by Mike Krieger
Liberty Blitzkrieg
When you first go on duty at CIA headquarters, you raise your hand and swear an oath — not to government, not to the agency, not to secrecy. You swear an oath to the Constitution. So there’s this friction, this emerging contest between the obligations and values that the government asks you to uphold, and the actual activities that you’re asked to participate in.
By preying on the modern necessity to stay connected, governments can reduce our dignity to something like that of tagged animals, the primary difference being that we paid for the tags and they’re in our pockets. It sounds like fantasist paranoia, but on the technical level it’s so trivial to implement that I cannot imagine a future in which it won’t be attempted. It will be limited to the war zones at first, in accordance with our customs, but surveillance technology has a tendency to follow us home.
– From the post: A Whistleblower Manifesto by Edward Snowden
Yesterday, Forbes published an interesting and disturbing article profiling a company called Ability Inc in the post: For $20M, These Israeli Hackers Will Spy On Any Phone On The Planet.
First, the good news. As the article notes, the company has been struggling as of late with lawsuits and it seems obvious to me that the reason Ability agreed to talk to Forbes is for some free advertising. If the company was performing particularly well, there’d be no need to agree to this interview and executives would try to keep their business practices as clandestine as possible. That’s the good news.
The bad news is that a global “industry” like this exists in the first place. While virtually all countries in the world have harsh penalties for individuals who decide to do drugs on their own time and to their own bodies, governments appear to have no problem with corporations that exist solely to violate people’s privacy. Probably because these same governments as the main clients of such companies. The fact that we put up with this and pretend it’s a legitimate business practice is an embarrassment to us as a species.
Now, without further ado, here are some excerpts from the Forbes piece:
With just a few million dollars and a phone number, you can snoop on any call or text that phone makes – no matter where you are or where the device is located.
That’s the bold claim of Israel’s Ability Inc, which offers its set of bleeding-edge spy tools to governments the world over. And it’s plotting to flog its kit to American cops in the coming months.
Ability’s most startling product, from both technical and price perspectives, is the Unlimited Interception System (ULIN). Launched in November last year, it can cost as much as $20 million, depending on how many targets the customer wants to surveil. All a ULIN customer requires is the target’s phone number or the IMSI (International Mobile Subscriber Identity), the unique identifier for an individual mobile device. Got those? Then boom – you can spy on a target’s location, calls and texts.
ULIN has no such geographic limitation. A quarterly update document posted only on May 2, spells out the tech’s power: “ULIN enables interception of voice calls, SMS messages and call-related information of GSM/UMTS/LTE phones, without the need to be close to the intercepted phone and without the consent of mobile network operators [emphasis by FORBES] and requires only the mobile device’s phone number or IMSI. Customers can use ULIN to intercept calls, and gather other information, from anywhere in the world.”
Ability’s service – it is the sole licensee from an unknown third party – exploits a weakness resident in SS7, the Signalling System No. 7. A core part of the world’s shared networking infrastructure, SS7 helps route calls between different carriers and switching centers. Service providers often use SS7 to support communications in areas where the customer’s normal network isn’t available, such as when the user is abroad. For instance, when a Verizon user is holidaying in Spain, local carriers will use SS7 to “speak” with the customer’s operator to determine who provides its service.
Hackers, however, use weaknesses in the SS7 network for a number of nefarious purposes. For instance, to forward calls heading to voicemail to their own devices. They can do this because wireless networks do not have the necessary safeguards to block these attacks. Concerns around SS7 have led House Democrat Ted Lieu to demand a Congressional investigation and the Federal Communications Commission has launched its own probe.
Ted Lieu is one of the few members of Congress worth anything. See:
This is What Happens When a Member of Congress Holds a Computer Science Degree (*Hint: Logic).
and
Apple Vows to Defend Its Customers as the FBI Launches a War on Privacy and Security
Previously, government contractors selling SS7 exploitation tools had to work with wireless service providers to access the SS7 network. These tools, according to a Washington Post report in 2014, were only able to detect users’ locations, not intercept communication. Ability, however, can do much more.
According to documents seen by FORBES, one of which was leaked by an anonymous source (published below and on Document Cloud), Ability’s ULIN service allows it to locate targets and snoop on calls and texts – without any assistance from the cellular networks. According to whitehat hacker Drew Porter from security consultancy Red Mesa, this is technically feasible, and could be done in two ways: by hacking the SS7 network or by leasing a system from a carrier that has the ability to “talk” to large parts of the network.
“Having access to SS7 is really a golden key of surveillance, I’m not surprised [Ability] capitalized on it,” said Claudio Guarnieri, a security and human rights advocate who this week helped launch a map of attacks on journalists and activists, as well as the surveillance vendors facilitating global spying. He plans to add Ability to the map this week.
Karsten Nohl, a German whitehat hacker from Security Research Labs who has frequently highlighted security shortcomings in SS7, said the intercept capabilities that SS7 provides “are probably the most powerful currently available.”
SS7 exploit services have created anxieties around a lack of oversight over their use. Until last year, cops in the United States used Stingrays without warrants. Following complaints from civil rights bodies, the Department of Justice mandated warrants, but the invasive tool had already been deployed and the damage done.
The same could happen with tools like ULIN, warned Nathan Wessler, staff attorney at the American Civil Liberties Union. “This system means that law enforcement will have the ability to conduct wiretaps and location tracking without anybody scrutinizing what they’re doing, and nobody may have the opportunity to push back and demand appropriate legal process,” Wessler told FORBES.
While U.S. law enforcement officers are able to get phone records from carriers with the right warrant, the Ability service means they don’t need to get such permission, he added. “There is a significance to cutting the phone companies out of that transaction, because it makes it trivially easy to totally bypass the legal protections that are required under the U.S. Constitution and federal law.”
American cops may soon be paying big bucks for Ability’s tech. The Israeli company is planning a significant expansion in America this year and is currently looking for a partner to help it sell to U.S. law enforcement, says Ability’s CEO, Anatoly Hurgin, who I spoke with as he was driving to his office in Tel Aviv on Thursday morning and later that afternoon from his company HQ.
“You cannot just ignore such a huge market. It’s about half of the world market for our kind of technology,” he said. An SEC filing detailing Ability’s merger with Cambridge Capital Acquisition Corporation, which helped the Israeli company go public, indicates the market is indeed blowing up; the U.S. lawful intercept industry worth $3.8 billion in 2015 is expected to hit $6.3 billion in 2020. That same document valued Ability at $225 million, though it’s current market cap is down at $71.1M.
Notice how he describes violating the U.S. Constitution as a “huge market.”
Hurgin’s tools may allow for easy snooping on others, but he told me he cares about his own privacy. There’s very little public information about him. His LinkedIn profile reveals nothing beyond his position at Ability. His Google+ and Skype avatars show a thin man, grey hair, sunglasses. Hurgin says he started Ability with its equally enigmatic Russian co-founder Alexander Aurovsky after a long stint in the Israeli Defense Forces, but he won’t tell me what division. He says it wasn’t the noted Unit 8200 or Shin Bet. “I started as an electronic engineer,” is all he says.
Despite the bold claims, Ability’s tool may not be as “unlimited” as advertised. Kohl notes that some operators have already deployed firewalls that prevent SS7 attacks. Many more will do so this year, he claimed, noting he is helping a handful of unnamed operators set up those firewalls. “SS7 firewalls block messages types that are clearly abusive and also some other possibly abusive messages from strange senders. A few firewall rules go a long way to solve 90 per cent of the SS7 security issue.”
Is Hurgin concerned about his pricey product becoming obsolete? “This concern does exist. But talking about [fixing the networks] and doing something are different things.”
But this month, the company suddenly found itself under threat of legal action from its own investors. Having started trading publicly on the Nasdaq in December, Ability had a steady start, but in May shares started tanking. Though Hurgin put a positive spin on profits, they masked a glaring issue: Ability had been compelled to restate its results for 2015, 2014, 2013 and 2012 as it had failed to report money owed to an unnamed third-party vendor across two of those years and had improperly reported allocation and timing of revenue.
By September, Hurgin believes ULIN will be able to intercept internet traffic, including web and app use. He can’t promise, however, it will be able to hoover up encrypted data.
ULIN is a young product, and may not be in wide use. According to May’s results document, Ability has sold only one ULIN product at the low end of its price scale, but has “received inquiries from a number of existing and potential customers.” It will treat that first customer, who will not be doing cross-border exploitation but focusing on targets within their own country, as a beta test. Hurgin tells me the firm has customers in Europe, Asia and Latin America. Did that include the UK? “Let’s say we’re in touch.”
Ability isn’t the only company to target SS7 so aggressively. Indeed, Ability didn’t actually design the ULIN product, nor does it own the technology, but licenses it from an unnamed third-party. The company is investing research and development for the system, and is the only one deploying the tool on its own infrastructure, but it has relied on another firm for the core system. That other firm is only described in SEC filings as “a newly established corporation with a short operating history and is still unknown in the industry.”
It’s clear, though, that at least one company is happy to expose the security of the telecoms backbone for significant profit. And the surveillance is only getting more invasive. As with any technology, where one crosses the Rubicon, others will follow, regardless of the potential degradation of people’s privacy.
So how does this unethical person justify the obvious harm to humanity his company is attempting to inflict?
Hurgin, meanwhile, says governments need the technology to counter the rising threat of terrorism. “It is a war.”
Terrorism. The authoritarian and financial opportunists’ justification to do absolutely anything.