Cell Phone Surveillance System

I was not surprised that police forces are buying this system, but I was surprised at its capabilities.

Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area.

The surveillance system has been procured by the Metropolitan police from Leeds-based company Datong plc, which counts the US Secret Service, the Ministry of Defence and regimes in the Middle East among its customers. Strictly classified under government protocol as "Listed X", it can emit a signal over an area of up to an estimated 10 sq km, forcing hundreds of mobile phones per minute to release their unique IMSI and IMEI identity codes, which can be used to track a person's movements in real time.

[...]


Datong's website says its products are designed to provide law enforcement, military, security agencies and special forces with the means to "gather early intelligence in order to identify and anticipate threat and illegal activity before it can be deployed".

The company's systems, showcased at the DSEi arms fair in east London last month, allow authorities to intercept SMS messages and phone calls by secretly duping mobile phones within range into operating on a false network, where they can be subjected to "intelligent denial of service". This function is designed to cut off a phone used as a trigger for an explosive device.

A transceiver around the size of a suitcase can be placed in a vehicle or at another static location and operated remotely by officers wirelessly. Datong also offers clandestine portable transceivers with "covered antennae options available". Datong sells its products to nearly 40 countries around the world, including in Eastern Europe, South America, the Middle East and Asia Pacific.

Company website.

Posted on October 31, 2011 at 12:29 PM • 45 Comments

Comments

kashmarek • October 31, 2011 12:36 PM

"operated remotely" means it will soon be hacked.

"another static location" means it can be stolen.

Shouldn't be too long before this is in the wrong hands and we all become victims, including those same police units. Who is going to fix that mess?

Johnston • October 31, 2011 12:51 PM

"Shouldn't be too long before this is in the wrong hands and we all become victims..."

It's already in the wrong hands. From the article:

"The surveillance system has been procured by the Metropolitan police from Leeds-based company Datong plc, which counts the US Secret Service, the Ministry of Defence and regimes in the Middle East among its customers."

Clive Robinson • October 31, 2011 1:17 PM

The funny thing is you can do much of this sort of thing yourself only at a much smaller radius.

In the UK the mobile operator Vodafone has a product called the femto. A number of people have hacked its Linux back end and you can do all sorts of data stripping from mobiles in its vicinity.

Oh and the femto costs around 160GBP delivered to your doorstep. You can read up on the details on the Net, or have a look at the following info to get an idea of where to start:

http://wiki.thc.org/vodafone

LinkTheValiant • October 31, 2011 1:39 PM

"another static location" means it can be stolen.

Forget stolen. How many times have law enforcement or government employees in general just forgotten stuff and left it lying around?

TS • October 31, 2011 1:40 PM

"... allow authorities to intercept SMS messages and phone calls..."

That's why my cell phone is encrypted with a twofish algorithm. No one will be listening in.

NobodySpecial • October 31, 2011 2:11 PM

@kashmarek - it already is in the (other) wrong hands - according to another linked article criminals are already buying the portable version to check for police surveillance.

Of course a group as technologically and strategically skilled as the UK police would ensure that nobody is carrying a mobile phone while on duty wouldn't they?

NobodySpecial • October 31, 2011 2:17 PM

@Clive - If I understand correctly the difference between this and running a fake base station is that this isn't limited to one network and it isn't easily detectable by the user - you also don't have to deal with actually handling the call or by raising suspicions by rejecting it.

karrde • October 31, 2011 3:41 PM

Ya'know, when I read of such in Tom Clancy's Rainbow Six, I think the 'Rainbow' team had to send a rep & tech with a van full of equipment to a local phone-company switching tower or some such.

It was used to isolate one hostage-taking terrorist team, after 'Rainbow' figured out that the terrorist team was using mobile-phone comms with an outside leader while negotiating with Authorities.

Clancy loves himself some realistic-and-likely-used-in-the-field technology. I guess he wrote that novel a decade too early or something.

Andrew • October 31, 2011 3:42 PM

There is a lot of cross-over between The Security Service (MI5) right now and the Metropolitan Police in the run up to London 2012.

We are worried about crime, public disorder and the seriousness of a dirty-bomb being planted.

This is just the tip of the iceberg as to what procurement we have undertaken to protect the public and the city.

Jan Schejbal • October 31, 2011 4:16 PM

Basically, this is just a fake base station for all networks, does not seem to be anything special. This is well-known (and relatively wide-spread among police etc.) in Germany under the name "IMSI-Catcher".

Dom De Vitto • October 31, 2011 4:17 PM

Geee. This company is at its 2nd lowest share price in the past 10 years, and this leaks out....weird.

http://investing.thisismoney.co.uk/charts/?...

Almost like a big marketing scam.

Hope operating this stuff is legal.....not sure under what law it could be used, without a warrant.

Which really just depends on what happens next:

a) an act of terror, or
b) bankers voice conversations, MPs texts and Judges MMSs get put on Wikileaks.

If (b) happens first, I think we can see someone in the high court over this.

sanitation engineer • October 31, 2011 4:17 PM

Dear Datong:

Thank you for informing us of your business venture. Please leave your refuse containers unlocked so industrious souls can search them for engineering manuals to your products.

anon • October 31, 2011 4:30 PM

I wonder how much RF power this thing puts out, and how big a battery it needs, not to mention a good antenna to cover a 10 sq km area...

If it wants to fool cell phones into thinking it's the cell tower, it needs enough power to cause "FM blanking" in the cell phone's receiver, so the fake signal overpowers the legitimate one.

How covert can it be with those sorts of demands on its RF footprint?

NobodySpecial • October 31, 2011 5:17 PM

If this is the device I'm thinking of it doesn't replace the base station so doesn't need to block it out. It simply picks up all the TIMSI (phone NOT sim id) for all the phones in range - I'm not sure it even has to broadcast to ask the phones for this - the IDs are sent in the clear to the base station regularly.

Nick P • October 31, 2011 5:30 PM

@ Clive Robinson

Thanks for the tip!

@ TS

You think your call is private using Twofish on an insecure mobile OS running on and alongside firmware that might have remote update/control capability? It's not. Otherwise, products like Sectera Edge wouldn't be necessary for classified calls.

Algirdas • October 31, 2011 8:38 PM

"regimes in the Middle East"

And regimes in UK and USA. When power-hungry criminals rule in Asia, somehow they are "regimes". But when they are on the periphery of the Northern Atlantic ocean, they are "Secret Service", "the Ministry of Defence", and somehow not (implied) oppressive "regimes". Funny, that.

fakufaku • October 31, 2011 8:47 PM

I believe it is actually fairly easy to set up a rogue GSM base station. A quick rig can be put together using OpenBTS.

As I remember, newer protocols like UMTS were supposedly more robust to this kind of attack. Is that really the case?

Peter E Retep • October 31, 2011 10:55 PM

For sane Cold War democracies, yes, and a prior chain-of-command validated release code.
For the rest, who knows?

Clive Robinson • October 31, 2011 11:54 PM

@ TS,

+1 for the smile, +3 for back referencing to last week's blog post about TwoFish.

@ NobodySpecial,

"Of course a group as technologically and strategically skilled as the UK police would ensure that nobody is carrying a mobile phone while on duty wouldn't they?"

+10 for that; my cup of midnight tea went all over the place when I read that.

For those who don't know, the Met Police, like a number of other emergency service organisations, have been stuck with a Trunked Mobile Radio System from Motorola that really is a bad mismatch for what they do day to day. The result is that many of the Met police officers carry the "damned radio" and usually two or more mobile phones...

"If I understand correctly the difference between this and running a fake base station is that this isn't limited to one network and it isn't easily detectable by the user - you also don't have to deal with actually handling the call or by raising suspicions by rejecting it"

I'm not sure of all the features the Datong device has, however the Vodafone femto is a complete UMTS base station in a package the size of a WiFi router. Because it uses a stripped down version of Linux underneath the radio modules, once you have root console access you can make it do quite a lot of extra things. One of which is just sitting on a control channel passively "slurping up" registration traffic that might be talking to a "proper base station" in the area.

@ Andrew,

"This is just the tip of the iceberg as to what procurement we have undertaken to protect the public and the city"

The question is after the initial purchase of the equipment for the couple of weeks of the 2012 games, what is going to become of all this very expensive equipment and the personnel trained to use it?

Personally I don't think it's going to sit in some cupboard gathering dust, and the personnel go back to ordinary duties... So the question is where will they go. Parts of the Met have a very poor reputation for spying on peaceful protestors, then giving their private details to various companies so that the companies can take out private prosecutions or worse against these people. Likewise some parts of the Met have been caught in undercover roles acting as 'agents provocateurs' or perjuring themselves in court.

@ Dom De Vitto,

"Geee. This company is at its 2nd lowest share price in the past 10 years"

Datong have been around for some considerable period of time. Originally they developed kits for UK Amateur Radio enthusiasts (and allegedly Pirate radio as well); there was also some suggestion they were indirectly involved in the design of very high speed high energy pulse generators that would have ended up going off to a Middle Eastern country. Think solid state version of a krytron and sprytron switch if you want to know why various people (including the CIA & MI6) got twitchy about it ( http://en.m.wikipedia.org/wiki/Krytron ).

Like many companies involved with VHF and above design they were also involved in the surveillance industry (bugs, tracking equipment etc), and I guess like some others they found the very high profit on low volume sales to be too seductive a side line.

"Hope operating this stuff is legal.....not sure under what law it could be used, without a warrant."

Its use and sale are covered by different bits of legislation.

To be sold on the EU "Open Market" it is probably illegal as it's almost certainly not type approved for use on the harmonised European Market (ie it's probably not got the required CE or (!) marks). However if it's sold as a component part, sub assembly or kit of parts then in general those rules don't apply, so it can be sold to "manufacturers" or end users capable of self certifying for type approval. Also as radio equipment it should be type approved if it has a recognised "interface" such as an antenna (see early parts of the R&TTE Directive).

However if you look at all the EU Radio directives and much other national law within Europe there is an exception, the universal get out of jail free card of "National Security", which means it's OK for a National Government or its various "Military, LEOs, etc" to operate but not the rest of us.

Likewise for the "licence to operate": the "Military, LEOs, etc" will be licensed appropriately to operate the equipment, the rest of us not.

Now until not so long ago the Met Police did not do "National Security"; that remit was kept to the likes of MI5 (domestic) and MI6 (foreign). However starting with the Special Branch investigating the supply side of "Irish" terrorism they have taken on more of that role. Various side shows thought up by the politicos such as the defunct SOCA have also had their snouts in the trough of "National Security".

Worse, "National Security" has been weakened down in its meaning to the point where it includes "economic benefit", which some regard as an open licence on Industrial Espionage against foreign competitors, a small part of which is "APT".

Clive Robinson • November 1, 2011 3:22 AM

@ Andrew,

"SOCA is only defunct because it's being dissolved into the soon-to-be National Crime Agency (NCA)."

Whilst it is true that some of SOCA's functions are ending up in the NCA, not all are. Some are basically disappearing or being thrown back onto the various Police forces, without appropriate budget consideration.

SOCA was this dream of a high tech crime fighting organisation that in reality was all but useless and dropped the ball more often than those in charge are prepared to admit, hence the usual political solution "re-organisation (out of existence)". We saw this with HM Customs and Excise, who had powers of arrest etc; they set up a sting operation that a judge basically described as an illegal money laundering scheme, and a whole bunch of arrests etc got chucked out. HM C&E got "re-organised" with their hated rivals Inland Revenue to become HM Revenue & Customs and lost their ability to make arrests etc.

Oh and the NCA are already showing signs of being too strategic to succeed, but I guess time will tell.

Strad • November 1, 2011 4:27 AM

"until not so long ago the Met Police did not do "National Security" that remit was kept to the likes of MI5 (domestic) and MI6 (foreign). However starting with the Special Branch investigating the supply side of "Irish" terrorism they have taken on more of that role."

Met Police have had an anti-terrorist unit for at least 15 years, guess it depends on your view of "not so long" :)

Danny Moules • November 1, 2011 5:31 AM

"This function is designed to cut off a phone used as a trigger for an explosive device."

Because there are clearly no other devices capable of remotely triggering an explosive device that would be unaffected by this and quickly adopted in light of this technology...

...

David • November 1, 2011 6:06 AM

"This function is designed to cut off a phone used as a trigger for an explosive device."

...and of course we always have the opposite... the bomb goes off when the call drops unexpectedly.

Tim#3 • November 1, 2011 6:34 AM

Looking at Datong PLC's tumbling share price, I sense this isn't going to be an issue for long at all. Their directors' pay seems to be holding up very well indeed though, for now.

Clive Robinson • November 1, 2011 7:07 AM

@ David,

".. the bomb goes off when the call drops unexpectedly."

Yup, many many moons ago I worked for an organisation that did research for various military organisations. I pointed this out as being a problem with using jammers.

The idiots in charge then suggested some other solution involving their precious jammers (then made by Racal). I pointed out that whatever they suggested using the stupid things was always going to be vulnerable because it radiated energy that the receiver could detect (in most cases by simply using a random "dual tone" on top of a signal).

Or worse, passively they could use what I called the "doughnut effect" to explode the device when the jammer was right on top of it.

Basically back in the early 1980's jammer designers wanted to radiate out the signal as far as possible so the antennas go on top of the vehicle. But this means at ground level the signal pattern is like an American doughnut, with a deep signal null almost directly under the vehicle, so a simple pair of low pass filters on the signal strength will indicate when the signal starts to drop and bottoms out; thus with a few op-amps and D-Type latches in TTL you could make a detector that would trigger either in the doughnut or if you wished just after the signal peak or both.

Thankfully your average IED designer thinks differently, but sometimes they go even better. The PIRA once used a photo detector at the end of a cheap plastic kiddies' telescope or binoculars, and, to trigger it, a flash gun mounted in the optics of a better telescope pointing at it. Provided they set this up with the detector field of view orthogonal or normal to the jammer or VIP vehicle then it cannot be jammed...

The optical transmitter to the IED can be put on a suitable high point with, say, an RC receiver so that it can be triggered well outside the jamming radius...

It's why I tell anyone who asks that a jammer is a far from fallible last resort device; as always your best defence is good humint first, last and at every step in between.

Clive Robinson • November 1, 2011 7:24 AM

Oops,

I've just noticed a spell checker human interface gremlin in my above,

s/infallible/fallible/

Note to self "don't press on before correct word has come up"...

cb • November 1, 2011 7:40 AM

Nothing could go further to undermine public trust of their government, not terrorism, not fraud, not bad policies.

Z.Lozinski • November 1, 2011 8:42 AM

@Clive, @Strad
"until not so long ago the Met Police did not do "National Security" that remit was kept to the likes of MI5 (domestic) and MI6 (foreign). However starting with the Special Branch investigating the supply side of "Irish" terrorism they have taken on more of that role."

I'd argue it is the complete opposite: the MPSB keep getting into national security areas and eventually lose the responsibility due to Whitehall politics.

On a point of history. The Metropolitan Police's Special Irish Branch, which was subsequently renamed the Special Branch, was originally formed to counter Fenian (ie Irish) terrorism in 1883. (The Clerkenwell bombings, the Phoenix Park murders etc.) The Met Special Branch lost responsibility for counter-espionage in 1929. The Special Branch retained responsibility for Irish terrorism until the implementation of ASCRIBE in 1992 transferred that responsibility to MI5.

http://www.met.police.uk/history/fenians.htm

paul • November 1, 2011 9:10 AM

It certainly will make Rupert's job easier if his people don't have to hack individual voicemail accounts.

mark • November 1, 2011 10:42 AM

@anon
"I wonder how much RF power this thing puts out, and how big a battery it needs, not to mention a good antenna to cover a 10 sq km area..."

A circle of just under 1.8km radius isn't actually that big.

Nick P • November 1, 2011 12:18 PM

@ mark & anon

Might be able to infer the power required for this fake base station by looking at what's required for a microcell or a WiMax access point. Anyone know?

Swordfish • November 1, 2011 6:26 PM

Most Cell Phones are made with proprietary and obfuscated low level internals with some (if any) open sourced high level APIs. You can't trust them for sensitive usage.

There are some Alpha Quality fully open source Cell Phones but they crash like crazy and are not security focused.

Joe in Australia • November 1, 2011 11:29 PM

There are lots of really interesting things that law enforcement can do with this and with related devices. Here's a Wikipedia page about IMSI catchers. They can track your International Mobile Subscription Identifier (i.e., the data that identifies your phone subscription) via a man-in-the-middle attack, but this would probably require a warrant. So what they can do is, they track and record your TIMSI, the temporary IMSI that's broadcast in the clear, and apply for a warrant afterwards, when they've established that the person carrying the phone was committing a crime. The warrant lets them connect the TIMSI to a particular IMSI and thereby identifies the phone's owner.

So, as a practical example, suppose you take one of these devices along to a demonstration that may turn unlawful. If it does, you record all the TIMSIs, get a warrant to identify the owners via the phone companies' records, and you've now got evidence identifying the rioters. It's not necessarily conclusive, but it's something that a judge would listen to. Take the device to a few riots and you've identified the people who are regularly present - probably the leaders. Now you have enough information to justify tapping their phones properly.

The really funny thing is that I understand that these devices are already used commercially for tracking foot traffic in malls. They're off-the-shelf items. They must be widely accessible to law enforcement and security bureaus. But people - including myself - totally ignore the fact that we're walking around with great big radio transmitters that broadcast our identity.

jkm • November 2, 2011 9:42 AM

AFAIK, setting up a faked base station is only possible in GSM and not in WCDMA or LTE systems as they perform mutual authentication. Not sure about CDMA and WiMAX.

Of course you can block e.g. 3G frequencies and then fake the 2G access that the mobile will fall back to. (Tinfoilhats should disable GSM in their phones..)

Gee Whiz • November 2, 2011 10:26 AM

This system would never be misused by criminals. Especially not white collar criminals contracting for the FBI. Never. Ever.

Adhoc • November 3, 2011 4:55 PM

If you go to demonstrations or risky places, remember to turn OFF your phone when you arrive. I believe people in Arab countries should be more aware of this.

Papageno • November 4, 2011 6:41 AM

"This function is designed to cut off a phone used as a trigger for an explosive device."

What shameless bullshit. Seriously, what is the probability that 1) a plot is discovered by the police 2) who know the exact location(s) and phone number(s) and 3) successfully jam the cell phone(s)?

It's the usual argument about "we need this to fight child porn and terrorists" while the devices are actually used for routine police work in the best case and spying citizens, journalists, or political activists most of the time.

jkm • November 4, 2011 8:10 AM

"This function is designed to cut off a phone used as a trigger for an explosive device."

This is actually a valid statement; so called radio-controlled IEDs (RCIEDs) have been used a lot by e.g. the IRA and in Iraq/Afghanistan. Bomb disposal units are targeted and very elaborate schemes are used to do so, i.e. secondary and tertiary explosives triggered by wire, motion/heat/cell phone etc. It is common to jam all cell phone frequencies during EOD, not individual phones.

Clive Robinson • November 4, 2011 9:03 AM

@ jkm

"It is common to jam all cell phone frequencies during EOD, not individual phones"

It's a bit more complicated than that; it depends on the transmission system as well as the modulation system. For instance GSM and CDMA95/2000 are radically different in this respect and require different strategies.

However for the simple case of an FM system:

To jam a single frequency with a CW signal you can use a class C amp, which is efficient and produces a relatively clean output.

However to jam two or more frequencies simultaneously you need to use a linear amp, which is not very efficient. Also you cannot use the amp at its rated output power for a single CW signal, but only (because the RF signals add voltage wise, not power wise) at a much lower power than you would expect. So for an amp with 1 signal just limiting at 4W, with 2 signals it would be 1W each, 3 signals 0.5W each, 4 signals 0.25W each etc.

That is, to jam just four channels you would have 1/16th of the amp's rated power on each channel; for 20 channels you would be down to 1/400th of the power... So jamming all channels would be prohibitive, you would just jam the handful of control channels (assuming the call had not already been placed).

Another way is to use a sweep jammer, which sweeps across a band of channels. However its power in any given channel is proportional to the number of channels it scans across (less some for the channel gaps etc). A more modern method is to use frequency hopping using a numerically controlled oscillator such as a DDS etc.

However there are two problems with this. Firstly you have to sweep/hop across each channel at least twice as fast as a data frame [1]; secondly you have to be on channel long enough to "pull the receiver" off of any signal it's currently on. And this usually means you need at least a 12dB power advantage in the CW scenario and considerably more for a sweeper / hopper depending on the mode of transmission you are trying to jam (phase reversed carrier signalling with a phase locked receiver being a real problem).

[1] For this a data frame is assumed not to use error correction. Some error correction systems will get meaningful data through with little degradation even when up to 50% of the signal is jammed. If you have the money there are a number of specialised books on the subjects of ECM and ECCM systems which give various mathematical and computer models.
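The per-channel power scaling in the comment above, carried through as an added derivation that is not part of the original comment. It assumes the linear amplifier is limited by its peak envelope voltage $V_{\max}$ into a load $R$, and that the $N$ jamming carriers are equal-amplitude CW tones at distinct frequencies (so their envelopes periodically add in phase); it also extends the 12 dB margin figure into a bound on how many channels one amplifier can cover.

$$
P_{\text{rated}} = \frac{V_{\max}^{2}}{2R}
\qquad\text{(single tone driven to the limit)}
$$

$$
N \text{ tones of amplitude } a:\quad
N a \le V_{\max}
\;\Rightarrow\;
a \le \frac{V_{\max}}{N}
$$

$$
P_{\text{per channel}} = \frac{a^{2}}{2R} = \frac{P_{\text{rated}}}{N^{2}},
\qquad
P_{\text{total}} = N \cdot \frac{P_{\text{rated}}}{N^{2}} = \frac{P_{\text{rated}}}{N}
$$

$$
P_{\text{rated}} = 4\,\mathrm{W}:\quad
N=2 \Rightarrow 1\,\mathrm{W},\quad
N=4 \Rightarrow 0.25\,\mathrm{W} = \tfrac{1}{16}\,P_{\text{rated}},\quad
N=20 \Rightarrow 0.01\,\mathrm{W} = \tfrac{1}{400}\,P_{\text{rated}}
$$

A sweep or hop jammer dwelling for $T_d$ on each of $N$ channels delivers the full $P_{\text{rated}}$ while on channel but only a time-average of $P_{\text{rated}}/N$ per channel, and the constraint in footnote [1] (each channel visited at least twice per data frame $T_f$) bounds the dwell:

$$
N\,T_d \le \frac{T_f}{2}
\;\Rightarrow\;
T_d \le \frac{T_f}{2N}
$$

With a required jammer-to-signal advantage of $12\,\mathrm{dB}$, i.e. $10^{12/10} \approx 15.8$, against a legitimate signal of received power $P_S$, the multi-tone linear amplifier can cover at most

$$
\frac{P_{\text{rated}}}{N^{2}\,P_S} \ge 15.8
\;\Rightarrow\;
N \le \sqrt{\frac{P_{\text{rated}}}{15.8\,P_S}}
$$

channels simultaneously, which is why the comment concludes that only the handful of control channels is a practical target for one amplifier.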

G. Smiley • November 4, 2011 12:57 PM

With technology like this, the safest operational methodology will employ legacy tradecraft from the pre-electronic era. The more things change, the more they stay the same.
