Serbia’s BIA intelligence agency has been listed among likely users of controversial software that enables it to locate every phone in the country in seconds – in a report issued by Citizen Lab, a specialist in surveillance issues.
In research published on Monday, Citizen Lab, an Institute of the University of Toronto that specializes in surveillance issues, listed 25 countries and agencies – including Serbia’s Security Information Agency – that use the software of the Israeli company Circles, which enables the user to locate every phone in the country in seconds.
Founded in 2008, Circles reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the locations of phones around the globe.
Circles is a part of NSO Group, an iPhone and Android spyware developer that is being sued by Facebook over attacks on the accounts of 1,400 WhatsApp users.
It has also been criticized for selling its services to governments that use it to spy on activists, journalists and other citizens, according to Forbes.
Circles, whose products work without hacking the phone itself, says it sells only to nation-states, but Citizen Lab’s research, based on leaked documents, shows that clients can purchase a system that they connect to their local telecommunications companies’ infrastructure, or they can use a separate system called the “Circles Cloud,” which interconnects with telecommunications companies around the world.
According to Citizen Lab, likely Circles customers include governments in Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Thailand, the United Arab Emirates, Vietnam, Zambia and Zimbabwe.
Bill Marczak, from the University of California in Berkeley, a senior research fellow at Citizen Lab, said the investigation should raise awareness of the wider issues. “We hope this report enables people to ask more precise questions and perhaps even improve the regulation of the field, which today operates as if it were the Wild West,” Marczak told Calcalist.
But an NSO spokesperson told Forbes in the name of both NSO and Circles that they operate with “a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate”.
“We cannot comment on a report we have not seen. Given Citizen Lab’s track record, we imagine this will once again be based on inaccurate assumptions and without a full command of the facts. As ever, we find ourselves being asked to comment on an unpublished report from an organization with a predetermined agenda,” the spokesperson said.
The technique used by the Circles tech is known as Signaling System 7 (SS7) exploitation. SS7 is a protocol suite developed in 1975 for exchanging information and routing phone calls between different wireline telecommunications companies, the Citizen Lab report says.
In its research, the Toronto-based laboratory notes that while abuse of the global telephone system for tracking and monitoring is believed to be widespread, it is difficult to investigate. When a device is tracked or messages are intercepted, there are not always traces on the target’s device, the report warns.