Four days ago, on 18/07/2021 , there were multiple news releases from a consortium of journalists called the Pegasus Project, on how people globally have been allegedly targeted and tracked by the Pegasus spyware technology supplied by NSO Group. More information is expected to be revealed during this week, but it would be useful to give some observations on the material which has been revealed so far, from a mobile security perspective. This is because the scale and implication of the reported material is immense, and so any additional information could help us all understand this murky area.
First of all – AdaptiveMobile work with mobile operators from the core network perspective. As a result we have a unique viewpoint as we can observe the core network signalling which is used by surveillance companies such as Circles , who are associated with NSO Group. This also gives us the opportunity to potentially see the precursor and delivery methods of the Pegasus mobile spyware, in case they are sent over a bearer in an operator we protect. One particular recent topic in the current Pegasus conversation is around “HLR Lookup Service”. Here we explain what this is, and how it might fit in this story.
What are HLR Lookup Services
HLR lookup is a fairly broad term. In normal operation it refers to SS7 Signalling network commands such as SRI-SM packets being sent to a Home Location Register (HLR) of a mobile operator, to see if a specific mobile number (MSISDN) is registered, and what rough location (network node) the phone is registered in. This is normally done for SMS delivery to that MSISDN. But it can also be the starting point of many signalling related attacks. A HLR Lookup Service would be a company that offers access to specifically do HLR Lookups. There are a number of companies that offer this – a simple internet search will find them. These companies generally give out less information than they did in the past, but what they have in common is that they mainly use SS7 Signalling network commands (such as SRI-SM) or other kinds of numbering plan lookups.
It is important to remember than the impact SRI-SM queries (on their own), are not as precise or as impactful as other types of SS7 signalling attacks. However misuse of them is concerning. This is because in our experience, when we observe a SRI-SM being used maliciously, it is as a precursor type of operation for more sophisticated attacks. You can see how it can forms the basis for some location tracking here, and we have observed it being used by Surveillance companies in our own research. Note: in a technical tense – ‘HLR lookup’ could also mean the use of other types of SS7 packets, but these would not be common, and certainly would not normally be provided by HLR Lookup Service companies.
How HLR Lookup entered the Pegasus NSO story
The first observation we can make is the use of the term HLR lookup in relation to the overall stories. The key element in the stories are the existence of a list , which, according to the Guardian, in the first releases at 17:00 GMT+1 on the 19th of July , said :
“The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.”
It is curious as to why NSO directly mentioned “HLR Lookup” services. It is interesting then that later articles in the media then assumed that HLR lookup services are indeed part of the problem , i.e. –
“… and how seemingly benign processes such as HLR lookups can be exploited in this environment.”
It is unknown whether this use of the term HLR lookups in later news reports comes from NSO’s statement, or from further information possessed by the journalists, or a combination of both. This combination view is the approach that the Pegasus Project took in point 10 of their report :
HLR Lookups or Not?
Then we come to the question, did the list indeed come from a list of HLR lookups used by NSO, potentially for Pegasus targeting? If so, this could make some sense as HLR lookups would allow NSO to determine if the device was currently active/registered – and so available for infection by SMS or another method at this or some later time. This may be strengthened by the fact that some media outlets specifically refer to the list as being of people of interest or potential surveillance targets, not specifically as Pegasus targets. A HLR lookup is also the first part of the delivery of a SMS, which could be used to later send a SMS with the link to the Pegasus malware. It is also conceivable that this list may come from a 3rd party that NSO engaged to perform HLR lookups on their behalf, either someone who they engaged directly or it may have come via Circles, the signalling-based surveillance firm who are associated with NSO. Any signalling-based surveillance company would make very heavy use of querying HLRs as part of their SS7 attacks.
On the other hand, the lack of information presented so far on the origin of the list, and the fact this information was volunteered from NSO who later again strongly pushed back saying this list was potentially from an un-associated HLR lookup service, means the origin cannot be conclusively determined.
Further complicating things is that NSO Group have stated in the recent past that Circles is not part of their Group, although entities like Amnesty International have shown their relationship and history with NSO Group via other companies. In any case we will proceed on the basis that HLR lookups could be used to assist surveillance attacks. In that case, we should then talk about how to control HLR Lookup services.
Dealing with HLR Lookup Services
We first raised to the industry the need to control against the existence of these external HLR lookup services and websites in 2010, and what should be permitted or not. At the time, there were several companies offering access, primarily with connections to operators in Europe, and some of them were returning full SRI-SM results to the customer. This allowed rudimentary location tracking (per country/MSC) as well as the IMSI of the target. While there were commercial reasons as to why HLR lookup services in general are useful – i.e. to see if a number was active or ported in/out – the sharing of sensitive information like the full IMSI and the rough location was a clear violation of privacy. The problem was the environment in which these companies worked relative to the mobile industry was not clear . Once we raised this within the GSMA, over time, an agreement was reached on how mobile operators would treat and govern this. This is contained in multiple GSMA interworking documents, one example below is taken from GSMA BA.27 – Charging Principles, which essentially states:
Interrogation or HLRs is not permitted unless it has been agreed between two parties in their roaming or interworking agreements
For avoidance of doubt, IMSI or Node information that could compromise the privacy or location of subscribers must not be disclosed, subject to the relationship established by the parties
Reselling of results of the queries is not allowed , only by the owner of the HLR, or any parties authorised by the owner of the HLR
Any breach of this could lead to suspension or roaming/interworking agreements
So from this perspective, the NSO statement that HLR Lookup services:
… are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide
May be true in practice – anyone could do it – but it is not actually permitted unless the home operator has agreed it with the HLR Lookup Service’s host operator for the purpose at hand.
However, while this is a definition of what should happen, the reality is often different. Simply stating it should not happen is not enough, Operators need to be able to enforce it. To protect themselves, Mobile Operators should control and monitor inbound HLR traffic by deploying SMS Firewalls/Home Routing (for SRI-SM traffic) and SS7 Firewalls (for inbound HLR signalling traffic in general). But even that is only a start. SRI-SM and other HLR destined traffic is the backbone of intercarrier signalling, it has to be allowed in order for roaming and message delivery between countries to function – it cannot be simply blocked. As a result, operators and their vendors have to monitor and control the HLR-destined traffic that they do permit inwards. This is a complex and technical challenging area, as sophisticated attackers will try to use methods to circumvent or hide any accesses against the HLR, so having a threat intelligence service constantly monitoring and working with mobile operators is critical.
The role of the Mobile Operators on detecting and blocking attacks
Finally, one thing which has not been discussed in these news stories, is the role of the mobile operators. Security companies like ourselves work extensively with mobile operators, detecting and blocking attacks, of any type – messaging and signalling, when they are encountered. For example, after the revelation of the original Pegasus malware, we detected a number of text messages containing Pegasus links in a customer deployment. So the potential for mobile operators to do more is there and this can be helped by more co-operation and intelligence.
One thing that might help, is if people believe they have been targeted by NSO spyware, this is something they could raise with their mobile operator – if the person being targeted felt safe and secure doing so. While it depends on the capabilities of the mobile operator, this could then lead to investigations that determines how the phones were targeted, and then measures could be put in place to prevent HLR lookups and any other precursor attacks. Surveillance companies use a variety of tricks and attacks in order to execute successful attacks, so it stands to reason that we should try to use every method and defence we have to defeat them.
