SIM CARD COMPANY Gemalto has concluded the investigation into whether or not it was hacked and decided that it probably was hacked, and that the NSA and GCHQ probably did it, but that no real harm was done, so it won't be taking any action.
The firm has trialled this announcement, and promised to reveal the source of the attack today, it did that, but in rather a watery way.
"The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened," it said.
"The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys."
This is run of the mill stuff for the firm, and it added that it is whacked by hackers like a cyber pinata. It said that going by the evidence, it would seem fair to finger the agencies.
"As a digital security company, people try to hack Gemalto on a regular basis. These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful while only a few penetrate the outer level of our highly secure network architecture," it added.
"If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation."
More detail is deserved here, and it is given. Gemalto said that it spotted a couple of intrusion attempts, including some on user PCs, but was unable to trace them. That is, until now.
"At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation," it explained.
The firm adds that key stuff, like its encryption gewgaws are stored on another, untouched network.
"The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data," it said.
"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network."
Naturally we asked GCHQ and the NSA for its take on the news from Gemalto and the former declined an updated comment. It did however say that whatever it does is fair and monitored.
"It is a longstanding policy that we do not comment on intelligence matters," said a spokesperson, before adding that it is covered by the ‘rigorous oversight' of outfits including the Parliamentary Intelligence and Security Committee.
It added, that "the United Kingdom's interception regime is entirely compatible with the European Convention on Human Rights". We are waiting for the NSA to respond.
Earlier this week Gemalto readied itself to release this information with a teaser and a reminder that people really ought to trust the security of its equipment.
"Gemalto pursues its investigations following the article mentioning that in 2010 and 2011, a joint unit composed of operatives from the British GCHQ and the American NSA reportedly hacked SIM card encryption keys engraved in Gemalto and possibly other SIM vendors' cards," it said.
"Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn't expect to endure a significant financial prejudice."
The firm has already reacted to reports that US and UK spy agencies have hacked their way into its heart, pinched its security crown jewels, and hopped right into global communications.
US news website The Intercept, a frequent host of Snowden revelations, claims to have evidence that GCHQ and the US National Security Agency (NSA) worked together to hack Gemalto and steal its encryption keys. This potentially gave the agencies an easy way to eavesdrop on global mobile communications.
"The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including voice and data," said The Intercept.
The report adds that Gemalto produces some two billion SIM cards a year, and that the theft of keys throws citizens' communications wide open.
"With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments," the report said.
"Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider's network that the communications were intercepted."
Gemalto said in an earlier statement that it has not been able to establish whether the breach is an actual thing, but did explain that it takes hacking very seriously and that it "had no prior knowledge that these agencies were conducting this operation".
"Gemalto is especially vigilant against malicious hackers, and has detected, logged and mitigated many attempts over the years," the company said.
"We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques."
The manufacturer said that it is not alone in being mentioned in the same breath as state-sponsored attacks, of which there have been several recently.
"There have been many reported state-sponsored attacks of late that have gained attention in the media and among businesses. This emphasises how serious cyber security is in this day and age," Gemalto said.
Pressure group Fight for the Future said that the allegations are chilling, and that people should fight for a more open and freer web.
"Spy agencies like the NSA are literally just hacking into phone companies and and stealing information so they can constantly monitor all of us without any oversight or checks and balances to protect civil liberties and free speech," the group said, adding that citizens should protest against mass surveillance. µ
Rare protest is blocked at the source (code)
Galaxy Fold... more like Galaxy F***ed
And the nostril-facing webcam has been replaced
No port in a publicity storm