A Dutch SIM-card maker allegedly targeted by British and U.S. spying agencies says it believes there was a hacking operation, but it didn’t result in a massive privacy leak.
Netherlands-based Gemalto, a maker of SIM cards used in mobile phones and credit cards, said Wednesday that an internal investigation “gives us reasonable grounds to believe” an operation by the U.S. National Security Agency and its British counterpart “probably happened.”
The operation was reported last week on the website The Intercept using documents supplied by Edward Snowden.
Gemalto, a supplier to major mobile-phone operators including AT&T, T-Mobile, Verizon and Sprint, says the attacks in 2010 and 2011 “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys.”
Gemalto said it had established a secure transfer system with its customers by 2010, and that the spy agencies would have been able to steal the encryption keys that permit them to listen in on conversations “only in rare exceptions.”
Any surveillance undertaken with stolen keys would have affected only the older 2G networks, Gemalto said, as more-recent 3G and 4G networks are not vulnerable to this type of attack.
“When we redesigned the 3G and 4G systems, we made sure that if a key was intercepted in transit like it was attempted, it would be useless, and this is why 3G and 4G are immune to this type of attack,” said Gemalto Chief Executive Olivier Piou.
In addition to SIM cards, Gemalto is a leading maker of encryption systems for other business and industrial uses, including electronic-payment processing and “smart” key cards that businesses and government agencies use to restrict access to computers or other sensitive facilities.
The Intercept offered no details on how the intelligence agencies employed the eavesdropping capability and no evidence that they misused it to spy on people who weren’t valid intelligence targets.