Solution Providers: Reported Gemalto SIM Key Hack Raises Questions About Mobile Security

Digital security company Gemalto responded to a report that its mobility encryption codes had been hacked, confirming Wednesday that its office networks were likely breached by the U.S. and U.K., but that there was not a "massive theft" of its SIM card encryption codes.

The claims downplay a report last week by The Intercept, a website publishing stories based on documents provided by NSA whistle-blower Edward Snowden, that the U.S.' National Security Agency and U.K.'s Government Communications Headquarters hacked Gemalto's SIM card encryption key in 2010, giving them access to billions of phones.

Mobile-security-focused solution providers, for their part, say there are a variety of services available to protect against external hacking for phones, but the security space for handsets still has a long way to go in the future.

[Related: Gemalto Denies Knowledge Of NSA Cellphone SIM Tampering]

id
unit-1659132512259
type
Sponsored post

"People can and do protect against the whole general class of hackers who eavesdrop," said Nicko van Someren, chief technology officer of Sunnyvale, Calif.-based mobile security solution provider Good Technology. "Communication devices are hooked up to servers. Each bit along the way is vulnerable to different sorts of attacks, and the wireless leg is particularly exposed. But there are certain ways to protect privacy at all levels of your mobile device."

Gemalto is an Amsterdam-based international digital security company that manufactures SIM cards, which serve to securely log mobile devices into networks, allowing calls and data access.The company's cards are used in cellphones sold by AT&T, Verizon, Sprint and hundreds of other telecommunications providers internationally.

These cards contain personal information, such as mobile numbers, billing information, text messages and contacts, meaning that if hackers obtained their encryption codes, they can listen in on voice calls, read text messages and view Internet traffic for mobile phone users.

According to Gemalto's release, the best counter-method against this specific type of situation is the systematic encryption of data when stored and in transit, the utilization of the latest SIM cards and customized algorithms for each unique operator.

Charles King, analyst at research firm Pund-IT, said that there were solutions that can be utilized to protect SIM card encryption data, but they are not supported at the handset-manufacturer level.

"Transport Layer Security, which underlies the HTTPS protocol, can secure apps for email and messaging," said King. "Android and iPhones support TLS, and so do Yahoo and Google in their search functions. There's also an encryption technology called Perfect Forward Security that creates, uses and then discards unique encryption keys for every call, message and piece of data. But while many web browsers support PFS, no handset makers that I'm aware of do."

At the enterprise level, Good Technology's van Someren said that encrypting mobile solutions at all levels is an efficient solution for end users to protect their smartphones.

While only a handful of players are responsible for structuring security measures on their manufactured chips, end-to-end security allows for each device owner to individually encrypt their communications so that only the sender and receiver have the access key.

End-to-end encryption solutions, which are offered by a variety of mobile security companies, according to van Someren, would protect outside sources from viewing messages and emails of end users by making the encryption data, typically stored by vendors, not even available to the manufacturers. The solution is slowly gaining popularity, said van Someren, but still has a long way to go before it becomes fully embraced.

"The end-to-end encryption model needs to be supported by both ends and needs to be managed well," he said. "It's easier in an enterprise environment where you have someone setting it up properly."

NEXT: Will More People Protect Their Phones In The Future?

Pund-IT's King said the underlying problem behind end-to-end encryption, and other mobile security solutions, is convenience.

"People get used to using their mobile devices in specific ways and resist changes that complicate those practices," he said. "Unless vendors can come up with ways to make end-to-end security both seamless and transparent, I expect end users will reject it."

Despite the inconvenience of extra mobile security precautions, partners and analysts alike are seeing the need for mobile security as a growing trend in both the consumer and enterprise space.

According to a Gartner study released Wednesday, by 2018 up to 40 percent of large enterprises will have plans to address aggressive cybersecurity disruption attacks, up from zero percent in 2015. The study's results suggest that more executives are recognizing security, both in the mobile and Internet of Things space, as an increasingly problematic issue that needs to be addressed.

Sean Moshir, CEO and founder of Scottsdale, Ariz.-based CellTrust Corp., agreed, asserting that mobile security will take the forefront in the coming years.

"Mobile is following the same path as the PC -- there is more and more need for security as the popularity increases," he said. "Phones are becoming open to vulnerabilities, and companies are beginning to realize this."

PUBLISHED FEB. 25, 2015