Silent SMS messages - secret tracking used by many SIS with legal loop hole

Magda Hassan
03-25-2012, 06:35 AM

BY FABIEN SOYEZ (http://owni.eu/author/fabiensoyez/) ON JANUARY 27, 2012

In June 2011, Colette Giudicelli, a senator representing the Maritime Alps region of France, wrote to Claude Gueant, the French Interior Minister:
Many foreign police and intelligence services use clandestine “Silent” SMS to locate suspects or missing persons. This method involves sending an SMS text message to the mobile phone of a suspect, an SMS that goes unnoticed and sends back a signal to the sender of the message. Colette Giudicelli would like to know whether this procedure has been used in France.

Seven months later, and there has still been no response from the French government. The subject might well have faded from memory, had it not been for the 28th Chaos Communication Congress (http://events.ccc.de/congress/2011/wiki/Welcome), held in Berlin at the end of December. At the international hackers conference, the researcher and mobile security expert Karsten Nohl announced (http://www.youtube.com/watch?v=YWdHSJsEOck&feature=youtu.be): “In Germany in 2010, police sent thousands of Silent SMS in order to locate suspects.”
Also known as Flash-SMS, the Silent SMS uses an invisible return signal, or “ping”. Developers from the Silent Services (http://www.silentservices.de/HushSMS.html) company, who created some of the first software for sending this type of SMS, explain:
The Silent SMS allows the user to send a message to another mobile without the knowledge of the recipient mobile’s owner. The message is rejected by the recipient mobile, and leaves no trace. In return, the sender gets a message from a mobile operator confirming that the Silent SMS has been received.

Silent SMS (http://en.wikipedia.org/wiki/SMS#Silent_SMS) were originally intended to allow operators to ascertain whether a mobile phone is switched on and to “test” the network, without alerting the users. But now, intelligence services and police have found some other uses for the system. Neil Croft, a graduate of the Department of Computer Science at the University of Pretoria in South Africa, explains:
Sending a Silent SMS is like sending a normal SMS, except that the mobile does not see the message it has received. The SMS’s information is modified, within the data coding scheme (http://www.cardboardfish.com/support/bin/view/Main/DataCoding), so that the user who receives the message doesn’t notice anything. A Silent SMS can help police to detect a mobile without the person concerned being aware of the request.

Technical bit: in order to tamper with the SMS’s information and make it silent, the security services go through a network for sending and receiving SMS known as an SMS gateway, such as the Jataayu SMS (http://www.jataayu.co.in/wireless-modems.html) gateway. This allows them to interconnect the processing and GSM (http://en.wikipedia.org/wiki/GSM) systems. Neil Croft, now president of an SMS marketing company (http://www.mahalamobile.co.za/), explains:
These Silent SMS are also used by some hackers to organise attacks known as “distributed denial of service” (DDOS) attacks. These run down the battery on a mobile abnormally fast, rendering it unable to receive calls. Such a procedure is not expensive: to send one Silent SMS per second for one hour costs about €36 euros.

This method of mass sending appears to be widely used by these security services. In November 2011, Anna Conrad (http://anna-conrads.de/) of the Die Linke (The Left) party in Germany, posed a written question (http://owni.eu/2012/01/27/silent-sms-germany-france-surveillance-deveryware/www.landtag.nrw.de/portal/WWW/dokumentenarchiv/Dokument/MMD15-2905.pdf) (pdf) to her local state assembly concerning the use of Silent SMS by the German police. Her local assembly responded (http://www.heise.de/tp/artikel/35/35905/1.html): in 2010, her state conducted 778 investigations and sent 256,000 Silent SMS.
Mathias Monroy, a journalist with Heise Online (http://www.heise.de/), argues this surveillance technology is flourishing largely as a result of a legal vacuum:
This is very problematic for privacy, because legally it is unclear whether or not a Silent SMS counts as a communication (…) The state found that it was not one, since there is no content. This is useful, because if it is not a communication, it does not fall under the framework of the inviolability of telecommunications described in Article 10 (http://www.iuscomp.org/gla/statutes/GG.htm#10) of the German Constitution.

On December 6, the German Interior Minister Hans-Peter Friedrich announced that German police and intelligence had been sending an average (http://www.heise.de/newsticker/meldung/Zoll-BKA-und-Verfassungsschutz-verschickten-2010-ueber-440-000-stille-SMS-1394593.html) of 440,000 Silent SMS a year since they began using the system.
After each SMS was sent, investigators went to the four German mobile operators – Vodafone, E-Plus, O2 and T-Mobile – in order to access the recipient’s information. To aggregate this raw data provided by operators, the police use Koyote (http://www.rola.de/article-160-koyote-software.html) and rsCase (http://www.rola.ch/index.php/en/products/rola-germany-products/rscase), software supplied by Rola Security Solutions (http://www.rola.com/), a company that develops “software solutions for the police”.

Smile, you’re being tracked

Silent SMS allow the user to precisely locate a mobile phone by using the GSM network, as Karsten Nohl explains:
We can locate a user by identifying the three antennas closest to his mobile, then triangulating the distance according to the speed it takes for a signal to make a return trip. A mobile phone updates its presence on the network regularly, but when the person moves, the information is not updated immediately. By sending a Silent SMS, the location of the mobile is instantly updated. This is very useful because it allows you to locate someone at a given time, depending on the airwaves.

This technique is much more effective than a simple cellular location (Cell ID (http://developer.att.com/developer/tier2page.jsp?passedItemId=3100144)), as François-Bernard Huyghe, a researcher at IRIS (http://www.iris-france.org/en/), sets out:
This is the only instantaneous and practical method to track a mobile constantly when it’s not in use. We’re talking then about geopositioning rather than geolocation. After that, either the police track the information via the operators, or private companies process the data and, for example, refer the investigator to a map where the movements of the monitored phone appear in real time.

The benefits of Silent SMS don’t stop there: by sending a large number of these SMS, security services can also disrupt the mobile or remotely reactivate its signal and wear out the battery. A spokesman for the German Interior Ministry tells OWNI:
German police and intelligence services use Silent SMS to reactivate inactive mobile phones and refine the geolocation of a suspect, for example when they move during an interview. The Silent SMS is a valuable investigative tool, which is used only as part of a telecommunications surveillance operation sanctioned by a judge, in a specific case, without violating the fundamental right to protection of privacy.

Remote reactivation

In France, police and intelligence services work with Deveryware (http://www.deveryware.com/), a “geolocation operator”. Deveryware also market a “geolocation employee punchcard”, the Geohub (http://www.deveryware.com/Geopointage), to businesses.
Deveryware combine cellular localization (http://en.wikipedia.org/wiki/Mobile_phone_tracking), GPS, and other “real-time location” techniques. Questioned by OWNI whether Silent SMS were one of these techniques, the company’s response was evasive:
Regretfully we are unable to provide an answer, given the confidentiality imposed on us by legal requisitions.

Deveryware’s applications enable investigators to map and compile a history of a suspect’s movements. Laurent Ysern, head of investigations for SGP Police (http://www.unitesgppolice.com/index.php?id_site=1), states:
All investigative services have access to the Deveryware platform. With this system, one can follow a person without having to be behind them. There’s no need for shadowing, so less staff and equipment needs to be mobilized.

While in Germany the Ministry of the Interior responded within 48 hours, the French government remains strangely silent. There has been one single response, from the Press Department of the National Police:
Unfortunately, no one at the PJ (Police Judiciaire) or the public safety office is willing to comment on the subject, these are investigative techniques …

Silence too from the French telecoms operators SFR and Bouygues Telecom. Sebastien Crozier, a union delegate at France Telecom-Orange, says:
Operators always collaborate with the police, it’s a public service obligation: they act in accordance with judicial requests…There is no definitive method, sending SMS is one of the methods used to geolocate a user. We mainly use this technique to “reactivate” the phone.

By 2013, the use of these surveillance methods is expected to reach an industrial scale. The Department of Justice will set up, with the help of the arms company Thales, a new national platform of judicial interception (PNIJ), which is expected to centralize all legal interception, i.e., phone-tapping, but also summons such as requests for cell location. Sebastien Crozier remarks:
This interface between police officers and operators will streamline court costs and reduce processing costs by half, because until now summons have been handled station by station…There will be more applications, but it will be less expensive for operators like the police.
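
As an added example (not part of the original article or this post), the sketch below parses an SMS-DELIVER PDU and reports the header values tied to the "data coding scheme" modification described above, the kind of check a defender could run over PDUs logged from a modem. It assumes the 3GPP TS 23.040 "Short Message Type 0" value (TP-PID 0x40) and the TS 23.038 class 0 and discard groups of the data coding scheme; the function names, indicator labels and sample PDUs are constructed for illustration.

```python
# Added example (not from the article): flag "silent" indicators in SMS-DELIVER
# PDUs given as hex, the form a GSM modem returns in PDU mode.
# Field layout per 3GPP TS 23.040; DCS groups per 3GPP TS 23.038.

def parse_deliver(pdu_hex):
    """Return sender, TP-PID, TP-DCS and TP-UDL of an SMS-DELIVER PDU."""
    b = bytes.fromhex(pdu_hex)
    try:
        i = 1 + b[0]                    # skip SMSC block: length octet + body
        if b[i] & 0x03 != 0x00:         # TP-MTI 00 = SMS-DELIVER
            raise ValueError("not an SMS-DELIVER PDU")
        digits = b[i + 1]               # sender length in digits, not octets
        i += 3                          # past first octet, length, type-of-address
        octets = (digits + 1) // 2
        raw = b[i:i + octets]
        i += octets
        pid, dcs = b[i], b[i + 1]
        udl = b[i + 2 + 7]              # TP-SCTS timestamp is 7 octets
    except IndexError:
        raise ValueError("truncated PDU") from None
    # Digits are swapped semi-octets; 0xF pads an odd count (numeric senders only).
    sender = "".join(f"{o & 0x0F:X}{o >> 4:X}" for o in raw)[:digits]
    return {"sender": sender, "pid": pid, "dcs": dcs, "udl": udl}

def silent_indicators(pdu_hex):
    """List header values worth logging when hunting for silent messages."""
    f = parse_deliver(pdu_hex)
    dcs, hits = f["dcs"], []
    if f["pid"] == 0x40:                # Short Message Type 0: acked, not shown
        hits.append("tp-pid-type0")
    # Class bits only count in the general group (bit 4 set) or group 1111.
    has_class = ((dcs & 0xC0) == 0x00 and (dcs & 0x10)) or (dcs & 0xF0) == 0xF0
    if has_class and (dcs & 0x03) == 0:
        hits.append("dcs-class0")       # class 0 (immediate display, not stored)
    if (dcs & 0xF0) == 0xC0:
        hits.append("dcs-mwi-discard")  # message-waiting group, content discardable
    return hits

# Constructed sample PDUs: no SMSC block, sender 15550100123, same timestamp.
HEAD, SCTS = "00040B915155100021F3", "21107221030000"
SILENT = HEAD + "4000" + SCTS + "00"        # TP-PID 0x40, empty body
FLASH = HEAD + "0010" + SCTS + "02E834"     # DCS 0x10 = class 0
NORMAL = HEAD + "0000" + SCTS + "02E834"    # ordinary text message

if __name__ == "__main__":
    for name, pdu in (("silent", SILENT), ("flash", FLASH), ("normal", NORMAL)):
        print(name, parse_deliver(pdu)["sender"], silent_indicators(pdu))
```
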