April 24, 2015

Some equipment that connects NSA with its foreign partners

A close look at a unique photo of NSA computer equipment revealed the names of five countries: Tunisia, the Netherlands, Belgium, Germany and Italy. The devices are routers, but it's not certain what exactly they used for. The circumstances indicate that they enable the exchange of data for military operations in which these NSA partner countries participate.

Presentation about Strategic Analystics at the
NSA's European Cryptologic Center (ECC)
(Click for the full presentation in pdf)

On June 14, 2014, the German magazine Der Spiegel published 53 documents pertaining to the NSA's operations in Germany and its cooperation with German agencies. Many of them got little attention, and so they often contain interesting things which are not yet reported.

One of these documents is an undated presentation about Strategic Analystics used at the NSA's European Cryptologic Center (ECC), which is located near the city of Darmstadt in Germany. This presentation contains some unique photos of what seems to be NSA equipment.

Cisco routers

One of the photo's shows a 19-inch rack for computer equipment modules, which contains 13 common Cisco 2811 routers. In the photo we see the front panels of the routers, with each one having a black power cable and a red network cable, which connects to a computer in order to manage the router. The cables for the actual data are on the rear side, where the device has four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet ports, and a slot for an Enhanced Network Module (ENM).

Slide from the presentation about Strategic Analystics
at the NSA's European Cryptologic Center (ECC)
(Click to enlarge)

Classification labels

Twelve routers have an orange and a yellow label, only the bottom one has a red label. These labels indicate the (highest) classification level of the data that are handled by the equipment. The red label is for Secret, the orange one for Top Secret and the yellow one for Sensitive Compartmented Information (SCI), which means the information is in a "control system" with extra protective measures.

All but one of the routers may therefore transfer data up to the level of Top Secret/SCI. This sounds quite impressive, but actually almost everything NSA does is classified at this level, more specifically as Top Secret//Comint (or SI for Special Intelligence) - the marking that can be seen on almost all Snowden documents.

Sometimes, the photos in the presentation are related to what the slide is about, but here that seems not to be the case. The slide is about MapReduce analytics, with MapReduce being a particular method to filter, sort and generate data from very large databases. This is completely different from what routers do, which is transferring data from one computer network to another.

Photo of the equipment rack with 13 Cisco routers
(Click to enlarge)

The white labels

Most interesting in this photo is the text on the white labels, which unfortunately is very difficult to read. But after I brought these photos under attention, a twitter-user noticed that these labels contained new codewords and names of countries. Eventually the following words could be read, with in gray those that are uncertain:










...... ..../....


ITALY ....

....... ....

Most of the routers are labeled BAYBRIDGE, either accompanied by another codeword or by the name of a country: Tunisia, Belgium and probably Italy. The Netherlands and Germany are mentioned on routers which appear to be related to other systems, which for the Netherlands is codenamed PARTSTREAMER. Germany is related to some kind of EXPANSION.

All these codewords are seen here for the first time, so it's not known what they stand for and the variations make it even more difficult to guess what these routers are actually used for. Maybe some future disclosures of NSA documents can provide an explanation.

Close-up of the white labels for the routers labeled

Third Party partners

One thing that these five countries have in common, is the fact that they are 3rd Party partners of NSA. This means there's a close cooperation based upon a formal agreement between NSA and the agency responsible for signals intelligence in a given country.

Belgium, The Netherlands, Germany and Italy are long-time trusted allies of the US, but Tunisia only came more close to the US after 9/11. It for example supported the war on terrorism, conducted joint training exercises with the US, and US Navy ships regularly visited the ports of Bizerte, Sfax, Sousse and Tunis.*

Initially, Tunisia then fell under responsibility of the US European Command (EUCOM), but came under the newly created US Africa Command (AFRICOM) in 2008. There are even plans to move the AFRICOM headquarters from Stuttgart, Germany to Tunisia, after this small north-african country moved away from its close relationship with France in recent years.

We probably can come even closer to what the purpose of these routers is, by looking at where they are used. As we have seen, the photo isn't related to what's in the slide, but as the presentation as a whole is about certain efforts at the NSA's European Cryptologic Center (ECC), we can assume the routers were photographed there.

The European Cryptologic Center

The ECC is one of several Cryptologic Centers of the NSA. These were established in the mid-1990s to decentralize SIGINT operations and make their systems more redundant. Initially they were called Regional SIGINT Operations Center (RSOC).

Four of these centers are in the United States and named after the state they are in: Georgia (in Augusta), Texas (in San Antonio), Hawaii (in Honolulu) and Colorado (in Denver). There are two known centers outside the US: the European Cryptologic Center (ECC, in Griesheim, Germany) and the Afghanistan Remote Operations Cryptologic Center (AROCC, in Bagram, Afghanistan).

The NSA's European Cryptologic Center (ECC) at the Dagger
Complex in Griesheim near Darmstadt, Germany
(Photo: AP, July 2014 - Click to enlarge)

The European Cryptologic Center (ECC) is located within the US Army's Dagger Complex outside the small town of Griesheim, near the city of Darmstadt in Germany. In 2011, it had some 240 personnel, consisting of military and civilian members of the military services, NSA civilians and contractors.

On behalf of NSA, the center is operated by the US Army Intelligence and Security Command (INSCOM) and as such is part of the NSA's military branch, the Central Security Service (CSS), more specifically of NSA/CSS Europe and Africa (NCEUR/AF).

The ECC conducts the processing, analysis and reporting of signals intelligence in support of both the European Command and the Africa Command - which perfectly fits the countries we saw on the white labels. The ECC is primarily focussed on Counter-Terrorism and supporting military operations in Africa and the Middle East.

Military operations

According to NSA historian Matthew Aid, NSA's European center already supported American troops operating in Bosnia and Kosovo in the late 1990s. There were direct communication links not only with US military units, but also with all the SIGINT agencies and units of the partner nations operating in the Balkan, like Germany, France, Italy, the Netherlands, and others.

In a similar way the routers we see in the photo from the presentation could then be used for the exchange or transfer of data related to specific military and counter-terrorism operations, each involving different countries. For now, this seems the most likely option, as it could also explain the variations of the codewords.

This seems to be different from SIGDASYS, which is a database system where NSA and some partner agencies can put in and pull out military intelligence information on a more regular basis. Also, SIGDASYS is part of the SIGINT Seniors Europe (SSEUR or 14 Eyes) group, which doesn't include Tunisia.

Links and sources
- Matthew Aid: The European Cryptologic Center at Darmstadt, Germany (2013)
- Presentation about the US Army Intelligence and Security Command (INSCOM) (pdf, 2013)
- NIST: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy (pdf, 2005)

April 8, 2015

Torus: the antenna to significantly increase satellite interception

(Updated: April 15, 2015)

At three satellite facilities, in Britain, Cyprus and New Zealand, there's a special antenna that allows NSA's partner agencies a significant increase in their capability to collect satellite communications.

This antenna is called Torus, and while conventional parabolic dish antennas can only view one satellite at a time, one single Torus antenna is able to receive the signals from up to 35 communications satellites.

These rare and expensive Torus antennas are used by some television networks, but a close look at photos of the Five Eyes satellite stations has now revealed the locations where Torus antennas are also used for gathering signals intelligence.

A General Dynamics Satcom Technologies Torus antenna
with the array of receiver heads clearly visible

The Torus antenna is rectangular, instead of circular like the conventional satellite dishes. Its quasi-parabolic shape is actually a section of a geometrical shape called torus, which it gave its name. Where a conventional satellite antenna only has one receiving head, called a Low-Noise Block (LNB) downconverter, a Torus antenna has many of them, placed in an array.

How one Torus antenna (brand name Simulsat) is able
to receive the signals of up to 35 satellites
(Source: Evertz.com - Click to enlarge)

With a focal arc instead of a single focus point, the Torus antenna can pick up the signals from a range of satellites which are in a GeoStationary Orbit (GSO), a fixed position above the equator. This is the case for most of the more than 100 communications satellites. Because a Torus antenna has to be aligned with the position of multiple satellites, it has to be adjusted to a specific position and therefore cannot be turned or spin around like circular satellite dishes.

Satellite collection

The usage of Torus antennas for signals intelligence first became clear from a slide that was part of a 2011 presentation for the annual Five Eyes conference. It was published in May 2014 in Glenn Greenwald's book No Place To Hide.

The slide is titled "New Collection Posture" and contains a diagram showing the various steps in the process of satellite collection. Greenwald saw this as evidence that NSA wants to "Collect it All", although the diagram clearly shows this refers to just one particular stage:

For the first step of this process it's said that "Torus increases physical access" - a clear description of the fact that one such antenna can receive the signals from many satellites. With one satellite having between 24 and 32 transponders to relay a signal, one Torus antenna, under the right circumstances, could in theory receive nearly 1,000 communications channels simultaneously.

This doesn't necessarily means that with Torus antennas, the Five Eyes agencies are now "collecting everything". The new antenna allows them access to much more satellites, but in the next stage (dubbed "Know it All") they look for and pick out the channels that have the best chances for useful information.

More access also means the need for more capacity to process these incoming signals, because they have to be converted, demodulated and demultiplexed before something can be done with them. And for internet communications, also more XKEYSCORE (XKS) servers would be needed for buffering, so analysts can sort out data of interest.

Torus antennas are useful to "increase the haystack", which doesn't mean that the whole haystack is stored - only those tufts that are likely to contain "needles".

Torus interception antennas

Now knowing what to look for, it was quite easy to "spy back" on the satellite intercept stations through the aerial images of Google Maps. By doing so, we can recognize Torus antennas in Britain, Cyprus and New Zealand.

Waihopai, New Zealand

Most information about the use of a Torus antenna for signals intelligence is available for the one at the Waihopai satellite intercept station in New Zealand, which is codenamed IRONSAND.

According to an article that was originally published in The Marlborough Express in July 2007, the Torus at Waihopai was built the month before and was expected to be operational later that year. Then GCSB director Bruce Ferguson said that this new dish would enable satellites to be tracked more efficiently, and with a cost of under 1 million dollars, it was very good value for money, he said.

The Waihopai station in 2012, with the Torus antenna at the far left
(Photo: Gilbert van Reenen/Vital Images - Click to enlarge)

The new Torus antenna joined the existing satellite dishes, the first of which was built in 1989, and the second in 1998. These dishes are covered by domes, which make them look like giant golf balls. According to the GCSB director this was to ward off the weather, but it is generally considered that it is actually to prevent seeing which direction the dishes face.

The Torus didn't get such a covering, maybe because it only has limited ability to manoeuvre on a fixed pad. But had the Torus antenna been covered like the old dishes, we wouldn't have known about this new and increased satellite interception capability.

The GCSB satellite station Waihopai, before (2005) and
after (2008) the Torus antenna was installed

The Torus at Waihopai is also mentioned in a recently disclosed GCSB presentation from April 2010, which says: "TORUS now enabling an increase of COMSAT/FORNSAT collection". This sounds like this antenna became operational not long before, although it was already installed in 2007. Maybe it took a few years before the necessary processing capacity became fully functional.

Bude, United Kingdom

A second Torus antenna used for satellite interception is at GCHQ Bude, in the west of Cornwall, in the United Kingdom. Bude, codenamed CARBOY, is a large station where GCHQ and NSA cooperate in the interception of both satellite and submarine cable communications.

Here, satellite interception started in the late 1960s with two giant dishes with a diameter of 27 meters. Nowadays there are 21 satellite antennas of various sizes that can cover all the main frequency bands and seem generally orientated towards the INTELSAT, Intersputnik and INMARSAT communication satellites.

The Torus antenna at GCHQ Bude must have been installed somewhere between January 2011 and June 2013: on the current Google Maps image, which is from December 30, 2010, the Torus antenna isn't yet present, but in the picture below, which is from June 23, 2013, the distinctively shaped antenna is clearly visible:

Satellite dishes at GCHQ Bude in Cornwall, with the Torus
antenna just right of the big radome in the center
(Photo: Reuters/Kieran Doherty - Click to enlarge)

Ayios Nikolaos, Cyprus

A third Torus antenna is installed at the GCHQ listening station Ayios Nikolaos, which is part of the British Sovereign Base Area (SBA) of Dhekelia in Cyprus, where British signals intelligence has already been present since the late 1940s.

This listening station is codenamed SOUNDER and is part of the Five Eyes satellite interception network that became known as ECHELON. A Google Maps satellite photo shows that there are several large and small satellite dishes, including one that can be recognized as a Torus antenna:

Satellite dishes at GCHQ Ayios Nikolaos in Cyprus with
the one at the left recognizable as a Torus antenna
(Photo: Google Maps - Click to enlarge)

This satellite image is from April 12, 2014, but because for this location no earlier images are available, it's not possible to say in which year this Torus antenna was installed. This makes that for now, the oldest reference to a Torus antenna used for signals intelligence is for Waihopai in New Zealand (2007).

As a reader noticed in a comment below, images from Google Earth show that the Torus antenna at Ayios Nikolaos must have been built somewhere between May 2008 and April 2011, according to the images available for those dates.
So for signals intelligence, Torus antennas were subsequently set up in Waihopai (2007), in Ayios Nikolaos (between 2008 and 2011) and in Bude (between 2011 and 2013).

No Torus dishes were visible at the other major satellite stations of the Five Eyes countries, like Yakima and Sugar Grove in the US, Menwith Hill in the UK, Misawa in Japan, and Geraldton in Australia. Torus antennas can also not be seen in aerial photos of the satellite intercept facilities in allied countries like The Netherlands, Denmark, Germany, and Austria.


The Torus antenna was developed in 1973 by COMSAT Laboratories in Clarksburg, Maryland, where it operated an experimental installation that communicated with Intelsat satellites.

The original version of the Torus antenna was able to receive the signals of up to 7 satellites simultaneously and costed 1,1 million US dollars. At that time, the price of a conventional dish, that was much larger than those used nowadays, was around 800,000 dollars.

Probably the first experimental Torus antenna of Comsat,
here being disassembled in August 2007
(Photo: Dennis Boiter/Comara.org - Click to enlarge)

In 1979, COMSAT applied for the Federal Communications Commission (FCC) to build three Torus antennas for commercial use: in Etam (West Virginia), Andover (Maine) and Jamesburg (California). Each of them had to communicate simultaneously with three American domestic satellites which were in a geostationary orbit at 4° degrees apart from eachother.

After the presentation of the first commercial Torus antenna in 1981, the system didn't become very popular, apparently because the efficiency of this antenna type was less than the parabolic satellite dishes and also had increased sidelobe levels. General Dynamics was apparently able to reduce these effects by the offset design of its custom made antennas.


The largest and custom made Torus antennas appear to be manufactured by General Dynamics Satcom Technologies. Smaller, standard Torus antennas are available from General Dynamics' subsidiary Antenna Technology Communications Inc (ATCi), which produces three types under the brand name Simulsat. The width of these dishes is between 8 and 13 meters.

Reportedly there are only about 20 Torus antennas in the world, but it's not clear whether this number is only about the largest ones made by GD Satcom Technologies, or that it also includes that smaller dishes from ATCi. Main customers are the US federal government and television stations that feed their cable networks with a large number of satellite channels.

Simulsat antenna at the Microsoft campus in Silicon Valley

Television networks

An example of a Torus used by television networks is the American sports broadcaster ESPN, which had a 24-meter Torus antenna installed at its headquarters in Bristol, Connecticut, in 2007. DIRECTV has three Torus dishes, including one at its Los Angeles Broadcast Center (LABC), which receives signals from 32 satellites.

It's not known what the price of a Torus antenna is, but it comes probably near 1 million dollars. This can be worth it as one single Torus eliminates the need to install multiple conventional parabolic dishes, that can cost up to several hundred thousand dollars each.

After this article had been published, a number of other Torus-antennas were found by Cryptome, @sigwinch and other people. Most of them are at the dish farms of television networks and commercial satellite companies. Until now, 17 additional Torus antennas can be seen at:

- CIA headquarters (present already in 2000)
- Schriever Air Force Base in Colorado
- An Intelsat ground station near Napa, California (2)
- An Intelsat ground station in Nuevo, California
- An Intelsat ground station near Atlanta, Georgia
- An RRsat America ground station near Hawley, Pennsylvania
- An Intelsat dish farm in Long Beach, California
- An Echostar satellite downlink facility in Chandler, Arizona
- The Intelsat Teleport near Castle Rock, Colorado
- An Echostar Broadcast Center in Cheyenne, Wyoming
- A satellite station near Lake Pochung, New Jersey
- A satellite ground station in Vernon county, New Jersey
- The HBO Communication Center in Hauppage, New York
- The roof of HBO Studio Productions in New York City (2)
- The Inmarsat access station in Nemea, Greece

Links and sources
- Stuff.co.nz: Snowden Files: Inside Waihopai Domes
- Business sheet: General Dynamics SATCOM Technologies Business Overview (pdf)
- Product sheet: General Dynamics 7.0 Meter Torus (pdf)

March 25, 2015

New Zealand and XKEYSCORE: not much evidence for mass surveillance

Since March 5, The New Zealand Herald and the website The Intercept published a number of stories based on top secret documents regarding New Zealand. These stories followed last year's claims by Edward Snowden saying that the New Zealand signals intelligence agency GCSB is involved in indiscriminate and illegal mass surveillance of ordinary citizens.

Here we will take a close look at the original documentes that accompanied these reportings and put them in a broader context in order to see whether they support these claims or not. Attention will also be paid to the notorious XKEYSCORE system.

The listening station at Waihopai (SIGAD: NZC-333) in New Zealand
after activists deflated one of the kevlar radomes in April 2008
(Source: GCSB presentation - Click to enlarge)

GCSB satellite collection

In the first story from March 5, it was claimed that New Zealand's signals intelligence agency GCSB conducted "mass spying on friendly nations" in the South Pacific on behalf of the Five Eyes partnership, which consists of the United States, the United Kingdom, Canada, Australia and New Zealand.

The allegation of "mass spying" seems to be based upon an excerpt from an GCHQ wiki page from about 2011, which talks about "full-take collection" at New Zealand's satellite intercept station in Waihopai (codenamed IRONSAND):

Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)

A GCSB report from July 2009 says that GCSB users were trained by NSA XKEYSCORE trainers "in anticipation of full-take collection and 2nd party sharing" with the full-take collection expected to be running by October 2009.

"Full-take" collection

The New Zealand Herald explained that "full-take collection means the base now collects and retains everything it intercepts: both the content of all the messages and the metadata". If that would be true, then one could probably speak of "mass surveillance".

But later on, the report quotes the German magazine Der Spiegel, which reported already in 2013 that XKEYSCORE "enables 'full-take' of all unfiltered data over a period of several days". The latter is an important detail, but neither The New Zealand Herald, nor The Intercept paid any further attention to it.

When New Zealand's prime minister John Key was asked about the "full-take" at a press conference, he told a reporter: "With the greatest of respect, I don't actually think you understand the technical term and it's not my job to explain it to you". This is the standard response governments give in these matters, rather letting citizens think they are under massive surveillance than explaining what really happens...


In the GCHQ wiki entry we also see two check boxes with next to them the Waihopai station mentioned as "GCSB_IRONSAND_WC2_FULL_TAKE". The abbreviation WC2 stands for WEALTHYCLUSTER 2, which is apparently the second generation of a system that is used to process low data rate signals: it sessionizes all of them and then forwards them to XKEYSCORE.

Using WEALTHYCLUSTER processing is called the traditional version of XKEYSCORE, which is used for satellite and terrestrial radio signals. For higher data rates, like on fiber-optic cables, it was/is not possible to forward all data to XKEYSCORE.

These yet unfiltered internet communication sessions forwarded to XKEYSCORE are called the 'full-take'. They are only stored for a short period of time: content is buffered for 3 to 5 days (sometimes shorter or sometimes longer, depending on the amount of traffic), and metadata for up to 30 days. In other words, XKEYSCORE creates a rolling buffer which is continually being rewritten:

Slide with some main characteristisc of the XKEYSCORE system
See also another, similar NSA presentation about XKEYSCORE

This buffering enables analysts to perform federated queries using so-called "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents, spreadsheets in English, as well as in Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace target's internet activities that are performed anonymous, and therefore cannot be found by just filtering out known e-mail addresses of a target. When such content has been found, the analyst might be able to find new intelligence or new "strong selectors", which can then be used for starting a traditional search.

XKEYSCORE Fingerprints

To use XKEYSCORE more efficient, analysts can create so-called 'fingerprints', which are rules that contain search terms (especially all the correlated identities of a certain target) that are automatically executed by the system. Some examples of XKEYSCORE fingerprints were disclosed by German regional television on July 3, 2014, who presented them as excerpts of XKEYSCORE's source code.

Until now, The New Zealand Herald has published two XKEYSCORE fingerprints that define GCSB targets: one related to candidates for the job of director-general of the World Trade Organisation (WTO), and another one related to the Solomon Islands, for which the fingerprints show that GCSB (and/or NSA) was interested in documents from the government of this island state, as well as in the Truth and Reconciliation Commission and former militia groups.

GCSB targets

Another document disclosed by The New Zealand Herald and The Intercept shows that GCSB also spies on China, Pakistan, India, Iran, South Pacific Island nations (like Tuvalu, Nauru, Kiribati and Samoa, Vanuatu, New Caledonia, Fiji, Tonga and French Polynesia), the diplomatic communications of Japan, North Korea, Vietnam, and South America, as well as French police and nuclear testing activities in New Caledonia, and even on Antarctica.

A number of these targets, and some others, were already listed in a 1985-86 annual report of GCSB (classified as TOP SECRET UMBRA), which was accidently released in 2006. So although it might be embarrassing for the New Zealand government that the spying on nearby friendly island states was exposed, it is nothing new and nothing what is very far out of the range of what intelligence agencies usually do.

"Collect it All"

In a GCSB presentation (pdf) about the Waihopai satellite station from April 2010 we read: "To brief IS on the MHS ‘Collect It All’ initiative" - with IS being the abbreviation for IRONSAND, the codename for Waihopai; and MHS for Menwith Hill Station, NSA's large satellite facility in England.

This seems to confirm that "Collect It All" was initially a project for the Menwith Hill Station, maybe meant to be extended to other satellite collection facilities, but not the primary aspiration for NSA's collection efforts in general, as Glenn Greenwald claimed in his book No Place To Hide.*

As evidence, Greenwald presented a slide from a 2011 presentation for the annual Five Eyes conference, but that shows that "Collect it All" actually refers to just one particular stage of the collection process for satellite traffic:

- On top of the diagram, the process starts with receiving the satellite signals ("Sniff it All") and this is followed by "Know it All", which is about detecting (survey) what kind of traffic certain communication channels contain.

- The stage for which they aim "Collect it All" is when signals are processed into usable data by conversion, demodulation and demultiplexing. This is done through systems codenamed ASPHALT and ASPHALT PLUS, but no further information on these system has been published. Apparently "Collect it All" is about increasing the capability to process signals.

- The next stage is "Process it All" where, after a Massive Volume Reduction (MVR) to get rid of useless data, XKEYSCORE (XKS) is used to search for things that are of interest. The last two stages are about analysing data at a large scale and share them with GCHQ and NSA's satellite intercept station in Misawa, Japan.

Photo of what might be XKEYSCORE equipment at the NSA's
European Cryptologic Center (ECC) in Griesheim, Germany
(Source: ECC presentation (pdf) - Click to enlarge)

Targeted collection

Combining the earlier disclosed information about XKEYSCORE shows that neither "full-take", nor "Collect it All" means that "everything" ends up in some NSA database (typically PINWALE for content and MARINA for metadata). This only happens with data that is extracted based upon 'strong selectors', 'fingerprints', or manual searches by analysts when they think it contains valuable foreign intelligence information.

A 2012 NSA document about a training course for XKEYSCORE, published by Der Spiegel in June 2014, says that this system helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

This suggests that XKEYSCORE is able to sort out data in a way that is even more targeted than the traditional method, in which communications are filtered out by internet addresses. This would make XKEYSCORE even less the "mass surveillance tool" as it is called by Snowden.

GCSB cable access

Besides the satellite station in Waihopai and the High-Frequency radio intercept facility near Tangimoana, some snippets disclosed in September 2014, show that GCSB also started a cable access program codenamed SPEARGUN, for which the first metadata probe was expected mid-2013. According to The Intercept, this program might be about tapping the Southern Cross cable, which carries "the vast majority of internet traffic between New Zealand and the rest of the world".

A bit confusing is that in a 2012 GCSB presentation (pdf), project SPEARGUN is listed among topics related to the "IRONSAND Mission", but maybe this means that the mission of this satellite intercept station in Waihopai was extended to include cable operations too.

IRONSAND is in the north east of the South Island of New Zealand, while the landing points for the Southern Cross cable are in the north of the North Island, a distance of more than 500 kilometers. It's possible that from the Waihopai station the actual cable intercept facilities are remotely controlled, maybe through a secure Virtual Private Network (VPN) connection over the domestic Aqualink cable:

The access points to the Southern Cross cable could then be identical with the "NSA facilities" in Auckland and "in the north" of the country, which Edward Snowden hinted to in his speech on the "Moment of Truth" meeting in Auckland on September 15, 2014.

Snowden's claims

The Intercept presented this cable access as a "mass metadata surveillance system" capable of "illegal domestic spying" on the communications of New Zealanders. These claims seem to be based upon a rather pathetic statement from Edward Snowden himself:

"If you live in New Zealand, you are being watched. At the NSA I routinely came across the communications of New Zealanders in my work with a mass surveillance tool we share with GCSB, called “XKEYSCORE.” It allows total, granular access to the database of communications collected in the course of mass surveillance. It is not limited to or even used largely for the purposes of cybersecurity, as has been claimed, but is instead used primarily for reading individuals’ private email, text messages, and internet traffic".

Snowden pretends that XKEYSCORE is primarily used to snoop on the communications of private citizens, as if GCSB, NSA and the other partner agencies don't have way too many other targets (see for example the long list of countries targeted by GCSB) and waste their time on ordinary civilians. Snowden however continues:

"The GCSB provides mass surveillance data into XKEYSCORE. They also provide access to the communications of millions of New Zealanders to the NSA at facilities such as the GCSB station at Waihopai"
"It means they have the ability see every website you visit, every text message you send, every call you make, every ticket you purchase, every donation you make, and every book you order online

This is also misleading, because, as we have already seen, GCSB isn't very much interested in "your" private communications. In his "Moment of Truth" speech, Snowden claimed that he would have been able to enter for example the e-mail address of prime minister John Key in XKEYSCORE to get access to all content and metadata of his internet activities.

What Snowden briefly acknowledged in this speech, but left out in his statement for The Intercept, is that such searches are constrained by policy restrictions. Indeed, every analyst who works with XKEYSCORE and wants to query data collected in New Zealand, has to do a training on the New Zealand Signals Intelligence Directive 7 (NZSID7), which contains the rules about what GCSB is allowed to do.

As GCSB is not allowed to collect communications of New Zealanders (except for when there's a warrant to assist domestic agencies), this means that the other Five Eyes agencies aren't allowed to do that either. Snowden would therefore not have been allowed to look at the communications of prime minister Key.

Not only must all queries against data from New Zealand sources be compliant with both the NZSID7 and the Human Rights Act (HRA), they will also be audited by GCSB:

Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)

Snowden however considers these policy restrictions not sufficient because analysts "aren't really overseen". For GCSB, a 2013 review report found that there were indeed problems with oversight, but the new GCSB law, which is opposed by many people because it would supposedly enable "mass surveillance", actually also strengthens oversight. NSA noticed this too.

The government's response

New Zealand's prime minister John Key rejected the reportings by The New Zealand Herald, saying that "Some of the information was incorrect, some of the information was out of date, some of the assumptions made were just plain wrong". He strongly denied that GCSB collects mass metadata on New Zealanders, but he acknowledged that the agency had tapped into the cable, but only for the purposes of a cybersecurity program codenamed CORTEX.

As a proof, several secret government documents were declassified, but from them it doesn't become clear whether CORTEX really is the same program as the cable access which is codenamed SPEARGUN in the NSA and GCSB documents. According to Key, the CORTEX cybersecurity system was eventually scaled back and now only protects specific entities in the public sector and some private companies.

A snippet from an NSA document says that the implementation of the cable access project SPEARGUN was awaiting the new 2013 GCSB Act. It was said this was because the new law would enable "mass surveillance", but the proposed law also authorizes GCSB to ensure cybersecurity, which would support the statement of the government.



As the disclosed documents only contain a few lines and no further details about the cable acces codenamed SPEARGUN, it is not possible to say for sure whether this is about intercepting communications from the Southern Cross cable, like the Snowden-related media claim, or that it is actually a cybersecurity program, like the government says.

What did become clear is that XKEYSCORE isn't really a "mass surveillance tool", but is actually used to collect data in a way that is at least just as targeted as traditional methods. Many of GCSB's targets came out as legitimate, some are more questionable, but none of them included the bulk collection of communications from ordinary citizens, whether domestic or abroad.

Snowden also said that there are "large amounts of indiscriminate metadata about the communication and other online events of citizens" from all Five Eyes countries. But apart from the domestic phone records collected by the NSA, no evidence has yet been presented for such collection in the other countries.

Links and Sources
- EmptyWheel.net: What an XKeyscore Fingerprint Looks Like
- The New Zealand Herald: Bryce Edwards: The ramifications of the spying scandal
- The Press: We're snooping on the Pacific...so what?
- Report: Review of Compliance at the Government Communications Security Bureau (pdf) (2013)
- ArsTechnica.com: Building a panopticon: The evolution of the NSA’s XKeyscore

March 11, 2015

US military and intelligence computer networks

From the Snowden revelations we learned not only about NSA data collection projects, but also about many software tools that are used to analyze and search those data. These programs run on secure computer networks, isolated from the public internet. Here we will provide an overview of these networks that are used by the US military and US intelligence agencies.

Besides computer networks, they also use a number of dedicated telephone networks, but gradually these are transferred from traditional circuit-switched networks to Voice over IP (VoIP). This makes it possible to have only one IP packet-switched network for both computer and phone services. It seems that for example NSA's NSTS phone system is now fully IP-based.

An old NSTS telephone and a KVM-switch which enables switching between physically
separated networks, in this case two Unclassified (green labels), one Secret
(red label) and one Top Secret/SCI (orange and yellow label) network
(National Security Operations Center, 2006 - Click to enlarge)

US national networks

The main US military and intelligence computer networks are (of course) only accessible for authorized personnel from the United States. Special security measures are in place to prevent interception by foreign intelligence agencies. Most of the tools and programs used by NSA run on JWICS and NSANet, but here we only mention them when this is confirmed by documents.

DNI-U (Director National Intelligence-Unclassified)
- Until 2006: Open Source Information System (OSIS)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Access: US intelligence users
- Controlled by: DNI-CIO Intelligence Community Enterprise Services office (ICES)
- Purpose: Providing open source information; consists of a group of secure intranets used by the US Intelligence Community (IC)
- Computer applications: Intelink-U, Intellipedia, etc.

Page of the Unclassified version of Intellipedia
This one from the CIA's AIN network
(Click to enlarge)

NIPRNet (Non-secure Internet Protocol Router Network)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Secured by: Network traffic monitored by the TUTELAGE program and QUANTUM-DNS at gateways
- Address format: http://subdomains.domain.mil
- Access: US military users, via Common Access Card smart card *
- Number of users: ca. 4,000,000
- Purpose: Combat support applications for the US Department of Defense (DoD), Joint Chiefs of Staff (JCS), Military Departments (MILDEPS), Combatant Commands (COCOM), and senior leadership; composed of the unclassified networks of the DoD; provides protected access to the public internet.
- Computer applications: E-mail, file transfer and web services like the Joint Deployable Intelligence Support System (JDISS)
- Video Teleconferencing (VTC)

Cyber security officers in an operations center room at Barksdale Air Force Base
There are screens connected to NIPRNet (green background/border)
and SIPRNet (red background/border)
(Photo: U.S. Air Force/Tech. Sgt. Cecilio Ricardo - Click to enlarge)
More about this photo on SecurityCritics.org

SIPRNet (Secret Internet Protocol Router Network)
- Classification level: SECRET (color code: red)
- Secured by: TACLANE (KG-175A/D) network encryptors
- Address format: http://subdomains.domain.smil.mil
- Access: US (and some foreign partners)* military and intelligence users, via SIPRNet Token smart card
- Number of users: ca. 500,000 *
- Controlled by: JCS, NSA, DIA and DISA *
- Purpose: Supporting the Global Command and Control System (GCCS), the Defense Message System (DMS), collaborative planning and numerous other classified warfighter applications, and as such DoD's largest interoperable command and control data network.
- Computer applications: Intelink-S, Intellipedia, TREASUREMAP, Joint Deployable Intelligence Support System (JDISS), Defense Knowledge Online, Army Knowledge Online, etc.
- Phone service: VoSIP (Voice over Secure IP) as an adjunct to the DRSN for users that do not require the full command and control and conferencing capabilities.
- Secure Video Teleconferencing (VTC)

Computers in the White House Situation Room, with a yellow screensaver,
indicating they are connected to a TOP SECRET/SCI computer network
(Screenshot from a White House video)

JWICS (Joint Worldwide Intelligence Communications System)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE (KG-175A/D) network encryptors *
- Address format: http://subdomains.domain.ic.gov
- Access: US intelligence users
- Controlled by: DIA, with management delegated to AFISR
- Purpose: Collaboration and sharing of intelligence data within the US Intelligence Community (IC)
- Computer applications: ICE-mail, Intelink-TS, Intellipedia, GHOSTMACHINE, ROYALNET, TREASUREMAP, ICREACH, Joint Deployable Intelligence Support System (JDISS), etc.
- Phone Service: DoD Intelligence Information System (DoDIIS) VoIP telephone system
- Secure Video Teleconferencing (VTC)

Web-browser with a JWICS address for the ROYALNET tool

These various military and intelligence networks run on a world-wide physical infrastructure that is called the Defense Information Systems Network (DISN), which is maintained by the Defense Information Systems Agency (DISA) and consists of landline, mobile, radio and satellite communication links.

Most of these communication links are not connected to the public internet, but because radio and satellite transmissions can easily be intercepted by foreign countries, the security of these networks is assured by encryption. This encryption can also be used to run higher classified traffic over communication links with a lower classification level through Virtual Private Network (VPN) tunnels.

Classified communications have to be protected by Suite A Cryptography, which contains very strong and classified encryption algorithms. On most networks this is implemented by using Type 1 certified TACLANE (KG-175A/D) in-line network encryptors made by General Dynamics:

(Diagram: General Dynamics)

As long there's the appropriate strong link encryption, only the end points with the computer terminals (where data are processed before they are encrypted) need strict physical and digital security requirements in order to prevent any kind of eavesdropping or interception by foreign adversaries.

Most American military bases are connected to the SIPRNET backbone, but for tactical users in the field, the SIPRNet and JWICS networks can extend to mobile sites through Satellite Communications (SATCOM) links, like for example TROJAN SPIRIT and TROJAN SPIRIT LITE, which consist of a satellite terminal that can be on a pallet, in a shelter, on a trailer or even connected to a transit case.

Other US goverment departments and intelligence agencies also have their own computer networks at different classification levels:

- LEO (Law Enforcement Online; Unclassified, for law enforcement communications)
- FBINet (Federal Bureau of Investigation Network; Secret)
- SCION (Sensitive Compartmented Information Operational Network; Top Secret/SCI)

- HSIN (Homeland Security Information Network; Unclassified)
- HSDN (Homeland Secure Data Network; Secret)

State Department
- OpenNet (Unclassified)
- ClassNet (Secret; address format: http://subdomain.state.sgov.gov)
- INRISS (INR Intelligence Support System; Top Secret/SCI)

- AIN (Agency InterNet; Unclassified)
- ADN (Agency Data Network?; Top Secret/SCI)

- GWAN (Government Wide Area Network, also known as NRO Management Information System (NMIS); Top Secret)
- CWAN (Contractor Wide Area Network; Top Secret)

- NGANet (National Geospational intelligence Agency Network; Top Secret/SCI)

Finally, there's the Capitol Network (CapNet, formerly known as Intelink-P), which provides Congressional intelligence consumers with connectivity to Intelink-TS and CIASource, the latter being the CIA's primary dissemination vehicle for both finished and unfinished intelligence reports.

US multinational networks

Besides the aforementioned networks that are only accessible for authorized military and intelligence personnel from the United States, there are also computer networks set up by the US for multinational coalitions, and which therefore can also be used by officials from partner countries.

The group of countries that have access to such coalition networks is often denoted by a number of "Eyes" corresponding with the number of countries that participate.

NSANet (National Security Agency Network)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE network encryptors *
- Address format: http://subdomain.domain.nsa
- Access: US, UK, CAN, AUS, NZL signals intelligence users
- Controlled by: NSA, with management delegated to CSS Texas
- Purpose: Sharing intelligence data among the 5 Eyes partners
- Computer applications: SIDToday (newsletter), TREASUREMAP, MAILORDER, MARINA, TURBINE, PRESSUREWAVE, INTERQUAKE, World Cellular Information Service (WCIS), GATC Opportunity Volume Analytic, etc.
- Phone service: NSTS (National Secure Telephone System)

Web-browser with NSANet address for the INTERQUAKE tool, used by NSA's
Special Collection Service (SCS, organizational code: F6) units
(Click for the full presentation)

Besides NSANet as its general purpose intranet, NSA also operates several other computer networks, for example for hacking operations conducted by the TAO-division. We can see some of these networks in the following diagram, which shows how data go (counter-clockwise) from a bot in a victim's computer on the internet, through a network codenamed WAITAUTO to TAONet and from there through a TAONet/NSANet DeMilitarized Zone (DMZ) to data repositories and analysing tools on NSANet:

Diagram showing the data flow for TAO botnet hacking operations
(Source: NSA presentation - Click to enlarge)

- Until 2010: GRIFFIN (Globally Reaching Interconnected Fully Functional Information Network)
- Classification level: SECRET//REL FVEY
- Access: US, UK, CAN, AUS, NZL military users
- Controlled by: DIA(?)
- Purpose: Information sharing and supporting command and control systems
- Applications: Secure e-mail, chat and VoSIP communications

STONEGHOST (Quad-Link or Q-Lat)
- Classification level: TOP SECRET//SCI
- Access: US, UK, CAN, AUS, NZL(?) military intelligence users
- Controlled by: DIA
- Purpose: Sharing of military intelligence information
- Applications: Intelink-C, etc.

CFBLNet (Combined Federated Battle Laboratories Network)
- Classification level: Unclassified and SECRET
- Access: US, UK, CAN, AUS, NZL, and at least nine European countries Research & Development institutions
- Controlled by: MultiNational Information Sharing (MNIS) Program Management Office
- Purpose: Supporting research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.
- Applications: Communications, analytic tools, and other applications

The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)

For communications among the members of multinational coalitions, the United States provides computer networks called Combined Enterprise Regional Information eXchange System (CENTRIXS). These are secure wide area network (WAN) architectures which are established according to the specific demands of a particular coalition exercise or operation.

CENTRIXS enables the secure sharing of intelligence and operational information at the level of "SECRET REL TO [country/coalition designator]" and also provides selected centralized services, like Active Directory/DNS Roots, VoIP telephony, Windows Server Update Services (WSUS) and Anti-Virus Definitions.

There are more than 40 CENTRIXS networks and communities of interest (COIs) in which the 28 NATO members and some 80 other countries participate. The best-known CENTRIXS networks are:

CENTRIXS Four Eyes (CFE or X-Net)
- Classification level: TOP SECRET//ACGU
- Address format: http://subdomains.domain.xnet.mnf
- Access: US, UK, CAN, AUS military users
- Controlled by: DIA
- Purpose: Operational coordination through sharing and exchange of intelligence products
- Applications: Various services

- Classification level: TOP SECRET//ISAF
- Access: ca. 50 coalition partners
- Controlled by: ?
- Purpose: Sharing critical battlefield information; US component of the Afghan Mission Network (AMN).
- Computer applications: Web services, instant messaging, Common Operational Picture (COP), etc.
- Voice over IP

CENTRIXS-M (Maritime)
- Classification level: TOP SECRET ?
- Purpose: Supporting multinational information exchange among the ships of coalition partners of the US Navy to provide access to critical, time-sensitive planning and support data necessary to carry out the mission
- Computer applications: E-mail, Chat messaging, Webpages, etc.

Some other CENTRIXS networks are:

- For the ca. 80 Troop Contributing Nations of the Global Counter-Terrorism Force (GCTF)

- For the Combined Maritime Forces, Central Command (CMFC)

- For the Combined Maritime Forces, Pacific (CMFP)

- For the United States and Japan

- For the United States and South-Korea

Links and Sources
- US National Intelligence: A Consumer's Guide (pdf) (2009)
- Paper about How to Use FASTLANEs to Protect IP Networks (pdf) (2006)

February 23, 2015

NSA and GCHQ stealing SIM card keys: a few things you should know

(Updated: February 27, 2015)

Last Thursday, February 19, the website The Intercept broke a big story about how NSA and GCHQ hacked the security company Gemalto in order to acquire large numbers of keys used in the SIM cards of mobile phones.

The story has quite some background information about how these keys are used and how NSA and GCHQ conducted this operation. But as we have often seen with revelations based upon the Snowden-documents, media once again came with headlines like "Sim card database hack gave US and UK spies access to billions of cellphones", which is so exaggerated that it is almost a scandal in itself.

Instead, analysing The Intercept's article and the original documents leads to the conclusion that the goals of this operation were most likely limited to tactical military operations - something that was completely ignored in most press reports. Also there is no evidence that Gemalto was more involved in this than other SIM card suppliers.

To what extent was Gemalto involved?

According to The Intercept, NSA and GCHQ planned hacking several large SIM card manufacturers, but in the documents we find only one for which this was apparently successful: Gemalto. Other documents merely show that GCHQ wanted to "investigate Gemalto" "for access to Gemalto employees" "to get presence for when they would be needed".

An internal GCHQ wiki page from May 2011 lists Gemalto facilites in more than a dozen countries, like Germany, Maxico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore, but also without explicitly saying whether or not these were successfully hacked.

One report and a few slides from a presentation that was not fully disclosed mention large numbers of SIM card keys that had been collected, but this is not specifically linked to Gemalto. Although Gemalto is the largest manufacturer, it seems likely these data were also collected from other companies, like Bluefish, Giesecke & Devrient, Oberthur, Oasis, Infineon, STMicroelectronics, and Morpho.

Therefore, we actually don't know to what extent NSA and GCHQ used the access they apparently had to Gemalto's network, and it is definitely not correct to say that all 2 billion SIM cards that Gemalto produces every year were compromised by this hack.

And given the fact that other SIM card suppliers were targeted and/or hacked too, one wonders why The Intercept didn't left out the name of Gemalto. Because now its competitors profit from not being named, while Gemalto shares already had a huge drop on the stock market.

On February 25, Gemalto came with a press release in which results of its investigation into the alleged hack were presented. Gemalto concluded that NSA and GCHQ probably "only breached its office networks and could not have resulted in a massive theft of SIM encryption keys". The report also says Gemalto never sold SIM cards to four of the twelve operators listed in the GCHQ documents, in particular to the Somali carrier, and that in 2010-2011, most operators in the targeted countries were using the vulnarable 2G networks, mostly with prepaid cards which have a very short life cycle, typically between 3 and 6 months.

The Netherlands

Gemalto is a digital security company providing software applications, secure smart cards and tokens and is also the world’s biggest manufacturer of SIM cards. It's essentially a French company, but it has some 12.000 employees in 44 countries all over the world.

The Gemalto headquarters are officially in Amsterdam in the Netherlands, which made Dutch media claiming that "NSA hacked a company in the Netherlands". This was rather premature, since the two Dutch locations of Gemalto seem not to be likely targets in this case.

The Amsterdam headquarters is very small, consisting of only some 30 people. The reason they are in Amsterdam is apparently mainly because the Dutch capital was already the seat of Axalto, one of Gemalto's predecessors, and because the company wanted access to the Amsterdam stock exchange.

Unnoticed by Dutch national media is the fact that Gemalto also has a plant in the city of Breda, where, according to an unrelated press report from last year, (only) bank cards are personalised. This plant also has a customer service team, but strangely enough Breda isn't in the list of locations on Gemalto's website.

The plant of Gemalto in the southern Dutch city Breda
(photo: Tom van der Put/MaRicMedia)

Also interesting is that last month, Gemalto acquired the US manufacturer of security products SafeNet. This company, founded in the late 1980s by former NSA officials, not only makes encryption devices used by commercial companies and banks all over the world, but also the KIV-7 link encryptor, which is used by the US Army, as well as the Enhanced Crypto Card (KSV-21), which provides the encryption functions for the US government's STE secure telephone.

How does the SIM card key work?

SIM cards, produced by companies like Gemalto, have a microchip which among other data includes a unique 128 bit Authentication Key, also known as "Ki". A copy of this key is given to the phone provider, so when a phone call is made, this key number can be used to make sure the handset connects to a valid provider, and the provider knows it connects to a handset that belongs to a known customer.

The Intercept's report suggests that this Ki number is also used as the encryption key to protect the subsequent communications, but in reality this is a bit more complex. Here's how it works for 3rd Generation (UMTS) networks:

1. After a handset connects to the base station, the latter sends the handset a 128 bit random number, a 48 bit sequence number and an authentication token.

2. The chip in the SIM card combines the Ki number with the random number and the sequence number to also calculate an authentication token and a response number, which are used to authenticate the network and the handset, respectively.

3. By combining the Ki number with the random number, the SIM card chip also calculates the:
- 128 bit Confidentiality Key (CK) for encrypting messages
- 128 bit Integrity Key (IK) for checking the integrity of messages
4. The actual (voice) data are then encrypted through the f8 algorithm (which is based upon the KASUMI block cipher) using the Confidentiality Key.

5. For additional security, both the Confidentiality Key and the Integrity Key have a limited lifetime. The expiration time is variable and send to the handset after establishing a connection.

Although for the actual encryption key CK, the Ki number from the SIM card is mixed with a random number, this provides no extra security: the base station sends this random number to the handset over the air unencrypted, so it can be intercepted easily by anyone.

Eavesdroppers would therefore only need the SIM card Ki to recreate the encryption key and use that to decrypt the conversation (see also this US Patent for a "Method of lawful interception for UMTS").

Why were these SIM card keys collected?

The press reports, speaking in general terms of "unfettered access to billions of cellphones around the globe", suggest that everyone's mobile phone could now be at risk of being intercepted by NSA or GCHQ.

One important thing they forgot, is that one only needs to steal SIM card keys when you are trying to intercept mobile phone traffic when it travels by radio between the handset and the cell tower. Only that path is encrypted.

Once the communications arrive at the provider's network, they are decrypted and sent over telephone backbone networks to the cell tower near the receiving end as plain text. It's then encrypted again for the radio transmission between the cell tower and the receiving handset.

As we know from previous Snowden-leaks, NSA and GCHQ have vast capabilities of filtering fiber-optic backbone cables that are likely to contain communications that are of interest for military or foreign intelligence purposes. The big advantage here is that on those backbone cables there's no encryption (although people can use end-to-end encryption methods themselves).

Therefore, the SIM card keys are only needed when NSA and GCHQ want to listen in or read traffic that is or has been intercepted from the wireless transmission between a handset and a cell tower. This narrows down the field where these keys can be useful substantially.

Tactical military operations

Intercepting the radio signal of mobile phones needs to be done from rather close proximity. To do this, the NSA uses StingRay and DRT devices, which are highly sophisticated boxes that in a passive mode are capable of detecting and intercepting the radio transmissions of multiple cell phones. In an active mode they can mimic a cell tower in order to catch individual phone calls and as such they are better known as IMSI-catchers.

These devices are widely used by the NSA and the US military in tactical ground operations, like in Afghanistan and previously in Iraq, as well as in other crisis regions. StingRays and DRT boxes can be used as a manpack, in military vehicles, but also aboard small signals intelligence aircraft like the C-12 Huron. Surveillance drones also have similar capabilities.

A Prophet Spiral Humvee which uses DRT devices
for collecting radio and cell phone signals

This military, or at least anti-terrorism purpose is confirmed by a disclosed slide which shows that Kis for mobile networks from Somalia, Kuwait, Saudi Arabia, Afghanistan, Iran and Bahrain were found among collected data.

A GCHQ report that was also published as part of The Intercept's story says that key files from "Somali providers are not on GCHQ's list of interest, [...] however this was usefully shared with NSA", which clearly shows that both agencies were looking for keys from specific countries.

The report also says that during a three month trial in the first quarter of 2010, significant numbers of Kis were found for cell phone providers from Serbia, Iceland, India, Afghanistan, Yemen, Iran, Tajikistan and Somalia, which is shown in this chart:

According to the report, this chart reflects "a steady rate of activity from several networks of interest", which again indicates that GCHQ is specifically looking for keys for countries where the US and the UK are involved in military operations.

The same reports says that Iceland appearing in this list was unexpected, but Dutch newspapers guessed this could be explained by the fact that in 2010, Julian Assange and other people related to WikiLeaks were staying there.

One also wonders why The Intercept didn't trace the companies that in 2010 and 2011 provided the SIM cards to the countries mentioned in the GCHQ report. The fact that SIM keys for those countries were collected, seems a strong indication that the security of those suppliers was apparently weak.

Eavesdropping in foreign capitals

Remarkably, the use of SIM card keys for tactical military operations is completely ignored by The Intercept, even though this is probably the main purpose (which was also expressed by at least two security experts). The Intercept does however claims that such keys would be useful to eavesdrop on mobile phone traffic somewhere else:

The joint NSA/CIA Special Collection Service (SCS) has eavesdropping installations in many US embassies, and because these are often situated in the city center and therefore near a parliament or government agencies, they could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials.

With the current UMTS (3G) and LTE (4G) mobile networks using encryption that is much harder to crack than that of the older GSM network, having the SIM card keys would make it easy to decrypt already collected mobile communications, as well as listing in to them in real-time.

A 16 port IMSI catcher from the Chinese manufacturer Ejoin Technology

As easy it may be to decrypt conversations when having the key, the more difficult it seems to get hold of keys that are useful for this purpose. SIM cards are shipped in large batches of up to several hundred thousand cards and while it is known to which provider in which country they go, one cannot predict in whose phone the individual cards will eventually end up.

So when NSA and GCHQ are stealing large numbers of keys, they have to wait for some of them ending up by people that are on their target lists - which really seems a very small chance. This method is also useless against people using an old SIM card, which could be the case for German chancellor Merkel, who has a phone number that was already used in 1999. For these kind of targets it would be much more efficient to hack or tap into local telephone switches.

The way to make it work would be to "collect them all" and create a database of keys that will eventually cover every newly assigned phone number. But in one of the documents, GCHQ notices that large SIM suppliers increasingly use strong encryption for their key files, which will make it hard to achieve such a full coverage.

This is another reason, why stealing SIM card keys is most likely focussed on war zones: over there, very large amounts of phone calls and metadata are collected, which, given the large number of suspects and targets over there too, makes much better chances of finding keys that are actually useful. But still, stealing these keys looks not like a very efficient method.

Could these hacking operations be justified?

This brings us to the question of how justified this method of stealing SIM card keys could be. The fact that NSA and GCHQ are hacking commercial telecommunication and security companies is seen as one of the biggest scandals that have been revealed during the Snowden-revelations.

It's not only because of breaking into their networks, but also because for this, the communications of specific employees like system administrators are intercepted to acquire the passwords and usernames for their Facebook-accounts, despite the fact that they themselves aren't a threat to the US or the UK.

They are targeted not as an end, but as means in order to get access to the communications of other targets elsewhere. These ultimate targets could maybe justify these means, but without knowing what the actual goals are, it's difficult to come with a final judgement.

Although this kind of hacking affects innocent civilians, it's still very focussed. According to The Intercept, "In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization" - which is a rather small number given that Gemalto alone has some 12.000 employees.

Targeting companies and organizations like Swift, Belgacom and Gemalto should not have come as a complete surprise. Nowadays internet and telecommunication providers have become similar of interest for national security as military contractors and top technological research institutions have always been.

This is also reflected by the last of the 16 Topical Missions in the NSA's Strategic Mission List from 2007:

"Global Signals Cognizance: The core communications infrastructure and global network information needed to achieve and maintain baseline knowledge.
Capture knowledge of location, characterization, use, and status of military and civil communications infrastructure, including command, control, communications and computer networks: intelligence, surveillance, reconnaissance and targeting systems; and associated structures incidental to pursuing Strategic Mission List priorities.
Focus of mission is creating knowledge databases that enable SIGINT efforts against future unanticipated threats and allow continuity on economy of force targets not currently included on the Strategic Mission List."

Links and Sources
- Motherboard.vice.com: Did the NSA Hack Other Sim Card Makers, Too?
- NRC.nl: Simkaartsleutels vooral van belang bij afluisteren in Midden-Oosten
- Tweakers.net: Gemalto: geen sim-sleutels buitgemaakt bij aanval geheime diensten
- Reuters.com: Hack gave U.S. and British spies access to billions of phones: Intercept
- Crypto.com: How Law Enforcement Tracks Cellular Phones
- Presentation about Network Security: GSM and 3G Security (pdf)
- Matthew Green: On cellular encryption
- GCHQ's aspirations for mobile phone interception: 4 slides + 2 slides
- This article appeared also on the weblog of Matthew Aid