
Iraq insurgents intercepting British soldiers' mobile phone data - hype ?

Communications Traffic Data from mobile phones is in the media today:

The Sunday Telegraph came up with a story yesterday:
"Army wives get phone death threats from Iraq", which has been quoted by the online versions of their rival media yesterday, e.g. Mail on Sunday, or The Press Association.

Today's tabloids like The Sun, and even The Times, are also running this story, without bothering to follow it up with any further investigation, and without crediting the Sunday Telegraph at all, which is unethical, and something which most bloggers who comment on this story will hopefully not emulate.

We are sceptical about the details and claims made in these stories, and in the supposed briefing document leaked by the Territorial Army London Regiment.

  • Lots of people get "nuisance calls" in the UK

  • Lots of people get "silent calls" from automated dialling machines, which wait until they do not hear a fax or modem tone and then pass the call on to a call centre worker, who then tries to sell them mobile phones or kitchen units or double glazing etc. Many times these systems fail to hand over to a busy call centre, hence the "silent calls".

  • What evidence is there that these "20 nuisance calls" have actually originated from Iraq ? Dialling 1471 will not reveal the number which has called, neither from a foreign based call centre, nor from the alleged "Iraqi insurgents".

The Territorial Army document supposedly says:

The document warns soldiers preparing to take part in operations that insurgents in southern Iraq have managed to obtain the home telephone numbers of soldiers by using electronic intercept devices to hack into mobile phone systems.

[...]

The military document states that there have been "many instances in the last weeks of relatives and friends of personnel serving abroad on operations getting nuisance phone calls" from Iraq.

It adds: "Investigations indicate that the 'callers' of these nuisance calls have acquired the numbers from personnel using their own mobiles to phone. This is fairly easy using today's technology. It makes no difference whether the mobile is of UK origin or sourced abroad.

Such claims are extremely hard to believe. Why did these supposedly professional journalists not check such claims with some mobile phone network experts ?

  • We simply do not believe that "Iraqi insurgents" have access to passive GSM Mobile Phone snooping equipment. Breaking the standard A5/1 encryption which protects the handset to base station radio leg of a voice call or text message is possible, using a pre-computed lookup table which would need "only" about 200 Gb of disk space, but getting hold of a fast enough frequency hopping radio scanner is not so easy.

  • The deliberately weakened "export" version of the GSM encryption, A5/2, can now, with modern computing power, be broken in real time, thanks to some design flaws in the protocol which were not exploitable by anyone other than national governments when it was designed. To exploit this, an attacker still needs access to frequency hopping scanner equipment fast enough to follow the channel hopping which a GSM phone does, not really for security, but to counteract temporary interference and borderline radio transmission effects like reflection of the radio signals etc., especially at the edge of a cell, or whilst on the move.

  • "Insurgents" would have to be insane to use a man-in-the-middle attack micro-cell or fake Base Station transmitter in Iraq, since this would have to transmit, and would easily betray its own location, within seconds, to the military Electronic Warfare teams on the ground or in the air.

Both of the above techniques only work in a limited area, i.e. within one mobile phone transmitter cell.

If the alleged "Iraqi insurgent nuisance callers" have access to the GSM Mobile Phone core networks in Southern Iraq or Kuwait, then the British Army should be far more worried about the Location Based Service tracking of any mobile phones which they are carrying, even without making any calls, as this will warn the insurgents of troop movements, and could possibly be used to set up ambushes.

Given the importance of preventing the local GSM mobile phone networks from being used to detonate booby traps and bombs remotely, surely these networks have always been under the direct control of the British and Iraqi military forces ? If not, then why not ?

What will the Ministry of Defence do in response to these tabloid headlines ?

  • Will they ban British soldiers from carrying or using mobile phones ?

  • Will they vastly increase the amount of secure communications available for soldiers to contact their families back home ?

  • Will they snoop on all the Communications Traffic data of all the families of British military personnel, and of all the innocent people who happen to call them ?

  • Will they get an independent security audit of the security of the mobile phone core networks in Iraq ?

  • Will they check that the personnel with authorised access to the Communications Traffic Data in Iraq and in the UK are not betraying these details ?

Comments

There have been reports of fake BTSs discovered in Iraq, whether for electronic warfare or as part of an unauthorised commercial network.


@ Alex - surely any such BTS equipment (i.e. mobile phone cell masts and transmitters), if it is ever switched on, is trivially easy for the military to radio locate, put under surveillance, capture or destroy ?


It's possible that the Iraqi GSM network runs without any encryption at all, to make tapping quick and easy. This wouldn't be a first; as far as I can tell, none of the Indian GSM networks use any encryption either. As a result quite a few Indian companies make GSM intercept gear, and although it isn't cheap, I wouldn't be surprised if the Iranians have provided it to their Iraqi allies.


@ 1327 - surely nobody could be so stupid as to enforce A5/0 null cipher in Iraq today ?

Circa 2000, there was talk of fake base stations which tricked handsets into thinking that they were in Iraq, which being subject to cryptography export sanctions, supposedly selected A5/0 the null cipher option.

The post invasion network equipment in Iraq is only a couple of years old at most, so there should be no excuse regarding performance, which is the only reason that the Indian networks might be so stupid.

Interception by the authorities can and should be done via the core network, which is architecturally unencrypted (although there could be point to point encrypted backhaul links).

If there really is no encryption on today's GSM networks in Iraq, e.g. MTS / Vodafone, then whoever made that decision almost certainly has blood on their hands.

Any Spy Blog readers out there in Iraq with access to the engineering test options on their mobile phone handsets are welcome to confirm or deny this hypothesis.


I'm not 100% sure how many GSM networks there are in India, but of the 5 tested, all (including Orange) used A5/0, which makes me think this is Indian policy rather than anything else. But yes, it's stupid, and explains why so much low end GSM intercept equipment comes from that country.

Running A5/0 in any country would be daft but especially so in Iraq ! I would be very interested to hear of anyone running Netmonitor there also.


@Spyblog: yes, if they are looking for it. no, if they aren't.

The US response to the cellular command detonated IEDs has always shown signs of low clue availability - they put considerable effort into jamming the 900MHz GSM network from an aircraft, when surely monitoring the corenet would have been more useful, as it would produce very valuable intelligence information.

The jamming defeated the cellular IEDs, with the result that the insurgents abandoned radio as a means of triggering them and turned to first active, and now passive, IR.


Regarding unauthorised commercial cellular networks: some six are known to have existed in Iraq, and at least one in Afghanistan.


What they're suggesting is a very realistic scenario.

All you have to do is record new connections to the BTS... Because all GSM connections are of a fixed size, you know when the phone is sending the CC SETUP, and only have to record up to that point.

You can then spend as long as you want decrypting that data ... On a normal PC it would likely take a week or two, and the source code is readily available on the Internet for anyone with the technical know-how and a modified MS.


Just want to add that such an attack is totally passive. There is almost no chance of being discovered over your next door neighbour using a television.

