Following reports that the UK's GCHQ had hacked into SIM card maker Gemalto's systems to steal the encryption keys burned into its SIMs, which would let the agency eavesdrop at will on 3G and 4G calls and data over the air, the company has issued a statement that can at best be described as clueless and at worst as being in denial.
Gemalto makes over two billion mobile phone SIM cards a year for over 450 networks. It is the world’s largest SIM card maker with 28.6% of the market.
Gemalto said that it had logged and thwarted attacks over many years and that there was no link between those attacks and the ones published by The Intercept.
It also said that the target was not Gemalto per se, but an attempt to cast the widest net possible to reach as many mobile phones as possible.
“Gemalto is devoting the necessary resources to investigate and understand the scope of such sophisticated techniques. Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the company doesn't expect to endure a significant financial prejudice,” the statement concluded.
In other words, it said that the attack never happened, if it happened it was not targeted at Gemalto but the entire industry, and that its security products are all good.
Oh, and perhaps most importantly of all, that it will not lose much money from the incident.
Before the publication of The Intercept's piece, Gemalto shares were trading at €72.70; by the end of that day they had fallen to €67.10, a loss of roughly 8% in a single session. They have since rebounded to €69.50, which suggests the markets are inclined to give Gemalto the benefit of the doubt.
I floated the response among some of my friends in the infosec community to see what they thought of Gemalto’s official response.
Matthew Green, Assistant Research Professor at the Johns Hopkins Information Security Institute, summed it up nicely, “the problem for Gemalto is that their business is built on trust. Trust is earned, not asserted. Right now its internal and highly-specific GCHQ documents vs. vague PR denials. There's no contest.”
He did however point out that one week was not a long enough period of time to conduct a proper forensic analysis.
Caspar Bowden, an independent privacy advocate, formerly of Microsoft, said the Gemalto response was, “standard evasive irresponsible PR balls,” and said that yes, I could quote him on that.
Bowden also noted that the Gemalto statement used the word "are", suggesting that the SIM cards are secure today and going forward.
The Bangkok-based infosec expert known only as The Grugq said that Gemalto essentially said, “we still make the best safes, just never mind that the combination to the safe was stolen.”
He also noted that the attention was focusing on over-the-air encryption through SIM cards. That would be a moot point in many networks if GCHQ’s claim to have access to many telcos’ unencrypted core networks is true.
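The Grugq's safe analogy is the crux of the matter, so here is a worked illustration of it. This is an added example and not code from the article, from Gemalto or from any operator: the long-term key Ki, the RAND challenge and the message are constructed values, and HMAC-SHA256 is used as a stand-in for the real SIM key-agreement (A8 / MILENAGE) and air-interface ciphers (A5 / KASUMI), which are not implemented here. What it shows is the property that matters: RAND is sent in the clear, so anyone holding Ki can re-derive the per-call session key from what they overhear, without ever talking to the network, and no change to the cipher (the "safe") helps until the SIM is re-issued with a fresh Ki (the "combination").

```python
import hashlib
import hmac
import os

# Constructed example values (not real subscriber data).  Ki lives in the
# SIM and in the operator's authentication centre; nobody else should have it.
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")
MESSAGE = b"Meet at the usual place at nine."
FRAME_SIZE = 8


def derive_session_key(ki: bytes, rand: bytes) -> bytes:
    """Toy key agreement (assumption: HMAC stands in for A8 / MILENAGE f3).
    The only secret input is Ki; RAND is broadcast in the clear."""
    return hmac.new(ki, b"session-key" + rand, hashlib.sha256).digest()


def keystream(session_key: bytes, frame_no: int, length: int) -> bytes:
    """Toy per-frame keystream (assumption: stands in for A5/3 or KASUMI)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = frame_no.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(session_key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_frame(session_key: bytes, frame_no: int, data: bytes) -> bytes:
    """Stream-cipher a frame; the same call decrypts."""
    ks = keystream(session_key, frame_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def air_interface_exchange(ki_in_sim: bytes, ki_in_auc: bytes, plaintext: bytes):
    """Everything a passive radio listener can capture: the RAND challenge
    (in the clear) and the ciphered frames that follow it."""
    rand = os.urandom(16)
    kc_network = derive_session_key(ki_in_auc, rand)
    kc_phone = derive_session_key(ki_in_sim, rand)
    if kc_network != kc_phone:
        raise ValueError("authentication failed: SIM and AuC disagree on Ki")
    frames = []
    for frame_no, start in enumerate(range(0, len(plaintext), FRAME_SIZE)):
        chunk = plaintext[start:start + FRAME_SIZE]
        frames.append((frame_no, xor_frame(kc_phone, frame_no, chunk)))
    return rand, frames


def passive_decrypt(stolen_ki: bytes, rand: bytes, frames) -> bytes:
    """The eavesdropper never transmits: from the overheard RAND it re-derives
    the very session key the SIM computed, then peels off every frame."""
    kc = derive_session_key(stolen_ki, rand)
    return b"".join(xor_frame(kc, frame_no, ct) for frame_no, ct in frames)


def eavesdrop_succeeds(stolen_ki: bytes, reissue_sim: bool = False) -> bool:
    """True if a listener holding `stolen_ki` recovers the call.  With
    reissue_sim=True the subscriber gets a SIM with a fresh Ki, which is the
    only remedy this model offers; a new RAND per call is no defence."""
    ki_current = os.urandom(16) if reissue_sim else KI
    rand, frames = air_interface_exchange(ki_current, ki_current, MESSAGE)
    return passive_decrypt(stolen_ki, rand, frames) == MESSAGE


if __name__ == "__main__":
    print("stolen Ki, same SIM   :", eavesdrop_succeeds(KI))
    print("stolen Ki, re-issued  :", eavesdrop_succeeds(KI, reissue_sim=True))
```

Run it a few times: the first line stays True on every call even though the network picks a new RAND each time, which is why Gemalto's assurance that its products "are secure" answers the wrong question. The second line is False because the key the listener holds no longer matches anything in the field.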
But what strikes me as surprising is how reluctant most telcos seem to be even to address the matter. One would have thought they would jump to the defence of their subscribers and pledge to do anything and everything to secure their networks.
True, nobody wants to make an enemy of the US government with gung-ho political statements, but telcos have an interest in restoring trust. The alternative is the acceleration of their descent into a dumb pipe in favour of end-to-end encrypted voice solutions such as the ZRTP protocol or dedicated apps such as RedPhone.
It is one thing trying to sell a product with an inferior user experience (think SMS versus your favourite instant-messaging app) but to have its security blown out of the water too would likely seal its doom.
One can look back at what happened to Cisco and IBM in the wake of the original Snowden revelations: by the end of 2013, Cisco stock had fallen 11% and its sales in China had plummeted 10%, while IBM's sales in China were down 22% because of mistrust of US products.
Facebook CEO Mark Zuckerberg said back then that the US government had blown it when it came to the NSA surveillance and it did nothing to help American Internet firms trying to do business globally.
The same would hold true for Europe if the UK's GCHQ is allowed free rein to conduct espionage in fellow, friendly European countries without any consequence. In this case it targeted innocent individuals, Gemalto engineers, simply because they knew something that could be useful.
Earlier, GCHQ targeted engineers at Belgium's Belgacom who had access to its core network, and how can we forget how the NSA spied on German Chancellor Angela Merkel's phone. Well, everyone else remembers it except Merkel herself, who does not seem too bothered by the intrusion.
The standard answer when politicians are asked to rein in spy agencies is that they are protecting us against the four horsemen of the infocalypse: drug dealers, money launderers, terrorists and paedophiles. In the case of Thailand one could add anti-royalists. But at what cost is this security? More and more innocent people are being caught up in the dragnet. Journalists, human rights lawyers and activists have long been fair game in the name of national security, and now we are seeing the spy agencies target innocent engineers just because they are a means to an end, not because they have done anything wrong or even know of someone who might have committed a crime.
Is spying for national security so valuable that the security establishment is ready to destroy entire industries just to be able to catch it all?
Last night the Edward Snowden documentary Citizenfour won the Academy Award for best documentary. In her acceptance speech, Laura Poitras said, "The disclosures that Edward Snowden revealed don't only expose a threat to our privacy but to our democracy itself."
I could not agree more.