Gemalto: we were 'probably' hacked, but definitely affected

For a company that wasn't even aware they'd been hacked years prior, Gemalto sounds pretty confident things are just fine. In a report outlining the 'probable' hack executed by the NSA and GCHQ, Gemalto says none of the encryption keys our SIM cards have were compromised. Earlier this week, Gemalto said they believed the hack was less damaging than initially outlined by Edward Snowden, who says the NSA and GCHQ played a kind of 'man in the middle' game to grab your SIM codes.

Gemalto says that a hack by the NSA and GCHQ "probably happened". The company then goes on to say "the attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys".

So, you were probably hacked, but that hack that maybe happened definitely resulted in breached networks? Okay, then.

This hack/not-hack was alleged to have occurred in 2010-2011. Gemalto says that by 2010, they had already implemented a secure mode of transporting SIM cards and their digital codes between the company and its customers.

Furthermore, Gemalto says this hack — which didn't affect SIM cards anyway — would have only given the NSA or GCHQ access to 2G traffic, as "3G and 4G networks are not vulnerable to this type of attack".

Gemalto also questions the validity of Snowden's report, saying "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen."

The response is welcome, but ultimately smacks of Gemalto trying to cover their tracks when they don't have to. Even if they had been hacked, a simple 'how dare they!' probably would have sufficed. Gemalto also points out that security is a dynamic part of their business, so if the hack were limited to 2010-2011, it's entirely possible the last SIM you got had nothing to do with a hack anyway.

Source: Gemalto