Mobile phones and total NSA surveillance: how it works

The name of Edward Snowden regularly flashes in the news on the topic of information security over the past two years. Thanks to the revelations of this former US intelligence officer, everyone has already heard that the National Security Agency (NSA) has the power of total mobile surveillance of citizens. But how exactly this surveillance is arranged, few people know. In this review, we have gathered some details about the technologies used by the NSA - and not only that.

One of the first unpleasant news from Snowden concerned the erosion of trust in cryptographic technology . Within the framework of a secret NSA project called Bullrun , the possibility of circumventing many encryption systems was obtained - but not at the expense of hacking, but at the expense of operating bookmarks specially left by manufacturers at the request of the NSA. In some cases, vendors were simply obliged to hand over encryption keys to the agency. Thus, many safety standards that were considered reliable and used in large business and government organizations were discredited .
')


Just recently, the development of this story appeared in the media - some details of the AuroraGold operation, within the framework of which the NSA monitored the telecom employees, reading their electronic correspondence and internal documents. Already in May 2012, the NSA thus collected technical data on 70% of the mobile networks around the world. The GSM Association, the international organization of telecoms, where recommendations for new communication standards are being developed, was also tapped. The goal of AuroraGold’s operation is the same as that of the Bullrun project: to introduce bookmarks or learn about vulnerabilities that will help circumvent the A5 / 3 encryption algorithm and other new protection technologies. Judging by the documents from the Snowden archive, the first attempts to hack the G4 succeeded to the NSA agency back in 2010 — that is, before this “safe” standard was widely distributed.

Another vector of NSA attacks is mobile OS and applications . As it turned out, the special service has access to a lot of data on smartphones: lists of contacts and calls of subscribers, as well as their SMS and GPS data. To do this, the NSA gathered teams of hackers, each of which was engaged in hacking one of the popular OS. The publication of the German magazine Spiegel emphasizes that the Blackberry operating system was one of the first hacked, although traditionally it was considered more secure than iOS and Android.



And of course, the opportunities for wiretapping have significantly expanded due to the development of the mobile application market. Many of them regularly transfer a significant amount of user data to third parties. Thus, for eavesdropping, it is not necessary to hack the OS - it is enough to convince the user to install a “useful” mobile application.

But even more possibilities for surveillance were found in the mobile communication networks themselves. In the documents of Snowden there was a description of the NSA spy directory - the Ant project , which has solutions for manipulating mobile networks for all occasions. It is not necessary to intercept data through vulnerable software - you can set bookmarks at the manufacturing stage of communication devices. For example, a compromised radio module for a telephone:



Another option is fake base stations with which you can intercept subscriber traffic and manipulate data on his phone:



Or the whole cellular network in one box:



There is also a spectrum analyzer based on the Motorola L9 mobile phone, which allows you to record a radio spectrum for further analysis:



Determining a location using a cellular network is approximate. To accurately locate the victim, there is a separate portable tool on site:



Of course, the mere existence of such a device catalog does not mean that someone already uses them for total surveillance. However, following the publication of the catalog, evidence of practical application began to appear.

In September 2014, a suspicious roof booth was discovered on the IZD-Tower, opposite the UNO-city complex (Vienna International Center). The booth is fenced with a solid metal fence, under the supervision of 10 cameras. Most likely, this is a fake base station mobile network.



Vienna is the third city-residence of the United Nations (after New York and Geneva), the headquarters of OPEC and the OSCE are located there. The interest of the NSA to the place where high-ranking officials of most countries gather is quite understandable. But the estimated coverage of this station:



Such base stations can intercept the IMSI (the so-called IMSI-catcher) and then track the victim’s location via the SS7 network. Once you have tracked the victim's IMSI, you can track its movement around the world until the user changes the SIM card. More about these attacks, we have already told here .

Snowden documents show that the Vienna Station (Annex Vienna) is only part of the global tracking network SIGINT . It is already possible to search further on the list of countries and cities mentioned in these documents. Here is a photo of a similar structure found on the roof in Rome:



By the way, US intelligence agencies are not limited to stationary tracking systems. They have long been using StingRay interceptor stations on special vehicles that can drive up to a given target. And in November, the Wall Street Journal reported that the US Department of Justice was using Cessna airplanes with fake base stations to intercept user data:

Who is to blame and what to do?

First of all, it should be noted that despite the loud headlines of the newspapers, the described technologies are now available not only to special services. In fact, wiretapping of mobile networks and protection from it have become a new high-tech market. And as in any market, new, cheaper solutions are constantly appearing here.

In August 2014, Popular Science magazine spoke about how the ESD America security team is promoting its own development, the “specially protected” CryptoPhone 500 Android-based smartphone. Since there are already several similar products on the market, the developers used an unofficial advertising move. With the help of their advanced smartphone, they found 17 fake base stations in the United States that forcefully disable data encryption:



One such wiretapping station was found near a large casino in Las Vegas, a few more - near US military bases. Who, except the NSA, can use this technique? Yes, anyone. True, commercial complexes are expensive - more than $ 100 thousand. However, you can significantly reduce the price of a solution if you use free software to create your own base station.

How to escape from this? One of the options already mentioned above - "protected" smartphone. However, the pleasure is not cheap: CryptoPhone costs $ 3,500. For this money, the client receives a "closure" of a number of attack vectors that appeared higher on our list. In particular, there is control of known vulnerabilities of Android OS, control of suspicious activity of mobile applications, and even baseband processor monitoring: it is this feature that allows you to determine the connection of a fake base interceptor station, which is not noticed by ordinary smartphones.

It is more difficult to protect yourself from fake base stations with a regular phone, but you can still do something. UMTS (G3) networks use mutual authentication of a mobile station in a cellular network, and a cellular network in a mobile station. Therefore, one of the signs of wiretapping is forced switching from the G4 and G3 modes to the less safe G2 mode. If the user disables 2G mode in advance, this will make it more difficult for an attacker to intercept a radio broadcast. Some mobile phone models allow you to switch the type of network used:



Also, many Android-based phones have a service menu, called by the * # * # 4636 # # # command, where you can select the type of network. However, such a decision is fraught with increased battery consumption, as well as loss of communication in the absence of 3G network coverage.



Fake base stations allow you to intercept any data transmitted over the cellular network - but this requires the physical presence of the subscriber in the coverage area of ​​the base station. Therefore, a more advanced method of surveillance can be considered attacks on the SS7 network , allowing you to intercept subscriber data, as well as its location, from anywhere in the world. It also has its own commercial solutions: in one of the past posts we talked about the SkyLock system of the American company Verint, which allows you to track any subscribers around the world.

How can you prevent wiretapping in this case? Since the attacks are based on legitimate messages from the SS7 signaling network, coarse filtering of these messages can have a negative impact on the entire service. According to the experience of experts of Positive Technologies, adequate protection against attacks on SS7 should be a set of measures on the operator’s side, including monitoring of SS7 traffic and “smart” filtering control, which allows blocking only attempts of attacks and fraud. More information about how this is implemented on the basis of our products can be found in the article “ Security of mobile communication networks based on SS7 ”.