Is the NSA listening to your mobile calls? Maybe. Here’s what you can do about it.

Security & Privacy

The newest leak from Edward Snowden may be coming at a terrible time for the Obama White House but it’s not particularly shocking news to security experts.

The Intercept’s report about the “Great SIM Heist” reveals American and British spies stole the keys that are “used to protect the privacy of cellphone communications across the globe” from Gemalto, the world’s largest manufacturer of SIM cards.

It goes on to report that “With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” which sidesteps the need for the legal warrants that should be the foundation of ethical law enforcement.

While this is certainly troubling and speaks to the agencies’ wanton disregard for privacy and to some amateurish procedures being used to transport keys, it likely won’t alter the security landscape much.

“The best summary is that an already unreliable communication method became even more unreliable,” F-Secure Labs Senior Researcher Jarno Niemela, the holder of 20 security-related patents, explained.

“Nobody in their right minds would assume GSM [Global System for Mobile Communications, the digital cellular network used by mobile phones] to be private in the first place,” he said. “Phone networks have never been really designed with privacy in mind.”

Mobile operators are much more concerned with being able to prevent their customers from avoiding billing.

While the scope of such a breach does seem huge, Jarno points out that we’re not sure how many of the billions of cards manufactured by Gemalto may be affected. Keys sent to and from operators without encryption via email or via FTP servers that were not properly secured are almost certainly compromised.

But according to The Intercept, GCHQ also penetrated “authentication servers,” which allow it to “decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network” regardless of who made the cards.

With the cracked keys, users’ calls would be vulnerable but likely only in a limited manner.

“I am told that these keys only expose the encryption and authentication between the mobile device and the local cell tower,” F-Secure Security Advisor David Perry explained. “This means that the NSA or (whoever else) would have to be locally located within radio range of your phone.”

So could the NSA or GCHQ be listening to your calls without a warrant? Maybe. Here’s what you can do about it.

Add a layer of encryption of your own to any device you use to communicate. A VPN like our Freedome will protect your data traffic.

This would not, however, protect your voice calls.

“Maybe it’s time to stop making ‘traditional’ mobile phone calls,” F-Secure Labs Senior Researcher Timo Hirvonen suggests. “Install Freedome, and start making your calls with apps like Signal.”

[Image by Julian Carvajal | Flickr]
