Mobile phones and total surveillance by the NSA: how it works
Thanks to the revelations of former US intelligence officer Edward Snowden, everyone has heard that the National Security Agency (NSA) has total mobile surveillance capabilities. But how exactly this surveillance is set up, few know. In this overview, we have gathered some details about the technology used by the NSA — and not just the NSA.
And, of course, the possibilities for wiretapping have greatly expanded thanks to the development of the mobile app market. Many of them regularly transmit significant amounts of user data to third parties. Thus, it is not necessary to hack into an OS in order to eavesdrop — it is enough to convince the user to install a “useful” mobile app.
But even more possibilities for surveillance were found in the mobile phone networks themselves. Snowden’s files contained a description of the NSA’s spy directory, the Ant Project, which contains solutions for manipulating mobile networks for all occasions. It is not necessary to intercept data through vulnerable software — it is possible to plant bookmarks at the manufacturing stage of communication devices. Here, for example, is a compromised radio module for a phone:
Another option is fake base stations that can be used to intercept a subscriber’s traffic and manipulate the data on their phone:
Or an entire cellular network in one box:
Determining a location using a cellular network is quite approximate. There is a separate hand-held tool for accurately locating a victim in the field:
Of course, the mere existence of such a catalogue of devices does not mean that anyone is already using them for total surveillance. However, following the publication of the catalogue, evidence of practical applications began to emerge.
In September 2014, a suspicious booth was discovered on the roof of the IZD-Tower, opposite the UNO-city complex (Vienna International Centre). The box is enclosed by a sturdy metal fence and monitored by 10 cameras. It is most likely a fake mobile network base station.
Vienna is the third United Nations resident city (after New York and Geneva) and is home to OPEC and OSCE headquarters. It is understandable that the NSA would be interested in a place where dignitaries of most countries gather. And here is the supposed coverage area of this station:
Such base stations can intercept the IMSI (aka IMSI-catcher) and then track the victim’s location via the SS7 network. Once a victim’s IMSI has been tracked, their movements can be tracked around the world until the user changes their SIM card. We’ve already covered more about such attacks here.
Snowden’s documents indicate that the Vienna-Annex station is only part of the global SIGINT tracking network. The list of countries and cities mentioned in these documents can be searched further. Here is a photo of a similar structure found on a rooftop in Rome:
By the way, US intelligence agencies are not limited to fixed tracking systems. They have long used StingRay interceptor stations on special vehicles that can drive up to a given target. And in November, the Wall Street Journal reported that the US Department of Justice was using Cessna planes with fake base stations to intercept user data:
Who is to blame and what to do?
The first thing to note is that, despite the headlines, the technology described is not only available to the intelligence services. In fact, wiretapping of mobile networks and protection against it has become a new high-tech market. And like any market, new, cheaper solutions are constantly emerging.
Popular Science magazine has described how ESD America’s security team is promoting its own development — the Android-based CryptoPhone 500 “highly secure” smartphone. Since there are already several similar products on the market, the developers used an unconventional promotional move. Using their advanced smartphone, they discovered 17 fake base stations across the US that forcibly disable data encryption:
One such wiretap station was found near a major casino in Las Vegas, and several others near US military bases. Who else but the NSA could use such technology? Anyone. However, commercial complexes are expensive — over $100 thousand. However, it is possible to significantly reduce the cost of the solution, if you use free software to create your own base station.
How can you get rid of it? One option already mentioned above is a “secure” smartphone. However, this is not cheap: a CryptoPhone costs $3,500. For that money, the client gets to “close” a number of attack vectors that appeared in our list above. In particular, there’s control of known Android OS vulnerabilities, control of suspicious mobile app activity, and even baseband processor monitoring: this very feature allows you to detect the connection of a fake base station interceptor, something that ordinary smartphones don’t notice.
Defending against fake base stations is more difficult with an ordinary phone, but something can be done. UMTS (G3) networks use mutual authentication of the mobile station to the cellular network and the cellular network to the mobile station. For this reason, one of the signs of a wiretap is a forced switchover from G4 and G3 to the less secure G2 mode. If the user disables the 2G mode in advance, this will make it more difficult for an intruder to intercept the radio airwaves. Some mobile phone models allow you to switch the type of network you are using:
Many Android phones also have a service menu called *#*#4636#*#* where you can select the network type. However, this solution is fraught with increased battery consumption as well as loss of connectivity if there is no 3G network coverage.
Spoofed base stations can intercept any data transmitted over the cellular network — but this requires the subscriber to be physically within range of the base station. A more advanced method of surveillance could therefore be considered SS7 network attacks, which allow the interception of subscriber data, as well as their location, from anywhere in the world. Here too, there are commercial solutions: in a previous post, we talked about the SkyLock system of the American company Verint, which allows you to track any subscribers around the world. How can you prevent eavesdropping in this case? Since attacks are based on legitimate SS7 signalling network messages, crude filtering of these messages can have a negative impact on the entire service. In the experience of Positive Technologies experts, adequate protection against SS7 attacks should be a set of measures on the operator side, including monitoring of SS7 traffic and smart filtering controls that allow blocking only attempted attacks and forcings.