Gemalto: Our SIM cards are secure despite alleged hack

The company also promises to say more on Wednesday about the alleged hacking of its SIM cards by the US National Security Agency and the UK's GCHQ.

Lance Whitney Contributing Writer


Gemalto's SIM cards for mobile phones are secure despite purported hacks by US and UK spy agencies, the company announced Monday.

A report released Thursday by online publication The Intercept claims that the US National Security Agency and the UK's Government Communications Headquarters, or GCHQ, hacked into Gemalto's internal network and stole the encryption keys used to secure the company's SIM cards. The Amsterdam-based company said last week it would fully investigate the claim.

On Monday, the company said that "initial conclusions" indicate that its SIM cards and other products are "secure" and that it doesn't expect any "significant financial prejudice." Gemalto added that it plans to host a press conference and issue a statement on Wednesday to reveal more information about the results of its investigation.

Gemalto sells its SIM cards to 450 carriers around the world, including AT&T, Verizon, T-Mobile and Sprint. The cards contain personal information, including your phone number, billing information, contacts and text messages, and are supposed to be protected by encryption keys to thwart hacking attempts.

The Intercept was co-founded by journalist Glenn Greenwald, who was working for the Guardian when he met NSA contractor-turned-whistleblower Edward Snowden. (The Guardian and the Washington Post were the first to publish revelations about government spying based on documents provided by Snowden.) Citing documents from Snowden, The Intercept's report last week charges that a joint unit of the NSA and GCHQ hacked the SIM card encryption keys used by Gemalto and possibly other vendors.

The report of the hack, which allegedly occurred in 2010 and 2011, has raised red flags because it would mean that the spy agencies have the ability to access personal data and tap into mobile phone voice and data communications around the world.

Using stolen keys, the NSA and GCHQ could intercept mobile communications without getting approval from telecom providers or foreign governments, The Intercept's report alleges. Having those keys basically would mean there's no need to get a legal warrant.

Gemalto's security team started its investigation on Wednesday after the company was contacted by The Intercept. Gemalto's team attempted to determine how its network could have been compromised but could find no trace of any hacks, The Intercept reported. Paul Beverly, a Gemalto executive vice president, was also asked by The Intercept if the NSA or GCHQ had ever requested access to the SIM card encryption keys.

"I am totally unaware," Beverly told the publication. "To the best of my knowledge, no."

Correction, February 24, 9:10 a.m. PT: This story initially misstated where the revelations about government spying were first published. They were published in the Guardian and the Washington Post.