How the NSA Gets Into Your Smartphones

By now, it probably comes as no surprise that the National Security Agency (NSA), aside from collecting Americans' telephone data and foiling the vast majority of Internet security protocols, can spy on people's smartphones.

But thanks to an article in German magazine Der Spiegel, we now know more about the extent to which the NSA has broken into the security of Google, Apple and even BlackBerry, which was once thought to be uncrackable.

Der Spiegel worked with Laura Poitras, the documentary filmmaker and Berlin resident who along with journalist Glen Greenwald is one of the few people with full access to the documents leaked by former NSA contractor Edward Snowden.

The documents obtained by Der Spiegel suggest that neither Google, Apple nor BlackBerry willingly cooperated with the NSA to infiltrate their devices. Nevertheless, with or without their help, if the NSA wants to target a smartphone, it appears it has the resources to make it happen.

MORE: Why the Latest NSA Leak is the Scariest of All

It's no surprise that Android devices are vulnerable — the same open-source policies and lack of security software that make Android devices a prime target for malware also make them easily susceptible to surveillance.

But BlackBerry has long been known for its extremely strong security. Unable to compete with iPhones and Androids in terms of features, user experience and perceived "coolness," BlackBerry has long counted on its security chops to keep its dwindling market edge. 

It's unclear exactly how the NSA compromised BlackBerry security, but if the agency has actually managed to crack the advanced "elliptic curve cryptography" that BlackBerry devices employ, the NSA's cryptography capabilities are far more extensive than was previously suspected.

"That's very unlikely," security expert Nadim Kobeissi, the founder of encrypted messaging service Cryptocat, told Tom's Guide. According to Kobeissi, it would be "very shocking" if the NSA has managed to crack elliptic curve cryptography, which is considered the 'next generation' of encryption.

Amidst the string of impressive NSA victories is one surprising failure: The report in Der Spiegel seems to suggest that the NSA might not have an easy way into Apple devices.

However, according to the article, co-authored by Marcel Rosenbach, Laura Poitras and Holger Stark, "the documents leave no doubt that if the intelligence service defines a smartphone as a target, it will find a way to gain access to its information."

Is Apple the most secure smartphone?

Google Play, the Android app store, is far less regulated than those of Apple and BlackBerry, though Google has taken steps in recent years to better police the store for malicious software.

Android's operating system is designed to give users the maximum amount of control over their devices. That includes security; it falls on Android users, not Google or the carriers or the manufacturers, to put security software on their phones.

Apple, however, is another story. The company takes full control of its phone security, meaning users don't need to do anything to be secure.

Apparently, that approach has paid off: Der Spiegel's article is light on details, but seems to suggest that the NSA can only get into iPhones by hacking into the computers with which the iPhones sync.

But newer iPhones no longer need to sync with computers; instead the devices get over-the-air updates and can sync data wirelessly via iCloud.

This suggests that Apple's security is much more difficult to thwart than other smartphones'—but again, Der Spiegel is vague and did not disclose the actual documents on which it is reporting.

MORE: 10 Pros and Cons of Jailbreaking Your iPhone or iPad

Der Spiegel also reports that the NSA was able to retroactively track iPhone users' whereabouts by accessing backlogged location data. However, starting with version 4.3.3 of the iOS operating system in 2011, iPhones store location data for no more than seven days, thereby limiting the NSA's surveillance options.

But that's not the only way the NSA can track a smartphone user's location. Most smartphone apps request access to the device's GPS and may store location-based data for much longer periods of time. For many smartphone users, the convenience of these location-based apps outweighs the security vulnerabilities.

Putting the 'crack' in CrackBerry

When BlackBerrys first came on the market, they were nicknamed "CrackBerrys" because they were so popular that people joked they were more addictive than crack cocaine. But after Der Spiegel's revelations, "CrackBerry" has a whole new meaning — one that reflects far less positively on the device.

Even though BlackBerrys only rank a distant ninth place on the list of terrorists' favorite mobile devices (Nokia is reportedly No. 1), the NSA has devoted significant resources to cracking the BlackBerry, a system that was once considered impregnable.

Thanks to its "BlackBerry Working Group," a team of specialists devoted to finding new workarounds to BlackBerry security, the NSA could access text messages and emails sent across the BlackBerry Internet Service. That is, until 2009, when BlackBerry purchased the cryptography company Certicom and integrated its advanced "elliptic curve cryptography" into the BlackBerry operating system.

That was enough to keep the NSA out of BlackBerrys for almost a year. But according to the Snowden documents viewed by Der Spiegel, in March 2010, the NSA found a way back in. "Champagne!" the self-congratulatory memo cheers.

By 2012, the NSA was also able to listen in on a number of BlackBerry telephone calls.

Does this mean the NSA has cracked elliptic-curve cryptography? "If that was the case it would be most definitely outrageous news," Kobeissi told Tom's Guide. "Especially because the NSA itself lists elliptic-curve cryptography as the standard they use internally for top secret information. If they actually cracked it and they say they use it themselves they would be lying about their own standard of encryption."

Robert Graham of Errata Security doesn't want to discount the possibility, however. "We think the NSA has  made breakthroughs in mathematics," he told Tom's Guide. "That breakthrough may the newer elliptical curves. We just don't know where."

Perhaps ironically, another NSA memo shows the agency worries that BlackBerry's steadily decreasing popularity means that Americans are less secure. This seems to suggest that the NSA believes it is the only one to have penetrated BlackBerry's security, Der Spiegel reports.

Email or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • firefoxx04
    What is the deal with the NSA scare articles lately? If you people are suprised by any of this crap then you are years behind.

    No one is looking to get into your phone, computer, bla bla bla unless you have something to hide. Anyone with any sensitive data has it encrypted onto a drive that isnt even plugged into a network. Cant hack into something that isnt plugged in.
  • _Bruce_
    "... even BlackBerry, which was once thought to be uncrackable."

    Not by anyone with half a brain. Did they even try to claim this? Who 'once thought' this anyway?

    "It's no surprise that Android devices are vulnerable — the same open-source policies and lack of security software that make Android devices a prime target for malware also make them easily susceptible to surveillance."

    That idea that open source is insecure is pure FUD. There is nothing to back this claim up at all. Furthermore what does 'lack of security software' even mean? Security is a part of the existing software, extra software is not required for a secure system.

    The problem with Android, above all others, is still that vendors do not issue updates.
  • _Bruce_
    Also, perhaps the title should be "We Do Not Know How the NSA Gets Into Your Smarphones"
  • sonofliberty08
    Apple takes full control of your iPhone...... that means the Government can take full control of your iPhone too
  • _Bruce_
    otacon72 :
    "Android is known to have security holes"

    Yes and they are known to be fixed. As with every other OS in existance. Only question is how many unknown issues are in the closed source OSs?

    "which is astonishing to me because Android is based off of Linux which is a very secure OS."

    How is Linux any more or less secure than Android? They both regularly have exploits found, and fixed. Again, just like every other OS.

    "Unless BB gives you the keys to the server you're not breaking elliptic curve cryptography."

    The comment wasn't about breaking the theoteritc cyptography it was about BlackBerry being uncrackable. There are tons of methods to crack a device that affect the implementation of the security rather than the concept itself.
  • _Bruce_
    Additionally my comments where not that Android is great, but that being open source is not a problem for security, which you seem to back up with your position on Linux anyway. And that anyone ever stating that any security can't be cracked needs their head examined.
  • chowmein

    These articles are coming because it is from documented evidenced leaked by the NSA whistleblower. The documents have provided direct evidence as to how far these capabilities go.

    On your second point, and this goes for anyone in the "nothing to hide" crowd. This doesn't work out in practice. There are literally 10s of thousands of government employees, contractors and military professionals that have access to these systems and information. The leaks have shown there is no effective auditing or oversight in place (any sysadmin can create an account at any time and impersonate a 4 star general). The amount of people involved makes it an almost certainty that this information can fall into the hands of spies, people who have taken bribes, people who are working for criminal groups etc. Additionally, these systems are internet-connected and are a prime target for any attack to get access to huge quantities of very interesting information. Finally, this information can be used by any of those 10s of thousands of people to blackmail anyone who is in a position of power such as politicians, business owners, foreign diplomats etc.

    For the "nothing to hide" crowd. Ask yourself, do you trust 100,000 people with various personalities, motivations and intent to have access to all of your email, photos, conversations, bank accounts, phone calls and political donations?

    Do you trust them to have this information about the rest of your family as well?
  • Bloob
    Seeing how silent Apple has been during all this (seeing how they, like other companies, are prone to shouting out the faults of others), I'd actually think they are willingly working together with NSA.
  • milktea
    What I'm waiting for is the breaking news on identifying spies in those Google, Apple, MS, BB, etc.
    Let the men/women hunt begin in those large corps...
  • cats_Paw
    Am i Getting this right? Apple more secure than blackberry? And next they are going to say that hamburgers from McDonalds are healthier than salad.

    Personally, i dont care about any of this.
    First of all, i dont have a smartphone (seems like beeing outdated pays off sometimes), and second, if I was hiding something, it would be on an offline only device.