
Gemalto's findings of its investigations into the alleged hacking of SIM cards - eonwe
http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx
======
scintill76
Can anyone elaborate on why it's supposedly only a problem for 2G? "If someone
intercepted the encryption keys used in 3G or 4G SIMs they would not be able
to connect to the networks and consequently would be unable to spy on
communications." Why not? I feel like there is a "merely" missing from this
sentence -- if so, what more than keys do they need to spy?

Are they basing this on the specific type of key discussed in the documents? I
don't know a lot about it, but I'm inclined to believe there are valuable keys
burned-in to 3G+ cards too.

I also wonder if there is a downgrade attack to force 2G, so that those keys
are not completely worthless.

~~~
MrBuddyCasino
I wondered about that too, not sure why this was downvoted.

Sorry for being OT, but maybe HN should recheck whether downvoting a comment
just to express disagreement about a factual statement (as opposed to
punishing bad or trollish ones) is conducive to a civil and constructive
discourse here.

~~~
stingraycharles
Yeah I have no idea what is happening to HN lately, a lot of posts that add
information are being downvoted. I personally feel like getting rid of the
downvote button altogether would be a great step forward, since we already
have the flag button.

~~~
proksoup
Some users, such as me, have no downvote button. Maybe it is an existing
account setting that could be used more frequently.

~~~
stingraycharles
There is a certain karma threshold before you can downvote.

------
r0h1n
Firstly, I'm amazed that a large global corporation has put out a press
release saying it has "reasonable grounds to believe that an operation by NSA
and GCHQ probably happened." Wow.

That said, I wonder if Gemalto really had any other option than to say its
keys weren't stolen. What might be the cost of replacing all affected SIM
cards?

~~~
fab13n
> reasonable grounds to believe that an operation by NSA and GCHQ probably
> happened.

No kidding, they've been bought, under more-than-suspicious circumstances, by
[inQtel]([https://www.iqt.org/](https://www.iqt.org/)) and [Texas Partner
Group]([https://tpg.com/](https://tpg.com/)), which officially are CIA
proxies.

I don't think they had to resort to tailored access to perform their heist,
I'd rather bet that they still have enough former colleagues inside Gemalto to
get whatever they want by simply entering the correct password on the correct
keyboard.

~~~
bjornsing
Are you serious?!? Is Gemalto wholly owned by the CIA (through well known
proxies), and nobody is reporting on that...? No...

~~~
fab13n
Ostensibly, they've sold it back years ago.

But that just means they don't need to officially own it anymore: Alex Mandl,
Gemalto's current chairman, is among others a former board member of intQtel,
which presents its mission on its web page as:

    
    
        We identify, adapt, and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community.
    

So the news that nobody wants spread is: nobody cares about how much the NSA
stole from Gemalto: whatever Gemalto has and NSA wants, the NSA is most likely
to get by simply asking NSA affiliates installed at every interesting node in
Gemalto's hierarchy.

Incidentally, it's rather easy to find sources about this in French (Gemplus
used to be a French company, before the fusion with Axalto which was forced by
intQtel and TPG), but surprisingly hard to find in English.

~~~
toyg
_> nobody cares about how much the NSA stole from Gemalto: whatever Gemalto
has and NSA wants, the NSA is most likely to get by simply asking NSA
affiliates_

This seems at odds with the leaked documents though. Why going to the trouble
of compromising a company you've already social-engineered to the max?

~~~
AlyssaRowan
Not at all. GCHQ are not usually ones to try just one approach. They often try
every approach at once: partly because they can; but mostly for
compartmentation; to overwhelm layered defences; and to decrease sensitive
source exposure by combining the results of everything they care to try.

The doctrine has been called "penetrating targets' defences" or PTD: that's
also the name of their budget/office/department/contracting scheme which is
broadly equivalent to NSA's Special Source Operations/Targeted Access
Operations, only more aggressive and multi-pronged. It incorporates HUMINT as
well as both R&D and operational deployment of advanced technical attacks.

You may see references in the Snowden documents of this (check the bottom), or
in their tenders to BAE Detica for their modular botnet software, or
elsewhere. Although much of the really juicy or operational stuff is STRAP3
and thus kept off the TS//STRAP2 wiki.gchq (which the NSA have shared access
to via their ic.gov portal, and which Snowden dumped - and which, yes, runs a
tweaked MediaWiki on PHP).

------
rsm439
Please pardon my naiveté, but is it even possible for a company that operates
in 85 countries to do a thorough security audit in the six days since this
news started making the rounds? The rapidity of their response makes me
uneasy.

~~~
skolor
From the article, it sounds like they just looked at old incident reports and
said "yup, these two are 'sophisticated,' they could be the NSA/GCHQ."

Its a little disturbing that the "sophisticated" attacks they detected don't
really sound all that sophisticated. Is spoofing an email and sending a
PDF/Office exploit really considered sophisticated? While its a step above the
most basic script-kiddie type stuff, that isn't unreasonable for even normal
pentesting to do, and I wouldn't consider it an indicator of a nation-state
attacker at all. Even if the attack was using 0-day in the attachment viewer,
its not unheard of for malware kits to employ similar techniques.

It definitely says something that those attacks were at least partially
successful against systems Gemalto thinks could have resulted in the theft of
sensitive crypto keys.

~~~
joosters
_Is spoofing an email and sending a PDF /Office exploit really considered
sophisticated?_

Maybe. I'd say a targeted email, using a believable, researched sender address
and relevant contents, would be fairly sophisticated. It would certainly be
way more effective than the bulk 'please pay this generic invoice' exploits
that I get spammed with.

~~~
AlyssaRowan
Spear phishing, as its nicknamed? If something is sophisticated enough to
_work_ , don't knock it!

There's no fundamental difference between the basic techniques used by
malicious hackers, organised crime, pentesters or nation-state adversaries
doing offensive "cyber-operations" (ugh): the only big difference is the
budget (time, personnel, money), how likely they are to get away with it, and
how aggressive they are.

------
discardorama
FTA: > In July 2010, a second incident was identified by our Security Team.
This involved fake emails sent to one of our mobile operator customers
spoofing legitimate Gemalto email addresses. The fake emails contained an
attachment that could download malicious code. We immediately informed the
customer and also notified the relevant authorities both of the incident
itself and the type of malware used.

I'm not buying this. If the fake emails were sent to the customer, wouldn't
the _operator_ be the one who detects the malicious address? So how is Gemalto
informing the customer that the mails are malicious?

------
TeMPOraL
I see two totally separate threads of discussion here, so I have to ask -
which way is it? Is Gemalto a poor company that got pwnd by Five Eyes, or are
they just a bunch of spooks in corporate suits[0]? Because the latter paints
the situation in a completely different light.

[0] -
[https://news.ycombinator.com/item?id=9106179](https://news.ycombinator.com/item?id=9106179)

------
e12e
"If someone intercepted the encryption keys used in 3G or 4G SIMs they would
not be able to connect to the networks and consequently would be unable to spy
on communications."

I don't understand this. First, it's well known that intelligence services
passively listen to and collect any and all radio traffic. The issue then is
can that traffic be decrypted, not can the traffic be spied on. Related to
that is of course the use of frequency hopping -- but as I understand it, if
frequency hopping uses N bands, and you have N antennas/radios at your
disposal, you could listen and record all of them.

Secondly, we all know that if you have a sim card, you can connect to a 3g/4g
network. What they seem to be implying, is that 3g/4g uses asymmetric
encryption (certificates) for authentication, and that only the sim card knows
its own secret key. Does anyone know is this is true? Did 3g/4g move away from
shared-secret to asymmetric keys?

I hope I'm missing something -- because if not this press release is basically
full of placating lies.

------
Jolijn
Whew, that was quick wasn't it!

Four to five years after the hacks happened, Gemalto says it was all not so
bad, they really really checked this time and they have super duper server
logs they grepped twice to be sure.

~~~
mootothemax
_Four to five years after the hacks happened, Gemalto says it was all not so
bad, they really really checked this time and they have super duper server
logs they grepped twice to be sure._

That's a bit unfair. Gemalto say:

\- "The risk of the data being intercepted as it was shared with our customers
was greatly reduced with the generalization of highly secure exchange
processes that we had put in place well before 2010."

\- "The report... also states that when operators used secure data exchange
methods the interception technique did not work."

\- "Gemalto has never sold SIM cards to four of the twelve operators listed in
the documents, in particular to the Somali carrier where a reported 300,000
keys were stolen."

\- "A list claiming to represent the locations of our personalization centers
shows SIM card personalization centers in Japan, Colombia and Italy. However,
we did not operate personalization centers in these countries at the time."

There's a lot of valid points in Gemalto's report, and it seems dishonest to
write it off so pettily.

~~~
Jolijn
> There's a lot of valid points in Gemalto's report, and it seems dishonest to
> write it off so pettily.

I agree they have valid points that are worth setting the record straight on.
But conveniently for Gemalto they distract from the core issue, which in my
opinion is that they have been owned and are in denial of it.

Hopefully it's just PR and they are scrambling internally to keep spies out.

------
yuhong
Obviously the key theft made it easier, but remember that 2G/GSM still only
uses 64-bit encryption keys even in A5/3 and GEA3.

------
zumtar
This statement from Gemalto seems quite naive considering the leaked documents
state that the operations to obtain the private keys were successful. They
talk about the deployment of a "secure transfer system" BUT that will only
help if that is the only time that data is ever transferred between two
entities and assumes that the data will be kept securely.

The Ki database has to be distributed to so many places in and around the
network that it isn't surprising that it is schlepped around using insecure
means.

Of course in an ideal world the keys should never be accessible by a human,
they should have been generated in a set of HSMs at the SIM manufacturer that
are transferred physically to the network operator. In reality this doesn't
happen as that takes time and money and is an overall logistical nightmare.

Mobile carriers use lots of professional services "experts" from the vendors
they buy from, it is rare to have in-house engineers running and maintaining
the systems as those tasks are usually outsourced.

Such engineers will have done a 4 week course with Nokia-Siemens-Networks,
Huawei or Ericsson and they are sent out into the field with a crappy laptop
and a few tools, they are just expensive "remote hands" without any real
knowledge.

This is how it would play out from a 3rd level support/engineer back at Telco
HQ -

In-house expert: Hi Mr Field Engineer, I need you to restore that HLR you are
looking at, I can't reach it from here, and I need to send you a file securely
to restore to that node, do you use PGP? Do you have the emergency encrypted
USB stick with you?

Outsourced Engineer: PGP? I don't know how to program, isn't that for making
web-sites? USB stick, yes I have a new one in my bag I bought for downloading
movies.

In-house expert: No, that is PHP, don't worry about that for now, do you have
any decryption software on your laptop?

Outsourced Engineer: No, but my laptop is already unlocked, I've typed in my
account and password.

In-house expert: I have my boss screaming at me and the call-center is
overloaded with complaints, do you know how to use SCP?

Outsourced Engineer: SCP?

In-house expert: OK, how about FTP, do you have an FTP client?

Outsourced Engineer: Yes, I've got that, I use it for sending firmware to
Cisco routers.

In-house expert: No, not TFTP, FTP! Do you know what that is?

Outsourced Engineer: Huh?

In-house expert: OK, how about a corporate email account?

Outsourced Engineer: No, I'm working for "XYZ Solutions" and I'm on a
probationary period, I have a hotmail account, does that help?

In-house export: OK, I suppose that will have to do, please just delete the
email from hotmail and make sure you delete that file later from your PC.

Outsourced Engineer: OK, you mean just drag it to trash on this 4 year old
Windows XP laptop I'm using?

 _sigh_

~~~
Potando
It does say 98% of private key transfers are not between the SIM supplier
(Gemalto) and the carrier. It explicitly says those could be hacked more
easily but are out of their hands. I have little doubt that many governments
already monitor thier own people's phone use anyway, making the issue of
surveillance irrelevant.

A bit surprising they promote security by obscurity though:

"Security is even higher for mobile operators who work with Gemalto to embed
custom algorithms in their SIM cards. The variety and fragmentation of
algorithmic technologies used by our customers increases the complexity and
cost to deploy massive global surveillance systems."

~~~
zumtar
> It does say 98% of private key transfers are not between the SIM supplier
> (Gemalto) and the carrier. It explicitly says those could be hacked more
> easily but are out of their hands.

But that is the problem, they shouldn't really be in a state that could ever
be read by a human, they should be on individual HSMs that are distributed
around the networks from the SIM manufacturer.

The problem is that there isn't a real standard on how to exchange HSMs
between SIM manufacturers and the network operators that use different jury-
rigged hacks for everything.

The mass deployment of HSMs would add a huge cost and involves additional
hardware development and integration in mobile networks that already work
perfectly.

If the SIM manufacturer insisted that the keys would never be given in a
plain-text format but _only_ as individual non-dumpable HSMs then that would
force the network equipment vendors and mobile operators to deploy the
technology.

This isn't going to happen as the SIM company will lose business to a
competitor and the mobile network operator will not spend their budget on such
a project that adds zero functionality to their existing (and completely
operational) network.

------
chiph
> Gemalto will continue to monitor its networks and improve its processes.

I wonder if they're going to reissue the root key. And if they do, how can I,
as an AT&T Wireless customer, know that my new SIM is using it?

~~~
rkangel
Are you sure there is such a thing as a root key? Root keys apply to X509 and
certificate signing, which isn't applicable here. They're likely just to be
generating keys randomly (in the technical sense of the word).

~~~
chiph
Looks like I misunderstood how the leak happened. I was thinking they
infiltrated Gemalto's infrastructure and stole the signing key. But it looks
like the keys (lots of them - one per SIM) were stolen while they were in
transit, because of weak/no transmission security.

Since I have no way of knowing if my personal SIM key was stolen, I'll have to
wait until AT&T works their way through their existing stock of SIMs and then
request a new one. And hopefully get one that wasn't exposed.

------
spacefight
"The attacks against Gemalto only breached its office networks and could not
have resulted in a massive theft of SIM encryption keys"

That's what they think...

------
hurin
Could someone explain to me the significance of having the keys as opposed to
simply breaking A5/1 or A5/2 (Which is considered to be trivial)? Especially
since A5/3 (which is also known to be insecure at least theoretically) can be
downgraded to either of those or even A5/0?

Is the advantage solely that they don't need to intercept the traffic as a
middleman to ask the target to downgrade?

~~~
kabouseng
The difference would be, that with the keys you could just listen in and
capture all the traffic.

If you had to force cell phone connections to A5/0, you would have to:

1) Have to both receive and transmit.

2) Have a stronger connection than any other nearby cell towers.

3) Have a backbone connection back into the network so that you can actually
negotiate phone calls to users connected to other cell phone towers.

4) Have to be able to handle multiple simultaneous connections. Some MITM
spoof cell towers only establish a connection for the person of interest, and
all other devices in the area loses connection. A pretty tell tale sign of a
rogue base station operating in an area.

So in short it is much easier just to have the keys...

~~~
hurin
That's what I assumed (but I wondered if there was some other advantage I was
missing).

Are not all the ciphers breakable post collection anyways? Is it fair to say
that this is effectively for the purpose of blanket non-targeted surveillance?
Where by having the keys in their possession it gives them a shortcut for bulk
analysis and saving CPU time that would otherwise be spent breaking
encryption.

And a cpu-processing-savings advantage justified cyber-attacking a foreign
civilian corporation?

~~~
rkangel
With the keys, you can do data collection now, and cracking later. You can do
mass interceptions and then decide which calls you want to look at.

~~~
hurin
>With the keys, you can do data collection now, and cracking later.

Do the attacks on A5/1 require known plaintext? I was under the impression
that they do not.

~~~
BuildTheRobots
My understanding was that the A5/1 attack (and massive rainbow table) not only
relies on known plaintext but also requires you to get the _start_ of the
communication.

------
packetized
This seems to have been released with breathtaking speed. Was it canned, or
did they previously know that these revelations would come to light?

~~~
garrettheaver
I wouldn't have said it was fast to the extent I'd be suspicious. Given the
nature of the business they're in and the security risks they're well aware
of, I'd say they have a plan of action on what to do in the event of a
confirmed or potential breach and they just put that into action immediately.

------
microcolonel
“…customized algorithms for each operator” What are they smoking?

~~~
madez
Using customized algorithms makes a lot of sense to evade untargeted attacks
on your encryption.

------
eps
Not a big deal.

Just carry on. Please.

* But be vigilant!

------
LLWM
Hopefully this will finally shut up the people who complain that the NSA's
behavior will damage the US tech industry. If they are interested in
compromising a system, being non-American just means they will break in the
hard way. At least American companies can theoretically be secure if they are
willing to grant authorized access when requested.

