Brothers in Arms - Human Rights and Electronic Surveillance
UPDATE 20180108 – I AM SHORTLY UPDATING THIS ARTICLE FROM 2016. PLEASE READ IT BEFORE I MAKE THE CHANGES.
These days electronic surveillance, usually warrantless, is a disgraceful abuse of process and most people do not know it’s going on. This post is version 5 of an introduction to IMSI Catchers, what they are and how to deal with them using inexpensive Android Applications freely available from the Google Play Store as well as USD 3000 Cryptophones with Baseband firewalls.
I am still writing it as there is a lot of data…
GSM Call Interception
Not all GSM providers can afford to have ‘land lines’ connecting their antennas on the street with the switching station and the rest of the telephone network. If you have ever seen a GSM base station antenna mast, you might have noticed that some of them have little round ‘dishes’ or ‘beamers’ on the side. These are the directional antennas for the microwave links that provide the connection to the rest of the network.
Over these links, all calls made in the area are transmitted to a point where they are fed into landlines. These links are very vulnerable, because no encryption is used on most of them. An interceptor can tap into the radio signal and listen in to many calls simultaneously.
Commercial equipment for this kind of interception is available on the market at moderate prices. Interception of microwave links is commonly used when targeting a fixed facility, like a competitor’s office building.
Attacks on corporations can be quite effective with this method, since there is often a company standard for the network operator of choice, so just one intercepted microwave link could yield all mobile phone calls taking place in the facility.
Nothing more is required than a very small rooftop antenna in the path or vicinity of the microwave link, a wideband receiver and the appropriate channel demultiplexing and recording equipment. Embassies of foreign countries are known to use microwave link interception from their various premises to stay secretly informed on what is happening in their host country.
Embassies are usually located near the business and government centres, so this kind of interception has the potential to yield substantial information. Since the antenna radiation patterns of the microwave links contain so-called sidelobes, reception of their signals with sensitive receivers is also possible outside the straight line of the link.
The NSA (National Security Agency, the electronic surveillance intelligence agency) is also known to have satellite-based microwave link interception capabilities. Since the directional microwave beam does not stop at the receiving antenna, but travels further on in the original direction, it can be intercepted from space with a satellite placed at the appropriate position.
An IMSI-catcher is a device that can be used to determine the electronic identities of all phones in its vicinity. Most IMSI-catchers also come with the ability to listen in to calls directly. The electronic identity consists of the so-called International Mobile Subscriber Identity (IMSI), which is associated with your SIM card, and the International Mobile Equipment Identifier (IMEI), which is the serial number of your phone.
With the IMSI your calls can be easily identified at any point in the telephone network and targeted for interception and traffic analysis. An IMSI-catcher is frequently used if the attacker does not know the telephone number of the victim or wants to illegally intercept calls.
The IMSI-catcher performs a so-called man-in-the-middle attack, putting itself between you and the network. It is essentially a small GSM base station that forces your phone to use it instead of the real network, determines your IMSI, and can then be used to disable or degrade the GSM encryption mode while relaying your call on to the legitimate network.
This mode of operation allows the attacker to listen in to your calls directly. He can also disable your phone service and intercept or fake SMS messages to and from your phone.
At this moment we know of many different companies producing IMSI-catcher devices, and the list is growing rapidly. For a company manufacturing GSM test equipment, developing IMSI-catchers is a trivial task.
Examples of publicly available IMSI-catcher equipment also include regular laptops that are connected to a small portable ‘femtocell’ base station and running publicly available GSM network simulation software.
Even when IMSI-catchers are used by legitimate law-enforcement agencies, they frequently affect a high number of calls that are not their target. The resulting number of unintended intercepts is called “by-catch” and is frequently used for all sorts of investigations; it is especially popular with tax authorities in some countries.
Telecommunications interception has developed into a major industry in the last decades. Intelligence agencies of all countries routinely try to intercept calls that might yield them political, economic or military information.
Several large intelligence agencies, such as NSA together with GCHQ run global surveillance networks that work like a big hoover, sucking in huge amounts of telecommunication with a vast worldwide system of antennas, special satellites, undersea and land cable taps, backdoors in switching stations and any other means available.
The biggest computer capacities on earth are subsequently used to evaluate the calls, SMS, emails and faxes based on complex sets of criteria, forwarding the ones matching specific criteria to human analysts and database storage.
Today even small countries run their own sprawling listening and monitoring stations. They also try to get access to the big players’ interception capabilities by trading them the access to bases, facilities and interception results. The targets of these listening networks are not very specific.
More and more of the capabilities are being used for economic espionage, but of course also to further the more or less noble intentions of the nation states that paid for them. If you think that these systems are only used in rare cases where national security is at stake, you are wrong.
Telecommunications surveillance has become a fairly routine method for intelligence agencies and governments to stay informed on anyone who is even remotely capable of interfering with political or business interests. A set of agreements between intelligence agencies makes sure that the local provisions that hinder them from listening to their own people are of no consequence. If the NSA wants to listen to a US citizen, it asks the British GCHQ to do the intercept and then puts the results into a shared database used by both agencies.
Other potential listeners work at the various phone companies. All network operators have listening capabilities for the purpose of “network trouble shooting” and “fraud detection”. These capabilities have been used routinely by corrupt phone company employees for their personal gain, selling call data and contents to criminal elements and industry spooks.
Private investigators also routinely and illegally try to get access to calls by a variety of means, for purposes of industrial espionage, business intelligence and economic warfare between competing companies. Large corporations often have their own capabilities for telecommunications interception, especially in high-risk fields such as oil, minerals, fishery, mergers & acquisitions and investment banking, to name just a few.
Law enforcement agencies have in the last years acquired an ever-rising set of capabilities, with ever-shrinking restrictions on their use. In almost all cases of even legitimate lawful interception a significant number of innocent people also got caught in the dragnet of surveillance (so called “by-catch”).
Even where state laws require the innocent people to be notified, this often does not take place. Legal oversight in most countries is poor at best and routinely circumvented using various pretexts. Trusting that law enforcement agencies use interception carefully and only under strictly warranted circumstances is no longer justified. The number of reports about abusive and excessive use of interception without proper cause, and even for minor infractions, is rising substantially.
Intercept systems for law enforcement are often designed in such a way as to make it impossible to perform independent reviews on the usage of the surveillance devices. Even simple statistics on the number of interceptions are routinely held secret. The interception technology for law enforcement is also frequently sold by rather dubious companies.
Almost all of these manufacturers have strong ties to foreign intelligence agencies. Practically all lawful interception products contain remote maintenance facilities, so it must be assumed that they contain backdoors. Such a backdoor is of course an interesting bargaining chip on the international intelligence bazaar.
“Lawful interception” also means a very different thing from country to country. In a dictatorship or some other less than democratic state, it is frequently “lawful” to intercept anyone at will. The technology for interception is available on the open market and is widely deployed even in the poorest areas of the world. It would be naive to assume that the term “lawful interception” somehow automatically means that the interception is performed under even the most basic legal oversight.
First of all, the encryption in GSM is only used to protect the call while it is in the air between the GSM base station and the phone. During its entire route through the telephone network (which may again include wireless links) the call is not protected by encryption anymore.
Secondly, it has been shown over and over again that standard GSM encryption is not good enough to protect your calls. GSM providers claim there is no problem, because a proprietary set of encryption algorithms named A5 is used. They tend to forget to tell you that most varieties of A5 in current use are weak and that experts have proven time and time again that this encryption is far from sufficient against a determined listener.
There are four modes of A5 encryption currently in use:
- A5/0 means no encryption at all. Even in regular network operation this mode is used from time to time because of technical difficulties or outside interference. In certain countries network operators have been forced to switch back to A5/0 in times of “crises”. Being between the GSM network and the phone, the IMSI-catcher can also direct telephones to use A5/0. Some network operators switch to A5/0 to save a little bit of bandwidth in times of high network usage. The GSM specification requires phones to indicate to the user when crypto is set to A5/0, but several phones are known not to comply with this requirement.
- A5/1 is the encryption mode used in Europe and other western countries. It is a bit stronger than A5/2, but can still be broken with moderate resources that are available to any private attacker with sufficient determination.
- A5/2 is the encryption mode used in Australia and several other countries worldwide. It has been broken time and again in real time, on a standard personal computer. See our list of academic papers detailing the vulnerabilities.
- A5/3 is the algorithm that will be introduced for the next generation of networks and phones. It is claimed to be stronger than A5/2, but A5/3, too, has been shown to be broken by leading academic researchers. Plus, of course, even with A5/3 you are still vulnerable to man-in-the-middle attacks like an IMSI-catcher, and your call is still encrypted only in the air, not on the telco network. Over the past few years we have seen mathematical breakthroughs reducing the amount of computer time needed to decode GSM calls. Since the cryptographic algorithms in GSM are currently the most widely used crypto system on earth, they are a very tempting target for cryptographers and mathematicians. GSMK CryptoPhones protect against this kind of interception.
Detecting Call Interception and IMSI Catchers using Android Apps
Identifying Cellular Interception via Selected Android Apps
GSMK CryptoPhones are the only secure telephones on the market that come with full source code published for independent security assessments. They feature the strongest and most secure encryption algorithms available today as well as the longest key lengths available on the global market, thereby offering true strategic security and peace of mind today and in the future. GSMK CryptoPhone secure mobile, fixed-line and satellite phones use latest-generation voice codecs and are fully compatible so that encrypted calls can be made across network borders – mobile to mobile, mobile to fixed-line, fixed-line to satellite, all with seamless interoperability.
All GSMK CryptoPhone secure mobile phones feature voice as well as SMS message encryption. With a 4096-bit Diffie-Hellman key exchange and 256-bit AES and Twofish symmetric encryption, they reliably protect confidential calls and messages without any compromises in usability. Secure international messaging comes standard with special features like self-destructing “Eyes Only” messages.
Mobile Device Security
A truly secure communication device must not only protect its communication links, it must also be able to withstand attacks against the device itself. To achieve this, all GSMK CryptoPhone secure mobile phones are based on a “hardened” operating system with granular security management and streamlined, security-optimized components and communication stacks. The hardened operating system reliably protects the device against outside attacks, thus offering true 360-degree protection when it counts most.
GSMK CryptoPhone secure mobile phones also come with an encrypted storage system for contacts, messages, and keys. Smart folders protect confidential data against unauthorized access should the phone be lost or stolen.
The GSMK CryptoPhone 500i is an Android-based secure mobile phone with 360° mobile device security for secure messaging and voice over IP communication on any network.
The CryptoPhone 500i is a highly secure mobile phone that comes with full source code available for independent review. Finally, you can perform an independent assessment to ensure that you can rely on strong encryption without any backdoors in the communications device that you entrust with your confidential data and telephone calls. The GSMK CryptoPhone 500i enables you to put the trust where it belongs – in a trustworthy, open and scientific verification process.
GSMK CryptoPhone encryption technology is based on strong, well-researched algorithms combined with key lengths that provide peace of mind today and in the future.
The Baseband Firewall protects the microchip in the CryptoPhone that manages the communication with the mobile network, the so-called baseband chip, against attacks. The Baseband Firewall was programmed to recognize certain patterns of phone behavior; it will notify you if it detects too many suspicious events and will then reset the baseband chip to get rid of possible attack malware. It will also detect any attempt to force the CryptoPhone’s baseband to connect to a rogue base station (e.g. a so-called IMSI catcher) by providing manipulated network parameters, and notify you if such a situation occurs.
Note that in certain situations, events will be flagged as suspicious that are due to misconfiguration of the mobile network, can be explained by spotty network coverage, or unusual cell site configurations. The Baseband Firewall is configured to err on the side of caution and rather reset the baseband more frequently than overlook an attack and expose the CryptoPhone to risks. You can configure the Baseband Firewall’s sensitivity, logging and rebooting options directly from the Baseband Firewall screen by pressing the menu button and then selecting “Preferences”. In the Baseband Firewall’s preferences menu you also have the option to send a log file containing all detected suspicious events to GSMK for analysis by email.
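The Baseband Firewall behaviour described above (suspicious events counted against a configurable sensitivity, then a notification and baseband reset), together with the A5/0 indicator from the encryption list and the empty neighbour list shown in the screenshots, can be sketched as a small rule check over serving-cell snapshots. This is an added illustration, not GSMK's code or that of any Android app; the snapshot fields, the thresholds and the sample trace are assumptions constructed for the example.

```python
from dataclasses import dataclass

# One serving-cell snapshot as a detection app might read it from the radio
# layer. Field names are assumptions for this illustration, not a real API.
@dataclass
class CellObs:
    t: int            # seconds since start of the trace
    cipher: str       # reported cipher mode, e.g. "A5/1", "A5/0"
    lac: int          # location area code
    cid: int          # cell id
    neighbours: int   # entries in the neighbour-cell list
    rssi: int         # received signal strength, dBm

SIGNAL_JUMP_DB = 25   # assumed threshold for an abrupt signal increase

def score_events(obs, sensitivity=3):
    """Flag the indicators discussed on the page: A5/0 in use, an empty
    neighbour list, a LAC change while the cell id stays the same, and an
    abrupt signal jump. Returns (events, alarm); alarm is raised once the
    event count reaches `sensitivity`, mirroring a configurable threshold.
    Misconfigured networks or spotty coverage cause the same events, so
    this is a heuristic, not proof of an IMSI catcher."""
    events = []
    prev = None
    for o in obs:
        if o.cipher == "A5/0":
            events.append((o.t, "cipher downgraded to A5/0"))
        if o.neighbours == 0:
            events.append((o.t, "empty neighbour-cell list"))
        if prev is not None:
            if o.lac != prev.lac and o.cid == prev.cid:
                events.append((o.t, "LAC changed while cell id stayed"))
            if o.rssi - prev.rssi >= SIGNAL_JUMP_DB:
                events.append((o.t, "abrupt signal jump"))
        prev = o
    return events, len(events) >= sensitivity

# Constructed trace: two normal snapshots, then a cell that rewrites the
# LAC, advertises no neighbours, is suddenly very strong, and drops crypto.
SAMPLE_TRACE = [
    CellObs(0, "A5/1", 1234, 5678, 6, -85),
    CellObs(10, "A5/1", 1234, 5678, 5, -84),
    CellObs(20, "A5/1", 9999, 5678, 0, -55),
    CellObs(30, "A5/0", 9999, 5678, 0, -54),
]

if __name__ == "__main__":
    found, alarm = score_events(SAMPLE_TRACE)
    for t, reason in found:
        print(f"t={t:>3}s  {reason}")
    print("ALARM: reset baseband" if alarm else "no alarm")
```

Raising `sensitivity` trades fewer false alarms from odd but legitimate cell configurations for a greater chance of overlooking a rogue cell, which is the same trade-off the Baseband Firewall preferences expose.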
No SIM card in the phone, incidentally, but numerous IMSI pagings:-
Cell neighbour list is empty and then has entries, within the space of only a few seconds:-
IMSI Catcher failure – Recording of Intercepted Call
A rare example of an intercepted call between myself and Daljit Gill, whom I assisted with obtaining a judgement for AUD 247,137 in connection with Margaret Cunniffe. It was therefore another call of interest but demonstrates an IMSI catcher failure. I am speaking in real-time and his part of the call repeats twice – they should have dropped the call to avoid this embarrassment!
All part of the re-writing of phone firmware/remote destruction of evidence that I face every day, and people have the audacity to say that I edit calls! I record them for protection otherwise it is so easy to be framed by the construction of my voice from phonemes and the production of entire sentences that I did not even say! People would just not believe this has happened! [insert evidence]
Joseph S R de Saram (JSRDS)