Gemalto Claims GCHQ, NSA Didn't Compromise Its Keys, Security Experts Remain Skeptical

Today, Gemalto, the biggest manufacturer of SIM cards in the world, gave a more detailed response explaining why it does not believe its systems were seriously compromised, contrary to what The Intercept originally reported.

The company believes only its office network was breached, which is the network its employees use for day-to-day work and for communicating with the outside world. According to Gemalto, this breach was detected in 2010 and thwarted.

Before that breach, the company had already upgraded to more secure data exchange systems that made working with its SIM customers safer. However, Gemalto also said that it is involved in only 2 percent of the SIM encryption key exchanges, and that the other 98 percent of exchanges would be more vulnerable to data theft because they don't use the same type of strong security that Gemalto does. In other words, the encryption keys would be more easily stolen from Gemalto's customers (the carriers) themselves than from Gemalto.

Gemalto also said that even if the keys were stolen, only 2G keys would be useful, because 3G and 4G technologies use more advanced encryption; the company did not explain, however, exactly why 4G communications would be harder to intercept with a stolen key.

Many security experts remain skeptical that Gemalto's account is true, or completely true, and suspect that the statements are aimed mainly at investors, to keep the company's stock from falling.

Matthew Green, a cryptography professor at the Johns Hopkins Information Security Institute, told The Intercept: "This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all."

"No encryption mechanism stands up to key theft," Green said, "which means Gemalto is either convinced that the additional keys could not also have been stolen or they're saying that their mechanisms have some proprietary 'secret sauce' and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That's a deeply worrying statement."

Security expert Ronald Prins, co-founder of the Dutch firm Fox-IT, also thinks the time frame for a full investigation was too short.

"A true forensic investigation in such a complex environment is not possible in this time frame. A damage assessment is more what this looks like."

Gemalto also said today, at a press conference in Paris, that the company will not take legal action against GCHQ and NSA because "it's difficult to prove their conclusions legally." That suggests the company does not have a full grasp of what happened either, which would not normally be an issue, except that Gemalto also appears very confident in its statements that two of the most powerful spy agencies in the world could not have stolen its encryption keys.

Members of governments in Australia and in several European Union countries have started asking for investigations to see exactly what happened and whether Gemalto is telling the truth.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.