My Take on the Gemalto "Great SIM Heist" bombshell story
(originally posted 22.02.2015 on Google+)
[Update 01.03.2015]
From Gemalto's statement, it is not clear whether they had access to the unredacted documents or not. With it, they could assess the story much better, because names and email addresses were (with good reason) redacted in the published documents.
On Twitter, I asked Gemalto, The Intercept and the authors of the article if Gemalto had access to the unredacted documents, but I got no reply:
https://twitter.com/twrweb/status/570583046375800832
https://twitter.com/twrweb/status/571027915875467264
And I asked other people familiar with the topic, nobody could say for sure. Google had no answer either.
So, of course, it could be that Gemalto had access, and Gemalto didn't answer me because they said they would not comment any further. And The Intercept doesn't talk to a Snowden denier like me. Or both just do not care to answer a private person with only 150 followers on Twitter. That may be possible.
But it may also be that neither of them wants to answer this question. It is possible that Gemalto just did not ask for the unredacted documents (for whatever reason), and The Intercept was quite happy that Gemalto didn't ask and could not validate the story too thoroughly.
Both are possible. So far, none of the open questions has been answered. We still don't know whether the story is entirely correct or completely bogus. Or something in between.
[/Update]
[Update 26.02.2015]
Yesterday, Gemalto published a statement with the result of its investigations. In it, Gemalto rejected most parts of the Intercept's reporting. And contrary to some media reports, Gemalto didn't even confirm a GCHQ / NSA attack, because they clearly said:
"All comments in this publication assume that the published documents are real and refer accurately to events that occurred during 2010 and 2011. Our publication here below does not aim at confirming partially or entirely nor at providing elements to refute partially or entirely the contents of those website published documents."
http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx
So all that Gemalto basically said is: "If the published documents are real and refer accurately to attacks against us, then we can confirm that we experienced some sophisticated attacks which could have been launched from nation-state attackers like NSA or GCHQ."
They further said they now believe the attacks came from GCHQ / NSA, but they didn't confirm it.
The Intercept and some others criticised Gemalto's statement, saying it was in part incorrect, and that it would be impossible to finish a thorough investigation within such a short timeframe. This may be correct, but it doesn't change the fact that the published documents didn't prove the Intercept's claims, and that Gemalto didn't confirm any of them. So we are where we were before: the Intercept's interpretations could be right or completely wrong. But the claims came from the Intercept, so they are the ones who bear the burden of proof.
[/Update]
The latest Snowden-based revelation from The Intercept, the "SIM heist", doesn't add up at several points, and leaves a lot of question marks behind.
The first point worth mentioning is that, even if the article is basically correct on all its points, it still shows that GCHQ and NSA are primarily interested in SIM cards from conflict areas like Somalia, Yemen or Afghanistan, not in those of innocent people in western countries, as this chart clearly shows:
https://firstlook.org/theintercept/document/2015/02/19/imsis-identified-ki-data-network-providers-jan10-mar10-trial/
The Intercept tries its best to mislead the reader here.
The second point is that, even if we assume GCHQ and NSA could obtain the keys of virtually all SIM cards in the world, this still doesn't mean they are able to listen to any cell phone call they want. The key on the SIM card encrypts the traffic between the phone and the base station, so if the intelligence agencies actually want to listen to a call, they need to get close to the target and eavesdrop on its wireless traffic.
This means that, even if we buy all the claims in the article, this again is no proof at all of mass surveillance.
What else there is to say is more complex.
One of the first questions I asked myself after reading the story was: Why should GCHQ and NSA do this? I mean, they always have to weigh what they can gain against the related risks. And here there is obviously a big imbalance. The keys are not necessary to break the very weak 2G encryption (most voice calls were made over 2G, at least back in 2010), while 3G and LTE are almost always only used for internet data (which is often encrypted at higher layers too). But on the other side, Gemalto is obviously a very hard target, with serious risks of getting caught.
It just makes no (or very little) sense for GCHQ to attack Gemalto, and Gemalto so far didn't confirm they were attacked.
Another question you should ask: Why did this revelation come so late? I mean, if this story is basically correct, then of course it is one of the most interesting revelations so far. But why did Greenwald wait that long? I cannot believe he overlooked it. But I don't have any good explanation either.
The next problem -- as always with the Snowden revelations -- is the published documents. We can read them, and at first sight they seem to prove what is claimed in the article, but we don't know the context in which they were written. So let's have a closer look at the document which is supposed to prove the successful hacking of Gemalto:
https://firstlook.org/theintercept/document/2015/02/19/dapino-gamma-cne-presence-wiki/
I was astonished when I read "Our Workshop Aims". What does this mean? This is a clear hint that the document is not documentation of a real operation, but rather training material. And if it is training material, it could either describe a hypothetical attack against Gemalto, or it could be an explanation based on a real attack against Gemalto. We just can't say, because we don't know the context.
I think Gemalto could give an answer here, if they have the unredacted documents. So we have to stay tuned until their final statement.
Another document left me skeptical as well:
https://firstlook.org/theintercept/document/2015/02/19/pcs-harvesting-scale/
The Intercept interprets this as a description of an ongoing operation to collect as many SIM card keys as possible. However, if you read it, it sounds much more like a case study from a research department, with a focus on the comparison between automated and manual collection. So again, we do not know the real context of this document, so we just can't tell.
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
The only explanation I could come up with is they just got so used to harvesting all the data they could get that they don't really weigh gains and risks in a sensible way.
That would fit in the greater picture of all the revelations. There are tremendous amounts of secret operations, with a lot of them potentially causing diplomatic, political and economic damage when exposed. They were still carried out, most of the time probably without the knowledge of Congress. And they lack proper OpSec (else it would not have been possible to copy as many documents as Snowden did) despite better knowledge.
To me, that imbalance in gain/risk assessment makes them look completely out of control.
Maybe we should wait until Wednesday for further discussion. Gemalto announced a press conference with results about its investigations:
http://www.gemalto.com/press/Pages/Update-on-the-SIM-card-encryption-keys-matter.aspx
Maybe we know more then ...
Whether media coverage of those documents is true or misleading is of no importance at all concerning my conclusion. There is no reason to assume media coverage of previously secret documents would be fundamentally different to any other media coverage. Exaggerated headlines and unfavorable descriptions of their power abuse/usage should have been factored into the weighting of risks and benefits of their actions. The same as with many other stories, like the "direct access" or "millions of Germans tapped" -- they turned out to be completely wrong.
So if you don't refer to the headlines, but to the documents: Which documents do you exactly mean? Which of them clearly shows "shocking" actions?
You can blame NSA for a lot, but not that nobody took into account that the documents could be stolen and totally misrepresented by biased "journalists".
I don't blame the NSA for the biased presentation of the documents by journalists. I blame the NSA for bad decision making. They knew there would be biased reporting. They knew there would be sensationalist headlines. They knew this would lead to diplomatic, political and economic problems, mainly for the US. They knew that would weaken the USA's position in the world. As a political partner, as a trade partner, as well as a moral institution. And despite that knowledge they carried on with their programs. And they did not even care enough to keep them secret. If a single person was able to retrieve quite a bunch of documents, how many documents might have been stolen by Chinese or Russian agencies?
We agree, that if Gemalto was attacked, then it was a wrong decision. But there is no proof, we just don't know.
So which of NSA's proven (not alleged!) actions were wrong decisions?
Even the eavesdropping on Merkel (which I consider to be proven) was not clearly wrong.
That the NSA obviously totally failed with its internal security (however no solid details are known), that is correct. But this is another story.
The decision to have several programs capable of bulk data collection.
The decision to pay RSA 10 million USD to use weak encryption.
And why not: The decision to spy on Foreign Heads of Government like Angela Merkel.
I do not see any evidence of the benefits. Probably there are some (though I wonder why the NSA does not make them public, at least to some degree), but were they worth the costs? I highly doubt it. I'm fairly sure the US' long-term loss in credibility was severely underestimated by NSA officials. Or, alternatively (imho this is closely related), their ability to keep their secrets secret was severely overrated. In any case: wrong decisions.
The story with RSA is not entirely clear. RSA denies it took money to use "weak" encryption. Even if the story is correct, then only RSA is to blame, not NSA, because the alleged "backdoor" in Dual_EC_DRBG is a very sophisticated one, which could only be exploited by NSA, not any third parties.
And to spy on foreign heads is simply the task of intelligence agencies. I agree that it is not smart to spy on friends, but Merkel's predecessor, chancellor Schröder, clearly showed that Germany is a very unreliable friend.
And the benefits are very simple: Gaining foreign intelligence.
But there is also benefit of the doubt. :-)
I wonder which statement would have made you believe that Gemalto had been attacked by the NSA. The NSA has at least been looking at Gemalto as a target, and Gemalto has been attacked. It makes perfect sense for the NSA to hack into non-American-made SIM cards. Nobody provided even anecdotal evidence that someone other than the NSA might be the attacker. The NSA isn't even trying to deny they attacked Gemalto. What else do you need?
I get that you don't like the exaggerations and anti-NSA reporting of The Intercept and other media organizations. I would even say you had a point. If, yes if, you wouldn't use interpretations which are even further from the truth.
But the published documents don't prove an actual attack on Gemalto. They don't even prove Gemalto was picked as a target. I explained this in my post. But I ask you: What do you think, why do they write "Our Workshop Aims" in the document?
And again, I don't claim the Intercept's interpretation is wrong. It could be right. It is even possible GCHQ / NSA penetrated Gemalto's internal network without leaving a trace. But it's completely unproven.
In a business where "We do not collect that data" means "We collect that data, but most of the time it is not used" reading statements like these literally makes as much sense as reading the bible literally.
But I still wait on an answer from you. How do you read the quote "Our Workshop Aims" from the document?
And you can't just read one statement literally and do your own interpretation on another statement. There is no proof at all that the NSA spied on Merkel. Period. Still you and everyone else knows they did it. And still everyone knows they attacked Gemalto. Only your view is too biased in this case, but that doesn't matter, as everyone else knows.
From wikipedia: In "office environments" a workshop describes a conference room meeting intended to create or generate plans, analysis, or design that supports organizational efforts.
That means people familiar with the matter sit together and try to find ways to achieve the aims of the workshop. So here, they thought about how they could get into Gemalto in order to perform Computer Network Exploitation.
I have no problem with being called "biased" or "the only one". I was one of the very few who were skeptical about the very first "revelations" like the "direct access" or "BOUNDLESSINFORMANT". They all turned out to be completely wrong. For me it's more important to be right in the long run. ;-)
And regarding "workshop", I think it's absurd this kind of workshop was meant. But I don't know, you may be right, of course. So you see how difficult it is to interpret documents without knowing the correct context.
Maybe it is far-fetched, but no less than the Intercept's interpretation.
And Gemalto also said they are attacked daily. It's simply not a fact the hack was from GCHQ / NSA.