Friday, 20 February 2015

Un-safe SIM cards and the alleged Gemalto hack

The article here: http://m.bbc.co.uk/news/technology-31545050 describes an alleged hack by GCHQ and/or the CIA where the SIM encryption codes for many SIM cards were stolen, allowing them to be used by the intelligence agencies to decrypt voice and text data without needing to involve a service provider or even leave a trace of their actions.

Issues of privacy aside and think what you want about whether this is "proportionate" or an "abuse" of their expertise but I am still left feeling very sad that in this day and age with the amount that is known about security, that encryption keys are not only generated but kept in a form ready to be stolen and misused. That is not acceptable. Spear-phishing (the supposed route into this attack) is extremely common in targeted attacks so the fact that a company who stores these keys allows them to be accessed from the same machine that a user checks their email on is not acceptable.

The good news is that most of these attacks appear to be carried out against companies who have very poor or non-existent security policies and a seeming lack of knowledge about good practice so those of us who care and follow good practices are probably still fairly immune to most attacks.

Edit

After getting more information on this from the news, it sounds like the original reports were unduly harsh on Gemalto, who it seems do isolate their systems and would not allow this hack to occur along the lines of what is originally reported. I am happy to recant my criticism of their practices because of this!
Post a Comment