Spy companies using Channel Islands to track phones around the world

A protester using their phone at a rally in Bangkok in August 2020.

Crofton Black
December 16, 2020, The Bureau of Investigative Journalism

Private intelligence companies are using phone networks based in the Channel Islands to enable surveillance operations to be carried out against people around the world, including British and US citizens, the Bureau of Investigative Journalism can reveal following a joint reporting project with the Guardian.

Leaked data, documents and interviews with industry insiders who have access to sensitive information suggest that systemic weaknesses in the global telecoms infrastructure, and a particular vulnerability in Jersey and Guernsey, are being exploited by corporate spy businesses.

These businesses take advantage of some of the ways mobile phone networks across the world interact in order to access private information on targets, such as location information or, in more sophisticated applications, the content of calls and messages or other highly sensitive data.

The spy companies see phone operators in the Channel Islands as an especially soft route into the UK, according to industry experts, who say the attacks emanating from the islands appear to be targeted at individuals rather than cases of “mass” surveillance. The Bureau understands that the targets of this surveillance have been spread across the globe, and included US citizens as well as people in Europe and Africa.

Ron Wyden, the Oregon senator and privacy advocate, described the use of foreign telecom assets to spy on people in the US as a national security threat.

“Access into US telephone networks is a privilege,” he said in response to the Bureau’s findings. “Foreign telecom regulators need to police their domestic industry – if they don’t, they risk their country being cut off from US roaming agreements.”

Markéta Gregorová, the European Parliament’s chief negotiator on trade legislation for surveillance technology, called for “immediate regulatory, financial and diplomatic costs on companies and rogue jurisdictions” that enabled these practices.

“Any commercial or governmental entity, foreign or domestic which enables the facilitation of warrantless cyber-attacks on European citizens deserves the full force of our justice system,” she told the Bureau.

The investigation has found that private intelligence companies are able to rent access from mobile phone operators and this can then be exploited to allow the tracking of the physical location of users across the world. They are also potentially able to intercept calls and other private data, including bank accounts and emails.

These intrusions, which are very widely exploited, rely on commands designed to help phone operators track their customers’ whereabouts. Such commands, known as “signals”, are sent via a kind of global switchboard for the telecoms industry called SS7.

These are vital to the functioning of telecoms networks, and are a routine part of ensuring accurate billing when roaming overseas. But they can also be used by sophisticated state and corporate security agencies for more questionable purposes.

Concerns about SS7 signalling, a communications system dating back to the 1970s, are well established. But little progress has been made in resolving the situation in the past decade.

A Whitehall source described the system as “toxic, horrendous – yet one the world relies on,” adding that “it can be abused to geolocate people”. However, securing the system is complex: “if you get it wrong, you disconnect yourself from the rest of the world.”

Security fixes are being implemented in the UK, but up to now there have been concerns that Channel Islands operators have not done so, the source added.

The problem can affect phones in the UK and abroad. Telecommunications queries sent from Channel Islands networks to phone numbers in the UK can be treated as domestic, and may evade firewalls put in place to prevent foreign signalling intrusions.

But such messages may also evade detection globally, because by using a +44 country code they appear to be emanating from the UK, generally a well-trusted territory. Although Channel Islands networks share the UK country code they are not covered by UK regulations, opening up a weak link which spy companies can exploit.

Senior British officials have expressed concerns about the security of the Channel Islands’ networks, particularly that some smaller operators across the islands have not plugged well-known vulnerabilities. Sources told the Guardian and the Bureau that some operators, in effect, have leased access to their networks to surveillance businesses, allowing people’s mobile phones to be tracked around the world. Shadow digital minister Chi Onwurah said: “This is a critical situation and it needs fixing urgently. A secure and resilient telecoms network can’t mean only worrying about China and Huawei. Our national security should be the government’s priority and we must act to protect our networks.”

Jersey, as a Crown Dependency, is not subject to the UK’s laws (Franz Wild for TBIJ)

Sure Guernsey, one of the Channel Islands telecoms operators identified in this investigation as a transit point for malicious signals, told the Bureau that it “does not lease access directly or knowingly to organisations for the purposes of locating and tracking individuals or for intercepting communications content”. Sure acknowledged that network access points could be misused, but said its traffic goes through “UK operators’ firewalls in the same way as any other international operators’ traffic”.

Jersey Airtel, another operator whose network has been identified as having been used for these purposes, said: “We take network and customer security seriously and we do have necessary control measures in place to address and prevent activities that could compromise security.”

A new Telecoms Security Bill, presented to Parliament three weeks ago, aims to strengthen UK networks and safeguard them from these kinds of attacks, while raising the costs for non-compliant phone operators. The UK government does not have jurisdiction over the Channel Islands or other offshore British territories, however.

A government spokesperson said in response to the Bureau’s findings that the new bill will mean that “UK network operators must protect themselves from malicious cyber activity, wherever it originates, and there will be tough penalties for operators which do not comply”.

However, British telecoms regulators and the security services have almost no powers to enforce against operators in the Channel Islands, beyond what is described as a “nuclear option” to remove their access to the +44 UK country code. Instead they hope that the Channel Islands can be pressured or encouraged to ensure security measures are increased in line with those planned for the UK.

The spokesperson added: “Channel Islands operators do not automatically have the same security obligations as UK operators, but the self-governing islands have committed to align their forthcoming Telecoms Security Frameworks to the UK’s bill.”

Guernsey’s regulator said operators are obliged “to take reasonable steps to prevent their licensed networks and services from being used in, or in relation to, the commission of offences” and that the island is “developing frameworks in line with the UK security bill”.

Jersey’s regulator said it supported the island’s government in its commitment to the security of its telecoms networks.

Experts warn that vulnerabilities will remain even after the switch to 5G as long as some networks rely on older 2G and 3G technology.

Companies that enable the exploitation of the SS7 system for surveillance operations have typically insisted that the use of their products has been limited to national law enforcement agencies fighting serious crime and terrorism. In fact, as the Bureau’s investigation reveals, in some cases the net seems to have gone significantly wider.

In one example, disclosed here for the first time, networks in the Channel Islands were used in an effort to locate Princess Latifa al-Maktoum as she attempted to evade her father, Sheikh Mohammed, the ruler of Dubai.

Latifa, who claimed that her father had her held in solitary confinement, in the dark, beaten and sedated over a period of several years when she was in her teens and early twenties (allegations which have been denied), fled the United Arab Emirates on a chartered yacht, but was recaptured off the coast of India a week later.

The yacht used in Princess Latifa’s escape attempt

Data reviewed by the Bureau shows that a series of signals designed to reveal phone location were sent to a US-registered mobile belonging to the yacht’s skipper, Hervé Jaubert, the day before commandos stormed the yacht and seized the princess. The effort appears to have been part of a huge bid by the Emiratis – mobilising boats, a surveillance plane and electronic means – to track down the fleeing princess. Signals were sent via mobile networks in Jersey, Guernsey, Cameroon, Israel, Laos and the USA.

It is impossible to know if SS7 was the key to locating the yacht: Jaubert told the Bureau that he did not have this phone with him at the time, and that even if successfully compromised it could not have revealed his location.

But the method of the attack, using a string of mobile networks around the world to send queries in quick succession, casts a stark light on how widespread the penetration of global telecoms infrastructure for surveillance purposes has become – and on the fact that such surveillance is not always just directed at criminal masterminds.

The operation began around 2:30am local time on 3 March 2018, when Jersey Airtel and Sure Guernsey made a series of SRI (“send routing information”) requests directed at Jaubert’s US-registered phone. These requests can disclose the subscriber identification number used to obtain further levels of access to a phone’s confidential data.

Seconds later, a network in Cameroon sent a further SRI command to the same number, followed by what telecoms engineers call an ATI – an “any time interrogation” request. The ATI command can generate a “Cell-ID”, which discloses, within a certain radius, the last known location of a phone. More ATI requests followed in quick succession, sent via Jersey Airtel and networks in Israel and Laos.

On this occasion these attempts to use foreign networks to locate Jaubert’s phone were blocked by international firewalls. The attackers tried a different tactic: they switched to a US network, signalling into the phone via a small operator in Minnesota, NewCore Wireless.
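A defensive sketch of how a receiving operator could spot the pattern described above, added here as an example and not taken from the original article or from any operator's tooling: it flags a subscriber who receives SRI or ATI queries from several origin networks within a short window. The log format, field names, thresholds and every number in the sample are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations the article names: SRI (send routing information) and
# ATI (any time interrogation).
LOCATION_OPS = {"SRI", "ATI"}

# Constructed sample records, not real traffic:
# time, operation, origin network, calling global title, target number.
SAMPLE_LOG = """\
2024-01-01T02:30:05Z SRI network-A 440000000001 15550100001
2024-01-01T02:30:09Z SRI network-B 440000000002 15550100001
2024-01-01T02:30:21Z SRI network-C 2370000000001 15550100001
2024-01-01T02:30:24Z ATI network-C 2370000000001 15550100001
2024-01-01T02:30:40Z ATI network-A 440000000001 15550100001
2024-01-01T02:31:02Z ATI network-D 9720000000001 15550100001
2024-01-01T02:31:30Z ATI network-E 8560000000001 15550100001
2024-01-01T09:15:00Z SRI network-F 330000000001 15550100002
2024-01-01T14:40:00Z SRI network-G 490000000001 15550100002
this line is malformed and is skipped
"""

def parse(log):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # ignore lines that do not match the assumed format
        ts, op, network, gt, target = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append({"time": when, "op": op, "network": network,
                       "gt": gt, "target": target})
    return events

def find_bursts(events, window=timedelta(minutes=5), min_networks=3):
    """Flag targets queried by >= min_networks origin networks within window.

    The window and threshold are illustrative assumptions, not tuned values.
    """
    by_target = defaultdict(list)
    for e in events:
        if e["op"] in LOCATION_OPS:
            by_target[e["target"]].append(e)
    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until the span fits.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e["network"] for e in span}) >= min_networks and (
                    best is None or len(span) > len(best)):
                best = span
        if best:
            alerts.append({
                "target": target,
                "networks": sorted({e["network"] for e in best}),
                "ops": [e["op"] for e in best],
                # +44 titles are listed for operator-level review: the article
                # notes the country code alone does not imply UK regulation.
                "uk_code_gts": sorted({e["gt"] for e in best
                                       if e["gt"].startswith("44")}),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(parse(SAMPLE_LOG)):
        print(alert)
```
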

Albert Kangas, head of NewCore Wireless, said that his company had leased the access point used in the operation to another US-based wireless network, which in turn had subleased it to a “wholesale partner”. Kangas did not identify the network which NewCore had rented its access point to, but disclosed that, the month after the operation, “it was disconnected due to some suspicious activity”.

Informed that reporters were investigating how his phone network had seemingly been used as part of a surveillance operation prior to a kidnapping, he replied: “That’s not good.”

“If it’s a small island you’re probably going to get access” (Franz Wild for TBIJ)

The use of Jersey and Guernsey for this operation was not an isolated incident.

Network security analysts have told the Bureau the British +44 country code has consistently led the world in the number of origin points for malicious traffic for the past two years, and the Channel Islands is believed to account for the majority of this.

Recent aggregated data seen by the Bureau shows a steady stream of signalling intrusions flowing from the Channel Islands into phone networks worldwide. The data, which is only a small snapshot, shows hundreds of intrusion attempts were sent via Sure Guernsey and Jersey Airtel into networks in North America, Europe and Africa in August of this year.

In one case shared with the Guardian by Gary Miller, a mobile security researcher at Exigent Media who has studied sensitive messaging signals, a US mobile phone user who works for a communications company was closely tracked using signals that can pinpoint a user’s location and possibly intercept communications while on a trip to Bangladesh in August 2020. This was described by Miller as a surveillance attack emanating through Sure Guernsey. Miller said the tracking messages were highly suspicious and not possible under a “normal usage scenario”.

Industry insiders told the Bureau that some places were believed to rent out network access to third parties more readily than others, making them potential hotspots for this type of traffic.

“If it’s a small island you’re probably going to get access,” an industry executive with experience of SS7 signalling told the Bureau. “That’s how we look at it anyway. Just go to a small island, not many subscribers, they’ve got all this infrastructure.”

Asked about the Channel Islands, the executive replied: “They’re the experts in it.”

Human rights NGOs have reacted with concern to the revelations.

“The Channel Islands cannot allow itself to be used as an offshore global spy centre,” Edin Omanovic, advocacy director at Privacy International, told the Bureau.

“It is scandalous that this has been allowed to happen. It not only threatens the security of anyone in the UK, it undermines the UK’s own interests in supporting the work of human rights defenders, journalists, and democratic movements abroad.”

In a statement to the Bureau, Sure Guernsey acknowledged that network access points “can be misused” and said that it takes “a number of actions to mitigate this risk”.

“Sure works with global telecommunications companies, including all the UK operators, to monitor signalling traffic,” the company stated. Any complaint “results in the service being immediately ceased and subsequently permanently terminated if malicious or inappropriate traffic is discovered upon investigation. Sure has seen a declining trend in such malicious activity in recent years. Sure works with the UK National Cyber Security Centre where we share our approach to minimising the risk of misuse.”

Jersey Airtel told the Bureau that it leased access points to a “wide spectrum” of third-party agencies. The company added: “In case of any such misuse, we take strict action to block, investigate and initiate strict measures … To this end, we have also invested in an SS7 firewall solution from a trusted and reputable vendor which helps in blocking any misuse … by third-party partners, thus our SS7 security is more robust than that of average operators.”

Tel Aviv, Israel (Chris McGrath/Getty Images)

In recent years a hub of surveillance tech companies has emerged in Israel, selling a variety of interception and hacking tools to governments around the world. They fly largely under the radar, although an ongoing lawsuit in California launched by WhatsApp, the popular messaging service, against NSO Group, a spy company headquartered near Tel Aviv, has brought the industry to greater prominence. WhatsApp, which is owned by Facebook, has accused NSO of sending malware to 1,400 phones in order to break its encryption and access its customers’ messages. NSO Group denies any wrongdoing.

The Bureau’s investigation has confirmed that another Israeli company, Rayzone Group, had leased the Sure Guernsey network access point – technically known as a “global title” – used in connection with the apparent attempted surveillance of Princess Latifa at the time of the operation.

Rayzone Group’s website advertises “boutique intelligence-based solutions for national agencies”, aimed at countering terrorism and crimes which “pose a direct threat to the security of citizens worldwide, and to international stability and prosperity”. The company offers services to its clients including interception and location tracking.

Rayzone Group denied any role in the operation to capture Latifa al-Maktoum, stating that “any attempt to associate our company with activities that could have been performed by others, is misleading and untrue”.

Vered Ashkenazi, the company’s chief business officer, told the Bureau that Rayzone’s “geolocation tools are operated solely by the customers (the end users) and not by us”.

After the Bureau’s inquiry, she said, Rayzone had “conducted a thorough internal investigation into these claims” and “we can confidently state that, to the best of our knowledge, none of our company’s products have been (or could have been) associated with this case in any way”.

Ashkenazi declined to respond to a detailed series of questions about the global titles used in the operation. Two industry sources have corroborated Rayzone Group’s rental of the Sure Guernsey global title, +44 7781 001065, that signalled at the yacht captain’s mobile phone.

According to invoices seen by the Bureau, Rayzone rented this access point in January 2018 for a three-month period, via a subsidiary in the British Virgin Islands, at a cost of $13,000 per month. The Latifa operation, on March 3 of that year, would fall within this period.

More recent data seen by the Bureau suggests that over the past two years Rayzone Group has been significantly active in the worldwide phone surveillance market.

A sample of data, believed to cover only a part of Rayzone’s operations, shows that between August 2019 and April 2020 the company enabled the targeting of more than 60 countries, with thousands of signals being sent into more than 130 different networks.

Spain – where the Guardian and El País revealed in July that a top Catalan politician was targeted in a “possible case of domestic political espionage” – was high on the list of countries monitored. The data shows thousands of message units requesting phone information from multiple major mobile networks.

Large numbers of signals were also sent into Serbia, the Netherlands, Bulgaria, Denmark, Portugal, Cyprus and Bosnia-Herzegovina. Moreover, the Bureau’s investigation has confirmed that Rayzone Group has also leased access – directly or indirectly – to global titles in Iceland, Sweden and Switzerland.

“The revelations of the sheer scale and global dimension of these attacks are a wake-up call,” Markéta Gregorová, the European surveillance rapporteur, said in response to the Bureau’s findings. “The delicate balance between lawful governmental surveillance and the sanctity of fundamental rights has been turned on its head.”

Overall, the data shows some level of activity in almost every country in Europe, as well as hinting at the extent of companies like Rayzone’s reach elsewhere in the world: networks were more heavily targeted in Israel, Hong Kong, Thailand, Guatemala, the Dominican Republic and the USA, with smaller scale intrusions into – among others – Morocco, Sudan, Libya, Palestine, Syria and Iran.

The data does not show how many devices were targeted. But it does indicate in which months particular countries were in the crosshairs. In August 2019 the USA and Bosnia were scenes of particular activity; in October, the Netherlands; in December, Spain and Portugal; in March 2020, Serbia, Bulgaria, Pakistan and Israel; and in April, Spain again.

In March, according to a separate tranche of data seen by the Bureau, Rayzone Group sent several thousand intrusive signals to phones in the UK. Although principally aimed at UK-based mobile numbers, the targets also appear to have included people from 27 other countries, among which were Thailand, Jordan, Egypt, Russia, Spain, Ukraine and Malaysia.

The data does not indicate whether an attack succeeded, or what its objective was. But it does show that in some cases, dozens of signals were directed at a device, suggesting a significant attempted surveillance operation.

Rayzone said: “Our company develops intelligence and cybersecurity products for use by governmental authorities only.”

Presented with a detailed list of the Bureau’s findings, Rayzone declined to comment, stating only that all such questions “entail regulatory and trade secret issues and a risk to our customers’ ongoing operations against terror and severe crime, thus we are unable [to] specifically address the questions in a detailed manner and nothing herein shall be construed as to confirm or deny any claims raised in your letter”.

Spain was high on the list of targets in a cache of data relating to Rayzone’s signalling attempts
(Universal History Archive/Universal Images Group via Getty Images)

Industry insiders who spoke to the Bureau said that despite revelations some years ago of how network vulnerabilities could be used for surveillance, the situation now is, if anything, worse than before.

The mobile phone industry is evolving at pace, with 5G technology now on the horizon for many. Despite these advances, however, a 2019 survey of security threats, carried out by the mobile operators’ association GSMA, found that older 2G and 3G networks still carry half of the world’s traffic.

Although newer generation networks may be more secure in some ways, they still need to be able to communicate with older ones – otherwise half of all phones would be unable to connect to the other half. This opens newer networks up to signalling attacks.

The GSMA study reported that nine out of ten text messages are vulnerable to interception, while two-thirds of the networks surveyed had failed to protect properly against malicious signalling. There appears to be no quick fix to the morass of the global telecommunications landscape.

“People say ‘5G will solve everything’,” Sid Rao, a security researcher at Aalto University, Finland, told the Bureau. “But this will not be the case until every network on earth is 4G or 5G. Until this happens, in say 30 years, vulnerabilities in old networks will still be a risk to all other networks.”

Rao’s assessment is blunt: “If there’s one 2G network left on Earth it’s still a problem.”

Our reporting on Decision Machines is funded by Open Society Foundations. None of our funders have any influence over the Bureau’s editorial decisions or output.