Global militant organisations are tapping into the vulnerabilities in mobile technologies for propaganda and recruitment, as well as to filch data for financial gain.
While the actions of al-Qaeda are widely covered by mainstream media the world over, there is one aspect of its operations that goes largely unreported – the digital aspect. This is despite the fact that investigations are uncovering the existence of a digital technology branch of al-Qaeda that exists to research and develop advanced methods of using the latest technology to propagate the organisation's campaign messages.
Al-Qaeda's digital R&D division – known as Fariq Jawwal Al-Ansar (FJA) – does not use the Internet as its primary means of communication and promulgation: it uses the same humble smartphone that 80 per cent of the world's population now have in their pockets.
According to Nigel Stanley, IT security practice leader with analyst Bloor Research, 'cellular hacking' is being used by al-Qaeda to great effect, and has been for at least two years. The problem that faces the cellphone community, Stanley says, is that while the mobile phone has to authenticate itself to the cellular network, there is no provision in the GSM (2G) or 3G standard for the network to authenticate itself to the mobile handset.
Because of this specific security weakness, the mobile phone – especially newer smartphones such as the iPhone, the wide range of Android handsets and BlackBerry mobiles – poses a real and largely unquantified security risk to enterprise users. Coupled with the prolific growth in mobile malware, Stanley maintains that there has been an exponential rise in interest in smartphone malware, from mainstream cybercriminals all the way to terrorists such as al-Qaeda engaged in industrial espionage.
While the results of malware infection are predictable – most malware on the smartphone platforms generates premium-rate text messages – Stanley says that he is seeing an increasing level of direct hacking of smartphones. 'This is more sinister than hacking laptops [using malware], for the simple reason that mobile phones are much more granular,' he says, adding that the combination of text messages, voice calls and data – which includes email – makes it relatively easy to stage a targeted attack on a user's mobile phone.
From an espionage or terrorist perspective, he explains, this makes the average smartphone an incredibly useful form of reconnaissance, particularly as smartphones have become as powerful as a laptop was just a few years ago.
'It is not just malware that we are talking about here. There's also user stupidity – many users do not understand what a powerful resource a mobile phone is,' Stanley adds.
Fooling the mobile phone
One of the key ways in which smartphones can be subverted comes down to a characteristic of the handset: it locks on to the strongest cellular radio signal it can hear. This means that if you install a pico-cell GSM basestation – obtainable for just a few hundred pounds – and drive it with suitable software running on a laptop, it is possible to emulate a regular GSM basestation.
Because the pico-cell – a tiny version of a regular basestation typically used in shopping malls and office complexes for in-fill coverage – will have a strong signal to GSM handsets in its vicinity, typically to a range of a few hundred metres, it is possible to 'fool' a standard GSM smartphone into authenticating itself with a pico-cell basestation instead of a regular station some way distant.
That is the theory, and Bloor Group's Nigel Stanley reports that he has conducted a number of tests using a Faraday cage to prevent mobiles in the vicinity from accessing his 'home-brew' set-up – and confirms that impersonating a GSM basestation can be completed for an outlay of around $1,000. Using a USRP-1 (Universal Software Radio Peripheral) as the pico-cell, driven by a laptop running the Ubuntu operating system and loaded with OpenBTS and the Asterisk PBX (Private Branch eXchange) software, the security researcher was able to prove his assertion that, with a modicum of kit and ingenuity, it is possible to intercept a user's smartphone voice and data calls.
OpenBTS, as the name implies, is an open source basestation transceiver application, developed for research purposes, while Asterisk is another open source application, this time designed to run a PBX in an office environment.
By forwarding the voice calls via a low-cost PAYG VoIP (Internet telephony) service – paid for using an anonymous pre-paid debit card – the user of the smartphone is none the wiser that their mobile has been subverted.
This means that text messages, email and mobile Web service data transmissions can also be forwarded using appropriate anonymous proxy services, such as the Tor network, to remain totally anonymous.
The irony of this interception and subversion is that the smartphone user will not be billed for their voice calls, meaning there is no audit trail to investigate.
In Stanley's tests, he reports that by transmitting the appropriate codes on the relevant beacon channel – such as MCC 234/MNC 15 for Vodafone UK or MCC 234/MNC 34 for Orange UK – a smartphone with a Vodafone or Orange SIM card inserted will authenticate itself to the 'rogue' base station.
The technical detail
So why is Stanley's research so crucial in proving what al-Qaeda's digital specialists have known for some time? Well, unlike TACS (Total Access Communication System) analogue services – which were phased out in the early part of this century – GSM uses encryption to protect the integrity of the data transmissions, which can be either voice calls (in a packet data format) or a data stream carrying anything from email and picture messages to a VoIP transmission or a Web-surfing session. The modulation used in GSM is GMSK (Gaussian Minimum-Shift Keying), a continuous-phase form of frequency-shift keying in which the data signal is smoothed by a Gaussian low-pass filter before being fed to the frequency modulator that places it on the carrier.
The frequency modulator helps ensure that co-channel interference issues do not affect the integrity of the data transmission between the mobile and the GSM basestation. Although GSM – also known as PCS in the US and the Far East – operates on many different frequencies, including 800, 900, 1800 and 1900 MHz, the standard mandates the use of timeslots for individual phones. Under the basic GSM standard, this allows eight full-rate – or 16 half-rate – speech channels per radio frequency. These eight radio timeslots – or burst periods – are grouped into a TDMA (time division multiple access) frame, with half-rate channels using alternate frames in the same timeslot. The channel data rate for all eight channels is 270.8 kbps, and the frame duration is 4.62 ms.
So far, so good. But as with all cellular services, the only means by which a mobile can authenticate itself to the network is over the air interface. This is achieved through a combination of the IMSI (International Mobile Subscriber Identity), the unique electronic serial number of the SIM card inserted into the phone, and the IMEI (International Mobile Equipment Identity), which is the mobile's own unique serial number.
Both these serial numbers are encrypted using A5/1 encryption and presented to the cellular network at the start of each outgoing call – and, just to make life difficult for eavesdroppers, the IMSI is normally only transmitted to the network when the handset is switched on. At this point, the network randomly assigns a TMSI (Temporary Mobile Subscriber Identity) number to the mobile, allowing it to be identified by the network at all stages within its current power cycle.
The network also randomly or periodically assigns a new TMSI to the mobile, meaning that only the network 'knows' which IMSI the current TMSI belongs to. This makes the task of 'tumbling' – the cracker term for sniffing mobile serial numbers from radio data channels – all the more difficult, as it is only when the handset is switched on, or when the network randomly or periodically assigns a new TMSI, that the IMSI is sent by the mobile to the network. That is unless, of course, the eavesdropper has full control of the voice-based – and other GSM – data streaming from the phone to their own rogue basestation.
The obvious solution to this subversion of GSM technology is to force a smartphone to favour 3G network topologies over GSM, but, says Bloor Research's Stanley, this strategy is countered by simply operating a 3G radio frequency jammer, which can be obtained via online auction sites for a few hundred pounds.
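To make the camping rule concrete (the handset locks on to the strongest cell advertising its home network, so a matching MCC/MNC on the beacon proves nothing about who runs the cell), here is an added Python example that is not from the article or from Stanley's test rig. The IMSI, signal levels and the operator's cell inventory are constructed, and a two-digit MNC is assumed, as for the UK codes quoted above.

```python
# Added example: models GSM cell selection as the article describes it and a
# defender-side check. All cell data, the IMSI and the inventory are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Beacon codes quoted in the article; both UK networks use two-digit MNCs.
PLMN_NAMES = {("234", "15"): "Vodafone UK", ("234", "34"): "Orange UK"}

@dataclass
class Cell:
    mcc: str
    mnc: str
    lac: int      # location area code broadcast by the cell
    cid: int      # cell identity broadcast by the cell
    rx_dbm: int   # received signal level at the handset (higher is stronger)

def home_plmn(imsi: str, mnc_digits: int = 2) -> Tuple[str, str]:
    """Split a 15-digit IMSI into (MCC, MNC); MNC length is assumed, it varies by country."""
    if not imsi.isdigit() or len(imsi) != 15:
        raise ValueError("IMSI must be 15 decimal digits")
    return imsi[:3], imsi[3:3 + mnc_digits]

def camp(imsi: str, cells: List[Cell]) -> Optional[Cell]:
    """Strongest cell whose broadcast PLMN matches the SIM's home PLMN, else None."""
    mcc, mnc = home_plmn(imsi)
    candidates = [c for c in cells if (c.mcc, c.mnc) == (mcc, mnc)]
    return max(candidates, key=lambda c: c.rx_dbm, default=None)

def is_known_cell(cell: Cell, inventory: Set[Tuple[int, int]]) -> bool:
    """Defender check: right PLMN but a LAC/CID pair absent from the operator's
    inventory deserves investigation. The inventory itself is an assumption."""
    return (cell.lac, cell.cid) in inventory

# Constructed scenario: two genuine Vodafone UK cells plus a stronger unknown cell
# broadcasting the same MCC/MNC, as in the article's pico-cell test.
KNOWN_VODAFONE_CELLS = {(1001, 40001), (1001, 40002)}
OBSERVED = [
    Cell("234", "15", 1001, 40001, -85),
    Cell("234", "15", 1001, 40002, -91),
    Cell("234", "34", 2002, 50001, -70),  # Orange: wrong PLMN for a Vodafone SIM
    Cell("234", "15", 9999, 1, -60),      # strongest, PLMN matches, not in inventory
]
CONSTRUCTED_IMSI = "234150000000001"

def audit(imsi: str = CONSTRUCTED_IMSI, cells: List[Cell] = OBSERVED) -> Dict[str, object]:
    """Which cell the handset would camp on, and whether the operator recognises it."""
    chosen = camp(imsi, cells)
    if chosen is None:
        return {"chosen": None, "known": False}
    return {"chosen": (chosen.lac, chosen.cid),
            "known": is_known_cell(chosen, KNOWN_VODAFONE_CELLS)}

if __name__ == "__main__":
    print(audit())
```

The strongest matching-PLMN cell wins even though it is absent from the inventory, which is exactly the gap the article describes; forcing 3G, as the next paragraph notes, only helps until the 3G band is jammed.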
The terrorist perspective
Whilst GSM smartphone subversion can be used for espionage purposes, Stanley argues that there is considerable evidence that terrorist groups such as al-Qaeda are using this technology to gain intelligence from law enforcement officials and agencies working in sensitive countries such as Afghanistan and Iraq. Websites such as Jihadica.com, Stanley says, highlight the fact that there is now a section of al-Qaeda that focuses on using mobile phone technology for the purposes of intelligence gathering and, of course, promulgating the cause's message to the young and impressionable.
Jihadica, Stanley believes, is now using mobile phone technology to broadcast digital media messages of subversion to potential new recruits. Where previously 'digital jihadists' would have used the multimedia features of the Web to get their message across, there is evidence that they are now using the Bluetooth personal area network system to broadcast on a localised pocket-to-pocket basis.
Nico Prucha, a Vienna-based research colleague of Stanley's who is undertaking doctoral research into Jihadica.com's use of digital technology to recruit new members and continue its illegal activities, points out that young people in Afghanistan, Iran and Pakistan are subject to very strict controls when it comes to meeting and liaising with members of the opposite sex.
Discoverable by Bluetooth
To circumvent these rules, many young people leave their smartphone's Bluetooth fully discoverable in the hope of receiving messages from admirers.
And this, says Prucha, is where al-Qaeda enters the frame, using high-power Bluetooth transmitters – which can reach many hundreds of feet – to 'broadcast' Jihadist multimedia messages to young phone users. Coupled with digital propaganda, Prucha says that these non-surveilled viral propaganda (NSVP) narrowcasts operate off the grid as far as law enforcement and intelligence agencies are concerned, as they are purely Bluetooth-to-Bluetooth in nature. According to Prucha, who works with the Austrian Institute for International Affairs, and as mentioned earlier, al-Qaeda's mobile detachment is known as the Fariq Jawwal Al-Ansar, or FJA.
Interestingly, Prucha suggests that without technologies such as the Internet and smartphones al-Qaeda could well have withered away some time ago. In pre-Internet times, he explains, al-Qaeda used videotape magazines to disseminate its messages and, if you copy a tape ten times, the quality gets unacceptably bad. With digital media, he argues, no matter how many times you copy it, the content remains of the same quality.
And because Bluetooth-enabled digital media transmissions are broadcast in what Prucha calls a favourable (to al-Qaeda) environment, there is usually no problem in discussing the existence of the NSVP media transmissions between like-minded individuals.
The professional approach that militant groups are taking has reached the stage where the brigades of al-Qaeda and its affiliates now have their own screen logo – similar to a satellite TV ident – to certify the authenticity of their material.