Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.
Some mobile operators in Estonia use Mobile-ID SIM cards supplied by Gemalto. Here is the Estonian Certification Centre's response:
Attacks against Dutch SIM card manufacturer Gemalto which became public yesterday do not endanger Mobile-IDs. AS SK (Certification Centre) confirmed that the attacks against the world’s largest SIM card manufacturer Gemalto do not threaten the security of Estonian Mobile-ID.
“We analyzed the information available to us about the attack and verified that the Mobile-ID security is not affected, Mobile-ID is still secure, and users do not need to make adjustments to their normal behavior in any way,” said the head of the Certification Center Kalev Pihl.
Gemalto has released a public report in which the company tries to downplay the significance of the NSA and GCHQ hack. But that is understandable:
The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.
Fortunately, exploiting the stolen symmetric keys requires the attacker to be in close proximity to the victim’s mobile phone and to perform an active MITM attack at the moment when the victim performs a Mobile-ID transaction.
Update about Estonian mobile network operators’ use of Gemalto SIM cards:
Estonian National Electoral Commission’s e-voting commission’s deputy chairwoman Epp Maaten said that among Estonian mobile operators, only EMT uses SIM cards issued by Gemalto, but only as pre-paid call cards, and Gemalto is not the only vendor of the cards.
Links:
https://theintercept.com/2015/02/25/gemalto-doesnt-know-doesnt-know/
https://sk.ee/uudised/runnakud-gemalto-vastu-ei-ohusta-mobiil-id-turvalisust/
http://democracychronicles.com/estonian-internet-voting-safety/