The NSA spies on the internal emails and documents of major mobile carriers and their industry body, the GSM Association, according to an article published Thursday by The Intercept.
According to the piece, the spy agency is or was running a program called AURORAGOLD, which involved targeting the GSMA in order to find or even create weak spots in carriers’ network technology. If this is the case, it may be yet another example of the foolhardy breaking of widely used security mechanisms in ways that other spies and criminals can potentially also exploit.
The GSMA’s “IR.21” documents are shared between carriers to allow customers to roam internationally between their networks. According to the NSA documents published by The Intercept, IR.21s provide valuable information about new technology that the carriers are using, helping spies to figure out how to “discover vulnerabilities,” “introduce vulnerabilities where they do not yet exist” and find threats to the spies’ existing surveillance methods.
The GSMA is also a hub for the development of new cellular privacy technology. Worryingly, the article suggests that the AURORAGOLD program may have aided NSA attempts to crack A5/3, a type of encryption for cellular communications. Earlier stories based on the Snowden leaks indicated that the NSA has already cracked the older and weaker — but widely used — A5/1 cipher.
It’s not entirely clear whether or not the NSA and GCHQ have had success in cracking A5/3 yet, but some experts are worried:
“What we know now should be enough evidence to drop A5/3 in favor of more robust encryption. It's already vulnerable to theoretical attacks.”
— Matthew Green (@matthew_d_green) December 4, 2014
As the piece noted, the U.K.-based GSMA receives funding from the U.S. National Institute of Standards and Technology (NIST), which has already had to warn companies off using one of its own security standards because Snowden’s leaks indicated the NSA had tampered with it.
GSMA spokeswoman Claire Cranton told me by email: “We are aware of the Intercept story and are currently investigating the claims made in the piece. We are unable to offer any further comment at this time.”