Gemalto hack and 2degrees SIM cards

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › Gemalto hack and 2degrees SIM cards

jpoc

1043 posts

Uber Geek
+1 received by user: 289

#165793 20-Feb-2015 20:26

Are 2 degrees SIM cards subject to the hacking of cards made by Gemalto?

If so, will 2 degrees be replacing these cards?

1 | 2

31 posts

Geek
+1 received by user: 7

#1243401 21-Feb-2015 07:39

All mobile providers, payment providers are compromised. Gemalto is a major supplier of SIM cards and also NFC tech.

https://www.paymark.co.nz/case-studies/mobile-wallet-trial.html

Unfortunately because it was US and Uk who perpetrated hack this will be swept under carpet as protecting your freedom and stopping the terrorist's.

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1243419 21-Feb-2015 08:41

I'm unsure why people would really share any concern from this - interception of your voice traffic is easy with a warrant and all SMS messages in NZ are logged and stored anyway and can be accessed with a warrant.

dvkwong

31 posts

Geek
+1 received by user: 7

#1243443 21-Feb-2015 08:57

The issue is it bypasses the warrant and all communications are gathered.

It is a slippery slope when governments who have the power to prosecute can and do abuse these powers.

You only need look at the recent vindictive prosecutions in the US and UK on journalists and whistleblowers. Not to mention the Dotcom case in NZ.

SaltyNZ

8862 posts

Uber Geek
+1 received by user: 9539

Trusted

2degrees

Lifetime subscriber

#1243455 21-Feb-2015 09:16

dvkwong: The issue is it bypasses the warrant and all communications are gathered.

But to do so would be illegal, and our secret intelligence services would never unlawfully spy on you. Can you imagine the public outcry if they did? There would be a revolution.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

dvkwong

31 posts

Geek
+1 received by user: 7

#1243462 21-Feb-2015 09:34

NZ just passed law last year, they do NOT need a warrant for first 24 hours of surveillance on anybody in NZ. As for NZ data held by overseas spy agencies that seems to be open season.

The only revolution is to encrypt your data and communications. Your electronic data's privacy should be treated no diffently to the physical documents you may have stored at home.

nathan

5695 posts

Uber Geek
+1 received by user: 1630
Inactive user

#1243463 21-Feb-2015 09:38

dvkwong: NZ just passed law last year, they do NOT need a warrant for first 24 hours of surveillance on anybody in NZ. As for NZ data held by overseas spy agencies that seems to be open season.

The only revolution is to encrypt your data and communications. Your electronic data's privacy should be treated no diffently to the physical documents you may have stored at home.

smash your phone and shred your SIM card, how do I encrypt my cellular voice calls and SMS?

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

dvkwong

31 posts

Geek
+1 received by user: 7

#1243488 21-Feb-2015 09:59

This link has good information

https://www.eff.org/deeplinks/2013/07/technology-protect-against-mass-surveillance-part-1

The idea that we are under constant surveillance and anything we say or do may be under scrutiny affects you whether you know it or not.

SaltyNZ

8862 posts

Uber Geek
+1 received by user: 9539

Trusted

2degrees

Lifetime subscriber

#1243592 21-Feb-2015 11:44

nathan:

smash your phone and shred your SIM card, how do I encrypt my cellular voice calls and SMS?

Well, if you've smashed your phone and shredded your SIM, you'll find it difficult to make any cellular calls or SMS. But assuming you haven't done that, you could give Silent Circle a try.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

nathan

5695 posts

Uber Geek
+1 received by user: 1630
Inactive user

#1243600 21-Feb-2015 12:08

SaltyNZ:
nathan:

smash your phone and shred your SIM card, how do I encrypt my cellular voice calls and SMS?

Well, if you've smashed your phone and shredded your SIM, you'll find it difficult to make any cellular calls or SMS. But assuming you haven't done that, you could give Silent Circle a try.

:)

probably easier to not use cellular if you are paranoid (!) about that sort of thing

its kind of impractical for every person you want to call or text to have a paid Silent Circle account too.

jpoc

1043 posts

Uber Geek
+1 received by user: 289

#1243988 22-Feb-2015 07:54

dvkwong: All mobile providers, payment providers are compromised. Gemalto is a major supplier of SIM cards and also NFC tech.

https://www.paymark.co.nz/case-studies/mobile-wallet-trial.html

Unfortunately because it was US and Uk who perpetrated hack this will be swept under carpet as protecting your freedom and stopping the terrorist's.

No. Only those providers who are using Gemalto SIM cards are compromised.

You would have hoped that a company that is selling security products would have given their staff some guidance to help them fend off the kind of phishing attacks that led to the leaking of keys.

Other SIM card vendors do warn their staff of that sort of attack.

SaltyNZ

8862 posts

Uber Geek
+1 received by user: 9539

Trusted

2degrees

Lifetime subscriber

#1244004 22-Feb-2015 09:15

jpoc:

No. Only those providers who are using Gemalto SIM cards are compromised.

You would have hoped that a company that is selling security products would have given their staff some guidance to help them fend off the kind of phishing attacks that led to the leaking of keys.

Other SIM card vendors do warn their staff of that sort of attack.

The Semble SIMs are from Gemalto. And I'm pretty sure Gemalto took reasonable precautions too. If you think you'd be safe against the combined might of the NSA and the GCHQ making a determined, targeted attack against you, then you would unpleasantly surprised. There were the occasional slip-ups -- and those do happen, for a lot of good reasons -- but a lot of it seems to be the so-called good guys MITM-ing or infecting otherwise legitimate sites with advanced malware targeted against specific individuals.

Finally, it's worth noting that SIMs were never designed to be secure in the face of a persistent threat from an adversary with billions of dollars and government backing. They are designed to prevent fraud, and the kind of snooping a normal criminal of the 90s to mid-2000s might employ. The assumption always was that if a government wanted to listen in, they'd ask with a warrant, so attempting to create a security solution impervious to them was never a requirement. Nobody expects the Spanish Inquisition.

Don't misunderstand me: this p***es me off more than I can express, both as a private citizen and as a core team member of a cellular company. But I don't believe for one second that the people responsible are doing anything more than privately crowing that now the whole world knows just how 1337 they are.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

Dell

Shop now for Dell laptops and other devices (affiliate link).

jpoc

1043 posts

Uber Geek
+1 received by user: 289

#1244073 22-Feb-2015 11:49

SaltyNZ:
...
If you think you'd be safe against the combined might of the NSA and the GCHQ making a determined, targeted attack against you, then you would unpleasantly surprised.
...

Oh really, you _know_ this do you?

What I know is that the SIM manufacturer that I used to work for came under sustained phishing, and other social engineering attacks for most of the time that I worked there. The staff and contractors were all given advice about what was going on and what to look out for. Nobody got their keys.

notesgnome

130 posts

Master Geek
+1 received by user: 91

ID Verified

Lifetime subscriber

#1244075 22-Feb-2015 11:57

jpoc:

Oh really, you _know_ this do you?

What I know is that the SIM manufacturer that I used to work for came under sustained phishing, and other social engineering attacks for most of the time that I worked there. The staff and contractors were all given advice about what was going on and what to look out for. Nobody got their keys.

... that you know of

SaltyNZ

8862 posts

Uber Geek
+1 received by user: 9539

Trusted

2degrees

Lifetime subscriber

#1244236 22-Feb-2015 16:25

jpoc:
What I know is that the SIM manufacturer that I used to work for ... Nobody got their keys.

These documents date from 2010, showing efforts from at least 2009, and probably earlier. Gemalto are only just finding out they were hacked, from those documents, now. In 2015. They were pwned for at least six years without realising and still would be if Snowden hadn't leaked them. I don't know who you worked for, but if the NSA wanted your keys, they'd have them, and there is nothing you could do to stop them. These are the guys responsible for Flame, Stuxnet, and the Equation Group.

If New Zealanders are safe from these attacks so far, it's only because this country is small and boring. Not because we have some super-unbeatable security.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

BarTender

3629 posts

Uber Geek
+1 received by user: 2572

ID Verified

Trusted

Lifetime subscriber

#1244313 22-Feb-2015 18:55

Remember the earlier release about the German Chancellor's mobile being tapped. #justsay'n

1 | 2