Cyber Espionage : The Triggerfish

ArsTechnica published some information on how the triggerfish has been used to retrieve information from cell phones, such as the electronic serial number (ESN), phone numbers and other information, without the users’ knowledge and without the help of the telephone providers[1]. It was used back in the 90s by the FBI to track legendary hacker Kevin Mitnick[2].

When cell phones are on, they automatically look for cell sites around them in order to connect to the telephone company network. They then connect to the one with the strongest signal, as it means better reception. The triggerfish antenna is a high-powered cell site simulator to which any cell phone near enough will connect, as the phone will treat it as a normal cell site. Once the mobile registers to the triggerfish and the user wants to make or receive a call, the mobile will send the mobile identification number (MIN), which is actually the phone number, the ESN, and cell site data, which contains the channel used, the sub-geographical location and all the incoming and outgoing data of the caller. It will also contain the outgoing or incoming MIN. According to the documents released by the ACLU, the triggerfish is able to display the following:

“If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site/simulator/triggerfish would include the cellular telephone number (MIN), the call’s incoming or outgoing status, the telephone number dialled, the cellular telephone’s ESN, the date, time and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected)”[3]

The same document also states that this device may be able to intercept the contents of the communication if the option is enabled. It’s important to note that the cell phone must be used to receive or send a call (SMS or web also) in order for the triggerfish to work, as data about the location of the phone will be sent in every data packet sent and received by the user. This is how organizations can track people using cell phones. Since mobiles always need to find new cell sites as the user moves around, geographical information has to be exchanged with the phone in order to locate the cell sites nearest to the mobile.

As noted above, the antenna needs to be stronger than the local cell site in order to pick up the registration of the mobiles. It therefore needs a lot of power and high gain. It also needs equipment such as a digital analyzer in order to make sense of the data intercepted by the triggerfish. And for tracking, it of course needs to be mounted on a truck to follow the signal.
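Seen from the defender's side, the strongest-signal rule described above leaves a trace: a cell that appears from nowhere and is much stronger than every cell normally seen at that spot. The sketch below is an added example, not taken from the cited documents; the scan log format, the cell and area names, and the 20 dB margin are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed handset scan log: (time, cell_id, location_area, signal_dbm).
# Every value is made up for illustration.
SCANS = [
    ("10:00", "C-101", "LA-7", -85), ("10:00", "C-102", "LA-7", -92),
    ("10:05", "C-101", "LA-7", -83), ("10:05", "C-102", "LA-7", -95),
    ("10:10", "C-101", "LA-7", -86), ("10:10", "C-102", "LA-7", -90),
    ("10:15", "C-101", "LA-7", -84), ("10:15", "C-102", "LA-7", -91),
    ("10:15", "C-999", "LA-42", -48),  # new cell, far stronger than the rest
    ("10:20", "C-101", "LA-7", -85), ("10:20", "C-999", "LA-42", -47),
]

def serving_by_time(scans):
    """Selection rule from the text: at each scan the phone picks the strongest cell."""
    best = {}
    for ts, cell, _area, dbm in scans:
        if ts not in best or dbm > best[ts][1]:
            best[ts] = (cell, dbm)
    return {ts: cell for ts, (cell, _dbm) in best.items()}

def suspicious_cells(scans, baseline_until, margin_db=20):
    """Flag cells first seen after the baseline window, with the reasons why."""
    history, known_areas = defaultdict(list), set()
    for ts, cell, area, dbm in scans:
        if ts <= baseline_until:
            history[cell].append(dbm)
            known_areas.add(area)
    if not history:
        raise ValueError("baseline window contains no scans")
    strongest_known = max(mean(levels) for levels in history.values())
    findings = {}
    for ts, cell, area, dbm in scans:
        if ts <= baseline_until or cell in history or cell in findings:
            continue
        reasons = []
        if dbm >= strongest_known + margin_db:  # assumed threshold, tune per site
            reasons.append("signal far above baseline")
        if area not in known_areas:
            reasons.append("unknown location area")
        if reasons:
            findings[cell] = (ts, reasons)
    return findings

if __name__ == "__main__":
    print(serving_by_time(SCANS))
    print(suspicious_cells(SCANS, baseline_until="10:10"))
```

Neither signal is proof on its own, since a newly commissioned genuine cell site would look the same, so a finding is a prompt for investigation rather than a verdict.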

Anyone can build something very similar to the triggerfish by using an IMSI catcher. An IMSI catcher can be used to intercept GSM phone calls and uses the same tactic as the triggerfish: simulating a cell site. It then relays data to a genuine cell site in the area. To do that, the IMSI catcher needs a SIM card, and it then appears to the genuine cell site as a mobile phone. In other words, the IMSI catcher acts as a man-in-the-middle between the mobile phone and the genuine cell site.

Diagram representing the man-in-the-middle attack using an IMSI catcher[4]

Even if it works in the same way as a triggerfish, the IMSI catcher has some serious drawbacks, among others[5]:

  • “It must be ensured, that the mobile phone of the observed person is in standby mode and the correct network operator is found out. Otherwise, for the Mobile Station, there is no need to log into the simulated Base Station.

  • All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers.

  • […] Since the network access is handled with the SIM/USIM of the IMSI Catcher, the receiver cannot see the number of the calling party. Of course, this also implicates that the tapped calls are not listed in the itemized bill.

  • The assignment near the Base Station can be difficult, due to the high signal level of the original Base Station.”

IMSI catchers can be found online. They are sold by Rohde & Schwarz. You could buy the GC128 GSM Communication Unit R&S and apply the firmware to transform it into an IMSI catcher.

See also:

“Electronic Surveillance Manual”, U.S Department of Justice, June 2005

“IMSI Catcher”, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13, 2007

[1] “FOIA docs show feds can lojack mobiles without telco help”, Julian Sanchez, ArsTechnica, November 16, 2008, (accessed on November 18, 2008)

[2] “Computer hacker Kevin Mitnick”, Michael Cooke,, 2002, (accessed on November 18, 2008)

[3] “Electronic Surveillance Book : XIV Cell Site Simulators/Digital Analyzer/Triggerfish”, Electronic Surveillance Unit, Department of Justice, June 2005, p.40

[4] “IMSI Catcher”, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13, 2007, p.14

[5] Ibid. p.16

High-tech Cheating

A man and a woman, Steve Lee and Rong Yang, were convicted last week and given eight months in prison after helping two Chinese men cheat on their immigration exams, according to a news report from the Metropolitan Police Service[1]. The duo was monitoring the examination from a vehicle outside the building with laptops, transmitters and other equipment.

“Lee and Yang were clearly involved in a sophisticated operation using some of the best surveillance technology available worth thousands of pounds. When we first arrived at the scene it was very confusing as to what exactly was going on.”

It’s hard to tell what the “best surveillance technology available worth thousands of pounds” was, since no detailed equipment list was given, but we might expect this to be largely exaggerated. The report states that Zhuang, the examinee, was given “tiny buttonhole cameras sewn in, a microphone and a small ear piece”. With this equipment, the information was transmitted back to Lee and Yang, who told Zhuang the answers to the questions.

“Best surveillance equipment” found in the car

I decided to look up the equipment needed to conduct such an operation. The following material can be found on the net without looking very hard:

· Wireless Button Camera – £226.37

· Wireless Microphone – £133.13

· Wireless Earpiece – £134

· Laptop – £429

· Wireless Router – £51

Total: £973.5

Unless I’m forgetting something worth more than £1000, this is far from being “thousands of pounds”. And I’m quite sure you can get these items cheaper if you look on eBay.

Anyway, the cheaters were caught after a member of the public reported seeing Lee and Yang sitting in a silver BMW with wires running from under the hood to the inside of the car.

Sergeant Dominic Washington, who first responded to the call from the public, said:

“However, working with colleagues from across the borough and the Met we believe that we have uncovered an established criminal enterprise that may be in operation in other parts of the country.”

No, I don’t think so… but this might give ideas to others. And why were there wires under the car?

[1] “Two convicted for immigration test scam”, Metropolitan Police Service, November 14, 2008, (accessed on November 17, 2008)

White House Hacked by Chinese Several Times

An unnamed senior US official has declared to the Financial Times that the White House computer network was the victim of numerous cyber attacks from China. According to the same official, the attackers had access to e-mails for short periods of time[1].

The unclassified network of the White House was breached numerous times by the attackers, who may have stolen information. The sensitivity of the information accessed is not specified, but since it was on the unclassified network, no data of value should have been viewed by the hackers. The attacks were detected by the National Cyber Investigative Joint Task Force, an agency created in 2007 and under the FBI[2].

No one from the American or Chinese side commented on this event. This declaration comes after many cyber attacks in previous years, blamed every time on the Chinese or the Russians. In 2007, the Pentagon claimed to have been hacked by the cyber division of the People’s Liberation Army (PLA)[3]. It has been known for a while now that China has developed advanced cyber warfare capabilities and has gained a lot of experience.


[1] “Chinese hack into White House network”, Demetri Sevastopulo, The Financial Times, November 6, 2008, (accessed on November 7, 2008)

[2] “New US National Cyber Investigative Joint Task Force Will Be Led by FBI”, ILBS, April 28, 2008, (accessed on November 6, 2008)

[3] “Pentagon: Chinese military hacked us”, Lewis Page, The Register, (accessed on November 6, 2008)

Both U.S Presidential Campaigns Hacked

Newsweek reports that the computer systems of Mr. Obama and Mr. McCain were both hacked by unknown attackers during their campaigns[1]. Very little information is available, but according to Newsweek, the FBI and the Secret Service claimed that several files from the Obama servers had been compromised by a “foreign entity” in midsummer. The same happened to the McCain campaign.

According to the FBI, documents were stolen by foreign powers (probably Russia or China) in order to gather information for future negotiations.

But the former director of technology for the 2004 presidential campaign of Rep. Dennis Kucinich expressed skepticism about the claims. Henry Poole from CivicActions, a firm that offers Internet campaign consulting services, said “It’s unlikely that either campaign would have stored sensitive data on the same servers that were being used for public campaigning purposes”[2].

It is unclear if anyone got compromised at all. If so, why would the FBI and Secret Service report such events? Hopefully there is more to come on this…

See also:

“Hackers and Spending Sprees”, Newsweek, November 5, 2008, (accessed on November 6, 2008)

“Both US political campaigns got hacked”, Egan Orion, The Inquirer, November 6, 2008, (accessed on November 6, 2008)

[1] “Hackers and Spending Sprees”, Newsweek, November 5, 2008, (accessed on November 6, 2008)

[2] “Report: Obama, McCain campaign computers were hacked by ‘foreign entity'”, Jaikumar Vijayan, ComputerWorld, (accessed on November 6, 2008)