One of the hottest topics of the moment is certainly the breaking news about the NSA collecting phone records of Verizon subscribers. According to the court order, Verizon has been asked to provide the NSA with daily information on all its phone records between April 25th and July 19th.
According to the Wall Street Journal, AT&T and Sprint reportedly received the same order, and it would make sense if T-Mobile had too.
Many journalists have been reacting to the obvious infringement on our privacy, especially given the recent disclosure of the PRISM program, in which major Internet firms (namely Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple) have been asked to provide data regarding their end-users. As background reading, Richard Stallman's refusal to own a mobile phone is enlightening, and so are the EFF's statements on privacy issues with mobile phones.
As a security researcher, I will not comment further on this, but would rather dig into some technical facts.
200G of metadata per day
That's probably a low estimate of the volume Verizon has to send to the NSA every day. Indeed, Verizon has more than 60 million subscribers. With a basic estimate of 2.5 million calls per day, and 100 bytes for each, this means more than 200G. Huge, but feasible with good bandwidth.
Operators do not have visibility over the entire route
The NSA asks Verizon to provide routing information. In reality, much like IP routing, a phone call may go over several hops. Each operator knows the previous one, the next one, the origin and the final one. Note, however, that operators do not have visibility over the entire route.
IMSIs are not entirely reliable
The NSA asks Verizon for IMSIs. However, if SIM card cloning has taken place, the IMSI no longer identifies a single person. The cloned SIM card carries the same information as the original one, in particular the same subscriber identifier (IMSI). The owner of the cloned device is able to place calls and have the original owner (the victim) charged for them. The NSA or Verizon would, however, probably be able to spot something wrong using geographic locations and IMEIs: two identical IMSIs would appear to be calling from different locations and different handsets.
For the average Joe, collecting unreliable identifiers is an issue when their 'identity' is spoofed by suspects.
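The cross-check described above (same IMSI, different IMEI, implausible distance) can be sketched as follows. This is an added example, not code from the original post; the record layout, the sample records and the speed ceiling are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (not real data): IMSI, IMEI, UTC time, cell lat/lon.
RECORDS = [
    ("001010000000001", "350000000000011", "2013-06-07T09:00:00", 40.7128, -74.0060),
    ("001010000000001", "350000000000011", "2013-06-07T09:40:00", 40.7306, -73.9352),
    ("001010000000001", "350000000000029", "2013-06-07T10:00:00", 34.0522, -118.2437),
    ("001010000000002", "350000000000037", "2013-06-07T09:00:00", 41.8781, -87.6298),
    ("001010000000002", "350000000000045", "2013-06-08T09:00:00", 41.8800, -87.6300),
]

MAX_SPEED_KMH = 1000.0  # assumed ceiling: anything faster implies two devices


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def suspected_clones(records, max_speed_kmh=MAX_SPEED_KMH):
    """Return {imsi: [(imei_a, imei_b, km, km_per_h), ...]} for implausible pairs."""
    by_imsi = defaultdict(list)
    for imsi, imei, ts, lat, lon in records:
        by_imsi[imsi].append((datetime.fromisoformat(ts), imei, lat, lon))
    findings = {}
    for imsi, events in by_imsi.items():
        events.sort()  # chronological order per subscriber identifier
        hits = []
        for (t1, imei1, la1, lo1), (t2, imei2, la2, lo2) in zip(events, events[1:]):
            if imei1 == imei2:
                continue  # same handset: ordinary movement, not evidence of a clone
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # avoid /0
            if km / hours > max_speed_kmh:
                hits.append((imei1, imei2, round(km), round(km / hours)))
        if hits:
            findings[imsi] = hits
    return findings


if __name__ == "__main__":
    for imsi, hits in suspected_clones(RECORDS).items():
        print(imsi, hits)
```

The second sample IMSI changes handset a day later at nearly the same location and is not flagged, so an ordinary phone upgrade does not trigger the check.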
Spyware on our phones
As an AV company, we see a high amount of trojan spyware for mobile phones. In the last week we have studied instances of mobile malware forwarding incoming SMS messages (Android/Perkel) or all of the phone's contacts (Android/AckPosts). So, spying can happen not only at the operator's level, but also at the device level.
-- the Crypto Girl