Wireless carrier T-Mobile US has been quietly upgrading its network in a way that makes it harder for surveillance equipment to eavesdrop on calls and monitor texts, even on the company’s legacy system.
The upgrade involves switching to a new encryption standard, called A5/3, that is harder to crack than older forms of encryption. Testing by The Washington Post has found T-Mobile networks using A5/3 in New York, Washington and Boulder, Colorado, instead of the older A5/1 that long has been standard for second-generation (2G) GSM networks in the United States. More advanced technologies, such as 3G and 4G, already use stronger encryption.
T-Mobile, the fourth-largest wireless carrier in the United States, declined to describe the extent of its network upgrades, saying in a statement, “T-Mobile is continuously implementing advanced security technologies in accordance with worldwide recognized and trusted standards.”
Deutsche Telekom, the majority shareholder of T-Mobile, last year announced plans to make A5/3 standard on all of its 2G networks in Germany. That came after news reports, based on documents provided by former National Security Agency contractor Edward Snowden, that the NSA was eavesdropping on phone calls by German Chancellor Angela Merkel, causing massive backlash in Germany. (The Post reported in December that the NSA can decode texts and conversations using A5/1 encryption.)
In places where T-Mobile is using A5/3 encryption, mass surveillance becomes more difficult because equipment that passively collects cellular signals from the air often cannot decode calls. Active attacks, involving a device called an “IMSI catcher,” may still be able to eavesdrop on individual calls by manipulating a phone’s security settings directly, without having to crack the encryption.
AT&T, the largest provider of GSM cell phone services in the country, said last year that it was deploying A5/3 encryption for parts of its network. “AT&T always protects its customers with the best encryption possible in line with what their device will support,” the company said in a statement.
Tests by the Post in New York, Washington, and Boulder, Colorado showed that AT&T calls used the older A5/1 encryption, making them more vulnerable to interception by law enforcement officials or criminals with access to advanced surveillance technology. The tests were performed using a custom application called Darshakwhich was released at the Black Hat security conference in August.
AT&T plans to shut down its 2G network in 2017, replacing it with newer, more secure technology. Nationwide, an estimated 13 percent of cellular connections used 2G technology in 2013, and that percentage is expected to fall to 7.2 percent by 2018, according to Cisco, a leading manufacturer of telecommunications network equipment. Internationally, 2G calls are much more prevalent, making up 68.4% of the market in 2013.
By Ashkan Soltani and Craig Timberg