In News That Will Surprise No One, NSA Has Cracked Mobile Phone Encryption To Listen In On Calls

from the duh dept

Mon, Dec 16th 2013 3:33am — Mike Masnick

One of the latest reports from the Snowden documents over at the Washington Post falls more into the "well, duh" category than many previous reports. The NSA has easily cracked the A5/1 encryption used to encrypt mobile phone conversations on many GSM mobile networks. Of course A5/1 has been around forever, and others have shown that it's not particularly secure for quite some time. But, it's just a reminder that, yes, of course, the NSA could listen in on calls. Some networks do use more modern encryption, which is much harder for the NSA to crack, and it sounds like the recent revelations are leading at least some mobile operators to upgrade the encryption on their network. Still, at this point, it seems safe to assume that if you want to have a truly private conversation, you shouldn't use a phone.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: a5/1, encryption, mobile phones, nsa, privace

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

silverscarcat (profile), 16 Dec 2013 @ 1:41am

Learn telepathy...
Then they can't listen in without you knowing.
[ link to this | view in chronology ]
- Ninja (profile), 16 Dec 2013 @ 1:46am
  
  Re: Learn telepathy...
  Until it becomes a common communications method and they develop devices to read them. Not that they can read thoughts yet. Right.
  [ link to this | view in chronology ]
- That One Guy (profile), 16 Dec 2013 @ 2:52am
  
  Re: Learn telepathy...
  I'm not sure how smart an idea that would be, given some governments/courts(mostly in the UK so far I believe) already seem to be entertaining the idea of 'thought crimes'. They really don't need more encouragement to head down that path, do they?
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Dec 2013 @ 4:05am
    
    Re: Re: Learn telepathy...
    Lets just hope Tom Cruise is still around to save us.
    [ link to this | view in chronology ]
    - Anonymous Coward, 16 Dec 2013 @ 5:31am
      
      Re: Re: Re: Learn telepathy...
      Ha! Tom Cruise is working for them, not us. Besides, if anyone develops a way to crack telepathy "encryption" it'll be the Scientologists.
      [ link to this | view in chronology ]
    - NOT APPLICABLE, 16 Dec 2013 @ 6:02am
      
      Re: Re: Re: Learn telepathy...
      Sorry but could we all just hope that Tom 'Thumb' Cruise will Not 'still be around' at all.
      [ link to this | view in chronology ]
  - silverscarcat (profile), 16 Dec 2013 @ 5:41am
    
    Re: Re: Learn telepathy...
    If I know telepathy, I'd use it to make them see naked, ugly women all the time, so they can't do anything.
    [ link to this | view in chronology ]
Capt ICE Enforcer, 16 Dec 2013 @ 3:50am

Old School
When I was younger, my friends and I would use Dixie cups and a really long string to communicate. We were always baffled by the stranger in our house who brought his own dixie cup and sat between us. But now I know it was the NSA ensuring my safety. Thank You NSA agents who made sure I was safe from terror bu listening into our Dixie cup conversation. Because of yoi the Boogey man only attacked me twice.
[ link to this | view in chronology ]
- Vidiot (profile), 16 Dec 2013 @ 4:55am
  
  Re: Old School
  Only twice? The NSA says they protected you from Boogey Man plots 54 times.
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Dec 2013 @ 8:18am
    
    Re: Re: Old School
    And that explains why there was always a goat staked outside the bedroom.
    [ link to this | view in chronology ]
    - Pragmatic, 17 Dec 2013 @ 5:55am
      
      Re: Re: Re: Old School
      100 internets for the Jurassic Park reference! XD
      [ link to this | view in chronology ]
- Frank, 25 Dec 2013 @ 2:24pm
  
  Re: Old School
  [ link to this | view in chronology ]
- Frank, 25 Dec 2013 @ 2:28pm
  
  Re: Old School
  I will steal your comment, copy it, edit it, and
  put it on old tee-shirts for sale at $1.00 each.
  I plan to make gillions of yaun and not give you
  a thing.
  [ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 4:18am

Electronic means of communication is to the point of pretty much everything used by the public is no longer guaranteed private. If you want a private conversation take it to the farmer's field with nothing in the pockets. Walking out in the middle of the field is most likely more secure.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Dec 2013 @ 4:37am
  
  Re:
  Walking out to the middle of a field could be suspicious behaviour, and is not proof against shotgun microphones. A quiet conversation in a noisy environment, away from any possible microphones is better, like playing loud music in the room, with speakers close to any windows to defeat listening by a laser on the window.
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Dec 2013 @ 5:23am
    
    Re: Re:
    "Walking out to the middle of a field could be suspicious behaviour"
    
    Actually, that is a sign of a good farmer.
    - Outstanding in their field -
    [ link to this | view in chronology ]
    - silverscarcat (profile), 16 Dec 2013 @ 5:40am
      
      Re: Re: Re:
      Okay, dad, get off of techdirt.
      
      You and your dad jokes.
      [ link to this | view in chronology ]
  - John Fenderson (profile), 16 Dec 2013 @ 8:16am
    
    Re: Re:
    Two words: parabolic microphone.
    [ link to this | view in chronology ]
- NOT APPLICABLE, 16 Dec 2013 @ 6:05am
  
  Re:
  walking in bullshit to avoid bullshit . . irony at it's best
  [ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 5:18am

Ciphering indication
How do you really know that your phone is using encryption at all? The answer is: you don't. Few phones show a "ciphering indication" to the user, and even for these, the carrier can suppress the ciphering indication by setting a flag in the SIM.

This article talks about the A5/1 cipher. There is an even less secure cipher, A5/2. According to Wikipedia, "[...] the 3GPP has approved a change request to prohibit the implementation of A5/2 in any new mobile phones. If the network does not support A5/1, or any other A5 algorithm implemented by the phone, then an unencrypted connection can be used." Of course, if that happens, you will not know due to the lack of a ciphering indication.

The older 2G protocols also have other problems, for instance the lack of mutual authentication making it easier to spoof a base station. If you know how to do it and are in an area with good 3G/4G coverage, it is a good idea to disable the use of the older protocols by your phone (set it to "WCDMA and LTE only" or similar). This does not fix everything, but is a good first step.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Dec 2013 @ 5:25am
  
  Re: Ciphering indication
  "How do you really know that your phone is using encryption at all?"
  
  How do you know they are not listening and watching even when the device is (supposedly) turned off?
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Dec 2013 @ 5:34am
    
    Re: Re: Ciphering indication
    How do you know they are not listening and watching even when the device is (supposedly) turned off?
    Faraday cage.
    
    �
    
    Physics.
    [ link to this | view in chronology ]
    - Anonymous Coward, 16 Dec 2013 @ 5:36am
      
      Re: Re: Re: Ciphering indication
      I like this game.
      
      How do you know that there is not a caching system waiting to get a signal when it is turned on that sends the collected data?
      [ link to this | view in chronology ]
      - Anonymous Coward, 16 Dec 2013 @ 5:37pm
        
        Re: Re: Re: Re: Ciphering indication
        haha - good one
        [ link to this | view in chronology ]
    - Anonymous Coward, 16 Dec 2013 @ 5:38am
      
      Re: Re: Re: Ciphering indication
      I prefer the term 'no-room'
      [ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 5:27am

I am all for the NinjaTel Van's to start appearing everywhere.
[ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 5:45am

VOIP using ZRTP encryption is pretty secure.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Dec 2013 @ 7:00am
  
  Re:
  Only if you and the people you talk to control the keys. If a third party controls the keys, assume that they will give them to governments so that they can remain in business and out of jail.
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Dec 2013 @ 7:52am
    
    Re: Re:
    The whole point of ZRTP is that you and the people you talk to control the keys.
    [ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 6:48am

There are no private conversations unless you are in the wilderness, far away from technology.
[ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 7:39am

"it seems safe to assume that if you want to have a truly private conversation, you shouldn't use a phone."

Or you can speak a foreign language since no one working for the government seems to have the merit to do so.

Then again I guess they can hire a translator. My theory, fire the worthless monolinguals and keep the translators since everyone in the intelligence community should be at least bilingual and the monolinguals are simply a deadweight to taxpayers. Hiring predominantly monolingual English speakers simply biases the spying against English speaking Americans while reducing the extent that foreign language speakers get spied on which isn't fair to English speakers who are, allegedly, less likely to be terrorists anyway, right?
[ link to this | view in chronology ]
Brandt, 16 Dec 2013 @ 12:10pm

Living in a Society of Fear
The dystopian fantasies of yesteryear are now a reality. We�ve allowed the coming of an age where the civil liberties our forefathers fought so hard for are being eroded by the day. Freedom of Press, Freedom of Speech and Freedom of Assembly are mere ghostly images of their original intent. We�ve woken up to an Orwellian Society of Fear where anyone is at the mercy of being labeled a terrorist for standing up for rights we took for granted just over a decade ago. Read about how we�re waging war against ourselves at http://dregstudiosart.blogspot.com/2011/09/living-in-society-of-fear-ten-years.html
[ link to this | view in chronology ]
- John Fenderson (profile), 16 Dec 2013 @ 2:34pm
  
  Re: Living in a Society of Fear
  I remain unafraid. I encourage everyone to join me.
  [ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2013 @ 2:15pm

A lot of people don't realize this, but the codec used in the landline network (uLaw) is pretty capable; it's basically the equivalent to 14-bit linear PCM.

This is important because you can use basically any form of encryption or obfuscation radio people have implemented, so long as it fits into a 4 khz channel. The "speech optimized" CELP algorithms used in cellular phones by contrast make this impossible. So while cell phones are certainly not as secure as they should be, this isn't an inherent bottleneck in the entire network.
[ link to this | view in chronology ]
Derek Kerton (profile), 17 Dec 2013 @ 10:04am

Stop Saying "Will Surprise No One"
Mike,

You do great work in fighting for our freedoms, of late, specifically the 4th.

However, every time anyone uses some reductive lingo like:
"surprising no one"
"in a move we all expected"
"Duh"
"obviously"

...it actually changes the tone of the discussion from one of discuss to one of inevitability. People are already far too apathetic, and a sense of futility just feeds that apathy. We should use language more like:

"constitutional shocker"
"What's next?"
"Now this is awful"
"confirming your worse fears"

Now, I KNOW YOU are disgusted, and that you believe you can play a role in change. So be sure to use language that shows it.
[ link to this | view in chronology ]
Dennys, 17 Dec 2013 @ 10:45am

zrtp is just a choise
calling via any zrtp enabled provider - or - via xvoice.eu for example is a good "secure calls" solution
[ link to this | view in chronology ]
Anonymous Coward, 17 Dec 2013 @ 1:17pm

i like that one a lot. good show!
[ link to this | view in chronology ]