Told U.S. is hacker, firm probes

U.K. spies also said in on filching keys to decrypt mobile calls

BERLIN -- Gemalto, the largest maker of mobile-phone cards, said it's investigating a report that U.S. and U.K. spies allegedly hacked into its computer network to steal the keys used to encrypt conversations, messages and data traffic.

The United Kingdom's Government Communications Headquarters and the U.S. National Security Agency started intercepting the encoders in 2010 as they were being shipped to phone companies, allowing them to monitor wireless communications and bypass the need to get permission for wiretapping, the online publication Intercept reported Thursday, citing documents from former NSA contractor Edward Snowden.

Gemalto is a particularly valuable holder of the keys, as the French company produces 2 billion SIM cards every year, according to the report.

"The publication indicates the target was not Gemalto per se -- it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators' and users' consent," Gemalto said in a news statement Friday, adding that it couldn't immediately verify the findings in the report.

In an emailed statement, the British communications agency said it couldn't comment on intelligence matters, citing agency policy.

The theft of encryption keys potentially would allow U.S. and U.K. agencies to also unlock communications they had recorded but were previously unable to unlock, the Intercept said.

A U.K. court this month ruled against the nation's spy agencies for the first time, saying their mass collection of Internet and phone data was illegal until late last year. The data-sharing program with U.S. agencies contravened privacy and free-speech provisions in the European Convention on Human Rights, the Investigatory Powers Tribunal said Feb. 6 in London.

According to the Intercept, the spies planted malware on several of Gemalto's computers and obtained access to private communications among employees to help them set up the theft. They also targeted unidentified mobile-phone companies to gain insight into customers and network maps, and tapped into authentication servers that verify communication between an end user and the network operator, according to the report.

While individual hackers are responsible for the lion's share of security breaches, state-sponsored attackers typically can afford large teams and expensive hardware to help them carry out complex assaults on company and government computer systems.

While calls and messages transmitted over older networks, such as those based on 2G technology, can be decrypted with little more than a powerful computer and some mathematical shortcuts, private hackers and secret services alike are finding it harder to break security locks used for 3G and 4G systems that have become more popular. That makes the acquisition of keys a worthwhile endeavor.

Gemalto, whose headquarters are in Amsterdam, said it had detected and mitigated many types of hacking attempts over the years.

"At present we cannot prove a link between those past attempts and what was reported yesterday," it said. "There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasizes how serious cybersecurity is in this day and age."

Meanwhile, rights organizations on Friday called for urgent steps to be taken to protect private calls and online communications.

The World Wide Web Foundation, founded by Tim Berners-Lee, said the alleged hacking by the NSA and its British counterpart was "another worrying sign that these agencies think they are above the law."

Privacy International, which recently won an unprecedented court victory against the British agency in the wake of the Snowden revelations, said that the electronic eavesdropping agency had lost its way.

"In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren't willing to cross," Privacy International Deputy Director Eric King said in a statement.

"Hacking into law-abiding companies, spying on their employees and stealing their data should never be considered 'fair game,'" he added. "Their actions have undermined the security of us all."

White House spokesman Josh Earnest said he could not comment on the contents of the documents disclosed by Snowden. But asked whether the technology industry could trust the U.S. government, Earnest said government and the industry can cooperate in a way that finds a balance between civil liberties and security.

"There are certainly steps that the United States has taken in the name of national security that some members of private industry haven't agreed with, but I do think that there is common ground," Earnest said. "It is hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so."

Information for this article was contributed by Cornelius Rahn and Jeremy Hodges of Bloomberg News and by Sylvia Hui, Frank Jordans, Ken Dilanian and Jim Kuhnhenn of The Associated Press.

A Section on 02/21/2015
