A surveillance technology that can identify the location of a phone anywhere in the world in just seconds with only a telephone number has been detected in 25 countries, some with chequered records on human rights, according to research findings released this week.
Forbes magazine reports that the technology was supplied by the Israeli business Circles, according to Citizen Lab, a University of Toronto organisation that has long tracked the activities of surveillance companies.
Circles is a sister company of NSO Group, an iPhone and Android spyware developer that is currently being sued by Facebook over attacks on the WhatsApp accounts of 1,400 users and has been criticised for selling to nations who went on to spy on activists, journalists and other citizens.
According to Citizen Lab, the Circles tracking tool was detected in both Western, democratic countries, and nations with poor human rights records, says Forbes in a detailed story published on December 3.
The full list, according to Citizen Lab and neither confirmed nor denied by Circles, included: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (UAE), Vietnam, Zambia and Zimbabwe.
Circles surveillance technology locates smartphones across the globe.
The technique used by the Circles snooping tech is known as Signalling System 7 (SS7) exploitation, a powerful yet difficult-to-detect tool in government spy arsenals. It is named after the portion of the telecoms network that deals with cross-border functionality and billing.
When, for instance, you travel to another country, the SS7 network is used to move your phone over to a partner telecoms provider and adjust billing accordingly. But should a surveillance vendor have access to SS7 networks, either by hacking in or by acquiring access, they can send commands to a subscriber’s “home network” falsely indicating the subscriber is roaming. That will, in turn, reveal their location, though only the coordinates of the cell tower closest to the phone.
It may also be possible to intercept calls and texts through SS7 exploitation, though Circles technology is only for location detection, according to two industry sources.
According to trademark filings, it does have a technology called PixCell for “tapping into or intercepting targets’ wireless, telephone, computer, and internet communications.”
If such a significant number of countries have bought access to the Circles tool, it would indicate that all can locate a phone and its owner at rapid speed. Citizen Lab researcher Bill Marczak notes that one of the main selling points of the Circles tool was that it does not need cooperation from a telecoms company.
If used by countries with lax rule of law and human rights controls, it could help repressive government surveillance agencies track targets across borders, without the need for a warrant, Marczak warns.
Many of the countries listed as likely Circles customers have a track record of using surveillance tools against dissidents and activists, Citizen Lab claimed.
Forbes previously reported on Circles’ sales to Mexico, whilst others had reported on deals with the UAE, where it was alleged the company’s tools were used to carry out surveillance on the Emir of Qatar and the prime minister of Lebanon. The UAE, for instance, allegedly targeted the now imprisoned activist Ahmed Mansoor with malware from at least three different companies that included NSO Group, before arresting him in 2017.
Mexico, meanwhile, “serially abused NSO Group’s Pegasus spyware” in targeting at least 25 reporters, human rights defenders and the families of individuals killed or disappeared by cartels, according to previous Citizen Lab research. NSO has always stated that it works for legitimate government agencies on investigations into the worst kinds of crimes and has an ethics committee that reviews contracts, though it cannot comment on the identity of its customers.
“Given Circles’ affiliation with NSO Group, and repeated spyware abuse by NSO customers, it’s disappointing to see Western governments patronizing the company,” added Marczak.
An NSO spokesperson gave Forbes a joint NSO and Circles response, stating: “NSO and Circles are separate companies within the same corporate family, both of which lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate.
“As we have previously stated, Circles is involved in search and rescue and tactical geolocation technology.
“We cannot comment on a report we have not seen. Given Citizen Lab’s track record, we imagine this will once again be based on inaccurate assumptions and without a full command of the facts. As ever, we find ourselves being asked to comment on an unpublished report from an organisation with a predetermined agenda.”
The spokesperson could not confirm or deny that the countries listed by Citizen Lab were its customers, Forbes reported.
Citizen Lab said it tracked down Circles customers by looking for a unique “fingerprint” on servers across the globe that helped them identify where the spy tool was deployed. That fingerprint was built on numerous data points, most significantly a web domain that was linked to Circles business, according to the full technical report.
Circles was an independent intelligence agency vendor up until 2014, when it was acquired by private equity company Francisco Partners for $130 million and merged into a larger surveillance company. That umbrella organisation also included NSO Group.
But Circles is not the only SS7 surveillance provider on the market. Cyprus-based Intellexa, set up by former Circles co-founder Tal Dilian, uses SS7 exploitation as one of its many tools to track a target. Israeli companies Verint, Rayzone and 1rstWAP offer similar services, according to one industry executive.
Ability Inc, another Israeli firm, tried to take the technology global, but crashed out of the Nasdaq after failing to secure customers.
Those providers’ days should, in theory, be numbered, if they stick to solely doing SS7 attacks. The flaws that allow SS7 attacks to take place have long been fixable. The attacks are only possible because SS7, in its original form, doesn’t require any authentication to guarantee the legitimacy and safety of messages traversing the network.
It would require some effort by global telecoms networks to address the flaws, but some efforts have been made to patch the vulnerabilities. The UK, for instance, recently proposed telecommunications security legislation that would grant a regulator the authority to ensure the nation’s networks are secure against SS7 attacks.
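As an added illustration (not taken from the article, Citizen Lab or any vendor), the sketch below shows the kind of plausibility screening a home network can apply to unauthenticated roaming-related messages of the sort described above. The message kinds are simplified, and the network labels, phone number, timestamps and travel-time threshold are all constructed assumptions.

```python
from dataclasses import dataclass

HOME = "home-net"                      # constructed operator label
PARTNERS = {"partner-a", "partner-b"}  # constructed roaming partners
MIN_TRAVEL_SECONDS = 3600              # assumed fastest plausible move abroad

@dataclass
class Message:
    origin: str      # network the unauthenticated message claims to come from
    subscriber: str  # phone number the message refers to
    kind: str        # simplified: "roaming_registration" or "location_query"
    at: int          # arrival time in seconds

@dataclass
class Presence:
    network: str     # network last confirmed to be serving the phone
    seen_at: int     # when that was confirmed, in seconds

def screen(msg: Message, presence: dict[str, Presence]) -> tuple[str, str]:
    """Return (verdict, reason) for one inbound interconnect message."""
    if msg.origin not in PARTNERS:
        return "block", "origin has no roaming agreement"
    last = presence.get(msg.subscriber)
    if last is None:
        return "alert", "no presence record to compare against"
    if msg.kind == "location_query":
        # In this simplified model only the serving network may ask.
        if last.network != msg.origin:
            return "block", "query from a network not serving the subscriber"
        return "allow", "query from serving network"
    if msg.kind == "roaming_registration":
        # A phone just seen elsewhere cannot already be on a foreign network.
        if last.network != msg.origin and msg.at - last.seen_at < MIN_TRAVEL_SECONDS:
            return "block", "roaming claim contradicts recent presence"
        return "allow", "roaming claim is plausible"
    return "alert", "unrecognised message kind"

# Constructed traffic for one subscriber last seen on the home network at t=1000.
PRESENCE = {"+15550100": Presence(HOME, 1000)}
SAMPLES = [
    Message("unknown-net", "+15550100", "location_query", 1100),
    Message("partner-a", "+15550100", "roaming_registration", 1200),
    Message("partner-a", "+15550100", "location_query", 1300),
    Message("partner-a", "+15550100", "roaming_registration", 9000),
]

def verdicts() -> list[str]:
    return [screen(m, PRESENCE)[0] for m in SAMPLES]
```

Because the messages carry no authentication, the check relies on cross-referencing each claim against what the home network already knows about the subscriber.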
Nevertheless, whilst those gaping holes remain open across global networks, government spies can continue to track anyone, anywhere, with just their phone number.
– Tell report