By Sam Schechner and Inti Landauro
PARIS--Security-chip maker Gemalto NV said Wednesday that
American and British intelligence services could be responsible for
a "particularly sophisticated intrusion" of its networks several
years ago, but denied that the alleged hack could have widely
compromised encryption it builds into chips used in billions of
cellphones world-wide.
The company, one of the world's largest makers of cellphone SIM
cards, on Wednesday disclosed the first details of an internal
investigation it launched in response to a report Friday that the
U.S. National Security Agency and the U.K.'s Government
Communications Headquarters, or GHCQ, had hacked Gemalto
systems.
The company, based in France and listed in the Netherlands, said
that it had in 2010 and 2011 detected intrusions in the outer parts
of its network that it now believes could have been carried out by
the NSA and GCHQ, and sounded an alarm over potential government
overreach.
"We are concerned that they could be involved in such
indiscriminate operations against private companies with no grounds
for suspicion," the company said in a news release.
GCHQ declined to comment Wednesday. Last week, the White House
and other U.S. officials referred questions on the leak to the NSA,
which didn't respond to requests for comment.
Big telecommunications carriers said last week they would work
with Gemalto to assess any vulnerability to customers, and some
European government officials lashed out at the alleged hack.
Gemalto counts some of the world's biggest telecoms carriers as
customers, including Vodafone Group PLC and Verizon Communications
Inc.
On Wednesday, China weighed in, saying it was concerned about
the reported hack. Gemalto provides SIM cards for China Mobile
Ltd., the world's largest carrier by subscribers. At a daily press
briefing, China Foreign Ministry spokesman Hong Lei said, "We are
concerned about" reports of the hacking attempt into Gemalto.
"We are opposed to any country attempting to use information
technology products to conduct cyber surveillance," Mr. Hong said.
"This not only harms the interests of consumers but also undermines
users' confidence."
The alleged hack was reported last week by the Intercept, a news
website that has been a conduit of leaks from former NSA contractor
Edward Snowden. It alleged the agencies had intercepted data
transfers between Gemalto and clients that included encryption keys
for Gemalto-made SIM cards. Those keys encrypt radio transmissions
between individuals' cellphones and cellular antennas operated by
telecommunications companies.
Gemalto said Wednesday the hackers it encountered in 2010 and
2011 had used spoofed emails sent to its clients. The company said
the hackers had also likely managed to access computers in its
office network, but not a separate network it used to store
SIM-card encryption codes or customer data.
"It is important to understand that our network architecture is
designed like a cross between an onion and an orange; it has
multiple layers and segments which help to cluster and isolate
data," the company said.
Gemalto's report said that the intelligence agencies could have
only intercepted a small number of its communications with
operators, as it had already by 2010 rolled out a secure system to
transfer the keys.
The company added that the latest generations of its SIM cards
for 3G and 4G networks have additional encryption measures that
would have made the stolen keys unusable.
It wasn't immediately possible to verify Gemalto's claims. Last
week, a former European intelligence official said that 2G networks
were already easy to penetrate, and that the theft of keys would be
primarily useful for decrypting radio communications on 3G and 4G
cellular networks.
Gemalto did acknowledge in its news release Wednesday that not
all operators pay for or use the most up-to-date security features,
which could make encryption easier to penetrate.
The firm has 450 mobile-network operators as customers. It
recorded EUR2.4 billion ($2.72 billion) in revenue in 2013.
Write to Inti Landauro at inti.landauro@wsj.com
Access Investor Kit for China Mobile Ltd.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=HK0941009539
Access Investor Kit for Gemalto NV
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=NL0000400653
Access Investor Kit for China Mobile Ltd.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US16941M1099
Access Investor Kit for Gemalto NV
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US36863N2080
Subscribe to WSJ: http://online.wsj.com?mod=djnwires