STL Telecom Analysis: Uncovering the Weakest Links
By: Marwan Taher
Published Tuesday, October 4, 2011
The STL indictment used to implicate Hezbollah in the killing of Rafik Hariri is based on highly touted telecom-analysis. But an in-depth examination of this evidence reveals that it is unlikely to stand in a fair trial
Analysis - The latest twist in the never-ending saga of the international investigation into the 2005 assassination of former Lebanese Prime Minister Rafik Hariri happened on Friday. One of Australia's top cops and former chief investigator for the tribunal, Nick Kaldas, reiterated accusations that Hezbollah was behind the killing.
The case against Hezbollah is largely based on telecom evidence cited in the tribunal's indictment of four suspects who are linked to Hezbollah. In a much cited CBC report into the Hariri investigation, telecom analysis was uncritically hailed as “probably the single most important intelligence-gathering tool in modern times.” In the case of the Hariri tribunal, telecom data was used to build a whole narrative surrounding the assassination’s planning and execution and to identify some of the accused. Resorting to telecom data gave a highly politicized investigation an air of objectivity. It provided the tribunal with a much needed lifeline after testimonies used to implicate Syria in previous reports were undermined.
But despite the valuable information provided by the telecom analysis, a systematic in-depth examination of the type of telecom data used, the method of identifying suspects, and the level of security of mobile networks in Lebanon all reveal that the evidence is mostly of a speculative nature. This casts serious doubts on the prosecutor's conclusions and the integrity of his case.
Relying on CDRs: How They Work...or Don't
The data obtained by the investigative team came from Lebanese mobile network operators. Although a mobile network creates and maintains large amounts of data, the STL has indicated that only one type of data, the Call Detail Record (CDR), was used by the investigation.
A Call Detail Record (CDR) of cell phone use is a computer generated record used for billing purposes. It contains less detail than other types of logs. However, it is the most likely to be retained by the network operator because of its use for customer invoicing. The indictment specifically refers to CDRs and does not mention any other logs used in the telecom analysis.
Paragraph 18 of the indictment explains that a CDR contains “information such as incoming and outgoing phone numbers, the date and time of a call, its duration, call type, and the approximate location of mobile phones by reference to the cell-towers which carried a call.”
Co-Location: Hard to Pin Down
CDRs are used to determine whether two phones are always present - i.e. detected - in the same place at the same time but never in contact with each other, a procedure referred to as co-location. Co-location is a central method of analysis used in the indictment. If co-location is detected, it is inferred that one person is using both these phones. This appears logical, but it depends on the amount of data used to demonstrate the effect.
If you had minute-by-minute plots of two cell phones as they moved around, down to a resolution of one meter, and those movements overlap throughout, you would have very strong evidence of co-location. But this is apparently not the case based on the indictment. In paragraph 25 (b) of the indictment, phones are co-located “as evidenced by the timing and locations of the calls[my italics].” This implies that data records used for analysis are only those generated when a call is made, via CDR logs.
If this is the case, then the location is referring to the entire coverage area of a cell phone tower used to transmit data between the cell phone and the network's operating center. This location is thus shared with hundreds of other cell phones at any point in time. And if you only have a data record when a phone call is made, then you can only check which two among these hundreds of phones are co-located when both phones happen to be used within a short time, so you could have both their locations during that interval. How often this happens is not stated in the indictment.
Building the Networks Narrative
The weakness of co-location evidence is not the only loophole in the evidence provided. The entire narrative of who called who and when is in doubt. The STL case is based on unravelling four major phone networks, dubbed the Red, Blue, Green, and Purple networks, respectively. The first three were closed networks, i.e. networks whose phones communicated exclusively with each other.
We can assume the Red network was uncovered first. The fact that the Red network always operated around Hariri - it had a particular pattern of phone calls on the day of the assassination, and the fact that it ceased operation one minute before the blast, would have made it stand out in any rudimentary communication analysis. This probably led the investigative team to conclude that the Red network was the operational assassination team on the ground.
By analyzing the locations of the Red phones, several other phones were likely co-located with phones in the Red network. This would be the Blue network involved in logistical support, especially in matters that required contact with the public, like buying phone cards and purchasing the van allegedly used in the blast.
The involvement of the Green network is more tenuous. One of the suspects with both a Red phone and Blue phone had six other phones. Let’s call him suspect ‘A’ - later identified by the STL investigative team as Salim Ayyash, the alleged field coordinator of the entire operation. One of the many phones located with ‘A’, and not part of the Red or Blue networks, was used to call someone outside the Red and Blue networks. Let's call this person suspect ‘B’ — later identified by the STL as Hezbollah high ranking official Mustafa Baddredine, the ultimate commander of the operation.
Calls betwen ‘A’ and ‘B’ using the Green network were made at critical moments: when the Red network was tailing Hariri, when the van was being purchased, and one-hour before the explosion. It is important to note that linking the calls to the events appears to be based on the fact that their timing coincided with these events. CDR logs do not contain the content of phone calls, only the time of call and its duration.
This Green network ceased one hour before the assassination. The only other link to the assassination is that ‘B’ was in the vicinity of the blast site on February 3rd, 11 days before the assassination. From all of this, the investigative team extrapolates that ‘B’ headed the entire operation.
Unlike the Green, Blue, and Red networks, the Purple network is an open network of only three phones. According to the indictment, the Purple network was responsible for creating the video tape in which Abu Adass, a young religious man, takes responsibility for the assassination. Abu Adass disappeared a month before the assassination.
Identifying the Suspects
The Pitfalls of Personal Calls
Identifying the user of a phone is called ‘attribution.’ Much ado is made in the indictment about uncovering the different networks operating in relation to the assassination. But analysis to identify the suspects is dealt with briefly, despite it being the indispensable link between the telecom data and each suspect. The little analysis provided indicates that uncovering the identity of the suspects was done by examining their usage of their own personal cell phones. The indictment uses the term PMP (Personal Mobile Phone) to refer to these personal phones. PMPs are used to contact the friends, family, and personal acquaintances of the suspects — that is, people not involved in the assassination and whose identity is more easily traceable. These people may have been questioned by the STL about the identity of the suspect they were in contact with. Alternatively, the investigators may have simply inferred the suspects’ identities by examining the list of people they contacted.
The Pre-trial Judge’s decision confirming the indictment does not exclude any of these two options, stating that the investigation was “based on the contacts called most frequently, the content of text messages, whether the phone was active or ceased being used and the use of the mobile phones near locations where these persons were allegedly found, as well as documentary evidence, statements or other types of evidence.”
Through co-location, the investigators found that both ‘A’ and ‘B’ used several PMPs, in addition to their color-coded phones. By investigating the people contacted by these PMPs, the indictment claims ‘A’ was identified as Salim Ayyash, and ‘B’ as Mustafa Badreddine.
While the indictment enumerates several incidents of co-location used to uncover the networks, no specific example of attribution is provided to identify those using the networks.
Paragraph 23 (b) of the indictment glibly states that “by identifying and then investigating persons who have been in contact with a PMP, the user of that PMP can be identified.”
Inexplicably, Purple network users do not appear to carry PMPs, according to the indictment. While it lists the PMPs used by ‘A’ and ‘B’, the Purple phone users only have Purple phones. It is then not clear how they were identified, since no other method of attribution is mentioned. One possibility is that the Purple phones were themselves used to call family and friends, and through this contact, it was possible to determine, using similar methods to identifying ‘A’ and ‘B’, the true identities of Purple phone users. This possibility, however, leaves unexplained why these two individuals, involved in arguably the most revealing part of the preparations, would not exercise the same degree of secrecy as the other phone users and use separate phones or personal calls.
The other possibility is that Purple network users had no personal phones at all. They might have been identified from eye witnesses at the mosque or security cameras in the area.
Ayyash Called: The Weakest Link?
The Purple phones however play a role in linking Ayyash to their operation. Two of the Purple phones were in the area of Abu Adass’s mosque for several days a week before his disappearance and one day after. These two phones were in contact with a third Purple phone, who in turn was in contact with ‘A’ on several of his personal phones.
But as mentioned earlier, the Purple network is involved in arguably the most revealing aspect of the plot: preparing a video to take responsibility for the assassination. Anyone who prepared or saw the video would have realized the final intent. That ‘A’ would not use a covert network phone to coordinate with the Purple network, but instead a more easily traceable PMP, requires explanation the indictment doesn’t provide.
The Digital Data Demise
Not a Perfect World
In addition to questions about the way telecom data was analyzed and the flimsy evidence provided regarding attribution, the authenticity of the raw data itself is questionable. In recent years, digital data has been increasingly accepted as admissible evidence in court proceedings. As with other forms of documentary evidence, its admissibility hinges on being relevant and not tampered with.
Verifying the validity of telecom data requires that the data provider, in this case the mobile company operating the network, discuss how the data is generated, stored, and produced, as well as list the safeguards in place to prevent modification of the data, or at least detect if a change has taken place. An independent communications analyst must then perform the same analysis on the data provided by the prosecution and obtain the same results. In his decision approving the indictment, Pre-trial Judge Fransen specifically states he did not examine if the Communications Report submitted by the prosecutor was an Expert Report.
But at least one network operator’s credibility, the Alfa network, is in tatters, and well-regarded experts find that Lebanon’s telecom data is anything but secure. Computer systems storing Lebanon’s telecom data have been allegedly compromised and tampered with by Israeli intelligence services. If the data itself is unreliable, any argument that relies on it will not hold.
Lebanese Telecom Infrastructure: Every Man’s Land
In November 2010, Lebanon’s telecommunications ministry held a press conference to discuss the results of a survey of the Lebanese mobile networks from a security standpoint.
The survey found that security procedures at the network operators were lax to non-existent. Passwords to servers at Operating Mobile Centers (OMC) were exchanged freely between the staff. Control systems were connected to the Internet without sufficient safeguards, providing remote access and control. Job candidates or potential suppliers were not subject to background security checks. In fact, one type of firewall used by a Lebanese mobile network is developed by an Israeli company with links to Unit 8200, Israel’s cyber warfare unit. The country’s mobile networks were simply not built with security in mind.
The security survey was triggered by the arrest of three employees at the mobile network operator Alfa on spying charges. One of those accused, Charbel Qazzi, allegedly confessed to providing the Israelis with maps showing cell tower locations and broadcast frequencies in 1996. This would allow the Israelis to identify towers to intercept or tamper with.
In 2007, by his alleged account, Qazzi provided his handlers the root passwords to Alfa’s OMC. Root access to any computer system allows total control of the system, including the ability to hide the fact that the system has been compromised. It would allow forging, modifying, and erasing data records. It also allows installation of software programs to monitor or disrupt communications, as well as to alter data records automatically in real time. In short, root compromise of a computer system would completely invalidate the authenticity of any data produced by the system.
According to the ministry, the Israelis had set up a number of listening towers at the border with Lebanon, which could intercept and eavesdrop on transmissions between cell towers of the Lebanese mobile networks. Because of the weak encryption codes used for transmissions, phone lines were easily tapped. This allowed the Israelis to eavesdrop on voice calls, as well as track mobile phone locations across a large swath of southern and eastern Lebanon.
Across all of Lebanon, cell phone towers are not physically protected and can be accessed by anyone who knows their location. This would allow installing equipment to change the tower’s behavior, such as notification of phone calls, disrupting operations, or forging phone calls.
SIM card security can and has been broken. SIM cards can be cloned and a phone call may use the cloned card’s phone number. The mobile network allows both cards to be active simultaneously, although it would indicate each was in a different handset and require further tampering to go undetected.
Possible vs. Probable Scenarios
Call Detail Records (CDRs) are stored on a database at the OMC. They can be modified by anyone with the database password. By manipulating the data in specific ways, an intruder can send an investigator down avenues of his choosing.
It is possible but not very probable, for example, that the entire data set of CDRs encompassing the color-coded networks, the PMPs, and their calls to other phones, was generated offline and then dumped into the database at one point in time. All the phone calls, their timing, and their location would have been fabricated in order to generate the narrative the prosecutor is now promoting.
But generating an entire history of communication, while feasible, is very complicated. Creating a believable pattern of communication that can withstand scrutiny is tricky, and depending on the logging and backups in place at the OMC, many data stores would need to be modified.
It is likely then that most of the phones implicated are real, and some were actually used by the assassination team. Instead of generating an entire data set, some of the links could be tampered with. One way to do this would be to link the actual networks on the ground, such as the Red network and the Purple network, with a framed person. Generating fake phone calls to and from the Blue and Green networks would place them in locations and times that are significant to the investigation. There would not have to be too many, just enough to make them complicit in the crime. This can be accomplished by obtaining the codes of the SIM cards of the targets, and using them at appropriate times and locations. Alternatively, the CDRs for the fake calls could be inserted into the database at the OMC.
One method that requires no generation of data is to change the locations of certain phones to coincide with the location of one of the network phones. For instance, by altering the CDR database, the datum locating a PMP phone would be altered to indicate a new location near that of a Red network phone in each record that includes the PMP, thus making it seem that the Red phone and the PMP are co-located.
In fact, if malware is installed on the OMC servers, this manufactured co-location could happen in real-time, as phone calls are made. Whenever a target uses their phone, the system detects it as a targeted phone, and ensures the current location of an assassin’s phone is used when generating CDRs and record logs. Because this data modification is generated as it happens and not superimposed later, it would be undetectable.
These methods of sabotage require that the phones of the targets you wish to frame be known in advance. The indictment states that some operatives were using several PMPs, which implies they kept changing their phone numbers. If this is true, one would have to constantly track the PMP the target is using. This is not impossible, but more challenging. If one has access to the entire communications database of the country, it would be possible to connect phone numbers to target, even if the identity of the user was unknown.
Suspecting Israel not Foolproof
However, the notion that Israel conspired to frame Hezbollah for the assassination of Hariri raises many questions itself. If Israel had access to the entire communications network, and Hezbollah operatives use this network, then why didn’t the Israelis use this information to locate and eliminate the operatives?
A more serious objection is that most of the Israeli spies caught in the past three years were discovered through analysis of their mobile phone calls. If the Israelis were so adept at manipulating telecom records of Lebanese mobile networks, why didn’t they do so to protect their spies?
There are speculative answers to these questions. But in any case, the defense team of the Hezbollah suspects does not have to present a counter narrative of who killed Hariri to argue against the prosecution’s case. The team need only establish the many cases of security compromises on the mobile phone networks and assess the prosecution’s data for evidence of tampering in order to rule the telecom data inadmissible.
The only way an investigative team could verify what really took place would be to spend the past half-decade probing the integrity of the data it used for its analysis, thereby confirming it against as many data stores as possible. It remains to be seen whether the STL trial judges will be content with the current evidence or seriously question the data's integrity.
Marwan Taher is a Beirut-based software developer with a background in computer engineering.
|Cell Phone Networks: How They Work|
|A cell phone network is made up of a patchwork of slightly overlapping coverage areas called cells. Each cell is served by a Base Transceiver Station (BTS), commonly referred to as a cell tower. A mobile phone connects to the mobile network via these towers, hopping from one BTS to the next as it leaves and enters their coverage areas. The size of the coverage area can vary, but in an urban city like Beirut, a cell tower typically covers a few city blocks.
A BTS is a relatively simple device tasked with sending and receiving data between a phone and the network. A BTS connects to a Base Station Controller (BSC), which is a more sophisticated piece of equipment. A BSC manages the BTS, providing control, monitoring, and logging facilities. A Base Station Controller can be connected to tens of cell towers.
A BSC will in turn connect to the Mobile Switching Center at the Operating Mobile Center (OMC). The OMC of a mobile network is a collection of computer servers that link the entire mobile network together. It integrates all the cell phone towers into one network, tracks the location of mobile phones connected to the network, connects and routes phone calls to the appropriate phone, provides a gateway to other phone networks, including the Internet, and generates records of its activities.
In the course of its operation, several data streams are created by the mobile network. Even when the phone is not being used to make calls, the OMC is constantly tracking which cell tower is in contact with the phone. The current location of each mobile phone is kept in a database called the Home Location Register (HLR). This is essential in order to route an incoming call to the phone. If the network operator maintained an archive of these locations, and not just the current one, it would be able to show the sequence of cell towers the phone connected to, whether it was making phone calls or not.
A phone connected to a BTS must by necessity be within the BTS’s area of coverage. Some networks record timing data and the specific BTS antenna used by a phone, which enables an operator to narrow down the location of a phone.
At the same time, even when not making calls, a mobile phone is in constant contact with nearby cell towers in order to determine which tower it should connect to. It initiates a connection with each tower to measure the signal strength, and then hops to the strongest one. If the mobile network kept a log of these connections, informally, a ‘handshake log’, then logs from multiple towers can be used to determine the location of the phone to within a few meters. This location data, if available, would allow continuous tracing of a phone as it moves through the city.
|Data Tampering Techniques and their Detection|
|The CERT Coordination Center at Carnegie Melon, one of the most well regarded groups in IT security worldwide, offer this advice in recovering a compromised computer system:
“Keep in mind that if a machine is compromised, anything on that system could have been modified, including the kernel, binaries, datafiles, running processes, and memory. In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise this machine may not be enough.”
Computer security might be described as a race between an administrator trying to protect an information system, and an intruder attempting to compromise it. The savvy administrator can take a number of steps to make the system more difficult to compromise successfully, or, at the very least, make any data tampering detectable.
Of course, the intruder could also modify these extra logs. But each extra modification is an added burden and presents added potential for mistakes. The intruder might miss a log or make an error in one of the modifications. Sometimes a log is not easily modified, and the only recourse for the intruder is to destroy the log to cover his tracks. This data loss would also indicate tampering.
If backups of the data are made on a periodic basis, then the current data can be compared against the old backups to detect discrepancies. Not all systems maintain such duplicate data. Often, an organization may only have backups for archival purposes, destroying the original data once it is backed up.
But again, with administrative access, even the backups can be modified or destroyed. The only way this can be avoided is by having off-site backups, where the backup is physically separated from the OMC and stored in another safe location. One hopes that Lebanese mobile operators take these precautions, but based on the historical record, this hope seems overly optimistic.
The previous security measures are only useful in detecting tampering after original data records have been generated. That is, an intruder accesses and attempts to modify data already there. By installing their own software on the system, however, an intruder can modify the very behavior of the system, causing it to generate invalid data in real-time as the system is operating. The forged or modified data would then be introduced into the running system and automatically present itself in all the logs and backups available. It would be undetectable.
The only recourse in this case is to look for anomalies in the data itself: mobile phones jumping too fast from one location to the next, phone calls made at odd hours of the day, phone calls made by the same SIM card using different handsets, or simultaneous phone calls from the same phone. These indicate artificially generated data, but rely on the intruder to have made a mistake. Such a mistake would affect all records, where a benign mistake in the original data would would affect some but not all records. At this level of sabotage, the contest depends on the foresight of the intruder and ingenuity of the investigator.
An example of the sophistication and complexity of malware is the Stuxnet worm, which targeted Siemens industrial software and equipment. The Stuxnet worm gained root access to Windows systems via previously unknown vulnerabilities in the Microsoft operating system and remained undetectable in its host. It targeted systems that controlled certain industrial machines by modifying the control programs generated by these system. It also deployed numerous tactics to shield its modification from detection by the system and by the equipment it disrupted.
The Stuxnet worm revealed the powerful talent for stealthy and sophisticated systems manipulation by its creator. It is alleged to have been developed by Israeli intelligence, specifically Unit 8200. Given what is already known about Israeli intrusions into Lebanese telecom networks, their technical capacity to capitalize on it should not be underestimated.