Award 2015 Nominee
Secret Surveillance in Oslo
Per Anders Johansen
The theme of the articles is the revealing of secret surveillance in Oslo, the method being described below. Aftenposten has undertaken the first ever tracking of active mobile surveillance equipment in Oslo. The measurements reveal that secret, fake base stations, so-called IMSI-catchers, are being operated in the immediate vicinity of several important buildings in the capital, including the Norwegian parliament, several main government buildings and most important business areas. The people who run this surveillance equipment may in principle monitor every person moving in and out of the parliament building, the government offices or other institutions in the area. They can also select certain persons for eavesdropping and collect data from their smartphones.
Norway’s major secrets are being administered here, right in the centre of Oslo. A number of the most important state institutions are situated within a radius of one kilometer: The Prime minister’s office, the Ministry of defence, Stortinget (parliament) and the central bank, Norges Bank.
Ministers, state secretaries, members of parliament, state officials, business executives and other essential staff engaged in protecting the nation’s security, our military and our oil wealth – totalling more than 6000 billion kroner (NOK) – are working within this area.
The Norwegian parliament – Stortinget – is situated in the centre of Oslo
– photo made by Monica Strømdahl
But passers-by are hardly aware of the following fact: In several locations someone has installed secret transmitters which most probably behave like fake mobile base stations. These so called IMSI-catchers can monitor all mobile activity in the vicinity.
The people who run this surveillance equipment may in principle monitor every person moving in and out of the parliament building, the goverment offices or other institutions in the area. They can also select certain persons for eavesdropping and collecting data from their smartphones.
This newspaper has undertaken the first ever tracking of active mobile surveillance equipment in Oslo. The measurements reveal that secret, fake base stations, so-called IMSI-catchers, are being operated in the immediate vicinity of several important buildings in the capital:
– One in the area Lille Grensen between Karl Johans gate and Akersgata
– One in Nedre Vollgate
– One in the intersection Rådhusgata – Skippergata
– One in the area at Akershusstranda.
– One near the intersection Parkveien – Henrik Ibsens gate, close to the American embassy
– One in the intersection Parkveien – Hegdehaugsveien
The fake base stations were active as late as last Thursday.
A great number of findings
By means of one of the world’s most advanced encrypted cell phones – the German-made CryptoPhone 500 – Aftenposten’s journalists have – during two months this fall – monitored and disclosed a number of locations in the city with suspicious mobile activity. Then we cooperated with the two security companies ‘Aeger Group’ and ‘CEPIA Technologies’, both of which have very precise measuring equipment for locating fake base stations. During the past two weeks they made a number of measurements which indicate that the surveillance equipment ‘with a very high degree of probability’ are being used actively in the centre of Oslo.
“If we had made such findings for a private company, they would have prompted a request for the autorities to begin an investigation”, states Kyrre Sletsjøe, the manager of CEPIA Technologies. He has a long experience from Norway’s intelligence services, and has assisted governments in several countries with similar examinations .
In order to be able to determine with a hundred percent certainty what kind of equipment is being used, who the target is, and where its exact location is, Aftenposten and the security companies would have to undertake measurements inside the buildings. However, only the police are authorized for such actions.
“Only organisations with strong resources are able to employ the kind of technical equipment involved here.”
Very advanced and expensive
The fake base stations revealed during the monitoring have been in a so called ‘identification mode’. The transmitters were switched on and were able to register all mobile phones within its reach.
The way this equipment functions indicates that very advanced systems are involved, with price tags between 500.000 kroner (approximately 85.000 dollars) and 2 million kroner (330.000 dollars). This kind of equipment cannot be legally sold to private persons in NATO member countries.
Jahn-Helge Flesvik, who is manager of the security company Aeger Group, participated in Aftenposten’s mapping. He too has experience from the intelligence community.
He has no doubt, whatsoever, about the conclusion: “Only organisations with strong resources are able to employ the kind of technical equipment involved here.”
The entire Parkveien may be monitored
On a Friday morning several ministers have come together for lunch in the government’s guesthouse Villa Parafina in the street Parkveien. Prime minister Erna Solberg (conservative) steps out of her black Mercedes and enters the building, just a few yards from her own residence.
In this neighbourhood, where among others the American and Israeli embassies are situated, our CryptoPhone repeatedly registered highly suspicious activity. With a series of measurements during several days, the security companies detected two strategically placed IMSI-catchers which cover the blocks along Parkveien. Signals from the secret transmitters have a range of 1000 meters with unobstructed view, and a slightly shorter range in built-up areas.
Who is behind this?
The big question is who operates the fake base stations in the centre of Oslo. And how long have they been in use?
Only the police, the Police Security Service (PST) and the National Security Authority (NSM) have the autority, according to the Criminal Procedure Act and the Police Law, to utilize such equipment. But no Norwegian official contacted by Aftenposten says the equipment belongs to them. Aftenposten has no reason to believe that the Norwegian government stands behind the transmitters.
“What I can say, is that the PST only to a very limited extent employs equipment that utilizes so called mobile regulated zones. And when we do, it will be part of precautionary measures or the investigation of a criminal offense. This is always done on a legal basis, after a court order”, says Signe Kathrine Aaling, police attorney at the Police Security Service.
Few people wish to speculate whether private companies, foreign intelligence or criminals have the resources to uphold such a large-scale espionage activity in Oslo’s mobile network.
“What we see is a gathering of intelligence on Norwegian soil. Very few institutions in this country are authorized to use this kind of equipment”, says Kyrre Sletsjøe in CEPIA Technology.
The Ministry of justice did not want to make an immediate comment on the matter. But only the morning after receiving the results of Aftenposten’s investigations, did staff members from the National Security Authority appear on the streets of Oslo city, trying to trace the illegal base stations.
PST: Numerous players might be behind this
“Many people have an intention to access the mobile communicatons of others”, says Arne Christian Haugstøyl in the section for preventive action at PST. Aftenposten has disclosed, outside of Stortinget and several ministries, the presence of advanced espionage equipment that intercepts and monitors mobile phones.
“I think the findings are interesting”, says section leader Haugstøyl at the PST. He says numerous players might be involved in this activity.”Many people have the intention to access the mobile communication of others, and we know it is happening. It might be private players and it might be state players”, he says. The PST confirms that the level of intelligence activity in and against Norway is high. “I cannot say that the findings you made can be attributed to states’ illegal intelligence activity, but on the other hand we can not exclude the possibility. We are aware that they have both an intention and the capacity to do so.”
Do you think foreign intelligence is involved?
“I can not, on the basis of these findings, state that it involves foreign intelligence, but I can say that we are aware of foreign intelligence services that have this kind of capacity. And in our preventive work, we warn persons who administer Norwegian interests against discussing sensitive matters on the mobile phone.”
Will you be undertaking something on the basis of Aftenposten’s informations?
“The PST are working continuously to prevent illegal intelligence activity. Most important for us is to convince Norwegians involved in managing Norway’s interests, to reduce their own vulnerability. For instance avoid discussing sensitive matters on the mobile phone.”
Why is it so difficult for you to prevent this activity?
“This equipment involves no permanent installations, and there are no large antennas. It all fits in a suitcase. The PST sees no point in running around, trying to find the equipment itself. It is important for us to work with preventive measures and reduce the vulnerability, simply to make the Norwegian public understand that if you have a secret, you should not discuss it on an open line”, says Haugstøyl.
NSM looks into the risk of espionage
The National Security Authority was informed last Thursday about Aftenposten’s detection of fake mobile base stations. The next day they started their own investigations near important buildings in the centre of Oslo.
“We take this very seriously”, says Hans Christian Pretorius, who is head of department with the NSM. “We started our own investigations immediately after receiving the information from Aftenposten,” explains Pretorius.
It is not known who deployed the fake base stations (IMSI-catchers), the equipment used to monitor mobile communications. Pretorius confirmed that the security autority detected signals from IMSI-catchers in the centre of Oslo. “We started out tracing the locations where Aftenposten had already been. We examine this particularly with a view to where there is a need to shield institutions – obviously government offices and other important buildings”, says Pretorius. He adds that “our mission concerns objects that are vital for society”.
Examined central buildings this Friday
“The results shown by Aftenposten’s survey make us able to sharpen our own investigations. We did that on Friday”, says Pretorius.
Did you find IMSI-catchers, as Aftenposten did?
“We found things. We don’t have all the data ready in order to find indications in precisely the same locations. But we did register signals from IMSI-catchers in the centre of town”, says Pretorius. He adds that it is too early to say how many and where, or what types and capacity they have.
Pretorius says the findings are worrying.
“We do not know the intentions of those who are behind this, why the IMSI-catchers are here, and what they are collecting. But we are working to find that out right now. It is important for us to secure our own communication. If weak points are being exploited, someone may have the opportunity to identify, listen in on conversations and find out persons’ whereabouts. Of course this is unfortunate. According to the NSM, it may be extremely difficult to pinpoint the exact position of an IMSI-catcher. The equipment may be switched off at times, the signals are coming and going. In addition, these signals must be correlated to real base stations. This is demanding work, both as to technical equipment and time.”
This is how the fake cell towers work
– The fake base stations – or cell towers – may monitor thousands of citizens in Oslo every day
– They have the same size as a computer, cost between 10 000 and 12 million kroner (less than 2000 up to 2 million dollars). They make Oslo’s mobile network very unsafe.
– The signals from the fake base station near the intersection Rådhusgata/Skippergata will blink for 20-30 seconds. Then they fade away.
– A few minutes later, the radiosignals are back. They are much too strong, and they come from somewhere they ought not come from.
-The alarm flashes on the advanced Falcon II-equipment belonging to the security-experts Aftenposten cooperates with. Once again we picked up the signals from an IMSI-catcher, a fake mobile base station.
-The Falcon II indicates that signals are coming from a surveillance point only 50 – 100 meters away, probably hidden in an office, a window, a car or a small suitcase. Most probably it is placed a few hundred meters from the Prime minister’s office (SMK), the Ministry of defence, the Norwegian Defence staff and Norges Bank, the Norwegian central bank.
– Intelligence staff, police and military men refer to the fake base stations as ‘IMSI-catchers’, ‘grabbers’ or ‘stingrays’.
– An IMSI-catcher tries to make itself as attractive as possible, in order to persuade your cell phone choose its signals instead of those coming from all the legal base stations in the vicinity. It offers strong signals and other data intended to cheat your mobile device.
And this makes them easy to detect, if you know what you are looking for, according to Kyrre Sletsjøe, the manager of CEPIA Technologies, the company which conducted the monitoring for Aftenposten.
Sophisticated equipment in Oslo
“One of the IMSI-catchers we registered is so technically advanced that it operates in dual bands”, says Jahn-Helge Flesvik in the security company Aeger. “This equipment can pick up and identify a mobile device in a very short time.”
First step to a further surveillance
In the initial stage IMSI-catchers can only be used for collecting data from the sim-card. The most advanced gadgets may register several hundred numbers in just a few minutes.
Once your mobile phone has been detected by a fake base station, it will be aware that you find yourself close to the station, and it may control what your phone will be allowed to do.
Then the IMSI-catcher may enter an active mode in order to eavesdrop on certain conversations. In the next step, the IMSI-catcher will transmit the conversation to the real GSM-system. But the spies are sitting in between, where they are able hear every word.
In addition the fake base station may register SMS-messages and install spyware which enables someone to switch on the microphone. In that case, the mobile phone may be used for monitoring rooms or offices.
Even if Aftenposten’s investigation is the first of its kind in Norway, security authorities, the police, criminals and spies have used the same equipment for at least 10 years. It is especially effective when hunting criminals and controlling mobile communication in an area, in order to prevent detonation of remote-controlled bombs.
This is how Aftenposten detected the fake base stations in Oslo.
- 1. From October 10 until November 21 Aftenposten used one of the world’s most advanced encrypted mobile phones, the CryptoPhone, in order to identify suspicious mobile activity in the Oslo area.
- 2. This mobile was produced by the company GSMK and is distributed in Norway by Multisys. It can analyze communications in the baseband processor of your mobile phone, and it reacts when it discovers suspicious activity indicating the presence of fake base stations nearby.
- 3. Aftenposten made 50.000 measurements during 57 different expeditions, covering 100 kilometers in the streets in and around Oslo. The route was logged with location data.
- 4. Every indication was controlled for possible sources of error, for example signal strength, poor coverage, tunnels, bridges and imprecise GPS-positions. 122 incidents were, according to the CryptoPhone, «highly suspicious», indicating a fake base station nearby.
- 5. This material was submitted to the mobile companies Telenor and Netcom, the Police Security Service and the Norwegian Post and Telecommunications Authority for comments. None of them could say whether they had information about fake base stations in Oslo. Telenor did not wish to meet with Aftenposten, they would only answer in an e-mail.
- 6. As a next step, this newspaper went into a cooperation with the Norwegian security firm Aeger Group, and the British-Norwegian-Czech company CEPIA Technology.
- 7. Both companies are being led by Norwegians with a long experience from military intelligence. They are hired by private institutions and state authorities to detect illegal surveillance.
- 8. Based on Aftenposten’s informations, the security companies searched for signals at several locations in the Oslo-area in the weeks no. 49 and 50. They used highly sophisticated counterintelligence equipment.
- 9. This monitoring makes it possible to to identify with very high probability the location of IMSI-catchers, down to a distance of 50 meters. In order to pinpoint the precise location, however, one would need police authority to access offices and premises.