Israeli private intelligence company Rayzone Group appears to have accessed the global telecommunications network through a mobile operator in the Channel Islands in the first half of 2018, potentially allowing its customers to track the locations of cell phones around the world at the time.
Bills seen by the Guardian and the Bureau of Investigative Journalism suggest that Rayzone, a corporate espionage agency that provides its government clients with ‘geolocation tools’, used an intermediary in 2018 to lease an access point to the telecom network through Sure Guernsey, a mobile operator. in the Channel Islands.
Such access points, known in the telecom industry as “global titles”, provide a route to a decades-old global messaging system known as SS7, which allows mobile operators to connect users around the world. It is not uncommon for mobile companies to rent out such access.
However, this allows third parties to potentially take advantage of signaling messages – commands sent through a telecom operator across the global network without the knowledge of a mobile phone user. When used legitimately, operators and others with access to the network can locate mobile phones, connect mobile phone users and charge roaming charges.
But entities with access to cellular telephone networks are also known to use signaling messages for questionable purposes, such as monitoring sites for surveillance or even interception of communications.
Rayzone describes itself as providing “boutique intelligence-based solutions” for combating terrorism and crime for national law enforcement agencies. It says its geolocation tools are for government use only.
The company did not respond to questions about whether it had directly or indirectly leased a Sure Guernsey title in the first half of 2018, saying that the question “involves regulatory and trade secrets and poses a risk to our ongoing business. clients against terror and serious crime. ”.
Rayzone added that it was acting in accordance with all laws and regulations, including export control regulations under the Israeli Defense Ministry. It also said that its geolocation tools were “operated solely by the customers (the end users) and not by us”.
It is not clear whether mobile operators such as Sure Guernsey have access to information on how parties use the global titles they rent, especially if those titles are subleased to a third party. Of course, Guernsey was therefore unsure whether Rayzone had access to its network through an intermediary.
Of course, Guernsey said in a statement that it leases access to global titles to a “small number” of specialist providers who provide “legitimate services”, such as anti-fraud banking and other services.
“Certainly does not directly or knowingly rent out access to global titles to organizations to locate and track individuals or to intercept communications content,” the company said. It added that it monitored signaling traffic and that any evidence of misuse of Sure’s assets resulted in the service being “shut down immediately.”
Details of Rayzone’s apparent access to the SS7 network through a UK crown mobile operator stem from growing concerns about the vulnerabilities of Channel Islands telecom networks, which are outside of UK regulatory jurisdiction, even though they use same +44 country code.
Leaked data, documents and interviews with industry insiders who have access to sensitive communications information suggest that private intelligence companies view small mobile operators, often based in small islands in offshore jurisdictions, as vulnerabilities to exploit in the telecom network.
Espionage companies view telecom companies in both Guernsey and Jersey as potentially soft routes to UK telephone networks, industry and security experts said.
Industry sources with access to sensitive communications data say there is recent evidence of a steady stream of seemingly suspicious signaling messages being sent to telephone networks worldwide via the Channel Islands, with hundreds of messages routed to telephone networks through Sure Guernsey and another operator, Jersey Airtel. in North America, Europe and Africa in August.
Do you have any information about this story? Send an email to [email protected], or (if using a non-work phone) use Signal or WhatsApp to send a message on +1646886 8761.
A Jersey Airtel spokesperson said the company took network and customer security seriously and had “necessary controls” to prevent activities that could compromise security. It also said the rental of global titles was “part of the mobile business ecosystem.” “We are vigilant against any misuse of this [global titles] and in the event of such abuse, we take strict measures to block, investigate and initiate strict measures under the terms of the contracts, ”the company said.
Gary Miller, a mobile security researcher at Exigent Media who has studied sensitive messaging signals, said he found evidence to suggest that a US cell phone user was being closely monitored on a trip to Bangladesh in August 2020.
Miller said the apparent surveillance attack, which used signaling messages that could pinpoint the person’s location or intercept communications, appeared to have been routed through Sure Guernsey. It is not known who sent the messages to be sent or if Sure Guernsey would have been aware of the alleged attack. Guernsey, of course, did not respond to a request for comment on the matter.
British officials have privately raised concerns about security concerns surrounding the SS7 network, particularly those related to the Channel Islands, and have said smaller mobile operators have not plugged known vulnerabilities there.
A Whitehall source described the SS7 protocol as “toxic, hideous – yet the world relies on”, adding “it can be exploited to geolocate people,” but it’s difficult to secure because “if you do wrong, you disconnect yourself from the rest of the world ”. Security solutions are being implemented in the mainland of the UK, but so far Channel Islands operators have been lagging behind, they added.
UK telecom regulators and the security services have almost no powers to enforce Channel Islands operators, other than what is described as a “nuclear option” to deny their access to the +44 UK country code.
The UK government appears to recognize security risks in mobile phone networks. Ofcom, which regulates telephone operators in the UK, said network operators are legally obliged to take measures to control security risks, including those related to their signaling networks.
However, a spokesperson confirmed that Ofcom does not regulate the Channel Islands, Isle of Man or Gibraltar, adding that “we currently do not expect a change in the scope of jurisdiction” when new laws come into force that tighten telecommunications security requirements.
Experts warn that fixing the vulnerabilities is unlikely to come quickly or easily – while new technologies like 5G may be more secure in theory, many phones will still use the old networks, exposing any phone to their dangers.
“People say ‘5G will solve everything,'” said Sid Rao, a security researcher at Aalto University in Finland. “But that will only be the case when every network on earth is 4G or 5G. Until this happens, in say 30 years, vulnerabilities in old networks will still pose a risk to all other networks. “
A spokesman for the Guernsey Competition and Regulatory Authority said the states of Guernsey had “licensing obligations” requiring telecom licensees to take “reasonable steps” to prevent their networks from being used in ways that are illegal. The Jersey government said in a statement that it is “committed to the security of its telecom networks.”
Ron Wyden, the US Democratic Senator from Oregon, said in a statement, “Access to US telephone networks is a privilege. Foreign telecom regulators must monitor their domestic industry to ensure that SS7 access is not misused to spy on Americans – if they don’t, they risk cutting their country off from US roaming deals. “