Cellphone chip maker confirms U.S., UK hack, denies theft

The cellphone chipmaker that U.S. and United Kingdom spies reportedly hacked has confirmed the intrusion, but claims its valuable encryption data was not stolen.

Documents leaked by Edward Snowden revealed that the National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ), had broken into Dutch company Gemalto to steal data that allowed the agencies to decrypt cellphone communications.

ADVERTISEMENT
Gemalto manufactures SIM cards — which help encrypt a cellphone’s data — for major cellphone service providers like AT&T and Verizon. Shortly after the hacking reports surfaced, the company started investigating the incident.

“We can confirm that we experienced many attacks,” Gemalto said in a statement. However, “the attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys.”

With SIM encryption keys, security experts said the NSA and GCHQ would have the ability to eavesdrop on billions of phones around the world.

Gemalto said the company had installed measures by 2010 to stymie the type of cyberattack the spy agencies were using. The Dutch firm believes the hacking occurred in 2010 and 2011.

“The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally,” the company said. “By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.”

Even if U.S. and UK agents were able to make off with SIM encryption keys, Gemalto said it would only be able to use the information to decrypt communications on 2G mobile networks.

For the past several years, most phones have moved to 3G and 4G networks, which “are not vulnerable to this type of attack,” the chip maker said.

Gemalto also warned other manufacturers.

The leaked NSA documents, the company said, reveal the NSA and GCHQ were also trying to infiltrate “numerous parties beyond Gemalto."

Gemalto was simply "the target of choice" as the biggest chip maker, it said.