Whether you're watching something like HBO's The Wire or the BBC's Line Of Duty, the fictional detectives in gritty TV crime dramas are often seen scrolling through cellular calling records to determine which numbers their suspects have been calling. This is factually accurate: in real-world policing, call data records are a precious resource for confirming links between gang members.
Or rather, forensics experts thought they were a precious resource.
One day in November 2017, the phone rang in Angus Marshall's office at N-Gate Ltd., a digital forensics consultancy in Darlington, U.K., and everything changed. "A U.K. police force called saying that they were struggling to understand why, instead of revealing the telephone numbers their suspects had called, the call data records were instead listing utterly nonsensical data, random phone numbers, unissued phone numbers, and the numbers of innocent third parties," Marshall says.
As a result, he says, time and effort was being wasted during an investigation into mass import of Class A drugs (such as heroin, cocaine, ecstasy, and LSD) into the U.K.
Other police forces soon found they were having the same problem, and that the issue was in fact an international one, with police forces abroad having the same problem.
So Marshall, an advisor to the U.K. National Crime Agency on digital forensics, working with Peter Miller of the West Midlands Police in Birmingham, U.K., set about trying to understand what was going on. Their findings are now the subject of a disturbing research paper in the June 2019 edition of the journal Digital Investigation.
Marshall and Miller found that organized crime gangs had worked out how to harness the call routing features of 2G, 3G, and 4G cellular phone networks in such a way that they could obfuscate the number that has been called, and sometimes the number that was calling, too. "You simply cannot see who has been calling who," says Marshall.
He explained, "Previously, if you could get hold of a single drug dealer's phone, say, you can get their call records and identify the end points of calls. That lets you very quickly build up a map of what the drug distribution network looks like, based on things like the duration and frequency of calls. This obfuscation technique is designed to break that pattern."
The gangs' obfuscation technique requires the use of a modified SIM card called a stealth SIM and works on a basic feature phone which, compared to a smartphone, leaks little ID data into the phone's signal, the investigators found.
The stealth SIM makes use of a flaw in GSM networks that, when a call is redirected into a network's own low-cost VOIP channel for some of its journey, gives the network the option to shed number data. "Normally, the VOIP network would transmit the original calling handset's phone number, but it doesn't have to, so they can just insert fake numbers at that point," says Marshall. That is what they now do, sending nonsensical character strings, repeated numbers, non-issued numbers or numbers of innocent third parties, instead of actual calling data.
Thought to be based on a legitimate mobile network's SIM that has been reprogrammed, the stealth SIM effectively creates its own mobile virtual network, which shields the stealth SIM from forensic analysis. Some stealth SIMs are sold in grey online markets, for sums that can reach more than $900 for a prepaid phone service, to business people who, perhaps for reasons of commercial confidentiality, do not want their called numbers to be recorded, and sometimes to celebrities who, similarly, want to keep their networks private in the era of phone hacking.
"There are definitely people out there who can provide the technology for gangs. They have a wonderful business model where they actually look fairly clean themselves, because they are providing a service that potentially is attractive to celebrities, journalists going into hostile territories, or politicians who need an anonymizing service of some sort," Marshall says.
Marshall and his colleagues at U.K. police departments have developed a technique that uses statistical timing analysis to correlate who has spoken to whom by examining hundreds of calls made on suspects' seized phones, and seeking out those calls that start and stop at the right times far too often. They seek out cases where "the timing pattern is far too regular for it to be coincidence," says Marshall.
As a result, over the last 18 months, Marshall and his colleagues managed to successfully present evidence based on their statistical timing analyses to the Crown Prosecution Service—which decides if a case goes to court—and then to the judge, jury, and defense counsel when it did. Marshall says the technique has been accepted as valid evidence in successful prosecutions.
Yet the timing technique is laborious, he says, involving a painstaking manual analysis of call start and end times (for hundreds of calls for each pair of communicating criminals) using call record documents from many different networks, all of whom present information in different ways, in different types of spreadsheets.
One potential ray of hope is that upcoming 5G networks may not allow the stealth SIM to work, as they will be a very different type of network (running 10 times faster than 4G on a network that dynamically allocates signal resources) from microwave macrocells and millimeter-wave picocells. "Until I've seen a bit more detail on the niceties of 5G call routing, I can't be sure if their stealth SIM technique will work on 5G," says Marshall.
According to Alan Woodward, a digital forensics specialist at the University of Surrey and an advisor to Europol, "This research shows that criminals are finding ways of manipulating the SIM cards themselves so that, whilst they give network access, they allow them to remain anonymous. It's a bit like Tor for phones, although unlike Tor, this is both contrary to what the service providers allow, and it's difficult to see any legitimate use for it."
Sadly, says Woodward, "I suspect we'll see more of this. It demonstrates just how technically sophisticated criminals have become."
For Marshall and his colleagues, it is far from the first time a promising forensics technology has failed them.
"We used to get a lot of good evidence and intelligence from some of the big social media platforms, because criminals like counterfeiters, or those selling dangerous goods, would use Facebook and Facebook Marketplace. But then they migrated to encrypted messaging services, like WhatsApp and Telegram, or Snapchat, where the messaging is ephemeral," and much of it was lost to them, Marshall says.
"This research underscores the importance of continuing to push the envelope on analysis," says Barbara Guttman, head of digital forensics research at the U.S. National Institute of Standards and Technology in Gaithersburg, Maryland. "Both criminals and law enforcement continue to innovate in the use and analysis of cellphones and other digital technology."
Asked whether the crooks or the cops are showing more smarts, Guttman says, "There's a lot of innovation on both sides of the fence."
Paul Marks is a technology journalist, writer, and editor based in London, U.K.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment