Cyber Espionage : The Triggerfish
ArsTechnica had some bits of information how the triggerfish has been used to retrieve information from cell phones such as the electronic serial number (ESN), phone numbers and other information without the users’ knowledge and without the help of the telephone providers. It was used back in the 90s by the FBI to track legendary hacker Kevin Mitnick.
When cell phones are on, they automatically look for cell sites around them in order to connect to the telephone company network. It will then connect to the one having the strongest signal, as it means a better signal. The triggerfish antenna is a high-powered cell site simulator to which any cell phone near enough will connect, as they will consider it as a normal cell site. Once the mobile registers to the triggerfish and the user wants to make or receive a call, the mobile will send the mobile identification number (MIN), which is actually the phone number, the ESN, cell site data, which contains the channel used and sub-geographical location all the incoming and outgoing data of the caller. It will also contain the outgoing or incoming MIN. According to the documents released by the ACLU, the triggerfish is able to display the following:
“If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site/simulator/triggerfish would include the cellular telephone number (MIN), the call’s incoming or outgoing status, the telephone number dialled, the cellular telephone’s ESN, the date, time and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected)“
The same document also writes that this device may be able to intercept the contents of the communication if the option is enabled. It’s important to note that the cell phone must be used to receive or send a call (SMS or web also) in other to for the triggerfish to work, as data about the location of the phone will be send in every data packet send and received by the user. This is how organization can track people using cell phones. Since mobiles always need to find new cell sites as the user moves around, it needs to exchange geographical information with the phone in order to locate the cell sites nearest to the mobile.
As told above, the antenna needs to be stronger than the local cell site in order to pickup the registration of the mobiles. Therefore it needs a lot of power and a high-gain. It also needs equipment such as a digital analyzer in order to make sense of the data intercepted by the triggerfish. And for tracking, it needs to be mounted on a truck to follow the signal of course.
There is a way for everyone to build something almost similar as the triggerfish by using an IMSI catcher. An IMSI catcher can be used to intercept GSM phone calls and use the same tactics as the triggerfish: by simulating a cell site. It will then relay data to a genuine cell site in the area. To do that, the IMSI catcher will need a SIM card and will then appear to the genuine cell site as a mobile phone. In other words, the IMSI catcher acts as a man-in-the-middle between the mobile phone and the genuine cell site.
Even if it works in the same way as a triggerfish, the IMSI catcher has some serious drawbacks, among others:
- “It must be ensured, that the mobile phone of the observed person is in standby mode and the correct network operator is found out. Otherwise, for the Mobile Station, there is no need to log into the simulated Base Station.
- All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers.
- [...] Since the network access is handled with the SIM/USIM of the IMSI Catcher, the receiver cannot see the number of the calling party. Of course, this also implicates that the tapped calls are not listed in the itemized bill.
- The assignment near the Base Station can be difficult, due to the high signal level of the original Base Station.”
“Electronic Surveillance Manual“, U.S Department of Justice, June 2005
“IMSI Catcher“, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13, 2007
 “FOIA docs show feds can lojack mobiles without telco help”, Julian Sanchez, ArsTechnica, November 16, 2008, http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html (accessed on November 18, 2008)
 “Computer hacker Kevin Mitnick”, Michael Cooke, Essortment.com, 2002, http://www.essortment.com/all/kevinmitnickco_rmap.htm (accessed on November 18, 2008)
 “Electronic Surveillance Book : XIV Cell Site Simulators/Digital Analyzer/Triggerfish”, Electronic Surveillance Unit, Department of Justice, June 2005, p.40
 “IMSI Catcher”, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13. 2007, p.14
 Ibid. p.16