The lawful telephone interception sector with the so-called IMSI Catchers has been shaken by a newcomer Bulgarian company which has developed a new method to intercept 3G calls, Intelligence Online writes.
“Circles Bulgaria” specializes in real-time interception of calls and internet traffic in the 3G (UMTS) networks, something which until recently was considered impossible without the consent and cooperation of the mobile operator that holds the keys for encrypting the sessions.
The used to date popular interception method for breaking in and eavesdropping on encrypted mobile communications was based on forcing the targeted phone to switch from 3G to a 2G connection that is easy to decrypt in real time. This trick, however, can be prevented simply by altering the phone settings to mandatorily use the 3G network. Details about this method and the protection against it were published by Bivol after the scandal with the catchers of the Bulgarian Ministry of Interior in the spring of 2013.
The method of attacking the 3G encryption by using the SS7 network is brand new and was conceived in 2014 by mobile network security specialist Karsten Nohl (see here, here, here and here). It is based on protocol weaknesses which allow obtaining under certain circumstances the keys for symmetric encryption. Without them, eavesdropping in real time is not yet feasible, despite known weaknesses in the encryption schemes used in 3G networks A5 / 1, A5 / 2 and A5 / 3.
To get around the problem with the 3G encryption, “Circles Bulgaria” has listed itself as a virtual operator and obtains encryption keys by direct connections to the inter-operator networks of Magyar Telekom, Telecom Italia and Cogent in the United States, providing it with access to mobile telephone companies all over the world, Intelligence Online writes.
Thus, the company has access to the SS7 network traffic, which is very poorly protected and can be used for various purposes, including not that regulated access to keys for encrypted calls.
It is debatable whether this method is legal and whether it violates the rights of consumers if used without the sanction of the court in the respective country from which the session keys are received. The technical solutions of the company falling into the hands of private entities linked to organized crime or being used by dictatorial regimes that repress dissidents would also be a problem.
Even without the infamous “catchers” from the time of Interior Minister Tsvetan Tsvetanov and the new solution of “Circles”, every subscriber of a Bulgarian mobile operator may be spied on by the State Agency Technical Operations (DATO) and the State Agency for National Security (DANS) both in the country and abroad where they use roaming. This happens under the Special Surveillance Devices Act and the Electronic Communications Act. The difference is that the operators’ eavesdropping equipment is supervised by the Bureau for Control of Special Surveillance Devices, albeit after the fact, and the legal use of “catchers” and other similar technologies is controlled entirely within the service that uses them.
Bivol made several unsuccessful attempts to contact the company and ask questions about the method, its implementation, legality and commercialization.
Besides intercepting the 3G networks, “Circles” also offers geo-localization services based on the SS7 protocol. For example, if a “person of interest” is travelling abroad and has switched to roaming, their location can be established remotely from the cells of the operator.
Eavesdropping – a prosperous business
“Circles Bulgaria” has been established in 2010 by Nadezhda Edie-Petrova Ropleva. The former name of the company is “Danida”. It is currently a subsidiary of the Cypriot offshore “CS – CIRCLES SOLUTIONS LTD”.
The offshore is headed by Eric Banoun, former head of international sales of intelligence solutions at the Israeli company Nice Systems. Banoun is a telephone and internet interception specialist.
Since 2011, the profits of “Circles Bulgaria” have been growing steadily, according to data from the DAXY registry – from 207 thousand levs in net sales in 2011 to 5.5 million in 2014. Its staff has increased from nine employees in 2011 to 84 to date.
The company has not won public tenders. “Circles Bulgaria” had several accounts in the collapsed Corporate Commercial Bank (CCB) and four days before the closure of the bank, on June 16, 2014, it has transferred to another bank 66,259 levs. Upon the closing of CCB, about 2,700 levs, 7500 US dollars and 750 euro, remained in the company’s accounts. Manager Nadezha Ropleva had been out of luck, because her attempt to transfer nearly 4,800 euro on June 20, 2014, the date of closure of the bank, failed.
This post is also available in: Bulgarian