{"id":50847,"date":"2014-12-08T13:43:12","date_gmt":"2014-12-08T13:43:12","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=50847"},"modified":"2015-05-05T21:27:12","modified_gmt":"2015-05-05T20:27:12","slug":"operation-auroragold-how-the-nsa-hacks-cellphone-networks-worldwide","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/12\/operation-auroragold-how-the-nsa-hacks-cellphone-networks-worldwide\/","title":{"rendered":"Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide"},"content":{"rendered":"

\"nsa<\/a><\/p>\n

4 Dec 2014 – <\/em>In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military\u2019s Africa Command needed help to hack into Libya\u2019s cellphone networks and monitor text messages.<\/p>\n

For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers\u2019 internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks.<\/p>\n

The NSA\u2019s assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program\u2014global in its scope and ramifications\u2014targeted not just at hostile countries.<\/p>\n

According to documents<\/a> contained in the archive of material provided to The Intercept<\/em> by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance.<\/p>\n

The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into\u2014a controversial tactic that security experts say could be exposing the general population to criminal hackers.<\/p>\n

Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks.<\/p>\n

One high-profile surveillance target is the GSM Association<\/a>, an influential U.K.-headquartered trade group that works closely with large U.S.-based firms including Microsoft, Facebook, AT&T, and Cisco, and is currently being funded by the U.S. government to develop privacy-enhancing technologies.<\/p>\n

Karsten Nohl, a leading cellphone security expert and cryptographer who was consulted by The Intercept<\/em> about details contained in the AURORAGOLD documents, said that the broad scope of information swept up in the operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.<\/p>\n

\u201cCollecting an inventory [like this] on world networks has big ramifications,\u201d Nohl said, because it allows the NSA to track and circumvent upgrades in encryption technology used by cellphone companies to shield calls and texts from eavesdropping. Evidence that the agency has deliberately plotted to weaken the security of communication infrastructure, he added, was particularly alarming.<\/p>\n

\u201cEven if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities,\u201d Nohl said, \u201cbecause once NSA introduces a weakness, a vulnerability, it\u2019s not only the NSA that can exploit it.\u201d<\/p>\n

NSA spokeswoman Vanee\u2019 Vines told The Intercept<\/em> in a statement that the agency \u201cworks to identify and report on the communications of valid foreign targets\u201d to anticipate threats to the United States and its allies.<\/p>\n

Vines said: \u201cNSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements\u2014regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their communications.\u201d<\/p>\n

Network Coverage<\/strong><\/p>\n

The AURORAGOLD operation is carried out by specialist NSA surveillance units whose existence has not been publicly disclosed: the Wireless Portfolio Management Office, which defines and carries out the NSA\u2019s strategy for exploiting wireless communications, and the Target Technology Trends Center, which monitors the development of new communication technology to ensure that the NSA isn\u2019t blindsided by innovations that could evade its surveillance reach. The center\u2019s logo is a picture of the Earth overshadowed by a large telescope; its motto is \u201cPredict \u2013 Plan \u2013 Prevent.\u201d<\/p>\n

\"tttc-logo-295x300<\/a>The NSA documents reveal<\/a> that, as of May 2012, the agency had collected technical information on about 70 percent of cellphone networks worldwide\u2014701 of an estimated 985\u2014and was maintaining a list of 1,201 email \u201cselectors\u201d<\/a> used to intercept internal company details from employees. (\u201cSelector\u201d is an agency term for a unique identifier like an email address or phone number.) From November 2011 to April 2012, between 363 and 1,354 selectors were \u201ctasked<\/a>\u201d by the NSA for surveillance each month as part of AURORAGOLD, according to the documents. The secret operation appears to have been active since at least 2010.<\/p>\n

The information collected from the companies is passed onto NSA \u201csignals development\u201d teams that focus on infiltrating communication networks. It is also shared with other U.S. Intelligence Community agencies and with the NSA\u2019s counterparts in countries that are part of the so-called \u201cFive Eyes\u201d surveillance alliance\u2014the United Kingdom, Canada, Australia, and New Zealand.<\/p>\n

Aside from mentions of a handful of operators in Libya, China, and Iran, names of the targeted companies are not disclosed in the NSA\u2019s documents. However, a top-secret world map featured in a June 2012 presentation on AURORAGOLD suggests that the NSA has some degree of \u201cnetwork coverage<\/a>\u201d in almost all countries on every continent, including in the United States and in closely allied countries such as the United Kingdom, Australia, New Zealand, Germany, and France.<\/p>\n

\"map-coverage<\/a>

Click to ENLARGE<\/p><\/div>\n

One of the prime targets monitored under the AURORAGOLD program is the London-headquartered trade group,\u00a0the GSM Association<\/a>, or the GSMA, which represents the interests of more than 800 major cellphone, software, and internet companies from 220 countries.<\/p>\n

The GSMA\u2019s members<\/a> include U.S.-based companies such as Verizon, AT&T, Sprint, Microsoft, Facebook, Intel, Cisco, and Oracle, as well as large international firms including Sony, Nokia, Samsung, Ericsson, and Vodafone.<\/p>\n

The trade organization brings together its members for regular meetings at which new technologies and policies are discussed among various \u201cworking groups.\u201d The Snowden files reveal that the NSA specifically targeted<\/a> the GSMA\u2019s working groups for surveillance.<\/p>\n

Claire Cranton, a spokeswoman for the GSMA, said that the group would not respond to details uncovered by The Intercept <\/em>until its lawyers had studied the documents related to the spying.<\/p>\n

\u201cIf there is something there that is illegal then they will take it up with the police,\u201d Cranton said.<\/p>\n

By covertly monitoring GSMA working groups in a bid to identify and exploit security vulnerabilities, the NSA has placed itself into direct conflict with the mission of the National Institute for Standards and Technology<\/a>, or NIST, the U.S. government agency responsible for recommending cybersecurity standards in the United States. NIST recently handed out a grant<\/a> of more than $800,000 to GSMA so that the organization could research ways to address \u201csecurity and privacy challenges\u201d faced by users of mobile devices.<\/p>\n

The revelation that the trade group has been targeted for surveillance may reignite deep-seated tensions between NIST and NSA that came to the fore following earlier Snowden disclosures. Last year, NIST was forced to urge people<\/a> not to use an encryption standard it had previously approved after it emerged NSA had apparently covertly worked to deliberately weaken it.<\/p>\n

Jennifer Huergo, a NIST spokewoman, told The Intercept<\/em> that the agency was \u201cnot aware of any activities by NSA related to the GSMA.\u201d Huergo said that NIST would continue to work towards \u201cbringing industry together with privacy and consumer advocates to jointly create a robust marketplace of more secure, easy-to-use, privacy-enhancing solutions.\u201d<\/p>\n

\"GSMA<\/a>

GSMA headquarters in London (left)<\/p><\/div>\n

Encryption Attack<\/strong><\/p>\n

The NSA focuses on intercepting obscure but important technical documents circulated among the GSMA\u2019s members known as \u201cIR.21s.\u201d<\/p>\n

Most cellphone network operators share IR.21 documents among each other as part of agreements that allow their customers to connect to foreign networks when they are \u201croaming\u201d overseas on a vacation or a business trip. An IR.21, according to the NSA documents<\/a>, contains information \u201cnecessary for targeting and exploitation.\u201d<\/p>\n

The details in the IR.21s serve as a \u201cwarning mechanism\u201d that flag new technology used by network operators, the NSA\u2019s documents state<\/a>. This allows the agency to identify security vulnerabilities in the latest communication systems that can be exploited, and helps efforts to introduce new vulnerabilities \u201cwhere they do not yet exist<\/a>.\u201d<\/p>\n

The IR.21s also contain details about the encryption used by cellphone companies to protect the privacy of their customers\u2019 communications as they are transmitted across networks. These details are highly sought after by the NSA, as they can aid its efforts to crack the encryption and eavesdrop on conversations.<\/p>\n

Last year, the Washington Post <\/em>reported<\/a> that the NSA had already managed to break the most commonly used cellphone encryption algorithm in the world, known as A5\/1. But the information collected under AURORAGOLD allows the agency to focus on circumventing newer and stronger versions of A5 cellphone encryption, such as A5\/3.<\/p>\n

The documents note<\/a> that the agency intercepts information from cellphone operators about \u201cthe type of A5 cipher algorithm version\u201d they use, and monitors the development of new algorithms in order to find ways to bypass the encryption.<\/p>\n

In 2009, the British surveillance agency Government Communications Headquarters conducted a similar effort to subvert phone encryption under a project called OPULENT PUP<\/a>, using powerful computers to perform a \u201ccrypt attack\u201d to penetrate the A5\/3 algorithm, secret memos reveal. By 2011, GCHQ was collaborating with the NSA on another operation, called WOLFRAMITE<\/a>, to attack A5\/3 encryption. (GCHQ declined to comment for this story, other than to say that it operates within legal parameters.)<\/p>\n

The extensive attempts to attack cellphone encryption have been replicated across the Five Eyes surveillance alliance. Australia\u2019s top spy agency, for instance, infiltrated an Indonesian cellphone company and stole nearly 1.8 million encryption keys used to protect communications, the New York Times<\/em> reported<\/a> in February.<\/p>\n

\"planning-cycle2-540x424<\/a><\/p>\n

The NSA\u2019s documents show that it focuses on collecting details about virtually all technical standards used by cellphone operators, and the agency\u2019s efforts to stay ahead of the technology curve occasionally yield significant results. In early 2010, for instance, its operatives had already found ways to penetrate<\/a> a variant of the newest \u201cfourth generation\u201d smartphone-era technology for surveillance, years before it became widely adopted by millions of people in dozens of countries.<\/p>\n

The NSA says that its efforts are targeted at terrorists, weapons proliferators, and other foreign targets, not \u201cordinary people.\u201d But the methods used by the agency and its partners to gain access to cellphone communications risk significant blowback.<\/p>\n

According to Mikko Hypponen, a security expert at Finland-based F-Secure<\/a>, criminal hackers and foreign government adversaries could be among the inadvertent beneficiaries of any security vulnerabilities or encryption weaknesses inserted by the NSA into communication systems using data collected by the AURORAGOLD project.<\/p>\n

\u201cIf there are vulnerabilities on those systems known to the NSA that are not being patched on purpose, it\u2019s quite likely they are being misused by completely other kinds of attackers,\u201d said Hypponen. \u201cWhen they start to introduce new vulnerabilities, it affects everybody who uses that technology; it makes all of us less secure.\u201d<\/p>\n

In December, a surveillance review panel convened by President Obama concluded<\/a> that the NSA should not \u201cin any way subvert, undermine, weaken, or make vulnerable generally available commercial software.\u201d The panel also recommended that the NSA should notify companies if it discovers previously unknown security vulnerabilities in their software or systems\u2014known as \u201czero days\u201d because developers have been given zero days to fix them\u2014except in rare cases involving \u201chigh priority intelligence collection.\u201d<\/p>\n

In April, White House officials confirmed<\/a> that Obama had ordered NSA to disclose vulnerabilities it finds, though qualified that with a loophole allowing the flaws to be secretly exploited so long as there is deemed to be \u201ca clear national security or law enforcement\u201d use.<\/p>\n

Vines, the NSA spokeswoman, told The Intercept<\/em> that the agency was committed to ensuring an \u201copen, interoperable, and secure global internet.\u201d<\/p>\n

\u201cNSA deeply values these principles and takes great care to honor them in the performance of its lawful foreign-intelligence mission,\u201d Vines said.<\/p>\n

She declined to discuss the tactics used as part of AURORAGOLD, or comment on whether the operation remains active.<\/p>\n

Documents published with this article:<\/strong><\/em><\/p>\n