The latest documents from the National Security Agency leaked by Edward Snowden show that government spies are capable of listening in on mobile phone calls that use a common form of encryption, according to a Washington Post report. But if you're vulnerable, blame your carrier — this code has been cracked for years.
The Post on Friday published confidential government documents provided by Snowden that show that the NSA can "process" cellular phone calls on GSM networks, even if they are encrypted. GSM, which stands for Global System for Mobile communications, is the world's most widely used cellphone technology — though several large networks, notably Verizon and Sprint, rely on a different network technology called CDMA.
The report may sound scary, but there's a bit of explanation required that puts this in perspective.
First, it's only calls and not data that can be eavesdropped on, in this way at least. Second, it's only calls that have been encrypted according to a common standard called A5/1 — which was developed in 1987. The vulnerability comes into play on 2G networks, which modern cellphones may resort to it when 3G or 4G networks are not available or too congested.
It's not uncommon for old cryptography methods to be in use for decades, or become relevant after years of disuse. But A5/1 has remained in use despite several serious vulnerabilities being demonstrated by cryptographers. The methods are too technical to get into here, but a modern PC would have little trouble performing the attacks; a number of papers on the subject are stored at Cryptome.
Why are carriers and phone manufacturers around the world using such an out-of-date cypher? It's not clear, but some carriers are already making the change to the newer A5/3 method of encryption.
One other thing to consider is that these conversations, however strong their encryption, are automatically decoded upon reaching the carrier's internal network. So even if the NSA can't listen in between a target and the tower, they could bring a judge-signed order to the carrier and not have to decrypt anything at all.
Lastly, the NSA has repeatedly stated that it only snoops on conversations involving foreign citizens, as it has no legal basis by which to conduct such surveillance on Americans. But if they can crack A5/1, others can as well — for everyone from hackers to foreign intelligence services, the cat's been out of the bag for a long time.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
First published December 13 2013, 5:57 PM