Gemalto – the largest SIM card manufacturer on the planet – has denied reports claiming the NSA had the ability to capture and store the encryption keys that protect SIM cards. The company has denied the breach and explained that 3G and 4G networks were unaffected.
Recent reports stated that any phone using a Gemalto SIM card was at risk of having its encryption keys stolen, claiming the NSA and GCHQ have been able to decrypt cell phone signals mid-air or remotely implant malware on hardware. Having access to these encryption keys would result in global privacy ramifications, as Gemalto produces 2 billion SIM cards every year for over 450 carriers including AT&T, Sprint and Verizon.
While Gemalto does not deny that such an operation by the NSA and GCHQ most likely happened, the company has issued a press release explaining the attack would have “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys.”
“It is extremely difficult to remotely attack a large number of SIM cards on an individual basis,” explains Gemalto. “This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators.”
Gemalto claims the attempt to intercept encryption keys while they were being exchanged between mobile operators and their suppliers started in 2010, by which point it had already “widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.”
The SIM card manufacturer insists 3G and 4G networks are not susceptible to this kind of attack, explaining that even if the encryption keys had been stolen, they could only be used to intercept communications on second-generation 2G mobile networks.