by Stephen Bryen, Ziklag Systems
They didn’t tell us, and out of politeness, we can assure you, we did not ask. But we can certainly guess how it was done.
There are both internal and external vulnerabilities in smartphones. Let’s look at them.
In regard to internal vulnerabilities, commercial smartphones (the majority of them manufactured in Asia) contain hardware, firmware and software combined with lots of sensors and radios. The operating systems of smartphones (such as iPhone, Android phones, Windows phones, BlackBerry and the others) are designed to link the phone’s hardware, its sensors, and its radios together. Most of the computer “code” is written to get the job done, but for the most part security plays second or third fiddle on commercial platforms. Indeed, there is so much social networking and connectivity demanded by smartphone users that the idea of putting in any kind of security perimeter for the smartphone platform is all but verboten. This makes it easy for intruders, thieves, private eyes, lawyers and governments to spy to their heart’s content. All they need to do is exploit some social app (the technique is called ‘phishing’), plant some malware, or install a spy phone on the mobile device.
What is a Spy Phone
A spy phone is specialized spying software that lives “in the background” on a smartphone. An intruder or hacker controls the smartphone remotely, meaning the phone itself can be switched on at any time without the screen lighting up, conversations can be recorded and surreptitiously broadcast, and virtually all the information on the phone can be hijacked. This means contact lists, emails, text messages, photos, videos and files can be grabbed at will.
Spy phones vary in level of sophistication, but if you want to buy one you can find a commercial spy phone for every type of mobile phone and smartphone. It is, of course, illegal to listen to someone’s conversations without their permission, but professional spy phone users, and a fair number of amateur sleuths, don’t worry about the legal nicety. That’s why in the U.K. there is a major phone hacking scandal which has to do with stealing text messages, emails, photos and voice mail messages.
More than 100 major UK firms, not counting a number of newspapers, are said to have engaged in smartphone spying activities, usually working through cutouts (in the main private investigators). This kind of spying was done for economic gain, to compromise a person by learning about their private life, or for salacious reasons. The fact that it was widespread and virtually out of control in the UK should forewarn us that the same is true in the United States.
Chancellor Merkel’s Phone
Angela Merkel has a smartphone, and she likely has apps installed that please her. So one avenue of attack for an intruder is to plant spy phone software on her mobile. Is this what the German counter-intelligence services (probably the BND or Bundesnachrichtendienst) found? While this is total speculation, if they did then they probably could “sandbox” Mrs. Merkel’s phone and pretty quickly figure out who was doing the listening. We don’t know that this is what happened, but some event certainly triggered Merkel to pick up the phone and complain directly to President Obama. These things, as one knows, just are not done. Gentlemen don’t read the mail of other gentlemen or women, to paraphrase Henry L. Stimson, former U.S. Secretary of War (before we decided we should only be for Defense and not for War).
External Spying and Intercepts
The second way to break into a smartphone is external, that is, to intercept conversations. There are a number of ways to do this. One can create a false cell phone tower and intercept calls that way. This method, called IMSI catching after the International Mobile Subscriber Number that is in every phone, is how you can grab calls from close proximity to the caller.
In our initial review we thought that “It is unlikely the U.S. used IMSI Catching.” Now Der Spiegel is reporting that the spying on the Chancellor’s phone, which may have gone on for more than 10 years, may have been run out of a U.S. installation in the German capital, a spying operation that was not legally registered with the German government. The location is about one mile from the offices of the Chancellor. This would put it in range for an IMSI catcher. Therefore the use of the IMSI catcher cannot be ruled out.
Another way is to get the cooperation of the telephone company or mobile phone company. This works in your home country (as the NSA has proven by downloading all the metadata of the phones of U.S. citizens, and who knows what else) but it is not likely to have worked in Germany because the NSA is not in a position to twist the arms of German cell phone and telephone companies. But it is possible, as an alternative strategy, to tap into trunk lines that carry calls over fiber optic lines. It seems this is a major shared industry between the NSA and their UK counterparts in GCHQ. While they might not get all of Merkel’s calls that way, they could get some of them.
Most Likely Spying Method
In short, NSA had plenty of options. We would think the most likely one was to plant a spy phone on Chancellor Merkel’s phone, but it could also have been through an IMSI catcher.
In Germany there are many who think Merkel should have taken sterner action when the first Snowden revelations about tapping German phones became public. They say Merkel is, in fact, now also a victim because she did not act.
The plain truth is, of course, that the BND and other German security services were either sleeping at the switch or did not care. Otherwise they would not have let their chancellor’s phone get compromised by NSA or by anyone else.