SIM hack scandal biz Gemalto: Everything's fine ... Security industry: No, it's really not

Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims. Yet the IT security industry is not so sure. …

  1. beast666
    Thumb Down

    Forward encryption anyone? I've heard it said that phones don't have the processing power to do that... I call bullshit, but if anyone knows otherwise?

    1. psyq

      I very much doubt it has anything to do with the performance; even at the time of standardization of 4G, phones had more compute performance than PCs from the '90s, in miniature / low-power form.

      The elephant in the room is the incompatibility of the worldwide mobile standard set by an intergovernmental entity with the desire of the governments to be able to intercept their (and other) citizens' communications.

      In the ideal world, a modern telephony standard would maintain forward secrecy and the voice data would never be transmitted unencrypted, with the keys tied only to the handsets themselves and overridable by the users of said handsets. This way, data which goes through the switching office would be perfectly useless from the point of view of the contents. It is not realistic to expect that the international public telecommunication standard insists on further secrecy, like mechanisms for preventing locating the originator and the destination of the call.

      But even "just" secrecy of the contents, not the so-called "meta"data, is simply against laws set up in most countries nowadays which require an ability to do covert listening (after court order or with less oversight, depending on the country).

      So, no, there will be no forward secrecy in a public telephony standard.
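      An added example, not from the thread or from any telephony standard's code, of the contrast psyq draws: a session key derived from the SIM's long-term key Ki and a network challenge RAND (what GSM's A8 does; a keyed hash stands in for it here) can be recovered by anyone who later obtains Ki and the recorded RAND, whereas a fresh key agreement per call leaves a recording useless even with Ki in hand. The toy DH group and the toy stream cipher are stand-ins chosen for a stdlib-only demonstration, not production parameters.

```python
"""Constructed example: stolen long-term SIM key (Ki) versus forward secrecy.
A keyed hash stands in for GSM's A8 key derivation; a toy finite-field DH
stands in for a real ephemeral key agreement. Illustration only."""
import hashlib
import hmac
import secrets

# --- GSM-style: per-call key Kc derived from long-term Ki and RAND ---------
def derive_kc(ki: bytes, rand: bytes) -> bytes:
    # Stand-in for A8; any deterministic function of (Ki, RAND) has the
    # same property: whoever holds Ki can recompute Kc from a recorded RAND.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-derived keystream), standing in for A5/x.
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def gsm_style_call(ki: bytes, plaintext: bytes):
    """Network sends RAND in the clear; handset and network derive Kc."""
    rand = secrets.token_bytes(16)
    kc = derive_kc(ki, rand)
    return rand, keystream_xor(kc, plaintext)   # what an eavesdropper records

def eavesdropper_with_stolen_ki(ki: bytes, recording) -> bytes:
    """Ki obtained later (e.g. from the SIM vendor) decrypts old recordings."""
    rand, ciphertext = recording
    return keystream_xor(derive_kc(ki, rand), ciphertext)

# --- Forward-secret style: ephemeral Diffie-Hellman for every call ----------
P = 2**127 - 1   # toy-sized prime (M127); real deployments use >=2048-bit groups
G = 3

def dh_keypair():
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def dh_session_key(my_priv: int, their_pub: int) -> bytes:
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]

def forward_secret_call(plaintext: bytes):
    """Fresh key pairs per call; only the public halves cross the air."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key = dh_session_key(a_priv, b_pub)
    assert key == dh_session_key(b_priv, a_pub)
    # Both private exponents are discarded once the call ends.
    return a_pub, b_pub, keystream_xor(key, plaintext)

def eavesdropper_forward_secret(ki: bytes, recording) -> bytes:
    """Best effort with Ki plus the recorded public values: no private
    exponent is available, so no key it can build matches the session key."""
    a_pub, b_pub, ciphertext = recording
    guess = derive_kc(ki, a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big"))
    return keystream_xor(guess, ciphertext)

if __name__ == "__main__":
    KI, PT = secrets.token_bytes(16), b"constructed voice frame"
    print(eavesdropper_with_stolen_ki(KI, gsm_style_call(KI, PT)) == PT)  # True
    print(eavesdropper_forward_secret(KI, forward_secret_call(PT)) == PT)  # False
```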

  2. Anonymous Coward
    IT Angle

    The good news is...

    If Gemalto actually gets its sales taken down because of loss of confidence in the marketplace caused by their penetration by the NSA/GCHQ, then that is going to put the fear of God into tech companies around the world, who will quite understandably fear that the same thing will happen to them.

    A) Much less likely to work with the NSA/GCHQ/other sigint agencies. Let's face it, these agencies are bad actors who are REALLY hurting tech companies. They can pull their cloak-and-dagger crap, but the tech industry should ACTIVELY oppose them in doing so.

    B) A little less likely to seek defense contracts, which quite possibly come with real or market-perceived strings attached. So hopefully this will starve defense establishments a little bit on the tech side and increase the pain to various DoD/defense ministries who could previously support sigint agencies' behavior on a nearly cost-free basis.

    C) Increased pressure from the global tech industry on political leaders to get these agencies back in line.

    It's a shame, because we do need sigint and militaries. However, it really looks like these sigint agencies are out of control. You can't crap all over the tech industry by damaging products/brands/standards/trust/revenue streams and then expect that the industry is just going to sit there and take it while these agencies tear down what the industry has spent the last 60 years building.

  3. PleebSmash
    Mushroom

    The Intercept vs. Gemalto

    https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

    https://firstlook.org/theintercept/2015/02/25/gemalto-doesnt-know-doesnt-know/

    Since commentards like user 72594 are still getting it dead wrong, I'll preemptively remind everyone that this is The Intercept's reporting (Jeremy Scahill and Josh Begley), not "Snowden... post[ing] a scare story."

    1. phil dude
      Alert

      Re: The Intercept vs. Gemalto

      I tried to raise that distinction a few days ago - ES had to give up docs to be "safe"...

      P.

  4. Mike 16

    2G only?

    That's OK, IIRC, one of the effects of a Stingray is to force all the phones in its vicinity to fall back to 2G.

    See, Govt. agencies _can_ work together.

  5. Mark 85

    I like the way it's worded....

    They didn't get anything. But the keys were for 2G. Oh.. the ones that weren't taken were only for 2G? Got it...

  6. Winkypop Silver badge
    FAIL

    PR flack Versus IT Security

    PR flack for the win.

    They always do, regardless of the truth.

  7. Christian Berger

    Of course they need to say that...

    Just imagine Gemalto admitting to their keys being stolen, whenever my mobile phone company sends me a bill I could always say, "It wasn't me who did those phone calls, it was the person Gemalto gave the key to".

    And that's what the security of GSM tries to protect. Making it a bit harder to eavesdrop on calls is just a side effect, the real problem it tries to solve is that people just clone other peoples SIM cards to make calls they don't pay for.

  8. Anonymous Coward
    Anonymous Coward

    It's a shame so much ire is being directed at the victim of this attack and not the perpetrators.

    Whether Gemalto are making themselves an easy target with clumsy PR shouldn't take away from the fact of what really happened here.

    1. Gotno iShit Wantno iShit

      It's a shame so much ire is being directed at the victim of this attack and not the perpetrators.

      1) Spies spy, it's what they do.

      2) This attack is not the same as mass hoovering of metadata; the keys taken cannot be used indiscriminately because they are only used between the handset and base station.

      3) Any attempt at mass hoovering would require intercept equipment in the vicinity of every cell site in the target country. Impractical.

      4) An attack using these keys forces the handset to drop to 2G, if that were happening on a mass scale someone would notice.

      5) These spies have no need of the keys for targets in friendly countries, they can simply request an intercept.

      So this raiding party facilitates targeted attacks against parties of interest in unfriendly countries. Pretty much what GCHQ and the NSA ought to be up to.

      What I am left wondering is why within the EU they needed to go on a raiding party. It should have been possible to acquire what they needed via gagged court orders. Did they suspect a leak that would reveal their actions should they take the legal route?

      1. Anonymous Coward
        Anonymous Coward

        Noooooo. You can't just 'request an intercept' - there is a test of necessity and proportionality to be made and passed. Mass hoovering of keys, including those for individuals for which there is no necessity, is AGAINST THE LAW. In the UK anyways. It is mass hoovering.

        Don't confuse what the legislation says with what those cheeky-eccentric-pipe-smoking-mis-matched-slippers good-ol-english-fair-play-n-cricket only-peeking-at-johnny-foreigner chappies at Cheltenham are supposed to get up to.

        This 'intelligence' hasn't stopped ISIS. It hasn't stopped radicalisation events. It might've stopped terrorist attacks but we just don't know the usefulness proportion of hoovered data versus other forms of intelligence.

        Hey - spies spy! Yeah and eaters eat and drinkers drink! What's your point?

      2. WatAWorld

        An enemy spy is a spy who spies on us.

        Isn't that what GCHQ, the NSA, and CSEC do?

    2. streaky

      It's a shame so much ire is being directed at the victim of this attack and not the perpetrators.

      Whether Gemalto are making themselves an easy target with clumsy PR shouldn't take away from the fact of what really happened here.

      The problem is the NSA/GCHQ op has exposed them for a sham. It's not clumsy PR, it's share price first, security second. From a company that sells crypto products to the financial sector, amongst others.

      Initially it's GCHQ/NSA's fault; we could have been living in ignorance for decades about this. The UK government should be made to pay via a case at the ECJ for financial damage done to the state and costs to rebuild Gemalto with proper procedures in place and the recall/revoke/reissue of all the company's crypto products and keys.

      That last part is where this story gets sketchy because that isn't what's going to happen, and investors have displayed fairly shocking ignorance over these events. Share price is higher today than when the revelations first aired in public, which is just frightening. They're basically claiming that they fought off arguably the two most capable offensive hacker orgs on the planet and won and nobody sensible should believe them.

  9. tom dial Silver badge

    The Gemalto claim that IMSI/Ki data were not stolen from their internal network may be correct, especially if the internal networks where they generate and manage keys are, as they state, isolated from the public internet and they can establish with reasonable certainty that they were not breached.

    The basis for the Intercept's claim seems to be rather insubstantial, consisting of a bullet point on a single PowerPoint slide. Most of the article depends on a management report about a moderately successful research program ("compares favourably with manual results") to collect such information from bulk internet data. Several other items suggest that GCHQ (and perhaps NSA) wanted to get this data directly from the source, but no real indication that they actually were able to do so.

    1. Sir Runcible Spoon

      Sir

      "isolated from the public internet"

      Are you aware of how many ways that could be interpreted? I can think of half a dozen off the top of my head which would mean that the servers could be cracked whilst still maintaining the 'truth' of that statement.

      It's just PR shite to save their stock price or to try and stem the flow of people asking for new SIMs free of charge with new keys.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sir

        We already know that "isolated from the public internet" doesn't mean much, given Stuxnet and similar! That doesn't provide any confidence!

    2. streaky

      especially if the internal networks where they generate and manage keys are, as they state, isolated from the public internet and they can establish with reasonable certainty that they were not breached

      They didn't state this - they said their network is like something to do with onions and that they got into their office network and no further, which is fairly obviously nonsense.

  10. Anonymous Coward
    Anonymous Coward

    Stupid Question

    If the keys were on a network not connected to the internet then how did they get them to their customers?

    In the post??

    1. Anonymous Coward
      Anonymous Coward

      Re: Stupid Question

      It's slippery PR working.

      The keys were stolen, but not from the "high security Gemalto network" where they were created.

      So that limits the possibilities to:

      - the keys were stolen somewhere within Gemalto that is not considered part of the high security network

      - the keys were intercepted in transit between Gemalto and customers

      - the keys were stolen at customer networks

      - all of the above

      - large scale key interception was a concept that never delivered large quantities of keys

      - this was an NSA/GCHQ thought exercise and no actual theft occurred

      And there are probably more options.

      My guess is that the NSA/GCHQ obtained a lot of keys somehow (PR denies something, so assume the opposite is true) and if they all came from Gemalto, then the source is likely to be within Gemalto, based on the number of telcos supposedly compromised, rather than breaches at every telco/transit medium.

      1. tom dial Silver badge

        Re: Stupid Question

        The Intercept says GCHQ and NSA hacked Gemalto's network, and the grammar in the lead paragraph says they stole keys from there. They point, in the second paragraph, to a document they say details the operation, a PowerPoint slide in which the sole reference to Gemalto is:

        "- GEMALTO - successfully implanted several machines and believe we have their entire network - TDSD are working the data"

        Not a lot of detail, and not overly supportive of a claim that they succeeded in getting anything specific. The note containing the remark "very happy with the data so far and [was] working through the vast quantity of product", said to accompany the slide, did not accompany the article - perhaps it was in the blacked-out area of the slide. In that context one might ask why a mass grab of IMSI/Ki data from the source would require any "working through" worth mentioning.

        None of the documents linked in the article mentions the Mobile Handset Exploitation Team. That isn't to say such documents don't exist or that there is no such group, but it seems odd when many of the other claims have links to related documents, especially as the article says its existence had not previously been disclosed.

        The actually meaningful documents linked in the Intercept article describe getting keys by processing mass data collections. They do not state that all, or even a significant fraction, of the IMSI/Ki data was for Gemalto SIMs, although given Gemalto's size many certainly would have been. The number of keys reported in the documents to have been obtained was in the order of half a million, compared to Gemalto's reported (in the Intercept article) two billion annual SIM card production. Most of the documents derived from this one:

        https://firstlook.org/theintercept/document/2015/02/19/pcs-harvesting-scale/

        which describes obtaining IMSI/Ki pairs by examining data intercepted in transit between vendors and carriers or between different carriers. One of the other documents, so called, appears to be an excerpt from a document describing goals:

        https://firstlook.org/theintercept/document/2015/02/19/dapino-gamma-cne-presence-wiki/

        We may reasonably think the agencies desired direct access to Gemalto's and others' key management facilities, but not that they succeeded in getting them.

        There seems generally to be a nearly total lack of scepticism about any claim of NSA, GCHQ, or other Five Eyes sins so long as it makes reference to a document that Edward Snowden is said to have provided.

    2. WatAWorld

      Re: Stupid Question

      "If the keys were on a network not connected to the internet then how did they get them to their customers?"

      Read up on Stuxnet.

      Read up on the Equation Group (The Register hasn't covered this story much).

      http://observer.com/2015/02/equation-group/

      In plain terminology, usually enemy spies put stuff on internet-connected computers that gets hand-carried over to the victim's non-internet connected computers via disks or USB sticks.

      There is also a history of some national intelligence agency intercepting US mail to alter conference proceedings CDs. So intercepting the physical transfer of information by mail or courier.

      But they can also do spying via monitoring energy usage or physically copying the contents of the non-internet connected computers.

      Nothing you can imagine as possible is impossible for the major state-sponsored spy agencies.

      It does not matter how much care you take, the NSA, GCHQ, their Russian, Israeli, French and Chinese counterparts can get at your stuff if they decide you are a target.

      1. tom dial Silver badge

        Re: Stupid Question

        Although they might be a good start, Stuxnet and exploits such as those attributed to the Equation Group are not well suited to extraction and exfiltration of targeted information from a network that is properly isolated, either physically or logically, from the public internet.

        It may be that Gemalto was thoroughly owned and every SIM they produced in the last four or five years is compromised. The Intercept does not exactly say that, but certainly hints at it. However, it also is possible that any hack was, as Gemalto stated, limited to computers connected to their public facing network and that the IMSIs and keys were not compromised except during transfers. Either statement is logically compatible with the documents to which the Intercept article links.

    3. Tom 13

      Re: Stupid Question

      Yes.

      That is, after all, how RSA and others ship physical keys. And if you're building that sort of structure, you buy your PCs and servers, build them out in an isolated secure room, never connect them to the internet, and only use the system to generate the keys, which are then carried out of the room on whatever media they use. So long as the only thing touching the isolated network is the media receiving the keys, you have a reasonable level of confidence it wasn't breached.

  11. Rob Crawford

    Perhaps in an alternate universe

    Maybe it's true and the keys haven't been stolen, because they were handed over?

    There you go, the PR dept are right.

  12. Anonymous Coward
    Anonymous Coward

    Do we have admission of the attacks?

    Because if we do, then the agents, their superiors, the civil servants and the MPs involved should all be brought up on criminal charges.

    There is no excuse for this action. None.

    People should not live in fear of their own governments, governments should live in fear of their voters.

    1. Jimmy2Cows Silver badge
      Pint

      Re: Do we have admission of the attacks?

      Would be nice, but since it'll never happen have an upvote and a beer instead

    2. SolidSquid

      Re: Do we have admission of the attacks?

      I'd agree, but technically Gemalto is a foreign company (Holland based), so the NSA targeting them is less clear cut in terms of remit (I don't agree that they should be allowed to do it, but it's only impacting voters indirectly).

  13. Anonymous Coward
    Anonymous Coward

    To quote The Room: "everything is fine, the fight is over, I'm sorry Mark"...

  14. Conrad Longmore
    Black Helicopters

    Maybe they got a visit..

    Maybe they got a visit from those people in suits and matching black SUVs.

    "Here, let us write the press release for you.."

  15. Keith 12

    They don't really have any other choice ...

    An immediate 10% drop in share price with the revelations didn't leave the company with any other choice but to deny the keys were compromised.

    2 billion SIM cards annual production - let's have a class action as regards our privacy, say various action groups; I want a new one free of charge, I want my money back, etc etc - a total nightmare for the company concerned. We all know that the T&Cs will prevent any of this happening, but the media attention alone ...

    It's the same old, I'm afraid: CPU / motherboard / drives (add your product or service here) - there is absolutely no problem with our product / service, says the supplier (ISPs used to be really good at this) - until it turns out there WAS a problem but it's now fixed.

    Just today, a large Hosting provider notes there is an "unknown" e-mail issue in their service update page - nah, it's not "unknown" at all - at least one of your Mail Servers is currently blacklisted ...

  16. Anonymous Coward
    Anonymous Coward

    HSM?

    I don't know much about Gemalto but surely they must use HSMs and secure rooms etc for key storage?

    If so, any breach of their corporate network shouldn't lead to the keys being compromised. Unless of course access can be gained to the HSMs...

    Maybe Gemalto could verify that the HSM environment wasn't breached?

    1. Anonymous Coward
      Anonymous Coward

      Re: HSM?

      They bought SafeNet ... they'd better have an HSM. SafeNet uses their own HSM for their corporate CA.

  17. phil dude
    Black Helicopters

    more paranoia...

    Of course, it could be the NSA has an external method of cracking the keys, and this is the parallel construction...

    Any chili sauce to go with that goose leg?

    P.

  18. batfastad
    Black Helicopters

    Move along, nothing to see here

    If the secret police want to be all up in your sh*t, they don't need to hack.

    Carry on as you were everyone... says the secret warrant issued by a secret court.

  19. tom dial Silver badge

    It is interesting that these articles and comments always seem to come back to the NSA. In the documents the Intercept article linked, in fact, the only occurrence of "NSA" was in connection with GCHQ referring recovered IMSI/Ki data for Somali carriers to them, since GCHQ had little interest in it. The article made additional statements not supported by links to documents.

    Certainly the NSA has been up to a lot, but in this case the actor appears to have been GCHQ.
