By Sam Schechner
PARIS--Security-chip maker Gemalto NV said Wednesday that
American and British intelligence services could be responsible for
a "particularly sophisticated intrusion" of its networks several
years ago, but denied that the alleged hack could have widely
compromised encryption it builds into chips used in billions of
cellphones world-wide.
The company, one of the world's largest makers of cellphone SIM
cards, on Wednesday disclosed the first details of an internal
investigation it launched in response to a report Friday that the
U.S. National Security Agency and the U.K.'s Government
Communications Headquarters, or GCHQ, had hacked Gemalto
systems.
Gemalto, based in France and listed in the Netherlands, said it
had detected intrusions in 2010 and 2011 in the outer parts of its
network that it now believes could have been carried out by the NSA
and GCHQ. While the company voiced concern that government agencies
could target private companies, Chief Executive Olivier Piou said
Gemalto doesn't plan legal action.
"The operation very probably happened," Mr. Piou told a news
conference, but "it's difficult to prove our conclusions legally,
so we're not going to take legal action."
"We are concerned that they could be involved in such
indiscriminate operations against private companies with no grounds
for suspicion," the company said in a news release.
An NSA official didn't immediately have a comment. GCHQ declined
to comment.
Big telecommunications carriers said last week they would work
with Gemalto to assess any vulnerability to customers, and some
European government officials lashed out at the alleged hack.
Gemalto counts some of the world's biggest telecoms carriers as
customers, including Vodafone Group PLC and Verizon Communications
Inc.
On Wednesday, China weighed in, saying it was concerned about
the reported hack. Gemalto provides SIM cards for China Mobile
Ltd., the world's largest carrier by subscribers. At a daily press
briefing, China Foreign Ministry spokesman Hong Lei said, "We are
concerned about" reports of the hacking attempt into Gemalto.
"We are opposed to any country attempting to use information
technology products to conduct cyber surveillance," Mr. Hong said.
"This not only harms the interests of consumers but also undermines
users' confidence."
The alleged hack was reported last week by the Intercept, a news
website that has been a conduit of leaks from former NSA contractor
Edward Snowden. It alleged the agencies had intercepted data
transfers between Gemalto and clients that included encryption keys
for Gemalto-made SIM cards. Those keys encrypt radio transmissions
between individuals' cellphones and cellular antennas operated by
telecommunications companies.
Gemalto confirmed details of the report, saying that hackers had
used spoofed emails sent to clients to install software that
allowed them to intercept communications. The company said the
hackers had also likely managed to access computers in its office
network, but not a separate network it used to store SIM-card
encryption codes or customer data.
Executives acknowledged that data transfers between customers
and Gemalto could have only been intercepted in "exceptional" cases
such as tests when it wasn't using its own secure system to
transfer keys.
"It's difficult to say how many," Mr. Piou said of the number of
potential interceptions. "Maybe a dozen, maybe 100. We know it's
very few."
Company executives also asserted that the interceptions wouldn't
have compromised the security of its newer SIM cards for 3G and 4G
cellular networks, only older 2G networks. The reason: Gemalto says
the new technology no longer requires it to send telecom companies
the keys to decrypt individuals' communications--so they couldn't
have been intercepted.
"The data which are exchanged between the SIM manufacturers and
the telcos, when it was 2G, was indeed the keys. When it comes to
3G and 4G, they are no longer the encryption keys," said Serge
Barbe, senior vice president of Embedded Software and Card Products
for Gemalto.
The Wall Street Journal didn't immediately verify Gemalto's
claims. The company acknowledged that it isn't possible to disprove
that other types of attacks may have occurred against Gemalto or other
companies to obtain newer keys.
Last week, a former European intelligence official said that 2G
networks were already easy to penetrate, and that the theft of keys
would be primarily useful for decrypting radio communications on 3G
and 4G cellular networks.
Gemalto did acknowledge in its news release Wednesday that not
all operators pay for or use the most up-to-date security features,
which could make encryption easier to penetrate.
The firm has 450 mobile network operators as customers. It
recorded EUR2.4 billion ($2.72 billion) in revenue in 2013.
Inti Landauro contributed to this article.
Write to Sam Schechner at sam.schechner@wsj.com