GCHQ hacks GRX providers to mount MitM attacks on smartphone users
A new report by the German magazine Der Spiegel has revealed that the Government Communications Headquarters (GCHQ), the UK equivalent of the US NSA, has compromised a number of Global Roaming Exchange (GRX) providers.
There are only a couple dozen GRXs in the whole world, and they act as hubs for GPRS connections from roaming users. The ones that Der Spiegel claims have been breached are Comfone, Mach, and Belgacom International Carrier Services (BICS).
The ultimate goal of these attacks is for the intelligence agency to gain access to the companies’ central roaming routers that process international traffic, so that it could ultimately mount Man-in-the-Middle attacks targeting smartphone users and thus compromise their devices to serve its own goals (i.e. surreptitious surveillance).
To compromise the systems and networks of these GRXs, the agency first researched the engineers, IT personnel and network administrators working for them. After learning much about their personal and digital lives, it would create spoofed versions of pages they often visited (such as their LinkedIn profiles and Slashdot) with backdoor-opening malware embedded in them, and then use a technology dubbed “Quantum Insert” to serve those pages instead of the legitimate ones, leaving the targets’ systems saddled with the malware.
Well-known IT security expert and cryptographer Bruce Schneier has recently explained how the technology is used by the NSA, and to which end:
As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target’s browser to visit a Foxacid server… They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website… The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server… FoxAcid is the NSA codename for what the NSA calls an “exploit orchestrator,” an internet-enabled system capable of attacking target computers in a variety of different ways.
It is unknown whether the GCHQ uses NSA infrastructure or their own.
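Because the injected response races the legitimate one rather than suppressing it, the client side typically sees two TCP segments for the same flow and sequence number with different contents. The following is an added detection example (not from Der Spiegel’s report or Schneier’s post) that flags such overlapping-but-differing segments in a constructed capture; the addresses and HTTP bodies are made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a captured TCP segment (constructed sample data)."""
    src: str
    dst: str
    seq: int
    payload: bytes


def find_injection_candidates(segments):
    """Return (src, dst, seq) keys where two segments share a sequence
    number but their overlapping bytes differ.

    A genuine retransmission repeats the same bytes, so it is ignored;
    a spoofed response injected ahead of the real one carries different
    content at the same sequence position, which is the race-condition
    signature the Quantum Insert description above implies."""
    first = {}
    hits = set()
    for s in segments:
        key = (s.src, s.dst, s.seq)
        if key not in first:
            first[key] = s.payload
            continue
        n = min(len(first[key]), len(s.payload))
        if n and first[key][:n] != s.payload[:n]:
            hits.add(key)
    return sorted(hits)


# Constructed capture: one flow from a web server to a client.
SAMPLE = [
    # injected redirect arrives first (hypothetical destination host)
    Segment("203.0.113.10", "198.51.100.7", 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    # legitimate response arrives later with the same sequence number
    Segment("203.0.113.10", "198.51.100.7", 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # ordinary retransmission: identical bytes, must not be flagged
    Segment("203.0.113.10", "198.51.100.7", 2000, b"<p>more</p>"),
    Segment("203.0.113.10", "198.51.100.7", 2000, b"<p>more</p>"),
]

if __name__ == "__main__":
    for key in find_injection_candidates(SAMPLE):
        print("possible injected segment:", key)
```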
Der Spiegel also briefly mentions another GCHQ operation dubbed “Wylekey” which has apparently successfully compromised several international mobile billing clearinghouses.