GSOC bugging - what technical details have been confirmed?

edanto

Obviously there is a political sh1tstorm at the moment, AGSI calling for GSOC commissioner to resign, the Taoiseach making inaccurate statements about the law, and other bits and pieces. There's a thread in politics for all that.

Do we have any technical details yet about the anomalies observed in the sweep? How reliable are the reports of a compromised phone in a conference room? What has been claimed about the WiFi? What was the third anomaly, was it something to do with a mitm attack via fake GSM tower? Has any of that been confirmed, or are all three things wild speculation?

Given the claims, which are technically plausible? There's hardly any information other than what was in the Sunday Times, but maybe more technical details will come to light soon.

EDIT to add in a quote from Shatter's speech in the Dail - http://www.irishtimes.com/news/politics/oireachtas/no-definitive-evidence-of-surveillance-shatter-1.1687850

Minister Shatter wrote:

He told the Dáil that three issues of concern to the Ombudsman’s office were identified, the first from a wi-fi device which was found to have connected to an external wi-fi network.

“I am also advised that the wi-fi device was unable to communicate with any of GSOC’s databases or electronic systems and that the boardroom is not generally used for meetings.,” he said.

The second related to a conference call telephone in the chairman’s office, where the conference phone rang but tests were unable to establish the source of the call.

The third issue related to the detection of an unexpected UK 3G network near the GSOC offices.

Sunday Times wrote:

The consultants, among them former counter-surveillance specialists with Britain’s GCHQ spying agency, found a speaker phone on the upper floor of the GSOC building was bugged. The room was regularly used to hold case conferences on sensitive investigations. A test of the line confirmed the phone was being used to eavesdrop on meetings, according to sources.

timmywex

No specific technical details:

From reading it though sounds like a bug put on a phone in a meeting room, a physical little device capturing the voice transmissions, and the wifi, maybe just a rogue access point rather than man in the middle even?

Impossible to know given the little thats been released, and the general media interpretation/lack of understanding surrounding "hacking".

syklops

Very little specifics have been released. Although from whats quoted above, I have less confidence about the "government-level espionage equipment". I can build a wifi-snooping device using a raspberry pi and a wireless dongle. I could build a bug with 20 quids worth of stuff from Maplin and anyone can buy a UK 3g dongle. But, that doesn't sell headlines as well.

sawdoubters

http://www.broadsheet.ie/tag/gsoc-bugging-questions/

edanto

The GSOC guy on prime time now just gave (marginally) more detail on one of the items - he said there was a WiFi device discovered with no password, not connected to their network.

Simplest explanation - it might have been some sloppy IT, perhaps an ISP's router/AP just left with default settings? Though if things were that sloppy it would beg a lot more questions.

He didn't mention the conference phone at all - sounds like the Sunday Times article made some wild claims unsupported by GSOC.

wil

edanto wrote: »

The GSOC guy on prime time now just gave (marginally) more detail on one of the items - he said there was a WiFi device discovered with no password, not connected to their network.

Simplest explanation - it might have been some sloppy IT, perhaps an ISP's router/AP just left with default settings?

He didn't mention the conference phone at all - sounds like the Sunday Times article made some wild claims unsupported by GSOC.

Might be a bug in your TV :pac:, but he kinda did. Funny how people hear different things.:)

Sounds like there doesn't seem to be any physical device just anomalies - (I guess they could be considered bugs if you wish)

Paraphrased from Primetime (errors and errata excepted)

---
Threefold issue
Piece of equipment connecting to a external wifi without pw
Conference call telephone - tested showed anomaly - strange behaviour rated unlikely to be innocent
Sophisticated external sweeping device (unspecified and vague)
Were they bugged - very difficult to say...
Cant definitively say they were bugged.
---

edanto

Thanks for that - I missed the conference phone bit [I got it badly wrong, embarrassing!], had Prime Time on in the background as I'm putting up some shelves so didn't give it full attention. Appreciate your paraphrasing. Shelves are up now, so I can watch back over the recording and will transcript the bit where he got into the most technical detail.

GSOC: What we got were credible threats to our own security, we hired credible international experts to consider those for us, to examine, to test them. At the conclusion of their testing, and their security sweeps, they were able to tell us that certain things did not look likely and other things they could not be definitively sure.

Miriam: What were the credible threats?

GOSC: The credible threats were threefold, one was a piece of equipment which was connecting to an external network, a WiFi device. It should have been activated by a password, in actual fact it was activating without seeming to have the need for a password, and transmitting. It did not compromise our data. It did not connect with our internal security but having found it, we certainly needed to take it very seriously. That was one.

The second was more worrying, it was a conference call telephone, a conference call facility that we use not infrequently. That was tested and the tests showed up what we called in our first report, an anomaly, but it showed up something that gave them cause for concern and their judgement was that the strange behaviour of this device in response to their test, was such that it could have been co-incidental, it could have been explained away, but they rated in their report the possibility of it being co-incidental of being close to zero.

The third one was a sophisticated piece of equipment that does sweeps of building from external if you like, if doesn't have to be in the vicinity, and it can attack mobile phones and other ....

Miriam: So, it sounds like still, like your statement last night from GSOC, which more or less confirmed what you're saying now, that you still believed there could have been bugging of your building? And that is not what the minister is saying.

GSOC: Well, we have no disagreement at all with the Minister

and back to politics.

He didn't really answer the question about what the credible threats were that led to the consultants being called in. Returned to it later in the interview and didn't give much details.

wil

syklops wrote: »

Very little specifics have been released. Although from whats quoted above, I have less confidence about the "government-level espionage equipment". I can build a wifi-snooping device using a raspberry pi and a wireless dongle. I could build a bug with 20 quids worth of stuff from Maplin and anyone can buy a UK 3g dongle. But, that doesn't sell headlines as well.

Are you preparing to make a confession:D
In bold was one of the first things I thought as the expert stated this.

Apparently (I've no need or desire to confirm) one of the most sophisticated government "generated" malware worms designed to attack another countries infrastructure (intentionally vague) is now available in kit form.

syklops

GOSC: The credible threats were threefold, one was a piece of equipment which was connecting to an external network, a WiFi device. It should have been activated by a password, in actual fact it was activating without seeming to have the need for a password, and transmitting. It did not compromise our data. It did not connect with our internal security but having found it, we certainly needed to take it very seriously. That was one.

Still vague, but it could be a wifi pineapple.

_Whimsical_

edanto wrote: »

He didn't really answer the question about what the credible threats were that led to the consultants being called in. Returned to it later in the interview and didn't give much details.

He said that the fact that private information regarding the Kevin Boylan case got into "the public discourse" had prompted them to call in consultants. He seemed very reluctant to make that clear though and Miriam didn't pick up on it.

Dermot Illogical

_Whimsical_ wrote: »

He said that the fact that private information regarding the Kevin Boylan case got into "the public discourse" had prompted them to call in consultants. He seemed very reluctant to make that clear though and Miriam didn't pick up on it.

And then the fact that they ran a check made it into the public domain as well.

dalta5billion

Could the consultant's report be FOI'd?

I'd be interested in the UK 3G network, and whether the Irish network made a mistake in the broadcasted network name. Otherwise GCHQ are suspect #1 for me.

Was the "unsecured WiFi network" belonging to GSOC or was it an attempt by a local resident to see if any gullible GSOC staff would use it?

This anomaly with the conference phone is incredibly vague and varied. Was there unusual latency? Sinister breathing on the line? Phantom prank callers?

Also, the routing of some things through an untraceable UK IP address. A bitcoin financed VPS? GCHQ rerouting traffic with BGP?

I want a damn PDF from someone with /some/ technical expertise. This vindicates the Garda Commissioner's view of GSOC as being unsuitable to handle sensitive data.

syklops

dalta5billion wrote: »

Could the consultant's report be FOI'd?

I'd be interested in the UK 3G network, and whether the Irish network made a mistake in the broadcasted network name. Otherwise GCHQ are suspect #1 for me.

Was the "unsecured WiFi network" belonging to GSOC or was it an attempt by a local resident to see if any gullible GSOC staff would use it?

This anomaly with the conference phone is incredibly vague and varied. Was there unusual latency? Sinister breathing on the line? Phantom prank callers?

Also, the routing of some things through an untraceable UK IP address. A bitcoin financed VPS? GCHQ rerouting traffic with BGP?

I want a damn PDF from someone with /some/ technical expertise. This vindicates the Garda Commissioner's view of GSOC as being unsuitable to handle sensitive data.

With respect for this forum, so few details have been released, speculation is just folly. Mi5/GCHQ have practically untraceable ways of monitoring/tapping. Stuff like TEMPEST which can read peoples screens like they were sat next to them and cuffs that go on physical phone lines and retransmit the signal to the listening van parked on the corner.

A bug, as in physical bug, put in/on a conference phone seems a bit too low tech for them.

Wireless is often the weak link in an organisation. An unencrypted AP which guys use for checking their gmail on, could give up some traffic. Install jassager on the AP and it could trick phones and laptops to connect to it first allowing you to sniff emails, passwords, usernames, documents etc, plenty of information to aide in attacking the network itself.

I still think this is a lot more low tech than has been reported.

_Whimsical_

dalta5billion wrote: »

Could the consultant's report be FOI'd?

I'd be interested in the UK 3G network, and whether the Irish network made a mistake in the broadcasted network name. Otherwise GCHQ are suspect #1 for me.

Was the "unsecured WiFi network" belonging to GSOC or was it an attempt by a local resident to see if any gullible GSOC staff would use it?

He gave the impression the wifi network belonged to them as he said it should have password protected and they thought it was but it turned out it had been accessed without a password.

dalta5billion

syklops wrote: »

With respect for this forum, so few details have been released, speculation is just folly. Mi5/GCHQ have practically untraceable ways of monitoring/tapping. Stuff like TEMPEST which can read peoples screens like they were sat next to them and cuffs that go on physical phone lines and retransmit the signal to the listening van parked on the corner.

A bug, as in physical bug, put in/on a conference phone seems a bit too low tech for them.

Wireless is often the weak link in an organisation. An unencrypted AP which guys use for checking their gmail on, could give up some traffic. Install jassager on the AP and it could trick phones and laptops to connect to it first allowing you to sniff emails, passwords, usernames, documents etc, plenty of information to aide in attacking the network itself.

I still think this is a lot more low tech than has been reported.

What I'm saying is the "UK 3G" network sounds like either

a) an error on the part of an Irish network
b) Someone running a GSM base station in the vicinity, forgetting to change network name.

Lookup OpenBTS talk at DefCon. Loads of phones connected automatically. Extremely effective for a small area.

You're right, perhaps inappropriate speculation on it being GCHQ.

syklops

dalta5billion wrote: »

What I'm saying is the "UK 3G" network sounds like either

a) an error on the part of an Irish network
b) Someone running a GSM base station in the vicinity, forgetting to change network name.

Lookup OpenBTS talk at DefCon. Loads of phones connected automatically. Extremely effective for a small area.

You're right, perhaps inappropriate speculation on it being GCHQ.

Funnily today I am in the NOC of a Irish service provider and they have british 3g modems plugged in for testing. Again, the technical details are so thin on the ground it really isnt worth the time speculating. It really could be anything. We'll assume the security firm knew what they were doing, but they no doubt wrote a report and there is no guarantee that whoever read it, understood what it said.

edanto

Some technical details emerged today at the committee. Just to look at one aspect, the conference phone.

The privacy consultants that were investigating the phone sent some type of audio signal down the phone line at 1am.... and the phone was rung back immediately. Repeating the test did not produce the same results.

Paraphrasing GSOC statement to committee - any errors are mine wrote:

The commission did not rule out that there could be reasonable explanations for any or all of these devices

The anomaly in the telephone unit could not be repeated. We could not rule out an innocent call, even at 1am.

Telecoms data could not identify the number from which the call had been made or even that a call had been made.

If the signal the consultants sent down the line would normally cause the phone to be rung back, why did subsequent identical tests not produce the same result?

If it was a random wrong number call, why did telecoms data not give a caller ID or even identify that a call had been made?

Why would a privacy consultant send a signal of this type down a phone line unless it was known to give results that indicate surveillance?

That might be a question people here have some experience of - is sending a signal of some type down a phone line, which generates a return ring any indication of a bugged line? Surely it could equally be faulty hardware at the exchange?

edanto

http://www.irishtimes.com/news/crime-and-law/gsoc-s-account-of-bugging-evidence-does-not-tally-with-that-of-minister-1.1689432

From the Irish Times today


The most serious of three examples of suspected surveillance found relates to O’Brien’s landline in his office in GSOC headquarters in Dublin.

In layman’s terms, it was tested to determine it if was bugged. This was done by sending a message down the line informing any potential bug that the line was being put out of service.

Automatic response
One source familiar with such testing said a bugging mechanism’s automatic response is to ring the telephone to establish if it had indeed just been discontinued.
When O’Brien’s phone was put through that process it rang immediately. It was 1am.
The possibilities are two-fold.

Either the phone was bugged and its ringing was confirmation of that fact.

Or somebody somewhere accidentally rang the phone in the early hours of the morning and at the exact moment those doing the testing expected it to ring if bugged.

syklops

edanto wrote: »

http://www.irishtimes.com/news/crime-and-law/gsoc-s-account-of-bugging-evidence-does-not-tally-with-that-of-minister-1.1689432

From the Irish Times today


The most serious of three examples of suspected surveillance found relates to O’Brien’s landline in his office in GSOC headquarters in Dublin.

In layman’s terms, it was tested to determine it if was bugged. This was done by sending a message down the line informing any potential bug that the line was being put out of service.

Automatic response
One source familiar with such testing said a bugging mechanism’s automatic response is to ring the telephone to establish if it had indeed just been discontinued.
When O’Brien’s phone was put through that process it rang immediately. It was 1am.
The possibilities are two-fold.

Either the phone was bugged and its ringing was confirmation of that fact.

Or somebody somewhere accidentally rang the phone in the early hours of the morning and at the exact moment those doing the testing expected it to ring if bugged.

We don't want laymans terms. We want what happened.

That explanation sounds like BS to me. Covert surveillance, tries to be, you know, covert. A bug ringing the phone its listening to to test if its still working?

Phoebas

syklops wrote: »

We don't want laymans terms. We want what happened.

That explanation sounds like BS to me. Covert surveillance, tries to be, you know, covert. A bug ringing the phone its listening to to test if its still working?

I'm far from an expert in this area, but is it possible that the phone ringing immediately after the test was done on the line may have been an unexpected artifact of the test itself?

syklops

Phoebas wrote: »

I'm far from an expert in this area, but is it possible that the phone ringing immediately after the test was done on the line may have been an unexpected artifact of the test itself?

Again, without specifics, its impossible to know.

Dermot Illogical

One of the most infuriating things about this is the complete lack of technical specifics. It's all waffle like "anomalies on a wifi device", but when the GSOC commissioner was asked straight out (twice) what the device was he couldn't, or wouldn't, say. A media wireless type device thingy apparently.
My suspicion is that the lack of detail is possibly deliberate. Putting the technical details of the devices and the tests run on them out there would quickly answer all questions. Perhaps they strongly suspect they were chasing shadows and are afraid they'll become a total laughing stock? Perhaps there are genuine threats? Who knows? All we have so far is damaging waffle.
The whole thing could become instantly clear if the device/test data was released.

Phoebas

Dermot Illogical wrote: »

One of the most infuriating things about this is the complete lack of technical specifics. It's all waffle like "anomalies on a wifi device", but when the GSOC commissioner was asked straight out (twice) what the device was he couldn't, or wouldn't, say. A media wireless type device thingy apparently.

I thought they told the committee that it was a WiFi repeater (which surprised me because it wouldn't make sense for them to have one - switched on - when they have no WiFi network).

I've also heard somewhere that it was some kind of media player - but it's difficult to separate the fact from the fiction.

edanto

At the committee they said it was some kind of media player, can't find the transcript to that committee session. Not sure if transcripts are generally available to public sessions, but I hope so.

I cautiously hope that the Sunday Times reveals a few more technical details without compromising GSOC security.

aidan_walsh

The committee transcript is here, broken across 25 pages and not immediately searchable. Unfortunately, KildareStreet doesn't seem to index committee meetings, or hasn't indexed this one yet.

aidan_walsh

Actually, **** that. Have a text file. http://pastebin.ca/2640158

Phoebas

edanto wrote: »

At the committee they said it was some kind of media player, can't find the transcript to that committee session. Not sure if transcripts are generally available to public sessions, but I hope so.

Here it is:
The Wi-Fi device was in a media console and it allowed us to do certain things with that media console

Blowfish

syklops wrote: »

Very little specifics have been released. Although from whats quoted above, I have less confidence about the "government-level espionage equipment". I can build a wifi-snooping device using a raspberry pi and a wireless dongle. I could build a bug with 20 quids worth of stuff from Maplin and anyone can buy a UK 3g dongle. But, that doesn't sell headlines as well.

Indeed, in fact you could probably find the odd one in an Irish mobile phone repair shop like, I dunno, this one, which just so happens to be right accross the road from the GSOC offices.....

[edit] heh, well I guess people from that shop have spammed boards before now, hence the censoring. Check on Google Maps, it's right accross the road. I'm curious if the consultants actually bothered to walk over to see if, just on the off chance it was something they were playing with in the shop causing any of the issues.

syklops

Phoebas wrote: »

Here it is:
The Wi-Fi device was in a media console and it allowed us to do certain things with that media console

Again, clear as mud. How many "media consoles" do the GSOC have?

Was it simply a wifi dongle connected to an external hard drive?

Dermot Illogical

There's a little more detail in the GSOC briefing document obtained by the IT.

http://www.irishtimes.com/news/politics/gsoc-briefing-paper-contains-more-than-shatter-d%C3%A1il-statement-1.1691878

Iwannahurl

dalta5billion wrote: »

What I'm saying is the "UK 3G" network sounds like either

a) an error on the part of an Irish network
b) Someone running a GSM base station in the vicinity, forgetting to change network name.

Lookup OpenBTS talk at DefCon. Loads of phones connected automatically. Extremely effective for a small area.

You're right, perhaps inappropriate speculation on it being GCHQ.

I know nothing about the technology, but a thought has occurred to me: could one simple explanation (though obviously a slightly paranoid one) for the UK 'identity' of the alleged IMSI-catcher be that it was a device designed, manufactured and sold by a UK company?

It has been alleged that the Metropolitan Police (Simon O'Brien's old firm) use technology of that nature, as manufactured and sold by Datong PLC, a Leeds-based company specialising in "high quality intelligence equipment".