NSA Hacking of Cell Phone Networks

Schneier on Security 2014-12-10

The Intercept has published an article -- based on the Snowden documents -- about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a general communications infrastructure, looking for weaknesses and vulnerabilities that will allow it to spy on the bad guys at some later date.

In that way, AURORAGOLD is similar to the NSA's program to hack sysadmins around the world, just in case that access will be useful at some later date; and to the GCHQ's hacking of the Belgian phone company Belgacom. In both cases, the NSA/GCHQ is finding general vulnerabilities in systems that are protecting many innocent people, and exploiting them instead of fixing them.

It is unclear from the documents exactly what cell phone vulnerabilities the NSA is exploiting. Remember that cell phone calls go through the regular phone network, and are as vulnerable there as non-cell calls. (GSM encryption only protects calls from the handset to the tower, not within the phone operators' networks.) For the NSA to target cell phone networks particularly rather than phone networks in general means that it is interested in information specific to the cell phone network: location is the most obvious. We already know that the NSA can eavesdrop on most of the world's cell phone networks, and that it tracks location data.

I'm not sure what to make of the NSA's cryptanalysis efforts against GSM encryption. The GSM cellular network uses three different encryption schemes: A5/1, which has been badly broken in the academic world for over a decade (a previous Snowden document said the NSA could process A5/1 in real time -- and so can everyone else); A5/2, which was designed deliberately weak and is even more easily broken; and A5/3 (aka KASUMI), which is generally believed to be secure. The academic world also knows additional attacks against all of the A5 ciphers as they are used in the GSM system. Almost certainly the NSA has operationalized all of these attacks, and probably others as well. Two documents published by the Intercept mention attacks against A5/3 -- OPULENT PUP and WOLFRAMITE -- although there is no detail, and thus no way to know how much of these attacks consist of cryptanalysis of A5/3, attacks against the GSM protocols, or attacks based on exfiltrating keys. For example, GSM carriers know their users' A5 keys and store them in databases. It would be much easier for the NSA's TAO group to steal those keys and use them for real-time decryption than it would be to apply mathematics and computing resources against the encrypted traffic.
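The last point rests on how GSM's key hierarchy works: the long-term subscriber key Ki sits on the SIM and in the carrier's authentication centre (AuC), and every A5 session key Kc is derived from Ki plus a RAND challenge that crosses the air unencrypted. The toy model below is an added illustration, not code from the essay, the Intercept documents or any carrier. It replaces the operator-specific A3/A8 algorithms (COMP128 and its successors) with an HMAC-SHA256 placeholder, keeping only GSM's output sizes, and shows why a copy of the carrier's key table is worth more to an eavesdropper than any cryptanalysis of A5/x: with Ki and an observed RAND, Kc falls out directly, which is the defender's argument for treating that key store as the crown jewels. All names, the IMSI and the key bytes are constructed for the example.

```python
"""Toy model of GSM challenge-response authentication and session-key agreement.

Added illustration, not the essay's or any operator's code. ASSUMPTION: the real
A3/A8 algorithms are replaced by an HMAC-SHA256 placeholder; only the GSM output
sizes (128-bit RAND, 32-bit SRES, 64-bit Kc) are kept.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AuthTriplet:
    """What the AuC hands to the serving network for one authentication run."""
    rand: bytes  # 128-bit challenge, sent to the handset unencrypted
    sres: bytes  # 32-bit expected response
    kc: bytes    # 64-bit A5 session key, never sent over the air


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Placeholder for A3 (signed response) and A8 (session-key derivation).

    ASSUMPTION: HMAC-SHA256 stands in for the operator's algorithm. The property
    that matters for the essay's point, that the output depends only on
    (Ki, RAND), holds for the real algorithms as well.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuthenticationCentre:
    """Carrier-side key store: the 'database' of subscriber keys the essay mentions."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        if len(ki) != 16:
            raise ValueError("Ki must be 128 bits")
        self._ki_by_imsi[imsi] = ki

    def generate_triplet(self, imsi: str, rand: Optional[bytes] = None) -> AuthTriplet:
        """RAND is normally fresh randomness; it is injectable here so runs are reproducible."""
        ki = self._ki_by_imsi[imsi]
        rand = os.urandom(16) if rand is None else rand
        sres, kc = a3_a8(ki, rand)
        return AuthTriplet(rand, sres, kc)


class Sim:
    """Subscriber side: the only other legitimate holder of Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


def authenticate(auc: AuthenticationCentre, sim: Sim,
                 rand: Optional[bytes] = None) -> Optional[bytes]:
    """Run one GSM authentication; return the agreed Kc, or None if SRES mismatches."""
    triplet = auc.generate_triplet(sim.imsi, rand)
    sres, kc = sim.respond(triplet.rand)  # RAND crossed the air in the clear
    if not hmac.compare_digest(sres, triplet.sres):
        return None
    return kc


def kc_from_key_table_copy(ki_copy: bytes, observed_rand: bytes) -> bytes:
    """Impact of a compromised AuC key table: the session key follows from the
    RAND observed on the air interface, with no cryptanalysis of A5/x needed."""
    return a3_a8(ki_copy, observed_rand)[1]


if __name__ == "__main__":
    # Constructed sample subscriber; these are not real keys or identities.
    ki = bytes(range(16))
    imsi = "001010123456789"
    auc = AuthenticationCentre()
    auc.provision(imsi, ki)
    sim = Sim(imsi, ki)
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")
    kc = authenticate(auc, sim, rand)
    print("agreed Kc:               ", kc.hex())
    print("Kc from Ki copy + RAND:  ", kc_from_key_table_copy(ki, rand).hex())
```

Two things the model makes concrete. First, the handset and the network never exchange Kc; it exists only where Ki exists, so Ki's confidentiality is the whole security of the air link regardless of which A5 variant is negotiated. Second, nothing in the exchange rotates Ki, so a one-time exfiltration of the key table is a standing capability against every future session, which is exactly why stealing keys is the cheaper route the essay describes.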

The Intercept points to these documents as an example of the NSA deliberately introducing flaws into global communications standards, but I don't really see the evidence here. Yes, the NSA is spying on industry organizations like the GSM Association in an effort to learn about new GSM standards as early as possible, but I don't see evidence of it influencing those standards. The one relevant sentence is in a presentation about the "SIGINT Planning Cycle": "How do we introduce vulnerabilities where they do not yet exist?" That's pretty damning in general, but it feels more aspirational than a statement of practical intent. Already there are lots of pressures on the GSM Association to allow for "lawful surveillance" on users from countries around the world. That surveillance is generally with the assistance of the cell phone companies, which is why hacking them is such a priority. My guess is that the NSA just sits back and lets other countries weaken cell phone standards, then exploits those weaknesses.

Other countries do as well. There are many vulnerabilities in the cell phone system, and it's folly to believe that only the NSA and GCHQ exploit them. And countries that can't afford their own research and development organization can buy the capability from cyberweapons arms manufacturers. And remember that technology flows downhill: today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacker tools.

For example, the US company Verint sells cell phone tracking systems to both corporations and governments worldwide. The company's website says that it's "a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance," with clients in "more than 10,000 organizations in over 180 countries." The UK company Cobham sells a system that allows someone to send a "blind" call to a phone -- one that doesn't ring, and isn't detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter. The company boasts government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore, and the United States. Defentek, a company mysteriously registered in Panama, sells a system that can "locate and track any phone number in the world...undetected and unknown by the network, carrier, or the target." It's not an idle boast; telecommunications researcher Tobias Engel demonstrated the same capability at a hacker conference in 2008. Criminals can purchase illicit products to let them do the same today.

As I keep saying, we no longer live in a world where technology allows us to separate communications we want to protect from communications we want to exploit. Assume that anything we learn about what the NSA does today is a preview of what cybercriminals are going to do in six months to two years. That the NSA chooses to exploit the vulnerabilities it finds, rather than fix them, puts us all at risk.

This essay has previously appeared on the Lawfare blog.