Privacy Commissioner to investigate SIM card hack

February 27, 2015 |

Yesterday the Privacy Commissioner issued a brief, general and somewhat opaque  statement saying he would “make preliminary enquiries”into the hack of Gemalto which likely resulted in compromise to the SIM cards.  There is a clear privacy implications and it would be caught under the Privacy Act.  It would be a very interesting test of the Privacy Commissioner’s powers and application of Privacy Principle 1 and 11.

The statement, found here, provides:

‘The Office of the Australian Information Commissioner is making preliminary inquiries with a number of Telecommunications mobile providers in relation to this issue, in order to determine what, if any, further action is required.

Australian Privacy Principle 11 requires an entity to take reasonable steps to protect the personal information that it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.’

The Privacy Commissioner’s statement is covered by the Age in  Privacy Commissioner considers inquiry into Gemalto SIM cards hack which provides a useful background to the story.

It provides:

Australian Privacy Commissioner Timothy Pilgrim is considering whether to launch an investigation into the hacking of Gemalto SIM cards by United States and British spy agencies that experts say leaves potentially millions of Australians open to having their phone conversations or text messages monitored.

The news comes as security experts rubbished the Dutch company’s claims overnight that its SIM cards – which it supplies to Telstra, Optus and Vodafone – were secure, even though the manufacturer admitted it had “probably” been hacked by the US National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ).

Mr Pilgrim said the Office of the Australian Information Commissioner (OAIC) was making preliminary inquiries into the matter with “a number” of Australian mobile carriers, “in order to determine what, if any, further action is required.”

He noted Australian Privacy Principle 11, which requires an organisation to take “reasonable steps to protect the personal information that it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure”.

Last year Australia’s privacy rules were overhauled to give the commissioner more teeth, including the ability to fine companies who breach the privacy rules up to $1.7 million.

Gemalto, the world’s largest SIM card manufacturer, responded overnight to news leaked in documents from whistleblower Edward Snowden that the NSA and GCHQ had stolen the encryption keys of its SIM cards, meaning the agencies could listen in on citizens’ phone calls, text messages and more.

The company said it had “reasonable grounds to believe that an operation by NSA and GCHQ probably happened”, but said the attacks “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys“.

Online publication The Intercept, which initially broke the story, immediately hit back, citing various security experts, with claims Gemalto had made “erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable” in the statement.

Local security expert Phil Kernick, co-founder and chief technology officer at CQR Security, said while Gemalto was “trying very hard” to play down the incident, its claims could not be relied upon.

“We can accept that they might believe this to be true, but there’s no reasonable basis for accepting that it is,” Mr Kernick said.

“Six days ago they said they’d never been hacked, today they’re saying ‘Well yeah, it does appear we were hacked but we don’t think anything important’s been stolen.

“I don’t think we can rely on anything they’re saying today as being meaningful.”

Mr Kernick described Gemalto’s claims that the 3G and 4G SIMs it manufactured today were more secure than the 2G SIMs on the market at the time of the attacks in 2011 as “disingenuous”.

“3G and 4G SIMs have 2G fallback so if you go into a train tunnel or go out into the bush you may find that your phone goes from 4G to 3G, which is ‘edge’; that means it’s fallen back to 2G, which means that it’s just as vulnerable as any 2G SIM,” Mr Kernick said.

A malicious actor could also implement a “channel downgrade attack”, effectively forcing mobile phone towers to switch to 2G, he said.

“[3G and 4G] are inherently better but if someone’s gone in and stolen the keys to the kingdom, it makes no difference.”

Fairfax Media put these security concerns to Australian carriers but Telstra, Optus and Vodafone each deferred to the manufacturer.

A Telstra spokesperson said the telco did not believe the security breach had impacted its customers and that it did not believe replacing customers’ SIM cards was necessary.

“Gemalto has confirmed they have found no evidence to substantiate claims that the encryption keys of their SIMs were intercepted,” the spokesperson said.

“They have provided evidence that their manufacturing, distribution and security processes would not allow the claimed hack to have occurred.

“Gemalto has advised it believes there is no impact on Telstra customers and we have confidence in their investigation.”

A Vodafone spokesperson also referred Fairfax Media to Gemalto’s statement, while Optus declined to comment further.

It is not known what percentage of Australian SIM cards are manufactured by the company,

However Mr Kernick and other experts cited in Thursday’s Intercept article warned other SIM manufacturers would be prime targets for intelligence agencies.

Mr Kernick also said there was no reason to believe agencies hadn’t hacked into Gemalto’s – or other manufacturers’ – networks in the years since 2011.

He raised further concerns that this type of incident was not limited to Gemalto, nor would it have ceased in the four to five years since the incident in question.

“I think that … various spy agencies are still in their networks,” Mr Kernick said.

Gemalto’s stock plummeted this week following the revelations.

 

 

One Response to “Privacy Commissioner to investigate SIM card hack”

  1. Privacy Commissioner to investigate SIM card hack | Australian Law Blogs

    […] Privacy Commissioner to investigate SIM card hack […]

Leave a Reply