
Cellular Roaming’s Inadequate Security

by Michael Dean Thompson

Cellphones must be able to continue providing service when connected to networks other than those to which their owners subscribe. The ability to roam beyond the subscriber’s borders without interruption of service is available because network providers across the globe have agreed to some basic communication protocols provided by the organization Global System for Mobile Communications Association (“GSMA”). Unfortunately, weaknesses in the same protocols enable secret surveillance of a phone or other cellular device, so that it can be precisely located anywhere in the world. Strengthening of these outdated and overly permissive protocols is long overdue.

Background

At the heart of the problem is a private network called the IP Exchange (“IPX”). The IPX services a range of global corporations, such as cellular networks and international roaming providers. Every day massive quantities of messages (signals) traverse the network, allowing the corporations to discover the identities of the cellular device and its home network. That authentication system also allows IPX users to collect significant amounts of information about the user. Most importantly, that information can include geolocation data.

There were relatively few cellular networks when IPX began. That number has exploded as smaller global cellular providers have sought to increase profits by effectively selling access to the network. In doing so, IPX has become a facilitator for the corporate and governmental surveillance apparatuses.

The surveillance potential of the network has not escaped the attention of corporate developers, who have created tools to take advantage of IPX’s weaknesses. The tools have the ability to track device locations, capture text messages, listen to phone calls, and even prevent the device from working. Using the very same messaging structures used by the providers to authenticate users, the surveillance vendors have access to a tremendous amount of information about global cellular customers who happen to be roaming on unprotected networks. This effectively allows smaller countries and agencies wishing to hide their efforts to outsource their surveillance.

Technologies

IPX must be able to communicate with the modern 5G networks as well as the outdated 3G networks that are prevalent in Africa. It is that 3G compatibility that enables the most surveillance due to its use of Signaling System Number 7 (“SS7”). SS7 is a set of messages that are sent between networks. Yet, those messages have enabled vendors to provide nearly anonymous access to roaming data using a variety of methods without concern for financial or legal ramifications.

Firewalls that block unwanted messages and a set of best practices regarding which messages to accept are available. However, there are no ramifications for not using them. That problem is exacerbated by the fact that several operators may share a single network, facilitating local roaming. The cliché that “a chain is only as strong as its weakest link” applies here. An operator with poor security runs the risk of exposing the entire network to surveillance.

The SIM card within the phone, or the software version of it (called an eSIM), provides a unique phone identifier. That identifier is called the Integrated Circuit Card ID (“ICCID”). The ICCID is combined with network-specific information to create an identifier known to be unique throughout the world, identifying the phone, customer, and network to anyone who possesses it. The International Mobile Subscriber Identity (“IMSI”) is therefore a critical feature for those interested in tracking people on cellular networks. In fact, it is the IMSI that cell-site simulators use to track cellphones as they broadcast to the nearest cell tower.

Much like a cell-site simulator, surveillance systems can be either active or passive. A passive surveillance system “listens” to the traffic on the IPX network as it passes through the local hardware. If an IMSI of interest passes through, the information about the signal can be recorded and forwarded to the interested parties. Passive surveillance is often the effort of a government that mandates network operators provide access. This sort of monitoring is occurring within the United States under Section 702 of the Foreign Intelligence Surveillance Act, which allows the government to force operators like AT&T to intercept, copy, and forward phone calls, text messages, and internet communications of foreign targets. All that is needed to achieve passive surveillance is that a device be installed on the network or that an interested party be given access to the VPN. For that reason, it would not be too great a challenge for foreign or hostile governments to set up passive surveillance without corporate knowledge.

There are a number of tools that passively monitor cellular networks for orthodox reasons, making illegitimate monitors much more difficult to detect. One such legitimate passive monitor would be used for network troubleshooting. In those cases, recorded packets are processed and forwarded for upstream offline analysis. That data is then available to the operator for aggregation of key performance indicators as well as individual user data. A government or other surveillance actor given copies of that data through either formal or surreptitious means can process it through a link analysis tool that creates a node map showing who communicates with whom, how often, and for how long. The tool can potentially even summarize the content, as the uploaded data can include content as well as metadata (phone numbers, locations, times, etc.).

Because third parties may gain access to the IPX network through leases, they can then send false signals into the network to discover information. The IPX architecture stipulates that only cellular network operators may have access to the IPX. Yet, as stated earlier, some network operators looking to supplement their profits may lease access to the IPX by selling blocks of cell numbers. The Swedish telecom provider Telenabler AB has been among those openly selling access. Some even have gone so far as listing prices on their websites. In addition, sponsored Internet of Things (“IoT”), SMS (text messaging), and private network providers also have access to IPX. An example of this is the telematics system in a modern vehicle that uses the cellular network to update remote servers with the vehicle status. There are at least 750 cellular networks across the globe covering 195 countries. Among all the networks, network operators, and third-party leases, there are significant, potentially unrestrained opportunities to gain active access to the IPX network.

Active surveillance works by sending false signals into the network targeting a specific device. As an example, one message called a Provide Subscriber Location (“PSL”) explicitly requests precision location information—GPS—about a subscriber. There are many less explicit routes to that information as well. A similar explicit message, called PSI, requests information about the subscriber, including personal addresses. Because the signals are being sent by actors with apparently legitimate access to IPX, they may be very difficult to differentiate from proper requests. The problem of identifying false signals is exacerbated for distinct operators on the same network. That is, if the actor requesting information is on the same domestic network but under a different operator, their requests may be indistinguishable from appropriate traffic.

Bad Actors

The Guardian looked into the problem of IPX-based surveillance and found that Saudi Arabia may have used the network to track some of its citizens. The country allegedly exploited the SS7 protocol on IPX and followed the devices as they visited the United States. The three largest mobile operators in Saudi Arabia forwarded a large number of PSI messages (nearly eight million) tracking IMSIs. Among the data returned to the requestor is the Cell ID, which can identify the tower to which a phone is attached. Knowing tower connections, and for how long they were connected, reveals where the person was and their mobility patterns. Those messages were sent many times per hour, establishing a granular view of those patterns. In effect, American network operators became inadvertent participants in Saudi Arabian intelligence efforts as they geolocated their citizens an average of roughly every 11 minutes. Yet, IPX network operating procedures should not have allowed it.

One of the reasons Saudi Arabia allegedly found success here in the United States is that the phones were registered in Saudi Arabia. Presumably, had a telecom from some other country issued the PSI requests, they would have been blocked by a firewall. That is not always certain, however. Statistics provided by Mobile Surveillance Monitor show that 171 networks from 100 countries sent targeted requests for geolocation data to networks in Africa during the first half of 2023. The data shows that the networks Millicom Chad and Celtel DRC were likely attempting to harvest cellular location data. Another company, Fink Telecom Services, was exposed by Lighthouse Reports for selling commercial phone surveillance services based on the IPX.
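The two screening ideas this section describes, shown as an added example that is not part of the original article: a location request (PSL or PSI) from a network other than the subscriber's home network is blocked, and repeated location polling from the home network, which such a check lets through, is flagged by rate. The record layout, the five-digit network prefix of the IMSI, the threshold, and all sample values are assumptions made for illustration.

```python
from collections import defaultdict

# Message types the article names as location-revealing.
LOCATION_OPS = {"PSL", "PSI"}

# Constructed placeholder values (test network codes, not real operators).
HOME = "00101"                     # assumed 5-digit network prefix of the IMSI
FOREIGN = "99901"
IMSI = HOME + "0000000001"

# Constructed records: (unix_seconds, origin_network, operation, target_imsi).
# The home network polls the roaming subscriber every 11 minutes (660 s).
SAMPLE = [(i * 660, HOME, "PSI", IMSI) for i in range(6)] + [
    (3400, FOREIGN, "PSL", IMSI),    # location request from a third network
    (3500, FOREIGN, "OTHER", IMSI),  # non-location signaling
]


def review(records, max_per_hour=3):
    """Return one verdict per record: 'allow', 'block' or 'alert'."""
    verdicts = []
    recent = defaultdict(list)  # imsi -> timestamps of home-origin location requests
    for ts, origin, op, imsi in records:
        if op not in LOCATION_OPS:
            verdicts.append("allow")
            continue
        if not imsi.startswith(origin):
            # Location request that does not come from the subscriber's
            # home network: the case a signaling firewall would block.
            verdicts.append("block")
            continue
        # Home-network request: acceptable by origin, so judge it by rate.
        window = [t for t in recent[imsi] if ts - t < 3600]
        window.append(ts)
        recent[imsi] = window
        verdicts.append("alert" if len(window) > max_per_hour else "allow")
    return verdicts


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE, review(SAMPLE)):
        print(verdict, record)
```

Neither rule helps when the requester is indistinguishable from the home operator, which is the shared-network and leased-access problem described earlier.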

Conclusion

Domestic roaming may be secured by national laws that dictate the types of information shared. International roaming, however, is a different beast. Its terms are generally dictated by bidirectional agreements that are rarely updated or monitored. Because there is a lack of strict agreements, not all providers are necessarily motivated to make sure that their systems are secure from attack. It was only after providers began monitoring their networks that the problem was even discovered. The GSMA’s Fraud and Security Group then developed requirements for a signaling firewall that would isolate systems. Although the resultant guidelines were released, there are no enforcement mechanisms for universal accountability.

It was 2017 before network operators began installing firewalls. By that time, however, network operators had already begun selling blocks of cellular device numbers, known as Global Title Addresses (“GT”), which diminishes the ability of the firewalls to work because it sidesteps the mechanisms the firewalls use.

New network solutions using 5G may seem to be more secure at first glance. 5G provides a number of mechanisms to obscure user identities and locations. One such feature designed specifically to address international roaming insecurities is Security Edge Protection Proxy (“SEPP”). SEPP provides mechanisms to encrypt and authenticate at each end of the connection. However, out of 351 network operators implementing 5G, only 41 had implemented native 5G architectures as of April 2023. The remaining 310 operators gained the speed of 5G but, without features like SEPP, are not as secure. At the Mobile World Congress in March 2023, it was disclosed that only relatively few operators had even deployed SEPP, much less were using it.

The opportunities for malicious surveillance are myriad. The vast number of attack vectors and non-compliant vendors minimize the effectiveness of any attempts at security. And this is for any cellular device, whether a 5G-enabled phone or a 3G-based automotive telematics system. When traveling abroad, it is best to assume someone knows where you are.   

 

Sources: Lawfaremedia.org, Citizen Lab
