During the last two years, you could often see Edward Snowden’s name in the news about Information Security. Thanks to the disclosures made by this former contractor of the US Intelligence Agency, all of us now know that the National Security Agency (NSA) possesses the necessary means for the total mobile surveillance of citizens. But we don’t really know much about the way this surveillance is organized. We are going to take a look at some details of the technologies the NSA use. And not only them, by the way.
One of the first news from Snowden was about the erosion of confidence in the cryptography techniques. Within the limits of the NSA Bullrun secret project, they had the capabilities to bypass a lot of encryption systems, not by hacking, but by using markings, that were left intentionally by the NSA request. In some cases vendors were forced to pass encryption keys to the Agency. Thus, a lot of security standards have been discredited despite the fact that they were considered to be safe and were applied in big companies and government organizations.
A short while ago, the media revealed some details of the AuroraGold operation, detailing the limits of which the NSA spied on employees of telecoms by reading their e-mail correspondence and internal documents. By May 2012, the NSA had gathered technical data of 70% of mobile networks around the world. The GSM Association (an International Organization of telecoms) developing recommendations on new communication standards, has also been wiretapped. The goal of the AuroraGold operation is the same as that of the Bullrun project:inject markings or find out about vulnerabilities that would help them to bypass the A5/3 encryption algorithm and other new protection technologies. According to documents from Snowden’s archive, the first attempts of the NSA to hack the G4 were successful in 2010. So, it had happened before the “safe” standard became so widespread.
Another vector of NSA attacks concerns mobile OS and applications. As it turned out, the Intelligence Agency has access to plenty of data on smartphones, such as contacts, phone calls, SMS and GPS data. The NSA gathered hacker teams and each of them worked on hacking one of the popular OS. It is emphasized in one of the publications of the Spiegel German magazine that the Blackberry OS has been the first one to be hacked, though it was traditionally considered to be safer than iOS and the Android platform.
The wiretapping capabilities enhanced significantly thanks to the development of the Mobile Applications Market. Many of them regularly pass a lot of user data to third parties. Thus, it’s not really necessary to hack an OS, as it’s enough to persuade a user to install a “useful” mobile application.
But they got even more capabilities for surveillance in mobile connection networks. Snowden’s documents revealed the description of the NSA spy catalogue – the Ant project. It has solutions for all occasions to manipulate mobile networks. It is not necessary to intercept data via the vulnerable software. It’s enough to set markings at the development stage of communication devices. Here’s the compromised radio-module for a cell phone:
They also use fake base stations that help them to intercept user’s traffic and manipulate the data on his cell phone:
Or an entire cell network in one box:
There’s also a spectral analyzer on the basis of Motorola L9 cell phone that allows recording the radio spectrum for further analyzing:
It is possible to quite approximately determine the location with the help of a mobile network. To perform the exact search of a victim, there’s a portable tool:
The fact that such catalogue exists does not mean that someone uses it for the mass surveillance. But after the catalogue was published, there suddenly appeared evidences of the practical use.
In September 2014, a suspicious hut was detected on the roof of the IZD-Tower, opposite the UNO-city (the Vienna International Centre). The hut was rounded by a solid metal fence, and there were 10 surveillance cameras around it. Most likely, it’s a fake base station of a mobile network.
Vienna is the third UNO-city (after New York and Geneva). The OPEC and OSCE headquarters are also located there. It’s quite obvious why the NSA is so interested in the place where top-level officials of many countries come to. Here’s the assumed coverage area of the given station:
Such base stations can intercept the IMSI (the so-called IMSI-catcher), and then monitor a victim’s location via the ES7 network. Having traced the victim’s IMSI once, they can trace its moves around the world till the user changes the SIM card (we are going to talk about such attacks in our next article).
Snowden’s documents tell us that the station in Vienna (Vienna-Annex) is just a part of the global SIGINT surveillance network. We can search by the list of countries and cities mentioned in these documents. Take a look at the picture of a similar construction found at a roof in Rome:
By the way, the Intelligence Agencies do not restrict themselves to stationary surveillance systems. They also use StingRay intercepting stations placed on special cars that can come close to the target. In November, the Wall Street Journal announced that the Department of Justice uses Cessna airplanes with fake base stations to intercept users data:
Whose Fault is This and What Can We Do About It?
First of all, we should note that despite the eye-catching newspaper headlines, the described technologies are available not only to the Intelligence Agency. Actually, the wiretapping of mobile networks and the protection from it became a new high-tech market. As at any market, there constantly appear new cheaper solutions.
An article from Popular Science magazine told us in August 2014 how a team of security experts of ESD America promotes their own development — a highly protected CryptoPhone 500 smartphone on the basis of Android. Since the market has a few similar products, developers have used an interesting promotion. Using their advanced smartphone, they detected 17 fake base stations at the territory of the USA that turn off the data encryption:
One of such wiretapping stations has been found near a big casino in Las Vegas and a few more near the USA military bases. Who else can use such equipment, besides the NSA? Anyone. To tell the truth, commercial are a bit too expensive – they cost more than $100,000. But one can cheapen the cost significantly by using free software for creating his own base station.
How can we protect ourselves from it? One of the mentioned variants is the “protected” smartphone. But it isn’t cheap at all. The CryptoPhone costs $3,500. The client will get “shutdowns” of series of attack vectors mentioned in our list. In particular, it provides the control over popular vulnerabilities of the Android OS, controls suspicious activities of mobile applications, and even baseband-processor monitoring – this feature specifically allows detecting the connection of a fake base of a wiretapper, which can not be done by regular smartphones.
It’s more difficult to protect ourselves when we use a regular phone. Still, there are some things we can do about it. UMTS (G3) networks use the mutual authentication of a mobile station in a cellular network, and a cellular network in a mobile station. That's why one of the indications of wiretapping is the forceful switching from G4 and G3 modes to the less safer G2. If a user turns off the 2G mode beforehand, this will complicate the attacker’s task to intercept the radio air. Some mobile phone models allow changing the network type being used:
A lot of phones on the basis of Android platform have a service menu invoked by the *#*#4636#*#* command, in which we can choose the network type. It’s worth saying that this solution can lead to heavy battery consumption and loss of connection in case if 3G network coverage is not available.
Fake base stations allow to intercept any data being passed across the cellular network, but the physical presence of a user is required in the coverage area of a fake station. That’s why attacking S7 Network is considered to be a more advanced surveillance method. It enables the interceptions of user’s data, as well as his location, from any spot of the Earth. There are also commercial solutions. One of them is SkyLock, a tracking system sold by Verint, which can track any device in the world.
How can we prevent the wiretapping in this case? Since attacks are based on legitimate messages of the ES7 signal system, rough filtration of these messages can have a negative affect on the entire service. According to the Positive Technologies experts’ experience, the adequate protection from attacks on SS7 should represent a series of actions on the operator’s side, including the ES7 traffic monitoring and the “smart” filtration control, which blocks attacks and fraud attempts only.