New official report acknowledges illegal mobile espionage in Norwegian capital
by Marie Baleo
To better understand this follow-up article, take a look at our original story, A Norwegian Watergate?
On 12 December 2014, after weeks of intensive research conducted by a team of journalists and technical experts, Norwegian newspaper Aftenposten exposed evidence of widespread espionage of Norwegian political and economic actors in central Oslo. IMSI catchers, fake base stations capable of tapping cell phones, were found likely to be present in various strategic areas of the capital. In the following months, Aftenposten produced over 130 compelling articles in support of its claim of mobile surveillance in Oslo. The Norwegian Police Security Service (Politiets Sikkerhetstjeneste, or PST) subsequently launched its own investigation, the results of which were unveiled at a press conference on 26 March 2015.
There, PST, seemingly bent on crushing Aftenposten’s reputation, discredited both the newspaper and the foreign experts it had employed, arguing that the collected data did not prove the use of IMSI catchers. Instead, the suspicious activity detected by the newspaper could arguably be explained by so-called natural causes and a lack of technical expertise on Aftenposten’s part.
For several weeks, the case seemed to lose momentum and recede into the background, while Aftenposten continued to work with Delma, a British security firm, which analyzed a second time over all of the 42,000 initial measurements.
On 23 June, Aftenposten presented a new report, based on Delma’s analysis, which confirmed that IMSI catchers were being used all over Oslo, from the Parliament to Prime Minister Erna Solberg’s office, to Aker Brygge and around Parkveien, home to many foreign embassies. Aftenposten had several domestic and foreign experts review PST’s earlier statements: all supported the newspaper’s worrisome analysis. Further, Delma’s report pointed out PST’s failure to address some of the most crucial indications of espionage and interesting findings in the material: in five locations, these findings were so serious that they indicated a high probability of fake base stations being used. Additionally, 27 occurrences of weaknesses in the network were found, which would facilitate secret mobile surveillance and may well be explained by the presence of IMSI catchers. Finally, Delma highlighted the importance of conducting such measurements independently from telecom companies, while PST’s collaboration with telecom providers was presented as its main advantage over Aftenposten, giving its findings more credibility and accuracy than those of the newspaper.
On the very next day, PST issued a press release, rehashing the old refrain: Aftenposten’s findings were based on incorrect interpretation of its measurements and insufficient technical expertise: “We find ourselves critical of the competence of the firm which carried out the measurements and reported to have uncovered IMSI catchers”. PST criticized, inter alia, the choice to conduct measurements on the 2G network, when most communications taking place in Oslo are doing so on 3G and 4G networks. In line, word for word, with the discourse used in March 2015, PST affirmed that the journalists lacked an image of the “normal picture” of the telecom landscape and of the usual ways in which networks operate, due to both its lack of expertise and its inability to access non-public information held by telecom providers.
To those technical criticisms, Gordon McKay, head of Delma, replied: “they mean we are incompetent and do not know what we are doing, (…) but at least we do agree that what was discovered in Oslo is not normal”. Public clients (security, intelligence and law enforcement agencies) routinely employ Delma, whose expertise was seemingly contested by PST, in matters related to hacking and surveillance, while McKay has worked for French giant Thales and Israel’s NICE Systems.
It is no wonder that the revelation by Aftenposten of a letter of apology sent by PST to Delma came as a surprise. “I apologize if you feel that the material Norwegian authorities published gave a negative impression of your company and the work you do”, Ole Jørgen Stensrud, head of the PST investigation, wrote Delma. What is the significance of this apology and how must it be interpreted? From the outside, it certainly seems as though PST is providing the Norwegian public and the political sphere with an official version in which Aftenposten, Delma, et al. are nothing less than incompetent conspiracy theorists, while PST secretly knows the opposite to be true. PST’s behavior regarding this case has been perplexing from the very beginning: just consider its apparent lack of initial interest following Aftenposten’s groundbreaking allegations, or its defensive behavior towards supporters of Aftenposten’s claims.
Oslo under surveillance
In late June, Aftenposten broke news of a new report issued by Norwegian authorities Nkom and NSM in association with several service providers (Telenor, Mobile Norway, TeliaSonera, and Tele2). This report, which has not been made public due to security concerns, shows that both mobile surveillance is occurring in Norway, and that Norwegian service providers are currently not suitably equipped to handle cases of suspected illegal mobile surveillance, with the current mobile networks consisting of “several generations of equipment and has inherent weaknesses which can be exploited for malicious acts”. According to the report, both legal and illegal fake base stations are currently in use in the country:
“In Norway, fake base stations and passive surveillance equipment are primarily used by three groups; our own government, foreign governments, and criminals.”
According to the report still, Norwegian authorities resort to IMSI catchers for counter-intelligence, security, and investigative purposes, while foreign powers would typically use these devices in order to monitor businesses and key individuals. Finally, criminals have an interest in using IMSI catchers and the like for terrorist or profit-motivated purposes.
This news caused an uproar in the political sphere. Hadia Tajik, Chair of the Parliament’s Standing Committee on Justice, told Aftenposten:
“That surveillance is taking place is not surprising. What is surprising is that providers and the National Communications Authority do not have the capability to uncover it. It would seem natural to expect that, in line with increased electronic capabilities and vulnerabilities, the ability and willingness to uncover the exploitation of these vulnerabilities should become a priority.”
Tajik also stressed that authorities must notify and report their own, legal use of fake base stations, as is required by law. PST has used IMSI catchers over 30 times in Oslo over the past three years, while Aftenposten has uncovered that the Oslo police use this type of device once a week on average, i.e., a lot more frequently than the police’s earlier assertion (“a few times a year at most”).
Increased funding for the detection and response to illegal mobile surveillance
Earlier this month, a working group, composed of PST, the National Security Authority (NSM), the National Police, and the National Communications Authority (NKom) and appointed by Justice Minister Anders Anundsen, released a “Report on Safety in Mobile Networks and Illegal Fake Base Stations” proposing increased funding for the detection of illegal mobile surveillance. This sudden request for additional funding to fight IMSI catchers which PST still maintains have never been present in Oslo might strike some observers as strange, and who could blame them? Perhaps the answer lies in this delightful statement at the heart of the report: “Regardless of whether illegal use of fake base stations has occurred in Norway, it is a fact that this type of activity exists”.
The working group advocated an increase in the monitoring capacity of the Nkom and the NSM, as well as the introduction of clear guidelines on how to handle suspicious cases of possible mobile surveillance, including the distribution of responsibilities between different agencies and regulatory bodies. The report concluded that the current lack of clarity in this regard may hinder the successful management of these sensitive situations. Anundsen announced that NKom has already initiated a collaborative effort to draw up these guidelines.
The National Security Authority, which is responsible for ensuring the security of government buildings and operations, admitted to its own weaknesses in the area: “NSM sees a need to reinforce and develop its own capacity in the measured areas, in order to reduce vulnerabilities related to classified information“. Further, Aftenposten revealed that the National Communications Authority (NKom) lacked the equipment required to detect mobile surveillance when the newspaper first published its story in December 2014. A new revised budget allocates funds to NKom in order for it to acquire this equipment. Finally, the working group estimated that large-scale monitoring of the mobile network would be inefficient in preventing illegal eavesdropping and disproportionately costly. Instead, it recommended focusing on strategic areas and performing random checks.
Hadia Tajik responded to this report: “It seems as if Anundsen has tried to cover reality here.” Regarding the sharing of duties between agencies, she added: “He (Anundsen) insisted the distribution of responsibility between the agencies was evident (…) The Minister of Justice is clearly responsible for NSM and PST knowing who should do what when cases of mobile surveillance arise.”
In spite of the report’s findings of illegal mobile surveillance in Norway, which reasonably warranted further consideration of Aftenposten’s claims, PST chose to close the case on July 2, as explained in a press release:
PST initiated an investigation on 14 December 2014 aimed at clarifying whether through fake base stations in the Oslo area, illegal intelligence activities have been going on for the benefit of a foreign state, which falls under the Criminal Code, § 91a. The investigation is completed and the conclusion of the work is that there is no evidence for the use of fake base stations or IMSI-catchers in the evidence collected in the course of the investigation. The case is to be dismissed as no criminal offense has been found (…). Nobody has been suspected in the case.
The investigation has included the collection, review and analysis of Aftenposten measurements, external security companies’ research and (PST’s) own measurements conducted at key locations in the Oslo area. (…) PST has made questioning of four witnesses. It has obtained an expert evaluation of the investigative material and the opinion of Simula Research Laboratory’s Centre for Resilient Networks and Applications.
Entitled “An investigation into the claims of IMSI catchers use in Oslo in late 2014”, the 21-page report authored by Simula Research Lab provides technical rebuttals to many of Aftenposten’s claims.
In its introduction, Simula’s report describes how the lab was tasked by PST to “give an expert opinion on whether the data collected by Aftenposten presents a compelling evidence of fake base stations use in Oslo last year”. Note that this differs from giving an expert opinion on whether fake base stations are in use in Oslo. Simula does not address the question of the existence and/or use of IMSI catchers in downtown Oslo. They do, however, object to Aftenposten’s findings; understanding these objections requires that we take a (simplified) look at the way networks function. The graph below shows four separate components: Mobile Stations (MS), Base Stations (BS), Base Station Controllers (BSC) and Mobile Switching Centers (MSC).
The Mobile Station (MS) is your cell phone. As you may know, your phone comes with a SIM (Subscriber Identification Module) car, as well as a 15-digit serial number, the IMEI (International Mobile Equipment Identity). These two numbers are associated with the IMSI, or “International Mobile Subscriber Identity”. Base Stations (BS) connect cell phones (mobile stations) to Mobile Switching Centers (MSC). Each Base Station is responsible for a given geographic area or “cell”, the size of which varies depending on, inter alia, the area’s population. The Base Station Controller (BSC) manages Base Stations and makes sure they play nicely with each other. Imagine you are walking while talking to your mother on the phone; if, by chance, you were to cross from one cell to another, it would be the Base Station Controller’s role to carry out what is called a handover, transferring your connection to another Base Station in order for your mother to continue lecturing you.
A mobile phone decides which base station to join by measuring the strength of the signals emitted by all base stations in the vicinity. This process is called cell selection. A mobile phone is constantly required to optimize its reception. If several of your provider’s Base Stations are available in the area you are currently in, your cell phone will automatically pick the Base Station with the strongest signal. Similarly, cell reselection is the process by which a phone identifies the best available base station when cellular connection is lost or unavailable. Cell selection and reselection are conducted by calculating cell selection parameters called “C1” and “C2” for each nearby base station.
An IMSI catcher functions by impersonating a Base Station. All cell phones with the same provider and located within the same radius will proceed to log into the fake Base Station, lured by the strength of the signal. A base station does not need to be authenticated in order for a phone to latch onto it; this is part of what made the emergence of IMSI catchers possible. However, 3G and 4G signals require Base Stations to be authenticated, while 2G signals do not. IMSI catchers circumvent this difficulty by blocking 3G and 4G signals in the area. By default, your phone is obliged to switch to 2G; it then detects the IMSI catcher’s strong signal. Your fate is sealed!
In its report, Simula dismisses claims of 25 separate occurrences of radio channel duplication (the use by different cells of the same radio channel in a short period of time) on account that “all cases in this category are consistent with expected network conditions. Operators confirmed in their correspondence with PST the fact that they reuse frequencies in the same area”. This allows Simula to state that this concern lacks basis and to move right on to the two detected cases of cell ID duplication.
Cell ID duplication occurs when a cell is present in two separate providers in the same geographic area. But not to worry, for “Telenor and Netcom have confirmed in their correspondence with PST that they have cells with [the same IDs] in the same area where Delma [expert firm hired by Aftenposten] conducted its measurements”.
Regarding unexpected variations in C1 and C2, the detected cases are dismissed based on the fact that the measuring equipment was moving, and explained instead by the way “the operators have parameterized their equipment”.
Abnormally short-lived cells, which appear and vanish within a suspiciously short time frame, are explained by “expected network conditions”.
Additionally, on LAC anomalies, the report cautiously concludes that it would rather not conclude: “it is therefore not advisable to conclude on these cases without a thorough investigation of the measurement equipment”, an investigation that was not in fact conducted.
Finally, regarding Delma’s report of “the presence of a cell and LAC that do not belong to Telenor (…) their equipment reportedly lost network connectivity and halted after picking the strange cell as a serving cell”, Simula again concludes that “it is not advisable to conclude on this case without a thorough investigation of the measurement equipment”.
Thus, Simula’s report blends technical rebuttals of Aftenposten’s arguments with prudent refusals to comment on certain matters, supported by clever semantics. There are several points on which Simula, a government-owned lab, is not able to disprove Aftenposten’s claims. Simula’s report came at a difficult time for Aftenposten, which had come under fire for what some viewed as sensationalism. Thus, some observers criticized the large step, taken perhaps too eagerly by the newspaper, between detecting the presence of a fake base station and actually producing evidence of conversations being monitored and spied on, i.e., espionage.
Trond Hugubakken, PST’s Head of Communications, told newspaper Dagbladet: “We have investigated this matter since 14 December last year. Now the case has been dismissed. The investigation has come to an end. In the end, there is no evidence of the use of fake base stations, such as Aftenposten concluded.” The Norwegian intelligence services supported PST’s claims, as Lieutenant General Kjell Grandhagen declared: “The intelligence service cannot find that the material presented by Aftenposten contains any proof that IMSI catchers or fake base stations are being used as Aftenposten has claimed”.
Multiple interrogations remain: if the official report disclosing the use of IMSI catchers is correct, who is conducting illegal mobile surveillance in central Oslo, and for what purposes? How long has this been going on? Why has PST shown what resembles bad faith in its initial dismissal of the case and its repeated attempts at publicly squandering Aftenposten’s reputation? And why has PST closed the case, even though the confirmation by the NKom/NSM report of the use of IMSI catchers in Oslo has made Aftenposten’s data and claims more relevant than ever? Similarly, the technical questions Simula’s report declined to address will have to be elucidated in order to assert whether the data collected by Aftenposten is indeed evidence of the alleged ongoing surveillance.
In the end, the entire case comes down to a game of semantics and logic: PST claimed Aftenposten was wrong, but never denied that illegal or legal mobile surveillance might be taking place. Regardless of PST’s ardent wishes and astounding taste for denial, the case is as open as ever – Aftenposten journalists have already announced the publication of new articles, coming this fall.
Notes:  Freely translated from this Aftenposten article.  This short explanation is derived from my understanding of a highly informative paper entitled “IMSI Catcher”, by Daehyun Strobel, dated 13 July 2007. Read also this short NPR article, and this Q&A regarding IMSI catchers published by the Cryptophone’s German manufacturer.