(Adds Gemalto CEO quotes)
By Nicholas Vinocur and Eric Auchard
PARIS/FRANKFURT Feb 25 U.S. and British spies
are likely to have hacked into SIM card maker Gemalto
in an attempt to steal codes that protect the privacy of
billions of mobile phone users, the company said, as it sought
to downplay the impact and ruled out legal action.
The Franco-Dutch firm was responding to a report on an
investigative news website that said the hack allowed Britain's
GCHQ and the U.S. National Security Agency (NSA) to potentially
monitor the calls, texts and emails of cellphone users around
the world.
"The facts are hard to prove from a legal perspective and
... the history of going after a state shows it is costly,
lengthy and rather arbitrary," Gemalto Chief Executive Olivier
Piou told a news conference in Paris to discuss the findings of
its own investigation into the alleged hacking in 2010 and 201l.
"How many (SIM security codes) have been stolen, that's
difficult to say. How many have been used, that's even harder to
say," he told reporters.
Gemalto - the world's biggest maker of SIM (Subscriber
Identity Module) cards, now producing nearly 2 billion a year -
said the attack "probably happened" but that it "could not have
resulted in a massive theft of SIM encryption keys".
It said the operation aimed to intercept encryption keys
that unlock mobile phone SIM cards while they were being shipped
from its production facilities to mobile network operators
worldwide. SIMs are miniature cards that are used to uniquely
identify phones and computer data cards on a network.
Piou said the firm had not contacted the U.S. or British
intelligence agencies because doing so would have been a "waste
of time" and that it did not plan to take any legal action, as
chances of success were virtually non-existent.
A spokeswoman for Britain's GCHQ (Government Communication
Headquarters) said on Wednesday that it did not comment on
intelligence matters. The NSA could not be immediately reached
for comment.
The alleged hacking was reported last week by website The
Intercept, which cited documents leaked to it by former NSA
contractor Edward Snowden. (bit.ly/19E0KUK)
Such an incursion, if confirmed, could have expanded the
scope of known mass surveillance methods available to U.S. and
British spy agencies to include not just email and web traffic,
as previously revealed, but also mobile communications.
SOPHISTICATED
The attacks targeted email correspondence between Gemalto
and some of the world's largest network equipment makers,
including Ericsson and Nokia, but
primarily China's Huawei, the documents said.
Stolen key codes were vacuumed up on their way to network
operators located mainly in Afghanistan, Somalia, Yemen, Iran
and the Gulf States, but also involved countries ranging from
Vietnam, Zimbabwe and Italy to Iceland, the documents said.
In the biggest example, the documents say 300,000 SIM codes
destined for phone subscribers in Somalia were snatched.
Gemalto said it had never sold SIM cards to four of the 12
operators listed in the documents - naming a Somali carrier as
one of those four.
It also said only older model phones that are widely used in
emerging markets might have been affected and that more advanced
3G and 4G networks were not vulnerable to this type of attack.
"By 2010, Gemalto had already widely deployed a secure
transfer system with its customers and only rare exceptions to
this scheme could have led to theft," it said.
Even so billions of connections are still made using 2G
phones, with GlobalComms forecasting 3.5 billion connections in
2018, almost the same as for 3G phones that handle not just
calls and text messages but also video and Web surfing.
Gemalto confirmed that it had experienced many attacks in
2010 and 2011 and that it had found two particularly
sophisticated intrusions that only states could muster and which
matched the attacks described in the Intercept's report.
The company's statement outlining the likely limits of the
hack helped lift its shares 3.1 percent in late afternoon
trading in Amsterdam to 71.54 euros, marking a full recovery
from losses of as much as 10 percent last Friday following the
publication of The Intercept report.
(Reporting by Nicholas Vinocur, Cyril Altmehyer and James Regan
in Paris, Kate Holton in London, Noor Zainab Hussain in
Bangalore; Writing by Eric Auchard; Editing by Andrew Callus and
Pravin Char)