Gemalto claims GCHQ encryption key theft did not compromise 3G and 4G networks

Attacks were "sophisticated", but only breached "branch networks" and did not threaten 3G or 4G communications, claims Gemalto

Gemalto has claimed that the attacks by GCHQ and the US National Security Agency (NSA), which leaked documents indicate resulted in the large-scale theft of encryption keys for SIM cards used in mobile phones around the world, "could not have resulted in a massive theft of SIM encryption keys".

The claim is the first result from the in-depth investigation that the security company launched after it was revealed that security services had broken into its networks and stolen technology vital to mobile phone network security.

Gemalto claims that it detected "sophisticated attacks" against it in 2010 and 2011, giving it reasonable grounds to believe that GCHQ and the NSA did launch an attack against the company. However, it says that the attacks "only breached office networks" and could not have achieved the kind of wide-scale success that reports have indicated.

"The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft," claimed Gemalto in a statement.

It continued: "In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack... None of our other products were impacted by this attack."

The company had initially suggested that it knew nothing of the concerted attack by GCHQ and the NSA to steal the encryption keys used to secure mobile communications.

However, its claims have been treated with scepticism by security specialists, who argue that it is not possible for Gemalto to make such claims with certainty, less than a week into an investigation.

"You didn't investigate the hacking attempts against your employees, did you? That said, how can you assure that nothing was copied?" asked coder Andreas Mueller on Twitter. He continued: "So, you detected some high-level intrusion attempts in 2010 & they suddenly stopped? Do you think #NSA & #GCHQ simply gave up?"

Gemalto also pointed out that it was one of several SIM card makers targeted by GCHQ, and that a number of the operators that the original report in The Intercept said were compromised Gemalto customers were operators the company had never done business with - indicating that other SIM card makers were almost certainly breached, too.