It appears that Israeli private intelligence company Rayzone Group had access to the global telecommunications network through a mobile phone operator in the Channel Islands during the first half of 2018, potentially allowing its customers at that time to track the location of mobile phones around the world.
Bills seen by The Guardian and the Office of Investigative Journalism suggest that Rayzone, a corporate espionage agency that provides its government clients with “geolocation tools,” used an intermediary in 2018 to rent an access point to the telecommunications network through Sure Guernsey, a mobile operator in the Channel Islands.
These access points, known to the telecommunications industry as “global titles,” provide a route to a decades-old global messaging system known as SS7, which allows mobile operators to connect users around the world. It is not uncommon for mobile companies to rent out this access.
However, doing so potentially allows third parties to exploit signaling messages: commands that are sent through a telecommunications operator over the global network, without a mobile phone user knowing. Used legitimately, these commands allow operators and other users with network access to locate cell phones, connect cell phone users, and assess roaming costs.
But entities with access to mobile phone networks are also known to use signaling messages for questionable purposes, such as monitoring locations for surveillance purposes or even intercepting communications.
Rayzone describes itself as providing “boutique intelligence-based solutions” to national law enforcement agencies fighting terrorism and crime. It says its geolocation tools can only be used by government authorities.
The company did not respond to questions about whether it had directly or indirectly leased a Sure Guernsey global title during the first half of 2018, saying the inquiry “involves regulatory issues and trade secrets and a risk to the ongoing operations of our clients against terrorism and serious crime”.
Rayzone added that it acted in accordance with all laws and regulations, including the export control regulations of the Israeli Ministry of Defense. It also said its geolocation tools were “operated only by customers (end users) and not by us.”
It’s unclear whether mobile operators like Sure Guernsey have access to information about how the parties use the global titles they lease, especially if those titles are subleased to a third party. Sure Guernsey may not have known if Rayzone had access to its network through an intermediary.
Sure Guernsey said in a statement that it leased access to global titles to a “small number” of specialized providers that provide “legitimate services” such as anti-fraud detection for banks and other services.
“Sure does not grant access to global titles directly or knowingly to organizations with the goal of locating and tracking people or intercepting communications content,” the company said. It added that it monitored the signaling traffic and that any evidence of abuse of Sure’s assets leads to immediate cessation of service.
Details of Rayzone’s apparent access to the SS7 network through a mobile phone operator in a British Crown dependency are emerging amid growing concerns about the vulnerabilities of telecommunications networks in the Channel Islands, which are outside UK regulatory jurisdiction even though they use the same +44 country code.
Leaked data, documents, and interviews with people who have access to sensitive communications information suggest that private intelligence companies view small cell phone carriers, often based on small islands in offshore jurisdictions, as weak points to exploit in the telecommunications network.
Spy companies view Guernsey and Jersey telecommunications companies as potentially smooth routes to UK telephone networks, industry and security experts said.
Industry sources with access to sensitive communications data say there is recent evidence of a steady stream of seemingly suspicious signaling messages directed across the Channel Islands to telephone networks around the world, with hundreds of messages sent via Sure Guernsey and another operator, Jersey Airtel, to telephone networks in North America, Europe and Africa in August.
A Jersey Airtel spokesman said the company took network and customer security seriously and had “the necessary control measures” in place to prevent activities that could compromise security. He also said leasing global titles was “part of the mobile business ecosystem.” “We are alert to any misuse of these [global titles] and in case of such misuse, we take strict measures to block, investigate and initiate strict measures under the terms of the contracts,” the company said.
Gary Miller, a mobile security researcher at Exigent Media who has studied sensitive signaling messages, said he found evidence suggesting an American cell phone user was closely tracked during a trip to Bangladesh in August 2020.
Miller said the apparent surveillance attack, which used signaling messages that could identify the person’s location or intercept communications, appeared to have been routed through Sure Guernsey. It is unknown who directed the messages or whether Sure Guernsey was aware of the alleged attack. Sure Guernsey did not respond to a request for comment on the case.
British officials have privately expressed concerns about security issues around the SS7 network, especially in relation to the Channel Islands, and said smaller mobile operators have not plugged known vulnerabilities.
A Whitehall source described the SS7 protocol as “toxic, horrible, but the world trusts,” adding that “it can be abused to geolocate people,” but it’s complex to secure because “if you’re wrong, you disconnect from the rest of the world”. Security solutions are being implemented in mainland UK, but so far operators in the Channel Islands have lagged behind, they added.
British telecoms regulators and security services have almost no powers to enforce against Channel Islands operators, beyond what is described as a “nuclear option” to remove their access to the UK country code +44.
It appears that the UK government recognizes security risks in mobile phone networks. Ofcom, which regulates telephone operators in the UK, said network operators were required by law to take steps to manage security risks, including those related to their signaling networks.
A spokesman confirmed, however, that Ofcom does not regulate the Channel Islands, the Isle of Man or Gibraltar, and added that “we do not currently expect a change in the scope of jurisdiction” when new telecommunications security requirements come into force.
Experts warn that the solution to vulnerabilities is unlikely to arrive quickly or easily; while new technologies, such as 5G, may in theory be more secure, many phones will continue to use old networks, exposing each phone to their dangers.
“People say ‘5G will fix everything,’” said Sid Rao, a security researcher at Aalto University in Finland. “But it will not be so until all the networks on earth are 4G or 5G. Until that happens, in 30 years’ time, the vulnerabilities of old networks will continue to be a risk to other networks.”
A spokesman for the Guernsey Regulatory and Competition Authority said the States of Guernsey had established “licensing obligations” that require telecommunications licensees to take “reasonable steps” to prevent their networks from being used contrary to Guernsey law. The Jersey government said in a statement that it was “committed to the security of its telecommunications networks.”
Ron Wyden, the U.S. Democratic senator from Oregon, said in a statement: “Access to U.S. telephone networks is a privilege. Foreign telecommunications regulators must monitor their domestic industry to make sure that SS7 access is not abused to spy on Americans; if they don’t, they risk their country being left out of U.S. roaming agreements.”