How did the NSA and GCHQ eavesdrop?

Source: Internet
Author: User
Keywords: Network security, Lei Feng Network

On February 19, 2015, right around Chinese New Year, the UK's Guardian broke another big story: the U.S. National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) had broken into Gemalto, the world's largest SIM card manufacturer, giving them the ability to tap billions of mobile phone communications worldwide at will.

Within a few days Gemalto had responded twice, the two governments had said nothing, protests had come from all quarters, and the continuing coverage in the overseas press had served up a real blockbuster.

Gemalto said its investigation found no evidence that the SIM cards' core secret keys had been compromised and that its products were secure. The security community did not accept this claim. Many were skeptical, and Dragos Ruiu, founder of the Pwn2Own hacking contest, mocked it on Twitter as burying one's head in the sand (in his words, "go full ostrich, Gemalto").

The event has happened. We have no way of knowing whether the NSA and GCHQ actually used this eavesdropping capability, or exactly what they did with it, but the capability itself can be discussed. How did the NSA and GCHQ pull it off? Are they the only ones who can? That is the subject of this article.

Eavesdropping: first steal, then listen

Tapping a phone's calls, texts and data traffic takes two steps. The first is stealing: capturing the communication signal. The second is listening: undoing the encryption on that signal so that it becomes voice, text and traffic we can understand.

The most convenient way is to monitor the operator's gateway, which covers both steps at once. But that requires formal legal authorization, much like a police search warrant, which cannot simply be obtained. So apart from the authorities concerned, nobody is likely to go this route.

Without the legal paperwork, one can exploit the fact that wireless signals propagate freely through the air: building one's own signal interception equipment is not hard. The technology for intercepting radio signals has been in use since the Second World War and is entirely public; any radio hobbyist can do it today.

What home-built equipment captures, though, is an encrypted signal. Each network generation encrypts differently, and in general the security ordering is LTE > 3G > GSM (the most visible symptom being that a fake base station on GSM can do little more than mass-send spam SMS, because GSM authenticates only the phone to the network, never the network to the phone, whereas 3G and LTE authenticate both ways). At the core, however, all of them rest on symmetric encryption keyed from a single secret: the subscriber key stored in the SIM, called Ki. Ki itself never goes over the air. The network sends a random challenge (RAND) in the clear, and both the SIM and the operator derive the session key from Ki and that challenge: Kc in GSM, CK/IK in 3G, and the key hierarchy of LTE. Whoever holds Ki and captures the RAND can therefore derive the same session key.

Without Ki, the signal cannot be decrypted. Note, however, that domestic GSM networks are said to run with encryption switched off altogether; the specific reason is unknown, but the author has heard this at least several times and considers it fairly credible.
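The two steps above, and why a leaked Ki makes the second one trivial, can be modelled in a few dozen lines. The following is an added example written for this article; it is not code from the original page, from Gemalto, or from the NSA/GCHQ documents. It assumes HMAC-SHA256 as a stand-in for the operator-specific A3/A8 (GSM) and MILENAGE f1 (3G/LTE) functions, and a SHA-256 keystream as a stand-in for the A5 over-the-air cipher; the function names a3a8, a5_xor, umts_f1, Sim, eavesdrop and fake_base_station are the example's own. What matters is the message structure, which matches the real protocols: RAND travels in the clear, the session key Kc is derived from Ki and RAND, and only the USIM flow lets the card check that the network knows Ki.

```python
"""Why a stolen SIM key (Ki) lets a passive radio listener decrypt.

Toy model (added example, not the page's own code). HMAC-SHA256 stands in
for A3/A8 and MILENAGE f1; a SHA-256 keystream stands in for A5.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8: (SRES, Kc) = f(Ki, RAND).

    Real SIMs use an operator-chosen algorithm (COMP128 variants in many GSM
    cards). Output sizes follow GSM: SRES is 32 bits, Kc is 64 bits.
    """
    d = hmac.new(ki, b"A3A8" + rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


def a5_xor(kc: bytes, frame: int, data: bytes) -> bytes:
    """Stand-in for the A5 air cipher: XOR with a keystream from Kc and the
    frame number. Encryption and decryption are the same operation."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            kc + frame.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def umts_f1(ki: bytes, rand: bytes, sqn: int, amf: bytes = b"\x00\x00") -> bytes:
    """Stand-in for MILENAGE f1: MAC-A = f(Ki, SQN, RAND, AMF), 64 bits."""
    msg = b"f1" + rand + sqn.to_bytes(6, "big") + amf
    return hmac.new(ki, msg, hashlib.sha256).digest()[:8]


class Sim:
    """A SIM (GSM) or USIM (3G/LTE) holding Ki; the operator's AuC holds the same Ki."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn_seen = 0  # highest sequence number accepted (USIM replay check)

    def gsm_respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        """GSM answers any RAND: the phone never verifies who sent it."""
        return a3a8(self.ki, rand)

    def umts_respond(self, rand: bytes, sqn: int, mac_a: bytes) -> Optional[Tuple[bytes, bytes]]:
        """3G/LTE: the USIM checks MAC-A (keyed with Ki) and SQN freshness
        before answering, so only a party that knows Ki passes as the network."""
        if sqn <= self.sqn_seen or not hmac.compare_digest(mac_a, umts_f1(self.ki, rand, sqn)):
            return None
        self.sqn_seen = sqn
        return a3a8(self.ki, rand)  # toy: reuse A3/A8 in place of f2/f3 for RES/CK


def eavesdrop(true_ki: bytes, listener_ki: bytes, rand: bytes, plaintext: bytes) -> bytes:
    """A legitimate GSM session as seen by a passive listener.

    Over the air go RAND (cleartext), the frame number and the ciphertext.
    The listener derives Kc from the Ki it holds and decrypts; the original
    plaintext comes back only if listener_ki equals true_ki.
    """
    sim = Sim(true_ki)
    _sres, kc = sim.gsm_respond(rand)           # handset derives Kc
    frame = 0x2A5F1                             # frame counter, also sent in clear
    ciphertext = a5_xor(kc, frame, plaintext)   # what the listener captures
    _, kc_guess = a3a8(listener_ki, rand)       # listener's derivation from captured RAND
    return a5_xor(kc_guess, frame, ciphertext)


def fake_base_station(true_ki: bytes, attacker_ki: Optional[bytes], mode: str) -> bool:
    """Does a rogue base station get the card to complete authentication?"""
    sim = Sim(true_ki)
    rand = os.urandom(16)
    if mode == "gsm":
        return sim.gsm_respond(rand) is not None  # always: GSM never authenticates the network
    if mode != "umts":
        raise ValueError("mode must be 'gsm' or 'umts'")
    key = attacker_ki if attacker_ki is not None else os.urandom(16)  # a guess when Ki is unknown
    return sim.umts_respond(rand, 1, umts_f1(key, rand, 1)) is not None


if __name__ == "__main__":
    KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample subscriber key
    RAND = os.urandom(16)
    print(eavesdrop(KI, KI, RAND, b"hello"))                 # plaintext recovered
    print(eavesdrop(KI, bytes(16), RAND, b"hello"))          # garbage without Ki
    print(fake_base_station(KI, None, "gsm"),                # True: GSM accepts anyone
          fake_base_station(KI, None, "umts"),               # False: MAC-A check fails
          fake_base_station(KI, KI, "umts"))                 # True: stolen Ki forges AUTN
```

Two things to take from the run: a passive listener never has to talk to the phone or the network, since the only secret it lacks is Ki and everything else it needs is broadcast in the clear; and the same stolen Ki also collapses the "LTE > 3G > GSM" ordering for an active attacker, because MAC-A in AUTN is computed with Ki (the rogue station still has to guess an acceptable sequence number, which the model shows by starting at 1).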

Ki: the universal key

The Guardian revealed that the NSA and GCHQ stole the SIM cards' Ki values when they broke into Gemalto. The Intercept also disclosed that the NSA had pursued another route and built up a large key-handling capability: according to a 2009 document it could process 12 million to 22 million keys per second. That figure describes the throughput at which harvested keys were processed, not a brute-force rate; exhausting a 128-bit Ki at 22 million guesses per second would take on the order of 10^23 years, so "cracking" a Ki in practice means exploiting weaknesses in the SIM's algorithm or in how keys are handled, not guessing it.

The first route is the stuff of spy thrillers; only state agencies or top-tier hackers have the capability. The second is the civilian route: beyond the two intelligence agencies, it is also very popular domestically.

Some domestic users, for various purposes, need to crack their cards in order to clone them and carry several numbers on one card, and an important part of that is recovering Ki. Demand is large enough to have spawned forum how-to posts, one-click cracking tools, and paid cracking services on Taobao.

A friend said: for plain SIM cards, China Unicom's can definitely be cracked; China Mobile's issued before October 2009 can definitely be cracked, and later ones are a matter of luck; for upgraded USIM cards there is still no walkthrough. But today's USIM cards are SIM+USIM composite cards, since a pure USIM card cannot be used on a 2G network, so there is still a loophole.

The domestic cracking methods require physical possession of the card and a card reader attached to a computer, so they are of no practical use for eavesdropping. How the NSA did it is unclear; presumably it would have needed the original card, or combined cracking with other means.

The harm: more warning than reality

Back to the original question: how do the NSA and other intelligence agencies eavesdrop on any SIM-equipped phone? Without legal process, they set up listening equipment to intercept the radio signal in the air, then decrypt it with a stolen or cracked Ki.

This is not a perfect method: the listening equipment has limited range, and someone has to carry it to wherever the target is, as the NSA did, for example, before listening in on the phone calls of the German Chancellor and her ministers.

Ordinary people in this country basically need not worry about the NSA stealing their mobile communications. The domestic network environment, however, is a different matter: (GSM) interception equipment, fake base stations and scam calls are what we actually have to worry about, and they are the most worrying of all.
