With Wing Commander Abhinandan Varthaman back in India and tensions between India and Pakistan looking to de-escalate, there lies a pertinent question from the February 14 Pulwama attack that triggered the over two-week-long hostilities.
YSMS technology is difficult to spot and track. The device reportedly constitutes a smartphone (with the app installed), paired with a radio set.
With Wing Commander Abhinandan Varthaman back in India and tensions between India and Pakistan looking to de-escalate, there lies a pertinent question from the February 14 Pulwama attack that triggered the over two-week-long hostilities.
On February 18, The Times of India reported that the handlers may have used a mobile application called YSMS to contact the Pulwama suicide bomber in an attack that led to the deaths of 40 Central Reserve Police Force personnel.
The question: What do services like YSMS bring to the table and why are they so difficult to spot and track?
The device reportedly constitutes a smartphone (with the app installed), paired with a radio set. The radio set has WiFi capabilities, which enables it to connect with the smartphone. The phone, now connected to the radio, can send encrypted messages at very high frequencies (VHF) to devices which are within line-of-sight, courtesy the radio.
Essentially, what makes it difficult to track is that it operates outside of conventional networks. The system does not rely on your average telecom networks due to the absence of a SIM card during the set-up of the entire contraption. The newspaper reports that intelligence officials had intercepted text messages believed to have been sent by the handlers and that the app is a “new version” that operates on a frequency undetected by Indian intelligence since December 2018.
The first report of militants using such technology against Indian forces was in The Hindu from 2015. The newspaper reported that intelligence officials had solved the puzzle of operatives being caught with phones without SIM cards after interrogating Pakistani militant Sajjad Ahmad in August that year. The Chennai-based daily reported a year later saying that the Army had failed to crack it and that the Defence Research and Development Organisation may have taken a shot at it too.
Privacy, encryption and subsequent attempts at decryption have been longstanding debates. Apps like YSMS and the supporting technology have at least been around since 2012 on the Dark Web. During Hurricane Sandy (2012), cell phones were rendered ineffective without mobile towers until the breakthrough to use them in this way. Understandably, it can be quite a pain for agencies tracking unfavourable elements that are outside your average grid.
Even encryption is not something new to militants. A paper by Robert Graham for Combating Terrorism Center spoke of Al-Qaeda using such tools as far back as 2007.
“Outside of natural disasters the most common use case I have heard of is during protests,” Tarun Wadhwa, entrepreneur and Visiting Instructor at Carnegie Mellon University, told Outlook.
Wadhwa said that it isn’t an issue of “difficult-to-hack encryption” and that there are many such systems that work on “mesh” networks -- “where data is transmitted from one point to another.” He added that similar concepts will most likely be used “for connecting people and devices to the internet.”
Outlook also reached out to NASSCOM, the IT trade body within the country, which said that it is in “process of developing a narrative around the same” and that it wouldn’t be able to comment on it.
How difficult is it though to go about trying to intercept such messages in the first place?
“As far as intercepting the messages, I don’t know specifically here but I would think it is possible to shut down the radio frequency, spoof the WiFi network, or hack into the phones themselves to capture screen and keyboard movements,” Wadhwa said.
While referring to ‘spoofing’ WiFi networks, Wadhwa also referred to debates surrounding the use of technology which may be used to intercept communication from such apps, appropriately named “Stingray”.
In 2013, ArsTechnica reported that state agencies in the United States were using Stringray as “clandestine mobile phone surveillance equipment.” The devices were known to be able to track phone movements, intercept communication and perform denial-of-service (DOS) attack. The American Civil Liberties Union called Stingrays a “troubling new location tracking device” in a blog a year earlier.
In mid-2016, an appeals court in Maryland rebuked the authorities for using Stingray, saying it expected “that people have an objectively reasonable expectation of privacy in real-time cell phone location information.”
While such technology may not be what Indian agencies use, it could only be a matter of time, for it and for subsequent debates around privacy, when looked at through the prism of national security.