Monday, February 23, 2015

What Have We Learned From Intercept

Late last week, word came out that one of the largest producers of SIM cards for cell phones, Gemalto, had been hacked by the NSA and GCHQ (Britain's NSA-type agency).  According to the documents, these agencies stole the keys that were being used to encrypt traffic on wireless networks.

Gemalto provides SIM cards to over 450 carriers worldwide, including all of the major U.S. carriers.  It also makes the chips for many smart cards and passports.  Gemalto transmitted these keys with little security (sometimes, with no security), allowing governmental agencies easy access to the master lists.  Using these keys allowed the agencies to decrypt wireless traffic they had collected.

The GCHQ figured out a way to maximize the number of keys it obtained each month by targeting specific sources.  Some estimates say that they could process over 100,000 SIM keys each month, and that by 2009, the NSA had already obtained at least 12 million encryption keys.  Not only does this allow the agencies to decrypt the wireless traffic of a particular target, but it also allows them to look back and decrypt wireless traffic that they collected before they obtained the key.

While we do not know the exact number of keys that the NSA and the GCHQ have obtained, the fact that they obtained such a large number of keys in the time covered by these documents makes it very likely that your SIM card's key has already been compromised.  Unless you are suspected of criminal activity, it is unlikely that any law enforcement agency is actually looking at your data, but they are collecting it and probably have the means to decrypt it if they desire.

How Can I Protect Myself?

While the compromised key allows the NSA to decrypt data that is traversing the wireless networks, the agency will not be able to decrypt data that has an extra layer of encryption applied on your phone.  Most major email providers already provide this encryption with their apps, and you have this additional encryption when browsing on secure sites.  If you want added protection, you can download Firefox for Android and add the HTTPS Everywhere extension.  This will ask all sites to communicate using an encrypted session.  (It does not mean that every site will be encrypted; it will only force your browser to use an encrypted session if one is available.  Many sites do not offer encryption.)

To protect your text messages, you can use a text messaging app like TextSecure or Silent Text, and you can protect your phone calls by using an app like RedPhone or Silent Phone.  (I have not used any of these apps, so I cannot recommend them, but they are the most common recommendations on the sites that I follow.)  Obviously, if the government wants to obtain your communications using one of these apps, it can target them like it targeted Gemalto.

Finally, a new technology, called Perfect Forward Secrecy (PFS), would help protect communications in the future.  PFS would use unique, one-time encryption keys to better protect your communications.  It would not stop the NSA or any other agency from decrypting your wireless traffic in real time, but it would prevent them from going back and decrypting traffic they obtained previously.  Unfortunately, this requires mobile phone companies to adopt PFS for their networks, something that no carrier has yet done.
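The difference between the "look back" problem described earlier and the one-time keys of PFS can be shown in a short sketch. This is an added example, not part of the original post: all function names are hypothetical, HMAC-SHA256 and an XOR keystream stand in for the carriers' real algorithms, and the Diffie-Hellman group is toy-sized for brevity.

```python
import hashlib, hmac, secrets

# Toy-sized Diffie-Hellman group (2**127 - 1 is prime). Assumption for the
# demo only: real deployments use 2048-bit+ groups or elliptic curves.
P, G = 2**127 - 1, 3

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative cipher: XOR data with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def static_session(ki: bytes, plaintext: bytes) -> dict:
    """No PFS: session key depends only on long-term Ki and a public nonce."""
    rand = secrets.token_bytes(16)                  # travels in the clear
    kc = hmac.new(ki, rand, hashlib.sha256).digest()
    return {"rand": rand, "ct": keystream_xor(kc, plaintext)}

def ephemeral_session(ki: bytes, plaintext: bytes) -> dict:
    """PFS: session key also depends on one-time secrets a and b."""
    a = secrets.randbelow(P - 2) + 1                # handset's one-time secret
    b = secrets.randbelow(P - 2) + 1                # network's one-time secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)       # travel in the clear
    shared = pow(pub_b, a, P)                       # equals pow(pub_a, b, P)
    key = hmac.new(ki, shared.to_bytes(16, "big"), hashlib.sha256).digest()
    # a, b and key are discarded on return; only public values are recorded
    return {"pub_a": pub_a, "pub_b": pub_b, "ct": keystream_xor(key, plaintext)}

def decrypt_recorded_static(stolen_ki: bytes, recorded: dict) -> bytes:
    """Stolen Ki plus the recorded nonce rebuilds the old session key."""
    kc = hmac.new(stolen_ki, recorded["rand"], hashlib.sha256).digest()
    return keystream_xor(kc, recorded["ct"])

def decrypt_recorded_ephemeral(stolen_ki: bytes, recorded: dict) -> bytes:
    """Stolen Ki plus recorded public values: the shared secret is missing,
    so a key built from what was recorded does not match the session key."""
    seen = recorded["pub_a"].to_bytes(16, "big") + recorded["pub_b"].to_bytes(16, "big")
    guess = hmac.new(stolen_ki, seen, hashlib.sha256).digest()
    return keystream_xor(guess, recorded["ct"])

if __name__ == "__main__":
    ki, msg = secrets.token_bytes(16), b"constructed sample message"
    print(decrypt_recorded_static(ki, static_session(ki, msg)) == msg)        # recorded traffic opens
    print(decrypt_recorded_ephemeral(ki, ephemeral_session(ki, msg)) == msg)  # recorded traffic stays closed
```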
