Weaknesses in the Signalling System 7 or SS7 suite of protocols, which were developed in 1975 for information exchange and routing of calls between different telcos, were being exploited to carry out the surveillance, the organisation claimed. When SS7 was developed, there was no pressing need to include authentication or access control.
Circles is affiliated with the NSO Group, that develops the Pegasus spyware, and says it only sells its software to nation-states.
Researchers Bill Marczak, John Scott-Railton, Siena Anstis, and Ron Deibert, along with public interest technologist Siddharth Prakash Rao, said in a detailed post that they had determined the following countries were likely customers of Circles:
The researchers said they had used Internet scanning and a unique signature associated with hostnames of Check Point firewalls that were used in Circles deployments. "This scanning enabled us to identify Circles deployments in at least 25 countries."
"From the 252 IP addresses we detected in 50 ASNs, we identified 25 governments that are likely to be Circles customers. We also identified 17 specific government branches that appear to be Circles customers, based on WHOIS, passive DNS, and historical scanning data from Check Point firewall IPs or their neighbours," the researchers said.
"We identified a single Circles system in Australia. We cannot verify the identity of the operator. The system’s Check Point firewall was also reachable through an IP address in a Malaysian datacentre (EstNOC Malaysia), which appears to be forwarding traffic onwards to the Australian IPs. The Australian IPs, on Optus and TPG, geolocate to Australia’s capital Canberra, per MaxMind."
They cited leaked documents as saying Circles customers could "purchase a system that they connect to their local telecommunications companies’ infrastructure, or can use a separate system called the 'Circles Cloud', which interconnects with telecommunications companies around the world".
"Because of SS7’s lack of authentication, any attacker that interconnects with the SS7 network (such as an intelligence agency, a cyber criminal purchasing SS7 access, or a surveillance firm running a fake phone company) can send commands to a subscriber’s 'home network' falsely indicating that the subscriber is roaming," the researchers said.
"These commands allow the attacker to track the victim’s location, and intercept voice calls and SMS text messages. Such capabilities could also be used to intercept codes used for two-factor authentication sent via SMS.
"It is challenging and expensive for telecommunications operators to distinguish malicious traffic from benign behaviour, making these attacks tricky to block."
Contacted for comment, an NSO spokesperson told iTWire: "Circles is an independent company from NSO, affiliated to the same corporate grouping. Both NSO Group and Circles lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate.
"As we have previously stated, Circles is involved in search and rescue and tactical geo-location technology.
“CitizenLab’s pre-determined agenda means it has once again published a report based on inaccurate assumptions and without a full command of the facts.”