Researchers Find Powerful Cellphone Location Surveillance in Europe, Middle East, Australia

Security researchers have found evidence that multiple governments in Europe, the Middle East, Africa, Asia, and Australia, may have purchased a technology that remotely allows them to track the location of phones and intercept communications potentially beyond their own borders. 

Citizen Lab, a digital rights watchdog at the Munk School of Global Affairs at the University of Toronto, published a new report on Tuesday claiming that it found technical evidence of deployments of the phone spying technology from a company called Circles in 25 countries. Circles merged with controversial government malware vendor NSO in 2014 and sells the ability to track phones via the SS7 phone network. The SS7 network and related protocol is used for roaming, but has security holes that allow it to be exploited by both surveillance firms and financially-motivated criminals.

Motherboard has not independently confirmed that countries listed by Citizen Lab are indeed customers of Circles, but the evidence presented in the report indicates deployments connected to the various countries. The news highlights the seemingly widespread adoption of SS7 surveillance technology, which relies on fundamental flaws in the SS7 network used by telecom providers around the world that have remained a cybersecurity issue for decades. The Citizen Lab report also shows that some countries with a history of using surveillance technology against human rights defenders may be purchasing SS7 technology.

"You can track any phone number from any country and anywhere in the world," said a source with direct knowledge of Circles' technology. The source was speaking generally about SS7, and not about the capabilities of any specific Circles' customer. Motherboard granted the source anonymity as they weren't authorized to speak to the press about Circles issues because of non-disclosure agreements.

According to the Citizen Lab investigation, the researchers suspect Circles' customers include European governments such as Belgium and Denmark. Notably, one of the suspected customers includes a member of the Five Eyes intelligence partnership: Australia. 

In Africa, Citizen Lab pointed to Botswana, Zimbabwe, and Kenya. In South America, potential clients include El Salvador, Chile, and Honduras.

"Many of the government clients described above who appear to have acquired and/or deployed Circles technology have a dismal record of abuses of human rights and technical surveillance capabilities," Citizen lab wrote in its report. "Many lack public transparency and accountability, and have minimal or no independent oversight over the activities of their security agencies."

Most of the governments named in the report did not respond to requests for comment sent through law enforcement and intelligence agencies or embassies. The Estonian Foreign Intelligence Agency declined to comment on its capabilities, the Australian Federal Police declined to comment, and the Danish Army said it would not be able to provide a response in time for the publication of Citizen Lab's report. The Malaysian embassy in Washington D.C. declined to comment "without prior approval from [the] capital."

Citizen Lab says it identified the suspected customers by first querying computer search engine Shodan and examining a series of IP addresses owned by Circles. These results mentioned a firewall from cybersecurity firm Check Point, and contained a domain related to Circles. Citizen Lab says it then searched other datasets for appearances of that domain. Citizen Lab then identified other apparent Circles installations, which in some cases included terms such as "client-circles-thailand," or other firewall tools that mentioned the name of car brands, such as "Mercedes" for a firewall in Mexico, "Aston" in Abu Dhabi, and "Dutton" in Dubai. 

Months ago a former NSO employee provided Motherboard with a list of NSO customers, some of which include vehicle brands as customer codenames. In August Haaretz published vehicle code names associated with a number of NSO clients.

In some cases, Citizen Lab believes it may have identified the particular agency involved in the deployment of Circles. In one case, a Check Point firewall identified the client as the "Chile PDI," the country's main law enforcement agency, according to the report. In another, WHOIS data included a phone number that is linked to the Danish Army, the report says. 

In an email, Check Point’s head of public relations Ekram Ahmed said that “Circles is NOT a customer or partner of Check Point. Furthermore, I’d like to emphasize that any identifiable data that is shown on any web service is configured by the network administrator who owns it, and not by Check Point. Thus, we cannot confirm the linkage made by the name shown on Shodan and the entity in question.”

“We typically never comment on who is or is not a customer of Check Point. However, we made an exception this time to underscore that we are not affiliated with these kinds of companies,” Ahmed added. Sometimes end users or other companies obtain cybersecurity tools through other parties.

The underlying issue with the SS7 network is that it does not verify who sent a request across it. This means that other parties that gain access to the network, such as a surveillance vendor like Circles or criminals, can potentially find the location of phones or reroute text messages like anyone else. Multiple companies do offer defenses against such attacks, but SS7 remains generally vulnerable to exploitation.

The source familiar with Circles explained that the company provides customers with the ability to track cellphones via SS7 in their local territory, and—for an extra price—also phones in other countries. Usually customers purchase the more expensive option to be able to track people across borders, the source said. 

A former NSO employee previously told Motherboard that the marriage between NSO's and Circle's products had issues. 

"Our tactical solution never really worked […] due to awful integration with Circles," the former employee said. Motherboard granted them anonymity as they feared retaliation from the company for speaking to a journalist. "The idea was that the sum will be greater than its parts. That they will increase the attack vector, but in reality there were few successes in integration. They exaggerated in their system abilities," the source said. But they said Circles' geolocation system in Mexico worked "very well."

Motherboard shared the list of suspected Circles customers and Citizen Lab's methodology used to collect them with NSO so the company could provide a more informed statement.

"As we have previously stated, Circles is involved in search and rescue and tactical geolocation technology. We cannot comment on a report we have not seen. Given CitizenLab’s track record, we imagine this will once again be based on inaccurate assumptions and without a full command of the facts. As ever, we find ourselves being asked to comment on an unpublished report from an organization with a predetermined agenda," an NSO spokesperson told Motherboard in an email. NSO's mention of CitizenLab's track record refers to the fact that Citizen Lab has repeatedly published evidence of NSO's work with authoritarian regimes.

"NSO and Circles are separate companies within the same corporate family, both of which lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate," the statement added.

NSO and Circles are not entirely separate, however. In August Motherboard reported that NSO had closed the Cyprus office of Circles and fired multiple employees who worked there. In a statement at the time, NSO said “In order to ensure that we are operating as efficiently as possible, we have recently restructured the development of one of our tactical search and rescue products, and shifted resources to other existing group locations. These changes will further our mission to prevent terrorism and serious crime.”

Subscribe to our pop-up 'zine The Mail.