Catchers And The Spies

[Above: An excerpt from the Garda Síochána Ombudsman Commission's briefing note to Justice Minister Alan Shatter, before he spoke in the Dáil on Tuesday, in relation to the alleged bugging of GSOC's office. Top: GSOC HQ in Dublin. Middle: Dr Richard Tynan]

The third ‘threat’ to security at the Garda Ombudsman’s office revealed the presence of a UK mobile network in the vicinity.

What’s that all about?

Surveillance expert Dr Richard Tynan, of Privacy International, writes:

A misconfigured base station hastily rolled out by an Irish mobile operator could have caused this. However, if one of the Irish mobile telcos deployed such a misconfigured device then one would hope the firm would have come forward by now.

Yet, no one has. The only remaining possibility, then, is that a device used to conduct surveillance was intentionally deployed that purported to be a legitimate mobile phone tower. In surveillance circles, such a device is called an IMSI Catcher (aka IMSI Grabber or Stingray).

IMSI Catchers are used by authorities around the world to put large groups of people under indiscriminate mass surveillance via their mobile phone. IMSI Catchers started off infiltrating GSM networks with only one goal: to capture the unique SIM card number that identifies the user, called the International Mobile Subscriber Identity (IMSI) – hence the name IMSI Catcher.

When the IMSI Catcher is turned on, it signals to all nearby devices that it is a legitimate part of the mobile communications network, even though it isn’t. The IMSIs of the mobile phones are voluntarily surrendered by the mobile phone when it connects to the tower. By having the strongest signal or manipulating certain parameters, an IMSI Catcher entices all phones to connect to it and thereby gets the unique identifier for every individual in an area. This works remarkably well in protests and public demonstrations and events, as was reported by the people of Ukraine recently during their protests.

However, in the last 10-15 years as the use of IMSI Catchers has likely grown, they have evolved to include much more sophisticated capabilities. Nowadays, they can:

- Force phones to stop using encryption (A5/1) and move to unencrypted channels (A5/0) to allow for easier interception;
- Jam the 3G spectrum so phones would default back to 2G where interception could occur;
- Get an accurate location of every individual within its reach of around 1km;
- Deny service to one or all users;
- Intercept the content of calls, text messages and data;
- And reportedly alter messages in transit.

Nowadays, full 3G IMSI Catchers are the pride of many surveillance companies attending government-sponsored trade shows to sell their wares to any interested agency. Companies such as CellXion, Forensic Telecommunications Services, and Gamma International provide such products. Not only have the capabilities improved but the devices have shrunk to the size of a large mobile phone and cost around €250-€500.

However, if you prefer to get your hands dirty, you can build one for yourself using a Software Defined Radio and free software called OpenBTS. You can also put together a full GSM call, text and data interception device (even where the target’s data is encrypted) using a €10 phone, free software from Osmocom and a laptop running open source software. The legality of doing this, however, will vary by jurisdiction.

Given the number of mobile network operators and handsets in a given area, IMSI Catchers need to operate as multiple fake towers simultaneously to harvest as much data as possible in a short amount of time. Some report a rate of 1200 IMSIs per minute across 5 networks while others boast simultaneous voice intercepts as featured on the Surveillance Industry Index. Often it will operate by purporting to be many towers from the same network provider thereby reducing the time it takes to get all the IMSIs from users on a popular network.

Each fake tower will emit a signal containing numbers to tell a mobile phone how to talk to it when it wants to make a call or send a text, or information on how to register with it so the tower can contact it when an incoming call or text arrives. Specifically, the tower will send a country code and an operator code to the handset. In normal circumstances, this allows phones to stay connected to their operators’ towers and not to start roaming in border areas if another native tower is present.

It is these values that were problematic in the GSOC case. Irish towers should not be identifying themselves as being in the UK or offering the service of a UK network provider. The mobile phone of a UK visitor to GSOC would have spotted its native tower and connected to it. Depending on the model of IMSI Catcher used, full intercept of all data to and from that handset would then be possible.

It is interesting to note that the fake UK network was the only one detected by Verrimus. However, given that IMSI Catchers operate multiple fake towers simultaneously, it is highly likely that one or more Irish networks were also being intercepted. Very often a misconfiguration, such as an incorrect country code, is the only evidence available of an IMSI Catcher being deployed when forensic tools are not being used to look for one. This recently occurred around the Ecuadorian Embassy in London where base stations from a Ugandan telco were mysteriously popping up.

It is remarkable that this type of invasive and mass interception is so easily done over Ireland’s critical infrastructure, which is relied upon by citizens in their daily lives. Given the utility and ubiquity of modern cell phones, from mobile commerce, personal and business communications, to emergency phone calls, the threat this type of surveillance poses to the security and privacy of citizens cannot be understated.

Despite the public’s reliance on these devices, the vulnerabilities exploited by IMSI Catchers are encouraged by security services, such as the NSA and GCHQ, to facilitate their offensive surveillance campaigns, as revealed by Edward Snowden. However, vulnerabilities in a global standard, such as GSM, expose every user to potential harm from a huge range of malicious actors. It is ironic that citizens who entrust the security services to protect them are rendered vulnerable by the conduct of these very same agencies.

At this point, it would seem to be appropriate for the Garda Síochána to review the evidence that Verrimus have obtained, release some of the technical evidence of the surveillance, and determine if fake Irish towers were active alongside the fake UK tower. Critically, they must determine if the private communications of Irish citizens were unlawfully intercepted. Additionally, this case highlights the desperate need for a wholesale review of how IMSI Catchers are used and regulated in Ireland and around the world. We fear that this will be the first of many stories about their abuse.

Dr Richard Tynan is a research officer on the Global Surveillance Monitor project, with a specific focus on the area of surveillance technologies. He focuses on wired and wireless surveillance mechanisms and the strategies employed by cyber-criminals to harvest valuable private information from a wide range of ubiquitous devices such as cell phones and personal computers. Richard holds a first class honours BSc (Hons) degree and a PhD in Distributed Artificial Intelligence for Embedded Sensor Networks from University College Dublin, and has also completed a Graduate Diploma in Law.

Beirtear na IMSIs: Ireland’s GSOC surveillance inquiry reveals use of mobile phone interception systems (Dr Richard Tynan, Privacy International)
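
The article's point that a wrong country code can be the only visible sign of a fake tower can be turned into a simple survey check. The following is an added example, not part of Dr Tynan's article or of any tool named in it: it decodes the Location Area Identification a GSM cell broadcasts (BCD layout from 3GPP TS 24.008) and flags cells whose country code does not match the survey location. The scan rows, operator codes and function names are constructed for illustration.

```python
# Added example: flag broadcast cells whose country code (MCC) is unexpected.
EXPECTED_MCCS = {"272"}  # MCC assigned to Ireland; the UK uses 234/235

# Constructed sample scan: (ARFCN, signal in dBm, 5-octet LAI as hex).
SAMPLE_SCAN = [
    (17, -71, "72f2100a2c"),  # MCC 272, MNC 01 (constructed)
    (42, -83, "72f2300111"),  # MCC 272, MNC 03 (constructed)
    (63, -48, "32f4010539"),  # MCC 234, MNC 10 (constructed UK cell)
]


def decode_lai(lai: bytes):
    """Decode a 5-octet LAI into (mcc, mnc, lac).

    Octet 1: MCC digit 2 | MCC digit 1
    Octet 2: MNC digit 3 (0xF if the MNC has two digits) | MCC digit 3
    Octet 3: MNC digit 2 | MNC digit 1
    Octets 4-5: Location Area Code, big-endian
    """
    if len(lai) != 5:
        raise ValueError("LAI must be exactly 5 octets")
    digits = [lai[0] & 0x0F, lai[0] >> 4, lai[1] & 0x0F,
              lai[2] & 0x0F, lai[2] >> 4]
    mnc3 = lai[1] >> 4
    if mnc3 != 0xF:
        digits.append(mnc3)
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal BCD digit in LAI")
    mcc = "".join(map(str, digits[:3]))
    mnc = "".join(map(str, digits[3:]))
    return mcc, mnc, int.from_bytes(lai[3:5], "big")


def foreign_cells(scan, expected_mccs):
    """Return cells announcing an unexpected MCC, strongest signal first."""
    findings = []
    for arfcn, dbm, lai_hex in scan:
        mcc, mnc, lac = decode_lai(bytes.fromhex(lai_hex))
        if mcc not in expected_mccs:
            findings.append({"arfcn": arfcn, "plmn": f"{mcc}-{mnc}",
                             "lac": lac, "dbm": dbm})
    return sorted(findings, key=lambda f: f["dbm"], reverse=True)


if __name__ == "__main__":
    for cell in foreign_cells(SAMPLE_SCAN, EXPECTED_MCCS):
        print("unexpected country code:", cell)
```

A hit is a lead to investigate rather than proof: as the article notes, foreign networks are legitimately visible in border areas, so signal strength and distance from the border matter when weighing a finding.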

35 thoughts on “Catchers And The Spies”

        1. Stash

          Yes, but to use a Femto cell, the IMSI for your particular phone would need to be registered in an xml on the device itself. This would normally be configured by the network provider, but could be manually hacked if you know what you’re doing.

          It would be difficult for an outfit like Threat 3 not to be able to spot the difference between an IMSI catcher and a femtocell. Which would only have a maximum signal radius of around 10-15m compared to 300m for the example of the Neosoft NS-17-2.

  1. Seamus Obair GnuisLeabhair

    Exactly me own thoughts on the matter.
    Some-one trying to keep their local UK mobile plan whilst in Dublin.

    Quite a bit of it about.
    Working for a nameless mobile company last year I noted UK signals in Kildare and Wexford a far throw from any security surveillance watch dog.

      1. Seamus Obair GnuisLeabhair

        Sometimes there is a simple explanation – But where’s the enquiry in that?

        Outrage ensues…..

        1. well

          “Some-one trying to keep their local UK mobile plan whilst in Dublin.”

          Please explain how you think this would work

          1. Stash

            Technically as long as the femtocell doesn’t have any GPS capability which a network operator can use to track its location, or if they aren’t tracking detection of foreign 3g signals through the device, you could use a site to site VPN connection between the UK and Ireland.

            It’s a bit of effort to go to and relies on the network operator not doing anything to detect and stop you. It is certainly against the terms & conditions of the Vodafone offering.

          2. Stash

            But to clarify the above – the company doing the sweep would have easily recognised it as a femtocell and not an IMSI catcher.

            For argument’s sake, given the location on Abbey Street, if it was a residential femtocell in use and they didn’t recognise it as such, it would have to have been in one of the Jervis Place apartments as the signal of those devices is so limited. It limits the options to a very small number of flats – which doesn’t rule it out but makes the odds less likely that it was as suggested.

  2. Panty Christ

    This IMSI thing will be the barb they can’t remove *puts microwave popcorn in the microwave and hides under the stairs with tinfoil hat on*

  3. dave g k

    I wish people like this who know what they’re talking about would stay out of our business. Our Minister for Justice and Tánaiste have already told us that there definitely wasn’t any evidence of surveillance and that this wasn’t done by the Gardaí.

    1. David Roe

      Exactly, after reading this article I now find myself better informed. How can we expect our Masters to confuse and frighten us when people like this keep contradicting what they say?

    1. Stash

      If you have an Irish mobile account, then no it isn’t. Unless somehow all other legitimate Irish network signals disappeared, your phone wouldn’t connect to a foreign signal, unless you specifically requested it.

      Specifically, the tower will send a country code and an operator code to the handset. In normal circumstances, this allows phones to stay connected to their operators’ towers and not to start roaming in border areas if another native tower is present.

      As explained in the article.

  4. dhaughton99

    I’ll now be spending my weekend trying to build one of these with OpenBTS. Thanks BS

    I’ll let you know how I get on or contact you on Monday for bail money.

  5. Mark

    A base station has a range of 1km. Dublin Castle is across the river – maybe GSOC wasn’t even the target.

    1. Stash

      A base station yes, a mobile IMSI catcher has a more limited range than that.

      I would assume that with the lack of any evidence on where this was based, if it truly was in the area, you would have to look at what else may be “of interest” in the vicinity to determine the probability of it being targeted at the GSOC.

      But you’d also take into account the other findings of their sweep and the suggestion that the landline also seemed to be under surveillance. Given multiple positive findings, the likelihood of any mobile interception in the area being targeted at the GSOC would increase.

  6. Zynks (I One Eye Institute)

    This has probably been already dismissed as the cause (and it may have changed recently), but: 3 in Ireland don’t have a core network, they use their UK core (unless it has changed since last I checked, all calls on 3 network cross the Irish sea). Since they have free roaming between ‘sister’ networks, they could easily bring a base station from the UK and forget to adjust it, with little impact on the operations. Isn’t that as plausible as this ultra-sophisticated IMSI spying system with a wrong network on its configuration?

    1. Neil

      “if one of the Irish mobile telcos deployed such a misconfigured device then one would hope the firm would have come forward by now.” Not if it were 3, they’re idiots.

  7. marti_gibney@hotmail.com

    Is there not a GSM solution center almost across the road from GSOC which may be using similar equipment in the purpose of repairing devices or some other reason? I find it strange that this shop has not been mentioned as even a remote possibility as being a genuine reason why this signal may have been emitting from the area, especially since it is practically across the road…. ???

  8. jays

    couldn’t track down the call could they? i bet if it was shatter asking they could.

    http://www.irelandip.com/2011/02/articles/privacy-1/president-signs-communications-retention-of-data-act-2011-into-law/

    “The Act requires telephone service providers to retain telephone data for two years, and internet data to be retained by internet service providers for 12 months. Telephone data was previously retained for three years pursuant to Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 (which the Act repeals). Internet data was not previously required by law to be monitored or retained. “

  9. Ron

    Reminds me of this classic simpsons :)

    Mark McGwire: Young Bart here is right. We are spying on you, pretty much around the clock.
    Bart: But why, Mr McGwire?
    Mark McGwire: Do you want to know the terrifying truth, or do you want to see me sock a few dingers?
    Crowd: Dingers! Dingers!

  10. Ron

    and the little snippet at the end of RTE news this evening regarding HSE press release that 5 hospitals have confirmed they are not in line with paycap is just the deflection this government needs.. this is the new story people :)

  11. aretheymyfeet

    Amazed at the amount of people here who do not seem concerned by the possibility our Garda Ombudsman was being bugged, where the obvious prime suspect is the Gardai. Three possible threats where one had a chance of almost zero of being innocent. Bizarre. You’d swear The Du Plantier case, McBreartys, The Heavy Gang, Kieran Boylan, The points quashing etc.. never happened. If it walks like a duck and talks like a duck, it’s unlikely to be a horse. Why are the Gardai so unwilling to be open and transparent with GSOC??

    1. Matty Beattie

      Threat 1: WiFi transmitter communicating with an easily hacked outside LAN. In a building that does not have a WiFi network for God’s sake!
      Threat 2: Dedicated line conference phone rings at 1:00am after an oscillator test.
      Threat 3: Fake mobile phone network set up near the building to intercept calls.

      Idiots still think that all these threats do not add up to surveillance!!!

      If the Gardai done it, Shatter knew about it.

      Why do you think they have tried to kill it from the start.

      The whole thing stinks to high heaven in my opinion.
