The cell phone network can betray anyone’s location: Were the Arab princess and her Finnish friend abducted from a luxury yacht because of the captain’s phone?

Laura Halminen
January 22, 2021, Helsingin Sanomat

THE captain of NOSTROMO had decided that the group would take a course towards Goa, India. The 30-meter-long luxury yacht was running out of fuel.

It was March 3, 2018 somewhere in the Arabian Sea. On board Nostromo, Princess Latifa bint Mohammed al-Maktoum of Dubai traveled with her friend Tiina Jauhiainen. In addition, Captain Hervé Jaubert and a three-member crew were on board.

The party departed from Oman and had already traveled for eight days.

They never got to Goa and did not continue from there to Mumbai. Latifa was to travel through India to the United States and apply for asylum there. She is the adult daughter of the Prime Minister of the United Arab Emirates, the ruler of Dubai, Mohammed bin Rashid al-Maktoum.

On the evening of the fourth of March, the princess was brushing her teeth as the Indian Border Guard and special forces attacked the ship with members of the United Arab Emirates navy. Everyone was captured, and Princess Latifa is still a prisoner of her father.

When Nostromo was attacked and the escape went awry, a video made by Princess Latifa before she left was posted online, in which the princess accuses her father of imprisoning her sister and herself.

Mohammed bin Rashid al-Maktoum, Vice President and Prime Minister of the United Arab Emirates, in Beijing in April 2019.  (PHOTO:  NICOLAS ASFOURI / REUTERS)

Other detainees were released after two and a half weeks, but Latifa was seen next, and so far the only time, for Christmas 2018. That is when the ruler of Dubai released photos of Latifa staring into the void, together with the former President of Ireland, and former UN Human Rights Commissioner Mary Robinson. Robinson suggested that Latifa had serious mental health problems and confirmed that the princess was considered medicated. However, she argued that isolation would be in Lafita’s own best interest.

Meeting Robinson was a publicity stunt. It was arranged by the Prime Minister’s wife, Princess Haya of Jordan, who soon fled to Britain and divorced because she too was intimidated and threatened.

Screenshot of a long video taken by Latifa before leaving.  (IMAGE:  YOUTUBE)

To date, there is no complete certainty as to why Latifa’s escape was interrupted, even though it had been carefully prepared.

According to the new information, the party could be caught in an attack via the SS7 protocol, which takes advantage of the features of the mobile network.

IN DECEMBER, an international investigative journalism organization The Bureau of Investigative Journalism (TBIJ) published a story with leaked billing traffic from an Israeli company. A billing transaction from a company called Rayzone showed that the company had leased an access point owned by an operator on the island of Guernsey from January 2018 for the next three months. Leases had also been made to similar access points for small operators on the island of Jersey and in the United States.

Guernsey and Jersey are British enclaves in the English Channel that do not belong to the United Kingdom.

Rayzone had made location inquiries from the Guernsey Island Contact Point to a U.S. cell phone subscriber on March 3, 2018. The subscription was owned by Hervé Jaubert: a French-American adventurer and owner and captain of the Nostromo yacht used in Princess Latifa’s escape.

The night after the attempted locating of Jaubert’s phone, Indian special forces attacked the ship, captured the entourage and the ship’s crew, and handed them over to the United Arab Emirates authorities.

THE INFORMATION ABOUT locating the captain’s phone is new. It is still not possible to say with certainty whether the location of the party was caught by an attack made via the SS7 protocol.

That is entirely possible, says Sid Rao of Aalto University. He is a dissertation researcher specializing in cell phone network encryption.

“This is a feature of the cellular network that is being misused because they lack authentication,” says Rao.

Signaling System 7, or SS7, is a mobile communication protocol that allows operators to connect calls to each other. It is especially used for connecting international calls. SS7 is used especially on 2G and 3G networks, which are still the most common mobile networks in the world.

“SS7 was built in 1975, when all operators were still state-owned and private operators had no access to telephone traffic,” Rao says. At that time, the priority was to enable international connections between operators, so little attention was paid to security.

Security was only an afterthought, and some of the world’s operators use a variety of technologies to prevent abuse. However, not all of them, so abuse is more difficult, but has not been completely prevented.

NOT only state-owned mobile operators in Saudi Arabia and China, for example, but also private operators leasing their own networks have become a PROBLEM.

When the SS7 feature is abused, commands are sent from one operator network to another to first retrieve routing information for the mobile subscriber. Some operators have anti-abuse methods in place, but they are operator-specific. Thus, if one operator query fails, a well-prepared villain will deploy another operator’s network.

Once the routing information is obtained, the attacker uses the leased network to send a command to locate the cell phone subscriber. In this way, the location of the target can be known with the accuracy of even one base station.

POSITIONING is very useful if you happen to get lost in nature, for example. By calling the emergency center, the emergency center attendant can use the emergency positioning command, and the lost caller will be found. There are several different positioning commands for different purposes.

TBIJ organization received information showing that the SS7 feature is used continuously for locating people under questionable circumstances in almost every European country.

This everyday feature can locate almost anyone from anywhere in the world with an accuracy of up to 30 meters.

The method is remarkably accurate. It can put people at considerable risk, especially if their lives and health have been threatened in the past.

The problem with these inherent functions come when a person does not want to be found.

Mobile network base station. (PHOTO:  FRANK HOERMANN / SVEN SIMON / ZUMA PRESS)

In December, China was caught spying on SS7. It both used a state-owned cell phone operator and leased a cellular network from the Caribbean and illegally located up to tens of thousands of people in the United States during these one-month or two-month periods. The issue was reported by the British newspaper The Guardian.

In the winter of 2020, Saudi Arabia roared. The Guardian received information from an anonymous whistleblower about how often location commands were sent from the networks of the three Saudi operators to the networks of U.S. operators – far too often to be anything other than espionage.

THE UNITED ARAB EMIRATES is a rich and technically advanced state. It has been caught using technology to trample on human rights many times already.

The United Arab Emirates, for example, set up a company called DarkMatter on the side of state authorities, which developed methods for spying on iPhones and broke into the phone of a former Turkish prime minister, for example.

The emirates have purchased services from an Israeli company, NSO. It sells to oppressors a service that could have been used, for example, to target cyber-dissidents through WhatsApp. The emirates have also set up their own instant messaging service, ToTok, whose ultimate purpose may well have been mainly spying on reckless citizens.

There is no trick for such an administration and nothing misuses mobile networks.

Hervé Jaubert and Tiina Jauhiainen at a Detained in Dubai press conference in London in April 2018 after they were released by UAE authorities but Princess Latifa had disappeared. (PHOTO:  JOONAS SALO)

TBIJ reached Hervé Jaubert in December. Jaubert claimed he was not involved with his U.S. subscription while transporting Princess Latifa and Jauhiainen in the winter of 2018.

Tiina Jauhiainen lives in Britain and continues to campaign for the release of her friend Latifa. After Latifa’s abduction, Jauhiainen was detained and interrogated in the United Arab Emirates for a few days before the authorities gave her a plane ticket to Finland.

“I don’t know if Jaubert had his U.S. mobile phone with him because I dealt with him myself for his Filipino issue,” Jauhiainen tells HS.

“But Jaubert had several different phones with him. Also a satellite phone,” says Jauhiainen. “He was careless anyway and encouraged us to use the ship’s wireless internet while on the yacht.”

HACKER LANGUAGE has the concept of attack SURFACE. It includes all visible information systems, the telecommunications that are open in them and the services that the information system provides. In practice, the attack surface is a means of gaining access to the target. Mobile subscriptions in several countries are an attack surface. Satellites are also spying, so the satellite phone is an attack surface. The same goes for the wifi network.

Captain Jaubert thus seems to have created quite a lot of attack surface around himself and his clients, Princess Latifa and Tiina Jauhiainen.

“Hervé [Jaubert] was really badly prepared. He flinched and hurried. There was not even enough fuel,” Jauhiainen says now.

When Jauhiainen was arrested from the ship and released after a few days, her seized laptop was not returned. Jauhiainen’s ProtonMail email address, which was considered safe, was messed up so that she could never log in to her mail again. All data on the smartphone was erased.

Authorities cleaned their tracks.

View of Dubai Global Village in November 2020. (PHOTO:  AHMED JADALLAH / REUTERS)