For $20M, These Israeli Hackers Will Spy On Any Phone On The Planet
With just a few million dollars and a phone number, you can snoop on any call or text that phone makes – no matter where you are or where the device is located.
That’s the bold claim of Israel’s Ability Inc, which offers its set of bleeding-edge spy tools to governments the world over. And it’s plotting to flog its kit to American cops in the coming months.
Ability’s most startling product, from both technical and price perspectives, is the Unlimited Interception System (ULIN). Launched in November last year, it can cost as much as $20 million, depending on how many targets the customer wants to surveil. All a ULIN customer requires is the target’s phone number or the IMSI (International Mobile Subscriber Identity), the unique identifier for an individual mobile device. Got those? Then boom – you can spy on a target’s location, calls and texts.
This capability is far more advanced than that of IMSI-catchers (widely known as StingRays), currently used by police departments in the United States. IMSI-catchers can help acquire a target’s IMSI number, as well as snoop on mobiles, but only if the target is within range.
ULIN has no such geographic limitation. A quarterly update document, posted only on May 2, spells out the tech’s power: “ULIN enables interception of voice calls, SMS messages and call-related information of GSM/UMTS/LTE phones, without the need to be close to the intercepted phone and without the consent of mobile network operators and requires only the mobile device’s phone number or IMSI. Customers can use ULIN to intercept calls, and gather other information, from anywhere in the world.”
Ability’s tool exploits a weakness resident in SS7, the Signalling System No. 7. A core part of the world’s shared networking infrastructure, SS7 helps route calls between different carriers and switching centers. Service providers often use SS7 to support communications in areas where the customer’s normal network isn’t available, such as when the user is abroad. For instance, when a Verizon user is holidaying in Spain, local carriers will use SS7 to “speak” with the customer’s operator to determine who provides its service.
Hackers, however, use weaknesses in the SS7 network for a number of nefarious purposes, for instance to forward calls heading to voicemail to their own devices. They can do this because wireless networks do not have the necessary safeguards to block these attacks. Concerns around SS7 have led House Democrat Ted Lieu to demand a Congressional investigation, and the Federal Communications Commission has launched its own probe.
Previously, government contractors selling SS7 exploitation tools had to work with wireless service providers to access the SS7 network. These tools, according to a Washington Post report in 2014, were only able to detect users’ locations, not intercept communication. Ability, however, can do much more.
According to documents seen by FORBES, one of which was leaked by an anonymous source (published below and on Document Cloud), Ability’s ULIN service allows it to locate targets and snoop on calls and texts – without any assistance from the cellular networks. According to whitehat hacker Drew Porter from security consultancy Red Mesa, this is technically feasible, and could be done in two ways: by hacking the SS7 network or by leasing a system from a carrier that has the ability to “talk” to large parts of the network.
Porter noted the first option is “preferred because you really don’t need any carrier cooperation.” The second would require some kind of contract, which would be “less ideal,” he added, as it may allow interested parties to trace the interception back to the true spy or surveillance vendor. Ability could also have built its own infrastructure that can send messages across the network.
Regardless of how Ability is able to spy on mobiles over SS7, it has its hands on a powerful product. Direct hacks on mobile devices typically require the use of malware and exploitation of software vulnerabilities – themselves a costly commodity – and run the risk of detection. Accessing a mobile device through SS7, however, can provide access to much of the same information with little danger of detection by the target.
While Others Talk, We Intercept
Proven Ability in interception and decryption
Our core focus has been the development of field-proven systems for off-air interception of cellular and satellite communications.
We are also highly acclaimed for our proven expertise in the decoding and deciphering of intercepted communications.
Our ABILITY to combine superior interception systems with state of the art decryption systems means that we can provide fully integrated solutions that are not only solid in theory – but also robust in practice!