October 31, 2013

How NSA targeted chancellor Merkel's mobile phone

(Updated: June 28, 2016)

Last week, the German weekly Der Spiegel revealed that NSA intercepted the mobile phone of the German chancellor Angela Merkel. Although most details were not known yet, the fact itself caused a severe crisis in the relationship between the United States and Germany.

Meanwhile, the original NSA targeting record containing chancellor Merkel's phone number has been published. One of the entries refers to a document about the NSA's SYNAPSE data model, which was disclosed earlier and provides us with a context for the targeting record. Finally, an impression of how the interception could have been conducted is given by a picture of the SCS interception equipment, which is presumably located in the US embassy in Berlin.

The NSA targeting record

The NSA document mentioning Merkel's phone number was published in the print editions of several German newspapers, but the tabloid paper BILD made a scan for their website:

According to Der Spiegel, this document apparently comes from an NSA database in which the agency records its targets. This could be a database codenamed OCTAVE, which is used for tasking telephony targets. According to still undisclosed NSA documents, OCTAVE was replaced by the Unified Targeting Tool (UTT) in 2011. This record has the following entries:

- SelectorType: a selector is the intelligence term for a name or a number that identifies an espionage target. This line says the type of the selector is PUBLIC DIRECTORY NUM[ber]

- SynapseSelectorTypeID: this designator, SYN_0044, refers to the SYNAPSE Data Model (see below).

- SelectorValue: here's the actual phone number of Merkel. In the print edition of the magazine we can see this phone number written as +49173-XXXXXXX. The country code for Germany (+49) is followed by the prefix code for mobile phone numbers from Vodafone (0173). According to Der Spiegel this is the number of Merkel's cell phone which was provided by her political party and which is the one she uses most to communicate with party members, ministers and confidants, often by text message. It is just an ordinary cell phone without any security features, and therefore an easy target for intelligence agencies like NSA. It means that her official secure mobile phone was neither targeted nor compromised.

- Realm: according to Der Spiegel, this field determines the format.

- RealmName: the name of the format, in this case 'rawPhoneNumber'

- Subscriber: GE CHANCELLOR MERKEL. As Angela Merkel wasn't yet chancellor when the surveillance started in 2002, either this entry or the whole record must have been updated after she became chancellor in November 2005.
A bit strange is that the abbreviation for Germany which is used here, GE, should have been replaced by DE after 2004, when the NATO STANAG codes were replaced with the ISO 3166-1 alpha-2 codes.

- Ropi: stands for Responsible Office of Primary Interest, an NSA unit that selects which targets should be monitored. In this case it's S2C32, the European branch of the so-called Product Line for International Security Issues.

- NSRL: stands for National SIGINT Requirements List, which is a daily updated compendium of the tasks, and the priority of those tasks, given to the various Signals Intelligence collection units around the world. 2002-388* indicates that this target was set in 2002, when Angela Merkel was head of the Christian democratic party CDU. Then Bundeskanzler Gerhard Schröder refused to join the US in the war against Iraq, so the US government could have been interested in knowing the position of his main political opponent.

- Status: A, which stands for Active. Der Spiegel says this status was valid a few weeks before President Obama’s Berlin visit in June 2013.

- Topi: stands for Target Office of Primary Interest. According to an NSA document, TOPIs are part of the Analysis & Production division, but Der Spiegel says these are units which are doing the actual interception. In this case, the TOPI is designated F666E, where F6 stands for the joint NSA/CIA Special Collection Service (SCS), which performs eavesdropping actions from inside US embassies in foreign capitals. 66E might then be (a part of) the SCS unit based in the US embassy in Berlin.

- Zip: this Zip code, 166E, is a distribution code for the OCTAVE tasking database (see below).

- Country Name: left blank, apparently the country code below was sufficient.

- CountryCode: which is GE for Germany

An interesting question is how Edward Snowden obtained this database record. Is it part of an NSA document for internal education or presentation purposes, or did he make a copy from the database itself? And if so, are there (many) more of these tasking records in his collection?

A targeting record like this marks the starting point of NSA's collection process. Because of that we know nothing about the follow-up, except for the involvement of SCS unit F666E. Therefore, we have no indication about what form of surveillance has taken place: were only metadata gathered or also conversations recorded and text messages stored? And was this continuous, or (given the presumably small number of German linguists) only when there was a more specific need for information?

The SYNAPSE data model

As we have seen, the second entry of the targeting record refers to SYNAPSE, which is some kind of data model used by NSA to analyze connections of foreign intelligence targets. A slide from a PowerPoint presentation about this model was published by the New York Times on September 29, 2013. Note that the title has a huge spelling error as it reads SYANPSE instead of SYNAPSE:

SYNAPSE slide as published in the print edition of the NY Times
(scan by Cryptome)

The slide shows a rather complex diagram of all elements involved in examining the communications of a target. We will go through this diagram from top to bottom:

First we see a target, like a person or an organization, mentioned as "agent". These agents are designated by a name and identified by a NIC, which could stand for something like National Identification Card. 'Paki' could be a database for these ID numbers. The agents (targets) themselves are registered in TKB, which stands for Target Knowledge Base.

Agents use various devices, identified by designators like an e-mail or an IP address, a phone number or an IMEI, IMSI, IMN, RHIN or FHIN number (not clear what the last three stand for). The designations of these devices and the connections between them are collected in MAINWAY, which is NSA's main database for bulk telephone metadata.

The designators of the devices used by an agent/target get a 'Subscriber ID' for the OCTAVE database and are listed in the OCTAVE Tasked List. They also get a 'ShareableName' for the Unified Targeting Tool (UTT) to be listed in the UTT Active List. The designators are also labeled with UTT categories and OCTAVE Zip Codes.

Bottom right we see the Responsible Office of Primary Interest (ROPI) which somehow seems to manage the designators, maybe because these are the offices where Tasking takes place, which means selecting the targets to be monitored. Device designators (like phone numbers) of which the communications have to be collected are called Selectors.

Finally, the designators are referenced in the SIGINT Product Reports (blue dot) and the Intelligence Community (IC) Product Reports (red dot) which are released by the various Target Offices of Primary Interest (TOPI). LEXHOUND could be a database for these reports.

As the diagram shows pictures of a personal computer, but OCTAVE and MAINWAY are for telephony data, it seems the whole process is meant for both internet and telephony data.

According to an internal NSA Wiki entry, a tool called Synapse Workbench is used for querying metadata under the Supplemental Procedures governing Communications Metadata Analysis (SPCMA).

Note that the SYNAPSE model has some resemblance with a tool that NSA provided to the Dutch military intelligence service to track communications of Somali pirates, as was revealed on March 8, 2014 by NRC Handelsblad.

The SCS interception equipment

Except for the targeting record, there is no information about how exactly NSA intercepted Merkel's phone, but there are some strong indications. In Berlin, Vodafone mostly uses microwave transmissions on its mobile network and intelligence agencies can intercept these without much effort.

To show how this could have taken place, Der Spiegel published a slide from a presentation of the Special Collection Service (SCS) showing pictures of an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. This unit can apparently intercept cell phone signals while simultaneously locating people of interest.

In Berlin, the SCS unit operates from inside the US embassy, which is in a building next to the famous Brandenburger Tor. It was opened on July 4, 2008 - in the presence of chancellor Merkel. Before, the US embassy was in a 19th century building in the Neustädtischen Kirchstraße. The spying equipment of the SCS unit is likely to be on the roof of the building, in a structure with concealed windows:

(photo: Christian Thiel/Der Spiegel)

According to investigative journalist Duncan Campbell, who revealed the existence of the ECHELON system, these windows are covered by special dielectric (insulating) panels, that allow radio waves to pass through and be intercepted, while blocking visible light and concealing the interception equipment behind it.

This equipment usually consists of antennas, dishes or arrays which can collect every type of wireless communications on all available wavelengths. On the opposite side of the embassy's rooftop structure there's a similar concealed window right at the corner. With these corner windows on both sides, SCS can catch signals from all directions:

(photo through Dailyphotostream.blogspot.com)

On German television, the US ambassador to Germany said that on the embassy's roof there's rather ordinary communications equipment, to stay in touch with Washington and other US embassies around the world. The embassy wouldn't let reporters and politicians in to take a look inside the rooftop structure, probably also because only people with the proper security clearance are allowed to enter these areas.

Because the targeting record clearly mentions unit F666E, it's most likely that chancellor Merkel's cell phone was intercepted by SCS from inside the US embassy. But as her phone uses the Vodafone network, it's also possible that NSA has some kind of backdoor access to this cellular network. Vodafone is a British company and at least NSA's British counterpart GCHQ has an arrangement with this company for tapping undersea fiber optic cables.

It is supposed that data gathered by the various SCS embassy units are sent to the SCS headquarters at the joint CIA/NSA facility in College Park, Maryland, through an SCS communications hub, which is at the US Air Force base in Croughton, Northamptonshire, England.

Infrared images taken by the German television station ARD showed that behind the windows there was heat-producing (electronic) equipment. But shortly after the eavesdropping came out publicly, the heat signature dropped dramatically. This seems to indicate that the spying facility has been shut down for the time being.

Ending the interception

Apparently, NSA started bugging chancellor Merkel upon intelligence requests from the State Department, according to two anonymous US government officials. The phone number of Angela Merkel was finally removed from the NSA's target list this summer. According to the Wall Street Journal there was an internal government review which turned up that the agency was monitoring some 35 world leaders.

After learning this, the White House ordered some of these programs to be cut off, including the one tracking the German chancellor and some other world leaders. Obama also ordered NSA to stop eavesdropping operations against the headquarters of the United Nations, the International Monetary Fund and the World Bank.

On June 12, 2015, the highest German public prosecutor, Harald Range, said the investigation into the eavesdropping on chancellor Merkel was closed, and no court case would be filed. This was because there was not sufficient hard evidence: no original documents were provided, and Edward Snowden also seemed not to have any personal insight into this matter.

During a hearing of the German parliamentary investigation commission on June 23, 2016, it came out that the German information assurance agency BSI offered to investigate chancellor Merkel's cell phone, but this offer wasn't accepted by the chancellery, so it wasn't possible, for example, to check the phone for any kind of malware implants.

President Obama talks with chancellor Merkel using his telephone
for secure communications, August 29, 2013
(White House Photo by Pete Souza)

Links and Sources
- DuncanCampbell.org: The embassy spy centre network (updated)
- NYTimes.com: Tap on Merkel Provides Peek at Vast Spy Net
- DuncanCampbell.org: How embassy eavesdropping works
- TheWeek.com: Did the NSA mislead the President and Congress about foreign leader spying?
- FAZ.net: Es war Merkels Parteihandy
- Spiegel.de: How NSA Spied on Merkel Cell Phone from Berlin Embassy


Anonymous said...

(IMN) - Inmarsat Mobile Number (satellite communications)

(PHIN), Personal Health Information Number

(RHIN) Refugee Health Information Number

Greetz from Germany

Anonymous said...

Angela Merkel's relationship with the 'Paki' could target US government leaders in embassies around the world.

Maria Lone said...

Definitely a very sensitive and remarkable update has been published here. Yes, this documentary disclosure may the issue of relationship downwardness. Now the question is ethical or considered unethical hacking. Surely Germany has to find a hacker lol or seriously have to develop their tech defense system. Thanks for sharing this publicly.
