Privacy

by Mike Masnick


Filed Under:
gchq, hacking, nsa, risk, sim cards

Companies:
gemalto



Gemalto Takes The Lenovo Approach: Denies Any Real Risk From NSA Hacking Its Encryption Keys

from the nothing-to-see-here... dept

Apparently, execs at Gemalto went to the same crisis management training program as the top execs at Lenovo. As you probably recall, last week The Intercept revealed that the NSA and GCHQ had hacked into the systems at Gemalto, the world's largest maker of SIM cards for mobile phones, in order to get access to their encryption keys. This is a pretty massive security breach, allowing these intelligence agencies to decrypt calls that people thought were encrypted. But Gemalto insists its SIM cards are perfectly secure:
“Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn’t expect to endure a significant financial prejudice.”
This sounds an awful lot like Lenovo's initial reaction to the reports about the Superfish/Komodia vulnerability it shoved onto many of its customers' computers, saying (totally incorrectly):
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.
Lenovo, at least, pretty quickly changed its tune and admitted to it being a major problem. Of course, there are some differences here. With Lenovo, the company had made the choice to include Superfish -- whereas the Gemalto hacking was done (obviously) without the company's knowledge. You'd hope that the company would be much more upfront about the seriousness of the issue, rather than insisting that everything is just fine and dandy.

Of course, it's that last phrase -- about not having to "endure a significant financial prejudice" -- that shows what's really going on. Gemalto's stock price took a huge hit, and the company is trying to assure investors that everything is okay -- not necessarily its customers. See if you can tell when the news about this came out?
So now the question is, which is more important to Gemalto? Keeping its stock price up or its users secure?

Reader Comments



  • Anonymous Coward, 23 Feb 2015 @ 11:34am

    If there was 'no real risk' why do the NSA (and others) want the keys in the first place?

    • Michael, 23 Feb 2015 @ 11:58am

      Re:

      To be fair, the NSA wants the keys to EVERYTHING, it doesn't have to be of particular importance.

      • Anonymous Coward, 23 Feb 2015 @ 1:35pm

        Re: Re:

        Yes, the NSA is making very clear they want to take full power. This is quite literally how to usurp a throne.

        King(Executive, Legislative, Judicial) gives agency mountains of power and trust. Agency uses that mountain of power and trust to subvert surrounding agencies... Executive, Legislative, and Judicial branches never see it coming. They are so driven by their fear of the people they never learned to fear their fellow peeps.

        Carl

        • David, 24 Feb 2015 @ 3:20am

          Re: Re: Re:

          Agency uses that mountain of power and trust to subvert surrounding agencies... Executive, Legislative, and Judicial branches never see it coming.

          Never see it coming? You wish. They are lining the roads cheering and waving flags.

  • Michael, 23 Feb 2015 @ 11:35am

    “Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn’t expect to endure a significant financial prejudice.”

    Well sir, your initial conclusions must have missed the part about YOU HAVING BEEN HACKED YOU MORON!

    That is the definition of insecure. Someone else has the data. Now, you MAY be trying to argue that nobody ELSE has compromised your systems, but if that is what you are saying, how can anyone believe you would have any idea if you have been hacked by someone else?

    • John Fenderson (profile), 23 Feb 2015 @ 2:14pm

      Re:

      "your initial conclusions must have missed the part about YOU HAVING BEEN HACKED YOU MORON!"

      All signs point toward this not being true. Instead, it appears that this was an inside job, not a hack.

      However, their initial conclusions must have missed the part about how everyone who possesses these keys can decrypt the voice communications on cell phones and listen in.

    • Dan J., 25 Feb 2015 @ 7:24am

      Re: Having Been Hacked

      To be clear, Gemalto is claiming that the SIM keys were not compromised. They say that the hacking was of their office network and that the SIM keys were not stored on that network at all, and that there is no evidence that the hackers breached the internal network where the keys are stored. They may very well be lying, but their claim is not that someone else having the data is harmless; they're saying no one else has the data.

  • wec, 23 Feb 2015 @ 11:39am

    So now the question is, which is more important to Gemalto? Keeping its stock price up or its users secure?

    Can it, in the long term, keep its stock price up without keeping its users secure?

    • Michael, 23 Feb 2015 @ 11:43am

      Re:

      Of course not. Look at the history of companies that cannot secure anything, Bank of America, Citibank, Home Depot...

      All of these companies have gone out of business...oh, wait, apparently you can be completely inept when it comes to security and be just fine.

    • Anonymous Coward, 23 Feb 2015 @ 2:13pm

      Re:

      Maybe, but they would have to rebrand significantly since security obviously cannot be their selling point.

    • Anonymous Coward, 25 Feb 2015 @ 12:25pm

      Re:

      "Can it, in the long term, keep its stock price up without keeping its users secure?"

      Long term? In the long term the people making this decision are running other companies and whoever is left holding the bag at the point their decisions come home to roost gets to golden parachute out of that situation.

      Basically the only people at Gemalto who stand to be personally affected didn't have a say in the first place.

      hurrah for dysfunctional organization structures.

  • Anonymous Coward, 23 Feb 2015 @ 11:40am

    Could Gemalto not use ISDS against the US government, as in this case the US government's illegal actions did the damage?

    • Michael, 23 Feb 2015 @ 11:45am

      Re:

      They were basically working with the GCHQ, so probably not. And, of course, even if they could, it's the US government and they just ignore things like international obligations, human rights, and the US Constitution.

  • MondoGordo (profile), 23 Feb 2015 @ 11:40am

    which is more important to Gemalto? Keeping its stock price up or its users secure?

    Are you serious? This is a corporate entity we're discussing here, their chief priority is always the bottom line. Customer security is only ever a consideration when it affects the bottom line.

  • lars626, 23 Feb 2015 @ 11:42am

    Confirm or deny

    The one thing I am not seeing from these companies is clear statements to confirm or deny whether a breach actually occurred.

    You can't always confirm that there was no breach, but in either case you need to tell people what you are going to do to fix the problem in the future.

    • Michael, 23 Feb 2015 @ 11:46am

      Re: Confirm or deny

      but in either case you need to tell people what you are going to do to fix the problem in the future

      Or just stand there and say "what problem?" until everyone forgets.

  • Anonymous Coward, 23 Feb 2015 @ 12:09pm

    What do you expect them to say?
    "We have been hacked and millions if not billions of devices are no longer secure because we didn't detect the hack so maybe criminals might have the keys too."
    Might be honest but then the stock wouldn't be in the 70 range, more like 7.

  • Lord Binky, 23 Feb 2015 @ 12:46pm

    "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

    Excellent. Then can I have a copy of the keys, please?

  • Spaceman Spiff (profile), 23 Feb 2015 @ 1:02pm

    Yeah, well...

    "So now the question is, which is more important to Gemalto? Keeping its stock price up or its users secure?"

    About that, just show us the money!

  • gordwait (profile), 23 Feb 2015 @ 1:10pm

    Were they ordered not to speak about it?

    With this "new world" we've found ourselves in, how many other software packages we let autoupdate have government-ordered spyware installed in them?

    Oracle has sure been pushing out a lot of Java updates,
    how do we know we can trust them?
    They may be under a national security order not to talk about any "special features"...

    Turns out the tinfoil hat gang was right..

  • Anonymous Coward, 23 Feb 2015 @ 1:10pm

    Only air-to-basestation keys, not end-to-end

    Why are investors so gullible to think that the NSA can be stopped by the encryption power offered by a SIM card?

    The SIM card encryption only protects the radio signal between the phone and the nearby base station. The signal between the base stations is most likely to be unencrypted as these are leased lines from transit providers where normal people don't have access to.

    NSA doesn't need to go nearby a user to record the airwaves as they can do it with access to every transit router from the comfy chairs in Virginia and Utah.

    Telephone encryption has been a joke since its invention. It's the Clipper Chip reincarnated.

    • Anonymous Coward, 23 Feb 2015 @ 2:16pm

      Re: Only air-to-basestation keys, not end-to-end

      The SIM card hacking is for the Stingray devices or things like them.

      Also, the encryption system was designed to allow tracking by the telcos for billing, and for verifying that the phone and plan were legitimately activated so the user couldn't get free calls like land lines and the phreak boxes. This is why end-to-end encryption is still better for everyone.

    • Anonymous Coward, 23 Feb 2015 @ 3:56pm

      Re: Only air-to-basestation keys, not end-to-end

      NSA doesn't need to go nearby a user to record the airwaves as they can do it with access to every transit router from the comfy chairs in Virginia and Utah.
      There's always a good number of GSM security videos from the Chaos Communication Congress, and I'm under the same impression: the systems aren't that secure. So it's kind of amazing that the NSA et al. feel the need to hack SIMs in the first place. Just because they can, I guess. Maybe someone was bored.

      Zero Knowledge Systems had a way to bill for anonymous network access 10 years ago. Combine that with Tor hidden services and you'd have a way for a telco to ring a phone without having to know its location. A SIM, of course, could generate its keys on first use. It'll be interesting to see if anyone actually redesigns these systems.

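The two comments above make a structural point that is easy to state and worth seeing run: a SIM's key only protects the radio hop, a transit observer needs no key at all, a leaked vendor key list lets a radio observer re-derive the session key, and neither a SIM that generates its own key on first use nor an end-to-end layer leaks in the same way. The model below is an added illustration written for this page, not code from the article or any commenter. It assumes stand-ins for the real primitives (HMAC-SHA256 in place of the SIM's A3/A8 functions, a SHA-256 keystream in place of the air-interface cipher), a subscriber identifier sent in the clear, and an unspecified enrolment step by which the carrier learns a first-use key; only the trust boundaries are meant to match.

```python
"""
Toy model of which observer can read a mobile call when SIM keys leak.

Constructed example: HMAC-SHA256 stands in for the SIM's A3/A8 functions and
a SHA-256 keystream for the air-interface cipher. Real GSM primitives differ;
only the trust boundaries are the point.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SAMPLE_FRAME = b"call audio frame (constructed sample)"


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for A3 (auth response) and A8 (session key)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, XORed onto the data.
    Applying it twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_authentication(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Challenge-response with the long-term secret Ki: SRES proves possession,
    Kc becomes the session key for the phone <-> base-station radio link."""
    return prf(ki, b"auth", rand)[:4], prf(ki, b"cipher", rand)[:16]


def place_call(imsi: str, sim_ki: bytes, carrier_ki: bytes, payload: bytes) -> Dict[str, object]:
    """One call, segment by segment. Returns what a passive observer on each
    segment would capture. Simplification: subscriber id and RAND are in the clear."""
    rand = secrets.token_bytes(16)
    sres, kc = run_authentication(sim_ki, rand)
    expected_sres, carrier_kc = run_authentication(carrier_ki, rand)
    if sres != expected_sres:
        raise ValueError("authentication failed")
    air = keystream_xor(kc, payload)            # encrypted over the radio hop only
    backhaul = keystream_xor(carrier_kc, air)   # base station strips it; leased lines carry plaintext
    return {"imsi": imsi, "rand": rand, "air": air, "backhaul": backhaul}


def read_from_air(capture: Dict[str, object], leaked_key_list: Dict[str, bytes]) -> Optional[bytes]:
    """Radio-side observer holding a leaked vendor key list (IMSI -> Ki).
    With the matching Ki it re-derives Kc from the observed RAND; without it
    the air link stays opaque and None is returned."""
    ki = leaked_key_list.get(str(capture["imsi"]))
    if ki is None:
        return None
    _, kc = run_authentication(ki, bytes(capture["rand"]))
    return keystream_xor(kc, bytes(capture["air"]))


def read_from_transit(capture: Dict[str, object]) -> bytes:
    """Observer on the backhaul between base stations needs no SIM key at all."""
    return bytes(capture["backhaul"])


def scenario() -> Dict[str, Optional[bytes]]:
    """The situations from the thread, returned as values rather than printed."""
    vendor_key_list: Dict[str, bytes] = {}        # the artifact the breach exposed

    # 1. Vendor-provisioned Ki: generated at the factory, a copy kept on file.
    ki_a = secrets.token_bytes(16)
    vendor_key_list["IMSI-A"] = ki_a
    call_a = place_call("IMSI-A", ki_a, ki_a, SAMPLE_FRAME)

    # 2. Ki generated inside the SIM on first use (the thread's suggestion).
    #    Assumed: the carrier learns it through some enrolment step; the
    #    point is that no vendor key list ever holds it.
    ki_b = secrets.token_bytes(16)
    call_b = place_call("IMSI-B", ki_b, ki_b, SAMPLE_FRAME)

    # 3. End-to-end layer on top of the same leaked SIM: a key the two phones
    #    hold, which the SIM vendor never saw.
    app_key = secrets.token_bytes(16)
    call_c = place_call("IMSI-A", ki_a, ki_a, keystream_xor(app_key, SAMPLE_FRAME))

    return {
        "air_with_leaked_ki": read_from_air(call_a, vendor_key_list),
        "air_first_use_ki": read_from_air(call_b, vendor_key_list),
        "transit_no_key_needed": read_from_transit(call_a),
        "e2e_seen_on_transit": read_from_transit(call_c),
        "e2e_seen_on_air_with_ki": read_from_air(call_c, vendor_key_list),
        "e2e_decrypted_by_recipient": keystream_xor(app_key, read_from_transit(call_c)),
    }
```

Reading the returned dictionary: the radio observer recovers the frame only for the SIM whose Ki was on the leaked list, the transit observer recovers it with no key at all, and for the end-to-end call both positions see only ciphertext while the recipient holding the app key reads it. Swapping the toy primitives for real ones would not move any of those boundaries.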

  • Dave Cortright (profile), 23 Feb 2015 @ 1:28pm

    The stock change looks more like market noise to me

    I took a look at Gemalto's stock price over the past year, and noticed it was in the mid-$80s a year ago, and dropped to below $60 4 months ago. The blip from $73 to $67, which then trended back up to $70 looks like minor fluctuations compared to the macro trend.

    So it seems that investors initially overreacted to the news (as it seems they always do), and then it corrected. It doesn't look like they care too much about this news. Should they? Are they seriously going to lose business because of this? Does anyone seriously think that the NSA won't simply hack any other SIM card provider?

  • tomczerniawski, 23 Feb 2015 @ 1:33pm

    Edward Snowden is currently doing a Reddit AMA. He mentioned the Gemalto hack as far more significant than other stories of NSA device-fuckery to emerge recently.

    http://www.reddit.com/r/IAmA/comments/2wwdep/we_are_edward_snowden_laura_poitras_and_glenn/couu01c?context=3

  • John Fenderson (profile), 23 Feb 2015 @ 2:12pm

    Hopefully

    So now the question is, which is more important to Gemalto? Keeping its stock price up or its users secure?
    Hopefully, the two go hand in hand.

    • Anonymous Coward, 23 Feb 2015 @ 5:50pm

      Re: Hopefully

      You've left out the 'Marketing' part of the equation: keeping the stock price up by convincing its users that they're secure. It doesn't matter what you're selling, it just matters what your customers think they're getting.

  • Anonymous Coward, 23 Feb 2015 @ 2:13pm

    So basically just another "if it's not affecting our profit it's not a problem, it's a feature"........thank you Gemalto, you've told us exactly where you stand........excuse me while I memorise a company's name I had no reason to before

    Gemalto, SIM card and other, company, hacked, exploited, didn't give a shit........Gemalto, SIM cards and other, company, hacked, exploited, didn't give a shit.....was it a Swedish company.......I'll look that up one day, Gemalto, SIM card and other, company, hacked, exploited, didn't give a fuck

    Lenovo/spyfish...........

  • John Fenderson (profile), 23 Feb 2015 @ 2:16pm

    What I want to know

    What I want to know is -- is there a source of SIM cards that haven't been compromised? And if so, can I talk my carrier into letting me use one?

    I'll be on the phone to them today.

  • gramsa49, 23 Feb 2015 @ 4:33pm

    Culpability

    I did not see any thinking along these lines, but some, if not most, of the culpability, given the circumstances, should lie with the party that reissued these devices. They were the party with both an end user agreement and an assumed technological liability. The carriers should not have rested trust with a third party for the privacy of another third party. There is way too much of this in corporate arenas.

  • New Boss, 24 Feb 2015 @ 5:50pm

    Stage One - Denial?

    Seems like they are in stage one of grief, DENIAL. In the days that follow:
    ANGER - Upon thorough security assessment, how dare they! EU protect us!
    BARGAINING - international spy agencies, please don't. We know, "Eye of Sauron" and all but this is really cramping our business style. Promise you won't make us look bad. Promise you won't do it again.
    DEPRESSION - they totally owned us, Sony 2.0, shit, shit, shit... Who will get fired? Our stock price, oh, our stock price.
    ACCEPTANCE - This is going to happen. Hey, remaining customers, I'll sell you new gear with new technology buzzwords like "Perfect Forward Secrecy", and SOME "open source". Psst, hey super secret spy agency, we will sell you technology too. Sure you could break in and get it yourself, but we are wise to you now, and invested in some better locks, so save some time and just buy it from us instead. Telecom network upgrade fees $$, good PR from secure technology, check, and dual $$ revenue stream for every product shipped.
