Intelligence Services are Scary af

A Tale of Transnational Terrorist Chatter

Despite the hyperbolic rhetoric about the dangers of “encrypted messenger apps” creating a “safe space for terrorists,” the reality does not live up to the hype. Even the best encrypted messenger apps provide only limited privacy by securing the content of users’ messages. Smartphone messenger apps, even end to end encrypted ones, produce various amounts of metadata — from massive, to huge. Analysis of the open source data suggests that the Intelligence Services are not taking full advantage of the metadata that’s available to them.

This post expands on a Twitter thread I wrote earlier:

ISIS Middle Management

Abu Ahmad is a man with a $5 million dollar bounty on his head. He is a senior lieutenant within ISIS an important part of the External Operations Center (EOC) — ISIS’ international terrorism department. He is a key operational player, handling the mundane logistical tasks critical for successful terrorist attacks. Abu Ahmad is essentially a terrorist middle manager.

Management within organisations as they develop plans and execute operations is essentially the same regardless of the type of plan or operation. For a middle manager like Abu Ahmad, that means he spends a lot of time communicating with his bosses and his direct reports, solving problems and generally trying to get everyone to do what they are supposed to do at the right time. As manager in ISIS’ external operations (i.e. terrorist attacks), who he talks to, who they talk to, and what is said, is all extremely interesting information for the Services. Crucially, encrypted messenger apps only protect “what is said.”

The Paris Attack

One operation that we know Abu Ahmad helped manage was the November 13th, 2015, attack in Paris. This attack involved multiple operatives, long term planning, significant resources and logistical support. The attacks involved:

  • Multiple suicide bombings at the Stade de France (Abu Ahmad’s responsibility, apparently)
  • Attacking restaurants with automatic weapons and suicide bombers
  • Massacre at the Bataclan, personally overseen by Abaaoud (the local coordinator)

After the attacks the Services were desperate to know everything about ISIS operatives in Europe. Investigators worked diligently and thoroughly to track down and followup leads of every sort, using every technique available to modern police and intelligence services. Sort of…

November 13, 2015. Paris, France.

Abu Ahmad’s Turkish number was found …written on a slip of paper in the pants pocket …of one of the suicide bombers at the Stade de France [Emphasis added] — Source

This is whats known in technical parlance as — a clue. The phone number can be used by intelligence services as a “selector” to search for who has been in contact with it, where it is located, and so on. This is exactly the sort of function that modern SIGINT excels at — creating graphs of connections, starting from a single known point (such as, Abu Ahmad’s phone number.)

December 10, 2015. A refugee center, Austria.

Until his arrest in December, Mr. Haddadi remained in touch with Abu Ahmad through messages on Telegram and via text messages to his Turkish number [Emphasis added] — Source

Adel Haddadi is an ISIS operative who was sent to France to participate as one of the suicide bombers at the Stade de France, but it was not to be. Inept clandestine tradecraft (possibly due to poor training) caused delays in his journey to Brussels, preventing him from taking part in the Paris attacks.

Haddadi, along with an ISIS accomplice, was arrested at the refugee center hours after being linked to the Paris attack suicide squad. Was Haddadi caught because he was communicating with a phone number directly linked to the Paris attacks? Not exactly. Investigators followed a long chain of leads, combining traditional police work with modern techniques such as facial recognition software and databases, to link him first to the suicide squad and then to the refugee camps.

After finding a Syrian passport at the Stade de France, investigators ran fingerprints and discovered that two of the dead men had arrived in Greece as Syrian migrants on Oct. 3. With the aid of German and U.S. intelligence, a manifest of the day’s migrant arrivals — including photos — was run through databases and a face-recognition system of known radicals and Islamic State militants,
The searches returned two hits — men also claiming to be Syrian who had arrived that day.
On Dec. 10, Austrian police in Salzburg received their photos and fake Syrian names from French intelligence. Within four hours, they had tracked them down to the refu­gee center [Emphasis added]— Source

Smartphone Apps Are Too Secure, Right?

Haddadi was in constant contact with Abu Ahmad. He, and his colleague, were attempting to connect with a number of people who could provide support, including possibly logistical support for another attack.

Their phone records show that they had begun reaching out to contacts all over Europe, a list that…included other newly arrived migrants as well as longer-term immigrants tied to the region’s criminal underworld. — Source

So either the pair of operatives, an Algerian and a Pakistani, had an extensive list of contacts in Europe, or they were being managed remotely by Abu Ahmad. The available open source information suggests it was the latter. How was he able to communicate with these two without the security forces discovering them immediately?

It Was The Crypto, Right?

Haddadi was using encrypted messenger apps — Telegram, WhatsApp — and, apparently, plaintext SMS, to communicate with a phone number directly linked to the Paris attacks just a month earlier. In intelligence services jargon they’d say Abu Ahmad’s Turkish phone number was blown. Did the encryption prevent the police from catching Haddadi sooner? No. Emphatically not.

WhatsApp, Telegram and SMS all require a phone number for sending and receiving messages. SMS uses it directly (obviously), and WhatsApp and Telegram use it as the account ID. Both of these “encrypted messaging apps” have access to massive quantities of metadata, more than enough to identify connections between accounts as well as geolocate a user.

WhatsApp and Telegram Metadata

  • Phone number: the account ID
  • IP addresses: used by the phone to connect to the account — these can be geolocated, they can be linked to the telco who can provide even more data (tower dumps, CDRs, etc. etc.)
  • Message transaction logs: the source and destination account IDs (both are phone numbers); the number of messages, their size, and their time stamps.
  • Time stamps: when the phone was connected and the account active.

All of this information, and probably much more, is available to both WhatsApp and Telegram. In addition, there’s also more metadata available from Google, who provides the Android push messaging infrastructure used by both Telegram and WhatsApp. Similar data would be available from Apple (if ISIS used Apple products, which they don’t.)

But It‘s End to End Encrypted

The message content was protected by encryption on the wire — from the phone to the server — and end to end — from phone to phone. But that doesn’t matter. The intelligence services, including the NSA, already had the crucial information they needed — Abu Ahmad’s Turkish phone number — and the ability to access the metadata linking Haddadi to ISIS and the Paris attacks.

Telegram and WhatsApp are both known to be used by ISIS. They comply with legal requests for data. That data — metadata about accounts in contact with Abu Ahmad’s phone number — would have been sufficient to identify and locate Haddadi (and his pal).

So, WTF then?

Haddadi was not an experienced clandestine operative using furtive encrypted signals to communicate with his boss back at ISIS. He was using extremely common messenger services known to be used by ISIS. He was exchanging messages with a phone number that was directly linked to the Paris attacks. For a month after the number was known to security forces!

The Stade de France suicide squad was a discrete cell of terrorists managed by Abu Ahmad via a Turkish phone number. Every messenger service used by Haddadi required verified telephone numbers and was capable of linking the Turkish phone number to whichever phone Haddadi was using at the time. Knowing which account Haddadi was using would be more than sufficient to geolocate him. So why did the investigators use fingerprints, immigration databases and facial recognition when warrant and a simple SQL query would suffice?

Are the Services making full and sufficient use of wealth of new data that smartphones make available under the existing legal frameworks?

In Conclusion

Encrypted messenger apps can provide a level of confidentiality for users, but confidentiality is not sufficient protection for a terrorist. Smartphones, and the apps themselves, generate vast quantities of data and metadata of immense value to the Services.

Encrypted messengers create more data that intelligence services can use to capture terrorists, not less. They are not a safe haven for terrorists simply because they offer end to end encryption. Full stop.