Gemalto feels secure after attack - the rest of the world does not

February 2015 by KuppingerCole

At a press conference on last week's reports of a possible compromise of Gemalto SIM cards through the theft of keys, the company confirmed security incidents during the time frame mentioned in the original report. However, Gemalto asserts that no sensitive information has been stolen and that its other security products have not been affected.

Martin Kuppinger, chief analyst and founder of KuppingerCole, attended the press conference. According to him, Gemalto is correct with their statement that there is no evidence for such a theft: "Too much time has passed since the attack and a significant part of the logs from the affected network components and servers, which are needed for the analysis of such a complex attack, are probably already deleted".

This attack once again makes it clear that manufacturers of security technologies have to monitor and upgrade their own security continuously in order to minimize the risks. Attack scenarios are becoming more sophisticated – and companies like Gemalto have to respond. According to their statement, Gemalto has been doing just that, but they did not provide any relevant details during the press conference.

Gemalto recognizes that more has to be done for security and incident analysis: "Digital security is not static. Today’s state-of-the-art technologies lose their effectiveness over time as new research and increasing processing power make innovative attacks possible. All reputable security products must be re-designed and upgraded on a regular basis".

According to the statements during the press conference, one can expect that the attacks were at least partially successful - not necessarily against Gemalto itself, but against their customers and other SIM card manufacturers.

Gemalto has repeatedly pointed out that the attack has only affected 2G network SIMs. There is, however, no reason to believe that 3G and 4G networks must be safer, especially not against massive attacks by intelligence agencies. Gemalto's statements that attacks are increasing in both scale and sophistication are consistent with KuppingerCole’s analysis, such as the recently published study "Digital Risk & Security Survey". According to the spokesperson for the company, Gemalto is constantly facing attacks, and the outer layers of its protection have been repeatedly breached. Even if Gemalto does maintain a very high standard in security, the constant risks of new attack vectors and stronger attackers should not be underestimated.

According to Martin Kuppinger, the incident at Gemalto has once again demonstrated that the uncontrolled actions of intelligence agencies in the area of cyber security pose a threat not only to fundamental constitutional principles such as privacy of correspondence and telecommunications, but to the economy as well. The image of companies like Gemalto, and thus their business success and enterprise value, are at risk from such actions. Even more problematic is that the knowledge of other attackers is growing with each published new attack vector. Stuxnet and Flame have long been well analyzed. It can be assumed that the intelligence agencies of North Korea, Iran, and China, as well as criminal groups, have studied them long ago.

In this context, Martin Kuppinger has also been critical of the idea of German state and intelligence agencies to procure zero-day exploits in order to carry out investigations of suspicious persons’ computers. To quote his latest article: "With all due respect for the need for states and their intelligence agencies to respond to the threat of cyber-crime, it is necessary to consider two potential problems stemming from this approach. On one hand, it requires a defined state control over this monitoring, especially in light of the government’s new capability of nationwide mobile network monitoring in addition to already available Internet monitoring. On the other hand, government agencies finally need to understand the consequences of their actions: by compromising the security of IT systems or mobile communications they are opening a Pandora’s Box and causing damage of unprecedented scale".

