PST ignored obvious findings, according to a new analysis by the British security company Delma.
None of the experts Aftenposten contacted support the Police Security Service, which rejected information that fake base stations (IMSI catchers) were active in Norway’s capital before Christmas last year.
For the first time, you may now read in detail what happened in the mobile network when prime minister Erna Solberg most probably was exposed to mobile surveillance. In their new analysis, the security firm Delma opens the door into the 42000 single measurements that were made in Oslo last December.
Aftenposten invited some of the leading experts in Norway, Denmark and Germany to evaluate the report and the basic data.
They are sure about their conclusions:
Petar Popovski Expert on wireless communication at the University of Aalborg, Denmark
— The deviations uncovered are strong symptoms that fake base stations interfere with the normal operations of the mobile networks.
Stig F. Mjølsnes Norwegian Technical University NTNU
— It is a typical tactics for an IMSI-catcher to name an area code which is different from the authorized base stations in the same area. According to Aftenposten’s measurements in December, several such incidents are registered.
Jan Arild Audestad Professor at the Høgskolen in Gjøvik
— There are informations in this material which make me suspect that some of the base stations are fake, in other words IMSI-catchers.
The British: The basic material is incontestable
After the Norwegian Police Security Service rejected the conclusions of Aftenposten’s research, Delma chose to lift the veil. Commissioned by this newspaper, the company recently finished a report according to the same standards as expert analyses in court cases. It includes 90 pages of data, analyses, maps and figures.
«The measurements showed that mobile surveillance is taking place in the city of Oslo», they say.
In certain areas they even go further than last December:
«This report contains evidence that monitoring took place, and the factual basis is incontestable», according to the security experts, who worked for the UN and several Western security- and intelligence services. They also assisted British police in a number of criminal cases.
Says PST ignored important traces
Before Easter PST-director Benedicte Bjørnland said alle the findings had «natural explanations»:— Our conclusion is that no indications on the use of fake base stations or IMSI-catchers have been found in the material Aftenposten based its articles on, and the measurements Aftenposten made in cooperation with several security firms, she said.
Delma thinks the PST ignored the most important traces, and notes that they did not comment on the most interesting findings in the data material:
- In five places the measurements are so serious, that there exists a high probability that fake base stations were active, according to the British company.
- In 27 cases flaws were uncovered in the mobile network, making it easier to conduct surveillance without being detected. These are incidents which might also have been caused by IMSI-catchers.
Criticizes the PST’s method
The Norwegian Police Security Service rejected the results, claiming that the measurements were made in motion and during a too brief period of time. They said the security experts and Aftenposten lacked knowledge about «the normal picture» and «essential, but non-public» information from the telephone companies. This allegedly led to a misinterpretation of the signals.
«The persons who made these statements do not understand the challenges facing the security- miltary- and intelligence organisastions on a daily basis», according to the Delma experts.
They say many of the measurements were static, and the counterintelligence equipment is taking into account movement as well as signal strength. They say the company is surveying the mobile network on 2G and 3G continuously, in order to get an impression of the normal picture. Furthermore, they think it is essential to make such surveys independently, without involving the phone companies.
Odd Helge Rosberg, director of technology with Rosberg System, has a clear assessment: — I am unable to understand the PST’s conclusions, and I think the data give a solid basis to conclude that the IMSI-catchers most probably were active in the centre of Oslo.
Parkveien and Lysaker
In two points, in Parkveien and Lysaker, Delma adjusts its conclusions from December, because they have made additional reference measurements in the mobile network.
The deviatons in signals on certain locations in Oslo are so strong, especially in Netcom’s network, that Delma found it necessarry to raise the limit for deviations resulting in alarms.
At the same time, the British experts note that this fact makes it much more difficult to discover several forms of surveillance which often make little impact in the mobile net.
Four traces indicating mobile surveillance
There were four important traces that indicate mobile surveilance in Aftenposten’s research before Christmas. The PST did only comment on one of them.
1. Major signals-variation
The signal strength from a base station will always vary when you move about. Your mobile phone will continuously calculate the reselection values, based on the strength of signals to the base station, before it links up with the strongest one.
Fake base stations will manipulate both the signal strength and the reselection values in order to attract mobile phones. The PST said the variations were «fully normal», and that the security companies had «misinterpreted» the signals in the Oslo network.
Here is what the measurements showed:
1,2 percent of the base stations showed powerful variations in the strength of signals and the reselection values, even when the mobile phones were hardly moving. In the street outside the government offices, for example, the reselection value from an unknown base station rose from 43 to 83 within six metres. This is supposed never to happen. Big impact was also registered near the embassy offices in Drammensveien, the parliament building Stortinget and the commercial area Aker brygge.
2. Base stations change area code
When the mobile phone moves into a new section of the mobile network, the base stations will send out a new area code. This implies that your phone must surrender ID-data.
Mobile surveillance systems often transmit fake area codes in order to lure the phone into giving up information.
The measurements showed:
8 of the 676 base stations we surveyed changed area code within a few meters’ space, and without changing radio channel. Location: Stortinget, Fornebu, Nydalen and Skøyen. This is not supposed to happen normally in a mobile network.
The PST did not comment on these findings.
3. Two base stations in the same radio channel
The signals to and from your cell phone transmit via a radio channel. In order to avoid major disturbances in the network, the base stations in a specific area shall always transmit in different channels. IMSI-catchers will frequently «hijack» the channels of other base stations in order to be able to transmit signals.
The measurements showed:
22 of the 676 base stations surveyed popped up in a radio channel already in use, with less than a 30 meter distance between the measuring points. Location: Aker brygge, Barcode, Government offices, Skøyen and Stortinget. The telecom companies say there were no technical flaws in these areas. The PST did not comment on these findings.
4. Basestation change networks
The base stations operate in separate networks and in their own channelse. A base station is never supposed to change networks, and never use the network of another phone company. Some types of surveillace equipment lures the cell phones to change networks, in order to drain data from the phone.
The measurements showed:
At the Barcode, one base station from Telenor’s network changed to another belonging to Network Norway. This is not supposed to happen, especially because this single base station was operating on another frequency in the mobile network. The PST did not comment on these findings.
THE ORIGINAL STORY:
Experts on the mobile data
Professor at the institutte for telematics at the NTNU.
— Strong indication there were IMSI-catchers
— Typical tactics for an IMSI-catcher is to provide an area code (LAC) which is different from the authorized base stations nearby. Aftenposten’s measurements last December registered several such incidents, where the same base station identity and the same radio channel as before now transmit a new location code. This is a strong indication that an IMSI-catcher is active, «drowning» an authorized base station and causing a reselection to the IMSI-catcher by cellphones in the area. A normal mobile network should not be able to cause such incidents.
About the PST:
Mjølsnes is critical to their conclusion.
— We concentrated on five «high» alarms in our own analysis of the measured data. All these alarms can be best explained as unauthorized activity in the networks.
Some alarms could have been caused by poor radio planning. Missing more detailed technical description of the counterintelligence equipment.
Professor at the institute for electronic systems at the University of Aalborg.
— Violates basic rules
— The analysis is solid, and definitively gives good basis for the hypothesis about surveillance by means of fake base stations. The deviations found are strong symptoms of how fake base stations break into normal operations in the mobile networks: Strong C2-values, alterations in LAC, deviation in lists of neighbours and similar. The hypothesis can only be proved with active contriubutions from the mobile companies. The reason is that the deviations found in the expert examination potentially can be explained by actions performed by the mobile companies themselves, for instance in correcting a faulty configuration.
— No matter what the final truth is, the authorities must demand an answer from the mobile operators. If this is not surveillance by means of fake base stations, the companies must explain the deviations to the authorities, because they violate the basic rules of operation.
Most important objection:
Wants more data from the mobile phone companies.
Jan Arild Audestad
Professor (ret.) at the Høgskolen i Gjøvik. Former technology-advisor to the management of Telenor.
— Suspects fake cells
— There are informations in this material, which makes me suspect that some of the cells that were monitored are fake, that is IMSI-catchers. That these exist and are in active operation in Norway, is absolutely possible. The equipment is easily accessible, and if wisely used, it may be highly efficient in catching only the interesting cell phones. Audestad considers the material «highly interesting».
— What makes me suspicious, is the fact that an inexplicable reselection is going on, and that users are refused access to certain cells.
About the PST:
— I found it strange that the PST did not show particular interest in IMSI-catchers. We all know they exist and are being used.
— I don’t know how much information the PST has received from the mobile companies, says Audestad. He insists that he is not familiar with details about the structure of the GSM/3G network in Oslo.
Professor at the institute for informatics at the University of Oslo and the University centre at Kjeller.
— Clear documentation
— The findings presented by Aftenposten are a clear documentation on the existence of cases that cannot be explained by way of normal net operations. I think it is highly probable that this can be caused by abnormal network operations from for instance fake base stations or similar equipment.
About the PST:
— The PST analysis is based on simple and obvious parameters. For instance they did not consider the protocols between the cell phones and base stations. The reports from the security companies are far more detailed and thorough, says Noll, who has also assisted the PST as a witness during the investigation.
Professor Josef Noll has been in for questioning with the PST. He says he can see nothing which indicate that the data should be invalid or manipulated.
— My understanding is that the PST only possessed a minimum of information. It seems that it is more important for them to calm the public than to go into the details. We don’t know the counterintelligence equipment in detail, but I can see nothing invalid in these data. There is always a chance that equipment may fail, but I would be surprised if all the indications were caused by flawed measurements.
Points to the fact that the British emphasize heavily the incidents where parameters in the protocols are being altered, for instance cell-ID and codes for the location area.
Odd Helge Rosberg
Director of technology with Rosberg Systems, which last year won the European Cyber Security & Privacy Innovation Awards for best innovation from the EU-project IPACSO.
— Highly probable
Rosberg has examined the data and the expert report, and compared it all with the PST’s status report.
— It is particularly interesting that the PST seems to focus exclusively on reselection values, which is only part of the picture. These alone will normally not be sufficient to detect IMSI-catchers. They must be compared to other data, for instance LAC-values, cell numbers and the transmission of «service denied»-signals, just to mention a few things. Only by considering the sequel of events and compare it to the data collected, I find it highly probable that the illegal use of IMSI-catchers has taken place.
About the PST:
— I am puzzled by their conclusions, and think the basic data give a good reason to conclude that IMSI-catchers most probably were active in the centre of Oslo.
Wish there were longer, cohesive measurements and several types of data.
ANOTHER STORY ABOUT MOBILE SECURITY:
PST: System fault or manipulated values
The PST say that they, on a general basis, are sceptical to the competence of the security company Delma, which made the measurements on Aftenposten’s behalf.
— PST’s investigations have not uncovered any IMSI-catchers in the material, says police attorney Signe Aalling.- On a general basis, we are critical to the competence of the firm, which has undertaken the measurements and written the report, in detecting IMSI-catchers. We wish to underline that the contents in previous reports that we received is based on inadequate information, on misinterpretations of their own measurements and the lack of competence in this field in general, says the police attorney.
— Moreover, measurements made by this company were only undertaken in the 2G-network. In the Oslo-area, most communication takes place in the 3G and 4G networks. This was explained in PST’s status update in the press conference on March 26 this year, she adds.
The PST have been investigating the case since December last year, but do not wish to answer Aftenposten’s questions about the finings the British experts point to in the new report.
- Invalid values
They think the data measured right outside of the prime minister’s offices in Oslo last December are «invalid».— The alleged finding from Myntgata on December 22, 2014 is known to us. We have made comprehensive investigations about it, and we have reached the conclusion that this so called finding contains invalid values for C1 and C2. This means that there are figures included in the material which will not appear in a real case where IMSI-catchers have been activated, says Aaling.
— There may be two reasons for this. The numeric values may have appeared as the consequece of a system error, or the values have been manipulated. In addition we observe that the alleged IMSI-catcher broadcasts in a channel (frequency) which does not exist in the neighbours list for the cell the measuring equipment was connected to (serving cell). In addition to all this, we would like to note that measurements were made during the investigation, in the same area, and at the same time, without any abnormal activity being detected, says Aaling.
The PST is not commenting on the cell or the area code, which experts find to be false.
Delma: - Not surprised by the conclusion
— It is not surprising that the PST conclude the way they do, states Gordon McKay, managing director of the security company Delma.
— The emergence of values which are not valid, is right at the heart of what we are looking for in counter intelligence. So at this point, we are happy that the PST agree with us. We don’t find the values to be normal either, says the Scotsman.
The PST asserts the data consider «invalid values for C1 and C2». Aftenposten has reason to believe that this refers to the values being odd, not even numbers.
— That is pure nonsense. The PST should, as we do, treat these data as abnormal and continue the investigation. This is the sober, scientific conclusion. It is not something they can discredit, just because it does not suit them.
This is how McKay responds to the PST’s alleged refutation that the channel in Myntgata does not exist in the list of neighbours.
— Of course it transmits in a channel which is not listed. It’s the last thing they would do, to use a channel which already exists or is valid for the network.