As soon as the target switches the phone on, it’s already too late. Digital spies have pinpointed the phone’s location and, without hacking the device itself, are tracking it from tens of thousands of miles away. This is not a capability limited to superpowers—private firms now provide global phone tracking and interception.
But whereas this used to be a fairly niche product, now a myriad of companies based all over the world offer this service to law enforcement and intelligence agencies, perhaps including those who may wish to spy on the U.S., according to a review of surveillance company websites and brochures by The Daily Beast. The spying technique, which takes advantage of vulnerabilities in a mobile data network that U.S. senators have repeatedly tried to get the government to fix, is now a standard offering throughout the surveillance industry.
“It’s extremely attractive because it is completely remote, targeted surveillance,” Karsten Nohl, a security researcher who has worked extensively on this type of spying, told The Daily Beast.
Many of these companies’ global phone tracking products, if not all of them, rely on issues with SS7, or Signaling System No. 7, a mobile network and related set of protocols. SS7 is especially important for data-roaming, when a user leaves their provider’s own coverage but still needs calls and messages to be transmitted over another carrier.
The underlying issue with SS7, however, is that the network believes whatever you tell it: anyone with access to the SS7 network can send a message, and the network may not check where the message is coming from, or whether a legitimate telecoms company sent it.
This leaves room for spying companies, or, increasingly, financially-motivated cyber criminals, to tap into the network and use it for their own gains.
Previous media reports focused on a handful of established surveillance vendors offering SS7 capabilities. In 2014, The Washington Post reported on ‘SkyLock’, a geolocation product from contractor Verint. And other firms have tried to break into this space: last year Forbes covered Ability Inc., an Israeli firm offering a global intercept service for some $20 million (the company faces financial difficulties, according to a recent Cyberscoop report).
But judging by product brochures and descriptions online, many more firms now advertise worldwide phone tracking products.
Wolf Intelligence is a German company that offers malware for hacking phones, jammers, and security-focused phones. A company brochure also mentions a product that can “report the location of a specific mobile phone device anywhere in the world, if within the range of the nearest antennae.” Wolf was previously involved in a spy deal gone wrong with the Mauritanian government, in which an Italian bodyguard was arrested.
Almenta Group, with offices in Hong Kong and Bulgaria, advertises a similar product called “Observer” that provides “worldwide geo location,” according to a blurb for the company on Milipol’s website. Milipol is a regular military and surveillance trade fair. A brochure for “Observer” shows that armed with just a target’s mobile phone number, the phone’s location can be found and displayed on a Google Maps interface.
And on its website Israeli firm Picsix lists its P6-GEO product, which the company says “provides operational agencies the ability to locate, track and covertly manipulate GSM & UMTS subscribers virtually anywhere in the world, including roaming incoming or outgoing.”
Most SS7 surveillance companies The Daily Beast contacted did not respond to a request for comment, and Picsix declined. Several of the firms claim on their respective websites that the technology is to catch terrorists, drug traffickers, or other serious criminals.
“Rayzone Group provides solutions only to security federal and governmental authorities in the field of cyber and intelligence, all under Israeli MOD [Ministry of Defense] export license regulations,” Ron Zilka, senior vice president of product and marketing from Rayzone, another firm offering geolocation services, told The Daily Beast. Zilka added that obtaining an end-user certificate, so Rayzone knows the identity of the customer, is necessary.
Other firms involved in global tracking services include Circles from Bulgaria; Cleversig; Ukraine-based Proximus; Intercept Monitoring Systems from Russia and Trovicor, which claims to have an office in Pakistan. Some firms offer communication interception too. Interestingly, Rayzone provides its website in various languages, including Russian and Thai.
Indeed, this is the major concern with SS7-based products: that private surveillance firms, which are largely free to sell to whomever they can within export restrictions, may provide their services to agencies that usually wouldn’t have this sort of international capability, and which could then spy on the U.S.
“SS7 is almost entirely used for out of country surveillance,” Nohl, the security researcher, said.
And the private spying industry has already caused headaches for U.S. national security. Speaking about lawful-intercept firms in 2013, former Director of National Intelligence James Clapper told the US Senate in written testimony, “Foreign governments already use some of these tools to target U.S. systems.”
Governments have used products from private surveillance companies to spy on private individuals and groups in the U.S. too. In 2015 security researchers found Ethiopia hacked journalists based in the U.S. using tools from an Italian spying firm.
AN IGNORED PROBLEM
On Tuesday, Senator Ron Wyden announced he had secured an amendment to the Intelligence Authorization Act, ordering a report into whether foreign governments have used SS7 vulnerabilities to surveil Americans.
“Phone companies and the government have known for years how easy it is to spy on Americans through wireless networks,” Wyden, who has pushed for fixes for the SS7 issue along with Congressman Ted Lieu, told The Daily Beast in a statement. “The FCC needs to push wireless carriers to fix the SS7 vulnerability to protect Americans’ security.”
On Thursday the Federal Communications Commission encouraged service providers to implement security measures to counter the exploitation of SS7. The measures are voluntary, however. (A lobby group representing AT&T, T-Mobile and other telecom companies recently pushed back against Homeland Security’s call for greater regulation of this area).
“Protection is still lacking in most places,” Nohl said.
So, for the time being, SS7 remains wide open for surveillance companies to tap and use to spy.
“There’s no excuse for companies to continue ignoring the growing threat this security hole poses to Americans,” Wyden added.