"Be aware, someone is watching" – inside Iran's mobile spying playbook

[Image: Flag of Iran over falling binary code. Credit: Getty Images]

It's been months since angry Iranians took to the streets to voice their dissent against the regime, and the protests are still raging. So far, authorities have responded with a ruthless crackdown - both online and offline.

An increased level of violence (especially against women), hundreds of dubious arrests, death sentences quickly turning into execution: this is what protesters are facing on a daily basis. 

Nevertheless, protesters have been taking precautions. Downloads of VPNs have skyrocketed since the unrest kicked off, for example, as a means to protect anonymity and bypass censorship. And yet, officers seem to have always been able to intercept their communications and track their movements with ease.

A recent investigation revealing details of Iran's mobile surveillance playbook may explain how this keeps happening. A series of internal emails and documents were first leaked to the US non-profit news organization The Intercept and then reviewed by experts at the Canada-based Citizen Lab.

While this evidence doesn't include executed agreements, it still gives a glimpse into the Iranian government's intention to build an unprecedented mobile surveillance system. Even worse, perhaps, it also shows how some international private companies are ready to generate revenue at the expense of Iranians' human rights.

Iran's mobile intercept system

"We have seen other systems, for example those employed in areas like Russia and China, that do engage in mobile blocking behavior. But, it seems to me that Iran is very unique as they possess very strict controls and oversight," Gary Miller, mobile security researcher at Citizen Lab, told TechRadar.

Miller led the primary investigation and research into Iran's intercept system, going through the technical aspects revealed by the communications between Iran-based Mobile Virtual Network Operators (MVNOs), Iran's Communication Regulatory Authority (CRA) and a series of foreign vendors.

What he and his research team found is an extremely rare mobile intercept system which, if fully implemented, would enable authorities to "directly monitor, intercept, redirect, degrade or deny all Iranians' mobile communications."

The whole infrastructure is made up of different components that fit together to form a complete surveillance jigsaw puzzle.

The Legal Intercept System is the main part of this, responsible for both spying on users and controlling their activities. At its core is a system called SIAM: web-based software deployed at each mobile service provider in Iran that gives the CRA a set of commands for remotely manipulating mobile connections while monitoring usage details.

SIAM can throttle a phone's data speed, for example, degrading the connection all the way down to insecure 2G.

It also allows authorities to track a wide range of user data, such as real-time physical location and location history, and the Wi-Fi networks and IP addresses people connect to the web from. Other commands can even prevent users from receiving or placing calls.

The system is beefed up by a component that alerts the CRA to any change in the status of active SIM cards, allowing authorities to prevent users from holding more than one active account with different providers, together with an interface that collects details of voice calls and messages.

"The most disturbing fact is that they can not only monitor, which is part of the normal legal intercept activity, but actually manipulate the communications," Miller told TechRadar. 

"This is more than just simple surveillance. This is absolute control over the mobile network infrastructure in Iran. All mobile network operators have to comply, and they do have to directly integrate the system's commands."

The Iranian government therefore seems to have all the means to crush future protests by using such resources to enforce restrictions and, most worryingly, persecute dissidents. Although the reviewed evidence cannot confirm that all these capabilities are actually in place, Miller believes it would be very difficult to assume otherwise.

"We do know that they have suspended mobile services. We do know that journalists and citizens have been captured," he said. "In the way Iran works, they don't require something unless they use it." 

[Image: Visualization of a radio signal coming from a mobile phone in a data-filled scene. Credit: Getty Images]

It is worth noting that every government around the world allows law enforcement to legally intercept citizens' mobile communications to a certain degree - even democracies. However, these operations must generally be approved by a court. Here, there's no indication of any such legal process.

"In my opinion, what makes this so scary is that they [Iranian authorities] could do whatever they want," said Miller.    

As already mentioned, the leaked correspondence also revealed the involvement of some foreign vendors in supporting this dystopian infrastructure. More specifically, UK-based satellite communication consultancy Telinsol appears to have conducted transactions on behalf of Iranian MVNO Ariantel. The company denied any involvement.

PROTEI, an international telecommunications systems vendor operating in Russia, appears to have discussed with Ariantel the possibility of flying its team to Iran for training.

The email exchange with Canadian mobile support trader PortaOne concerned a potential sale of platform management software. The firm first denied the allegations, but then admitted the deal had been halted after further review, Citizen Lab reported.

As the experts note, corporate actors have a responsibility to prevent or mitigate adverse human rights impacts linked to their operations. But, as Miller said: "The evidence we saw indicates that they were attempting to sell their products, being very aware of the requirements."

What's at stake for Iranians?

Whether or not the full Iranian mobile spying playbook is currently in place, authorities appear to have both the resources and the intention to deeply control what citizens do with their smartphones.

The stakes for Iranians are extremely high, especially considering the wave of protests still ongoing. According to the latest daily statistics coming from the US-based Human Rights Activists News Agency (HRANA), over 14,700 prison sentences have been handed out since September last year. Four of the protesters have been executed, while more than a hundred are suspected to face the same fate.

These figures are all the more alarming because, although VPN use has soared among citizens, experts think that relying too heavily on such security software on mobile could be more harmful than beneficial under these circumstances. This is compounded by the fact that authorities are actively looking for suspicious encrypted traffic as part of their harsh crackdown on VPN services.

"Clearly, they want to monitor communication and VPN is a circumvention method to prevent that type of activity from happening," explained Miller. 

"However, we also know that certain individuals have been interrogated because they use VPNs. The only way that you can determine that is by looking at the data traffic and the legal intercept infrastructure allows them to specifically identify VPN users."  

Amir Rashidi, an internet security and digital rights expert focused on Iran, made the same point to The Intercept. "The government can easily identify IP addresses in use by a particular VPN provider, pass the addresses to this location function, and then see where the people are who are using this VPN," he said.

[Image: Thousands of Iranian-Canadians and their supporters protest against the Iranian Islamic regime in Richmond Hill, Canada, on November 19, 2022. Credit: Getty Images / NurPhoto]

So, what can Iranians do to secure their communications as much as they can?

According to Miller, the best way to do so is by using an encrypted messaging app like Signal with the disappearing messages option turned on. This means that even if authorities gain access to the application, there would be no record of potentially incriminating past conversations.

Another important step is installing reliable mobile antivirus software, Miller said, as there is evidence of users being targeted with malware, most likely in an effort to compromise even more of their data.

He also suggests, yes, using a VPN, but doing so strategically. This means not keeping the software switched on all the time, so as to avoid raising a flag with the Iranian authorities. What's more, protesters should also consider turning their phones off completely when taking part in a rally.

"Just be aware that someone is watching."

In the meantime, Citizen Lab is committed to carrying out further research in this direction as more information becomes available.

"I have a very long history working with mobile network operators and I know how scary it is how these systems operate. The goal is to ensure that people are properly educated in terms of what really happens in these countries." 

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com