Intel Source – Phone Traffic/Metadata Analysis #4


Posted by: Allen Hoffmann, JD

February 15, 2015

Read the other parts, once published, under the IntelPhone tag.

Last time we talked about the ways in which your SIM and IMEI are a veritable data gold mine. By cross-referencing every other network record and every bit of traffic that IMEI and/or SIM has ever generated, on that network or others, the telecommunications company and/or your adversary can pull the history of the individual SIM, the IMEI, and the network of contacts around them, and then repeat the exercise from every number used, in or out: take the SIM and IMEI combination, chase all the phones that SIM has ever been plugged into, and all the SIMs that have ever been plugged into that IMEI. Thus the network spreads and spreads, like watching a fire burn through a forest – the same shit gets done over and over again, SIMs and IMEIs, in the blink of an eye. Any and every lapse in OPSEC on the phones of your network/s is forever accessible, today, tomorrow and for years to come, to a keen investigative eye or a metadata-scraping program, and will be highlighted across a network map in some dark squad room somewhere, tacked to a wall for a taskforce or squad to work on.

This article gives you a nice primer while glossing over key OPSEC issues, such as why you change your numbers frequently and why you need to do it as a crew, but most problematically, it completely and utterly omits the IMEI issue, and tells me that just maybe “Martin”, who is supposed to be a tech wizard, may just be taking a pay day from both his clients and those interested in them –

It’s not just a question of whether or not you as an individual user within your ‘talk group’ have abided by the rules of OPSEC. You’ve heard of metadata before if you haven’t been living in a cave since Snowden threw his pacifier from his stroller and moved to Rooskie land. Who you call, and when you call them, or the fact that you send messages or receive messages, doesn’t sound like a big deal if it ain’t being bugged, right? That shit is metadata, and whilst not as dangerous as being caught on tape saying you killed Jimmy Hoffa in one 10-second recording, what you do and when you do it over a protracted period, in the context of metadata, could be just as fatal to you should you face prosecution.

If you or anyone in your ‘network’ has allowed an ‘overlap’ to occur whilst ditching a whole talk group of phones, ever called their old lady or mom off a ‘work phone’ when they needed a ride, or accidentally plugged a ‘work’ SIM into a personal phone and let it tag the network, even for a second, your OPSEC is potentially blown away – your adversary can, circumstantially at the very least, tie your previously anonymous group of phones to people who have a reason to call, or a history of calling, one of those numbers. We’ve talked before about how game-changing information in a case can bring more resources to the table and exponentially multiply the probability of you getting fucked up. The relatively cheap task of putting one analyst on a bunch of numbers on a screen can pay dividends sufficient to justify further specialized, costly investigative resources, such as periodic or ongoing physical surveillance, the deployment of undercovers, or other underhanded means. Never forget, they have a budget they need to justify, and the man hours and dollars spent on old-school tails and more involved, technical work will not be expended without preliminary, cheap, less intensive efforts determining that there’s something worth chasing in the first place.
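The SIM/IMEI expansion described two sections back, and the ‘work SIM in a personal phone for a second’ overlap just described, are the same analyst operation seen from two sides. The following is an added example, not code from the original post or anything the author uses: it walks a constructed attach log (which SIM was ever seen in which handset) as a bipartite graph, then reports every number the resulting cluster has ever dialled. All SIM ids, IMEI ids and phone numbers are constructed.

```python
"""Added example (not from the original post): link expansion over SIM/IMEI
attach records and call records. All identifiers below are constructed."""
from collections import deque

# Constructed attach log: each row says SIM `sim` was seen in handset `imei`
# at least once, even for a second. Ids are made up.
ATTACH = [
    ("A", "1"),
    ("B", "1"),   # second SIM in the same handset
    ("B", "2"),   # that SIM later moved to a new handset
    ("C", "2"),
    ("D", "3"),   # unrelated handset/SIM pair
    ("P", "4"),   # someone's personal phone
    ("C", "4"),   # 'work' SIM plugged into the personal phone once
]

# Constructed outgoing call log: (caller_sim, dialled_number)
CALLS = [
    ("A", "+1555000111"),
    ("B", "+1555000111"),
    ("P", "+1555999777"),   # personal SIM calling mom
    ("D", "+1555000333"),
]


def build_graph(attach):
    """Bipartite graph: ('sim', id) <-> ('imei', id) for every pairing seen."""
    adj = {}
    for sim, imei in attach:
        s, i = ("sim", sim), ("imei", imei)
        adj.setdefault(s, set()).add(i)
        adj.setdefault(i, set()).add(s)
    return adj


def expand(seed, attach):
    """Breadth-first walk: every SIM and IMEI node reachable from the seed."""
    adj = build_graph(attach)
    seen = {seed}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def cluster(seed, attach):
    """Split the reachable set into a set of SIM ids and a set of IMEI ids."""
    nodes = expand(seed, attach)
    sims = {i for kind, i in nodes if kind == "sim"}
    imeis = {i for kind, i in nodes if kind == "imei"}
    return sims, imeis


def numbers_dialled(seed, attach, calls):
    """Every number any SIM in the seed's cluster has ever called."""
    sims, _ = cluster(seed, attach)
    return {num for sim, num in calls if sim in sims}


if __name__ == "__main__":
    sims, imeis = cluster(("sim", "A"), ATTACH)
    print("SIMs:", sorted(sims), "IMEIs:", sorted(imeis))
    print("numbers:", sorted(numbers_dialled(("sim", "A"), ATTACH, CALLS)))
```

Starting from nothing but SIM A, the walk reaches handset 1, then SIM B, handset 2, SIM C, and, because C sat in handset 4 exactly once, the personal SIM P and the call to mom’s number. SIM D and handset 3 never connect to the cluster, which is the point of keeping talk groups disjoint: one attach is enough to merge two otherwise separate graphs.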

Imagine for a moment that I am your adversary. If I know you make a call to an unknown party (maybe someone from whom I suspect you buy vast quantities of talcum powder) at a certain time of day from a certain area, but that you change both your SIM and IMEI, guess what I’m going to analyze in terms of traffic? How about I, as an analyst, notice that a number always calls at a particular time of day to a particular store’s landline number which I am watching as a potential stash house for talcum powder, but that number never actually connects and never makes any other calls? I’m going to start paying a whole lot more attention to that IMEI and SIM, and any other investigative links I can make happen from it as well.
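The ‘rings at the same time every day, never connects, never calls anyone else’ pattern the analyst describes above can be expressed as a filter over call detail records. The following is an added example, not code from the original post: it profiles each caller in a constructed CDR set and flags the ones whose traffic to a watched landline looks like a signal rather than a conversation. The watched number, callers, timestamps and durations are all constructed.

```python
"""Added example (not from the original post): flag callers whose traffic to
a watched landline looks like a signal rather than a conversation. All
numbers, timestamps and the watched line are constructed."""
from datetime import datetime

WATCHED = {"+1555000111"}   # constructed: the store landline under watch

# Constructed CDRs: (caller, callee, start time, duration in seconds).
# duration 0 means the call was never answered.
CDRS = [
    ("+1555100001", "+1555000111", "2015-02-01T19:58:00", 0),
    ("+1555100001", "+1555000111", "2015-02-02T20:01:00", 0),
    ("+1555100001", "+1555000111", "2015-02-03T20:00:00", 0),
    ("+1555100001", "+1555000111", "2015-02-04T19:59:00", 0),
    ("+1555100002", "+1555000111", "2015-02-01T10:15:00", 120),
    ("+1555100002", "+1555200222", "2015-02-01T16:40:00", 300),
    ("+1555100002", "+1555000111", "2015-02-03T13:05:00", 45),
]


def profile_callers(cdrs, watched=WATCHED):
    """Per caller: total calls, calls to watched numbers, answered calls, and
    the minute-of-day of each call to a watched number."""
    prof = {}
    for caller, callee, start, duration in cdrs:
        p = prof.setdefault(caller, {"total": 0, "to_watched": 0,
                                     "answered": 0, "minutes": []})
        p["total"] += 1
        if duration > 0:
            p["answered"] += 1
        if callee in watched:
            p["to_watched"] += 1
            t = datetime.fromisoformat(start)
            p["minutes"].append(t.hour * 60 + t.minute)
    return prof


def flag_signal_callers(cdrs, watched=WATCHED, min_calls=3, max_spread=15):
    """Callers that (a) only ever dial watched numbers, (b) are never answered,
    and (c) always call inside a max_spread-minute window of the day."""
    flagged = {}
    for caller, p in profile_callers(cdrs, watched).items():
        if p["to_watched"] < min_calls:
            continue
        exclusive = p["to_watched"] == p["total"]
        never_answered = p["answered"] == 0
        spread = max(p["minutes"]) - min(p["minutes"])
        regular = spread <= max_spread
        if exclusive and never_answered and regular:
            flagged[caller] = {"calls": p["total"], "spread_minutes": spread}
    return flagged


if __name__ == "__main__":
    for caller, why in flag_signal_callers(CDRS).items():
        print(caller, why)
```

The first caller is flagged: four calls to the watched line within a three-minute window, none answered, nothing else ever dialled. The second caller talks to the store for a couple of minutes and also calls other people, so it reads as ordinary traffic. The window check is a simple min/max of minute-of-day and does not wrap around midnight, so a caller who rings at 23:58 and 00:02 would not be treated as regular by this version.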

Thus we see security is not something that can be entrusted as an order to be followed by rank and file foot soldiers – if your people don’t understand why the fuck they can’t call their homie cross country when they have free minutes on their burner (“It ain’t costin’ you shit, nigga!”), they are doomed to make the mistake of doing so; it’s the catch-22 of having your talk group know enough that they get things right, and not know so much that they don’t understand it or fuck it up. That old knowledge gap between security and user-friendliness rears its head from Silicon Valley to the Bronx. There is a solid reason why lots of people get caught (and why it very seldom makes it into court documents) – reliable and intelligent help is hard to find, and regardless, the longer you play the game, the more likely it is that you’ll breach an exceedingly important OPSEC rule because it becomes mundane, or because someone on your team decides that breaking or even bending the rules ‘just once’ couldn’t possibly hurt. On a long enough timeline, the survival rate for everything, from a mayfly to a human to a tortoise to a skyscraper, falls to zero – and an enterprise is no different. People who don’t slip up, and who make the cost/benefit calculation of investigation vs. ongoing results an impossible equation, stay out of the court system. The rest become statistics which permit the ongoing and ever-increasing intensity of new investigations and the methodologies that go with them.

Is there really a good reason to invest time or money in PGP text messaging or a proprietary crypto phone, or even encryption software for your computer if you don’t trust it fully? For reasons other than why you would conventionally think so, probably. Find out more next time.

Updated: 2015-02-15