BreachExchange mailing list archives

The 5 reasons why you shouldn’t worry about Gemalto’s SIM hack…yet


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Feb 2015 19:16:46 -0700

http://www.pcpro.co.uk/internet-security/1000432/the-5-reasons-why-you-shouldn-t-worry-about-gemalto-s-sim-hack-yet

Gemalto is the world’s largest producer of SIM cards, manufacturing over 2
billion every year. Chances are, if you have a mobile phone, your SIM card
came from Gemalto.

Today Gemalto confirmed that its network had been hacked, following reports
that both the NSA and GCHQ had pilfered SIM encryption keys from the
manufacturer.

If the US and British spying agencies actually got hold of those encryption
keys, they could (metaphorically) blow your phone right open, gaining
access to encrypted conversations, messages and data traffic.

While this definitely raises questions about how much trust we should place
in the security of the internet and governments, the truth of the matter is
that this Gemalto business isn’t as big a concern as the media is making it.

Here are 5 reasons why you have no need to worry if your SIM has been
compromised.

1. The NSA and GCHQ couldn’t get into Gemalto’s systems

We could be placing too much faith in Gemalto’s word, but it’s been more
than open about the fact that its systems were hacked into by intelligence
agencies between 2010 and 2011.

However, the Netherlands-based company has said that despite the serious
intrusion, neither agency could get deep enough to access the sensitive
information they sought.

2. 3G and 4G are too secure

Gemalto has admitted that if the hackers had managed to delve in and grab
SIM encryption, only people who use 2G networks would have been affected.
Due to both 3G and 4G being more secure, an encryption-based attack
wouldn’t have exposed people on those networks.

Gemalto is currently confident enough to claim that most people have
already switched to faster networks, so if a hack had been successful, it
would only affect a few people.

3. The attacks didn’t take place on UK numbers

While that argument is very “it’s not in my backyard”, on a day-to-day
note, you really have nothing to worry about in terms of your personal
number and data.

The attempted hacks targeted mobile operators in Afghanistan, Yemen, India,
Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan. That means that if
you live in the UK, or at least have a UK or general European SIM you’ll be
completely fine.

That doesn’t dismiss the existence of such a problem, but it certainly puts
your daily worries into perspective.

4. There’s no risk to card chips or security networks

You’d have to be a major conspiracist to believe a breach on SIM encryption
also poses a risk to Gemalto’s other products.

If a breach had occurred on the infrastructure running Gemalto’s SIM
activity, it wouldn’t have any access to payment chip encryption or other
security systems. Gemalto isn’t a small player in any field it occupies, it
has physically separate networks for all of its sensitive information.
Breaching one wouldn’t mean breaching all.

5. Gemalto doesn’t benefit from lying

While the security breach could have done some serious damage to Gemalto’s
business, with its 450 worldwide clients possibly taking their business
elsewhere, things would be worse for it if it broke the law.

The Netherlands, where Gemalto is based, has a net neutrality law in place.
If Gemalto is found lying about any breaches, it would be lumped with fines
and reparations beyond lost clients.

Admittedly, Gemalto denied any such breach on its networks only a week ago.
That was most likely a result of poor PR damage control, and a genuine lack
of knowledge due to no encryption-level breach taking place.

After its own investigation into the attacks Gemalto has been reasonably
transparent about what occurred.

While it does still smack of Gemalto saying everything’s fine to ensure its
products don’t suffer, it’s unlikely a real risk exists.

The personal take

While there’s definitely a case for a breach of privacy and a need for
genuine concern over the security of our personal information and
communications online, I wouldn’t worry about the Gemalto story.

For various reasons, mostly stated above, the likelihood of your individual
SIM being breached and traced is low. And while Gemalto does admit that, if
a breach had occurred, only those running on 2G networks would need to be
concerned, operators who could possibly be affected in the regions targeted
only have a slim set of users running on 2G networks. For the billions of
SIM cards that Gemalto is producing internationally, a tiny set will have
actually been compromised.

It certainly doesn’t make the act of GCHQ and the NSA purportedly trying to
smash its way into Gemalto’s network any more reassuring, but it does help
put things into perspective.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss