Gemalto downplays impact of NSA and GCHQ hacks on its SIM cards

Dutch digital security firm Gemalto, which is the world’s biggest manufacturer of SIM cards, has reported back on internal investigations triggered by last week’s revelations about the NSA and GCHQ hacking into its systems and stealing encryption keys that are supposed to protect phone users’ communications.

On Wednesday Gemalto said it reckoned a series of intrusions into its systems in 2010 and 2011 could have matched up with the attacks described in documents leaked by Edward Snowden and published by The Intercept. However, it downplayed the impact of the attacks on its systems and SIM encryption key transfer mechanisms, hinting that the methods described in the documents were more likely to have affected its rivals.

For a start, Gemalto said these attacks, which involved the “cyberstalking” of some of its employees in order to penetrate its systems, only affected its office networks:

The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data…

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents.

Regarding that method of targeting encryption keys in transit, Gemalto said it had put in place “highly secure exchange processes” before 2010, which explained why the documents noted how the NSA and GCHQ failed to steal the keys for certain Pakistani networks.

The company said that at the time “these data transmission methods were not universally used and certain operators and suppliers had opted not to use them,” though Gemalto itself used them as standard practice, barring “exceptional circumstances.” In other words, Gemalto does it right (most of the time) while other suppliers may not have been so cautious.

Gemalto, whose stock price was whacked by last week’s revelations, also said that the attacks could only have affected 2G SIM cards, due to enhanced security measures introduced in 3G and 4G versions. “Gemalto will continue to monitor its networks and improve its processes,” it added. “We do not plan to communicate further on this matter unless a significant development occurs.”

On Tuesday, another SIM card vendor, Germany’s Giesecke & Devrient (G&D), said last week’s report had prompted it to “introduce additional measures to review the established security processes together with our customers.”

Levitation program tracked file-sharing sites, Snowden doc shows

The Canadian spy agency CSE monitors activity across over 100 free file upload sites, a newly-revealed PowerPoint document from NSA whistleblower Edward Snowden’s cache has shown.

The document describing CSE’s Levitation program was published on Wednesday by The Intercept, reporting alongside Canadian broadcaster CBC. Although Canada has long been known to be a member of the core Anglophone “Five Eyes” spying club, this is the first Snowden revelation putting it at the forefront of one of the Eyes’ mass surveillance programs.

At the time the presentation was written, CSE’s agents were using an internet cable-tap program called Atomic Banjo to collect HTTP metadata for 102 cyberlocker sites, including Sendspace and Rapidshare, and were sifting 10-15 million “events” each day to find “about 350 interesting download events per month.” And yes, this meant filtering out loads of TV shows and the like.

According to the presentation, the technique yielded a “German hostage video” (the hostage was killed, according to The Intercept) and an “AQIM [Algerian al-Qaeda] hostage strategy”.

In total, there were 2,200 file addresses that effectively acted as traps once CSE had identified them. Once the agents have an IP address for someone downloading a suspect file, they run it through GCHQ’s Mutant Broth tool to see which ad cookies have been tracking that user (insecure marketing technologies provide an easy vehicle for spying efforts), what their likely Facebook ID is, and so on.
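To make the funnel described in the last two paragraphs concrete, here is an added illustration (not CSE code, and not from the Snowden documents) of the three steps the reporting lays out: narrow raw HTTP metadata to cyberlocker traffic, discard obvious entertainment noise, match what is left against a set of known “trap” file addresses, and then pivot from the downloader’s IP address to the ad cookies seen from it. The host list beyond Sendspace and Rapidshare, the trap URLs, the log records and the cookie names are all constructed for the example. The time window on the cookie pivot is my own addition: the page does not say how Mutant Broth bounds its lookups, but without some bound a dynamically reassigned consumer IP would pull in other people’s cookies.

```python
"""Constructed model of the Levitation-style funnel described in the reporting.
Added example; not CSE's code. All hosts (beyond Sendspace/Rapidshare), URLs,
log records and cookie values are made up for illustration."""
from datetime import datetime, timedelta
import re

# Constructed watchlist of cyberlocker hosts (the report cites 102 of them).
CYBERLOCKER_HOSTS = {"sendspace.com", "rapidshare.com", "locker.example"}

# Constructed "trap" file addresses (the report says CSE held about 2,200).
TRAP_URLS = {
    "http://sendspace.com/file/a1b2c3",
    "http://rapidshare.com/files/998877/plan.pdf",
}

# Crude filter for the TV-episode downloads the report says were discarded as noise.
NOISE_RE = re.compile(r"S\d{2}E\d{2}|\.(mkv|avi|mp4)$", re.IGNORECASE)

# Constructed HTTP metadata records: (timestamp, client IP, Host header, request path).
DOWNLOAD_EVENTS = [
    ("2015-01-27T10:00:00", "203.0.113.5", "sendspace.com", "/file/a1b2c3"),
    ("2015-01-27T10:01:00", "198.51.100.7", "rapidshare.com", "/files/123/Show.S01E02.mkv"),
    ("2015-01-27T10:02:00", "198.51.100.7", "example.org", "/index.html"),
    ("2015-01-27T11:30:00", "203.0.113.5", "rapidshare.com", "/files/998877/plan.pdf"),
    ("2015-01-27T12:00:00", "192.0.2.9", "sendspace.com", "/file/zzz999"),
]

# Constructed third-party ad-cookie sightings from the same tap: (timestamp, client IP, cookie).
AD_COOKIE_SIGHTINGS = [
    ("2015-01-27T09:55:00", "203.0.113.5", "adnet_uid=7f3e"),
    ("2015-01-27T10:03:00", "203.0.113.5", "tracker_id=abc1"),
    ("2015-01-26T10:03:00", "203.0.113.5", "adnet_uid=stale"),  # a day earlier; IP may have been reassigned
    ("2015-01-27T12:01:00", "192.0.2.9", "adnet_uid=0000"),
]


def funnel(events):
    """Narrow raw HTTP metadata to trap hits; returns per-stage counts plus the hits."""
    locker = [e for e in events if e[2].lower() in CYBERLOCKER_HOSTS]
    signal = [e for e in locker if not NOISE_RE.search(e[3])]
    hits = [e for e in signal if f"http://{e[2].lower()}{e[3]}" in TRAP_URLS]
    return {
        "total": len(events),
        "cyberlocker": len(locker),
        "after_noise_filter": len(signal),
        "trap_hits": len(hits),
        "hits": hits,
    }


def pivot_to_cookies(ip, when, sightings, window=timedelta(hours=2)):
    """Return ad cookies seen from `ip` within `window` of the download (the Mutant Broth-style step).

    The window is an assumption of this example: consumer IPs are reassigned, so an
    unbounded join would attribute other subscribers' cookies to the downloader."""
    t0 = datetime.fromisoformat(when)
    return {
        cookie
        for ts, src_ip, cookie in sightings
        if src_ip == ip and abs(datetime.fromisoformat(ts) - t0) <= window
    }


def investigate(events=DOWNLOAD_EVENTS, sightings=AD_COOKIE_SIGHTINGS):
    """Run the funnel, then pivot every trap hit to the cookies that identify the client."""
    result = funnel(events)
    leads = {}
    for ts, ip, _host, _path in result["hits"]:
        leads.setdefault(ip, set()).update(pivot_to_cookies(ip, ts, sightings))
    return result, leads


if __name__ == "__main__":
    stages, leads = investigate()
    print({k: v for k, v in stages.items() if k != "hits"})
    print(leads)
```

On the constructed input, five records shrink to two trap hits, both from the same client, and the pivot ties that client to two tracker cookies while ignoring a sighting from the previous day. The lesson for defenders is the one the article hints at: the identification step does not depend on the cyberlocker at all, only on third-party cookies that happen to traverse the same tap unencrypted.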

Sendspace told CBC that no one had permission to trawl its service for data, and internet policy lawyer Tamir Israel told the broadcaster that the program was potentially very intrusive, as CSE (known until last year as CSEC) could pick whichever documents it wanted.