
SoylentNews is people

posted by martyb on Wednesday April 04 2018, @01:33PM
from the a-WOPR-of-a-story dept.

In a letter to Senator Ron Wyden, the Department of Homeland Security has acknowledged that unknown users are operating IMSI catchers in Washington, D.C.:

The Department of Homeland Security (DHS) is acknowledging for the first time that foreign actors or criminals are using eavesdropping devices to track cellphone activity in Washington, D.C., according to a letter obtained by The Hill.

DHS in a letter to Sen. Ron Wyden (D-Ore.) last Monday said they came across unauthorized cell-site simulators in the Washington, D.C., area last year. Such devices, also known as "stingrays," can track a user's location data through their mobile phones and can intercept cellphone calls and messages.

[...] DHS official Christopher Krebs, the top official leading the NPPD, added in a separate letter accompanying his response that such use "of IMSI catchers by malicious actors to track and monitor cellular users is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks."

DHS said they have not determined the users behind such eavesdropping devices, nor the type of devices being used. The agency also did not elaborate on how many devices it unearthed, nor where authorities located them.

Also at Ars Technica and CNN.

Related: Police: Stingray Device Intercepts Mobile Phones
ACLU Reveals Greater Extent of FBI and Law Enforcement "Stingray" Use
US IRS Bought Stingray, Stingray II, and Hailstorm IMSI-Catchers
EFF Launches the Cell-Site Simulator Section of Street Level Surveillance
NYPD Making Heavy Use of Stingrays
New York Lawmakers Want Local Cops to Get Warrant Before Using Stingray
New Jersey State Police Spent $850,000 on Harris Corp. Stingray Devices



 
  • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @01:56PM (25 children)

    by JoeMerchant (3937) on Wednesday April 04 2018, @01:56PM (#662475)

    How hard could it be to make a Stingray hunter?

    You need:

    1) to be able to detect that you are communicating with a Stingray - if nothing else, this can be done by referencing against a list of known good-actor network access points.

    2) RDF on the signals coming from the tower - they're short burst, but I'm sure the clever guys in our national defense can manage to make RDF work with short burst transmissions...

    3) follow the signals.

    It might take several connections to zero in on one, but if they're in fixed locations, they should be easily detected and busted. And, if they're rolling, we should get some awesome dashcam footage of the chase.

    --
    🌻🌻 [google.com]
  • (Score: 2) by Knowledge Troll on Wednesday April 04 2018, @02:10PM (13 children)

    by Knowledge Troll (5948) on Wednesday April 04 2018, @02:10PM (#662482) Homepage Journal

    And, if they're rolling, we should get some awesome dashcam footage of the chase.

    If it moves around constantly I think that'd pretty much make it impossible to direction find. And yes I am a T hunter.

    The reason being, for at least all the ways I know how to find a transmitter through radio location, I need a map and to plot the intersection of many bearings to find hypothetical locations for the transmitter then investigate those. It takes quite a while - about half a day - with readings taken from many different locations.

    If the transmitter was moving around this technique wouldn't work at all unless it moved from fixed points to fixed points and you increased the time and bearing readings.

    • (Score: 4, Insightful) by zocalo on Wednesday April 04 2018, @02:38PM (11 children)

      by zocalo (302) on Wednesday April 04 2018, @02:38PM (#662496)
      Or you could perhaps co-ordinate having multiple receivers doing RDF at the same time on the same signal and extrapolating that into an approximate location in realtime. If you've got suitable CCTV coverage, then a little analysis of which vehicles were recorded in each area over several plots, and you're probably going to be able to pin down a specific vehicle pretty quickly. I think most usage cases for IMSI catchers would be to target a specific location or (possibly) individual, so that's going to mean they'll need to remain within fairly close proximity of their target which, in turn, is going to limit their ability to have highly randomised routes quite a bit and make them easier to pin down. Still not trivial, but perhaps not beyond the capabilities of a suitably motivated and equipped US government agency.

      Of course, when they find out that many of the "rogue" IMSI catchers are actually being operated by other US agencies things could get amusing, but I doubt we'll get to hear about that.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 2) by Knowledge Troll on Wednesday April 04 2018, @02:48PM (9 children)

        by Knowledge Troll (5948) on Wednesday April 04 2018, @02:48PM (#662502) Homepage Journal

        Still not trivial, but perhaps not beyond the capabilities of a suitably motivated and equipped US government agency.

        In the movies maybe - I wonder if you have ever done a T hunt? Are you aware of how many reflections and false readings there are? There is a reason you need an entire day's worth of data to find a single point.

        After you find the point where the most intersections exist and you travel to that location then you get to start all over again doing the DF process on a local instead of regional scale. All new DF equipment and techniques.

        I can't conceive of any system that could finger an exact automobile regardless of the number of receivers involved. You would need to have local receivers ready to DF over the entire hypothetical area the transmitter could be at once that was identified.

        This is going to be a massive scale undertaking involving a lot of people not just technology. That's assuming it moves.

        Now perhaps there is some new amazing technology that exploits the cell phone's use of CDMA so the DF can use all of the components of multipath that exist, find the one with the lowest delay, and assume that is a signal that exists without any reflection, which should help with reducing false readings because of reflections which I'd say is the biggest issue.

        I'm still not sure that'd help a lot with this task of finding a moving transmitter though.

        • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @03:11PM (6 children)

          by JoeMerchant (3937) on Wednesday April 04 2018, @03:11PM (#662513)

          DF over the entire hypothetical area the transmitter could be at once that was identified.

          Thankfully, each Stingray only operates over a single cell coverage area, and if they're trying to intercept a particular person's call, they're likely trying to be closer to the target than other cell towers, so if you know the target, you've got a very small area to cover.

          Now, if you're running a general trawl net over the entire DC-inside-the-beltway region, you might just start adding DF equipment on all the existing cell towers, increasing coverage density until you can track them in real-time.

          --
          🌻🌻 [google.com]
          • (Score: 2) by Bobs on Wednesday April 04 2018, @03:29PM (5 children)

            by Bobs (1462) on Wednesday April 04 2018, @03:29PM (#662515)

            I literally do not know what I am talking about.

            But, as they are all fake cell towers, and people have access to handheld smart-phones, it seems like a software problem to me.

            Get 20+ people spread out with a smart phone and special software, all log into a site where you upload the cell connection data from the phones in real time, server filters out the known/registered towers and people converge on an area. Apparently they already have a general/regional map of problem IMSIs in DC area.

            Seems like you would be able to quickly filter out the noise and reflections based upon the multiple inputs and quickly triangulate a bad source. Flag it and tag it and move on to the next.

            I am certain there is a lot of complexity I am missing - feel free to point out the flaws of this.

            Thanks.

            • (Score: 3, Interesting) by Knowledge Troll on Wednesday April 04 2018, @03:44PM (4 children)

              by Knowledge Troll (5948) on Wednesday April 04 2018, @03:44PM (#662520) Homepage Journal

              I literally do not know what I am talking about.

              Not always a bad thing. Approaching this without the limitations/bias I bring from doing previous DF actually helped me realize I'm outside my domain of expertise because cell phones have a very different signal with characteristics that enable what starts to look like pure voodoo.

              First of all the thought came to mind that the cell system can already locate cell phones using direction finding with cooperating cell towers and the accuracy is down in the 10s to 100s of meters as I recall. This is done with time difference of arrival analysis I believe and requires that the cell towers (specifically the DF receivers) are coherent which they are because all participants in the cell network are synchronized in time via GPS.

              If the cell towers can do this for cell phones they can most likely be modified/software updated to be able to do this for cell towers/stingrays and not just the cell phones themselves. This may assume that the device being located is cooperating or not actively trying to hinder the process.

              But more to your point about using all of the cell phones out there as receivers in a distributed DF network - not bad. Not bad at all. You got me thinking - all of those cell phones are also phase coherent with the other phones and the cell network as a whole because they synchronize to the towers which synchronize to GPS (the towers are stratum 1 time sources). That is actually an amazingly powerful system!

              If you can get all of those receivers running at once, sending their received signals back to a central point along with the time information and the physical location of the phone, you can start to do time difference of arrival calculations with many more sources, assuming you throw an absolute fuck ton of math at it.

              If you want to throw an even bigger absolute fuck ton at it, my estimate is about 20 dB more math, then you can start doing phased array DSP and form virtual directional antennas that you can rotate in space and have very sharp areas in them that you can exploit for direction finding. You could also do this as a DVR like system so you don't have to do all the analysis in real time - you could sit and study such signals and find other ones at your leisure (assuming you aren't trying to find a moving target).

              That might even let you find the exact phones sitting right next to the person if they were literally on all sides of them. It seems like having this on every phone in a city and the target being on the road would let this happen.

              I suppose this is within the realms of the NSA but it is getting outside my domain of expertise too. I'm not that sophisticated with radios.

              • (Score: 2) by Osamabobama on Wednesday April 04 2018, @06:07PM (1 child)

                by Osamabobama (5842) on Wednesday April 04 2018, @06:07PM (#662572)

                This could be a good (read compelling) use of the backdoors that NSA likely has in most cell phones.

                Outside of the NSA, I'm sure there would be a community of people interested in crowd-sourcing this effort, as long as the results were published. Something along the lines of Folding@Home, but for cell phones. I suppose all that math you referred to would require some backend server to do the heavy lifting.

                --
                Appended to the end of comments you post. Max: 120 chars.
                • (Score: 2) by Knowledge Troll on Wednesday April 04 2018, @09:28PM

                  by Knowledge Troll (5948) on Wednesday April 04 2018, @09:28PM (#662643) Homepage Journal

                  Well one issue that is going to be a problem is I don't think the average cell phone is going to do this without some kind of modification. I heavily suspect the interface available to the baseband module just won't allow for operating it/getting information out of it in a way where all the detail would be available. Though for a good chunk of them there is quite likely a new firmware that could be loaded into the baseband module if it uses SDR.

              • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @07:27PM

                by JoeMerchant (3937) on Wednesday April 04 2018, @07:27PM (#662596)

                There's a company around Vero Beach that does triangulation based on TOF measurements - mostly for first responder radios, but the idea is that with 3 or more receiver towers, you can track the difference in time of arrival of a particular signal and get a rough idea where it came from. Like the urban gunshot locators, but with radio (only ~7 orders of magnitude faster, WGCW?)

                --
                🌻🌻 [google.com]
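The time-difference-of-arrival approach raised in this sub-thread (GPS-synchronized receivers, three or more towers), worked through as an added example that is not part of any comment here: a pure-Python Gauss-Newton solver on a flat 2-D plane. The receiver layout, emitter position and the 100 ns clock error are constructed, and multipath is not modelled.

```python
import math

C = 299_792_458.0  # propagation speed, m/s

# Constructed layout: four GPS-synchronized receivers on a 2 km square (metres).
RECEIVERS = [(0.0, 0.0), (2000.0, 0.0), (2000.0, 2000.0), (0.0, 2000.0)]


def simulate_times(emitter, receivers, t0=0.0):
    """Arrival time of one burst at each receiver (line of sight only)."""
    return [t0 + math.dist(emitter, s) / C for s in receivers]


def residuals(p, receivers, times):
    """Predicted minus measured range difference, relative to receiver 0."""
    d0 = math.dist(p, receivers[0])
    return [(math.dist(p, s) - d0) - C * (t - times[0])
            for s, t in zip(receivers[1:], times[1:])]


def cost(p, receivers, times):
    return sum(r * r for r in residuals(p, receivers, times))


def locate(receivers, times, iterations=50):
    """Gauss-Newton with step halving; returns the estimated (x, y)."""
    if len(receivers) < 3:
        raise ValueError("a 2-D fix needs at least 3 synchronized receivers")
    n = len(receivers)
    p = (sum(s[0] for s in receivers) / n, sum(s[1] for s in receivers) / n)
    for _ in range(iterations):
        res = residuals(p, receivers, times)
        d0 = math.dist(p, receivers[0])
        u0 = ((p[0] - receivers[0][0]) / d0, (p[1] - receivers[0][1]) / d0)
        a = b = c = gx = gy = 0.0  # entries of J^T J and J^T r
        for s, r in zip(receivers[1:], res):
            d = math.dist(p, s)
            jx = (p[0] - s[0]) / d - u0[0]
            jy = (p[1] - s[1]) / d - u0[1]
            a += jx * jx
            b += jx * jy
            c += jy * jy
            gx += jx * r
            gy += jy * r
        det = a * c - b * b
        if abs(det) < 1e-12:
            return p  # receivers give no usable geometry at this point
        dx = -(c * gx - b * gy) / det
        dy = -(a * gy - b * gx) / det
        before, scale = cost(p, receivers, times), 1.0
        while scale > 1e-6:  # halve the step until the fit improves
            trial = (p[0] + scale * dx, p[1] + scale * dy)
            if cost(trial, receivers, times) < before:
                break
            scale /= 2
        else:
            return p  # no improving step left: converged
        p = trial
        if math.hypot(scale * dx, scale * dy) < 1e-6:
            break
    return p


if __name__ == "__main__":
    truth = (700.0, 1200.0)                  # constructed emitter position
    times = simulate_times(truth, RECEIVERS)
    print("clean  :", locate(RECEIVERS, times))
    times[2] += 100e-9                       # 100 ns clock error on one receiver
    est = locate(RECEIVERS, times)
    print("100 ns :", est, "error %.1f m" % math.dist(est, truth))
```

Each 100 ns of clock disagreement is about 30 m of range-difference error, so the fix degrades with receiver synchronization as well as with reflections.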
              • (Score: 0) by Anonymous Coward on Wednesday April 04 2018, @07:28PM

                by Anonymous Coward on Wednesday April 04 2018, @07:28PM (#662598)

                If reflections are such a huge problem, would it be simpler from an aerial perspective? I would imagine a few drones working together could narrow in on one fairly quickly.

                Though most low flying drones aren't very stealthy ...

        • (Score: 2) by Spook brat on Wednesday April 04 2018, @05:06PM

          by Spook brat (775) on Wednesday April 04 2018, @05:06PM (#662556) Journal

          Still not trivial, but perhaps not beyond the capabilities of a suitably motivated and equipped US government agency.

          In the movies maybe - I wonder if you have ever done a T hunt? Are you aware of how many reflections and false readings there are? There is a reason you need an entire day's worth of data to find a single point.

          The U.S. Military measures the time between a rogue battlefield radio beginning transmissions and artillery landing on the antenna in seconds; the difference between what you did and what they do is one of resources. Start with a bunch of receivers instead of just one, network them together with a bunch of computing power to back them up, and the solution becomes almost instantaneous. I'm pretty sure the only thing keeping the US .gov from leveraging that expertise for this problem is the Posse Comitatus Act; politicians don't like the idea of soldiers patrolling the streets of the Capitol.

          Of course, that just keeps the Army from turning DC into an overt SIGINT battlespace; the CIA could probably borrow some NSA toys and do it on the down-low without too much pushback. Maybe some hurt feelings from the FBI over having their jurisdiction stepped on, but that's never stopped Langley before.

          --
          Travel the galaxy! Meet fascinating life forms... And kill them [schlockmercenary.com]
        • (Score: 2) by zocalo on Wednesday April 04 2018, @05:24PM

          by zocalo (302) on Wednesday April 04 2018, @05:24PM (#662559)
          Actually I have, albeit in a marine environment so far fewer reflections and different frequencies to contend with, with both military and civilian grade equipment. There's a world of difference between the two in terms of speed and accuracy (and cost, naturally) there, so I'm expecting the same to be true for more modern land based hardware too. Also, IMSI catchers are going to need to be pretty short range devices in order to be effective as they have to overpower the legitimate base stations, so you've already got a headstart in pinning down the location and a stronger signal to lock onto when you get close enough. I don't think it's going to be trivial, especially in a major urban environment, but given the right equipment I don't think it's CSI TV show levels of improbability to be able to pin them down either.
          --
          UNIX? They're not even circumcised! Savages!
      • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @03:07PM

        by JoeMerchant (3937) on Wednesday April 04 2018, @03:07PM (#662511)

        Not so sure that realtime CCTV taps are feasible, yet. I do agree that you'll probably find some domestic agencies operating off the books.

        However, I wouldn't be surprised if the current Stingray haul isn't coming from technical capture, but rather classical intelligence channels - X heard that Y was operating a Stingray, Z confirmed with Y that they are, DCPD comes knocking at Y's door and confiscates the equipment.

        --
        🌻🌻 [google.com]
    • (Score: 3, Interesting) by JoeMerchant on Wednesday April 04 2018, @03:01PM

      by JoeMerchant (3937) on Wednesday April 04 2018, @03:01PM (#662506)

      I need a map and to plot the intersection of many bearings to find hypothetical locations for the transmitter then investigate those. It takes quite a while - about half a day - with readings taken from many different locations.

      So... resources. Deploy networked T-hunters on a fleet of 100 police patrol cars. They already have the occasional RDF on police cars for the stolen vehicle tracking work (and other things, I suspect.) Once deployed, the officers driving around don't even have to know they're helping to find Stingrays, they just provide data to the hunter-controller.

      --
      🌻🌻 [google.com]
  • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @02:15PM (3 children)

    by All Your Lawn Are Belong To Us (6553) on Wednesday April 04 2018, @02:15PM (#662485) Journal

    Fox hunt! [wikipedia.org] (Though the term is definitely not PC today, I prefer the colorful version).

    Technically it would probably be FCC responsibility to narrow them down, as their usage requires them to broadcast and doing so without authorization and with interference without a license wouldn't seem legal to me. Good luck with convincing the FCC they should investigate them.

    Civilians doing so would be difficult. I don't want to say impossible.

    BUT, if it were a foreign government responsible our government could uncover that in short order. If it so desired it would be stopped through normal diplomatic channels - extraterritoriality doesn't cover violation of international broadcasting treaties.

    --
    This sig for rent.
    • (Score: 0) by Anonymous Coward on Wednesday April 04 2018, @02:18PM

      by Anonymous Coward on Wednesday April 04 2018, @02:18PM (#662487)

      It's hard to say whether this is espionage or cybercrime.

      It wouldn't surprise me if the Israelis were behind it in order to figure out what's going on in private conversations between government officials.

    • (Score: 4, Insightful) by Knowledge Troll on Wednesday April 04 2018, @02:19PM

      by Knowledge Troll (5948) on Wednesday April 04 2018, @02:19PM (#662488) Homepage Journal

      Civilians doing so would be difficult. I don't want to say impossible.

      Just give the ham radio operators the technology they need to receive the signals and discriminate based on the ID of the rogue cell towers. It may be difficult or even close to impossible but that doesn't mean they won't take the challenge up and then have fun while working on it.

      If any civilians are going to be able to DF that thing it would be the hams. I'm sure The Feds/The Man has the technology and experience to do it right now though.

    • (Score: 1, Funny) by Anonymous Coward on Wednesday April 04 2018, @02:50PM

      by Anonymous Coward on Wednesday April 04 2018, @02:50PM (#662503)

      As a fox-American, I am outraged by this name!

  • (Score: 2) by DannyB on Wednesday April 04 2018, @02:23PM (5 children)

    by DannyB (5839) Subscriber Badge on Wednesday April 04 2018, @02:23PM (#662491) Journal

    It might not be possible to distinguish a Stingray from a legitimate network operator's cell tower.

    Sent from my TRS-80

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 3, Interesting) by JoeMerchant on Wednesday April 04 2018, @03:04PM (4 children)

      by JoeMerchant (3937) on Wednesday April 04 2018, @03:04PM (#662508)

      It might not be possible to distinguish a Stingray from a legitimate network operator's cell tower.

      Except that legitimate network operator's cell towers are licensed, registered, and otherwise known entities.

      Now, if the Stingray were spoofing an actual tower, and physically located very close to it - that could get interesting.

      --
      🌻🌻 [google.com]
      • (Score: 3, Informative) by Osamabobama on Wednesday April 04 2018, @06:21PM (1 child)

        by Osamabobama (5842) on Wednesday April 04 2018, @06:21PM (#662574)

        There was a story [techcrunch.com] about this in Seattle last year. The system is referred to as SeaGlass [washington.edu], and is hosted by the University of Washington.

        --
        Appended to the end of comments you post. Max: 120 chars.
        • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @07:31PM

          by JoeMerchant (3937) on Wednesday April 04 2018, @07:31PM (#662599)

          There's no story about this in Washington D.C. from several years earlier. The system is referred to as Redacted and is hosted by the TLA agency who shall not be named.

          --
          🌻🌻 [google.com]
      • (Score: 3, Interesting) by DannyB on Wednesday April 04 2018, @08:27PM (1 child)

        by DannyB (5839) Subscriber Badge on Wednesday April 04 2018, @08:27PM (#662625) Journal

        Except that legitimate network operator's cell towers are licensed, registered, and otherwise known entities.

        And I suspect Stingrays are not licensed, or otherwise known.

        I think the very means that enables their operation is either a vulnerability exploit or stolen credentials / keys.

        Either the protocol / authentication is so weak that you can fool a mobile device to believe "hey this is an AT&T tower, not a Verizon tower", or it uses some stolen keys that cause the device to believe this. I suspect the protocol involves encryption and proof both ways between the tower and mobile set. The tower also wants to be really sure that the mobile set is authorized, and is paying the bill for making a call, text or data. The mobile operator probably also doesn't want their phones being fooled into using a hacker's network. Now either that mechanism is too weak, or some keys / credentials are compromised.

        Why else is even the mere existence of Stingray treated as a major secret? If it is legitimate, it shouldn't need to be any more secret than the mere fact that phone wiretaps can be done. They're trying to keep the secret from the mobile phone operators -- who would actively block Stingrays.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
        • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @08:33PM

          by JoeMerchant (3937) on Wednesday April 04 2018, @08:33PM (#662628)

          a vulnerability exploit or stolen credentials / keys.

          Agreed.

          However, if the Stingray is acting as a legitimate tower, it's not going to be in the legitimate tower's exact location, and that's the giveaway. If it's physically very near, it could be quite hard to tease apart with RDF, but easier to notice when servicing the legitimate tower.

          --
          🌻🌻 [google.com]
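The registry check discussed in this thread (phones uploading the cells they see, a server filtering out known towers, and a known identity heard away from its licensed location being the giveaway), sketched as an added example that is not part of any comment here. The tower registry, the upload format, the thresholds and every identifier and coordinate are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed registry of licensed sites: (MCC, MNC, LAC, CID) -> (lat, lon).
# 001/01 is the test PLMN; every identifier and coordinate here is made up.
KNOWN_TOWERS = {
    (1, 1, 100, 5001): (38.8977, -77.0365),
    (1, 1, 100, 5002): (38.9072, -77.0369),
}
MAX_RANGE_KM = 5.0   # assumption: plausible serving radius of a registered site
MIN_REPORTERS = 3    # assumption: distinct phones needed before raising a flag


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def weighted_centroid(reports):
    """Power-weighted mean of reporter positions; a search area, not a fix."""
    weights = [10 ** (r["rssi_dbm"] / 10) for r in reports]  # dBm -> mW
    total = sum(weights)
    return (sum(w * r["pos"][0] for w, r in zip(weights, reports)) / total,
            sum(w * r["pos"][1] for w, r in zip(weights, reports)) / total)


def flag_suspect_cells(reports):
    """Group uploads by cell identity; flag what the registry cannot explain."""
    by_cell = defaultdict(list)
    for r in reports:
        by_cell[r["cell"]].append(r)
    findings = {}
    for cell, obs in by_cell.items():
        site = KNOWN_TOWERS.get(cell)
        if site is None:
            reason, suspicious = "unregistered", obs
        else:
            # Known identity heard far from its licensed site: possible clone.
            reason = "location_mismatch"
            suspicious = [r for r in obs
                          if haversine_km(r["pos"], site) > MAX_RANGE_KM]
        phones = {r["phone"] for r in suspicious}
        if len(phones) >= MIN_REPORTERS:  # one odd reading is just noise
            findings[cell] = {"reason": reason, "reporters": len(phones),
                              "estimate": weighted_centroid(suspicious)}
    return findings


def _report(phone, cid, lat, lon, rssi_dbm):
    return {"phone": phone, "cell": (1, 1, 100, cid),
            "pos": (lat, lon), "rssi_dbm": rssi_dbm}


# Constructed uploads from volunteer phones.
SAMPLE_REPORTS = [
    _report("p1", 5001, 38.8990, -77.0350, -70),   # registered, near its site
    _report("p2", 5001, 38.8960, -77.0380, -65),
    _report("p1", 9999, 38.8890, -77.0350, -60),   # unknown CID, three phones
    _report("p2", 9999, 38.8900, -77.0360, -75),
    _report("p3", 9999, 38.8910, -77.0340, -80),
    _report("p4", 5002, 38.9080, -77.0360, -72),   # 5002 near its own site
    _report("p5", 5002, 39.1070, -77.0370, -58),   # 5002 heard ~22 km away
    _report("p6", 5002, 39.1080, -77.0380, -66),
    _report("p7", 5002, 39.1060, -77.0360, -74),
    _report("p8", 7777, 38.9500, -77.1000, -95),   # single stray report
]

if __name__ == "__main__":
    for cell, info in flag_suspect_cells(SAMPLE_REPORTS).items():
        print(cell, info)
```

A simulator that reuses a registered identity within `MAX_RANGE_KM` of the real site passes this check, which is the hard case the comment above describes.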
  • (Score: 0) by Anonymous Coward on Wednesday April 04 2018, @06:39PM

    by Anonymous Coward on Wednesday April 04 2018, @06:39PM (#662579)

    How hard can it be?

    Eh, I'm sure they can figure it out

    You, sir, are the upper-management PHB from hell.