Gemalto: “They don’t know, what they don’t know”
News of the Gemalto hack dominated almost all of last week. The details of the hack by the NSA and GCHQ had been made public the week before, but it was down to news punditry to keep the story alive until Gemalto could investigate further and give a press conference to release the findings of their own, internal, investigation. Then there was the obligatory review of Gemalto’s findings. Ultimately it came down to a phrase digitally muttered by The Intercept (the online publication that broke the news): “Gemalto doesn’t know, what it doesn’t know”.
How apt and what a total non-surprise.
Really, what did people expect? Of course, Gemalto is not going to admit to a serious hacking that caused untold damage and neither are the NSA or GCHQ going to admit to any liability in the matter. Gemalto did have the following to say: “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks. It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the (accompanying) documents.”
In other words, the hacks by the security services were greatly exaggerated. To recap, Gemalto added that after a 'thorough' investigation, it concluded that although the company did experience hacks in 2010, it suffered none that could have resulted in the loss of the vast number of SIM encryption keys that The Intercept article referenced. And, the company continued, if some keys had been stolen, then technology pertaining to the 3G and 4G networks that Gemalto builds SIMs for would have prevented substantial hacking. The company believes 2G networks were the only ones that would have truly suffered under such a hack.
The Intercept (the aforementioned online publication that first published the report of the alleged hack) took the position that “the company (Gemalto) tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable”. The publication said that “security experts and cryptography specialists immediately challenged Gemalto’s claim to have done a “thorough” investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces”.
Bringing in their own experts for statements, The Intercept reported this quote by Christopher Soghoian, the Chief Technologist at the American Civil Liberties Union, “Gemalto learned about this five-year-old hack by GCHQ when The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks.” He added that Gemalto remains “a high-profile target for intelligence agencies.” Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, added, “This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all.”
In my humble opinion, everyone is missing the point here: It’s not that Gemalto doesn’t know what it doesn’t know (as The Intercept points out), it’s more a case that Gemalto can’t admit what it does or does not know. On some level, perhaps Gemalto doesn’t even want to know. You know?
Interestingly, in the midst of all this mess, it was a report by the UK’s Daily Mail — that media bastion for truth and justice (for those of you not picking it up, I’m being sarcastic here) — which picked up a nuance that no one else had: When covering the topic of making a complaint or taking legal action over the hacking incident, Gemalto pointed out that complaining to the UK and US would be a waste of time. Olivier Piou, Chief Executive of Gemalto, downplayed the scale of the theft as he said any legal action against the British and US digital espionage agencies was destined to fail.
Now that is a truth that I think we all know.
In other news, I am going to go out on a limb here and guess that the majority of our readers are working their way through this Monday morning editorial on some kind of mobile or tablet device at this year’s MWC – providing their Wi-Fi is working. They may also be stood on a booth worrying if their demos have made the journey intact and are actually going to work for the rest of the week. There is nothing more frustrating than finding the product demo that worked last week in the office now stubbornly refuses to function on a booth in Barcelona. Am I right? Well, I hope that all is working for everyone this year.
Especially for those 44 companies who have made it as finalists into the 2015 Contactless and Mobile Awards. Even though the 28th April may still seem a long way away, as always, time will fly! Yes, the whittling of nominations is (finally) over and we have our finalists - many of whom will be at MWC 2015. We have decided to wait until next week to make the announcement but from next Monday onwards - it’s in the hands of our judges to pick the category winners.
We are now finishing up our agenda for the Contactless Intelligence Conference, as well as the Open Standards Forum and Mobile ID Forum that are being held the following day. So please stop by our site to check out this year’s speakers, the companies they are representing and the topics they will be covering. From next week onwards we move into the countdown to this annual Contactless Intelligence event – expect further details from then on.
Until next week, I would like to say to all you MWC attendees ‘Live long and may your demos prosper’.
Steve Atkins
Contactless Intelligence
R.I.P Leonard Nimoy 1931 - 2015