The 5 reasons why you shouldn’t worry about Gemalto’s SIM hack…yet
Gemalto is the world’s largest producer of SIM cards, manufacturing over 2 billion every year. Chances are, if you have a mobile phone, your SIM card came from Gemalto.
Today Gemalto confirmed that its network had been hacked, following reports that both the NSA and GCHQ had pilfered SIM encryption keys from the manufacturer.
If the US and British spying agencies actually got hold of those encryption keys, they could (metaphorically) blow your phone right open, gaining access to encrypted conversations, messages and data traffic.
While this definitely raises questions about how much trust we should place in the security of the internet and governments, the truth of the matter is that this Gemalto business isn’t as big a concern as the media is making it.
Here’s 5 reasons why you have no need to worry if your SIM has been compromised.
1. The NSA and GCHQ couldn’t get into Gemalto’s systems
We could be placing too much faith on Gemalto’s word, but it’s been more than open about the fact that its systems were hacked into by intelligence agencies between 2010 and 2011.
However, the Netherlands-based company has said that despite the serious intrusion, neither agency could get deep enough to access the sensitive information they sought.
2. 3G and 4G are too secure
Gemalto has admitted that if the hackers had managed to delve in and grab SIM encryption, only people who use 2G networks would have been affected. Due to both 3G and 4G being more secure, an encryption-based attack wouldn’t have exposed people on those networks.
Gemalto is currently confident enough to claim that most people have already switched to faster networks, so if a hack had been successful, it would only affect a few people.
3. The attacks didn’t take place on UK numbers
While that argument is very “it’s not in my backyard”, on a day-to-day note, you really have nothing to worry about in terms of your personal number and data.
The attempted hacks targeted mobile operators in Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan. That means that if you live in the UK, or at least have a UK or general European SIM you’ll be completely fine.
That doesn’t dismiss the existence of such a problem, but it certainly puts your daily worries into perspective.
4. There’s no risk to card chips or security networks
You’d have to be a major conspiracist to believe a breach on SIM encryption also poses a risk to Gemalto’s other products.
If a breach had occurred on the infrastructure running Gemalto’s SIM activity, it wouldn’t have any access to payment chip encryption or other security systems. Gemalto isn’t a small player in any field it occupies, it has physically separate networks for all of its sensitive information. Breaching one, wouldn’t mean breaching all.
5. Gemalto doesn’t benefit from lying
While the security breach could have done some serious damage to Gemalto’s business, with it’s 450 worldwide clients possibly taking their business elsewhere, things would be worse for it if it broke the law.
The Netherlands, where Gemalto is based, has a net neutrality law in place. If Gemalto is found lying about any breaches, it would be lumped with fines and reparations beyond lost clients.
Admittedly, Gemalto denied any such breach on its networks only a week ago. That was most likely a result of poor PR damage control, and a genuine lack of knowledge due to no encryption-level breach taking place.
After its own investigation into the attacks Gemalto has been reasonably transparent about what occurred.
While it does still smack of Gemalto saying everything’s fine to ensure its products don’t suffer, it’s unlikely a real risk exists.
The personal take
While there’s definitely a case for a breach of privacy and a need for genuine concern over the security of our personal information and communications online, I wouldn’t worry about the Gemalto story.
For various reasons, mostly stated above, the likelihood of your individual SIM being breached and traced is unlikely. And, while Gemalto does admit that if a breach had occurred, only those running on 2G networks would need to be concerned. Operators who could possibly be affected in the regions targeted only have a slim set of users running on 2G networks. For the billions of SIM cards that Gemalto is producing internationally, a tiny set will have actually been compromised.
It certainly doesn’t make the act of GCHQ and the NSA purportedly trying to smash its way into Gemalto’s network any more reassuring, but it does help put things into perspective.