Gemalto Dismisses Any Security Concerns About SIM Card Hacks

News
By Lucian Armasu
published

Last week, a report in The Intercept revealed that GCHQ and NSA managed to hack into all of Gemalto's systems and steal encryption keys for its SIM cards, credit card chips and so on. Gemalto is currently the largest SIM chip manufacturer in the world, serving over 3,000 banks and 450 carriers.

Such a hack could have potentially disastrous financial implications for the company. Within a day, the company had already lost $500 million in stock value. For a security company, having trustworthy products is critical to keeping customers buying products.

This is why Gemalto has already come out and made a statement today, saying that its SIM chips are secure.

“Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn't expect to endure a significant financial prejudice," read a statement on its website.

However, the statement seems to be quite vague. For one thing, Gemalto doesn't address the issue of having its systems compromised in the past, even if they may have fixed all the security holes. Gemalto's products may be secure now, but what about all the billions of SIM cards on the market that have compromised keys? The company seems to completely sidestep this issue.

The second problem with the statement is that it seems unlikely the company could fix all of its systems in 40 countries, over the weekend, after having the GCHQ and NSA go through their systems and implant malware since 2010. Therefore, it sounds more like this statement is designed to appease both shareholders, who have lost some trust in the company's stock, but also its customers (carriers, banks, etc.).

In fact, since the company published the statement, its stock value began rising:

Security experts such as Matthew Green, a professor of cryptography at Johns Hopkins University, don't seem to believe Gemalto:


Much like Lenovo, Gemalto responded to a very serious security issue with a statement that completely dismissed the concerns of security experts. Lenovo later retracted its statement that said there were no security issues, realizing how irresponsible that was, so it remains to be seen if Gemalto will do the same. The company will hold a press conference (Paris, 10:30 am) on Wednesday to offer more details.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
4 Comments Comment from the forums
  • Alec Mowat
    There's a typo in the title; should say "Gemalto paid off by NSA"
    Reply
  • guner451
    Just don't do banking with your cell phone,there's more security flaws in android and iOS than you can shake a stick at, this is just icing on the cake. Also how dumb can investors be to believe that they've fixed anything in this short amount of time or that they will at all. They better rebuild in a clean room environment or they'll never get rid of our NSA friends.
    Reply
  • Dags
    This is great technology, today. When I will get that APU in my hands or in a device it will be already old. I've been always buying AMD products but there is nothing worth buying out there to replace my Phenom II.
    Reply
  • Maxor1
    The ability of the NSA to crack something's security is a little bit different than the ability of even an advanced and organized criminal ring. Publicizing that it can be done and maybe laying out a vague over view of how its done on the part of the NSA is slightly irresponsible on the part of that very large government entity in my opinion as it makes the security compromise far more likely to happen in the near future by an organized ring. where informing the company of the loophole and allowing them the opportunity to patch that and future tech and only issuing a press release if its not done in a responsible amount of time seems to me to be a far more responsible course of action.
    Reply