Rayzone appears to have used intermediary in 2018 to lease route into networks from Sure Guernsey
Crofton Black, Stephanie Kirchgaessner, and Dan Sabbagh
December 16, 2020, The Guardian
The Israeli private intelligence company Rayzone Group appears to have had access to the global telecommunications network via a mobile operator in the Channel Islands in the first half of 2018, potentially enabling its clients at that time to track the locations of mobile phones across the world.
Invoices seen by the Guardian and the Bureau of Investigative Journalism suggest Rayzone, a corporate spy agency that provides its government clients with “geolocation tools”, used an intermediary in 2018 to lease an access point into the telecoms network via Sure Guernsey, a mobile operator in the Channel Islands.
Such access points, known in the telecoms industry as “global titles”, provide a route into a decades-old global messaging system known as SS7, which allows mobile operators to connect users around the world. It is not uncommon for mobile companies to lease out such access.
However, doing so potentially allows third parties to exploit signalling messages – commands that are sent through a telecoms operator across the global network, unbeknownst to a mobile phone user. Used legitimately, such commands allow operators and others with access to the network to locate mobile phones, connect mobile phone users to one another, and assess roaming charges.
But entities with access to mobile phone networks are also known to use signalling messages for questionable purposes, such as monitoring locations for the purpose of surveillance or even intercepting communications.
Rayzone describes itself as providing “boutique intelligence-based solutions” for fighting terrorism and crime for national law enforcement agencies. It says its geolocation tools are for use by governmental authorities only.
The company did not respond to questions about whether it had directly or indirectly leased a Sure Guernsey title in the first half of 2018, saying the query “entails regulatory and trade secret issues and a risk to our customers’ ongoing operations against terror and severe crime”.
Rayzone added it acted in accordance with all laws and regulations, including export control regulations under the Israeli defence ministry. It also said its geolocation tools were “operated solely by the customers (the end users) and not by us”.
It is not clear whether mobile operators such as Sure Guernsey have access to information about how parties are using the global titles they lease out, particularly if those titles are sub-leased to a third party. Sure Guernsey therefore may not have known if Rayzone had access to its network through an intermediary.
Sure Guernsey said in a statement it leased access to global titles to a “small number” of specialist providers who provide “legitimate services” such as anti-fraud detection for banks and other services.
“Sure does not lease access to global titles directly or knowingly to organisations for the purposes of locating and tracking individuals or for intercepting communications content,” the company said. It added that it monitored signalling traffic and any evidence of abuse of Sure’s assets leads to service being “immediately ceased”.
Details of Rayzone’s apparent access to the SS7 network via a mobile operator in a British crown dependency comes amid mounting concerns about vulnerabilities of telecoms networks in the Channel Islands, which fall outside the UK’s regulatory jurisdiction even though they use the same +44 country code.
Leaked data, documents and interviews with industry insiders who have access to sensitive communications information suggest private intelligence firms regard small mobile operators, often based on tiny islands in offshore jurisdictions, as weak spots to exploit in the telecoms network.
Spy companies regard telecoms firms in both Guernsey and Jersey as potentially soft routes into UK phone networks, said industry and security experts.
Industry sources with access to sensitive communications data say there is recent evidence of a steady stream of apparently suspicious signalling messages directed via the Channel Islands to phone networks worldwide, with hundreds of messages routed via Sure Guernsey and another operator, Jersey Airtel, to phone networks in North America, Europe and Africa in August.
A spokesman for Jersey Airtel said the company took network and customer security seriously and that it had “necessary control measures” to prevent activities that could compromise security. It also said that leasing out global titles was “part of the mobile business ecosystem”. “We are vigilant about any misuse of these [global titles] and in case of any such misuse, we take strict action to block, investigate and initiate strict measures as per the terms of the contracts,” the company said.
Gary Miller, a mobile security researcher at Exigent Media who has studied sensitive messaging signals, said he found evidence suggesting a US mobile phone user was closely tracked while on a trip to Bangladesh in August 2020.
Miller said the apparent surveillance attack, which used signalling messages that could pinpoint the person’s location or intercept communications, appeared to have been routed through Sure Guernsey. It is not known who directed the messages to be sent or if Sure Guernsey would have been aware of the alleged attack. Sure Guernsey did not respond to a request for comment about the case.
British officials have privately expressed concerns about security issues around the SS7 network, particularly in connection to the Channel Islands, and have said smaller mobile operators there have not plugged well-known vulnerabilities.
A Whitehall source described the SS7 protocol as “toxic, horrendous – yet one the world relies on”, adding “it can be abused to geolocate people” but is complex to make secure because “if you get it wrong, you disconnect yourself from the rest of the world”. Security fixes are being implemented in the mainland UK but up to now Channel Islands operators have lagged behind, they added.
British telecoms regulators and the security services have almost no powers to enforce against operators in the Channel Islands, beyond what is described as a “nuclear option” to remove their access to the +44 UK country code.
The UK government appears to acknowledge security risks in mobile phone networks. Ofcom, which regulates phone operators in the UK, said network operators were required under law to take measures to manage security risks, including those related to their signalling networks.
A spokesperson confirmed, however, that Ofcom does not regulate the Channel Islands, Isle of Man or Gibraltar, and added that “we are not currently expecting a change in the extent of jurisdiction” when new laws tightening telecoms security requirements come into force.
Experts warn that fixing the vulnerabilities is unlikely to come quickly or easily – while new technologies such as 5G may be in theory more secure, lots of phones will still use the old networks, exposing every phone to their dangers.
“People say ‘5G will solve everything’,” said Sid Rao, a security researcher at Aalto University in Finland. “But this will not be the case until every network on earth is 4G or 5G. Until this happens, in say 30 years, vulnerabilities in old networks will still be a risk to all other networks.”
A spokesman for the Guernsey Competition and Regulatory Authority said the states of Guernsey had “licence obligations” in place that oblige telecommunications licensees to take “reasonable steps” to prevent their networks from being used in ways that are against the law. The government of Jersey said in a statement it was “committed to the security of its telecoms networks”.
Ron Wyden, the US Democratic senator from Oregon, said in a statement: “Access into US telephone networks is a privilege. Foreign telecom regulators need to police their domestic industry to ensure that SS7 access isn’t abused to spy on Americans – if they don’t, they risk their country being cut off from US roaming agreements.”