Agency tasked with investigating suspected GSOC bugging responds to criticism
In the ongoing story about the possible surveillance of the Garda Siochana Ombudsman Commission in Ireland, a number of new details have emerged from Verrimus, the security consultancy agency tasked with investigating the spying. A recent Irish Independent report levelled a number of criticisms at Verrimus, saying that Verrimus in fact detected their own UK phones during their sweep and that they erroneously claimed this to be evidence of a UK IMSI Catcher.
In response to the Independent’s claims, Verrimus stated:
A mobile phone CANNOT create a 3G base station, so it is impossible that Verrimus operator’s phones were the source of the fake Mobile Country Code (MCC) and fake Mobile Network Code (MNC) that was detected."
However, a mobile phone with appropriate software could easily transmit the fake MCC and MNC. Furthermore, there is no connection between a phone’s ability to act as a full base station and its ability to transmit the fake data seen by Verrimus. Research has also shown that a phone can act as a base station with the appropriate software. Building this into a phone app would be trivial for a surveillance company that also provides their own custom 2G and 3G software.
It is highly unlikely that if Verrimus had any device that could broadcast the fake data they observed that they would not rule out their own equipment first. If no such equipment was brought with them and all phones were commercial off the shelf models with no custom software then it would be impossible for the phones to transmit the observed data.
It would have been appropriate for Verrimus to issue a denial that they had such a device with them rather than relying on false technical data.
Additionally, Verrimus should report to GSOC and An Garda Siochana on the Irish towers present during their first scan but not present during their second scan. Each of these should be accounted for by the telco providers with towers in the vicinity of GSOC. The terms of the independent judicial inquiry into this matter should include an investigation of any towers not accounted for as they would pose a considerable threat to the privacy of the Irish public.
The second issue that was reported by the Irish Independent was that that the telephonic WiFi capable device that was connected to an external network was in fact connected to the WiFi in a local cafe. This may at first sight seem unproblematic. However, as correctly pointed out by Verrimus in their press release, this poses a significant security risk.
It is as troubling as if the device was directly connected to a malicious WiFi router. Even with an encrypted air channel (WEP, WPA, WPA2) a malicious actor could sniff and inject whatever packets they needed to communicate with the device. Buying a coffee is usually all that is required to get the SSID and key for the network in a such a cafe. This would also be very difficult to detect unless specifically looking for the malicious activity.