Researcher Says Simple Security Fixes From Carriers Would Have Prevented NSA Collection Of Cell Communications

from the we're-nos.-1-whatever,-why-try-harder? dept

Hanlon's Razor states: never attribute to malice that which is adequately explained by stupidity. Replace "stupidity" with "laziness" and you've got one researcher's theory as to why cell phone carriers failed to make basic efforts to provide a secure product -- one that would have prevented the NSA's collection of communications. (h/t to DSLreports)

The world's mobile phone carriers have failed to implement technology fixes available since 2008 that would have thwarted the National Security Agency's ability to eavesdrop on many mobile phone calls, a cyber security expert says.

Karsten Nohl, chief scientist with Berlin's Security Research Labs, told Reuters ahead of a highly anticipated talk at a conference in Germany that his firm discovered the issue while reviewing security measures implemented by mobile operators around the world…

None of the carriers surveyed had implemented measures for thwarting a method that allows the NSA to eavesdrop on most mobile calls by unscrambling a widely used encryption technology known as A5/1[…] Nohl said that method would have been blocked if carriers had applied two patches released in 2008.

Were carriers compelled to leave this hole open for NSA exploitation? It's a good question, but Nohl says the more likely explanation is that carriers simply didn't find the problem worth addressing.

"I couldn't imagine it is complicity. I think it is negligence," he said. "I don't want to believe in a worldwide conspiracy across all worldwide network operators. I think it is individual laziness and priority on network speed and network coverage and not security."

As has been observed everywhere, the path of least resistance is favored by many entities, even those not explicitly performing government work. Making a minimum of effort dumped customers' conversations right into the NSA's lap.

Of course, if the NSA had knocked on these carriers' doors and asked for a small favor, like leaving a security hole big enough to drive a semi full of unused privacy protections through, chances are many would have said, "Sure, why not." Verizon and AT&T have only very belatedly joined the national conversation on intelligence gathering, after spending months shuffling around the periphery while staring at the floor. For years, these providers have handed over everything the agency's asked for and shown an active interest in helping it anticipate what it might need next.

But Nohl's theory dismisses a worldwide conspiracy to dump cell phone customers' conversations into the waiting ears of the NSA -- something that's more likely to be true. While American carriers have proven to be useful NSA allies, very little has been exposed about the compliance rate of foreign carriers. Not that their resistance would matter much (or that they'd even be approached directly), as foreign intelligence agencies have been just as "helpful" as AT&T and Verizon in terms of granting access to data and communications -- much of which ultimately ends up in the NSA's sprawling lockboxes.

The moral here, if Nohl is correct, is that the industry's idle hands are the NSA's workshop. Not doing something can be just as harmful as complete complicity.


Filed Under: carriers, nsa, privacy, security, surveillance


Reader Comments



  1. Anonymous Coward, 14 Jan 2014 @ 8:05am

    ....

    Plausible deniability?
