Exclusive: Whistleblower’s data suggests millions of tracking requests sent over four-month period
Stephanie Kirchgaessner in Washington
Sun 29 Mar 2020 09.30 EDT Last modified on Sun 29 Mar 2020 10.15 EDT
Saudi Arabia appears to be exploiting weaknesses in the global mobile telecoms network to track its citizens as they travel around the US, according to a whistleblower who has shown the Guardian millions of alleged secret tracking requests.
Data revealed by the whistleblower, who is seeking to expose vulnerabilities in a global messaging system called SS7, appears to suggest a systematic spying campaign by the kingdom, according to experts.
The data suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019.
The tracking requests, which sought to establish the US location of Saudi-registered phones, appeared to originate from Saudi’s three biggest mobile phone companies.
The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed.
The data leaked by the whistleblower was also seen by telecommunications and security experts, who confirmed they too believed it was indicative of a surveillance campaign by Saudi Arabia.
The data shows requests for mobile phone location data that were routed through the decades-old SS7 global messaging system, which allows mobile operators to connect users around the world. For example, a mobile user from the US travelling in Germany and seeking to make a call back to the US is connected through the SS7 network.
The SS7 system also enables tracking of phones, which has been a cause for concern by security experts. When a US carrier – such as Verizon, T-Mobile or AT&T – receives what is known as a Provide Subscriber Information SS7 message (or PSI) from a foreign mobile phone operator, they are getting, in effect, a tracking request.
Such requests are legitimately used to help foreign operators register roaming charges. But excessive use of such messages is known in the mobile telecoms industry to be indicative of location tracking.
Experts expressed alarm at the tracking request data because of the apparently persistent high frequency of the requests that appeared to be emanating from Saudi operators seeking to locate their subscribers once they entered the US.
It is not known whether the Saudi mobile operators that were requesting large amounts of location tracking data about their subscribers were knowingly complicit in any government-run surveillance programme.
However, it has already been widely reported that the Saudi government uses cyberweapons to hack dissidents and critics of the kingdom’s crown prince, Mohammed bin Salman. In January the Guardian revealed that the Amazon billionaire Jeff Bezos’s mobile phone was “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of Prince Mohammed.
One Middle East expert, Andrew Miller, a former member of Barack Obama’s national security council, said surveillance was part of the kingdom’s modus operandi. “I think they are surveilling not only those they know are dissidents, but those they fear may deviate from the Saudi leadership,” Miller said. “They are particularly worried about what Saudi nationals will do when they are in western countries.”
The whistleblower’s data appears to show PSI requests from Saudi Arabia that pinged a major US mobile phone operator. It suggests that the three largest Saudi mobile operators – Saudi Telecom, Mobily and Zain – sent the US mobile phone operator a combined average of 2.3m tracking requests per month from 1 November 2019 to 1 March 2020.
The data appears to suggest the Saudi mobile phones were being tracked as they travelled through the US as often as two to 13 times per hour. Experts said that frequency suggests users could probably have been tracked on a map to within hundreds of metres of accuracy in a city.
The data seen by the Guardian did not identify the individual Saudi mobile users who were being tracked.
The Saudi embassies in Washington and London did not respond to multiple requests for comment. Neither did Saudi Telecom, Zain or Mobily.
Sid Rao, a security and privacy researcher and technologist at Nokia Bell Labs, said he believed the data indicated it was “highly likely” that the Saudis were engaged in a surveillance campaign, based on the magnitude of the location requests.
Rao said it could be difficult to determine how many PSI messages might be considered normal, but additional data provided by the whistleblower made him very confident that the requests were not legitimate.
For example, one of the Saudi operators also apparently sent separate location requests – known as PSL, or Provide Subscriber Location, requests – that were blocked by US mobile operators, indicating a high level of suspicious activity.
John Scott-Railton, a senior researcher at the citizen lab at the Munk school at the University of Toronto, said the data seen by the Guardian appeared to show foreign agents “flagrantly abusing” the US cellular network to track people moving around the country.
“In this moment of crisis, phone companies, regulators and the Department of Justice should step up to prevent foreign powers from tracking us through our phones,” he said.
The Guardian requested comments from the three largest US mobile operators – T-Mobile, AT&T and Verizon – and asked the companies whether they allowed PSI tracking requests to be sent for location tracking purposes.
T-Mobile and Verizon did not comment. AT&T said: “We have security controls to block location-tracking messages from roaming partners.”
Ron Wyden, a Democratic senator from Oregon on the Senate intelligence committee, has previously said in a letter to the US telecoms regulator that “malicious attackers” were exploiting SS7 vulnerabilities. He alleged that the Federal Communications Commission had failed to act on such warnings, and blamed the FCC chairman, Ajit Pai, for not regulating US carriers.
In a statement to the Guardian, Wyden said: “Because of [Pai’s] inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country.”