive reputation
That they didn't find a breach doesn't mean it hasn't happened.
It could have been an inside job, if anyone can get an impeccable CV for working at Gemalto it's a spook.
Presumably Gemalto contracts out some operations to third parties. Whatever was found on their LAN was probably useful in infiltrating them.
Edit: Gemalto say prepay SIMs (and in most cases that means their phones too) are chucked after 3-6 months. O'Rly?
Etc... etc...
"Edit: Gemalto say prepay SIMs (and in most cases that means their phones too) are chucked after 3-6 months. O'Rly?
If I look at my own usage of prepaid SIMs, until recently I still used the one I bought in 1998. While that first one was bought in conjunction with an unlocked phone, I found that I could carry on using it (and thus keep my number) with locked budget phones sold with a PAYG package as long as I stayed with the same telco.
So yes, the SIM cards that came with those cheap phones were only used until their initial credit ran out.
So who is right and who is wrong? Is it possible the Snowden document was faked by someone in NSA as a red herring "just in case"? Or that Gemalto hasn't really figured out what happened? If there's truly and air-gap on their internal networks and others are to be believed, then that gap may very well have been jumped.
It's quite possible that we'll never find out the truth. Someone could have been bought off or a 1000 and 1 things are going on.
I thought of that too, but this is chicken feed compared to established Snowden stories. It is probably factual errors by the NSA drones that composed the PPT along with a successful operation undiscovered by Gemalto. Forget "Each of these networks is isolated from one another and they are not connected to external networks." This is the agency that can divert your FedEx electronics and insert extra hardware, compromise undersea cables, or get a Stuxnet thumb drive into Iran's nuclear facilities.
I tend to believe the hack happened, and that the original GHCQ slides were mistaken in stating some facts, as seen in this document: http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx
Can you imagine the impact to their bottom line if they had come out and said "yeah everyone, we got hacked big time, take out those sim cards now" ?
To answer your question:
The target for the team was the unique Ki encryption keys baked into each of Gemalto's SIM cards. These 128-bit values are hidden away inside the SIM electronics, and are supposed to be kept secret. Every SIM has one regardless of its manufacturer.
Mobile networks keep a copy of a SIM's Ki key before the card is given to a subscriber. This is so that the carrier can identify and authenticate the device containing the SIM when it joins a network.
http://www.theregister.co.uk/2015/02/19/nsa_and_gchq_hacked_worlds_largest_sim_card_company_to_steal_keys_to_kingdom/
http://en.wikipedia.org/wiki/Subscriber_identity_module#Authentication_key_.28Ki.29
Gemalto are in a difficult situation. "We didn't find an intrusion" either means
1) there was a really good intrusion that they didn't find.
2) it never happened.
or
3) there was an intrusion but it wasn't too bad so can be swept rapidly under the carpet.
Option 3 is always likely as Gemalto will be wriggling for their financial lives and is the safest way out (admit a bit, declare "we're great, we coped with it" and "it's self terminating over time so it's ok" or "nobody uses it anyway").
Option 1 is scary and, if true, someone will be in a spooky bar drinking to a job well done!
I'm more apt to believe Gemalto are attempting to downplay the effect, their stock prices took a rather large hit when the news leaked and they've come out with comments like "... are secure and the Company doesn’t expect to endure a significant financial prejudice.”
So who are they looking out for, stock prices or users?
I'm going to play devil's advocate and say that it happened, happened real bad, and they are totally fucked and headed to the corporate graveyard. However the top level execs are trying to keep it going long enough to offload all that stock and stock options they're sitting on which will be worth fuck all soon enough.
Shouldn't the focus of Gemalto be on a legal challenge to NSA and GCHQ activities? This is rather unprecedented, but surely is, by any interpretation, a misuse of power and a lack of due process i.e. this ought to be pretty damn illegal?
"But the terrorists..."
All in all it's looking more and more like the terrorists have won, gifted to them by the very actions governments here are taking. Not educating women and a lack of civil liberties are different facets of the same issue - the lack of a fair, just and principled society.
NSA and GCHQ may have been acting illegally, so do loads of people - crooks, terrorists.
Gematlo's product is trust, specifically to keep the bad guys (whoever they are) from knowing their customers secrets. Where is that trust now?
They are effectively saying it didn't happen (even though GCHQ and NSA said it did) and if it did it was everyone's fault but ours.Especially our customers.
Nice line!
From reading through the details in the slides that were released, GCHQ/NSA intercepted the keys when they were being sent to the network providers, not in Gemalto's central store, so perhaps they were looking in the wrong place for a breach.
Wouldn't the easiest way for the TLAs to intercept keys be to vacuum up all emails coming out of Gemalto to grab the presumably encrypted keys, whilst also checking all other methods of communication to grab the passwords?
I, me, you, we would all be banged up if for industrial espionage on this scale.
As ever, the rules are different for those that make the rules.
I'm not condoning terrierislamopedoismists or whoever the threat to national insecurity is this week. But there's defence and there's offence. This is most definitely offence.
Not bothered to go anonymous - I'm going to get downvoted to the max anyway.
I'm not a Gemalto employee, to be clear.
But, unlike the armchair conspiracy theorists on this page, I have actually visited a Gemalto site, I know several Gemalto employees, and I've had demo's of a number of security related experiments that they undertake. This is all in the period up to about a couple of years ago.
I know the lengths they go to to test the protection of the private key inside SIM cards- they employ techniques far beyond the means of the average hacker to protect the private keys. I can't believe that they would miss something as obvious as not properly airgapping their network. They were intensely aware that their business relied on their security precautions. They provided superb resources to some very bright guys to try to penetrate the SIM cards and their systems. By the way, the best drive firmware hack in the world can't get data through a true air gap.
When I say i visited a site of theirs, I mean I was allowed into a meeting room outside their secure perimeter. To get that far into their site meant a passport check and being pre- notified to their site.
Yes, they would say that the hack did not penetrate. And It's possible that NSA/GCHQ targetted an employee to get at the data, but the security precautions I saw would have made it very difficult to get the data out.
There is one (theoretical) exit path for the data - if the phone network was presented with the private key data for the SIM's they bought (so that symmetrical encryption was possible), then the transfer of that data may be a risk. And that would account for the 2G statements. if the report names networks that were not supplied by Gemalto then it's more likely that NSA/GCHQ compromised the private key data at the entry to the phone network, rather than within the SIM manufacturer.
It's always fun to believe that the NSA ex-employee is telling the truth and Gemalto is lying, though :)
It's always fun to believe that the NSA ex-employee is telling the truth and Gemalto is lying, though :)
Wipe that emote off your face you smug fuck. You think Snowden, Intercept, etc. altered slides to add "successfully implanted several machines and believe we have their entire network"?
Nope, Gemalto got owned and you're in denial. I bet some higher up Gemalto employees are stitching together their golden parachutes right now.
<i>"Just what this statement means for Snowden's reputation remains to be seen."</i>
That sentence gives the ridiculous impression that Edward Snowden, himself, was in some way responsible for the creation of the multitude of NSA documents that he absconded with. No one from the President down to the Director of the NSA is making such a claim. It's called a "Leak" for a reason.
<i>"Disclosures of National Security Agency secrets by the former contractor Edward Snowden have damaged U.S. efforts to battle terrorists, NSA Director Adm. Mike Rogers said on Monday."</i> Washington Post