Updated: 2 pm, Wednesday
CONCERNS HAVE BEEN raised over Gemalto, the Dutch company at the centre of a new Edward Snowden leak, after it emerged that the firm provides Irish motorists with their new, credit card sized driver’s licences.
According to documents released by the whistleblower, the American National Security Agency (NSA) and British GCHQ (Government Communications HQ) together broke into the internal network of Gemalto beginning in early 2010.
The Road Safety Authority has confirmed that it has contacted Gemalto about the breach, which experts have warned will have widespread implications.
The primary aim of the covert intelligence agencies appears to have been to steal the encryption keys on Gemalto mobile phone SIM cards – allowing spies to monitor the voice and text data of potentially many millions of customers throughout the world.
The Dutch multinational provides some 2 billion SIM cards a year to 450 companies worldwide – including Vodafone and O2/Three in Ireland – and it is not known exactly how many of these were compromised.
Inquiries by TheJournal.ie, however, have found that Gemalto is also the firm responsible for the new “Sealys” driver’s licence in operation in Ireland since October 2013.
A statement on the company’s website describes the importance of security in its roll-out of e-Passports, e-IDs, and Sealys driver’s licences in countries including the UK, France, the Netherlands, India, Morocco, and many others.
Very often, it [the licence] also serves as an identity document, particularly in countries which do not have a national identity card program. This is just one more reason why it has to be highly secure.
The smaller, credit-card sized licences were introduced under then Transport Minister Leo Varadkar, following an EU directive to harmonise driver’s licences across the continent.
A spokesperson for the Road Safety Authority (which oversees Ireland’s driver’s licences) would not say whether the RSA was concerned about the alleged breach, but issued this statement:
The RSA is, through the licence card producer, in touch with Gemalto who are undertaking an investigation into the allegations made around covert surveillance.
Fergal Crehan, a barrister and data protection expert, expressed concern at the reports:
If [the NSA and GCHQ] can hack into Gemalto to target SIM cards, there’s nothing to stop them hacking into Gemalto to breach driver’s licences.
‘We have their entire network’
It has also emerged that Gemalto provides “additional security” to AIB’s online banking service, having signed a multi-year contract in 2011.
“Gemalto is delivering the complete, future-proof Ezio solution including strong authentication software, Ezio Club EMV card readers as well as consulting services,” said a statement at the time.
A spokesperson for the bank told TheJournal.ie they had been in contact with Gemalto, but claimed: “The alleged infringement relates to Gemalto’s SIM production network. We engage with Gemalto for a different product entirely.”
This does not, however, appear to be the case. One of the top-secret slides leaked by Snowden includes a statement by British spies that “We believe we have their entire network.”
Fergal Crehan told TheJournal.ie the alleged British-American hack was “a huge over-reach in what’s considered ‘offering aid to terrorists.’”
Gemalto employees were targeted simply for doing their jobs – because they had useful information. Does that mean everyone who works in a bank, or in the post office, is now fair game?
He added that the Irish government should raise such concerns with their British and American counterparts – pointing to “tough talk” among politicians from the Netherlands, in the wake of the revelations.
Dutch MEP Sophie in ‘t Veld last week said US and UK governments were “behaving like cowboys, and nobody is holding them to account.”
Information security consultant Brian Honan summed up the “very worrying” implications of the alleged hack.
It would mean that anyone using a SIM card made by Gemalto in their mobile phone or other devices, is at risk of mass surveillance by these agencies.
He also pointed to a certain double standard on the part of the US government, if the allegations are proved true.
The NSA allegedly hacked into the network of a commercial operator in a foreign country [the Netherlands]. But just a few months ago we saw the United States imposing sanctions on North Korea for allegedly hacking Sony to prevent the release of a film.
Three Ireland confirmed in a statement that they have “issued SIMs to customers that were manufactured by Gemalto,” but said they “have no reason to believe that any of our customers are at risk.”
Vodafone, for its part, told TheJournal.ie:
We have no further details of these allegations which are industry-wide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations.
Gemalto, for its part, on Wednesday confirmed that the NSA/GCHQ attack “probably happened,” but claimed that only the company’s “office networks” were breached.
Their week-long investigation concluded that the hack “could not have resulted in a massive theft of SIM encryption keys.”
Originally published 8.30 pm, Tuesday.