Spies in your SIM card? After alleged hack by NSA and GCHQ, manufacturer says its SIMs are secure

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

On Thursday last week, The Intercept published its latest exclusive courtesy of NSA whistleblower Edward Snowden.

According to the report, intelligence agencies in the United States and Great Britain joined forces to hack Gemalto, a company which manufactures billions of SIM cards every year, and stole encryption keys used to protect the privacy of communications around the world.

GCHQ slide on Gemalto breach

Gemalto’s customers include 450 mobile telecom operators globally, including Verizon, AT&T and Vodafone.

Sign up to our free newsletter.
Security news, advice, and tips.

If the hacking claims are true, GCHQ and the NSA would be able to use the stolen encryption keys “to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.” In other words, no need for a warrant or a wiretap, and no awkward evidence left on a communications provider’s network that communications were snooped upon.

That is, for anyone who cares about privacy, a nightmare scenario with potentially billions of calls, texts and emails vulnerable to covert spying by intelligence agencies.

GCHQ slide

According to Snowden’s documents, the alleged hacking operation took place during 2010 and 2011.

SIM cardsBut today, Gemalto – which also produces ID chips for passports and other technologies – is trying to reassure the public, its partners and investors.

The corporation has today published a short statement saying it will hold a press conference on Wednesday 25 February about its investigation into the alleged hacking, but that it already believes that “Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure.”

A question, clearly, remains. If GCHQ’s slide was accurate in boasting “[we] believe we have their entire network”, how on earth can Gemalto say with any confidence what occurred in 2010/2011? After all, any digital fingerprints that the hackers might have left could have been entirely wiped by the hackers if they truly owned Gemalto’s computer system.

We shouldn’t forget, GCHQ is perfectly prepared to hack innocent, law-abiding companies if they believe that it will help them gather intelligence. Just look what happened at leading telecoms firm Belgacom, for instance.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Spies in your SIM card? After alleged hack by NSA and GCHQ, manufacturer says its SIMs are secure”

  1. I don't understand why in the midst of this big data revelation and whistleblowing they would provide a redacted slide from GCHQ. What's being withheld there?

    1. tubeist- dan · in reply to Jason Shaw

      Snowden was careful to make clear that he would withold information that could CRUCIALLY compromise methods, operations, and personnel.

      Nota Bene: I have put 'crucially' in all-caps. Just in case it wouldn't be noticed.

  2. derek

    in this age of murdering b………………. terrists i suppose they have to be 1 step ahead—the risk is haveing info on us all—-its open to curruption human nature as it is

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.