Passively 'Sniffing' Data How Mobile Network Spying Works

British intelligence agency GCHQ has been targeting mobile phone company networks. Telecoms security expert Philippe Langlois explains what they can find this way, and how users can protect themselves from such snooping.
British intelligence has allegedly been tapping into data from mobile phone companies.

British intelligence has allegedly been tapping into data from mobile phone companies.


SPIEGEL ONLINE: The British intelligence agency GCHQ is hacking into the networks  of mobile phone companies operating so-called GRX routers. What are these networks and why are they an attractive target?

Philippe Langlois: These are the "roaming tubes" of the worldwide mobile system. You can basically track every user in the world who is roaming with their smartphone. When roaming, all the Internet  surfing and accesses to corporate networks go through these exchanges, and can be eavesdropped on by passively "sniffing" all data, all web pages and all emails.

SPIEGEL ONLINE: Is it possible to defend against that kind of snooping?

Langlois: Basic security such as encrypted web pages (https), encrypted email (PGP) or encrypted chat (Jabber OTR) will prevent such interception. In that sense, the GRX is not different from a traditional Internet Service Provider. If you're using safe Internet best practice there, you can protect your communication secrecy, but you cannot protect your location.

SPIEGEL ONLINE: Can one track a user this way only while he's roaming with his handset? Or does the GRX hacking allow tracking even when the targets are in their home country?

Langlois: By listening passively to a GRX network, one can know where any user is roaming with a coarse location granularity: i.e. their city or region. But GRX also enables making requests that can basically target any subscriber, not only those that are roaming. Though this is an advanced security attack.

SPIEGEL ONLINE: Could this kind of access also be used to implant spying software directly on someone's phone?

Langlois: If you control what goes into these "roaming tubes," if you can see what people surf, you can probably also change that. And if you can change the content, you can possibly suggest some application to the user through a trusted content provider. By doing that, you may compromise his handset, and implant hidden software features such as GPS location acquisition, covertly taking pictures or even video, listening to calls and even ambient conversation when the phone is in "sleep mode." Some companies such as Gamma have provided this kind of software to many different governments and regimes.

SPIEGEL ONLINE: Does access to a GRX network also allow access to other, local mobile networks from there?

Langlois: A GRX network is called a "walled garden." The theory is that only "nice people" are on the network, that is, only clean telecom mobile operators. That was the theory, so the mobile operators didn't really protect themselves against other operators on the GRX network. The user traffic, which is potentially harmful to operators, is neatly encapsulated into the "roaming tubes," preventing users from reaching the infrastructure of the GRX network itself. But operators themselves can do that. And therefore, anyone having compromised one operator or the GRX network can attack other mobile operators with a much better chance to compromise them than by attacking through, say, Internet access. The unknown, dark, insider-only networks are always less secure than the ones which are heavily exposed and attacked, and thus more protected.

SPIEGEL ONLINE: According to material from whistleblower and former National Security Agency contractor Edward Snowden , GCHQ is also attacking the networks of billing clearinghouses like MACH. How could a secret service benefit from accessing the networks of such companies?

Langlois: The billing clearinghouses get a very particular kind of data: the call detail records (CDRs). These add up to make bills for all users. This way, mobile operators know who owes them what. But this data can also be used by intelligence agencies to know who calls whom, when, and for how long. CDRs don't have the content of the call, just caller number, called number, duration, sometimes even caller location, etc. In intelligence jargon, that's called "traffic analysis," and it's way faster than listening to conversations from a user. That's the main tool that police forces use to gain insight into the extent of criminal rings, for example. But it's also very useful to perform counter-insurgency work by tracking who calls whom to a rally, or to know who calls the political leader of one party or another.

SPIEGEL ONLINE: Could access to billing house networks be used to gain access to actual mobile networks from there?

Langlois: Billing clearinghouses have the same "walled garden" pattern. You don't expect to be hacked by your accountant. Here, it is similar: You may fear the Russian mafia on the Internet, but not the service that generates the biggest part of your revenues. Therefore, mobile operators are not protected enough on these networks, and can be compromised this way.

SPIEGEL ONLINE: One GCHQ document says that the intelligence service would like to be able to implant software on any device based "just on the MSISDN," or the phone number. Do you think that's feasible, given what we know about the current capabilities of the GCHQ andNSA ?

Langlois: Yes, since intelligence agencies are routinely buying previously unknown vulnerabilities from the gray market (it's called zero day exploit trading), they probably have some of them which enable compromise of some or most of the target operating systems or standard applications of these phones.