Woman holding Iran flag showing government surveillance

Embedded in Cellular Networks, Iran’s SIAM System Allows for Remote Phone Manipulation

A new report from The Intercept exposes previously unknown details about Iran’s SIAM system, which has base-level access to the country’s cellular networks. The system is used not just for government surveillance, but also has functions that allow for remote manipulation of individual data collections and backdoors through encryption.

It is believed that the system has been used to monitor and track protesters in recent months, and its features allow it to knock individual users off of 3G or 4G networks and force them into a slower 2G connection. In some cases, local police have also sent text messages to specific users warning them to stay away from protest areas and to not associate with “anti-revolutionary” government critics.

Iran government surveillance baked into country’s phone networks

The current wave of protests in Iran was sparked by the September death of Mahsa Amini while in morality police custody, a young woman who had been detained for not wearing a veil in public as required by the country’s strict dress code. The protest movement has since morphed into general opposition to the country’s theocratic government. Protesters have complained about sporadic network blackouts, slow connections and app malfunctions since this began, and the Intercept report provides evidence that this is due to direct government surveillance and interference.

The information on the SIAM system comes from leaked documents obtained from Iranian cellular carrier Ariantel, which contains email correspondence and documents shared between employees and Iranian government staff along with outside contractors used to implement and service the system. The file trove also contains two operators manuals that document the features that appear to be designed specifically for government surveillance and interference with the communications of government critics.

Protesters and government dissidents have long suspected sweeping government surveillance via the country’s phone networks, but the details were not known before now. SIAM allows government agents to plug into a web interface that provides detailed data on mobile phone users along with a menu of actions that can be taken against them: tools to break encryption, metadata summaries for specific phone numbers that show complete records of their networks of communication, and the ability to slow their connections by blocking phones from networks higher than 3G to force a backup 2G connection.

The system thus goes beyond government surveillance, serving as a tool to actively discourage and disrupt protests. The agency responsible for it is the Communications Regulatory Authority (CRA), the country’s lead telecommunications regulator. One of the documents obtained by The Intercept is a memorandum notifying all telecom operators that they must provide the agency with direct access to their systems to “query customer information” and “change (customer) services via a web service.”

The Office of Security of Communications Systems (OSCS), which is a part of the CRA, appears to be the entity most directly involved with government surveillance and service disruption via SIAM. The leaked documents show email exchanges between carrier Ariantel and OSCS dating up to August of this year at the most recent, and the manual for SIAM operation also appears to have been translated to English and provided to a Spanish telecom contractor that Ariantel did business with.

Menu of features tracks device IMEI numbers, pushes targets onto 2G networks

Aside from government surveillance, much of the focus of SIAM appears to be to push selected targets onto 2G networks. In addition to throttling speeds (to the point that many smartphone functions become essentially useless), this also degrades the security of its communications as 2G networks do not offer the same encryption features. This “Force2GNumber” function in SIAM may be deployed as a means to make it easier to intercept SMS two-factor authentication codes, something that could provide a route into encrypted messaging apps commonly used by protesters.

SIAM is also able to track communications between network users by device IMEI number. This means that protesters can be continuously tracked even if they swap SIM cards, and their communications and movements can be paired with a variety of data that SIAM can pull directly from the carrier: family name, nationality, location history, billing contact information, birth certificate number (often used as a national identification number), employer, and a list of IP addresses and WiFi networks that the user has connected to.

While ostensibly a regulatory agency, the CRA has long been known to play an active role in censoring internet-based communications in Iran. The agency was sanctioned by the US in 2013 for blocking hundreds of websites during 2009 disputes about the result of Iran’s presidential election. And in 2019, the CRA was found to have directly ordered certain internet providers to shut down during another period of social unrest.

The documents do not spell out a direct connection between government surveillance of protesters and the use of SIAM, but the manual of features appears specifically tailored to monitor and disrupt dissent. And it tracks with general reports from protesters on the ground in Iran, who say that service is frequently slowed or stalled during protests and that they have received unprompted messages from government agencies suddenly advising them to avoid areas of planned protest.