December 17, 2020, Haaretz
Investigation claims Rayzone used arcane cell network point to ‘track the locations of mobile phones across the world’; network vulnerability may have been exploited to track down UAE Princess Sheikha Latifa in attempted 2018 escape ■ Rayzone denies report
The private Israeli intelligence firm Rayzone Group exploited a loophole in a mobile phone network to enable its clients to track people around the world, a joint investigation by the Bureau of Investigative Journalism and The Guardian revealed on Wednesday.
According to the investigation, Rayzone rented access to an arcane global messaging system in the Channel Islands that allowed them to “geolocate” mobile phone users across the world. The report also claims that this point in the Channel Islands was used in efforts to locate Princess Sheikha Latifa al-Maktoum bint Mohammed Al Maktoum when she attempted to escape her father, Dubai’s ruler, in 2018.
The access point in the Channel Islands, known as a “global title,” allows entry to a decades-old global messaging system called SS7. Established in the 1970s, SS7 can be thought of as a kind of global switchboard for the transmission of commands or “signals” that “help phone operators track their customers’ whereabouts.” These signals are “vital to the functioning of telecoms networks, and are a routine part of ensuring accurate billing when roaming overseas,” said the full report.
However, as the full report explains, SS7 can be exploited for “more questionable purposes,” such as “the tracking of the physical location of users across the world” or to “intercept calls and other private data, including bank accounts and emails” or “the content of calls and messages.” Although concerns about the system are well established, “little progress has been made in resolving the situation in the past decade.”
Renting access to a global title, as the investigation claims Rayzone did in 2018 through a local provider called Sure Guernsey, potentially allows third parties, such as private intelligence companies, to exploit signalling messages – commands that are sent through a telecoms operator across the global network, unbeknownst to a mobile phone user, explained Crofton Black, Stephanie Kirchgaessner and Dan Sabbagh, the authors of The Guardian article. According to the report, “the attacks emanating from the islands appear to be targeted at individuals rather than cases of ‘mass’ surveillance.”
The Bureau’s investigation was based on invoices and a review of the network data itself.
One example of a potential use of the Channel Islands exploit, revealed exclusively by the Bureau, was the effort to locate Princess Latifa, the daughter of Dubai ruler Sheikh Mohammed, as she attempted to flee her father on a yacht she had chartered from the UAE in 2018. Princess Latifa was eventually recaptured off the coast of India and taken back to Dubai, and her friends say she has not been seen since. The princess had claimed that she had been subjected to inhuman treatment by her father, including beatings and solitary confinement. In March, a British court ruled that Dubai’s ruler had subjected the princess to inhuman treatment and had abducted her, as he had her elder sister Shamsa, almost two decades earlier.
“Data reviewed by the Bureau shows that a series of signals designed to reveal phone location were sent to a U.S.-registered mobile belonging to the yacht’s skipper, Hervé Jaubert, the day before commandos stormed the yacht and seized the princess,” the report revealed.
“The effort appears to have been part of a huge bid by the Emiratis – mobilising boats, a surveillance plane and electronic means – to track down the fleeing princess. Signals were sent via mobile networks in Jersey, Guernsey, Cameroon, Israel, Laos and the U.S.” Specifically, the report notes that the Sure Guernsey access point leased by Rayzone, among other entities, was “used in connection with the apparent attempted surveillance of Princess Latifa at the time of the operation.” However, the authors note that it is impossible to know if the SS7 exploit was actually instrumental in locating her yacht.
Rayzone bills itself as “boutique intelligence-based solutions for national agencies,” focused on “countering terrorism and crimes which ‘pose a direct threat to the security of citizens worldwide, and to international stability and prosperity.’” It offers “geolocation tools” to its roster of government clients.
Rayzone Group has denied claims that it was involved in the Princess Latifa tracking effort, telling the Bureau that “any attempt to associate our company with activities that could have been performed by others, is misleading and untrue.”
Vered Ashkenazi, the company’s chief business officer, was quoted in the report as saying that its “geolocation tools are operated solely by the customers (the end users) and not by us.” She further said that in the wake of the report’s publication, Rayzone “conducted a thorough internal investigation into these claims [and] can confidently state that, to the best of our knowledge, none of our company’s products have been (or could have been) associated with this case in any way.”
According to the Bureau, “more recent data suggests that over the past two years Rayzone Group has been significantly active in the worldwide phone surveillance market.” For example, a partial review of data linked to Rayzone revealed that “between August 2019 and April 2020 the company enabled the targeting of more than 60 countries, with thousands of signals being sent into more than 130 different networks.”