Intercept has recently published an article describing that U.S. and British spies hacked into the internal network of Gemalto in 2010 that is one of the largest manufacturers of SIM cards in the world. They stole the encryption keys used to protect the privacy of mobile cellular communications across the globe.
GSM (Global System for Mobile Communications) was originally designed with a moderate level of service security. At the time of that initial security level it was thought that GSM communications cannot be compromised. The basic level security system was designed to authenticate the subscriber using a pre-shared key and challenge-response. However, a higher level security is possible by encrypting the communications between the subscriber and the base station.
GSM uses several cryptographic algorithms for security. The A5/1, A5/2, and A5/3 stream ciphers are used for ensuring over-the-air voice privacy. The Hacker’s Choice started the A5/1 cracking project with plans to use FPGAs that allow A5/1 to be broken with a rainbow table attack. On 28 December 2010 German computer engineer Karsten Nohl announced that he had cracked the A5/1 cipher. He also said that it is possible to build “a full GSM interceptor from open-source components” but that they had not done so because of legal concerns. Nohl claimed that he was able to intercept voice and text conversations by impersonating another user to listen to voicemail, make calls, or send text messages using a seven-year-old Motorola cellphone and decryption software available for free online.
New attacks have been observed that take advantage of poor security implementations, architecture, and development for smartphone applications. Some wiretapping and eavesdropping techniques hijack the audio input and output providing an opportunity for a third party to listen in to the conversation. GSM uses General Packet Radio Service (GPRS) for data transmissions like browsing the web that was cracked by Nohl and his co-researcher Luca Melette in 2011.
U.S. law enforcement agencies have also been using fake cell phone towers to illegally intercept mobile communications and data. Surveillance hardware and software like Stingray, Triggerfish, etc are commonly used in U.S. and other jurisdictions. For instance, India has been using secret wires, central monitoring system (CMS), NETRA, etc to indulge in illegal and unconstitutional-surveillance. There is no parliamentary oversight of these e-surveillance projects and intelligence agencies of India.
Let us now come back to the disclosures of Intercept. What make it relevant for India are the Intercept claims that these spies mined the private communications of Gemalto engineers and employees in multiple countries, including India. Once someone has access to these encryption keys they can monitor all mobile communications on those SIM cards without seeking permission from Indian courts, the government, the mobile operator, etc. And the worst part is that there is no trace on the mobile operator’s network that communications were monitored by a third party since they have the actual keys and are not using brute force to break encryption. But in the Indian context this fallacy seems to be more by a “thoughtful design” than a negligence and lapse on the part of Indian government and telecom operators. It seems India and U.S. are collaborating on illegal and unconstitutional e-surveillance on a mutual basis. This is one of the main reasons why there is no encryption policy of India (PDF) till date and why privacy and data protection (PDF) laws are still missing in India despite much protests.
German Chancellor Angela Merkel’s voice calls were monitored by U.S. spies and this forced the German government to use BlackBerry smartphones with an additional layer of voice encryption. Even Indian Prime Minister Narendra Modi now uses a BlackBerry with possible security mechanisms.
However, the most interesting revelation comes in the form that GCHQ could not intercept keys used by mobile operators in Pakistan, even though Pakistan is a priority target for Western intelligence agencies. This is because Pakistanis used more secure methods to transfer the encryption keys between the SIM card manufacturers and Pakistani mobile operators.
Mobile cyber security in India is in a bad shape. The cyber security trends in India 2013 (PDF) and 2014 by Perry4Law Organisation (P4LO) have proved that mobile cyber security in India is in real bad shape. Even the cyber security trends in India 2015 have also short listed mobile cyber security as a priority area that deserves immediate attention of Indian government. The Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) hopes that Indian government would take mobile cyber security in general and cyber security in particular seriously in the year 2015.