
NYT: Russia's tech tracks users, locations, connections in WhatsApp, Signal, and Telegram

tridy

Summary

Russia has developed new digital tools to track and suppress domestic opposition to the war in Ukraine. These tools can monitor encrypted apps like WhatsApp, Signal, and Telegram, and track phone locations and social media users. The tools are being sold to other countries, especially in regions close to Russia. This poses a threat to people’s privacy and freedom and challenges the usual providers of surveillance technology.

 

Quotes

Simple-to-use software that plugs directly into the telecommunications infrastructure now provides a Swiss-army knife of spying possibilities, according to the documents, which include engineering schematics, emails and screen shots. The Times obtained hundreds of files from a person with access to the internal records, about 40 of which detailed the surveillance tools.

 

One program outlined in the materials can identify when people make voice calls or send files on encrypted chat apps such as Telegram, Signal and WhatsApp. The software cannot intercept specific messages, but can determine whether someone is using multiple phones, map their relationship network by tracking communications with others, and triangulate what phones have been in certain locations on a given day. Another product can collect passwords entered on unencrypted websites.

 

My thoughts

Even if they cannot read the messages and attachments, the information about the user locations, the locations of the phones, tracking the possibility of people meeting based on their locations, "map the relationship network by tracking communications with others" - this is way too much. My main concern is Signal and I have not seen where they would have commented on that yet. It would be interesting if someone who has knowledge of how WhatsApp, Telegram, and Signal communicate, could tell what can be done from the user side to harden the security in this case. I thought that Signal and Telegram were "de-centralized" but it does not help in this case it seems. How do we improve it? VPN with Matrix.org?

 

Sources

https://www.nytimes.com/2023/07/03/technology/russia-ukraine-surveillance-tech.html

the full article is attached

russia-ukraine-surveillance-tech.pdf


30 minutes ago, VincentVanMan said:

Same as NSA is doing to the US population then?

Probably yes, but I am still searching for ways of making their work harder.


43 minutes ago, tridy said:

One program outlined in the materials can identify when people make voice calls or send files on encrypted chat apps such as Telegram, Signal and WhatsApp. The software cannot intercept specific messages, but can determine whether someone is using multiple phones, map their relationship network by tracking communications with others, and triangulate what phones have been in certain locations on a given day. Another product can collect passwords entered on unencrypted websites.

Kind of what I'd expect, technically there's nothing new here - this has always been a possibility. I'm skeptical of them being able to tell who the recipient of the messages is... though I guess you could compare hashes if you're monitoring a network large enough to include the recipient's device, which would be the case if you're, say, the Russian state which likely has complete access to the country's cellular networks.

46 minutes ago, tridy said:

It would be interesting if someone who has knowledge of how WhatsApp, Telegram, and Signal communicate, could tell what can be done from the user side to harden the security in this case.

To be clear, your messages are secure in the sense that their content cannot be read by people other than the recipient and you can be sure they were sent by who you think sent them (or at least their device).

 

If you're concerned about privacy in the sense that you don't want general information about your volume of messages and who they're directed at to be known, the solution is either a VPN (though you're giving the VPN's provider that information instead if they decide to collect it) or TOR.

 

Platforms like WhatsApp and Telegram could mitigate this by introducing random salts and padding in messages when they are delivered to the recipient to make them seem different from when they were sent, encrypting the whole thing again with the receiver's public key (though this involves both a centralized distribution, which afaik both Telegram and WhatsApp have but possibly not Signal, and more workload on the servers).

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


17 minutes ago, Sauron said:

I'm skeptical of them being able to tell who the recipient of the messages is...

Maybe I misunderstood but I think they can connect the phone's GPS location to when the message was sent. Then knowing one's home address it is possible to connect some of the places where one sends the messages the most. Observing that for a month should provide some patterns and clues about where the home and workplace are. If they can do that, after some time, it becomes possible to see who communicates with whom.


One of the possible flows (within Russia).

 

Having:

 

  1. logs from the server that person 1 calls from
  2. logs from the server that person 2 receives from

 

Analyzing the traffic, it is possible to find the call data: when the call was started and finished, and what the length of the call is.


Then matching similar records from both records they are able to link the users that were in the call.

 

This is useful when you are in Russia and have the logs from both servers. However, if you call a different country then you do not have the logs from the second server and it is useless. Even within Russia, using VPN makes it harder to trace.

 

Maybe one of the aspects of this initiative is to scare people so they would switch back to the classic mobile calls and SMS and, as a result, it will be even easier to trace them.

 

source: (TV Rain in Russian) https://youtu.be/N_bnO74Be_o?t=3069


1 hour ago, tridy said:

Maybe I misunderstood but I think they can connect the phone's GPS location to when the message was sent.

Unlikely given the description of the attack, but you can know a phone's rough location using cell tower logs though it's not very precise. Still, even if you had everyone's gps data you couldn't necessarily associate it to individual messages, let alone those messages' recipients, unless they were otherwise recognizable, i.e. through a hash.

13 minutes ago, tridy said:

Having:

 

  1. logs from the server that person 1 calls from
  2. logs from the server that person 2 receives from

 

Analyzing the traffic, it is possible to find the call data: when the call was started and finished, and what the length of the call is.


Then matching similar records from both records they are able to link the users that were in the call.

You don't need to look at server logs for this, phones can be identified through the IMEI code when they connect to a cell tower. Matching dates and lengths could be feasible but probably not reliable enough on its own given thousands of calls at any given time.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


5 minutes ago, Sauron said:

Still, even if you had everyone's gps data you couldn't necessarily associate it to individual messages,

I think that if you see a pattern that for a couple of months, after 5:30 PM most of the calls come from GPS location X,Y, then it might give some clues about who this might be, the one who lives there. If it is an apartment in a multi-floor house then it can be harder. This could be connected to a regular phone call once in a while, voice recognition, etc. When the information comes from different sources, like GPS, as you said, cell towers, over some time it might be quite accurate.

 

3 minutes ago, Sauron said:

Matching dates and lengths could be feasible but probably not reliable enough

What they are talking about is the milliseconds precision of the phone calls length, so that would narrow it down quite a lot.

 


34 minutes ago, tridy said:

I think that if you see a pattern that for a couple of months, after 5:30 PM most of the calls come from GPS location X,Y, then it might give some clues about who this might be, the one who lives there. If it is an apartment in a multi-floor house then it can be harder. This could be connected to a regular phone call once in a while, voice recognition, etc. When the information comes from different sources, like GPS, as you said, cell towers, over some time it might be quite accurate.

Yes, but not practical for mass surveillance. This works if you're tracking down specific people.

35 minutes ago, tridy said:

What they are talking about is the milliseconds precision of the phone calls length, so that would narrow it down quite a lot.

It's hard to be that precise with long distance communication latencies. Also it wouldn't really work with messages. Unless you hash the packets, which works for both calls and messages.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*
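The disagreement in the posts above, over whether matching call start times and lengths is reliable given many simultaneous calls and latency, can be put in numbers. This is an added sketch, not part of any post: all call records are constructed random data, and the function names, the 20,000 calls per hour volume and the 1.5x tolerance are assumptions. It counts how many far-side records fit each call's timing, which is the size of the set a call hides in.

```python
import bisect
import random

def make_calls(n, window_s=3600.0, mean_len_s=180.0, seed=1):
    """Constructed data: n calls as (start_s, duration_s) spread over one hour."""
    rng = random.Random(seed)
    return [(rng.uniform(0.0, window_s), rng.expovariate(1.0 / mean_len_s))
            for _ in range(n)]

def far_side_view(calls, jitter_s, seed=2):
    """The same calls as logged at the other end: network latency shifts the
    observed start and length by up to +/- jitter_s (assumed uniform)."""
    rng = random.Random(seed)
    return [(s + rng.uniform(-jitter_s, jitter_s),
             d + rng.uniform(-jitter_s, jitter_s)) for s, d in calls]

def candidate_counts(side_a, side_b, tol_s):
    """For each side-A record, count side-B records whose start AND length
    both fall within tol_s. A count of 1 means the timing alone is unique."""
    b_sorted = sorted(side_b)
    starts = [s for s, _ in b_sorted]
    counts = []
    for s, d in side_a:
        lo = bisect.bisect_left(starts, s - tol_s)
        hi = bisect.bisect_right(starts, s + tol_s)
        counts.append(sum(1 for _, bd in b_sorted[lo:hi] if abs(bd - d) <= tol_s))
    return counts

def unique_fraction(n_calls, jitter_s):
    """Share of calls whose timing fits exactly one far-side record."""
    a = make_calls(n_calls)
    b = far_side_view(a, jitter_s)
    # Tolerance must cover the jitter or the true match would be missed.
    counts = candidate_counts(a, b, tol_s=1.5 * jitter_s)
    return sum(1 for c in counts if c == 1) / len(counts)

if __name__ == "__main__":
    for jitter in (0.001, 0.1, 2.0):
        print(f"jitter {jitter:>5}s -> unique {unique_fraction(20000, jitter):.3f}")
```

At millisecond agreement almost every call has a single candidate; with a couple of seconds of timing uncertainty a large share of calls fit several records, which is why added delay or jitter on the path (a VPN hop, a relay) widens the set.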


3 hours ago, tridy said:

Probably yes, but I am still searching for ways of making their work harder.

Sometimes older is better, if the phone doesn't have gps it's more effort to triangulate.

It's the same idea as floppy disks being more secure than usb drives, who has a floppy drive kicking around?

The best gaming PC is the PC you like to game on, how you like to game on it


3 hours ago, GhostRoadieBL said:

Sometimes older is better, if the phone doesn't have gps it's more effort to triangulate.

or you need to know where it is in the phone and then put a nail through it. the same about the camera.

 

In one of the interviews, Snowden said that he desolders the microphone from his phone and then uses a small usb-c microphone that he attaches when he needs to talk.

 

convenience vs security


6 hours ago, Sauron said:

 

To be clear, your messages are secure in the sense that their content cannot be read by people other than the recipient and you can be sure they were sent by who you think sent them (or at least their device).

 

 

That's oversimplified.

 

From a "cell carrier" perspective, they know the name, address, and device of everything connected to the network. That is not new. They also know the location of every device down to 100m, if they wanted to by triangulating the location based on the nearest towers to it. (100m is pretty large, about the length of a subway platform.) Generally without knowing the network's physical topology you wouldn't find this information that useful. But I'm sure spy agencies know where every wireless device is in the country they are authorized to operate in down to a few inches. Like you know how you triangulate a device without needing the wireless carrier? Remember those stingray devices? Set up three of those around a city block, and if your target walks into it, start following them and get closer like a snare net.

 

Exclusive of cell carriers, all other devices, like Wifi laptops and bluetooth connections do not require a subscriber module, they just operate directly off their MAC or BSSID. So even if you have an encrypted connection to the WiFi, that's only between your device and the access point. If you open a "sniffer" Wifi AP you can see every single thing within about 100m, encrypted or not. So you see all the http traffic in pieces. Without software to actually organize it by BSSID and MAC you will only catch the strongest signals. WPA2 encryption just makes this noise now, but you can still tell what people are doing because certain activities are bursty. Text messages, and social media, always end up being tiny packets. So you could tell someone sending messages (as opposed to photos or videos) because the messages will usually fit in one or two packets, whereas an image will be around 1000-20000, and video will be pretty much endless to monitor.

 

So it's not really that hard, in concept, to track an individual by tracking the MAC addresses through the BSSIDs with malicious APs in a city if the user has their WiFi set to automatically connect to open WiFi. Say, Starbucks or McDonalds. They don't even need to be in those stores, simply having the phone attempt to connect is enough.

 

To track any kind of instant messaging service, if the government has access to the routing equipment, they can track the devices in a similar way, you can't rely on the source MAC to not be a VPN, but you can rely on routing path. So if you are using a VPN and not regularly having it cycle your IP address, they will still find you if they wanted to. Your phone will not protect you if you have the 4G/5G radio turned on and also use bluetooth or wifi. 

 

Bluetooth tracking is probably the easiest, since all phones have BLE and NFC on them now. So a device could be devised to just ping BLE and NFC's nearby. The fortunate thing is, that most of these are limited to about a foot of range. So you're about as vulnerable as you would be having just NFC tap-to-pay cards in your wallet.

 

If you don't want to be tracked, you should not be using a smartphone in the first place. That's usually not a viable thing for people.

 


7 minutes ago, Kisai said:

 

That's oversimplified.

 

From a "cell carrier" perspective, they know the name, address, and device of everything connected to the network. That is not new. They also know the location of every device down to 100m, if they wanted to by triangulating the location based on the nearest towers to it. (100m is pretty large, about the length of a subway platform.) Generally without knowing the network's physical topology you wouldn't find this information that useful. But I'm sure spy agencies know where every wireless device is in the country they are authorized to operate in down to a few inches. Like you know how you triangulate a device without needing the wireless carrier? Remember those stingray devices? Set up three of those around a city block, and if your target walks into it, start following them and get closer like a snare net.

 

Exclusive of cell carriers, all other devices, like Wifi laptops and bluetooth connections do not require a subscriber module, they just operate directly off their MAC or BSSID. So even if you have an encrypted connection to the WiFi, that's only between your device and the access point. If you open a "sniffer" Wifi AP you can see every single thing within about 100m, encrypted or not. So you see all the http traffic in pieces. Without software to actually organize it by BSSID and MAC you will only catch the strongest signals. WPA2 encryption just makes this noise now, but you can still tell what people are doing because certain activities are bursty. Text messages, and social media, always end up being tiny packets. So you could tell someone sending messages (as opposed to photos or videos) because the messages will usually fit in one or two packets, whereas an image will be around 1000-20000, and video will be pretty much endless to monitor.

 

So it's not really that hard, in concept, to track an individual by tracking the MAC addresses through the BSSIDs with malicious APs in a city if the user has their WiFi set to automatically connect to open WiFi. Say, Starbucks or McDonalds. They don't even need to be in those stores, simply having the phone attempt to connect is enough.

I'm not sure which part of what I said is an oversimplification of this but I agree. The part of my post you quoted was about the encryption of the messages themselves, which does ensure they can't be read and they come from the device you think they come from (unless their private key was stolen, which isn't what's being talked about here).

11 minutes ago, Kisai said:

To track any kind of instant messaging service, if the government has access to the routing equipment, they can track the devices in a similar way, you can't rely on the source MAC to not be a VPN, but you can rely on routing path. So if you are using a VPN and not regularly having it cycle your IP address, they will still find you if they wanted to. Your phone will not protect you if you have the 4G/5G radio turned on and also use bluetooth or wifi. 

If your message goes through a distribution server and not directly to the destination device it can only be tracked if you either have control of that server or can recognize the message in the server's outgoing packets.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*
