Schneier on Security
A blog covering security and security technology.
« DROPOUTJEEP: NSA Exploit of the Day |
| GOPHERSET: NSA Exploit of the Day »
February 13, 2014
Finding People's Locations Based on Their Activities in Cyberspace
Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar's news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone.
Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional information about how the agency's programs work. From this and other articles, we can now piece together how the NSA tracks individuals in the real world through their actions in cyberspace.
Its techniques to locate someone based on their electronic activities are straightforward, although they require an enormous capability to monitor data networks. One set of techniques involves the cell phone network, and the other the Internet.
Tracking Locations With Cell Towers
Every cell-phone network knows the approximate location of all phones capable of receiving calls. This is necessary to make the system work; if the system doesn't know what cell you're in, it isn't able to route calls to your phone. We already know that the NSA conducts physical surveillance on a massive scale using this technique.
By triangulating location information from different cell phone towers, cell phone providers can geolocate phones more accurately. This is often done to direct emergency services to a particular person, such as someone who has made a 911 call. The NSA can get this data either by network eavesdropping with the cooperation of the carrier, or by intercepting communications between the cell phones and the towers. A previously released Top Secret NSA document says this: "GSM Cell Towers can be used as a physical-geolocation point in relation to a GSM handset of interest."
This technique becomes even more powerful if you can employ a drone. Greenwald and Scahill write:
The agency also equips drones and other aircraft with devices known as "virtual base-tower transceivers"—creating, in effect, a fake cell phone tower that can force a targeted person's device to lock onto the NSA's receiver without their knowledge.
The drone can do this multiple times as it flies around the area, measuring the signal strength—and inferring distance—each time. Again from the Intercept article:
The NSA geolocation system used by JSOC is known by the code name GILGAMESH. Under the program, a specially constructed device is attached to the drone. As the drone circles, the device locates the SIM card or handset that the military believes is used by the target.
The Top Secret source document associated with the Intercept story says:
As part of the GILGAMESH (PREDATOR-based active geolocation) effort, this team used some advanced mathematics to develop a new geolocation algorithm intended for operational use on unmanned aerial vehicle (UAV) flights.
This is at least part of that advanced mathematics.
None of this works if the target turns his phone off or exchanges SMS cards often with his colleagues, which Greenwald and Scahill write is routine. It won't work in much of Yemen, which isn't on any cell phone network. Because of this, the NSA also tracks people based on their actions on the Internet.
Finding You From Your Web Connection
A surprisingly large number of Internet applications leak location data. Applications on your smart phone can transmit location data from your GPS receiver over the Internet. We already know that the NSA collects this data to determine location. Also, many applications transmit the IP address of the network the computer is connected to. If the NSA has a database of IP addresses and locations, it can use that to locate users.
According to a previously released Top Secret NSA document, that program is code named HAPPYFOOT: "The HAPPYFOOT analytic aggregated leaked location-based service / location-aware application data to infer IP geo-locations."
Another way to get this data is to collect it from the geographical area you're interested in. Greenwald and Scahill talk about exactly this:
In addition to the GILGAMESH system used by JSOC, the CIA uses a similar NSA platform known as SHENANIGANS. The operation—previously undisclosed—utilizes a pod on aircraft that vacuums up massive amounts of data from any wireless routers, computers, smart phones or other electronic devices that are within range.
And again from an NSA document associated with the FirstLook story: "Our mission (VICTORYDANCE) mapped the Wi-Fi fingerprint of nearly every major town in Yemen." In the hacker world, this is known as war-driving, and has even been demonstrated from drones.
Another story from the Snowden documents describes a research effort to locate individuals based on the location of wifi networks they log into.
This is how the NSA can find someone, even when their cell phone is turned off and their SIM card is removed. If they're at an Internet café, and they log into an account that identifies them, the NSA can locate them—because the NSA already knows where that wifi network is.
This also explains the drone assassination of Hassan Guhl, also reported in the Washington Post last October. In the story, Guhl was at an Internet cafe when he read an email from his wife. Although the article doesn't describe how that email was intercepted by the NSA, the NSA was able to use it to determine his location.
There's almost certainly more. NSA surveillance is robust, and they almost certainly have several different ways of identifying individuals on cell phone and Internet connections. For example, they can hack individual smart phones and force them to divulge location information.
As fascinating as the technology is, the critical policy question—and the one discussed extensively in the FirstLook article—is how reliable all this information is. While much of the NSA's capabilities to locate someone in the real world by their network activity piggy-backs on corporate surveillance capabilities, there's a critical difference: False positives are much more expensive. If Google or Facebook get a physical location wrong, they show someone an ad for a restaurant they're nowhere near. If the NSA gets a physical location wrong, they call a drone strike on innocent people.
As we move to a world where all of us are tracked 24/7, these are the sorts of trade-offs we need to keep in mind.
This essay previously appeared on TheAtlantic.com.
Edited to add: this essay has been translated into French.
Posted on February 13, 2014 at 6:03 AM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"If the NSA gets a physical location wrong, they call a drone strike on innocent people."
Even if they get the location right it can result in a drone strike on innocent people. Family members are unlikely to have a say in their husband/father/brother being a member of an organisation the US doesn't like but if they're in the house/in the car/at the wedding with them they still get killed too.
There are SO many ways to defeat cell phone tracking I would think by now it is useless for tracking SERIOUS bad guys.
But, then again, who are the bad guys anymore?
@qwertyuiop & Bruce: the accuracy of the NSA's information regarding the location of a particular individual has no bearing whatsoever on their guilt or innocence. Whatever the circumstances this is extra-judicial assassination and accurate technical information does not amount to due process or moral justification.
If another state so blatantly carried out such actions against US citizens, particularly on US soil, there would be uproar from outraged politicians, media and citizens and no doubt massive indicriminate retalliation with cruise missiles, "smart" bombs and whatever else was at hand.
This is just PLAIN WRONG!
I think you mean SIM (subscriber ID module) not SMS (short message service) when talking about swaping cards.
Spoofing your cell phone location is not exactly dificult...
Even though the drone might emulate some of the "RustyRivet" functionality, the simple fact is the higher up the EM spectrum you go the harder it is to either evesdrop or find.
It's fairly trivial to modulate a narow beam light source and using "hooded telescopes" communicate line of sight over very many miles.
So putting the phone on top of a building on a hill means you can use it with a large geographic seperation between you and it.
If you wanted to be nasty you'ld hide it ontop of a hospital etc. You'ld need to design a fairly simple keyboard replacment interface which could be easily done with a 1USD micro controler from MicroChip or many others.
The simple fact is humans will adapt their tactics fast both to save their lives but also to make their enemy look like murdering meglomaniacs.
And contary to wat the US may bluster "diplomatic immunaty" does not apply for things like torture and war crimes. And there is such a thing a "universal juresdiction" for such crimes.
Further "host nations" as I've indicated before have culpability if they allow diplomats from a foreign nation to carry out such crimes from their soil.
As has been found in the UK people injured by UK government employees have the right to seek damages under various European and International treaties.
Some of you may remember George W Bush's visit to Switzerland being suddenly curtailed and he was bunndeled out of the country fast... It's been indicated that an aproach had been made to the Swiss judicial system for various crimes...
Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional information about how the agency's programs work.
Legal and political implications are discussed here.
So "Smart Citiy" free Wi-Fi is more like free cheese in mousetrap...
The criticism of the reliability of the intelligence used to launch a strike is the article's weakest point.
Two former UAV operators are used as sources for this article. One, whose identity is in the open and who has spoken extensively on his experiences for some time, has said that UAV operators have little to no access to the intelligence used to determine that the target sought is in fact what they're tracking.
The other, who remains anonymous, makes a number of claims to the effect that only signals intelligence is relied upon, and that it is very unreliable. He gives a number of tactics used by groups to defeat such tracking.
The contradiction between the accounts of the two is found in the middle of the article, and is passed over quickly.
Personally, I find the named source's account more persuasive. There's no reason for a UAV operator to know if there is human intelligence or other forms of intelligence involved. They need to know how to track a target with the instruments available to them, and for that purpose need certain identifying characteristics. But for the rest... background and context is important to understanding the mission, but I'd guess that the background given omits any especially sensitive collection. The UAV operators are pilots, and their task is not to conduct a complete reassessment of the target identification and selection.
All of this makes the article's criticisms of the reliability of the intelligence used to launch strikes much more uncertain and tenuous than the tone of the article would imply.
In fact the authors simply don't know how reliable or unreliable the intelligence used is, or what the analytical process and standards are for determining whether identification is strong enough to justify a strike.
A journalist whose goal was to be as objective and fact-based as possible would have written a very different article. The number of unsupported conclusions and loaded terms included are truly remarkable.
Sorry but I'm not seeing the slightest need for "advanced mathematics" here, just 17th century cartesian geometry and (its implied) inverse square law for signal weakening with distance.
I suppose if there were thousands of similar signals being collected simultaneously by a given overflight, these would have to be sorted out into those tuples consistent with a unique ground location but that would simply involve sorting through a massive compute all possible tuples.
Again no need for any 18th century math. Recall the state of math back then: Gauss computing the (elliptical) orbit of Ceres in 1801.
I wonder though if massive variation in cell phone antenna transmit signals for the wide assortment of cell phone models in a given town doesn't greatly simplify the problem.
@Ian McNee & @Clive Robinson:
The problem as you both clearly pointed to is the idea of double standards and disrespect to the International Law (signed and ratified international agreements in particular).
As all not politically blind could see, such going such path creates more enemies than friends. During World War II Germans wanted to surrender to Americans because America was the model of following all International Agreements on POWs. As result, many lives of Americans and Germans were saved at the end of the War. You can see that American history has good example how compliance with International Law even in the time of War is productive in the long run - just opinion.
The criticism is my comment is entirely directed at Greenwald & Scahill's article, simply to be clear. "The article" in the comment refers to their article, not to the essay posted here.
Bruce writes: "None of this works if the target turns his phone off *or exchanges SMS cards often with his colleagues*, which Greenwald and Scahill write is routine."
SIM cards are only one identifier. Each phone also has a unique number (IMEI=International Mobile Equipment Identity) which is enough to identify it. Changing SIM cards does not change that number. After changing the SIM the NSA only has to search for that number to find you again.
There was one report from the Snowden-files that explained exactly that capability.
One would have to change SIMs and phones and not swap these in a group as that would give the group existence & members away.
Changing SIM cards in a group is not good security but makes things worse as one gives away social connections the NSA may not have been aware off before the change happened.
Also - with many new cellphones phone "off" does not really mean off. There were reports that the NSA can awake some "off" phones without the user noticing. Even removing the battery may not be enough to keep some phones off the electromagnetic spectrum.
One has to shield them to be sure that they do not transmit or receive.
I personally believe that Google's street-view cars that were found to collect Wi-Fi ID data and PW as they drove throuhg the cities of the world were actually collecting data for both Google and for the NSA, and due to existing laws Google executives were allowed to lie and claim an "engineer's error".
you dont usually quote one article so much. and the info in the original article is hardly shocking. free advertisement for the intercept?
I don't know about swapping SIMs. Seems like it would be easier just to hand the phone off, but I'm not an expert on that tradecraft other than having watched a fair bit of Burn Notice (I'm probably just smart enough to be dangerous...).
Interestingly, about a month ago there was a wireless network that showed up near my workplace that had an SSID of "SHENANIGANS." I was unable to locate its source before it disappeared a week or so later. There is a big NSA base here in town, so I don't know if that's a coincidence or not... but they have had major effects here (once, they did something heavy with wireless transmissions that caused all garage doors remote controls to stop working).
These are definitely interesting times, in the chinese-curse sort of way.
I remember reading this study while at the femtocell briefing at Black Hat. It adds some perspective on reliability and also notes that they could uniquely identify and track individuals if they simply knew their corresponding location at 2-4 points in time.
From MIT Technology Review:
"This study published this March, using records provided by a European wireless carrier, shows the surveillance power of telecommunications metadata. Vincent Blondel, an applied mathematician at MIT and the Université Catholique de Louvain in Belgium, and collaborators analyzed 15 months of anonymous call records from 1.5 million people. His team was able to uniquely pinpoint the movements of 95 percent of people from only four records, using only the location of a nearby cellular station and the time each call was made."
So, basically you're saying to jump onWigle's map, pick a random wifi point, set your router's mac and ssid to that?
Ho ho ho!
Seems to me that if the "bad guys" were as clever and as well-organized as the fear that is exploited to justify this kind of program makes them out to be, they could leverage this targeting strategy into a pretty effective "drone trap". Even more interesting, they could quite possibly entice the drone operators to make much more politically costly errors than killing innocent children of "Islamic militants". For example, striking a wedding party that includes close relatives of an official with a "friendly" government.
My understanding is that members of criminal organizations do not swap SIM cards with each other, but swap out sims on a daily basis. The sims are preprogrammed with the numbers of their criminal enterprise contacts who are also inserting a new sim each day.
Once a week you are given a new set of sims to be used the following week, as is everyone else in your network. Everyone has a new number daily, and a new set of contact numbers daily. They probably use those pill reminder/organizer boxes to distribute the sims.
IMEIs are dealt with by changing phones.
Regarding Google's street-view, it also opens up the potential for fusion with location tracking data to form a kind of "experience map" for an individual showing the stream of impressions that they have been exposed to.
Experience maps can be used for targeting zersetzung operations. For example, messages can be sent to specific individuals in a crowd using the mechanism of Bruner-Potter interference. Since a person's perception is somewhat conditioned by their recent experience, a message defined relative to that experience will only be perceived as the intended message by a person with the relevant prior experience.
Hmm, these IMEI seem pretty fluid to me.
Buy a case of $10 cheap new handsets just for their valid IMEIs or copy one off a repair shop, or discarde or burner, put it on your real phone with Z3X, ditch the junker. Or buy them from a radio shack vendor in South America, duplicates are not going to collide with any service in Yemen.
Who exactly gets to issue IMEIs? BABT. "To apply for a range of numbers, you must first register your company onto the IMEI database. If successful, you will be allocated a unique access code (Organization ID) and passwords. This will allow you to apply for [a range of] IMEI) numbers."
Let's suppose a small Chinese phone manufacturer is given a large range of valid unused IMEIs to put on their products. Later, authorities could wonder if every IMEI came to be actually associated with a physical phone-- might be more profitable just to sell a subset of unused IMEIs online, if caught say you were hacked or that an employee stole them.
"The French newspaper Le Monde (Google Translate) reports that mobile theft in France has dropped 20 percent between April 2011 and April 2012, suggesting that this measure has been somewhat effective.
However, the Paris police department has now announced that it has discovered the use of software called Z3X, which has apparently been found in 50 mobile phone shops in eastern Paris. Z3X is a Ukrainian-made tool that offers what appears to be a specific way to reset IMEI numbers on various specific phones, including models of Samsung, LG, NEC and other phones. The group has listed resellers scattered across the United States, Europe, Russia, Ukraine, and Libya.
The software apparently allows the IMEI number on the phone to be reprogrammed... Not surprisingly, these reprogrammed phones end up back on Parisian and French streets. The newspaper also reports that the French Ministry of the Interior and the French Federation of Telecoms have been looking into how to deal with this new software."
Mobile phone manufacturers in China have sold up to 25 million of their grey market phones in India, and those phones often lack international mobile equipment numbers. An IMEI is a unique 15-digit code that identifies the handset. Each time a call is made, the telecommunications company uses the IMEI to identify the caller via a universal registry of phones. If a phone lacks an IMEI, the telecommunications company can still route the number to the destination, but it does not know which phone is making the call.
The thieves, with the help of some local mobile vendors, replace the stolen phone’s IMEI number with a cheap or a Chinese handset IMEI number. Telephone Regulatory Authority of India) has ordered all the mobile operators not to allow calls to be processed on handsets without valid IMEI numbers.Your handset will not work with any network as your handset has an invalid IMEI number. How much time will it take to change the IMEI number ? The whole process takes about 10 – 30 minutes.
The IMEI thing is well known. It is also a big privacy issue. This is why I got a chinese cell phone with a MTK CPU. Everytime I change my SIM, I also change my IMEI (I buy anonymous prepaid SIMs for a data plan on my phone, and connect to my SIP provider over my server). The IMEI can be changed with a simple app (MTK tools) which opens the engineer menu. I can use it to run AT commands to rewrite my IMEI (which I generate using a known TAC). This is the best way to prevent mobile phone tracking.
"If the NSA gets a physical location wrong, they call a drone strike on innocent people."
Actually these people are always innocent as long as not proven guilty. And you can't prove somebody guilty without give him a proper trial in the court.
@andrej According to our politicians who like to commit it, murder can only happen in our country. Everywhere else it's perfectly legal, since our laws don't apply. Hey world, welcome to your new overlords, you may kneel and kiss our feet.
I agree with Skeptical... just like with Snowden, we got another "tech guy" here (the drone operator) who is taken as a witness for things he has no knowledge about or experience with. If Greenwald wants to discuss intelligence assessments, he should interview analysts, not people who are at the bottom end of the chain of command.
Also, people should first read some old-fashioned hard copy books about NSA before starting to read all these online pamflets from Greenwald. Start for example with Deep State, by Marc Ambinder and D.B. Grady, published just months before the Snowden-leaks began. This book shows NSA and the US military have many more, and als some unexpected and some still very secret, ways to track and monitor terrorists. Why aren't those things mentioned in the Greenwald-article?
The Chinese produce generic mobiles in vast numbers with identical or random IMEI numbers. If the phone does not work on a network, the user can usually change the IMEI to something that does work. So, would we rather be spied on by the Chinese? Obviously!
If we could get someone in the European tool-chain prosecuted for "aiding and abetting" in a targeted killing, then we could throw some grit in the empire's machinery. I doubt that Obamas NDAA 2012, which f.ex. Declares anyone in the vicinity of a drone strike to be "enemy combatants", would pass in Europe.
Scrambling SIM cards and/or phones is common in contested areas now.
Method: There is a meeting somewhere. SIM cards removed and put in a bag, shake several times, pick one from the bag.
There are software ID spoofers available, too.
So what does the NSA really get once the cat is out of the bag?
That's right, surveillance of the good guys. Then they need to think up a way to justify it.
Oh right! POLITICS. Complainers are suspicious you know!
Skeptical is right, reliability is neither here nor there. Nobody cares about the data integrity of information used to direct a plan and program of indiscriminate extrajudicial killings, torture, and disappearance in breach in breach of Rome Statute Article 7.1.a, 7.1.f and 7.1.i and corresponding universal-jurisdiction law. The NSA's dim-witted alacrity at killing by numbers is not going to exculpate any US government murderers.
Nobody even cares about the data source. Why, a posse of Orsh's old sleeper agents disappeared Karim Khan, and he wasn't even alleging targeting by candy-ass cowardly SIGINT weasels:
US agents disappeared Khan, in a per se breach of the Convention Against Torture, because they were panicked about exposure of their universal-jurisdiction crimes.
Regarding the new relevations on drone attacks:
Süddeutsche.de has revealed before, that the drones start from Dschibuti but the pilots sit, because of shorter transmission time, in the US Base Ramstein, and the targets are nominated at the US Africa corps AFRICOM which has its headquaters in stuttgart:
the quys are publicly offering jobs for target nominations, and drone pilots from stuttgart openly list this in their linkedin page, e.g http://de.linkedin.com/pub/danielle-moore/52/b97/... and talk to the tv on this: http://www.youtube.com/watch?v=_4Ueq9ZKB3I the general public prosecutor already has a begun a monitoring process of this, http://www.sueddeutsche.de/politik/... to clarify wether garmeny has helped in murder with this drone piloting from Stuttgart and Rammstein. Eliminating terrorists would not count as murder, since germany is at war in somalia to, with frigates cruising in the sea. The problem is the collateral damage. The german government claims that before the relevations of süddeutsche Zeitung, it did not know what the americans were doing. But now this is known and juristically the german government has an obligation to stop this. So when collateral damage happens, germany could be accused of helping in a murder by the relatives of the victims. The americans themselfes are safe because of diplomatic immunity for troops.
For example, Kareem Khan has lost his brother and his son in a drone attack. And now he planned to visit europe:
He wanted to meet with Christian Ströbele, members of the german government, and then he wanted to visit the international court in Den Haag.
Well, that meetings now have to be cancelled, as Khan got visited himself by 20 men recently, and was kidnapped in front of his wife. He was never seen again.
In the western media, it is often said that one can not understand why the Afghan Presindent refuses to sign a treaty that would extend the period in which us troops in afghanistan have diplomatic immunity.
Afghans, living in a country with years of war, where suicide bombers are almost part of the culture, these killings by drones must look as the most cowardly thing they know. As Afghans usually fight by going after the enemy. With the US forces retreating from afghanistan, the only possibility to protect afghanistan further from the taliban would be an increase of drone strikes. So the afghan president has the following choice.
Either he signs that treaty. Then, the US forces retreat by order from obama and will increase their drone strikes. The consequence would be that we have Taliban who sell their mobile phones after one day to stupid innocents, leading the drones to kill innocent afghans.
Or the afghan president does not sign the treaty. then the us can be persecuted juristically if they kill an innocent victim. So the US will decrease the number of drone strikes, leading afthanistan to be overrun from Taliban.
All in all the afghan president actually has a choice between pest and cholera.
All of the bullshit the NSA is doing was completely worth it, just so we could find out that they actually have a program named SHENANIGANS !
"Although the article doesn't describe how that email was intercepted by the NSA, the NSA was able to use it to determine his location."
Anyone remember when Lavabit shut down because Levison refused to allow a device to be installed on his network that could give real time information on the location of everyone that signed into his email servers? According to interviews with Ladar Levison, the FBI agents came in with an attitude of, "why not let us install this on your network? none of the other email providers had a problem with it."
It seems as though if you sign into an email server that's in the United states (or probably a lot of email servers outside the US) and you aren't connecting to it through TOR, then it's pretty easy to find your location.
@Peter: that's pure FUD - NSA analysts going to be interviewed by Greenwald? Oh yeah, Gen. Alexander is gonna be fine with that!
As for the NSA's "very secret" stuff not mentioned by Greenwald...well I think you answered your own question there. This is just a lame attempt to draw attention from the NSA's (and other arms of the US state) criminal activities at home and abroad.
Well, if NSA's intelligence assessments were really very bad and sloppy, why aren't there more leakers or whistleblowers like Snowden, but from somewhat higher echelons, from positions where they are actually working on those things? NSA has some 35,000 employees...
The answer is fairly trivial so I'm supprised you need to ask.
Firstly the NSA is actually rather more than 35,000 government employees theres all the employees of the companies that work on the 7000+ contracts that eat up 70% of their budget to consider as well.
By and large like nearly all employees they suffer from "groupthink" and thus behave in general like "hurd animals" with the view of sticking to the hurd is the safe way to survive.
We see this all over the world with LEO's who know full well that what they or some of their colleagues do is actually illegal and inocent people get hurt or killed. If they think about it at all then they rationalise it away as "the means justifies the ends".
We have seen this through out history with the age old excuse of "Only Following Orders". It was realised that many of the atrocities of war are in effect as the result of following orders therefore international law on war removed the right to use it as a defence for war crimes and genocide, now you have to show you were following "lawfull orders" if not then you end up swinging from a hemp neck tie briefly.
I suspect that many direct or indirect workers for the NSA are more than aware that much of their activities are not lawful. But they also know what happens to those who try to report it up the chain of command, refuse to do such work or whistle blow. That is there life comes to an end, their security clearance is revoked, they are dismissed without benifits or they are hounded legaly into bankruptcy or imprisoned indefinatly in solitary confinment or they simply cease to exist.
Now if you cannot see why that acts as a significant deterant I'm not sure you understand the basic idea of coercion by threat.
It's very easy to change IMEI of many MTK phones made in China .
go into phone interface , type *#*#3646633#*#*
,then enter GPRS->write IMEI , and input a new IMEI. restart the phone and IMEI changed.
and there are also many apps online you can use to change IMEI.
> By triangulating location information from different cell phone towers
Technically, I believe they're using *trilateration*, not triangulation.
In the course of my work and research at Anonymizer.com, I discovered that Google is using behavior to establish the true location of IP addresses.
Based on search terms, map locations, and corrections to Googles search, Google is able to create much more accurate IP -> location databases than are available from any other sources.
Regarding the Guhl killing, did they simply point a missile at the Internet Cafe? If so, that meets my definition nof a war crime, and probably the legal definition.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..