A phone signal grabber or IMSI-catcher is one of the most powerful devices for conducting surveillance and invading your privacy – legally or illegally. Which is why not just anyone is allowed to possess one. This little beauty can perform loads of magic tricks including cloning your phone, intercepting calls and SMSes, turning your phone into a transmitter and much, much more.
Last week an Israeli-made cellphone signal grabber, or IMSI-catcher, made headlines after amaBhungane published an investigation into Willie Lotter and Joseph Pooe, who were arrested by the Hawks for the alleged illegal possession of an IMSI-catcher.
The implications of this device are enormous. In the wrong hands, it can be used to eliminate political rivals, curb a free press by targeting investigative journalists, and in the case of Lotter and Pooe, allegedly help bug members of the Airports Company of South Africa’s bid adjudication committee which makes decision on contracts worth hundreds of millions of rand, according to The Star.
What is even more frightening is that in recent years, IMSI-catcher technology – which was previously only within the grasp of governments – is now accessible to hackers and researchers who have been able to successfully build their own grabbing devices.
Most recently, a research team from Helsinki and Berlin were able to build an IMSI-catcher device that works on newer 4G/LTE networks (more advanced even than the Engage PI2’s capabilities) and is able to precisely pinpoint a cellphone’s location based on the signals it transmits when using apps such as WhatsApp and Facebook, with no knowledge from the owner of the phone that tracking is taking place.
But what exactly is the device, and what can it do?
IMSI-catchers, or grabbers, have been around since 1996, with German and Israeli companies pioneering the early technologies. The first publicly known IMSI-catcher was made by German electronics manufacturer Rohde & Schwarz. Subsequent manufacturers have marketed the devices as “anti-terror equipment” with many law enforcement and intelligence agencies across the world making use of the devices – most notably and controversially perhaps is the use of the Stingray phone tracker by US police.
Thanks to our friends from the amaBhungane Centre for Investigative Journalism, Daily Maverick is in possession of a user manual for the Verint Engage GI2, a grabber which functions very similarly to the Engage PI2 device confiscated from Lotter and Pooe by the Hawks. (See main photo)
Simply, the device works as a cellphone tapper, tracker and locator. It does this by masquerading as a cellphone tower and forcing nearby handsets to connect to it. Once a handset has connected, the device can identify the target handset’s international mobile subscriber identity (IMSI) number and use the number to track the phone’s movements, pinpoint its location, intercept its calls, or eavesdrop on conversations occurring around the phone.
This is all done covertly, and the data collected is analysed in real time by the device. Some grabbers, such the Engage PI2 and GI2, have sim cards that allow them to reroute the captured calls to third parties.
The device comes in either a trolley case or attache-style case, and is controlled by a laptop computer. Most often the device is operated from a vehicle to allow it to get closer to target handsets – in the case of Lotter and Pooe, the unit was installed in a Mercedes Viano.
The device falls under a special category of equipment in South Africa designated for the interests of national security and can therefore only be bought with presidential authority, and is said to be worth more than R25-million.
The Engage GI2 has a number of features:
GSM Call Routing: The unit allows the user to route a target phone’s call through the device and into the real GSM network, effectively acting as an invisible “man in the middle” who is able to eavesdrop on the target’s conversation.
Cloning: The device allows the user to clone a target’s phone and make/receive calls and text messages that will appear as if they are coming from the target’s number.
SMS: The device allows the user to simulate a cell network, forcing phones over a large area to connect to the device. Once connected, the device is able to capture all text messages sent over that period.
Silent call: This function initiates a call to the target phone, turning the phone’s transmitter into a location tracking beacon. While a silent call is active, the target phone is disconnected from the real network, shifted to an unused channel and cannot make or receive any calls. While a silent call is active, the phone appears to be in standby mode and can be used as a tracking device to determine the target’s movements.
Eavesdropper: The device allows the user to listen and record audio from the target phone’s handset. As described in the manual, “This functionality turns a target’s own mobile phone against the target by turning it into a ‘bug’. The voice from the target’s mobile is being recorded from the time the mobile starts ringing. The voice will continue to be recorded after the target hangs up.”
The device enables its operator to identify potential and known targets and build an intelligence picture in an area of operation. It also can help identify a potential target – it records all calls and SMSes and enables operators to listen to any call that appear relevant. The operator can choose to focus the operation on the targets for ongoing monitoring.
It can build an intelligence picture of a known target by intercepting target’s traffic according to predefined cellular identifiers, key words and voiceprints.
“The real scandal here is not around this particular grabber,” says Murray Hunter, spokesperson for the Right2Know Campaign, “but rather that the state has its own such devices. We don’t know how many, we don’t know how they’re used, but what we do know is that the use of these devices is almost certainly illegal in terms of RICA.
“A judge has to sign a warrant before the state can intercept someone’s phone information,” he continues, “and a grabber is a mass surveillance device so when you turn it on you’re immediately intercepting 10,000 signals and you’re tapping the phone of everyone in that radius.”
In September last year, Right2Know submitted a Promotion of Access to Information Act (PAIA) request to SAPS and SSA for evidence that they were given warrants to use these surveillance services, but all PAIA requests were denied.
All’s not lost, however. There are some steps that can be taken to prevent the government (or anyone else) from snooping on you with one of these devices. Various smartphone apps are now available which can minimise the risk of your signals being intercepted. One is the Android IMSI-Catcher Detector which alerts you if an IMSI-catcher attempts to connect to your phone and then blocks the signal. Another is SnoopSnitch which operates in a similar way.
Some may not be concerned about this device and its capabilities because they may think they have “nothing to hide”, but that fundamentally misses the point. These capabilities in the wrong hands fundamentally violate our constitutional right to privacy of communications, and as Edward Snowden said, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
“The next step for the public is not just about seeing the prosecution of a few shady characters,” Murray Hunter says, “but really pushing government to come clean on how it uses surveillance and how it created the situation in which these men can be caught with an imported grabber in the boot of their car.”
This produced by the Daily Maverick, and republished with thanks.