{"id":175281,"date":"2020-12-21T12:00:46","date_gmt":"2020-12-21T12:00:46","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=175281"},"modified":"2020-12-17T05:53:11","modified_gmt":"2020-12-17T05:53:11","slug":"spy-companies-using-channel-islands-to-track-phones-around-the-world","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2020\/12\/spy-companies-using-channel-islands-to-track-phones-around-the-world\/","title":{"rendered":"Spy Companies Using Channel Islands to Track Phones around the World"},"content":{"rendered":"<div id=\"attachment_175283\" style=\"width: 510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud.jpeg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-175283\" class=\"wp-image-175283\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud-1024x682.jpeg\" alt=\"\" width=\"500\" height=\"333\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud-1024x682.jpeg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud-300x200.jpeg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud-768x511.jpeg 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud-1536x1022.jpeg 1536w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/bangkok-protest-2020-cloud.jpeg 1600w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-175283\" class=\"wp-caption-text\">A protester using his phone at a rally in Bangkok August 2020.<br \/>Credit: Lillian Suwanrumpha\/AFP via Getty Images<\/p><\/div>\n<p><em>16 Dec 2020 &#8211;<\/em>Private intelligence companies are using phone networks based in the Channel Islands to enable surveillance operations to be carried out against people around the world, including British and US citizens, the Bureau of Investigative Journalism can reveal following a joint reporting project with the Guardian.<\/p>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Leaked data, documents and interviews with industry insiders who have access to sensitive information suggest that systemic weaknesses in the global telecoms infrastructure, and a particular vulnerability in Jersey and Guernsey, are being exploited by corporate spy businesses.<\/p>\n<p>These businesses take advantage of some of the ways mobile phone networks across the world interact in order to access private information on targets, such as location information or, in more sophisticated applications, the content of calls and messages or other highly sensitive data.<\/p>\n<p>The spy companies see phone operators in the Channel Islands as an especially soft route into the UK, according to industry experts, who say the attacks emanating from the islands appear to be targeted at individuals rather than cases of \u201cmass\u201d surveillance. The Bureau understands that the targets of this surveillance have been spread across the globe, and included US citizens as well as people in Europe and Africa.<\/p>\n<p>Ron Wyden, the Oregon senator and privacy advocate, described the use of foreign telecom assets to spy on people in the US as a national security threat.<\/p>\n<p>\u201cAccess into US telephone networks is a privilege,\u201d he said in response to the Bureau\u2019s findings. \u201cForeign telecom regulators need to police their domestic industry \u2013 if they don&#8217;t, they risk their country being cut off from US roaming agreements.\u201d<\/p>\n<p>Mark\u00e9ta Gregorov\u00e1, the European Parliament\u2019s chief negotiator on trade legislation for surveillance technology, called for \u201cimmediate regulatory, financial and diplomatic costs on companies and rogue jurisdictions\u201d that enabled these practices.<\/p>\n<p>\u201cAny commercial or governmental entity, foreign or domestic which enables the facilitation of warrantless cyber-attacks on European citizens deserves the full force of our justice system,\u201d she told the Bureau.<\/p>\n<p>The investigation has found that private intelligence companies are able to rent access from mobile phone operators and this can then be exploited to allow the tracking of the physical location of users across the world. They are also potentially able to intercept calls and other private data, including bank accounts and emails.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__sidebar\">\n<blockquote>\n<aside class=\"tb-c-story-pullquote\"><strong><em>\u201cThe Channel Islands cannot allow itself to be used as an offshore global spy centre\u201d<\/em><\/strong><\/aside>\n<aside class=\"tb-c-story-pullquote\"><strong> \u2013 Privacy International<\/strong><\/aside>\n<\/blockquote>\n<\/div>\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>These intrusions, which are very widely exploited, rely on commands designed to help phone operators track their customers\u2019 whereabouts. Such commands, known as \u201csignals\u201d, are sent via a kind of global switchboard for the telecoms industry called SS7.<\/p>\n<p>These are vital to the functioning of telecoms networks, and are a routine part of ensuring accurate billing when roaming overseas. But they can also be used by sophisticated state and corporate security agencies for more questionable purposes.<\/p>\n<p>Concerns about SS7 signalling, a communications system dating back to the 1970s, are well established. But little progress has been made in resolving the situation in the past decade.<\/p>\n<p>A Whitehall source described the system as \u201ctoxic, horrendous \u2013 yet one the world relies on,\u201d adding that \u201cit can be abused to geolocate people\u201d. However, securing the system is complex: \u201cif you get it wrong, you disconnect yourself from the rest of the world.\u201d<\/p>\n<p>Security fixes are being implemented in the UK, but up to now there have been concerns that Channel Islands operators have not done so, the source added.<\/p>\n<p>The problem can affect phones in the UK and abroad. Telecommunications queries sent from Channel Islands networks to phone numbers in the UK can be treated as domestic, and may evade firewalls put in place to prevent foreign signalling intrusions.<\/p>\n<p>But such messages may also evade detection globally, because by using a +44 country code they appear to be emanating from the UK, generally a well-trusted territory. Although Channel Islands networks share the UK country code they are not covered by UK regulations, opening up a weak link which spy companies can exploit.<\/p>\n<p>Senior British officials have expressed concerns about the security of the Channel Islands\u2019 networks, particularly that some smaller operators across the islands have not plugged well-known vulnerabilities. Sources told the Guardian and the Bureau that some operators, in effect, have leased access to their networks to surveillance businesses, allowing people\u2019s mobile phones to be tracked around the world. Shadow digital minister Chi Onwurah said: \u201cThis is a critical situation and it needs fixing urgently. A secure and resilient telecoms network can&#8217;t mean only worrying about China and Huawei. Our national security should be the government&#8217;s priority and we must act to protect our networks.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section tb-o-story-section--full-width\">\n<div class=\"tb-c-story-image tb-c-story-image--full-width\">\n<div id=\"attachment_175287\" style=\"width: 510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach.jpeg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-175287\" class=\"wp-image-175287\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach-1024x768.jpeg\" alt=\"\" width=\"500\" height=\"375\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach-1024x768.jpeg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach-300x225.jpeg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach-768x576.jpeg 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach-1536x1152.jpeg 1536w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Jersey-beach.jpeg 1600w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-175287\" class=\"wp-caption-text\">Jersey, as a Crown Dependency, is not subject to the UK&#8217;s laws.<br \/>&#8211; Franz Wild for TBIJ<\/p><\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Sure Guernsey, one of the Channel Islands telecoms operators identified in this investigation as a transit point for malicious signals, told the Bureau that it \u201cdoes not lease access directly or knowingly to organisations for the purposes of locating and tracking individuals or for intercepting communications content\u201d. Sure acknowledged that network access points could be misused, but said its traffic goes through \u201cUK operators\u2019 firewalls in the same way as any other international operators\u2019 traffic\u201d.<\/p>\n<p>Jersey Airtel, another operator whose network has been identified as having been used for these purposes, said: \u201cWe take network and customer security seriously and we do have necessary control measures in place to address and prevent activities that could compromise security.\u201d<\/p>\n<p>A new Telecoms Security Bill, presented to Parliament three weeks ago, aims to strengthen UK networks and safeguard them from these kinds of attacks, while raising the costs for non-compliant phone operators. The UK government does not have jurisdiction over the Channel Islands or other offshore British territories, however.<\/p>\n<p>A government spokesperson said in response to the Bureau\u2019s findings that the new bill will mean that \u201cUK network operators must protect themselves from malicious cyber activity, wherever it originates, and there will be tough penalties for operators which do not comply\u201d.<\/p>\n<p>However, British telecoms regulators and the security services have almost no powers to enforce against operators in the Channel Islands, beyond what is described as a \u201cnuclear option\u201d to remove their access to the +44 UK country code. Instead they hope that the Channel Islands can be pressured or encouraged to ensure security measures are increased in line with those planned for the UK.<\/p>\n<p>The spokesperson added: \u201cChannel Islands operators do not automatically have the same security obligations as UK operators, but the self-governing islands have committed to align their forthcoming Telecoms Security Frameworks to the UK\u2019s bill.\u201d<\/p>\n<p>Guernsey&#8217;s regulator said operators are obliged \u201cto take reasonable steps to prevent their licensed networks and services from being used in, or in relation to, the commission of offences\u201d and that the island is \u201cdeveloping frameworks in line with the UK security bill\u201d.<\/p>\n<p>Jersey\u2019s regulator said it supported the island\u2019s government in its commitment to the security of its telecoms networks.<\/p>\n<p>Experts warn that vulnerabilities will remain even after the switch to 5G as long as some networks rely on older 2G and 3G technology.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Companies that enable the exploitation of the SS7 system for surveillance operations have typically insisted that the use of their products has been limited to national law enforcement agencies fighting serious crime and terrorism. In fact, as the Bureau\u2019s investigation reveals, in some cases the net seems to have gone significantly wider.<\/p>\n<p>In one example, disclosed here for the first time, networks in the Channel Islands were used in an effort to locate Princess Latifa al-Maktoum as she attempted to evade her father, Sheikh Mohammed, the ruler of Dubai.<\/p>\n<p>Latifa, who claimed that her father had her held in solitary confinement, in the dark, beaten and sedated over a period of several years when she was in her teens and early twenties (allegations which have been denied), fled the United Arab Emirates on a chartered yacht, but was recaptured off the coast of India a week later.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-image \"><img decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/assets2.thebureauinvestigates.com\/uploads\/_storyImageSmall\/29m-Yacht-NOSTROMO-9496-46.jpg?mtime=20201209102514\" sizes=\"(min-width: 1400px) calc(.45 * 1400px), (min-width: 901px) 45vw, (min-width: 691px) calc(.6666 * 90vw), 90vw\" srcset=\"https:\/\/assets2.thebureauinvestigates.com\/uploads\/_storyImageLarge\/29m-Yacht-NOSTROMO-9496-46.jpg?mtime=20201209102514 1260w, https:\/\/assets2.thebureauinvestigates.com\/uploads\/_storyImageSmall\/29m-Yacht-NOSTROMO-9496-46.jpg?mtime=20201209102514 630w\" alt=\"\" \/><\/div>\n<div class=\"tb-c-story-image \" style=\"text-align: center;\"><span class=\"tb-c-story-media-caption \">The yacht used in Princess Latifa&#8217;s escape attempt <\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Data reviewed by the Bureau shows that a series of signals designed to reveal phone location were sent to a US-registered mobile belonging to the yacht&#8217;s skipper, Herv\u00e9 Jaubert, the day before commandos stormed the yacht and seized the princess. The effort appears to have been part of a huge bid by the Emiratis \u2013 mobilising boats, a surveillance plane and electronic means \u2013 to track down the fleeing princess. Signals were sent via mobile networks in Jersey, Guernsey, Cameroon, Israel, Laos and the USA.<\/p>\n<p>It is impossible to know if SS7 was the key to locating the yacht: Jaubert told the Bureau that he did not have this phone with him at the time, and that even if successfully compromised it could not have revealed his location.<\/p>\n<p>But the method of the attack, using a string of mobile networks around the world to send queries in quick succession, casts a stark light on how widespread the penetration of global telecoms infrastructure for surveillance purposes has become \u2013 and on the fact that such surveillance is not always just directed at criminal masterminds.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-video\">\n<div class=\"tb-o-iframe-video\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube-nocookie.com\/embed\/UBa7R1rU93M?autoplay=0\" width=\"640\" height=\"360\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>The operation began around 2:30am local time on 3 March 2018, when Jersey Airtel and Sure Guernsey made a series of SRI (\u201csend routing information\u201d) requests directed at Jaubert&#8217;s US-registered phone. These requests can disclose the subscriber identification number used to obtain further levels of access to a phone\u2019s confidential data.<\/p>\n<p>Seconds later, a network in Cameroon sent a further SRI command to the same number, followed by what telecoms engineers call an ATI \u2013 an \u201cany time interrogation\u201d request. The ATI command can generate a \u201cCell-ID\u201d, which discloses, within a certain radius, the last known location of a phone. More ATI requests followed in quick succession, sent via Jersey Airtel and networks in Israel and Laos.<\/p>\n<p>On this occasion these attempts to use foreign networks to locate Jaubert&#8217;s phone were blocked by international firewalls. The attackers tried a different tactic: they switched to a US network, signalling into the phone via a small operator in Minnesota, NewCore Wireless.<\/p>\n<p>Albert Kangas, head of NewCore Wireless, said that his company had leased the access point used in the operation to another US-based wireless network, which in turn had subleased it to a \u201cwholesale partner\u201d. Kangas did not identify the network which NewCore had rented its access point to, but disclosed that, the month after the operation, \u201cit was disconnected due to some suspicious activity\u201d.<\/p>\n<p>Informed that reporters were investigating how his phone network had seemingly been used as part of a surveillance operation prior to a kidnapping, he replied: \u201cThat\u2019s not good.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section tb-o-story-section--full-width tb-c-story-mbsc tb-js-story-mbsc\">\n<div class=\"tb-c-story-mbsc__media tb-js-object-fit\" style=\"text-align: center;\">\n<div class=\"tb-c-story-mbsc__image\">\n<div id=\"attachment_175288\" style=\"width: 510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast.jpeg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-175288\" class=\"wp-image-175288\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast-768x1024.jpeg\" alt=\"\" width=\"500\" height=\"667\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast-768x1024.jpeg 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast-225x300.jpeg 225w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast-1152x1536.jpeg 1152w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast-1536x2048.jpeg 1536w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/jersey-cow-telephone-mast.jpeg 1600w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-175288\" class=\"wp-caption-text\">Franz Wild for TBIJ<\/p><\/div>\n<\/div>\n<\/div>\n<div class=\"tb-c-story-mbsc__text\">\n<div class=\"tb-o-layout-width\">\n<div class=\"tb-c-story-mbsc__text-inner\">\n<blockquote><p><em><strong>\u201cIf it\u2019s a small island you\u2019re probably going to get access\u201d<\/strong><\/em><\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>The use of Jersey and Guernsey for this operation was not an isolated incident.<\/p>\n<p>Network security analysts have told the Bureau the British +44 country code has consistently led the world in the number of origin points for malicious traffic for the past two years, and the Channel Islands is believed to account for the majority of this.<\/p>\n<p>Recent aggregated data seen by the Bureau shows a steady stream of signalling intrusions flowing from the Channel Islands into phone networks worldwide. The data, which is only a small snapshot, shows hundreds of intrusion attempts were sent via Sure Guernsey and Jersey Airtel into networks in North America, Europe and Africa in August of this year.<\/p>\n<p>In one case shared with the <em>Guardian<\/em> by Gary Miller, a mobile security researcher at Exigent Media who has studied sensitive messaging signals, a US mobile phone user who works for a communications company was closely tracked using signals that can pinpoint a user\u2019s location and possibly intercept communications while on a trip to Bangladesh in August 2020. This was described by Miller as a surveillance attack emanating through Sure Guernsey. Miller said the tracking messages were highly suspicious and not possible under a \u201cnormal usage scenario\u201d.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Industry insiders told the Bureau that some places were believed to rent out network access to third parties more readily than others, making them potential hotspots for this type of traffic.<\/p>\n<p>\u201cIf it\u2019s a small island you\u2019re probably going to get access,\u201d an industry executive with experience of SS7 signalling told the Bureau. \u201cThat\u2019s how we look at it anyway. Just go to a small island, not many subscribers, they\u2019ve got all this infrastructure.\u201d<\/p>\n<p>Asked about the Channel Islands, the executive replied: \u201cThey\u2019re the experts in it.\u201d<\/p>\n<p>Human rights NGOs have reacted with concern to the revelations.<\/p>\n<p>\u201cThe Channel Islands cannot allow itself to be used as an offshore global spy centre,\u201d Edin Omanovic, advocacy director at Privacy International, told the Bureau.<\/p>\n<p>\u201cIt is scandalous that this has been allowed to happen. It not only threatens the security of anyone in the UK, it undermines the UK\u2019s own interests in supporting the work of human rights defenders, journalists, and democratic movements abroad.\u201d<\/p>\n<p>In a statement to the Bureau, Sure Guernsey acknowledged that network access points \u201ccan be misused\u201d and said that it takes \u201ca number of actions to mitigate this risk\u201d.<\/p>\n<p>\u201cSure works with global telecommunications companies, including all the UK operators, to monitor signalling traffic,\u201d the company stated. Any complaint \u201cresults in the service being immediately ceased and subsequently permanently terminated if malicious or inappropriate traffic is discovered upon investigation. Sure has seen a declining trend in such malicious activity in recent years. Sure works with the UK National Cyber Security Centre where we share our approach to minimising the risk of misuse.\u201d<\/p>\n<p>Jersey Airtel told the Bureau that it leased access points to a \u201cwide spectrum\u201d of third-party agencies. The company added: \u201cIn case of any such misuse, we take strict action to block, investigate and initiate strict measures &#8230; To this end, we have also invested in an SS7 firewall solution from a trusted and reputable vendor which helps in blocking any misuse &#8230; by third-party partners, thus our SS7 security is more robust than that of average operators.\u201d<\/p>\n<div id=\"attachment_175290\" style=\"width: 510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline.jpeg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-175290\" class=\"wp-image-175290\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline-1024x682.jpeg\" alt=\"\" width=\"500\" height=\"333\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline-1024x682.jpeg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline-300x200.jpeg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline-768x512.jpeg 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline-1536x1023.jpeg 1536w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/tel-aviv-skyline.jpeg 1600w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-175290\" class=\"wp-caption-text\">Tel Aviv, Israel. Chris McGrath\/Getty Images<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>In recent years a hub of surveillance tech companies has emerged in Israel, selling a variety of interception and hacking tools to governments around the world. They fly largely under the radar, although an ongoing lawsuit in California launched by WhatsApp, the popular messaging service, against NSO Group, a spy company headquartered near Tel Aviv, has brought the industry to greater prominence. WhatsApp, which is owned by Facebook, has accused NSO of sending malware to 1,400 phones in order to break its encryption and access its customers\u2019 messages. NSO Group denies any wrongdoing.<\/p>\n<p>The Bureau\u2019s investigation has confirmed that another Israeli company, Rayzone Group, had leased the Sure Guernsey network access point \u2013 technically known as a \u201cglobal title\u201d \u2013 used in connection with the apparent attempted surveillance of Princess Latifa at the time of the operation.<\/p>\n<p>Rayzone Group\u2019s website advertises \u201cboutique intelligence-based solutions for national agencies\u201d, aimed at countering terrorism and crimes which \u201cpose a direct threat to the security of citizens worldwide, and to international stability and prosperity\u201d. The company offers services to its clients including interception and location tracking.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Rayzone Group denied any role in the operation to capture Latifa al-Maktoum, stating that \u201cany attempt to associate our company with activities that could have been performed by others, is misleading and untrue\u201d.<\/p>\n<p>Vered Ashkenazi, the company\u2019s chief business officer, told the Bureau that Rayzone\u2019s \u201cgeolocation tools are operated solely by the customers (the end users) and not by us\u201d.<\/p>\n<p>After the Bureau\u2019s inquiry, she said, Rayzone had \u201cconducted a thorough internal investigation into these claims\u201d and \u201cwe can confidently state that, to the best of our knowledge, none of our company\u2019s products have been (or could have been) associated with this case in any way\u201d.<\/p>\n<p>Ashkenazi declined to respond to a detailed series of questions about the global titles used in the operation. Two industry sources have corroborated Rayzone Group\u2019s rental of the Sure Guernsey global title, +44 7781 001065, that signalled at the yacht captain\u2019s mobile phone.<\/p>\n<p>According to invoices seen by the Bureau, Rayzone rented this access point in January 2018 for a three-month period, via a subsidiary in the British Virgin Islands, at a cost of $13,000 per month. The Latifa operation, on March 3 of that year, would fall within this period.<\/p>\n<p>More recent data seen by the Bureau suggests that over the past two years Rayzone Group has been significantly active in the worldwide phone surveillance market.<\/p>\n<p>A sample of data, believed to cover only a part of Rayzone\u2019s operations, shows that between August 2019 and April 2020 the company enabled the targeting of more than 60 countries, with thousands of signals being sent into more than 130 different networks.<\/p>\n<p>Spain \u2013 where the <em>Guardian<\/em> and <em>El Pa\u00eds<\/em> <a target=\"_blank\" href=\"https:\/\/www.theguardian.com\/world\/2020\/jul\/13\/phone-of-top-catalan-politician-targeted-by-government-grade-spyware\" >revealed in July<\/a> that a top Catalan politician was targeted in a \u201cpossible case of domestic political espionage\u201d \u2013 was high on the list of countries monitored. The data shows thousands of message units requesting phone information from multiple major mobile networks.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__sidebar\">\n<blockquote>\n<aside class=\"tb-c-story-pullquote\"><em><strong>\u201cPeople say \u20185G will solve everything\u2019 &#8230; but this will not be the case until every network on earth is 4G or 5G.\u201d<\/strong><\/em><\/aside>\n<\/blockquote>\n<\/div>\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Large numbers of signals were also sent into Serbia, the Netherlands, Bulgaria, Denmark, Portugal, Cyprus and Bosnia-Herzegovina. Moreover, the Bureau\u2019s investigation has confirmed that Rayzone Group has also leased access \u2013 directly or indirectly \u2013 to global titles in Iceland, Sweden and Switzerland.<\/p>\n<p>\u201cThe revelations of the sheer scale and global dimension of these attacks are a wake-up call,\u201d Mark\u00e9ta Gregorov\u00e1, the European surveillance rapporteur, said in response to the Bureau\u2019s findings. \u201cThe delicate balance between lawful governmental surveillance and the sanctity of fundamental rights has been turned on its head.\u201d<\/p>\n<p>Overall, the data shows some level of activity in almost every country in Europe, as well as hinting at the extent of companies like Rayzone&#8217;s reach elsewhere in the world: networks were more heavily targeted in Israel, Hong Kong, Thailand, Guatemala, the Dominican Republic and the USA, with smaller scale intrusions into \u2013 among others \u2013 Morocco, Sudan, Libya, Palestine, Syria and Iran.<\/p>\n<p>The data does not show how many devices were targeted. But it does indicate in which months particular countries were in the crosshairs. In August 2019 the USA and Bosnia were scenes of particular activity; in October, the Netherlands; in December, Spain and Portugal; in March 2020, Serbia, Bulgaria, Pakistan and Israel; and in April, Spain again.<\/p>\n<p>In March, according to a separate tranche of data seen by the Bureau, Rayzone Group sent several thousand intrusive signals to phones in the UK. Although principally aimed at UK-based mobile numbers, the targets also appear to have included people from 27 other countries, among which were Thailand, Jordan, Egypt, Russia, Spain, Ukraine and Malaysia.<\/p>\n<p>The data does not indicate whether an attack succeeded, or what its objective was. But it does show that in some cases, dozens of signals were directed at a device, suggesting a significant attempted surveillance operation.<\/p>\n<p>Rayzone said: \u201cOur company develops intelligence and cybersecurity products for use by governmental authorities only.\u201d<\/p>\n<p>Presented with a detailed list of the Bureau\u2019s findings, Rayzone declined to comment, stating only that all such questions \u201centail regulatory and trade secret issues and a risk to our customers\u2019 ongoing operations against terror and severe crime, thus we are unable [to] specifically address the questions in a detailed manner and nothing herein shall be construed as to confirm or deny any claims raised in your letter\u201d.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section tb-o-story-section--full-width\">\n<div class=\"tb-c-story-image tb-c-story-image--full-width\">\n<div id=\"attachment_175289\" style=\"width: 510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite.jpeg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-175289\" class=\"wp-image-175289\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite-1024x682.jpeg\" alt=\"\" width=\"500\" height=\"333\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite-1024x682.jpeg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite-300x200.jpeg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite-768x511.jpeg 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite-1536x1022.jpeg 1536w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/spain-satellite.jpeg 1600w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-175289\" class=\"wp-caption-text\">Spain was high on the list of targets in a cache of data relating to Rayzone&#8217;s signalling attempts.<br \/>Universal History Archive\/Universal Images Group via Getty Images<\/p><\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Industry insiders who spoke to the Bureau said that despite revelations some years ago of how network vulnerabilities could be used for surveillance, the situation now is, if anything, worse than before.<\/p>\n<p>The mobile phone industry is evolving at pace, with 5G technology now on the horizon for many. Despite these advances, however, a 2019 survey of security threats, carried out by the mobile operators\u2019 association GSMA, found that older 2G and 3G networks still carry half of the world&#8217;s traffic.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__sidebar\">\n<div class=\"tb-c-story-breakout tb-c-story-breakout--light\">\n<blockquote>\n<p class=\"tb-c-story-breakout__header tb-c-story-breakout__header--stat\"><strong><em>90% of text messages are vulnerable to interception<\/em><\/strong><\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>Although newer generation networks may be more secure in some ways, they still need to be able to communicate with older ones \u2013 otherwise half of all phones would be unable to connect to the other half. This opens newer networks up to signalling attacks.<\/p>\n<p>The GSMA study reported that that nine out of ten text messages are vulnerable to interception, while two-thirds of the networks surveyed had failed to protect properly against malicious signalling. There appears to be no quick fix to the morass of the global telecommunications landscape.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>\u201cPeople say \u20185G will solve everything\u2019,\u201d Sid Rao, a security researcher at Aalto University, Finland, told the Bureau. \u201cBut this will not be the case until every network on earth is 4G or 5G. Until this happens, in say 30 years, vulnerabilities in old networks will still be a risk to all other networks.\u201d<\/p>\n<p>Rao&#8217;s assessment is blunt: \u201cIf there\u2019s one 2G network left on Earth it&#8217;s still a problem.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"tb-o-story-section\">\n<div class=\"tb-o-story-section__body\">\n<div class=\"tb-c-story-text-block\">\n<p>________________________________________________<\/p>\n<p style=\"padding-left: 40px;\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Crofton-black.jpeg\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-175282\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Crofton-black-150x150.jpeg\" alt=\"\" width=\"150\" height=\"150\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Crofton-black-150x150.jpeg 150w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2020\/12\/Crofton-black.jpeg 252w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/><\/a><em>Crofton Black is a writer and researcher specialising in technology and security. He is a leading expert on the CIA\u2019s rendition, detention and interrogation programme and a specialist in military and intelligence corporate contracting. He has a PhD in the history of philosophy from the University of London and is co-author of the award-winning <\/em>Negative Publicity: Artefacts of Extraordinary Rendition.<\/p>\n<p>&nbsp;<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.thebureauinvestigates.com\/profile\/croftonblack\" >Go to Original &#8211; thebureauinvestigates.com<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>16 Dec 2020 &#8211; Surveillance firms can track the location of mobile phone users, intercept their messages and calls and access their sensitive data, thanks to vulnerabilities in how phone networks communicate with each other, our story shows. Experts told us the Channel Islands are an easy route in. We found evidence of surveillance attempts in more than 60 countries.<\/p>\n","protected":false},"author":4,"featured_media":175282,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[242],"tags":[1082,1678,1109,461,1112],"class_list":["post-175281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exposures","tag-cellphones","tag-investigative-journalism","tag-spying","tag-technology","tag-telecommunication"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/175281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=175281"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/175281\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media\/175282"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=175281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=175281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=175281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}