Passively 'Sniffing' Data How Mobile Network Spying Works

British intelligence agency GCHQ has been targeting mobile phone company networks. Telecoms security expert Philippe Langlois explains what they can find this way, and how users can protect themselves from such snooping.

British intelligence has allegedly been tapping into data from mobile phone companies.

Interview by

SPIEGEL ONLINE: The British intelligence agency GCHQ is hacking into the networks of mobile phone companies operating so-called GRX routers. What are these networks and why are they an attractive target?

Philippe Langlois: These are the "roaming tubes" of the worldwide mobile system. You can basically track every user in the world who is roaming with their smartphone. When roaming, all the Internet surfing and accesses to corporate networks go through these exchanges, and can be eavesdropped on by passively "sniffing" all data, all web pages and all emails.

SPIEGEL ONLINE: Is it possible to defend against that kind of snooping?

Langlois: Basic security such as encrypted web pages (https), encrypted email (PGP) or encrypted chat (Jabber OTR) will prevent such interception. In that sense, the GRX is not different from a traditional Internet Service Provider. If you're using safe Internet best practice there, you can protect your communication secrecy, but you cannot protect your location.

SPIEGEL ONLINE: Can one track a user this way only while he's roaming with his handset? Or does the GRX hacking allow tracking even when the targets are in their home country?

Langlois: By listening passively to a GRX network, one can know where any user is roaming with a coarse location granularity: i.e. their city or region. But GRX also enables making requests that can basically target any subscriber, not only those that are roaming. Though this is an advanced security attack.

SPIEGEL ONLINE: Could this kind of access also be used to implant spying software directly on someone's phone?

Langlois: If you control what goes into these "roaming tubes," if you can see what people surf, you can probably also change that. And if you can change the content, you can possibly suggest some application to the user through a trusted content provider. By doing that, you may compromise his handset, and implant hidden software features such as GPS location acquisition, covertly taking pictures or even video, listening to calls and even ambient conversation when the phone is in "sleep mode." Some companies such as Gamma have provided this kind of software to many different governments and regimes.

SPIEGEL ONLINE: Does access to a GRX network also allow access to other, local mobile networks from there?

Langlois: A GRX network is called a "walled garden." The theory is that only "nice people" are on the network, that is, only clean telecom mobile operators. That was the theory, so the mobile operators didn't really protect themselves against other operators on the GRX network. The user traffic, which is potentially harmful to operators, is neatly encapsulated into the "roaming tubes," preventing users from reaching the infrastructure of the GRX network itself. But operators themselves can do that. And therefore, anyone having compromised one operator or the GRX network can attack other mobile operators with a much better chance to compromise them than by attacking through, say, Internet access. The unknown, dark, insider-only networks are always less secure than the ones which are heavily exposed and attacked, and thus more protected.

SPIEGEL ONLINE: According to material from whistleblower and former National Security Agency contractor Edward Snowden, GCHQ is also attacking the networks of billing clearinghouses like MACH. How could a secret service benefit from accessing the networks of such companies?

Langlois: The billing clearinghouses get a very particular kind of data: the call detail records (CDRs). These add up to make bills for all users. This way, mobile operators know who owes them what. But this data can also be used by intelligence agencies to know who calls whom, when, and for how long. CDRs don't have the content of the call, just caller number, called number, duration, sometimes even caller location, etc. In intelligence jargon, that's called "traffic analysis," and it's way faster than listening to conversations from a user. That's the main tool that police forces use to gain insight into the extent of criminal rings, for example. But it's also very useful to perform counter-insurgency work by tracking who calls whom to a rally, or to know who calls the political leader of one party or another.

SPIEGEL ONLINE: Could access to billing house networks be used to gain access to actual mobile networks from there?

Langlois: Billing clearinghouses have the same "walled garden" pattern. You don't expect to be hacked by your accountant. Here, it is similar: You may fear the Russian mafia on the Internet, but not the service that generates the biggest part of your revenues. Therefore, mobile operators are not protected enough on these networks, and can be compromised this way.

SPIEGEL ONLINE: One GCHQ document says that the intelligence service would like to be able to implant software on any device based "just on the MSISDN," or the phone number. Do you think that's feasible, given what we know about the current capabilities of the GCHQ and NSA?

Langlois: Yes, since intelligence agencies are routinely buying previously unknown vulnerabilities from the gray market (it's called zero day exploit trading), they probably have some of them which enable compromise of some or most of the target operating systems or standard applications of these phones.
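Langlois describes "traffic analysis" over call detail records: no call content, yet caller, called number, duration and coarse location are enough to reconstruct who talks to whom and roughly where they are. The script below is an added illustration, not part of the interview or any clearinghouse's software; the CDR lines and their field layout are constructed sample data, so it shows the kind of inference that billing metadata exposes and why access to a clearinghouse is worth protecting.

```python
# Added illustration (not from the interview): what "traffic analysis" over
# call detail records reveals. The CDR lines below are constructed sample data,
# and the field layout is an assumption, not any clearinghouse's real format.
from collections import Counter
from datetime import datetime

# Constructed CDRs: caller, called, start time, duration (seconds), caller cell id.
SAMPLE_CDRS = """\
+441234000001,+441234000002,2013-11-15T09:02:10,184,cell-LON-17
+441234000001,+441234000003,2013-11-15T09:10:44,61,cell-LON-17
+441234000002,+441234000001,2013-11-15T12:31:05,420,cell-LON-03
+441234000004,+441234000001,2013-11-15T18:05:00,12,cell-MAN-08
+441234000001,+441234000002,2013-11-16T08:55:30,95,cell-MAN-08
+441234000003,+441234000002,2013-11-16T10:15:12,300,cell-LON-22
"""


def parse_cdrs(text):
    """Parse CSV-style CDR lines into dicts; a CDR carries no call content."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        caller, called, start, dur, cell = line.split(",")
        records.append({"caller": caller, "called": called,
                        "start": datetime.fromisoformat(start),
                        "duration": int(dur), "cell": cell})
    return records


def contact_graph(records):
    """Undirected contact counts: who talks to whom, and how often."""
    graph = Counter()
    for r in records:
        graph[frozenset((r["caller"], r["called"]))] += 1
    return graph


def location_trail(records, msisdn):
    """Coarse movement of one subscriber, rebuilt from caller cell ids alone."""
    trail = []
    for r in sorted(records, key=lambda r: r["start"]):
        if r["caller"] == msisdn and (not trail or trail[-1][1] != r["cell"]):
            trail.append((r["start"].isoformat(), r["cell"]))
    return trail


def top_contacts(records, msisdn, n=3):
    """Most frequent counterparties of one subscriber, from metadata only."""
    ranked = [(next(iter(pair - {msisdn})), count)
              for pair, count in contact_graph(records).items() if msisdn in pair]
    return sorted(ranked, key=lambda x: -x[1])[:n]
```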

Reader comments (5 posts)
peskyvera 11/15/2013
1. optional
Don't want to be tracked? Don't use any of these gadgets and stop playing into their hands.
fung.pee 11/16/2013
2. Never carry a SIM across a border ...
buy a new, prepaid one. Best way is to have a hotel concierge get one so your name is not associated with it. Use a very basic cell handset, which has had the GPS neutered PHYSICALLY (CUT) and then you can make 'private' calls. I use a 7-year old handset, very comfortable. My new NOTE 3 has NEVER had a SIM in it. Google thinks it is still on a shelf somewhere. I also carry a 3G/4G data modem (another new, prepaid SIM) plugged into a portable WiFi Hub. My NOTE 3 is 'tethered' to the hub and there are no direct connections to either the InterNet or the cell system. Therefore Google and Samsung can't know where your cell is. Caution: Never download Apps from Google - it requires a login and personal data. Cell techs can load Apps for you from memory, if you don't know how. Dark in Indochina!
jrnagl 11/16/2013
3. Phone Hacking . . . GCHQ
Apart from scale . . . is the morality of world-wide phone/e-mail hacking as practiced by the British GCHQ different from that previously carried out by journalists and condemned by the same British Government? I suspect not. This then surely raises British Ministers such as their Foreign Minister Hague to another plateau of HYPOCRISY worthy of another whole series of the much loved FAWLTY TOWERS . . .
ego_alphonsus 11/16/2013
4. Smart Phones Are For Dummies
Smartphones are easy to hack. Time to go back to the old one... you'll save money, no one will steal it, you won't cry when you lose it or drop it and you won't get hacked/spied on by civilians or governments. Simple as that. But NO, instead of relying on wits and whatever is left of your brain you still want to keep your nose stuck on a gizmo rather than looking at the world around you.
spon-facebook-10000139396 11/16/2013
5. dirty bomb
Well done in pointing out to terrorists how to avoid detection. When terrorists explode a dirty bomb next to your child's crèche; perhaps then you will understand.
