News of a hack into Dutch SIM producer Gemalto led to a large-scale investigation into whether mass encryption keys for consumer devices might have been stolen. While the company has now assured the public that there is no threat, that is hardly comforting in the scheme of things.
The technology world has breathed a very small sigh of relief after being assured by Gemalto that an attempted hack in 2010 and 2011 by the NSA and GCHQ, named in a leaked Snowden memo, did not lead to a major privacy breach.
According to the company, it is constantly being attacked by numerous sources. But during the two years covered in the memo, two particularly sophisticated hack attempts seem to confirm the memo’s report of government interference from the US and UK.
One of those attacks was in France, where some unknown entity was found to be trying to spy on the company's internal network, which employees use to communicate with one another, and with customers and other staff. It was reportedly countered successfully.
The second attack was an email forgery scam carrying malicious code that installed a window into customers' computers. Those customers were warned, and the incident appears to have been stopped before causing any damage.
Gemalto believes the NSA and GCHQ were behind both incidents, but assures consumers that they did not succeed. Not only that, but even if they had succeeded in a massive breach, it would not have impacted 3G and 4G smartphones, and so would pose no risk to current devices.
The problem is that this is not as comforting as they might hope. It once more gives us a peek at the illegal, criminally enacted methods government agencies use to gain access to the inner lives of all consumers. Not terror suspects, not people in the intelligence community, not even officials and representatives that you would expect to fall victim to spying. Just regular people going about their days, likely doing nothing more illegal than going 45 in a 40 MPH zone, or downloading a torrent of the latest Modern Family.
It also shows that security firms, already attempting to stop attacks from hackers gaining entry for monetary reasons, can’t rely on the cyber security agencies that should have their backs. They have to actively fight against governments, which have the conflict of interest of also running the departments that regulate them.
Not only that, but how do we know that later attempts, those operating on current devices, weren’t successful, with their methods having simply improved?