NSA, other security agencies, can reportedly listen in on private cellphone conversations

We've known for a while that the A5/1 encryption used by most carriers is vulnerable to exploitation, especially since they seemed not to care at all about its vulnerabilities, but now it looks like the system has been cracked to the extent that the U.S. National Security Agency (NSA), and presumably other intelligence agencies around the world, can listen in on and read our private conversations and text transmissions. The Washington Post:

The extent of the NSA’s collection of cellphone signals and its use of tools to decode encryption are not clear from a top-secret document provided by former contractor Edward Snowden. But it states that the agency “can process encrypted A5/1” even when the agency has not acquired an encryption key, which unscrambles communications so that they are readable.

Experts say the agency may also be able to decode newer forms of encryption, but only with a much heavier investment in time and computing power, making mass surveillance of cellphone conversations less practical.

A5/1 was originally devised in the 1980s for 2G GSM radio, and while many carriers now provide 3G voice channels, they still fall back to 2G often enough for it to be problematic. WaPo states that 80% of worldwide calls still use the old, or no, encryption. The leaked documents do not provide any information on CDMA network vulnerabilities.

There's no Voice over LTE (VoLTE) yet, but when that technology gets deployed, better encryption should proliferate along with it. A5/3, for example, requires 100,000 times the compute power to attack. AT&T already provides better encryption on 3G, but will be upgrading "parts" of its 2G network to A5/3 as well.

Regardless of how you feel about government surveillance, these exploits never remain solely in the hands of governments, or of people who we would trust with our private conversations, texts, and data. Should the carriers be doing more? Should the manufacturers and service providers be doing more? How important is your privacy?

The Washington Post