{"id":54434,"date":"2015-03-02T12:00:19","date_gmt":"2015-03-02T12:00:19","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=54434"},"modified":"2015-05-05T21:26:02","modified_gmt":"2015-05-05T20:26:02","slug":"gemalto-doesnt-know-what-it-doesnt-know","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/03\/gemalto-doesnt-know-what-it-doesnt-know\/","title":{"rendered":"Gemalto Doesn\u2019t Know What It Doesn\u2019t Know"},"content":{"rendered":"<div id=\"attachment_54435\" style=\"width: 360px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-ceo-scahill-sim-cellphone-heist-surveillance-usa-nsa-gchq-spying.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54435\" class=\"wp-image-54435\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-ceo-scahill-sim-cellphone-heist-surveillance-usa-nsa-gchq-spying.jpg\" alt=\"Gemalto CEO Olivier Piou shows a cellphone SIM card before a press conference on February 25, 2015 in Paris. 
Photo: Kenzo Tribouillard\/AFP\/Getty Images\" width=\"350\" height=\"233\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-ceo-scahill-sim-cellphone-heist-surveillance-usa-nsa-gchq-spying.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-ceo-scahill-sim-cellphone-heist-surveillance-usa-nsa-gchq-spying-300x199.jpg 300w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\" \/><\/a><p id=\"caption-attachment-54435\" class=\"wp-caption-text\">Gemalto CEO Olivier Piou shows a cellphone SIM card before a press conference on February 25, 2015 in Paris.<br \/> Photo: Kenzo Tribouillard\/AFP\/Getty Images<\/p><\/div>\n<p><em>25 Feb 2015 &#8211; <\/em>Gemalto, the French-Dutch digital security giant, confirmed that it believes American and British spies were behind a \u201cparticularly sophisticated intrusion\u201d of its internal computer networks, <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/02\/19\/great-sim-heist\/\" >as reported by <em>The Intercept<\/em> last week<\/a>.<\/p>\n<p>This morning, the company tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys \u2014 and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.<\/p>\n<p>Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after <em>The Intercept<\/em> six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.<\/p>\n<p>The company was eager to address the claims that its systems and encryption keys had been massively compromised. 
At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.<\/p>\n<p>After the brief investigation, Gemalto now says that the NSA and GCHQ operations in 2010-2011 would not allow the intelligence agencies to spy on 3G and 4G networks, and that theft would have been rare after 2010, when it deployed a \u201csecure transfer system.\u201d The company also said the spy agency hacks only affected \u201cthe outer parts of our networks \u2014\u00a0our office networks \u2014 which are in contact with the outside world.\u201d<\/p>\n<p>Security experts and cryptography specialists immediately challenged Gemalto\u2019s claim to have done a \u201cthorough\u201d investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces.<\/p>\n<p>\u201cGemalto learned about this five-year-old hack by GCHQ when <em>The Intercept<\/em> called them up for a comment last week. That doesn\u2019t sound like they\u2019re on top of things, and it certainly suggests they don\u2019t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,\u201d says Christopher Soghoian, the chief technologist at the American Civil Liberties Union. He adds that Gemalto remains \u201ca high-profile target for intelligence agencies.\u201d<\/p>\n<p>Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, \u201cThis is an investigation that seems mainly designed to produce positive statements. 
It is not an investigation at all.\u201d<\/p>\n<p>In its <a target=\"_blank\" href=\"http:\/\/www.gemalto.com\/press\/Pages\/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx\" >statement<\/a>, Gemalto asserted:<\/p>\n<p><em>\u201cWhile the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.<\/em><\/p>\n<p><em>It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.\u201d<\/em><\/p>\n<p>But security and encryption experts told <em>The Intercept<\/em> that Gemalto\u2019s statements about its investigation contained a significant error about cellphone technology. The company also made sweeping, overly optimistic statements about the security and stability of Gemalto\u2019s networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees. \u201cTheir \u2018investigation\u2019 seems to have consisted of asking their security team which attacks they detected over the past few years. 
That isn\u2019t much of an investigation, and it certainly won\u2019t reveal successful nation-state attacks,\u201d says the ACLU\u2019s Soghoian.<\/p>\n<p>Security expert Ronald Prins, co-founder of the Dutch firm Fox IT, told <em>The Intercept<\/em>, \u201cA true forensic investigation in such a complex environment is not possible in this time frame.\u201d<\/p>\n<p>\u201cA damage assessment is more what this looks like,\u201d he added.<\/p>\n<p>In a written presentation of its findings, Gemalto claims that \u201cin the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable.\u201d Gemalto also referred to its own \u201ccustom algorithms\u201d and other, unspecified additional security mechanisms on top of the 3G and 4G standards.<\/p>\n<p>Green, the Johns Hopkins cryptography specialist, said Gemalto\u2019s claims are flatly incorrect.<\/p>\n<p>\u201cNo encryption mechanism stands up to key theft,\u201d Green says, \u201cwhich means Gemalto is either convinced that the additional keys could not also have been stolen or they\u2019re saying that their mechanisms have some proprietary \u2018secret sauce\u2019 and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That\u2019s a deeply worrying statement.\u201d<\/p>\n<p>\u201cI think you could make that statement against some gang of Internet hackers,\u201d Green adds. \u201cBut you don\u2019t get to make it against nation state adversaries. It simply doesn\u2019t have a place in the conversation. 
They are saying that NSA\/GCHQ could not have breached those technologies due to \u2018additional encryption\u2019 mechanisms that they don\u2019t specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.\u201d<\/p>\n<p>In a press conference today in Paris, Gemalto\u2019s CEO, Olivier Piou, said his company will not take legal action against the NSA and GCHQ. \u201cIt\u2019s difficult to prove our conclusions legally, so we\u2019re not going to take legal action,\u201d he said. \u201cThe history of going after a state shows it is costly, lengthy and rather arbitrary.\u201d<\/p>\n<p>There has been significant commercial pressure and political attention placed on Gemalto since <em>The Intercept<\/em>\u2019s report. Wireless network providers on multiple continents demanded answers and some, like Deutsche Telekom, took immediate action to change their encryption algorithms on Gemalto-supplied SIM cards. The Australian Privacy Commissioner has launched an investigation and several members of the European Union parliament and Dutch parliament have asked individual governments to launch investigations. German opposition lawmakers say they are initiating a probe into the hack as well.<\/p>\n<p>On Wednesday, Gerard Schouw, a member of the Dutch parliament, <a target=\"_blank\" href=\"https:\/\/www.documentcloud.org\/documents\/1676744-dutch-parliamentary-questions-gemalto.html\" >submitted formal questions<\/a> about the Gemalto hack and the findings of the company\u2019s internal investigation to the interior minister. \u201cWill the Minister address this matter with the Ambassadors of the United States and the United Kingdom? If not, why is the Minister not prepared to do so? If so, when will the Minister do this?\u201d Schouw asked. 
\u201cHow does the Minister assess the claim by Gemalto that the attack could only lead to wiretapping 2G-network connections, and that 3G and 4G-type networks are not susceptible to this kind of hacks?\u201d<\/p>\n<p>China Mobile, which uses Gemalto SIM cards, has more wireless network customers than any company in the world. This week it announced it was investigating the breach and the Chinese government said it was \u201cconcerned\u201d about the Gemalto hack. \u201cWe are opposed to any country attempting to use information technology products to conduct cyber surveillance,\u201d Foreign Ministry spokesman Hong Lei said. \u201cThis not only harms the interests of consumers but also undermines users\u2019 confidence.\u201d He\u00a0did not mention that China itself engages in widespread, state-sponsored hacking.<\/p>\n<p>While Gemalto is clearly trying to calm its investors and customers, security experts say the company\u2019s statements appear intended to reassure the public about the company\u2019s security rather than to demonstrate that it is taking the breach seriously.<\/p>\n<p>The documents published by <em>The Intercept<\/em> relate to hacks done in 2010 and 2011. The idea that spy agencies are no longer targeting the company \u2014 and its competitors \u2014 with more sophisticated intrusions, according to Soghoian, is ridiculous. \u201cGemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto\u2019s security team may want to keep looking, not just for GCHQ and NSA, but also, for the Chinese, Russians and Israelis too,\u201d he said.<\/p>\n<p>Green, the Johns Hopkins cryptographer, says this hack should be \u201ca wake-up call that manufacturers are considered valuable targets by intelligence agencies. There\u2019s a lot of effort in here to minimize and deny the impact of some old attacks, but who cares about old attacks? 
What I would like to see is some indication that they\u2019re taking this seriously going forward, that they\u2019re hardening their systems and closing any loopholes \u2014 because loopholes clearly existed. That would make me enormously more confident than this response.\u201d<\/p>\n<p>Green says that the Gemalto hack evidences a disturbing trend that is on the rise: the targeting of innocent employees of tech firms and the companies themselves. (The same tactic was used by GCHQ in its <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/12\/13\/belgacom-hack-gchq-inside-story\/\" >attack on Belgian telecommunications company Belgacom<\/a>.)<\/p>\n<p>\u201cOnce upon a time we might have believed that corporations like this were not considered valid targets for intelligence agencies, that GCHQ would not go after system administrators and corporations in allied nations. All of those assumptions are out the window, so now we\u2019re in this new environment, where everyone is a valid target,\u201d he says. \u201cIn computer security, we talk about \u2018threat models,\u2019 which is a way to determine who your adversary is, and what their capabilities are. This news means everyone has to change their threat model.\u201d<\/p>\n<p>______________________________<\/p>\n<p><em>Additional reporting by Ryan Gallagher. Josh Begley contributed to this report.<\/em><\/p>\n<p><em>Email the author: <a href=\"mailto:jeremy.scahill@theintercept.com\">jeremy.scahill@theintercept.com<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/02\/25\/gemalto-doesnt-know-doesnt-know\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>25 Feb 2015 &#8211; Gemalto, the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. 
In the secret documents, provided by Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-54434","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/54434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=54434"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/54434\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=54434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=54434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=54434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}