Beirtear na IMSIs: Ireland's GSOC surveillance inquiry reveals use of mobile phone interception systems
The recent revelations surrounding the bugging of the Garda Siochana Ombudsman Commission (GSOC) have raised a number of important questions about the use of surveillance technologies in Ireland, including whether fake base stations were deployed in order to monitor mobile networks near GSOC's office.
First, some background. The Garda Siochana are the Irish police force and are overseen by GSOC, who have investigated members of the police force on a number of occasions. Approximately a year ago, GSOC decided to conduct a security sweep of their office and brought in Verrimus, a UK-based counter-surveillance company. During the course of their investigation, they uncovered 3 anomalies that gave rise to suspicion that the GSOC office had been subjected to surveillance. Two of the potential breaches related to surveillance of specific internal telephone equipment, and the third revealed the presence of a mobile network in the vicinity of the GSOC office that purported to be from a UK network operator that does not operate in Ireland.
Possibly, a misconfigured base station hastily rolled out by an Irish mobile operator could have caused this. However, if one of the Irish mobile telcos deployed such a misconfigured device then one would hope the firm would have come forward by now.
Yet, no one has. The only remaining possibility, then, is that a device used to conduct surveillance was intentionally deployed that purported to be a legitimate mobile phone tower. In surveillance circles, such a device is called an IMSI Catcher (aka IMSI Grabber or Stingray).
IMSI Catchers
IMSI Catchers are used by authorities around the world to put large groups of people under indiscriminate mass surveillance via their mobile phones. IMSI Catchers started off infiltrating GSM networks with a single goal: to capture the unique SIM card number that identifies the user, called the International Mobile Subscriber Identity (IMSI), hence the name IMSI Catcher.
When the IMSI Catcher is turned on, it signals to all nearby devices that it is a legitimate part of the mobile communications network, even though it isn't. Each mobile phone voluntarily surrenders its IMSI when it connects to the tower. By having the strongest signal or manipulating certain parameters, an IMSI Catcher entices all phones to connect to it and thereby obtains the unique identifier for every individual in an area. This works remarkably well in protests and public demonstrations and events, as was reported by the people of Ukraine recently during their protests.
However, in the last 10-15 years as the use of IMSI Catchers has likely grown, they have evolved to include much more sophisticated capabilities. Nowadays, they can:
- force phones to stop using encryption (A5/1) and move to unencrypted channels (A5/0) to allow for easier interception;
- jam the 3G spectrum so phones would default back to 2G where interception could occur;
- get an accurate location of every individual within its reach of around 1km;
- deny service to one or all users;
- intercept the content of calls, text messages and data;
- and reportedly alter messages in transit.
Nowadays, full 3G IMSI Catchers are the pride of many surveillance companies attending government-sponsored trade shows to sell their wares to any interested agency. Companies such as CellXion, Forensic Telecommunications Services, and Gamma International provide such products. Not only have the capabilities improved, but the devices have shrunk to the size of a large mobile phone and cost around €250-€500.
However, if you prefer to get your hands dirty, you can build one for yourself using a Software Defined Radio and free software called OpenBTS. You can also put together a full GSM call, text and data interception device (even where the target's data is encrypted) using a €10 phone, free software from Osmocom and a laptop running open source software. The legality of doing this, however, will vary by jurisdiction.
Given the number of mobile network operators and handsets in a given area, IMSI Catchers need to operate as multiple fake towers simultaneously to harvest as much data as possible in a short amount of time. Some report a rate of 1200 IMSIs per minute across 5 networks while others boast simultaneous voice intercepts as featured on the Surveillance Industry Index. Often it will operate by purporting to be many towers from the same network provider thereby reducing the time it takes to get all the IMSIs from users on a popular network.
Each fake tower will emit a signal containing numbers that tell a mobile phone how to talk to it when the phone wants to make a call or send a text, and how to register with it so the tower can contact the phone when an incoming call or text arrives. Specifically, the tower will send a country code and an operator code to the handset. In normal circumstances, this allows phones to stay connected to their operators' towers and not to start roaming in border areas if another native tower is present.
It is these values that were problematic in the GSOC case. Irish towers should not be identifying themselves as being in the UK or offering the service of a UK network provider. The mobile phone of a UK visitor to GSOC would have spotted its native tower and connected to it. Depending on the model of IMSI Catcher used, full intercept of all data to and from that handset would then be possible.
It is interesting to note that the fake UK network was the only one detected by Verrimus. However, given that IMSI Catchers operate multiple fake towers simultaneously, it is highly likely that one or more Irish networks were also being intercepted. Very often a misconfiguration, such as an incorrect country code, is the only evidence available of an IMSI Catcher being deployed when forensic tools are not being used to look for one. This recently occurred around the Ecuadorian Embassy in London where base stations from a Ugandan telco were mysteriously popping up.
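The country code and operator code described above can be checked mechanically during a counter-surveillance sweep. The following is an added example, not part of the original article or of any tool it mentions: it decodes the broadcast network identity (country code plus operator code, sent as three BCD octets) and flags cells whose codes do not belong where they were observed. The survey rows, the allow-list contents and the function names are constructed for illustration, and the check is only meaningful away from a border area.

```python
# Added example (not from the original article). Survey rows are constructed.
HOME_MCC = "272"   # Ireland's mobile country code
# Assumption: illustrative allow-list of home-network codes (MCC+MNC); a real
# audit would load the regulator's current licence list instead.
LICENSED_PLMNS = {"27201", "27202", "27203", "27205"}


def decode_plmn(raw):
    """Decode the 3-octet BCD PLMN identity (3GPP TS 24.008 layout)."""
    if len(raw) != 3:
        raise ValueError("PLMN identity must be exactly 3 octets")
    mcc = [raw[0] & 0x0F, raw[0] >> 4, raw[1] & 0x0F]
    mnc = [raw[2] & 0x0F, raw[2] >> 4, raw[1] >> 4]
    if mnc[2] == 0x0F:             # 0xF filler marks a two-digit MNC
        mnc.pop()
    if any(d > 9 for d in mcc + mnc):
        raise ValueError("non-decimal digit in PLMN identity")
    return "".join(map(str, mcc)), "".join(map(str, mnc))


def audit_survey(rows, home_mcc=HOME_MCC, licensed=LICENSED_PLMNS):
    """Return (cell label, reason) for each out-of-place broadcast identity."""
    findings = []
    for raw_plmn, lac, cell_id in rows:
        try:
            mcc, mnc = decode_plmn(raw_plmn)
        except ValueError as exc:
            findings.append((f"{raw_plmn.hex()} LAC {lac} CID {cell_id}", str(exc)))
            continue
        label = f"{mcc}-{mnc} LAC {lac} CID {cell_id}"
        if mcc != home_mcc:
            findings.append((label, f"foreign country code {mcc}"))
        elif mcc + mnc not in licensed:
            findings.append((label, f"operator code {mnc} not on allow-list"))
    return findings


# Constructed survey: (PLMN octets as broadcast, location area code, cell id)
SURVEY = [
    (bytes.fromhex("72f210"), 3001, 40211),   # 272-01, expected
    (bytes.fromhex("72f230"), 1207, 15520),   # 272-03, expected
    (bytes.fromhex("32f499"), 1, 1),          # 234-99, UK country code
    (bytes.fromhex("72f289"), 7, 12),         # 272-98, unknown operator
    (bytes.fromhex("7af210"), 7, 13),         # malformed digit
]

if __name__ == "__main__":
    for label, reason in audit_survey(SURVEY):
        print(f"ANOMALY {label}: {reason}")
```

A clean result from this check does not rule out a fake tower that copies a legitimate Irish network's codes, which is the case the article notes would leave no such evidence.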
Critical infrastructure is vulnerable
It is remarkable that this type of invasive and mass interception is so easily done over Ireland's critical infrastructure, which is relied upon by citizens in their daily lives. Given the utility and ubiquity of modern cell phones, from mobile commerce, personal and business communications, to emergency phone calls, the threat this type of surveillance poses to the security and privacy of citizens cannot be overstated.
Despite the public's reliance on these devices, the vulnerabilities exploited by IMSI Catchers are encouraged by security services, such as the NSA and GCHQ, to facilitate their offensive surveillance campaigns, as revealed by Edward Snowden. However, vulnerabilities in a global standard, such as GSM, expose every user to potential harm from a huge range of malicious actors. It is ironic that citizens who entrust the security services to protect them are rendered vulnerable by the conduct of these very same agencies.
At this point, it would seem to be appropriate for the Garda Siochana to review the evidence that Verrimus have obtained, release some of the technical evidence of the surveillance, and determine if fake Irish towers were active alongside the fake UK tower. Critically, they must determine if the private communications of Irish citizens were unlawfully intercepted. Additionally, this case highlights the desperate need for a wholesale review of how IMSI Catchers are used and regulated in Ireland and around the world. We fear that this will be the first of many stories about their abuse.