By Craig Timberg
Makers of surveillance systems are offering governments across the world the ability to track the movements of almost anybody who carries a cellphone, whether they are blocks away or on another continent.
The technology works by exploiting an essential fact of all cellular networks: They must keep detailed, up-to-the-minute records on the locations of their customers to deliver calls and other services to them. Surveillance systems are secretly collecting these records to map people’s travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology.
The world’s most powerful intelligence services, such as the National Security Agency and Britain’s GCHQ, long have used cellphone data to track targets around the globe. But experts say these new systems allow less technically advanced governments to track people in any nation — including the United States — with relative ease and precision.
Users of such technology type a phone number into a computer portal, which then collects information from the location databases maintained by cellular carriers, company documents show. In this way, the surveillance system learns which cell tower a target is currently using, revealing his or her location to within a few blocks in an urban area or a few miles in a rural one.
It is unclear which governments have acquired these tracking systems, but one industry official, speaking on the condition of anonymity to share sensitive trade information, said that dozens of countries have bought or leased such technology in recent years. This rapid spread underscores how the burgeoning, multibillion-dollar surveillance industry makes advanced spying technology available worldwide.
“Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world,” said Eric King, deputy director of Privacy International, a London-based activist group that warns about the abuse of surveillance technology. “This is a huge problem.”
Security experts say hackers, sophisticated criminal gangs and nations under sanctions also could use this tracking technology, which operates in a legal gray area. It is illegal in many countries to track people without their consent or a court order, but there is no clear international legal standard for secretly tracking people in other countries, nor is there a global entity with the authority to police potential abuses.
In response to questions from The Washington Post this month, the Federal Communications Commission said it would investigate possible misuse of tracking technology that collects location data from carrier databases. The United States restricts the export of some surveillance technology, but with multiple suppliers based overseas, there are few practical limits on the sale or use of these systems internationally.
“If this is technically possible, why couldn’t anybody do this anywhere?” said Jon Peha, a former White House scientific adviser and chief technologist for the FCC who is now an engineering professor at Carnegie Mellon University. He was one of several telecommunications experts who reviewed the marketing documents at The Post’s request.
“I’m worried about foreign governments, and I’m even more worried about non-governments,” Peha said. “Which is not to say I’d be happy about the NSA using this method to collect location data. But better them than the Iranians.”
‘Locate. Track. Manipulate.’
Location tracking is an increasingly common part of modern life. Apps that help you navigate through a city or find the nearest coffee shop need to know your location. Many people keep tabs on their teenage children — or their spouses — through tracking apps on smartphones. But these forms of tracking require consent; mobile devices typically allow these location features to be blocked if users desire.
Tracking systems built for intelligence services or police, however, are inherently stealthy and difficult — if not impossible — to block. Private surveillance vendors offer government agencies several such technologies, including systems that collect cellular signals from nearby phones and others that use malicious software to trick phones into revealing their locations.
Governments also have long had the ability to compel carriers to provide tracking data on their customers, especially within their own countries. The National Security Agency, meanwhile, taps into telecommunication-system cables to collect cellphone location data on a mass, global scale.
But tracking systems that access carrier location databases are unusual in their ability to allow virtually any government to track people across borders, with any type of cellular phone, across a wide range of carriers — without the carriers even knowing. These systems also can be used in tandem with other technologies that, when the general location of a person is already known, can intercept calls and Internet traffic, activate microphones, and access contact lists, photos and other documents.
Companies that make and sell surveillance technology seek to limit public information about their systems’ capabilities and client lists, typically marketing their technology directly to law enforcement and intelligence services through international conferences that are closed to journalists and other members of the public.
Yet marketing documents obtained by The Washington Post show that companies are offering powerful systems that are designed to evade detection while plotting movements of surveillance targets on computerized maps. The documents claim system success rates of more than 70 percent.
A 24-page marketing brochure for SkyLock, a cellular tracking system sold by Verint, a maker of analytics systems based in Melville, N.Y., carries the subtitle “Locate. Track. Manipulate.” The document, dated January 2013 and labeled “Commercially Confidential,” says the system offers government agencies “a cost-
effective, new approach to obtaining global location information concerning known targets.”
The brochure includes screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe and several other countries. Verint says on its Web site that it is “a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance,” with clients in “more than 10,000 organizations in over 180 countries.”
(Privacy International has collected several marketing brochures on cellular surveillance systems, including one that refers briefly to SkyLock, and posted them on its Web site. The 24-page SkyLock brochure and other material was independently provided to The Post by people concerned that such systems are being abused.)
Verint, which also has substantial operations in Israel, declined to comment for this story. It says in the marketing brochure that it does not use SkyLock against U.S. or Israeli phones, which could violate national laws. But several similar systems, marketed in recent years by companies based in Switzerland, Ukraine and elsewhere, likely are free of such limitations.
At The Post’s request, telecommunications security researcher Tobias Engel used the techniques described by the marketing documents to determine the location of a Post employee who used an AT&T phone and consented to the tracking. Based only on her phone number, Engel found the Post employee’s location, in downtown Washington, to within a city block — a typical level of precision when such systems are used in urban areas.
“You’re obviously trackable from all over the planet if you have a cellphone with you, as long as it’s turned on,” said Engel, who is based in Berlin. “It’s possible for almost anyone to track you as long as they are willing to spend some money on it.”
AT&T declined to comment for this story.
Exploiting the SS7 network
The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data.
The system was built decades ago, when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say. All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share its access with others, including makers of surveillance systems.
The tracking systems use queries sent over the SS7 network to ask carriers what cell tower a customer has used most recently. Carriers configure their systems to transmit such information only to trusted companies that need it to direct calls or other telecommunications services to customers. But the protections against unintended access are weak and easily defeated, said Engel and other researchers.
By repeatedly collecting this location data, the tracking systems can show whether a person is walking down a city street or driving down a highway, or whether the person has recently taken a flight to a new city or country.
“We don’t have a monopoly on the use of this and probably can be sure that other governments are doing this to us in reverse,” said lawyer Albert Gidari Jr., a partner at Perkins Coie who specializes in privacy and technology.
Carriers can attempt to block these SS7 queries but rarely do so successfully, experts say, amid the massive data exchanges coursing through global telecommunications networks. P1 Security, a research firm in Paris, has been testing one query commonly used for surveillance, called an “Any Time Interrogation” query, that prompts a carrier to report the location of an individual customer. Of the carriers tested so far, 75 percent responded to “Any Time Interrogation” queries by providing location data on their customers. (Testing on U.S. carriers has not been completed.)
“People don’t understand how easy it is to spy on them,” said Philippe Langlois, chief executive of P1 Security.
The GSMA, a London-based trade group that represents carriers and equipment manufacturers, said it was not aware of the existence of tracking systems that use SS7 queries, but it acknowledged serious security issues with the network, which is slated to be gradually replaced over the next decade because of a growing list of security and technical shortcomings.
“SS7 is inherently insecure, and it was never designed to be secure,” said James Moran, security director for the GSMA. “It is possible, with access to SS7, to trigger a request for a record from a network.”
The documents for Verint and several other companies say that the surveillance services are intended for governments and that customers must abide by laws regarding their use. Yet privacy advocates and other critics say the surveillance industry is inherently secretive, poorly regulated and indiscriminate in selecting its customers, sometimes putting profoundly intrusive tools into the hands of governments with little respect for human rights or tolerance of political dissent.
Refining the techniques
Engel, the German telecommunications security researcher, was the first to publicly disclose the ability to use carrier networks to surreptitiously gather user location information, at a 2008 conference sponsored by the Chaos Computer Club, a hacker activist group based in Germany. The techniques Engel used that day were far cruder than the ones used by today’s cellular tracking systems but still caused a stir in the security community.
From the lectern, he asked for help from a volunteer from the audience. A man in an untucked plaid shirt ambled up with his cellphone in one hand and a beer in the other. Engel typed the number into his computer, and even though it was for a British phone, a screen at the front of the room soon displayed the current location — in Berlin.
Two years later, a pair of American telecommunications researchers expanded on Engel’s discovery with a program they called “The Carmen Sandiego Project,” named after a popular educational video game and television series that taught geography by having users answer questions.
Researchers Don Bailey and Nick DePetrillo found that the rough locations provided by Engel’s technique could be mixed with other publicly available data to better map the locations of users. They even accessed the video feeds of highway cameras along Interstate 70 in Denver to gain a clearer picture of targeted cellphone users.
“We could tell that they were going a certain speed on I-70,” Bailey recalled. “Not only could you track a person, you could remotely identify a car and who was driving.”
An official for AT&T, Patrick McCanna, was in the audience when DePetrillo and Bailey presented their findings at a conference in 2010. McCanna praised the researchers for their work, they later said, and recruited their help to make it harder to gather location data.
Many of the world’s largest cellular networks made similar efforts, though significant loopholes remained.
As some carriers tightened their defenses, surveillance industry researchers developed even more effective ways to collect data from SS7 networks. The advanced systems now being marketed offer more-precise location information on targets and are harder for carriers to detect or defeat.
Telecommunications experts say networks have become so complex that implementing new security measures to defend against these surveillance systems could cost billions of dollars and hurt the functioning of basic services, such as routing calls, texts and Internet to customers.
“These systems are massive. And they’re running close to capacity all the time, and to make changes to how they interact with hundreds or thousands of phones is really risky,” said Bart Stidham, a longtime telecommunications system architect based in Virginia. “You don’t know what happens.”
Paired up with ‘catchers’
Companies that market SS7 tracking systems recommend using them in tandem with “IMSI catchers,” increasingly common surveillance devices that use cellular signals collected directly from the air to intercept calls and Internet traffic, send fake texts, install spyware on a phone, and determine precise locations.
IMSI catchers — also known by one popular trade name, StingRay — can home in on somebody a mile or two away but are useless if a target’s general location is not known. SS7 tracking systems solve that problem by locating the general area of a target so that IMSI catchers can be deployed effectively. (The term “IMSI” refers to a unique identifying code on a cellular phone.)
The FCC recently created an internal task force to study misuse of IMSI catchers by criminal gangs and foreign intelligence agencies, which reportedly have used the systems to spy on American citizens, businesses and diplomats. It is legal for law enforcement agencies in the United States to use IMSI catchers for authorized purposes.
When asked by The Post about systems that use SS7 tracking, FCC spokeswoman Kim Hart said, “This type of system could fall into the category of technologies that we expect the FCC’s internal task force to examine.”
The marketing brochure for Verint’s SkyLock system suggests using it in conjunction with Verint’s IMSI catcher, called the Engage GI2. Together, they allow government agencies “to accurately pinpoint their suspect for apprehension, making it virtually impossible for targets to escape, no matter where they reside in the world.”
Verint can install SkyLock on the networks of cellular carriers if they are cooperative — something that telecommunications experts say is common in countries where carriers have close relationships with their national governments. Verint also has its own “worldwide SS7 hubs” that “are spread in various locations around the world,” says the brochure. It does not list prices for the services, though it says that Verint charges more for the ability to track targets in many far-flung countries, as opposed to only a few nearby ones.
Among the most appealing features of the system, the brochure says, is its ability to sidestep the cellular operators that sometimes protect their users’ personal information by refusing government requests or insisting on formal court orders before releasing information.
“In most cases mobile operators are not willing to cooperate with operational agencies in order to provide them the ability to gain control and manipulate the network services given to its subscribers,” the brochure says. “Verint’s SkyLock is a global geo-location solution which was designed and developed to address the limitations mentioned above, and meet operational agency requirements.”
Another company, Defentek, markets a similar system called Infiltrator Global Real-Time Tracking System on its Web site, claiming to “locate and track any phone number in the world.”
The site adds: “It is a strategic solution that infiltrates and is undetected and unknown by the network, carrier, or the target.”
The company, which according to the Web site is registered in Panama City, declined to comment for this story.