/ 29 November 2015

How cops and crooks can ‘grab’ your cellphone – and you

WBS has not been able to capitalise on all its valuable ­spectrum
WBS has not been able to capitalise on all its valuable ­spectrum

October 31 2005. The global “War on Terror” is in full swing, with 9/11 still fresh in everyone’s memories. The United States is at war with Iraq and Afghanistan, determined to eliminate al-Qaeda and the Taliban.

About 8 000km away, in the town of Estcourt in KwaZulu-Natal, ordinary families settle down for an evening meal. But this calm is about to be shattered for Pakistan-born schoolteacher Khalid Rashid.

A group of men, in civilian dress and armed with AK-47 rifles, pull up in 4×4 vehicles at the house where he lives. The men, members of South Africa’s police crime intelligence service, have come for him.

Yasmin Omar, who later fought a legal battle for Rashid’s release, said witnesses reported seeing the police break down the door, fling furniture around and put an abrupt end to his dinner. He was taken to the Cullinan police station 450km away and detained. On the night of November 6, he was flown out of the country on an unscheduled flight.

In a phone call to Omar after his release about two years later, Rashid said that, after leaving South Africa, he did not know where he was taken to because he was hooded while being flown between locations. This continued for almost two years.

Omar said Rashid was taken from South Africa to an unknown port of entry in Kenya. “From Kenya, we aren’t certain; at that stage investigations suggested he may have been taken to the Channel Islands. Others suggested Guantánamo,” she said, adding that Rashid told her that during this time he had been tortured: “He was waterboarded, he was incarcerated, they put on a light continuously so that he wouldn’t fall asleep.”

Rashid was released and taken back to his hometown of Lahore in Pakistan about two years after his deportation. This only happened once Amnesty International threatened to go to the International Criminal Court and said steps would be taken to arrest the president of Pakistan and other officials attached to Pakistani and South African intelligence services, Omar said.

In March 2009 South Africa’s Supreme Court of Appeal ruled Rashid’s detention and deportation had been unlawful, because a warrant hadn’t been obtained in terms of the 2002 Immigration Act.

Rashid came to South Africa from Pakistan “a few months” before his deportation, according to court documents. The court did rule his arrest was lawful however: it found he was an illegal foreigner.

Omar stands by her client, saying the incident took place at a time when people became terror suspects because “they were dressed in a particular way and they had a beard big enough. If he was not innocent, why aren’t charges brought against him? Why was he not arrested and detained and charged, and a proper trial carried out for him?”

Rashid had wanted to try to start a new life in South Africa, but, said Omar, he has been too afraid to return.

Behind Rashid’s capture lies a powerful piece of surveillance equipment: a “grabber”, used to locate the exact position of a cellphone.

On October 31 2005, according to a former crime intelligence official with knowledge of the case South African police crime intelligence officials pinpointed Rashid’s location with a grabber: it was believed he’d aided al-Qaeda in the 9/11 attacks.

The grabber, generally installed in the back of a van, consists of a laptop, one or more antennae and a compact base station the size of a shoebox or desktop computer tower, depending on the model. It forces a cellphone to connect to it instead of a real cellphone tower.

The person surveilling the phone tracks its whereabouts and monitors the communications in real time. They could keep track of someone in a crowd, or their vehicle could be parked outside a suspect’s house.

Grabbers work over a short range – the target must be in a radius of about 1?000m of the device, again depending on the make or model. When the grabber is working, there is no interruption of cellphone service. The call is passed by the grabber to the real network.

A person won’t know whether they are being targeted and nor will their service provider.

Grabbers have varying capabilities: a basic model can only detect a phone’s location, but more sophisticated versions can monitor the conversations, SMSes, internet communications and messenger services of a single phone. Others can intercept thousands of mobile phones’ communications simultaneously, and store them. Some can also scramble cellphone signals within their range.

The private ownership of grabbers is illegal.

Last Friday, Parliament’s joint standing committee on intelligence expressed concern in a media statement about the illegal use of grabbers, particularly about “whether at all a member of the crime intelligence unit might have been moonlighting without permission to conduct matters of crime intelligence” with a grabber.

This comes after it emerged this year that crime intelligence official Paul Scheepers was allegedly found in possession of one of these devices. The Hawks are investigating to determine whether he used it illegally.

On July 31, Independent Media reported that two men were arrested at Centurion’s Irene Village Mall for being in possession of a grabber. It also reported that state intelligence officials were looking for two other grabbers in private hands.

But a countersurveillance expert with ties to the intelligence community told the Mail & Guardian there were currently as many as six grabbers in private hands. He added these were usually used illegally by, for example, moneylenders to locate evasive debtors.

A private investigator told the M&G that, about two years ago, he heard about a Gauteng man who was renting a grabber for R25 000 a day to anyone who could afford it. He said many of his clients were worried they were being intercepted by grabbers and he was considering buying a grabber-detecting device.

The Hawks did not respond to the M&G’s questions about the extent of the threat that privately owned grabbers posed to the public.

Gauging the prevalence of private citizens’ use of grabbers in South Africa is difficult, as is determining the capacity of local law enforcement agencies to use the devices.

Brian Dube, spokesperson for the State Security Agency, said policy did not allow them to “disclose operational details and capabilities”.

Though police did not respond to the M&G’s questions, three sources provided different answers about the use of grabbers by police crime intelligence.

According to a former crime intelligence officer, five years ago police crime intelligence had at least three grabbers: one bought in 2001, and the others in about 2005.

Another private investigator, with ties to the police, said they had about one grabber for each province. A third source, who is an expert in cellphone security, said police had no more than four grabbers nationwide.

The same three sources say grabbers used by police crime intelligence in South Africa have limited capabilities. According to the private investigator, the police’s grabbers can only be used to locate a suspect.

The cellphone security expert confirmed this, but the former police crime intelligence official said at least one grabber at police crime intelligence in Pretoria could be used to locate a target, listen in on one phone call at a time, and intercept SMSs and manipulate them.

“So, if I send a message that says: ‘Hello, John,’ they are able to intercept that message and change it to say: ‘Bugger off, John!’” Both caller and receiver will be unaware of the manipulation.

The M&G was unable to establish what legal procedures law enforcement agencies were obliged to follow before using grabbers to address crime.

The State Security Agency declined to comment when the M&G asked it which laws regulated law enforcement agencies’ use of grabbers.

Last Friday, however, Parliament’s joint standing committee on intelligence said it would “revisit” legislation pertaining to telecommunications interception – specifically the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica).

Before the state’s law enforcement agencies can monitor a person’s telecommunications, Rica compels them to apply for an interception order from a designated judge. The committee said it would look at whether Rica needed strengthening in the “likely event that the judge is not sufficiently empowered to deal with matters such as grabbers”.

According to the former crime intelligence officer, and a second source who is a legal expert on surveillance in South Africa, the use of grabbers by local law enforcement agencies has not been regulated.

Asked whether police crime intelligence ever followed any legal protocols required to intercept communications in South Africa before using a grabber, the former crime intelligence official answered: “No! No. That stuff is all illegal … All of it! Where are you going to find a judge who you can convince to quickly approve the thing for you on a 12-hour basis, in a place like Newcastle or Estcourt?”

Law enforcement agencies, it seems, don’t follow legal procedures involving the service provider to authorise the use of grabbers: “Mobile network operators have nothing to do with the grabbers,” the cellphone security expert said.

Cellphone grabber technology

This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science

Can I buy a grabber?

Firstly, you would have to locate one. If you are lucky enough to find a local “street” vendor, you would pay about R30-million.

If you cannot find one, and cannot borrow one from the local cop shop, you may have to import one; but you’d need industry connections. According to a counter-surveillance expert with ties to the South African intelligence community, grabbers can be disassembled, shipped in pieces, and reassembled once all the parts arrive.

According to crime intelligence officials who spoke to the Mail & Guardian, something the size of a grabber could be brought in a diplomatic bag. Countries can ship goods to their embassies in other countries and the package won’t go through customs.

Said a former military intelligence official: “You can transport anything in a diplomatic bag. We used to send wine.”

At the time of going to press, the police’s crime intelligence unit had not responded to questions. – Heidi Swart

Short history of a sinister surveillance tool

The grabber has been available to law enforcement agencies since at least the early 1990s. In 1993, for instance, international electronics manufacturer Rohde & Schwarz produced a grabber known as the GA900. The Harris Corporation, in Florida in the United States, first introduced its version of the grabber, the Stingray, in 2001.

There are several other international manufacturers of grabbers, such as Meganet, Gamma Group, Digital Receiver Technology and Ability, to name a few.

Globally, there is a concern for the threat grabbers pose to citizens’ privacy, largely because they can be used without the knowledge of the service provider or the mobile user. They can, if sufficiently advanced, collect vast amounts of data from people who, perchance, are close to the targeted suspect.

South Africa is not the only country where grabbers have been detected: the Wall Street Journal reported in a 2014 article that the US Marshals Service had used grabbers to collect data from thousands of mobile phones.

Specifically, grabbers produced by Digital Receiver Technology, known as “dirtboxes”, were placed aboard five Cessna aeroplanes that scoured the US from 2007, indiscriminately recording cellphone communications from thousands of people across the country.

In 2011 the Guardian reported that, to the dismay of civil liberty advocates, London’s Metropolitan Police Service had purchased at least one grabber.

In June, in an unrelated report, Sky News found more than 20 instances where grabbers were active in London over a three-week period. Sky couldn’t establish whether these grabbers belonged to law enforcement agencies or criminals. Neither the Metropolitan Police Service nor the country’s National Crime Agency would provide details. They said they didn’t want to compromise their operations by speaking about them to the press.

In December 2014, Norwegian newspaper Aftenposten reported that, with the assistance of two private security companies, it had located no fewer than six grabbers in Oslo, and within range of Parliament and other branches of the government. – Heidi Swart