PARIS/FRANKFURT (Reuters) - U.S. and British spies are likely to have hacked into SIM card maker Gemalto in an attempt to steal codes that protect the privacy of billions of mobile phone users, the company said, as it sought to downplay the impact and ruled out legal action.
The Franco-Dutch firm was responding to a report on an investigative news website that said the hack allowed Britain’s GCHQ and the U.S. National Security Agency (NSA) to potentially monitor the calls, texts and emails of cellphone users around the world.
“The facts are hard to prove from a legal perspective and ... the history of going after a state shows it is costly, lengthy and rather arbitrary,” Gemalto Chief Executive Olivier Piou told a news conference in Paris to discuss the findings of its own investigation into the alleged hacking in 2010 and 201l.
“How many (SIM security codes) have been stolen, that’s difficult to say. How many have been used, that’s even harder to say,” he told reporters.
Gemalto - the world’s biggest maker of SIM (Subscriber Identity Module) cards, now producing nearly 2 billion a year - said the attack “probably happened” but that it “could not have resulted in a massive theft of SIM encryption keys”.
It said the operation aimed to intercept encryption keys that unlock mobile phone SIM cards while they were being shipped from its production facilities to mobile network operators worldwide. SIMs are miniature cards that are used to uniquely identify phones and computer data cards on a network.
Piou said the firm had not contacted the U.S. or British intelligence agencies because doing so would have been a “waste of time” and that it did not plan to take any legal action, as chances of success were virtually non-existent.
A spokeswoman for Britain’s GCHQ (Government Communication Headquarters) said on Wednesday that it did not comment on intelligence matters. The NSA could not be immediately reached for comment.
The alleged hacking was reported last week by website The Intercept, which cited documents leaked to it by former NSA contractor Edward Snowden. (bit.ly/19E0KUK)
Such an incursion, if confirmed, could have expanded the scope of known mass surveillance methods available to U.S. and British spy agencies to include not just email and web traffic, as previously revealed, but also mobile communications.
The attacks targeted email correspondence between Gemalto and some of the world’s largest network equipment makers, including Ericsson and Nokia, but primarily China’s Huawei [HWT.UL], the documents said.
Stolen key codes were vacuumed up on their way to network operators located mainly in Afghanistan, Somalia, Yemen, Iran and the Gulf States, but also involved countries ranging from Vietnam, Zimbabwe and Italy to Iceland, the documents said.
In the biggest example, the documents say 300,000 SIM codes destined for phone subscribers in Somalia were snatched.
Gemalto said it had never sold SIM cards to four of the 12 operators listed in the documents - naming a Somali carrier as one of those four.
It also said only older model phones that are widely used in emerging markets might have been affected and that more advanced 3G and 4G networks were not vulnerable to this type of attack.
“By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft,” it said.
Even so billions of connections are still made using 2G phones, with GlobalComms forecasting 3.5 billion connections in 2018, almost the same as for 3G phones that handle not just calls and text messages but also video and Web surfing.
Gemalto confirmed that it had experienced many attacks in 2010 and 2011 and that it had found two particularly sophisticated intrusions that only states could muster and which matched the attacks described in the Intercept’s report.
The company’s statement outlining the likely limits of the hack helped lift its shares 3.1 percent in late afternoon trading in Amsterdam to 71.54 euros, marking a full recovery from losses of as much as 10 percent last Friday following the publication of The Intercept report.
Reporting by Nicholas Vinocur, Cyril Altmehyer and James Regan in Paris, Kate Holton in London, Noor Zainab Hussain in Bangalore; Writing by Eric Auchard; Editing by Andrew Callus and Pravin Char