Gemalto Takes The Lenovo Approach: Denies Any Real Risk From NSA Hacking Its Encryption Keys
from the nothing-to-see-here... dept
Apparently, execs at Gemalto went to the same crisis management training program as the top execs at Lenovo. As you probably recall, last week The Intercept revealed that the NSA and GCHQ had hacked into the systems at Gemalto, the world's largest maker of SIM cards for mobile phones, in order to get access to their encryption keys: the per-subscriber secrets burned into each SIM that secure the radio link between a handset and the cell tower. This is a pretty massive security breach, allowing these intelligence agencies to decrypt calls that people thought were encrypted. But Gemalto insists its SIM cards are perfectly secure:

“Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn’t expect to endure a significant financial prejudice.”

This sounds an awful lot like Lenovo's initial reaction to the reports about the Superfish/Komodia vulnerability it shoved onto many of its customers' computers, saying (totally incorrectly):

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Lenovo, at least, pretty quickly changed its tune and admitted to it being a major problem. Of course, there are some differences here. With Lenovo, the company had made the choice to include Superfish -- whereas the Gemalto hacking was done (obviously) without the company's knowledge. You'd hope that the company would be much more upfront about the seriousness of the issue, rather than insisting that everything is just fine and dandy.
Of course, it's that last phrase -- about not having to "endure a significant financial prejudice" -- that shows what's really going on. Gemalto's stock price took a huge hit, and the company is trying to assure investors that everything is okay -- not necessarily its customers. See if you can tell when the news about this came out?
Filed Under: gchq, hacking, nsa, risk, sim cards
Companies: gemalto
Reader Comments
Re: Re:
King(Executive, Legislative, Judicial) gives agency mountains of power and trust. Agency uses that mountain of power and trust to subvert surrounding agencies... Executive, Legislative, and Judicial branches never see it coming. They are so driven by their fear of the people they never learned to fear their fellow peeps.
Carl
Re: Re: Re:
Never see it coming? You wish. They are lining the roads cheering and waving flags.
Well sir, your initial conclusions must have missed the part about YOU HAVING BEEN HACKED YOU MORON!
That is the definition of insecure. Someone else has the data. Now, you MAY be trying to argue that nobody ELSE has compromised your systems, but if that is what you are saying, how can anyone believe you would have any idea if you have been hacked by someone else?
Re:
All signs point toward this not being true. Instead, it appears that this was an inside job, not a hack.
However, their initial conclusions must have missed the part about how everyone who possesses these keys can decrypt the voice communications on cell phones and listen in.
Can it, in the long term, keep its stock price up without keeping its users secure?
Re:
All of these companies have gone out of business...oh, wait, apparently you can be completely inept when it comes to security and be just fine.
Re:
Long term? In the long term the people making this decision are running other companies and whoever is left holding the bag at the point their decisions come home to roost gets to golden parachute out of that situation.
Basically the only people at Gemalto who stand to be personally affected didn't have a say in the first place.
Hurrah for dysfunctional organizational structures.
Which is more important to Gemalto? Keeping its stock price up or its users secure?
Confirm or deny
You can't always confirm that there was no breach, but in either case you need to tell people what you are going to do to fix the problem in the future.
Re: Confirm or deny
Or just stand there and say "what problem?" until everyone forgets.
"We have been hacked and millions if not billions of devices are no longer secure because we didn't detect the hack so maybe criminals might have the keys too."
Might be honest but then the stock wouldn't be in the 70 range, more like 7.
Excellent. Then can I have a copy of the keys, please?
Yeah, well...
About that, just show us the money!
Were they ordered not to speak about it?
Oracle has sure been pushing out a lot of Java updates,
how do we know we can trust them?
They may be under a national security order not to talk about any "special features"...
Turns out the tinfoil hat gang was right..
Only air-to-basestation keys, not end-to-end
The SIM card encryption only protects the radio signal between the phone and the nearby base station. The signal between the base stations is most likely unencrypted, as these are leased lines from transit providers to which normal people don't have access.
NSA doesn't need to go near a user to record the airwaves, as they can do it with access to every transit router from the comfy chairs in Virginia and Utah.
Telephone encryption has been a joke since its invention. It's the Clipper Chip reincarnated.
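The comment above makes the key technical point of the whole story: the SIM secret (Ki) is what the handset and the network use to derive the session key for the air interface, so anyone holding a copy of Ki can decrypt the radio leg of a call from a passive capture. The following is an added example, not code from the article, Gemalto or any commenter. It models the GSM challenge-response exchange and a passive eavesdropper. The real A3/A8 and A5 algorithms are operator-specific or hardware ciphers; here HMAC-SHA256 and a hash-based keystream stand in for them (an assumption made for illustration only), and the Ki, IMSI and call frames are constructed test values.

```python
"""Toy model of GSM SIM authentication and air-interface encryption.

Added example; not from the article. HMAC-SHA256 stands in for the
operator's A3/A8, and a SHA-256 keystream stands in for A5 (assumptions).
Sizes follow GSM: 128-bit Ki, 128-bit RAND, 32-bit SRES, 64-bit Kc.
"""
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Derive (SRES, Kc) from the SIM secret Ki and the network's RAND.
    Both outputs depend only on Ki and RAND: leak Ki and Kc is recomputable."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream(kc: bytes, frame_no: int, length: int) -> bytes:
    """Hash-based stand-in for the A5 keystream generator (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = kc + frame_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def a5_crypt(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """XOR a frame with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(kc, frame_no, len(data))))


class Sim:
    """The handset side: Ki never leaves the card, only SRES does."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class AuthCentre:
    """The operator's AuC holds every subscriber's Ki; this is the kind of
    key material the article says was taken from the SIM manufacturer."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = dict(subscribers)

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


def air_interface_session(auc, imsi, sim, frames):
    """Run one authentication and encrypt the call frames.
    Returns what actually crosses the air: RAND, SRES and the ciphertext.
    Kc itself is never transmitted."""
    rand, expected_sres, kc_net = auc.triplet(imsi)
    sres, kc_sim = sim.respond(rand)
    if not hmac.compare_digest(sres, expected_sres):
        raise ValueError("authentication failed")
    assert kc_sim == kc_net, "both sides derive the same Kc"
    cipher = [a5_crypt(kc_sim, n, f) for n, f in enumerate(frames)]
    return rand, sres, cipher


def passive_decrypt(ki_copy: bytes, rand: bytes, cipher_frames):
    """Eavesdropper with a copy of Ki: recompute Kc from the sniffed RAND and
    strip the air-interface encryption, with no access to the network at all."""
    _, kc = a3_a8(ki_copy, rand)
    return [a5_crypt(kc, n, c) for n, c in enumerate(cipher_frames)]


def demo() -> dict[str, bool]:
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed Ki
    imsi = "001010123456789"                                   # constructed test IMSI
    auc = AuthCentre({imsi: ki})
    sim = Sim(ki)
    frames = [b"hello, is this line secure?", b"yes, it is encrypted"]  # constructed
    rand, _sres, cipher = air_interface_session(auc, imsi, sim, frames)
    with_ki = passive_decrypt(ki, rand, cipher)          # attacker holds the leaked Ki
    without_ki = passive_decrypt(bytes(16), rand, cipher)  # attacker guesses a wrong Ki
    return {"recovered_with_ki": with_ki == frames,
            "recovered_without_ki": without_ki == frames}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that Ki is a long-term secret with no forward secrecy: RAND and SRES go over the air in the clear, so a capture made today can be decrypted at any later time by whoever obtains Ki, and the operator's network sees nothing unusual. Note also that this protects only the radio leg; as the comment says, the backhaul behind the base station is a separate matter.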
Re: Only air-to-basestation keys, not end-to-end
Also, the encryption system was designed to allow tracking by the telcos for billing. Also for verifying that the phone and plan were legitimately activated, so the user couldn't get free calls like land lines and the phreak boxes. This is why end-to-end encryption is still better for everyone.
Re: Only air-to-basestation keys, not end-to-end
Zero Knowledge Systems had a way to bill for anonymous network access 10 years ago. Combine that with Tor hidden services and you'd have a way for a telco to ring a phone without having to know its location. A SIM, of course, could generate its keys on first use. It'll be interesting to see if anyone actually redesigns these systems.
The stock change looks more like market noise to me
So it seems that investors initially overreacted to the news (as it seems they always do), and then it corrected. It doesn't look like they care too much about this news. Should they? Are they seriously going to lose business because of this? Does anyone seriously think that the NSA won't simply hack any other SIM card provider?
http://www.reddit.com/r/IAmA/comments/2wwdep/we_are_edward_snowden_laura_poitras_and_glenn/couu01c?context=3
Re:
http://www.gemalto.com/press/Pages/Update-on-the-SIM-card-encryption-keys-matter.aspx
Hopefully
Hopefully, the two go hand in hand.
Gemalto, sim card and other, company, hacked, exploited, didn't give a shit........gemalto sim cards and other, company, hacked, exploited, didn't give a shit.....was it a swedish company.......I'll look that up one day, gemalto, sim card and other, company, hacked exploited, didn't give a fuck
Lenovo/spyfish...........
What I want to know
I'll be on the phone to them today.
Stage One - Denial?
ANGER - Upon thorough security assessment, how dare they! EU protect us!
BARGAINING - international spy agencies, please don't. We know, "Eye of Sauron" and all but this is really cramping our business style. Promise you won't make us look bad. Promise you won't do it again.
DEPRESSION - they totally owned us, Sony 2.0, shit, shit, shit... Who will get fired? Our stock price, oh, our stock price.
ACCEPTANCE - This is going to happen. Hey, remaining customers, I'll sell you new gear with new technology buzz words like "Perfect Forward Secrecy", and SOME"open source". Psst, hey super secret spy agency, we will sell you technology too. Sure you could break in and get it yourself, but we are wise to you now, and invested in some better locks, save some time and just buy it from us instead. Telecom network upgrade fees $$, good PR from secure technology, check, and dual $$ revenue stream for every product shipped.