Sign in with
Sign up | Sign in

How the NSA Gets Into Your Smartphones

By - Source: Tom's Guide US | B 19 comments

By now, it probably comes as no surprise that the National Security Agency (NSA), aside from collecting Americans' telephone data and foiling the vast majority of Internet security protocols, can spy on people's smartphones.

But thanks to an article in German magazine Der Spiegel, we now know more about the extent to which the NSA has broken into the security of Google, Apple and even BlackBerry, which was once thought to be uncrackable.

Der Spiegel worked with Laura Poitras, the documentary filmmaker and Berlin resident who along with journalist Glen Greenwald is one of the few people with full access to the documents leaked by former NSA contractor Edward Snowden.

The documents obtained by Der Spiegel suggest that neither Google, Apple nor BlackBerry willingly cooperated with the NSA to infiltrate their devices. Nevertheless, with or without their help, if the NSA wants to target a smartphone, it appears it has the resources to make it happen.

MORE: Why the Latest NSA Leak is the Scariest of All

It's no surprise that Android devices are vulnerable — the same open-source policies and lack of security software that make Android devices a prime target for malware also make them easily susceptible to surveillance.

But BlackBerry has long been known for its extremely strong security. Unable to compete with iPhones and Androids in terms of features, user experience and perceived "coolness," BlackBerry has long counted on its security chops to keep its dwindling market edge. 

It's unclear exactly how the NSA compromised BlackBerry security, but if the agency has actually managed to crack the advanced "elliptic curve cryptography" that BlackBerry devices employ, the NSA's cryptography capabilities are far more extensive than was previously suspected.

"That's very unlikely," security expert Nadim Kobeissi, the founder of encrypted messaging service Cryptocat, told Tom's Guide. According to Kobeissi, it would be "very shocking" if the NSA has managed to crack elliptic curve cryptography, which is considered the 'next generation' of encryption.

Amidst the string of impressive NSA victories is one surprising failure: The report in Der Spiegel seems to suggest that the NSA might not have an easy way into Apple devices.

However, according to the article, co-authored by Marcel Rosenbach, Laura Poitras and Holger Stark, "the documents leave no doubt that if the intelligence service defines a smartphone as a target, it will find a way to gain access to its information."

Is Apple the most secure smartphone?

Google Play, the Android app store, is far less regulated than those of Apple and BlackBerry, though Google has taken steps in recent years to better police the store for malicious software.

Android's operating system is designed to give users the maximum amount of control over their devices. That includes security; it falls on Android users, not Google or the carriers or the manufacturers, to put security software on their phones.

Apple, however, is another story. The company takes full control of its phone security, meaning users don't need to do anything to be secure.

Apparently, that approach has paid off: Der Spiegel's article is light on details, but seems to suggest that the NSA can only get into iPhones by hacking into the computers with which the iPhones sync.

But newer iPhones no longer need to sync with computers; instead the devices get over-the-air updates and can sync data wirelessly via iCloud.

This suggests that Apple's security is much more difficult to thwart than other smartphones'—but again, Der Spiegel is vague and did not disclose the actual documents on which it is reporting.

MORE: 10 Pros and Cons of Jailbreaking Your iPhone or iPad

Der Spiegel also reports that the NSA was able to retroactively track iPhone users' whereabouts by accessing backlogged location data. However, starting with version 4.3.3 of the iOS operating system in 2011, iPhones store location data for no more than seven days, thereby limiting the NSA's surveillance options.

But that's not the only way the NSA can track a smartphone user's location. Most smartphone apps request access to the device's GPS and may store location-based data for much longer periods of time. For many smartphone users, the convenience of these location-based apps outweighs the security vulnerabilities.

Putting the 'crack' in CrackBerry

When BlackBerrys first came on the market, they were nicknamed "CrackBerrys" because they were so popular that people joked they were more addictive than crack cocaine. But after Der Spiegel's revelations, "CrackBerry" has a whole new meaning — one that reflects far less positively on the device.

Even though BlackBerrys only rank a distant ninth place on the list of terrorists' favorite mobile devices (Nokia is reportedly No. 1), the NSA has devoted significant resources to cracking the BlackBerry, a system that was once considered impregnable.

Thanks to its "BlackBerry Working Group," a team of specialists devoted to finding new workarounds to BlackBerry security, the NSA could access text messages and emails sent across the BlackBerry Internet Service. That is, until 2009, when BlackBerry purchased the cryptography company Certicom and integrated its advanced "elliptic curve cryptography" into the BlackBerry operating system.

That was enough to keep the NSA out of BlackBerrys for almost a year. But according to the Snowden documents viewed by Der Spiegel, in March 2010, the NSA found a way back in. "Champagne!" the self-congratulatory memo cheers.

By 2012, the NSA was also able to listen in on a number of BlackBerry telephone calls.

Does this mean the NSA has cracked elliptic-curve cryptography? "If that was the case it would be most definitely outrageous news," Kobeissi told Tom's Guide. "Especially because the NSA itself lists elliptic-curve cryptography as the standard they use internally for top secret information. If they actually cracked it and they say they use it themselves they would be lying about their own standard of encryption."

Robert Graham of Errata Security doesn't want to discount the possibility, however. "We think the NSA has  made breakthroughs in mathematics," he told Tom's Guide. "That breakthrough may be...in the newer elliptical curves. We just don't know where."

Perhaps ironically, another NSA memo shows the agency worries that BlackBerry's steadily decreasing popularity means that Americans are less secure. This seems to suggest that the NSA believes it is the only one to have penetrated BlackBerry's security, Der Spiegel reports.

Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+.

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 2 Hide
    _Bruce_ , September 9, 2013 5:30 PM
    "... even BlackBerry, which was once thought to be uncrackable."

    Not by anyone with half a brain. Did they even try to claim this? Who 'once thought' this anyway?

    "It's no surprise that Android devices are vulnerable — the same open-source policies and lack of security software that make Android devices a prime target for malware also make them easily susceptible to surveillance."

    That idea that open source is insecure is pure FUD. There is nothing to back this claim up at all. Furthermore what does 'lack of security software' even mean? Security is a part of the existing software, extra software is not required for a secure system.

    The problem with Android, above all others, is still that vendors do not issue updates.
  • 3 Hide
    _Bruce_ , September 9, 2013 5:36 PM
    Also, perhaps the title should be "We Do Not Know How the NSA Gets Into Your Smarphones"
  • Display all 19 comments.
  • -5 Hide
    otacon72 , September 9, 2013 6:19 PM
    @_Bruce_ You're the WORST kind of fanboy in that you have absolutely no idea what you're talking about. Android is known to have security holes which is astonishing to me because Android is based off of Linux which is a very secure OS. Google really screwed it up. Unless BB gives you the keys to the server you're not breaking elliptic curve cryptography.
  • 7 Hide
    sonofliberty08 , September 9, 2013 6:46 PM
    Apple takes full control of your iPhone...... that means the Government can take full control of your iPhone too
  • 0 Hide
    _Bruce_ , September 9, 2013 7:15 PM
    otacon72 :
    "Android is known to have security holes"

    Yes and they are known to be fixed. As with every other OS in existance. Only question is how many unknown issues are in the closed source OSs?

    "which is astonishing to me because Android is based off of Linux which is a very secure OS."

    How is Linux any more or less secure than Android? They both regularly have exploits found, and fixed. Again, just like every other OS.

    "Unless BB gives you the keys to the server you're not breaking elliptic curve cryptography."

    The comment wasn't about breaking the theoteritc cyptography it was about BlackBerry being uncrackable. There are tons of methods to crack a device that affect the implementation of the security rather than the concept itself.
  • 2 Hide
    _Bruce_ , September 9, 2013 7:36 PM
    Additionally my comments where not that Android is great, but that being open source is not a problem for security, which you seem to back up with your position on Linux anyway. And that anyone ever stating that any security can't be cracked needs their head examined.
  • 4 Hide
    chowmein , September 9, 2013 7:53 PM
    @firefoxx04

    These articles are coming because it is from documented evidenced leaked by the NSA whistleblower. The documents have provided direct evidence as to how far these capabilities go.

    On your second point, and this goes for anyone in the "nothing to hide" crowd. This doesn't work out in practice. There are literally 10s of thousands of government employees, contractors and military professionals that have access to these systems and information. The leaks have shown there is no effective auditing or oversight in place (any sysadmin can create an account at any time and impersonate a 4 star general). The amount of people involved makes it an almost certainty that this information can fall into the hands of spies, people who have taken bribes, people who are working for criminal groups etc. Additionally, these systems are internet-connected and are a prime target for any attack to get access to huge quantities of very interesting information. Finally, this information can be used by any of those 10s of thousands of people to blackmail anyone who is in a position of power such as politicians, business owners, foreign diplomats etc.

    For the "nothing to hide" crowd. Ask yourself, do you trust 100,000 people with various personalities, motivations and intent to have access to all of your email, photos, conversations, bank accounts, phone calls and political donations?

    Do you trust them to have this information about the rest of your family as well?
  • 0 Hide
    Bloob , September 9, 2013 10:03 PM
    Seeing how silent Apple has been during all this (seeing how they, like other companies, are prone to shouting out the faults of others), I'd actually think they are willingly working together with NSA.
  • 0 Hide
    milktea , September 10, 2013 12:26 AM
    What I'm waiting for is the breaking news on identifying spies in those Google, Apple, MS, BB, etc.
    Let the men/women hunt begin in those large corps...
    :) 
  • 0 Hide
    cats_Paw , September 10, 2013 1:26 AM
    Am i Getting this right? Apple more secure than blackberry? And next they are going to say that hamburgers from McDonalds are healthier than salad.

    Personally, i dont care about any of this.
    First of all, i dont have a smartphone (seems like beeing outdated pays off sometimes), and second, if I was hiding something, it would be on an offline only device.
  • 5 Hide
    Repelsteeltje , September 10, 2013 1:27 AM
    @firefoxx04:

    Nothing to hide? Then give me access to your email box, regular mail, phone network ID and all your social media accounts. Also give me access to your medical and banking records. I hope you don't mind me listening in on your discussions with your wife, either electronically or in person, sitting in between you two. Let me see your pictures. I also hope you don't own any illegal software, music or other media files, including Youtube videos in your browser cache; no unpaid pornography, and no pornography – not even a thumbnail or spam banner – that might have a teenager in it, whether you know it or not; and I hope you never discussed strong disapproval with the government, evading taxes, traffic violations, drugs or who ought to get their ass kicked.

    If someone has access to everything you ever said, wrote or even merily suggested, it's going to be trivial to come up with a crime you're guilty of.

    The government is the servant of the people, and has no business invading their lives.

    Besides, even if you'd keep confidential data on an external disk, you're going to have to plug it in sometime to read its contents – not mentioning the physical disk itself can be confiscated.

    My point being, there is no way to safeguard your private data against the goverment, apart from the principle that it should not have the right to get that data in the first place. If you accept that they do have that right to obtain all that data and accept that they are actively trying to, you've lost. "Nothing to hide" is a straw man. People have a right to their own private lives without having to assert not being a terrorist or criminal.
  • 3 Hide
    nitrium , September 10, 2013 1:31 AM
    "No one is looking to get into your phone, computer, bla bla bla unless you have something to hide."

    This is an incredibly naive statement. While you may have "nothing to hide" from this particular government, are you so sure you will have "nothing to hide" from future governments (given that ALL your data will be stored in perpetuity). What did the Jews have to hide from the Hitler German government? Nothing, right? Oh wait.
    The fact the likes of Hitler have ever existed, means the chances of such a government are in fact FINITE, which means we are all 100% guaranteed to get such a government at some stage. When? Who knows, but do you want to give THAT government ALL your information? Yeah, nah.
  • 2 Hide
    pjmelect , September 10, 2013 1:33 AM
    Its not just those who are terrorist or criminals that need to worry, the NSA has been known to carry out industrial espionage on the behalf of American firms.
  • 0 Hide
    mkatkat , September 10, 2013 2:02 AM
    It seems that most casual Internet users have taken online privacy and security for granted until now. And from what I've read on http://vpnexpress.net, it is mostly because they trust online services to guard their data and because they can't imagine anyone would be interested in their data. But this is not true, apparently, and regardless, people simply don't like to be observed.
  • 0 Hide
    ddpruitt , September 10, 2013 7:55 AM
    Quote:
    These articles are coming because it is from documented evidenced leaked by the NSA whistleblower. The documents have provided direct evidence as to how far these capabilities go.


    This "documented" evidence has already shown to be full of inaccuracies (like the fact that the WPs and Guardian identical presentations were different) and have only been used to write more sensational articles with no useful information like this one (smartphones have security flaws? big deal). Until I have some real information I really don't believe what either side is saying.
  • 1 Hide
    byte_my_bits , September 10, 2013 1:10 PM
    Is the article mis-titled, or is the author just a f**king moron?

    At no point does it answer its own question, ffs.
  • 0 Hide
    somebodyspecial , September 11, 2013 3:43 AM
    "but if the agency has actually managed to crack the advanced "elliptic curve cryptography" that BlackBerry devices employ, the NSA's cryptography capabilities are far more extensive than was previously suspected. "

    Followed by ""That's very unlikely," security expert Nadim Kobeissi"

    I'm no longer reading NSA articles at toms. You are wasting my time for hits. All of your articles say there is no proof of anything, so don't bother reading again :) 

    Article should be titled how the NSA does nothing yet and we're about to waste your time again.
  • 0 Hide
    sundragon , September 16, 2013 9:59 AM
    Love how when the security whistleblower says that NSA deems Android as easy and Apple/BBerry is difficult, you fan boys still create a Steve Jobs Reality Distortion Field and state otherwise.
    Until Google updates it's core OS independently of the manufacturers and carriers, it will still be the leas secure. If every Linux disto and Windows that run on far more platforms than all of Android hardware put together, there's no reason for Google to let this continue into Android 5.0 unless they simply don't give a sh*t...

    Go back to your reality distortion field and how Android is the new Jesus phone and Apple is Satan, LMAO
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter