COMSEC Lessons from the Underworld
Anyone who has waded through the Snowden revelations, or the Vault 7 leaks, will probably treat mobile devices with a healthy degree of caution. And rightly so. The public record demonstrates that spies excel at using smartphones to conduct surveillance and spread propaganda. Furthermore the incidence of such programs is accelerating as tools of the trade proliferate. The implications are unsettling.
While the National Security Agency was found guilty of illegal monitoring, at least there’s some semblance of an official framework in place to govern its actions. Big tech, on the other hand, is subject to far fewer legal restrictions here in the United States. What’s more, foreign spies operate inside our borders with the explicit consent of their own governments. As far as intelligence services abroad are concerned, the entire population of the United States is fair game. Given the depth and breadth of the surveillance capabilities arrayed against them, do average American citizens stand a chance of defending themselves? The answer to this question can be found by traversing the far corners of the underworld, a milieu where communication security (COMSEC) is paramount and mistakes can be fatal.
Trust What You Control
Despite these risks of using a smartphone, groups of people still need to communicate and technology does offer an edge. So how does the underworld address the threat of exposure? History informs that there has been a shift towards equipment and infrastructure which is more directly under their control. This tenet often manifests itself in DIY communications systems.
For example, there are service providers who sell specially modified devices and host their own servers. A maverick company named Encrochat serves as an instructive case study. Encrochat offered custom Android phones which had their microphones, GPS, and camera physically removed. The phones shipped with pre-installed encrypted messaging apps that routed traffic through the company’s offshore data centers.
You can probably guess how this story ended. Law enforcement succeeded in hacking the company’s user base en masse. At one point Encrochat’s leaders broadcast a warning alert to users, conceding that “Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device.” More than 100 million messages were decrypted, leading to a wave of arrests spanning five countries.
To buttress their defenses, criminal groups can skip the middleman entirely and run their own in-house systems. The Mexican cartels, for instance, have been known to shell out millions of dollars to build nationwide encrypted real-time communication networks. Although these networks do provide more autonomy, dedicated infrastructure is also conspicuous. Once digital infrastructure has been identified it can be methodically attacked.
This is exactly how the FBI nailed Joaquín Guzmán, the former boss of the Sinaloa Cartel. The feds simply figured out who Guzmán hired to build his network and they leaned on him until he coughed up the system’s encryption passcodes. Why waste the time asking the NSA to decipher foreign traffic when you can compel an insider to hand over the keys to the kingdom? This is known in the business as “rubber-hose cryptanalysis.”
One way around this vulnerability is to leverage a setup that’s strictly short-term. Pablo Escobar, the late boss of the Medellin drug cartel in Columbia, bet his life on this practice. For months on end he avoided capture by using a radio telephone to hold brief conversations while driving around disguised as a taxi driver. The moving transmissions that blipped in and out of existence proved difficult to trace. When police finally did catch him, it was because Escobar slipped up. He made a call lasting over three minutes from a fixed location. One slip is all it took.
A retired intelligence analyst offers the following insight: “Anything that emits an electromagnetic signal can and will be targeted.” What this means is that groups with higher security requirements may have to dispense with technology altogether and go old-school. Facing an adversary that possesses a world-class home-field advantage, the best option may be to exit the field and force watchers onto terrain where their automation and economies of scale don’t mean as much. This is why ISIS relies on couriers who don’t carry electronics.
Finally, in the annals of espionage there is one “hard target” who stands head and shoulders above the rest, a man who, to this day, regularly stymies America’s most talented spies by surrounding himself with the intelligence equivalent of a black hole: Kim Jong-un of North Korea. At one point President Obama remarked that he would have “targeted the North Korean leadership” with a military strike but that acquiring the necessary information to do so was impossible.
Ernst Blofeld, eat your heart out.
Streams of bytes are constantly being exchanged between mobile devices, users, and their immediate environment. Therefore it’s wise to limit the information that you give a smartphone, limit the information that it discloses to its surroundings, and scrutinize the information which you consume. Recall how wardens in the movie Silence of the Lambs kept Dr. Lecter locked away most of the time. And when they did interact with him they carefully controlled the parameters of the conversation. In the domain of anti-forensics this is known as data source elimination.
An extreme expression of this strategy would be to yank out the battery of a smart phone and stick everything into a Faraday bag. This particular ploy gave the NSA fits in Iraq when a known target took his cellphone completely apart, making it extremely difficult to follow him. Spies eventually got him by monitoring his wife’s cellphone. Thus imparting an important lesson: it’s not just your cellphone that’s a threat, it’s everyone else’s too. Put another way: only in a country like North Korea could there be “black holes,” because only a country like North Korea possesses the necessary stranglehold on communication.
Another problem with going cold turkey is that the absence of transmission may, in and of itself, set off alarms. In the Xinjiang region of China, anyone who abruptly stops using their smart phone and goes “off grid” is flagged as meriting further investigation. Anomalies are useful for unearthing threats in a large population. The authorities begin by collecting loads of data and defining statistical baselines of behavior. Then they scan their operating environment for people who violate those baselines. The recent ascension of big data and artificial intelligence in countries like China has enabled significance advances to this end.
The Syrian jihadist who led the November 2015 Paris attacks evaded security services through clever application of the anti-forensic strategy of data fabrication. Specifically he successfully created a whole series of fake baselines by giving his cellphones and account credentials to collaborators who used them to preserve a consistent level of online activity. To further muddy the water, the jihadist maintained radio silence for long periods, used face-to-face meetings, and coded hand written notes. This demonstrates both anti-forensic data concealment and data transformation. When he did communicate electronically, he did so using expendable devices which were used once and then disposed of to destroy forensic evidence.
Granted, the average user may not want to spend the time and energy to fabricate baselines. They can, however, probably still come up with modest windows of opportunity in their daily routines. For example, someone who works a regular 9-to-5 job can opt to depart from home during the early hours of the morning, leaving the mobile device back on the coffee table where it normally sits overnight.
A Bitter Pill
The fate of countless terrorists and crime bosses hints that there is no silver bullet. Anyone who offers guarantees regarding COMSEC is either a fool, a con artist selling snake oil, or a spy trying to bait a trap. Security is not a product or a branding mechanism. It’s a process. One that requires consistency, discipline, and sacrifice. The notion that there’s an app that will allow you to have your cake and eat it too is a sweet-sounding lie emanating from Silicon Valley. The bitter pill of COMSEC is that autonomy cannot be purchased. Nor is it convenient. Achieving higher levels of assurance means faithfully practicing anti-forensics by keeping sensitive data streams scarce, extremely difficult to identify, and even harder to interpret. Through the use of ephemeral out-of-band channels that function within existing patterns of activity, raising the cost of detection and analysis to unsustainable levels. Even state-sponsored organizations have their limits.
Bill Blunden is an independent investigator focusing on information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.