Spy companies using Channel Islands to track phones around the world
By Crofton Black
Private intelligence companies are using phone networks based in the Channel Islands to enable surveillance operations to be carried out against people around the world, including British and US citizens, the Bureau of Investigative Journalism has revealed following a joint reporting project with the Guardian.
Leaked data, documents and interviews with industry insiders who have access to sensitive information suggest that systemic weaknesses in the global telecoms infrastructure, and a particular vulnerability in Jersey and Guernsey, are being exploited by corporate spy businesses.
These businesses take advantage of some of the ways mobile phone networks across the world interact in order to access private information on targets, such as location information or, in more sophisticated applications, the content of calls and messages or other highly sensitive data.
The spy companies see phone operators in the Channel Islands as an especially soft route into the UK, according to industry experts, who say the attacks emanating from the islands appear to be targeted at individuals rather than cases of “mass” surveillance. The Bureau understands that the targets of this surveillance have been spread across the globe, and included US citizens as well as people in Europe and Africa.
Ron Wyden, the Oregon senator and privacy advocate, described the use of foreign telecom assets to spy on people in the US as a national security threat.
“Access into US telephone networks is a privilege,” he said in response to the Bureau’s findings. “Foreign telecom regulators need to police their domestic industry – if they don’t, they risk their country being cut off from US roaming agreements.”
Markéta Gregorová, the European Parliament’s chief negotiator on trade legislation for surveillance technology, called for “immediate regulatory, financial and diplomatic costs on companies and rogue jurisdictions” that enabled these practices.
“Any commercial or governmental entity, foreign or domestic which enables the facilitation of warrantless cyber-attacks on European citizens deserves the full force of our justice system,” she told the Bureau.
The investigation has found that private intelligence companies are able to rent access from mobile phone operators and this can then be exploited to allow the tracking of the physical location of users across the world. They are also potentially able to intercept calls and other private data, including bank accounts and emails.
These intrusions, which are very widely exploited, rely on commands designed to help phone operators track their customers’ whereabouts. Such commands, known as “signals”, are sent via a kind of global switchboard for the telecoms industry called SS7.
These are vital to the functioning of telecoms networks, and are a routine part of ensuring accurate billing when roaming overseas. But they can also be used by sophisticated state and corporate security agencies for more questionable purposes.
Concerns about SS7 signalling, a communications system dating back to the 1970s, are well established. But little progress has been made in resolving the situation in the past decade.
A Whitehall source described the system as “toxic, horrendous – yet one the world relies on,” adding that “it can be abused to geolocate people”. However, securing the system is complex: “if you get it wrong, you disconnect yourself from the rest of the world.”
Security fixes are being implemented in the UK, but up to now there have been concerns that Channel Islands operators have not done so, the source added.
The problem can affect phones in the UK and abroad. Telecommunications queries sent from Channel Islands networks to phone numbers in the UK can be treated as domestic, and may evade firewalls put in place to prevent foreign signalling intrusions.
But such messages may also evade detection globally, because by using a +44 country code they appear to be emanating from the UK, generally a well-trusted territory. Although Channel Islands networks share the UK country code they are not covered by UK regulations, opening up a weak link which spy companies can exploit.
Senior British officials have expressed concerns about the security of the Channel Islands’ networks, particularly that some smaller operators across the islands have not plugged well-known vulnerabilities. Sources told the Guardian and the Bureau that some operators, in effect, have leased access to their networks to surveillance businesses, allowing people’s mobile phones to be tracked around the world.
Shadow digital minister Chi Onwurah said: “This is a critical situation and it needs fixing urgently. A secure and resilient telecoms network can’t mean only worrying about China and Huawei. Our national security should be the government’s priority and we must act to protect our networks.”
Sure Guernsey, one of the Channel Islands telecoms operators identified in this investigation as a transit point for malicious signals, told the Bureau that it “does not lease access directly or knowingly to organisations for the purposes of locating and tracking individuals or for intercepting communications content”. Sure acknowledged that network access points could be misused, but said its traffic goes through “UK operators’ firewalls in the same way as any other international operators’ traffic”.
Jersey Airtel, another operator whose network has been identified as having been used for these purposes, said: “We take network and customer security seriously and we do have necessary control measures in place to address and prevent activities that could compromise security.”
A new Telecoms Security Bill, presented to Parliament three weeks ago, aims to strengthen UK networks and safeguard them from these kinds of attacks, while raising the costs for non-compliant phone operators. The UK government does not have jurisdiction over the Channel Islands or other offshore British territories, however.
A government spokesperson said in response to the Bureau’s findings that the new bill will mean that “UK network operators must protect themselves from malicious cyber activity, wherever it originates, and there will be tough penalties for operators which do not comply”.
However, British telecoms regulators and the security services have almost no powers to enforce against operators in the Channel Islands, beyond what is described as a “nuclear option” to remove their access to the +44 UK country code. Instead, they hope that the Channel Islands can be pressured or encouraged to ensure security measures are increased in line with those planned for the UK.
The spokesperson added: “Channel Islands operators do not automatically have the same security obligations as UK operators, but the self-governing islands have committed to align their forthcoming Telecoms Security Frameworks to the UK’s bill.”
Guernsey’s regulator said operators are obliged “to take reasonable steps to prevent their licensed networks and services from being used in, or in relation to, the commission of offences” and that the island is “developing frameworks in line with the UK security bill”.
Jersey’s regulator said it supported the island’s government in its commitment to the security of its telecoms networks.
Experts warn that vulnerabilities will remain even after the switch to 5G as long as some networks rely on older 2G and 3G technology.
Companies that enable the exploitation of the SS7 system for surveillance operations have typically insisted that the use of their products has been limited to national law enforcement agencies fighting serious crime and terrorism. In fact, as the Bureau’s investigation reveals, in some cases the net seems to have gone significantly wider.
Network security analysts have told the Bureau the British +44 country code has consistently led the world in the number of origin points for malicious traffic for the past two years, and the Channel Islands is believed to account for the majority of this.
Recent aggregated data seen by the Bureau shows a steady stream of signalling intrusions flowing from the Channel Islands into phone networks worldwide. The data, which is only a small snapshot, shows hundreds of intrusion attempts were sent via Sure Guernsey and Jersey Airtel into networks in North America, Europe and Africa in August of this year.
In one case shared with the Guardian by Gary Miller, a mobile security researcher at Exigent Media who has studied sensitive messaging signals, a US mobile phone user who works for a communications company was closely tracked using signals that can pinpoint a user’s location and possibly intercept communications while on a trip to Bangladesh in August 2020. This was described by Miller as a surveillance attack emanating through Sure Guernsey. Miller said the tracking messages were highly suspicious and not possible under a “normal usage scenario”.
Industry insiders told the Bureau that some places were believed to rent out network access to third parties more readily than others, making them potential hotspots for this type of traffic.
“If it’s a small island you’re probably going to get access,” an industry executive with experience of SS7 signalling told the Bureau. “That’s how we look at it anyway. Just go to a small island, not many subscribers, they’ve got all this infrastructure.”
Asked about the Channel Islands, the executive replied: “They’re the experts in it.”
Human rights NGOs have reacted with concern to the revelations.
“The Channel Islands cannot allow itself to be used as an offshore global spy centre,” Edin Omanovic, advocacy director at Privacy International, told the Bureau.
“It is scandalous that this has been allowed to happen. It not only threatens the security of anyone in the UK, it undermines the UK’s own interests in supporting the work of human rights defenders, journalists, and democratic movements abroad.”
In a statement to the Bureau, Sure Guernsey acknowledged that network access points “can be misused” and said that it takes “a number of actions to mitigate this risk”.
“Sure works with global telecommunications companies, including all the UK operators, to monitor signalling traffic,” the company stated. Any complaint “results in the service being immediately ceased and subsequently permanently terminated if malicious or inappropriate traffic is discovered upon investigation. Sure has seen a declining trend in such malicious activity in recent years. Sure works with the UK National Cyber Security Centre where we share our approach to minimising the risk of misuse.”
Jersey Airtel told the Bureau that it leased access points to a “wide spectrum” of third-party agencies. The company added: “In case of any such misuse, we take strict action to block, investigate and initiate strict measures … To this end, we have also invested in an SS7 firewall solution from a trusted and reputable vendor which helps in blocking any misuse … by third-party partners, thus our SS7 security is more robust than that of average operators.”
In recent years a hub of surveillance tech companies has emerged in Israel, selling a variety of interception and hacking tools to governments around the world. They fly largely under the radar, although an ongoing lawsuit in California launched by WhatsApp, the popular messaging service, against NSO Group, a spy company headquartered near Tel Aviv, has brought the industry to greater prominence. WhatsApp, which is owned by Facebook, has accused NSO of sending malware to 1,400 phones in order to break its encryption and access its customers’ messages. NSO Group denies any wrongdoing.
The Bureau’s investigation has confirmed that another Israeli company, Rayzone Group, had leased the Sure Guernsey network access point – technically known as a “global title.”
Rayzone Group’s website advertises “boutique intelligence-based solutions for national agencies”, aimed at countering terrorism and crimes which “pose a direct threat to the security of citizens worldwide, and to international stability and prosperity”. The company offers services to its clients including interception and location tracking.
Vered Ashkenazi, the company’s chief business officer, told the Bureau that Rayzone’s “geolocation tools are operated solely by the customers (the end users) and not by us”.
More recent data seen by the Bureau suggests that over the past two years Rayzone Group has been significantly active in the worldwide phone surveillance market.
A sample of data, believed to cover only a part of Rayzone’s operations, shows that between August 2019 and April 2020 the company enabled the targeting of more than 60 countries, with thousands of signals being sent into more than 130 different networks.
Spain – where the Guardian and El País revealed in July that a top Catalan politician was targeted in a “possible case of domestic political espionage” – was high on the list of countries monitored. The data shows thousands of message units requesting phone information from multiple major mobile networks.
Large numbers of signals were also sent into Serbia, the Netherlands, Bulgaria, Denmark, Portugal, Cyprus and Bosnia-Herzegovina. Moreover, the Bureau’s investigation has confirmed that Rayzone Group has also leased access – directly or indirectly – to global titles in Iceland, Sweden and Switzerland.
“The revelations of the sheer scale and global dimension of these attacks are a wake-up call,” Markéta Gregorová, the European surveillance rapporteur, said in response to the Bureau’s findings. “The delicate balance between lawful governmental surveillance and the sanctity of fundamental rights has been turned on its head.”
Overall, the data shows some level of activity in almost every country in Europe, as well as hinting at the extent of companies like Rayzone’s reach elsewhere in the world: networks were more heavily targeted in Israel, Hong Kong, Thailand, Guatemala, the Dominican Republic and the USA, with smaller-scale intrusions into – among others – Morocco, Sudan, Libya, Palestine, Syria and Iran.
The data does not show how many devices were targeted. But it does indicate in which months particular countries were in the crosshairs. In August 2019 the USA and Bosnia were scenes of particular activity; in October, the Netherlands; in December, Spain and Portugal; in March 2020, Serbia, Bulgaria, Pakistan and Israel; and in April, Spain again.
In March, according to a separate tranche of data seen by the Bureau, Rayzone Group sent several thousand intrusive signals to phones in the UK. Although principally aimed at UK-based mobile numbers, the targets also appear to have included people from 27 other countries, among which were Thailand, Jordan, Egypt, Russia, Spain, Ukraine and Malaysia.
The data does not indicate whether an attack succeeded, or what its objective was. But it does show that in some cases, dozens of signals were directed at a device, suggesting a significant attempted surveillance operation.
Rayzone said: “Our company develops intelligence and cybersecurity products for use by governmental authorities only.”
Presented with a detailed list of the Bureau’s findings, Rayzone declined to comment, stating only that all such questions “entail regulatory and trade secret issues and a risk to our customers’ ongoing operations against terror and severe crime, thus we are unable [to] specifically address the questions in a detailed manner and nothing herein shall be construed as to confirm or deny any claims raised in your letter”.
Industry insiders who spoke to the Bureau said that despite revelations some years ago of how network vulnerabilities could be used for surveillance, the situation now is, if anything, worse than before.
The mobile phone industry is evolving at pace, with 5G technology now on the horizon for many. Despite these advances, however, a 2019 survey of security threats, carried out by the mobile operators’ association GSMA, found that older 2G and 3G networks still carry half of the world’s traffic.
Although newer generation networks may be more secure in some ways, they still need to be able to communicate with older ones – otherwise half of all phones would be unable to connect to the other half. This opens newer networks up to signalling attacks.
The GSMA study reported that nine out of ten text messages are vulnerable to interception, while two-thirds of the networks surveyed had failed to protect properly against malicious signalling. There appears to be no quick fix to the morass of the global telecommunications landscape.
“People say ‘5G will solve everything’,” Sid Rao, a security researcher at Aalto University, Finland, told the Bureau. “But this will not be the case until every network on earth is 4G or 5G. Until this happens, in say 30 years, vulnerabilities in old networks will still be a risk to all other networks.”
Rao’s assessment is blunt: “If there’s one 2G network left on Earth it’s still a problem.”
Crofton Black is a writer and researcher specialising in technology and security. He is a leading expert on the CIA’s rendition, detention and interrogation programme and a specialist in military and intelligence corporate contracting. This article was first published by media partner The Bureau of Investigative Journalism.