A new exposé in The Intercept reveals how software imposed on mobile operators allows the Iranian government to monitor and interfere with the communications of opponents of the current regime. The system, codenamed ‘SIAM’, gives the government the ability to:
- break the encryption of calls;
- track a phone user’s movements;
- identify all phones currently in a particular location;
- analyze all the contacts of a phone user; and
- interrupt or slow the user’s internet connection.
The country is entering its seventh week of unrest following the death of 22-year-old Mahsa Amini, who was reportedly beaten after being jailed by Iran’s morality police. Demonstrations around the country have led to 185 killings of protestors by security forces as the authorities struggle to contain the anger of ordinary Iranians.
The state’s methods of oppression are both physical and digital, and it is common knowledge that Iran’s internet is often slowed or disconnected during periods of civil disobedience, as also occurred at the beginning of the latest wave of protests. However, little was previously known about the technological capabilities of Iran’s internal security agencies. A self-described hacker responded to the latest crackdown by giving The Intercept two manuals for SIAM, a system used by Iran’s Communications Regulatory Authority (CRA) to surveil and control services provided to all mobile phone users in the country. The manuals were reportedly taken from Ariantel, an Iranian mobile virtual network operator (MVNO) founded in 2016, as corroborated by years of leaked email correspondence involving Ariantel employees and the Iranian government. Per one of the hacked manuals:
Based on CRA rules and regulations all telecom operators must provide CRA direct access to their system for query (sic) customers information and change their services via web service.
The Intercept has published two documents provided by the hacker. The aforementioned quote comes from the English-language specification of an API to extract data from communications providers. This was seemingly translated from Persian for use as part of a proposed contract with a Spanish telecom business. Queries using this API would allow the authorities to search for data using a phone number, MAC address or name, and then receive data for matching users that includes:
- MSISDN
- IMEI
- IP addresses used to connect to the internet
- family name and father’s name
- passport number (for visitors from other countries)
- birth certificate number
- postal address
- name of company for corporate users
- a history of the user’s CDRs (call detail records)
- a history of websites visited
The API specification included rules for instructions sent from the CRA to comms providers. For example, telcos could be ordered to forward a user’s calls to another number. Another function called ‘Force2GNumber’ would disable 3G and 4G access for the stated user, effectively limiting the quality of the user’s service and denying them the privacy protection enabled by later generations of networks, since 2G relies on far weaker encryption than 3G or 4G. The API would also permit the regulator to tell the comms provider to immediately kill the user’s data session or suspend the user’s service for a period of 1 day, 3 days, 1 week, 15 days or permanently. But perhaps the most frightening function involved the comms provider returning a complete list of all MSISDNs and IMEIs of phones in a given location.
A second SIAM manual published by The Intercept appears to contain similar material, but in the original Persian. This manual refers to the same English-named functions, including ‘Force2GNumber’. The Intercept’s analysis suggests this document originated with the security function of the CRA, and was sent to Ariantel from an email address used by the CRA.
Websites like Commsrisk cannot deliver a better world, but we can ask readers to take responsibility for the change they want to see. I know some readers will have offered products and services that could be used as instruments of oppression to governments that should not be trusted with them. It is not difficult to see how tools originally designed for lawful intercept, data analysis or fraud prevention could be used to bludgeon human rights. In 2012, US President Barack Obama issued an executive order that sanctioned Iran’s Communications Regulatory Authority, but the European Union and other countries did not follow his lead.
I vividly recall one occasion when I found myself in the office of an executive who was trying to sell an ‘anti-fraud’ system to Iran. His system offered disturbingly similar functionality to that described for SIAM. The salesman volunteered information about the deal without any sense of shame, as if I should be impressed by his pursuit of a contract with one of the most authoritarian governments in the world. He seemingly had not considered the nature of the customer he was pursuing, or the risk of delivering a system that could readily be used for nationwide surveillance. I am ashamed to admit that I did not confront that salesman because I made that visit in order to finalize a sponsorship agreement for my nonprofit association, the Risk & Assurance Group. I regret not behaving differently on that occasion, and I now become angry when I see him regularly using social media to portray himself as a moral businessman. Software companies may feel like they are only trading in the ability to process data, but such data can alter the course of a human life.
Look here for all The Intercept’s revelations about SIAM.