Thursday 16 April 2015

Should You Worry About Gemalto's Breach?

Gemalto is the largest SIM card producer in the world, producing over 2 billion every year. This means the chances are high that your SIM card came from Gemalto.


Recently Gemalto confirmed that it had been hacked and that both the NSA and GCHQ had got their hands on SIM encryption keys from the manufacturer. This means that both GCHQ and the NSA could access encrypted conversations, messages and data traffic. But is this as big a concern as the media is making it?

No one is claiming they succeeded in the access
So far we only have Gemalto’s word on the breach, but it has been more than open about the fact that its systems were hacked into by intelligence agencies between 2010 and 2011.

Only 2G is vulnerable
According to Gemalto, 3G and 4G are too secure and only 2G networks would be affected. Gemalto is currently confident enough to claim that most people have already switched to faster networks, so if a hack had been successful, it would only affect a few people.

The attacks didn’t take place on UK numbers
The attempted hacks targeted mobile operators in Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan. Theoretically, that means that if you live in the UK, or at least have a UK or general European SIM, you are unaffected.

There’s no risk to card chips or security networks
If a breach had occurred on the infrastructure running Gemalto’s SIM activity, it wouldn’t have given any access to payment chip encryption or other security systems. Gemalto isn’t a small player in any field it occupies, and it has physically separate networks for all of its sensitive information. Breaching one wouldn’t mean breaching all.

An interesting question...
While there’s definitely a case for a breach of privacy, and a need for genuine concern over the security of our personal information and communications online, the interesting question is this: if it is true that GCHQ actively hacked an organisation from the UK, did a breach of the Computer Misuse Act occur, and would GCHQ be liable to prosecution? And if someone had a genuine concern that their information was being inappropriately processed, would the ICO be concerned?

Of course, it could all just be misinformation.

Author - Peter Bassill
