Last week in Norway, hell broke loose. Aftenposten, one of the major newspapers here, published a story claiming that Oslo had been set up as a spy hub, with the cellular networks replaced by a hostile third party: someone is spying in Norway, and both the Parliament and our Prime Minister are being spied on. Aftenposten published numbers that, in their own words, were extremely suspicious. So suspicious, in fact, that they alerted the government, the police and the public at the same time. Hell broke loose, with everyone believing that the numbers were as dramatic as claimed.
Let us step back for a minute to understand what happened. Aftenposten, together with a so-called secure cell-phone maker, drove around Oslo for a few weeks collecting data from the cell-phone towers. Out of some 50 000 (fifty thousand) records of cell-phone connection data, some 1200 were considered suspicious. That is 1200 of 50 000, or roughly 2.4% of the total data, flagged by the device as suspicious. That may sound alarming, and we may even consider that number statistically significant, until we look at what kinds of events the device flags as suspicious:
- Switching between cell towers
- Change in cell tower power received by the device
- Moving between the bands (2G, 3G, 4G etc.)
- Reflection of signals (as caused by bridges, tunnels, buildings etc)
- Disturbance of signals (as caused by bridges, tunnels, buildings etc)
- Signal abnormalities of any sort (tower down, tower having problems, general technical problems etc.)
It does not take much insight to realize that any of the sources above can create weak signals and signal drops, events the device considers suspicious, frequently and possibly without leaving any trace. To remove such false positives, the 1200 events initially flagged were filtered down to 122 highly suspicious, or critical, events, according to the news. So out of the 50 000 records, a mere 122 events are found to be critical. That is 0.244% according to my math. Here is my problem: 0.244% is not a statistically significant number. It's not even alarming. It is just a small number that can easily be explained by any of a number of possible causes, of which the use of IMSI-catchers is one, and a highly unlikely one at that. There are a number of ways to explain such a number just by looking at the cellular technology itself:
- Cell phones use radio waves. Radio waves fluctuate; they are dynamic in nature. They move, they change and they bounce off things.
- Cell phone networks are computer networks. Computer networks are full of systematic errors, some of which we never even find. A broken switch, an earthing fault, a software glitch: there are so many possible sources of network errors. Tell me: in your networks, would 0.244% of events be considered significant? Most likely not. You might consider looking into it, but there is no way you consider your network to be 100% free of errors.
- Some companies and offices use repeaters to improve their cell-phone coverage. These devices would trigger an event on the phone(s) used in the assessment.
- Other devices, both rogue and legal, may have interfered with the cell-phone signals.
- They could be devices owned and operated by the police, the e-services and other legal Norwegian entities.
- You are driving around in a city. When was the last time you did not have some occasional problems with connectivity?
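As an added illustration, not part of the original post and not the method used by the newspaper or the phone maker, the following Python script shows the kind of triage one would want before calling an event critical: every flagged record in a constructed drive-around trace is matched against the benign explanations listed above (handover, band change, received-power swing, known repeater, tower fault), and only the residue is left as unexplained. The record fields, the 15 dB threshold and the known-repeater list are assumptions; the only real figures are the post's own 1200 and 122 out of 50 000, used at the end to reproduce the 2.4% and 0.244%.

```python
from collections import Counter

# Constructed placeholder: cell IDs of repeaters the surveyors already know about.
KNOWN_REPEATER_CELLS = {"repeater-office-7"}

# Assumed threshold: a swing of this many dB between consecutive readings
# is treated as ordinary reflection/disturbance rather than an anomaly.
POWER_SWING_DB = 15

# Constructed trace (not real data). Field names are assumptions about what a
# survey device might log; "flagged" is the device's own verdict on the record.
SAMPLE_RECORDS = [
    {"cell_id": "A1", "band": "4g", "rssi_dbm": -70, "flagged": False},
    {"cell_id": "A2", "band": "4g", "rssi_dbm": -72, "flagged": True},   # handover between towers
    {"cell_id": "A2", "band": "3g", "rssi_dbm": -80, "flagged": True},   # 4G -> 3G in a tunnel
    {"cell_id": "A2", "band": "3g", "rssi_dbm": -98, "flagged": True},   # power drop under a bridge
    {"cell_id": "repeater-office-7", "band": "3g", "rssi_dbm": -60, "flagged": True},  # office repeater
    {"cell_id": "A3", "band": "4g", "rssi_dbm": -65, "flagged": True, "tower_fault": True},
    {"cell_id": "A3", "band": "4g", "rssi_dbm": -66, "flagged": False},
    {"cell_id": "A3", "band": "4g", "rssi_dbm": -67, "flagged": True},   # nothing benign fits: residue
]


def classify(prev, cur, known_repeaters=KNOWN_REPEATER_CELLS):
    """Return the benign explanation for a flagged record, or None if none applies.

    The checks mirror the post's list: known repeaters, tower faults,
    band changes, handovers between towers, and received-power swings.
    """
    if cur["cell_id"] in known_repeaters:
        return "known_repeater"
    if cur.get("tower_fault"):
        return "tower_fault"
    if prev is None:
        return None  # first record: nothing to compare against yet
    if cur["band"] != prev["band"]:
        return "band_change"
    if cur["cell_id"] != prev["cell_id"]:
        return "handover"
    if abs(cur["rssi_dbm"] - prev["rssi_dbm"]) >= POWER_SWING_DB:
        return "power_fluctuation"
    return None


def triage(records):
    """Walk the trace in order and split flagged records into explained and unexplained."""
    explained = Counter()
    unexplained = []
    prev = None
    for rec in records:
        if rec["flagged"]:
            reason = classify(prev, rec)
            if reason is None:
                unexplained.append(rec)
            else:
                explained[reason] += 1
        prev = rec
    return explained, unexplained


def percent(part, total):
    """Share of total as a percentage (multiply first so the post's figures come out exact)."""
    return 100 * part / total


def summarize(records):
    """Headline numbers a reader would want: how much was flagged, how much is left over."""
    explained, unexplained = triage(records)
    flagged = sum(explained.values()) + len(unexplained)
    return {
        "total": len(records),
        "flagged": flagged,
        "flagged_pct": percent(flagged, len(records)),
        "explained": dict(explained),
        "unexplained": len(unexplained),
        "unexplained_pct": percent(len(unexplained), len(records)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    # The post's own headline figures: 1200 flagged and 122 critical out of 50 000 records.
    print(percent(1200, 50_000), percent(122, 50_000))
```

The point of the script is the ordering: a flagged record is only promoted to "unexplained" after every benign cause on the list has been ruled out, and the final percentage is reported against the whole trace, which is exactly the 122-of-50 000 comparison the post makes.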
In my understanding of technology (and mind you, I am not an expert on mobile and cell-phone technology, I am just good at spotting the elephant in the room), a 0.244% anomaly rate is not really a big issue. Unless, of course, someone really is out there trying to interfere and listen in on my phone calls. So let us consider the IMSI-catcher technology too. An IMSI-catcher is designed to get the IMSI number off your SIM card, and the IMSI number is a unique identifier that may be used to identify the owner of that card (this is not automatic, as the IMSI number does not by itself reveal the phone number). With that number, you are able to listen in on voice calls where that SIM card is being used. Unless you are just picking random numbers to listen in on, identifying the right person to wiretap may be a challenge. Of course, if you hack into the databases of each of the telcos here, you can just look it up yourself. But if you hack your way into the telcos, why not just do the wiretap directly, and get access to SMS, data and location as well? Or why not just create a secure communication app, have people register to use it, and then listen in on everything they do? Or why not do what Huawei did when they successfully replaced the backbone of the two major telcos in Norway a few years ago? If you want to own me, own my network core!
From my perspective, this whole story is another example of cheap FUD: Fear, Uncertainty and Doubt. The newspaper Aftenposten is playing the kid who cries «Wolf! Wolf!», and everybody runs to the field to save the sheep and hunt the wolf. Only, there is no wolf. In the story, the kid got away with it a few times before people started to ignore his calls. One day the wolf came and took the sheep, and no-one came to the rescue because no-one trusted the kid's cries any longer. The same may become the issue here: what if there are no IMSI-catchers, and there is no foreign entity spying on our parliament and the embassies and hotels and what not? All there is so far is speculation without clear analysis, no proof, a lot of crying, and the usual panic of pretending to do something while we have no clue what is really going on or what we should really be doing. Let's get back to the news stories:
As of December 17th:
- No IMSI-catchers or other devices have been found
- A number of the critical anomalies reported are being dismissed
- Investigations are in place to find the IMSI-catchers the paper claims are there
- The blame game is going around the table («We did not know», «This is not our domain», «This is someone else's responsibility»)
I may be too quick to dismiss this event as nothing but a trick to sell papers. Perhaps the journalists and the editor printed the story out of good will. Perhaps some nation, a group of criminals or someone else does have a network of IMSI-catchers in Oslo. I would still like them, and their readers, to ask the question
«Who is benefiting from this story?»
The answer is pretty clear: the paper, the secure cell-phone maker, the FUDers out there, and very few others.
I would also love to have the paper consider its responsibilities towards society: perhaps it would have been better for all if the police and the e-services had been informed and allowed to investigate the issues before the story went public? Or was it more important to sell papers and create havoc?
—Disclaimer: technology is being used to spy on us on all fronts, and the possibility that rogue cell towers are being used is real. —