The secretive use of IMSI grabbers in the UK is set to receive oversight from the Interception of Communications Commissioner's Office (IOCCO).

IOCCO is awaiting a formal request from the Prime Minister to provide oversight of the use of mobile phone eavesdropping devices in prisons, its head has confirmed to The Register.

Known as “IMSI grabbers” in the UK but more widely as “IMSI catchers”, the eavesdropping devices pretend to be mobile phone masts as part of a man-in-the-middle attack which forces devices to transmit their International Mobile Subscriber Identity number.

The Register has been told that IOCCO has been informally asked to examine the use of these devices, but only in prisons. The office is still awaiting a formal request from the Prime Minister, but has been informally notified of the coming task which will form part of its increased examination of the interception of prisoners' communications.

Matthew Rice, an advocacy officer at Privacy International, told The Register that IMSI grabbers were a significant privacy concern, describing the devices as “a particularly intrusive 'dragnet' approach to surveillance. If you're in the wrong place at the wrong time, anyone's mobile phone, email and text communications can be intercepted.”

IMSI grabbers, while a communications interception capability, are not currently part of IOCCO's oversight remit. Instead their use falls under the oversight of the considerably less public Office for Surveillance Commissioners (OSC) which scrutinises covert surveillance in the UK with an equal degree of covertness.

While the use of IMSI grabbers has never been avowed by a police force in Blighty, an investigation conducted by Privacy International and Vice, broadcast in a documentary titled Phone Hackers: Britain's Secret Surveillance, seemed to reveal their widespread deployment around London.

Earlier this year, requests made under the Freedom of Information Act by Scottish outlet The Ferret managed to snag the first confirmation on the use of the devices in the UK. It found that the Scottish Prison Service had deployed IMSI grabbers in a £1.2m pilot project to prevent use of mobile phones in prisons, although it was also revealed that this was only partially successful as prisoners “developed innovative countermeasures” to deal with the devices.

“Recent reports of trials of this technology in prisons is particularly alarming,” Rice stated. “For no other reason than because they happen to live near a prison, innocent members of the public could have their phone details logged or even their services blocked. This is unacceptable.”

Rather than the OSC, IOCCO has been tasked with looking into the use of IMSI grabbers in prisons because of the differences between the two oversight bodies' roles. Use of the devices in prisons is permitted not under Part II of the Regulation of Investigatory Powers Act 2000, which covers covert surveillance, but under the Prisons (Interference with Wireless Telegraphy) Act 2012.

The OSC oversees covert operations conducted under Part II of RIPA and the Police Act 1997, while IOCCO, which has shown a greater commitment to public engagement (spearheaded by Joanna Cavan, who is soon to head to GCHQ), has a broader remit to oversee snooping in other areas, even where such oversight is directed by the Prime Minister rather than by statute.

Speaking to journalists ahead of the release of IOCCO's annual report for 2015, which revealed that 86.2 per cent of all items of communications information collected by the State last year were related to telephone comms rather than internet ones, Cavan said that it was “not enough any more to be tied to the strict Parliamentary timetable, and to have to wait to lay reports in Parliament, so we're very keen going forward to continue to publish as we go along and put as much out there [as we can].”

Before joining IOCCO, Cavan worked as an interception and digital forensics specialist and appeared as an independent expert witness in forensic telecommunications cases, particularly regarding the location analysis of base transceiver stations (mobile phone masts). As she will join GCHQ's tech help desk in the coming weeks, however, she will not form part of IOCCO's oversight team into the use of IMSI grabbers in prisons.

As noted on page four of IOCCO’s annual report for 2015, the office's additional oversight functions in regards to interception under the Prisons Interference with Wireless Telegraphy Act 2012 will only apply to England and Wales, not interception in Scotland. IOCCO has agreed to undertake this additional oversight “subject to receiving a formal direction from the Prime Minister and some additional resources.”

Privacy International was scathing of the existing oversight regime, telling The Register: “The oversight of the deployment of IMSI catchers in prisons is similar to the oversight of the deployment of IMSI catchers by law enforcement and intelligence agencies: Woeful.”

It is as though the bodies charged with oversight (IOCCO and OSC) were happier to leave their oversight in the dark while the use of the technology became an open secret. Steps taken until now have been disappointing to say the least. As the surveillance powers available for law enforcement are set to expand, the bodies charged with oversight need to seriously consider whether they have the capacity and the expertise to effectively execute that most important responsibility: Building trust with the public.

IMSI, aka Idiots Missed Security Implementation

Although the Global System for Mobile Communications (GSM) standards were developed by the European Telecommunications Standards Institute (ETSI) as a secure means of wireless communication, the specifications require the mobile device to authenticate itself to the network using its IMSI (International Mobile Subscriber Identity) – but do not require the network to authenticate itself back to the mobile device.

This long-known security shortcoming has proved difficult to defend against, because anyone able to spoof the network itself can exploit it. As mobile devices maximise signal strength by selecting the nearest base transceiver station, IMSI grabbers often lie about their location and so force devices to communicate with them.

Additionally, once the connection between the base station and the mobile device is established, it is the base station that selects the encryption mode used on that connection. A malicious actor can therefore force a mobile device to communicate in plaintext, leaving its communications visible to the man in the middle.
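The two design weaknesses just described, one-way authentication and network-chosen ciphering, are easiest to see in a toy model. The following is an added example, not code from the article or from any real GSM stack: it simulates the attach exchange from the phone's side against a genuine network and a rogue base station, and shows how two phone-side policies (requiring the network to prove knowledge of the subscriber key, as 3G AKA does, and refusing an unciphered A5/0 link) close the gap. All names, keys and the HMAC stand-ins for A3 are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy model of the GSM attach described above; not a real GSM stack.
# KI is the subscriber key shared only between the SIM and the home network.
KI = b"constructed-subscriber-key-example"

def a3_sres(ki, rand):
    """Stand-in for A3: the phone's answer to the network's challenge."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def net_auth_token(ki, rand):
    """3G-style AUTN: proof the challenger also knows Ki. GSM has no equivalent."""
    return hmac.new(ki, b"AUTN" + rand, hashlib.sha256).digest()[:8]

class GenuineNetwork:
    def __init__(self): self.rand = os.urandom(16)
    def autn(self): return net_auth_token(KI, self.rand)
    def verify(self, sres): return hmac.compare_digest(sres, a3_sres(KI, self.rand))
    def cipher_mode(self): return "A5/1"

class RogueBaseStation:
    """Does not know Ki: cannot prove itself, accepts any SRES, orders no cipher."""
    def __init__(self): self.rand = os.urandom(16)
    def autn(self): return os.urandom(8)
    def verify(self, sres): return True
    def cipher_mode(self): return "A5/0"

def attach(network, require_net_auth=False, refuse_a5_0=False):
    """Run the attach from the phone's side and return the resulting link state."""
    sres = a3_sres(KI, network.rand)            # the phone authenticates to the network
    if not network.verify(sres):
        return "rejected by network"
    # Plain GSM gives the phone nothing to check at this point; AUTN closes that gap.
    if require_net_auth:
        expected = net_auth_token(KI, network.rand)
        if not hmac.compare_digest(network.autn(), expected):
            return "aborted: network failed to authenticate"
    mode = network.cipher_mode()                # chosen by the network, not the phone
    if refuse_a5_0 and mode == "A5/0":
        return "aborted: unciphered link refused"
    return f"connected ({mode})"

if __name__ == "__main__":
    for name, net in (("genuine", GenuineNetwork()), ("rogue", RogueBaseStation())):
        print(name, "legacy phone:  ", attach(net))
        print(name, "hardened phone:", attach(net, require_net_auth=True, refuse_a5_0=True))
```

With the default policy the rogue station is accepted and the link comes up unciphered; either hardening check on its own is enough to abort that attach while the genuine network still connects.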

“Questions must be asked of our mobile manufacturers and mobile phone operators about what they are doing to combat the use of IMSI Catchers,” Privacy International's Rice told The Register.

By the time of publication a spokesperson for Number 10 had not confirmed when the Prime Minister would formally ask IOCCO to audit IMSI catcher usage. ®