OPERATION AURORAGOLD

HOW THE NSA HACKS CELLPHONE NETWORKS WORLDWIDE

 

In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military’s Africa Command needed help to hack into Libya’s cellphone networks and monitor text messages.

For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers’ internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks.

The NSA’s assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program—global in its scope and ramifications—targeted not just at hostile countries.

According to documents contained in the archive of material provided toThe Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance.

The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into—a controversial tactic that security experts say could be exposing the general population to criminal hackers.

Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks.

One high-profile surveillance target is the GSM Association, an influential U.K.-headquartered trade group that works closely with large U.S.-based firms including Microsoft, Facebook, AT&T, and Cisco, and is currently being funded by the U.S. government to develop privacy-enhancing technologies.

Karsten Nohl, a leading cellphone security expert and cryptographer who was consulted by The Intercept about details contained in the AURORAGOLD documents, said that the broad scope of information swept up in the operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.

THE OPERATION APPEARS AIMED AT ENSURING VIRTUALLY EVERY CELLPHONE NETWORK IN THE WORLD IS NSA ACCESSIBLE.

“Collecting an inventory [like this] on world networks has big ramifications,” Nohl said, because it allows the NSA to track and circumvent upgrades in encryption technology used by cellphone companies to shield calls and texts from eavesdropping. Evidence that the agency has deliberately plotted to weaken the security of communication infrastructure, he added, was particularly alarming.

“Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities,” Nohl said, “because once NSA introduces a weakness, a vulnerability, it’s not only the NSA that can exploit it.”

NSA spokeswoman Vanee’ Vines told The Intercept in a statement that the agency “works to identify and report on the communications of valid foreign targets” to anticipate threats to the United States and its allies.

Vines said: “NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements—regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their communications.”

Network coverage

The AURORAGOLD operation is carried out by specialist NSA surveillance units whose existence has not been publicly disclosed: the Wireless Portfolio Management Office, which defines and carries out the NSA’s strategy for exploiting wireless communications, and the Target Technology Trends Center, which monitors the development of new communication technology to ensure that the NSA isn’t blindsided by innovations that could evade its surveillance reach. The center’s logo is a picture of the Earth overshadowed by a large telescope; its motto is “Predict – Plan – Prevent.”

tttc-logoThe NSA documents reveal that, as of May 2012, the agency had collected technical information on about 70 percent of cellphone networks worldwide—701 of an estimated 985—and was maintaining a list of 1,201 email “selectors” used to intercept internal company details from employees. (“Selector” is an agency term for a unique identifier like an email address or phone number.) From November 2011 to April 2012, between 363 and 1,354 selectors were “tasked” by the NSA for surveillance each month as part of AURORAGOLD, according to the documents. The secret operation appears to have been active since at least 2010.

The information collected from the companies is passed onto NSA “signals development” teams that focus on infiltrating communication networks. It is also shared with other U.S. Intelligence Community agencies and with the NSA’s counterparts in countries that are part of the so-called “Five Eyes” surveillance alliance—the United Kingdom, Canada, Australia, and New Zealand.

Aside from mentions of a handful of operators in Libya, China, and Iran, names of the targeted companies are not disclosed in the NSA’s documents. However, a top-secret world map featured in a June 2012 presentation on AURORAGOLD suggests that the NSA has some degree of “network coverage” in almost all countries on every continent, including in the United States and in closely allied countries such as the United Kingdom, Australia, New Zealand, Germany, and France.

map-coverage

One of the prime targets monitored under the AURORAGOLD program is the London-headquartered trade group, the GSM Association, or the GSMA, which represents the interests of more than 800 major cellphone, software, and internet companies from 220 countries.

The GSMA’s members include U.S.-based companies such as Verizon, AT&T, Sprint, Microsoft, Facebook, Intel, Cisco, and Oracle, as well as large international firms including Sony, Nokia, Samsung, Ericsson, and Vodafone.

The trade organization brings together its members for regular meetings at which new technologies and policies are discussed among various “working groups.” The Snowden files reveal that the NSA specifically targeted the GSMA’s working groups for surveillance.

Claire Cranton, a spokeswoman for the GSMA, said that the group would not respond to details uncovered by The Intercept until its lawyers had studied the documents related to the spying.

“If there is something there that is illegal then they will take it up with the police,” Cranton said.

By covertly monitoring GSMA working groups in a bid to identify and exploit security vulnerabilities, the NSA has placed itself into direct conflict with the mission of the National Institute for Standards and Technology, or NIST, the U.S. government agency responsible for recommending cybersecurity standards in the United States. NIST recently handed out a grant of more than $800,000 to GSMA so that the organization could research ways to address “security and privacy challenges” faced by users of mobile devices.

The revelation that the trade group has been targeted for surveillance may reignite deep-seated tensions between NIST and NSA that came to the fore following earlier Snowden disclosures. Last year, NIST was forced to urge people not to use an encryption standard it had previously approved after it emerged NSA had apparently covertly worked to deliberately weaken it.

Jennifer Huergo, a NIST spokewoman, told The Intercept that the agency was “not aware of any activities by NSA related to the GSMA.” Huergo said that NIST would continue to work towards “bringing industry together with privacy and consumer advocates to jointly create a robust marketplace of more secure, easy-to-use, privacy-enhancing solutions.”

gstreetview

Encryption attack

The NSA focuses on intercepting obscure but important technical documents circulated among the GSMA’s members known as “IR.21s.”

Most cellphone network operators share IR.21 documents among each other as part of agreements that allow their customers to connect to foreign networks when they are “roaming” overseas on a vacation or a business trip. An IR.21, according to the NSA documents, contains information “necessary for targeting and exploitation.”

The details in the IR.21s serve as a “warning mechanism” that flag new technology used by network operators, the NSA’s documents state. This allows the agency to identify security vulnerabilities in the latest communication systems that can be exploited, and helps efforts to introduce new vulnerabilities “where they do not yet exist.”

The IR.21s also contain details about the encryption used by cellphone companies to protect the privacy of their customers’ communications as they are transmitted across networks. These details are highly sought after by the NSA, as they can aid its efforts to crack the encryption and eavesdrop on conversations.

Last year, the Washington Post reported that the NSA had already managed to break the most commonly used cellphone encryption algorithm in the world, known as A5/1. But the information collected under AURORAGOLD allows the agency to focus on circumventing newer and stronger versions of A5 cellphone encryption, such as A5/3.

The documents note that the agency intercepts information from cellphone operators about “the type of A5 cipher algorithm version” they use, and monitors the development of new algorithms in order to find ways to bypass the encryption.

In 2009, the British surveillance agency Government Communications Headquarters conducted a similar effort to subvert phone encryption under a project called OPULENT PUP, using powerful computers to perform a “crypt attack” to penetrate the A5/3 algorithm, secret memos reveal. By 2011, GCHQ was collaborating with the NSA on another operation, called WOLFRAMITE, to attack A5/3 encryption. (GCHQ declined to comment for this story, other than to say that it operates within legal parameters.)

The extensive attempts to attack cellphone encryption have been replicated across the Five Eyes surveillance alliance. Australia’s top spy agency, for instance, infiltrated an Indonesian cellphone company and stole nearly 1.8 million encryption keys used to protect communications, the New York Times reported in February.

The NSA’s documents show that it focuses on collecting details about virtually all technical standards used by cellphone operators, and the agency’s efforts to stay ahead of the technology curve occasionally yield significant results. In early 2010, for instance, its operatives had alreadyfound ways to penetrate a variant of the newest “fourth generation” smartphone-era technology for surveillance, years before it became widely adopted by millions of people in dozens of countries.

The NSA says that its efforts are targeted at terrorists, weapons proliferators, and other foreign targets, not “ordinary people.” But the methods used by the agency and its partners to gain access to cellphone communications risk significant blowback.

According to Mikko Hypponen, a security expert at Finland-based F-Secure, criminal hackers and foreign government adversaries could be among the inadvertent beneficiaries of any security vulnerabilities or encryption weaknesses inserted by the NSA into communication systems using data collected by the AURORAGOLD project.

“If there are vulnerabilities on those systems known to the NSA that are not being patched on purpose, it’s quite likely they are being misused by completely other kinds of attackers,” said Hypponen. “When they start to introduce new vulnerabilities, it affects everybody who uses that technology; it makes all of us less secure.”

“IT AFFECTS EVERYBODY WHO USES THAT TECHNOLOGY; IT MAKES ALL OF US LESS SECURE.”

In December, a surveillance review panel convened by President Obama concludedthat the NSA should not “in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.” The panel also recommended that the NSA should notify companies if it discovers previously unknown security vulnerabilities in their software or systems—known as “zero days” because developers have been given zero days to fix them—except in rare cases involving “high priority intelligence collection.”

In April, White House officials confirmed that Obama had ordered NSA to disclose vulnerabilities it finds, though qualified that with a loophole allowing the flaws to be secretly exploited so long as there is deemed to be “a clear national security or law enforcement” use.

Vines, the NSA spokeswoman, told The Intercept that the agency was committed to ensuring an “open, interoperable, and secure global internet.”

“NSA deeply values these principles and takes great care to honor them in the performance of its lawful foreign-intelligence mission,” Vines said.

She declined to discuss the tactics used as part of AURORAGOLD, or comment on whether the operation remains active.

BY RYAN GALLAGHER

REVEALED: GCHQ’s BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE

Exclusive Above-top-secret details of Britain’s covert surveillance programme – including the location of a clandestine British base tapping undersea cables in the Middle East – have so far remained secret, despite being leaked by fugitive NSA sysadmin Edward Snowden. Government pressure has meant that some media organisations, despite being in possession of these facts, have declined to reveal them. Today, however, the Register publishes them in full.

Read more

Obama can’t point to a single time the NSA call records program prevented a terrorist attack

National Security Agency defenders, including President Obama, continue to cite the terrorist attack on Sept. 11, 2001 when defending the program that scoops up domestic call records in bulk. But asked specifically, on Friday, if he could identify a time when that program stopped a similar attack, President Obama couldn’t. That’s because the program hasn’t prevented a second 9/11.

At the end of the year news conference, Reuters’s Mark Felsenthal asked:

As you review how to rein in the National Security Agency, a federal judge says that, for example, the government has failed to cite a single instance in which analysis of the NSA’s bulk metadata actually stopped an imminent attack. Are you able to identify any specific examples when it did so? Are you convinced that the collection of that data is useful to national security to continue as it is?

But President Obama never answered the question about a specific examples. Instead he spoke more broadly and tied the program, again, back to 9/11.

What I’ve said in the past continues to be the case, which is that the NSA, in executing this program, believed, based on experiences from 9/11, that it was important for us to be able to track, if there was a phone number of a known terrorist outside of the United States calling into the United States, where that call might have gone and that having that data in one place and retained for a certain period of time allowed them to be confident in pursuing various investigations of terrorist threats.

The president’s reliance on a 9/11 narrative is expected. The terrorist attack was a defining moment for a generation and now serves as a tragic reminder of a time when the U.S. government failed to protect its citizens. It’s understandable that any president would want to be seen as vigilant in preventing another such attack.

But the reason the president can’t cite a specific time the phone meta-data program stopped a similar tragedy is because it hasn’t.

Law professor Geoffrey Stone, a member of the presidential task force charged with reviewing NSA programs, told NBC News the group specifically looked for times when the program may have helped prevent a terrorist attack, but “found none.” The task force’s final report reflects that, saying:

Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders.

But the lack of evidence that the program is effective will probably not prevent the NSA’s defenders from continuing to invoke 9/11 to protect the program. Another member of the task force, former acting CIA Director Michael Morell, on CBS’s “Face the Nation” on Sunday, admitted the group had found that “the program to date has not played a significant role in stopping terrorist attacks in the United States,” but earlier in his interview credited the NSA as one of the agencies responsible for the lack of successful terrorist attacks in the United States since 9/11.

NSA phone surveillance program likely unconstitutional, federal judge rules

A federal judge in Washington ruled on Monday that the bulk collection of Americans’ telephone records by the National Security Agency is likely to violate the US constitution, in the most significant legal setback for the agency since the publication of the first surveillance disclosures by the whistleblower Edward Snowden.

Judge Richard Leon declared that the mass collection of metadata probably violates the fourth amendment, which prohibits unreasonable searches and seizures, and was “almost Orwellian” in its scope. In a judgment replete with literary swipes against the NSA, he said James Madison, the architect of the US constitution, would be “aghast” at the scope of the agency’s collection of Americans’ communications data.

The ruling, by the US district court for the District of Columbia, is a blow to the Obama administration, and sets up a legal battle that will drag on for months, almost certainly destined to end up in the supreme court. It was welcomed by campaigners pressing to rein in the NSA, and by Snowden, who issued a rare public statement saying it had vindicated his disclosures. It is also likely to influence other legal challenges to the NSA, currently working their way through federal courts.

The case was brought by Larry Klayman, a conservative lawyer, and Charles Strange, father of a cryptologist killed in Afghanistan when his helicopter was shot down in 2011. His son worked for the NSA and carried out support work for Navy Seal Team Six, the elite force that killed Osama bin Laden.

In Monday’s ruling, the judge concluded that the pair’s constitutional challenge was likely to be successful. In what was the only comfort to the NSA in a stinging judgment, Leon put the ruling on hold, pending an appeal by the government.

Leon expressed doubt about the central rationale for the program cited by the NSA: that it is necessary for preventing terrorist attacks. “The government does not cite a single case in which analysis of the NSA’s bulk metadata collection actually stopped an imminent terrorist attack,” he wrote.

“Given the limited record before me at this point in the litigation – most notably, the utter lack of evidence that a terrorist attack has ever been prevented because searching the NSA database was faster than other investigative tactics – I have serious doubts about the efficacy of the metadata collection program as a means of conducting time-sensitive investigations in cases involving imminent threats of terrorism.”

Leon’s opinion contained stern and repeated warnings that he was inclined to rule that the metadata collection performed by the NSA – and defended vigorously by the NSA director Keith Alexander on CBS on Sunday night – was unconstitutional.

“Plaintiffs have a substantial likelihood of showing that their privacy interests outweigh the government’s interest in collecting and analysing bulk telephony metadata and therefore the NSA’s bulk collection program is indeed an unreasonable search under the fourth amendment,” he wrote.

Leon said that the mass collection of phone metadata, revealed by the Guardian in June, was “indiscriminate” and “arbitrary” in its scope. “The almost-Orwellian technology that enables the government to store and analyze the phone metadata of every telephone user in the United States is unlike anything that could have been conceived in 1979,” he wrote, referring to the year in which the US supreme court ruled on a fourth amendment case upon which the NSA now relies to justify the bulk records program.

Snowden welcomes ruling

In a statement, Snowden said the ruling justified his disclosures. “I acted on my belief that the NSA’s mass surveillance programs would not withstand a constitutional challenge, and that the American public deserved a chance to see these issues determined by open courts,” he said in comments released through Glenn Greenwald, the former Guardian journalist who received leaked documents from Snowden.

“Today, a secret program authorised by a secret court was, when exposed to the light of day, found to violate Americans’ rights. It is the first of many.”

Senator Mark Udall, a leading critic of the dragnet collection, welcomed the judgment. “The ruling underscores what I have argued for years: [that] the bulk collection of Americans’ phone records conflicts with Americans’ privacy rights under the US constitution and has failed to make us safer,” said Udall, a Democrat.

Jameel Jaffer, the deputy legal director of the ACLU, praised what he called Leon’s “thoughtful” ruling: “This is a strongly worded and carefully reasoned decision that ultimately concludes, absolutely correctly, that the NSA’s call-tracking program can’t be squared with the constitution.”

At the White House, spokesman Jay Carney said he had no comment on the on the case, saying he had not heard of the decision when the press briefing started and referred reporters to the Justice Department for reaction.

“We’ve seen the opinion and are studying it. We believe the program is constitutional as previous judges have found. We have no further comment at this time,” said Justice Department spokesman Andrew Ames.

News of the ruling came as the White House revealed that its review into NSA activities has made more than 40 separate recommendations in a report received by Barack Obama on Friday. Carney said the president would be reviewing the group’s conclusions before making their findings public. “Over the next several weeks we will be reviewing the review group’s report and its more than 40 recommendations as we consider the path forward, including sorting through which recommendations we will implement and which might require further study and which will choose not to pursue,” Carney said.

“We expect the overall internal review to be completed in January. After that, the president will deliver remarks to outline the outcome of our work and at that time we will make public the review group’s full report and other conclusions of our work.”

The White House also poured cold water on suggestions by an NSA official that whistleblower Edward Snowden could be offered an amnesty by the US in exchange for returning documents. “Our position has not changed on that matter – at all,” said Carney. “Mr Snowden has been accused of leaking classified information and he faces felony charges in the US. He should be returned to the United States as soon as possible, where he will be accorded full due process.”

Asked about the NSA official’s suggestion, the White House added: “He was expressing his personal opinion; these decisions are made by the Department of Justice. There has been no change in our position.”

In his ruling, Judge Leon expressly rejected the government’s claim that the 1979 supreme court case, Smith v Maryland, which the NSA and the Obama administration often cite to argue that there is no reasonable expectation of privacy over metadata, applies in the NSA’s bulk-metadata collection. The mass surveillance program differs so much from the one-time request dealt with by the 1979 case that it was of “little value” in assessing whether the metadata dragnet constitutes a fourth amendment search.

‘Defying common sense’

In a decision likely to influence other federal courts hearing similar arguments from the ACLU, Leon wrote that the Guardian’s disclosure of the NSA’s bulk telephone records collection means that citizens now have standing to challenge it in court, since they can demonstrate for the first time that the government is collecting their phone data.

“The government asks me to find that plaintiffs lack standing based on the theoretical possibility that NSA has collected a universe of metadata so incomplete that the program could not possibly serve its putative function,” Leon wrote. “Candor of this type defies common sense and does not exactly inspire confidence!”

Leon also struck a blow for judicial review of government surveillance practices even when Congress explicitly restricts the ability of citizens to sue for relief. “While Congress has great latitude to create statutory schemes like Fisa,” he wrote, referring to the seminal 1978 surveillance law, “it may not hang a cloak of secrecy over the constitution.”

The case will almost certainly be heard next by the US court of appeals for the District of Columbia circuit, recently bolstered with two new liberal justices following a change in Senate rules relating to confirmation votes. Were the appeal court to uphold the ruling, the Department of Justice would seek another stay, pending a final verdict from the US supreme court or a “bench” decision by all justices on the appeal court.

In his ruling on Monday, Judge Leon predicted the process would take six months. He urged the government to take that time to prepare for an eventual defeat. “I fully expect that during the appellate process, which will consume at least the next six months, the government will take whatever steps necessary to prepare itself to comply with this order when, and if, it is upheld,” wrote Leon in his opinion.

“Suffice it to say, requesting further time to comply with this order months from now will not be well received and could result in collateral sanctions.”

The three DC appeal court judges who will first hear the case are chosen are random from the bench, currently comprising 10 justices.

However, it may prove a test of new Obama appointees, Patricia Millett and Nina Pillard, who were confirmed by the Senate last week in the face of bitter opposition from Republicans who said the administration was trying to “pack the court” with like-minded justices. A third, Robert Leon Wilkins, awaits confirmation by the Senate.

Though known as a straight-shooter when it comes to interpreting the law, Pillard, a Georgetown law professor, is married to prominent NSA critic and academic David Cole, who has argued that privacy is a “human right”.

Military secretly developed mobile app games that spied on users, report says

The NSA, FBI, and CIA are infiltrating and spying on multi-player role playing games such as World of Warcraft and Second Life, according to an NSA document leaked by Edward Snowden and published jointly by The Guardian, New York Times, and ProPublica.

According to the reports, the various intelligence agencies have so many undercover players inside these games that they established a “deconfliction” group to ensure that they weren’t spying on one another or interfering with the other agents’ missions. And true to NSA form, there’s zero evidence these spy games are worthwhile for counterterrorism purposes. The NSA document describing the efforts to spy on the private communications and activities of gamers does not include even one instance of the programs producing useful information for spies.

And it isn’t just World of Warcraft or Second Life. The NYT report cites anonymous sources who claim the Department of Defense has for years worked secretly with mobile app developers to create games that serve as intelligence collection streams for the NSA. We’ve known for some time that app developers often siphon sensitive information from users, who are kept in the dark about what exactly that free flashlight is doing on their phone. But now we have reason to believe the government is in on the app snooping:

The Pentagon’s Special Operations Command in 2006 and 2007 worked with several foreign companies — including an obscure digital media business based in Prague — to build games that could be downloaded to mobile phones, according to people involved in the effort. They said the games, which were not identified as creations of the Pentagon, were then used as vehicles for intelligence agencies to collect information about the users.

And it wouldn’t be a real spy story if the billion dollar global spy industry didn’t get a piece of the action. Unsurprisingly, war and intelligence contractors took notice of the government’s interest in infiltrating and spying on gaming networks.

Eager to cash in on the government’s growing interest in virtual worlds, several large private contractors have spent years pitching their services to American intelligence agencies. In one 66-page document from 2007, part of the cache released by Mr. Snowden, the contracting giant SAIC promoted its ability to support “intelligence collection in the game space,” and warned that online games could be used by militant groups to recruit followers and could provide “terrorist organizations with a powerful platform to reach core target audiences.”

It is unclear whether SAIC received a contract based on this proposal, but one former SAIC employee said that the company at one point had a lucrative contract with the C.I.A. for work that included monitoring the Internet for militant activity. An SAIC spokeswoman declined to comment.

In spring 2009, academics and defense contractors gathered at the Marriott at Washington Dulles International Airport to present proposals for a government study about how players’ behavior in a game like World of Warcraft might be linked to their real-world identities. “We were told it was highly likely that persons of interest were using virtual spaces to communicate or coordinate,” said Dmitri Williams, a professor at the University of Southern California who received grant money as part of the program.

After the conference, both SAIC and Lockheed Martin won contracts worth several million dollars, administered by an office within the intelligence community that finances research projects.

Did the government get any measurable intelligence benefit from those millions of dollars it gave to private corporations for research into players’ behavior in online games? Not exactly.

It is not clear how useful such research might be. A group at the Palo Alto Research Center, for example, produced a government-funded study of World of Warcraft that found “younger players and male players preferring competitive, hack-and-slash activities, and older and female players preferring noncombat activities,” such as exploring the virtual world. A group from the nonprofit SRI International, meanwhile, found that players under age 18 often used all capital letters both in chat messages and in their avatar names.

Those involved in the project were told little by their government patrons. According to Nick Yee, a Palo Alto researcher who worked on the effort, “We were specifically asked not to speculate on the government’s motivations and goals.”

While it may seem silly that the NSA, FBI and CIA are all up in your virtual world, the fact that the government is investing significant time, money, and energy into unmasking and understanding players is not a game.

Get Involved...

Share ideas or articles.