In a letter to Senator Ron Wyden, the Department of Homeland Security has acknowledged that unknown users are operating IMSI catchers in Washington, D.C.:
The Department of Homeland Security (DHS) is acknowledging for the first time that foreign actors or criminals are using eavesdropping devices to track cellphone activity in Washington, D.C., according to a letter obtained by The Hill.
DHS in a letter to Sen. Ron Wyden (D-Ore.) last Monday said they came across unauthorized cell-site simulators in the Washington, D.C., area last year. Such devices, also known as "stingrays," can track a user's location data through their mobile phones and can intercept cellphone calls and messages.
[...] DHS official Christopher Krebs, the top official leading the NPPD, added in a separate letter accompanying his response that such use "of IMSI catchers by malicious actors to track and monitor cellular users is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks."
DHS said they have not determined the users behind such eavesdropping devices, nor the type of devices being used. The agency also did not elaborate on how many devices it unearthed, nor where authorities located them.
Also at Ars Technica and CNN.
Related: Police: Stingray Device Intercepts Mobile Phones
ACLU Reveals Greater Extent of FBI and Law Enforcement "Stingray" Use
US IRS Bought Stingray, Stingray II, and Hailstorm IMSI-Catchers
EFF Launches the Cell-Site Simulator Section of Street Level Surveillance
NYPD Making Heavy Use of Stingrays
New York Lawmakers Want Local Cops to Get Warrant Before Using Stingray
New Jersey State Police Spent $850,000 on Harris Corp. Stingray Devices
Related Stories
mrbluze writes:
"Columbia Tribune / AP reports of Police agencies' reluctance to divulge details about the Stingray cell-phone interception device, whose use has increased since a Supreme Court decision to prevent the use of GPS tracking devices without a warrant. The Stingray is reported to be a suitcase-sized device that pretends to be a mobile phone tower, tricking a cell phone to connect to it instead of the cellphone company's tower, but details on how this works are not revealed.
In one of the rare court cases involving the device, the FBI acknowledged in 2011 that so-called cell site simulator technology affects innocent users in the area where it's operated, not just a suspect police are seeking.
A December 2013 investigation by USA Today found roughly 1 in 4 law enforcement agencies it surveyed had performed tower dumps, and slightly fewer owned a Stingray.
However, a report by GlobalResearch.ca gives much greater detail, including photographs of the device:
When a suspect makes a phone call, the StingRay tricks the cell into sending its signal back to the police, thus preventing the signal from traveling back to the suspect's wireless carrier. But not only does StingRay track the targeted cell phone, it also extracts data off potentially thousands of other cell phone users in the area.
Although manufactured by a Germany and Britain-based firm, the StingRay devices are sold in the US by the Harris Corporation, an international telecommunications equipment company. It gets between $60,000 and $175,000 for each Stingray it sells to US law enforcement agencies."
The ACLU has released documents obtained from Florida public records requests to law enforcement agencies that give a more complete account of the use of Stingray surveillance technology. "Stingrays, also known as 'cell site simulators,' or 'IMSI catchers,' are invasive cell phone surveillance devices that mimic cell phone towers and force phones in the area to broadcast information that can be used to identify and locate them." The Register reports:
Documents obtained by the American Civil Liberties Union have shown that US cops are using the FBI's Stingray mobile phone tracking tech much more often than first thought. And the Feds are going to great lengths to hide the full extent of its use.
"The documents paint a detailed picture of police using an invasive technology - one that can follow you inside your house - in many hundreds of cases and almost entirely in secret," said Nathan Freed Wessler, staff attorney at the ACLU. "The secrecy is not just from the public, but often from judges who are supposed to ensure that police are not abusing their authority. Partly relying on that secrecy, police have been getting authorization to use Stingrays based on the low standard of 'relevance,' not a warrant based on probable cause as required by the Fourth Amendment."
The ACLU requested information about Stingray use from three dozen Florida police departments and found out that the system has been in use in the Sunshine State since 2007 - much earlier than first thought. According to a May 2014 email, the Stingray system has been used in 1,835 cases in Florida, none of which were national-security related. More than a third of cases using the technology involved robbery, burglary, and theft, and the rest were largely "wanted persons" cases.
The documents also included details of a few specific cases where Stingrays have been used. In one, defense lawyers were able to use the FBI's reluctance to reveal details about the technology to get a sweetheart deal of a sentence for their clients.
The Guardian reports about the US Internal Revenue Service (IRS) buying and upgrading Harris Corporation Stingray IMSI-catchers in 2009 (PDF (21 MB) and text (10.2 KB) versions of 2009 invoice) and 2012 (upgrading Stingray II to a HailStorm, see quote below) and that they're now the 13th US federal agency confirmed to use the technology which pretends to be legitimate cell towers in order to eavesdrop on mobile communication. IMSI-catchers are not restricted to "only" catching metadata; they can catch all communications and also perform any kind of addition MITM attack like malware insertion. No warrants are said to be required, only PEN register orders. The invoices was obtained through Freedom of Information Act (FOIA) requests.
Quote from the Guardian article:
The 2009 IRS/Harris Corp invoice is mostly redacted under section B(4) of the Freedom of Information Act, which is intended to protect trade secrets and privileged information. However, an invoice from 2012, which is also partially redacted, reports that the agency spent $65,652 on upgrading a Stingray II to a HailStorm, a more powerful version of the same device, as well as $6,000 on training from Harris Corporation.
The CEO of Harris Corporation is William M. Brown (PDF 54.8 KB) who according to Forbes was number 279 in CEO compensation in 2012. Here's the rest of the Harris Corporation management.
Digital analyzer. IMSI catcher. Stingray. Triggerfish. Dirt box. Cell-site simulator. The list of aliases used by the devices that masquerade as a cell phone tower, trick your phone into connecting with them, and suck up your data, seems to grow every day. But no matter what name cell-site simulators go by, whether they are in the hands of the government or malicious thieves, there's no question that they're a serious threat to privacy.
That's why EFF is launching the cell-site simulator section of Street Level Surveillance today.
EFF's Street Level Surveillance Project unites our past and future work on domestic surveillance technologies into one easily accessible portal. On this page, you'll find all the materials we have on each individual technology gathered into one place. Materials include FAQs about specific technologies, infographics and videos explaining how technologies work, and advocacy materials for activists concerned about the adoption of street level surveillance technologies in their own community. In the coming months, we'll be adding materials on drones, stingrays, and fusion centers.
Shaun Nichols over at The Register (El Reg) is reporting on a New York Civil Liberties Union report (NYCLU) detailing New York City Police Department (NYPD) use of IMSI catchers.
According to the NYCLU's report, the NYPD has used IMSI catchers (essentially mobile cell towers powerful enough to induce all nearby cellular devices to connect to them, rather than commercial cell towers) more than 1,000 times in the past seven years.
From the El Reg article:
According to the NYCLU report, between 2008 and May of 2015 police used stingray hardware 1,016 times, and that permission to deploy the devices required a court order rather than a harder-to-obtain warrant.
The use of stingray devices by police has become a point of contention between law enforcement and groups who see the devices as a violation of personal privacy. Long used by the FBI, stingray devices impersonate legit cellphone towers to monitor nearby mobile phones and track their movements.
[...] "If carrying a cell phone means being exposed to military-grade surveillance equipment, then the privacy of nearly all New Yorkers is at risk," said NYCLU executive director Donna Lieberman.
"Considering the NYPD's troubling history of surveilling innocent people, it must at the very least establish strict privacy policies and obtain warrants prior to using intrusive equipment like Stingrays that can track people's cell phones."
This kind of gives a little more zing to the old saw "Welcome to New York. Now go home."
The New York Civil Liberties Union is pushing a new state bill that would require law enforcement to obtain a warrant prior to deploying a cell-site simulator, or stingray. The bill also includes other new restrictions.
Cell-site simulators, or fake cell towers, are often used by police to locate criminal suspects by tricking their phones into giving up their location. In some cases, simulators can also be used to intercept phone calls and text messages. Use of these devices has been heavily scrutinized in recent years—in September 2015, the Department of Justice said it would require its federal agents to seek a warrant before deployment.
[...] The bill, which was first reported by ZDNET, doesn't mention stingrays specifically. However, it specifically forbids law enforcement from accessing "electronic device information by means of physical interaction or electronic communication with the device" unless they have a warrant. There are a few narrow exceptions, such as exigent circumstances.
Information obtained via right-to-know request revealed The New Jersey State Police spent at least $850,000 on stingray devices from Harris Corp.
Authorities didn't respond to NBC10's request to discuss the use of the technology described in more than 100 pages of invoices and other heavily redacted documents detailing the devices purchased. Jeanne LoCicero, deputy legal director ACLU of New Jersey, asked for the same documents that NBC10 sought and received the same response from the department upon further inquiry.
[...] New Jersey State Police department's lack of transparency on the device is not uncommon from what has been seen with other law enforcement agencies at both the local and federal level when similar requests have been made.
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @01:39PM
Ever expects the Spanish Inquisition!!
Dare I say “What Russians?”
(Score: 2) by JoeMerchant on Wednesday April 04 2018, @01:56PM (25 children)
How hard could it be to make a Stingray hunter?
You need:
1) to be able to detect that you are communicating with a Stingray - if nothing else, this can be done by referencing against a list of known good-actor network access points.
2) RDF on the signals coming from the tower - they're short burst, but I'm sure the clever guys in our national defense can manage to make RDF work with short burst transmissions...
3) follow the signals.
It might take several connections to zero in on one, but if they're in fixed locations, they should be easily detected and busted. And, if they're rolling, we should get some awesome dashcam footage of the chase.
🌻🌻 [google.com]
(Score: 2) by Knowledge Troll on Wednesday April 04 2018, @02:10PM (13 children)
If it moves around constantly I think that'd pretty much make it impossible to direction find. And yes I am a T hunter.
The reason being, for at least all the ways I know how to find a transmitter through radio location, I need a map and to plot the intersection of many bearings to find hypothetical locations for the transmitter then investigate those. It takes quite a while - about half a day - with readings taken from many different locations.
If the transmitter was moving around this technique wouldn't work at all unless it moved from fixed points to fixed points and you increased the time and bearing readings.
(Score: 4, Insightful) by zocalo on Wednesday April 04 2018, @02:38PM (11 children)
Of course, when the find out that many of the "rogue" IMSI catchers are actually being operated by other US agencies things could get amusing, but I doubt we'll get to hear about that.
UNIX? They're not even circumcised! Savages!
(Score: 2) by Knowledge Troll on Wednesday April 04 2018, @02:48PM (9 children)
In the movies maybe - I wonder if you have ever done a T hunt? Are you aware of how many reflections and false readings there are? There is a reason you need an entire day's worth of data to find a single point.
After you find the point where the most intersections exist and you travel to that location then you get to start all over again doing the DF process on a local instead of regional scale. All new DF equipment and techniques.
I can't conceive of any system that could finger an exact automobile regardless of the number of receivers involved. You would need to have local receivers ready to DF over the entire hypothetical area the transmitter could be at once that was identified.
This is going to be a massive scale undertaking involving a lot of people not just technology. That's assuming it moves.
Now perhaps there is some new amazing technology that exploits the cell phone's use of CDMA so the DF can use all of the components of multipath that exist, find the one with the lowest delay, and assume that is a signal that exists with out any reflection, which should help with reducing false readings because of reflections which I'd say is the biggest issue.
I'm still not sure that'd help a lot with this task of finding a moving transmitter though.
(Score: 2) by JoeMerchant on Wednesday April 04 2018, @03:11PM (6 children)
Thankfully, each Stingray only operates over a single cell coverage area, and if they're trying to intercept a particular person's call, they're likely trying to be closer to the target than other cell towers, so if you know the target, you've got a very small area to cover.
Now, if you're running a general trawl net over the entire DC-inside-the-beltway region, you might just start adding DF equipment on all the existing cell towers, increasing coverage density until you can track them in real-time.
🌻🌻 [google.com]
(Score: 2) by Bobs on Wednesday April 04 2018, @03:29PM (5 children)
I literally do not know what I am talking about.
But, as they are all fake cell towers, and people have access to handheld smart-phones, it seems like a software problem to me.
Get 20+ people spread out with a smart phone and special software, all log into a site where you upload the cell connection data from the phones in real time, server filters out the known/registered towers and people converge on an area. Apparently they already have a general/regional map of problem IMSIs in DC area.
Seems like you would able to quickly filter out the noise and reflections based upon the multiple inputs and quickly triangulate a bad source. Flag it and tag and and move on to the next.
I am certain there is a lot of complexity I am missing - feel free to point out the flaws of this.
Thanks.
(Score: 3, Interesting) by Knowledge Troll on Wednesday April 04 2018, @03:44PM (4 children)
Not always a bad thing. Approaching this with out the limitations/bias I bring from doing previous DF actually helped me realize I'm outside my domain of expertise because cell phones have a very different signal with characteristics that enable what starts to look like pure voodoo.
First of all the thought came to mind that the cell system can already locate cell phones using direction finding with cooperating cell towers and the accuracy is down in the 10s to 100s of meters as I recall. This is done with time difference of arrival analysis I believe and requires that the cell towers (specifically the DF receivers) are coherent which they are because all participants in the cell network are synchronized in time via GPS.
If the cell towers can do this for cell phones they can most likely be modified/software updated to be able to do this for cell towers/stingrays and not just the cell phones themselves. This may assume that the device being located is cooperating or not actively trying to hinder the process.
But more to your point about using all of the cell phones out there as receivers in a distributed DF network - not bad. Not bad at all. You got me thinking - all of those cell phones are also phase coherent with the other phones and the cell network as a whole because they synchronize to the towers which synchronize to GPS (the towers are STRAT 1 time sources). That is actually an amazingly powerful system!
If you can get all of those receivers running at once, sending their received signals back to a central point along with the time information and the physical location of the phone, you can start to do time difference of arrival calculations with many more sources, assuming you through an absolute fuck ton of math at it.
If you want to throw an even bigger absolute fuck ton at it, my estimate is about 20db more math, then you can start doing phased array DSP and form virtual directional antennas that you can rotate in space and have very sharp areas in them that you can exploit for direction finding. You could also do this as a DVR like system so you don't have to do all the analysis in real time - you could sit and study such signals and find other ones at your leisure (assuming you aren't trying to find a moving target).
That might even let you find the exact phones sitting right next to the person if they were literally on all sides of them. It seems like having this on every phone in a city and the target being on the road would let this happen.
I suppose this is within the realms of the NSA but it is getting outside my domain of expertise too. I'm not that sophisticated with radios.
(Score: 2) by Osamabobama on Wednesday April 04 2018, @06:07PM (1 child)
This could be a good (read compelling) use of the backdoors that NSA likely has in most cell phones.
Outside of the NSA, I'm sure there would be a community of people interested in crowd-sourcing this effort, as long as the results were published. Something along the lines of Folding@Home, but for cell phones. I suppose all that math you referred to would require some backend server to do the heavy lifting.
Appended to the end of comments you post. Max: 120 chars.
(Score: 2) by Knowledge Troll on Wednesday April 04 2018, @09:28PM
Well one issue that is going to be a problem is I don't think the average cell phone is going to do this with out some kind of modification. I heavily suspect the interface available to the baseband module just won't allow for operating it/getting information out of it in a way where all the detail would be available. Though for a good chunk of them there is quite likely a new firmware that could be loaded into the baseband module if it uses SDR.
(Score: 2) by JoeMerchant on Wednesday April 04 2018, @07:27PM
There's a company around Vero Beach that does triangulation based on TOF measurements - mostly for first responder radios, but the idea is that with 3 or more receiver towers, you can track the difference in time of arrival of a particular signal and get a rough idea where it came from. Like the urban gunshot locators, but with radio (only ~7 orders of magnitude faster, WGCW?)
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @07:28PM
If reflections are such a huge problem, would it be simpler from an aerial perspective? I would imagine a few drones working together could narrow in on one fairly quickly.
Though most low flying drones aren't very stealthy ...
(Score: 2) by Spook brat on Wednesday April 04 2018, @05:06PM
The U.S. Military measures the time between a rogue battlefield radio beginning transmissions and artillery landing on the antenna in seconds; the difference between what you did and what they do is one of resources. Start with a bunch of receivers instead of just one, network them together with a bunch of computing power to back them up, and the solution becomes almost instantaneous. I'm pretty sure the only thing keeping the US .gov from leveraging that expertise for this problem is the Posse Comitatus Act; politicians don't like the idea of soldiers patrolling the streets of the Capitol.
Of course, that just keeps the Army from turning DC into an overt SIGINT battlespace; the CIA could probably borrow some NSA toys and do it on the down-low without too much pushback. Maybe some hurt feelings from the FBI over having their jurisdiction stepped on, but that's never stopped Langley before.
Travel the galaxy! Meet fascinating life forms... And kill them [schlockmercenary.com]
(Score: 2) by zocalo on Wednesday April 04 2018, @05:24PM
UNIX? They're not even circumcised! Savages!
(Score: 2) by JoeMerchant on Wednesday April 04 2018, @03:07PM
Not so sure that realtime CCTV taps are feasible, yet. I do agree that you'll probably find some domestic agencies operating off the books.
However, I wouldn't be surprised if the current Stingray haul isn't coming from technical capture, but rather classical intelligence channels - X heard that Y was operating a Stingray, Z confirmed with Y that they are, DCPD comes knocking at Y's door and confiscates the equipment.
🌻🌻 [google.com]
(Score: 3, Interesting) by JoeMerchant on Wednesday April 04 2018, @03:01PM
So... resources. Deploy networked T-hunters on a fleet of 100 police patrol cars. They already have the occasional RDF on police cars for the stolen vehicle tracking work (and other things, I suspect.) Once deployed, the officers driving around don't even have to know they're helping to find Stingrays, they just provide data to the hunter-controller.
🌻🌻 [google.com]
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @02:15PM (3 children)
Fox hunt! [wikipedia.org] (Though the term is definitely not PC today, I prefer the colorful version).
Technically it would probably be FCC responsibility to narrow them down, as their usage requires them to broadcast and doing so without authorization and with interference without a license wouldn't seem legal to me. Good luck with convincing the FCC they should investigate them.
Civilians doing so would be difficult. I don't want to say impossible.
BUT, if it were a foreign government responsible our government could uncover that in short order. If it so desired it would be stopped through normal diplomatic channels - extraterritoriality doesn't cover violation of international broadcasting treaties.
This sig for rent.
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @02:18PM
It's hard to say whether this is espionage or cybercrime.
It wouldn't surprise me if the Israelis were behind it in order to figure out what's going on in private conversations between government officials.
(Score: 4, Insightful) by Knowledge Troll on Wednesday April 04 2018, @02:19PM
Just give the ham radio operators the technology they need to receive the signals and discriminate based on the ID of the rogue cell towers. It may be difficult or even close to impossible but that doesn't mean they won't take the challenge up and then have fun while working on it.
If any civilians are going to be able to DF that thing it would be the hams. I'm sure The Feds/The Man has the technology and experience to do it right now though.
(Score: 1, Funny) by Anonymous Coward on Wednesday April 04 2018, @02:50PM
As a fox-American, I am outraged by this name!
(Score: 2) by DannyB on Wednesday April 04 2018, @02:23PM (5 children)
It might not be possible to distinguish a Stingray from a legitimate network operator's cell tower.
Sent from my TRS-80
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 3, Interesting) by JoeMerchant on Wednesday April 04 2018, @03:04PM (4 children)
Except that legitimate network operator's cell towers are licensed, registered, and otherwise known entities.
Now, if the Stingray were spoofing an actual tower, and physically located very close to it - that could get interesting.
🌻🌻 [google.com]
(Score: 3, Informative) by Osamabobama on Wednesday April 04 2018, @06:21PM (1 child)
There was a story [techcrunch.com] about this in Seattle last year. The system is referred to as SeaGlass [washington.edu], and is hosted by the University of Washington.
Appended to the end of comments you post. Max: 120 chars.
(Score: 2) by JoeMerchant on Wednesday April 04 2018, @07:31PM
There's no story about this in Washington D.C. from several years earlier. The system is referred to as
Redactedand is hosted by the TLA agency who shall not be named.🌻🌻 [google.com]
(Score: 3, Interesting) by DannyB on Wednesday April 04 2018, @08:27PM (1 child)
And I suspect Stingray's are not licensed, or otherwise known.
I think the very means that enables their operation is either a vulnerability exploit or stolen credentials / keys.
Either the protocol / authentication is so weak that you can fool a mobile device to believe "hey this is an AT&T tower, not a Verizon tower", or it uses some stolen keys that cause the device to believe this. I suspect the protocol involves encryption and proof both ways between the tower and mobile set. The tower also wants to be really sure that the mobile set is authorized, and is paying the bill for making a call, text or data. The mobile operator probably also doesn't want their phones being fooled into using a hacker's network. Now either that mechanism is too weak, or some keys / credentials are compromised.
Why else is even the mere existence of Stingray treated as a major secret? If it is legitimate, it shouldn't need to be any more secret than the mere fact that phone wiretaps can be done. They're trying to keep the secret from the mobile phone operators -- who would actively block Stingrays.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by JoeMerchant on Wednesday April 04 2018, @08:33PM
Agreed.
However, if the Stingray is acting as a legitimate tower, it's not going to be in the legitimate tower's exact location, and that's the giveaway. If it's physically very near, it could be quite hard to tease apart with RDF, but easier to notice when servicing the legitimate tower.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @06:39PM
You, sir, are the upper-management PHB from hell.
(Score: 5, Insightful) by DannyB on Wednesday April 04 2018, @02:22PM (7 children)
This is why we CAN NOT have back doors built into cryptography, or into our devices.
I've said it multiple times before, and I won't link back those this time:
How Stingray works -- two theories:
1. Stingray is an exploit that is impossible to patch. The mobile network protocols were designed back in the day and did not view security as seriously as we do today, and thus they are exploitable. It will take years, upgrading all mobile sets and fixed network sets to switch to safer protocols.
2. Stingray relies on stolen credentials or keys. If the mobile operators knew which ones, they would revoke / change them and Stingray would be b0rked.
Either theory explains the extreme secrecy of Stingray. Law enforcement will even allow the guilty to go free rather than allow Stingray to be scrutinized in court. They will even commit perjury (aka "Parallel Construction") rather than reveal the mere existence of Stingray.
When I posted these theories (multiple times) here previously, I also said that once the secret of Stingray leaks out -- EVERYONE will have it. The poor will be able to spy on the rich. Etc.
Now to the point:
It was inevitable that, like nuclear weapons, Stingray would proliferate. It would fall into the hands of people who you don't want to have it.
This is also proof of why we can't have back doors in our cryptosystems or our computers (including mobile devices). The "secret sauce" to the backdoor WILL leak out. It is an absolute inevitability.
We can have either:
1. Secure systems -- hackers can't get in, but neither can government.
2. Insecure systems -- government can get in, but so can hackers.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 4, Funny) by JoeMerchant on Wednesday April 04 2018, @03:15PM
Oh, come on, the DVD and blu-ray keys lasted what, like at least 6 months in the wild before they were cracked/leaked.
🌻🌻 [google.com]
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @07:52PM (5 children)
How Stingray works - third possibility
3. Stingray obtained keys and access from the same companies that make either the tower radio manufacturers or diagnostic equipment for them, perfectly legally, and they operate with the active or passive cooperation of the carrier industry (and perhaps cooperation of either sort is covered under a secret Presidential Policy Directive). Harris builds many other RF products. I'd bet they obtained how to get GSM connection information perfectly legally.
(Which isn't to say that either your #1 or #2 answers aren't right either, but I'd bet on it being a standard that anyone with the knowledge and equipment can exploit).
What I haven't seen explained yet is if the devices actually pass along voice and phone data (beyond connection metadata which we know they capture), or if they allow a handshake and then hand it off to another legitimate tower for the actual network access. The only uses I've ever seen explained are they capture the IMSI and similar numbering allowing for location tracking of a given IMSI. (It would matter whether the Stingray actually provides network access or exists solely to identify what units are out there - I would think that if that info is publicly broadcasted like identification-to-network information it may be publicly monitored without a warrant but what do I know....)
Government would like to believe that there is a third option where government has access but nobody else does. But I'd modify that to say Secure systems are those in which nobody but the end user can get in, including the manufacturer. Insecure systems are when anybody else but the end user can get in. That covers the "manufacturer installed maintenance backdoors" as well.
This sig for rent.
(Score: 4, Interesting) by DannyB on Wednesday April 04 2018, @08:20PM
Your suggestion that Stingray is perfectly legal, would be my first guess -- but then why the extreme secrecy of Stingray?
If Stingray were legitimate, it would simply be treated like a secret. Maybe even a state secret.
Instead everything about Stingray smacks of illegality. Law enforcement agencies that have Stingray can't (or once couldn't) even disclose that they had it, or that it existed. Stingray cannot be used as evidence in a prosecution, because that would subject Stingray to defense scrutiny. And rightly so. So Stingray cases either are flatly dropped -- letting someone "obviously" guilty just walk. Or the law enforcement engages in perjury, also known as Parallel Construction. Parallel Construction is a euphemism for a conspiracy between law enforcement and prosecution to lie to the court (perjury) and withhold actual evidence from the defense. The actual Stingray evidence that led to identification of the suspect is obscured and covered over by some other alleged way that they, in theory, might have discovered the suspect's identity.
Because of how Stingray is treated, I find it unlikely that it is legitimate. Hence my two theories on how it is probably illegitimate.
My theory: even if Stingray does not perform all the functions of a cell phone tower, the functions it does perform require one of my two theories. I don't think the phones broadcast anything important in the clear. Merely having a phone's IMEI number is probably not so important. What you want, are their texts and phone conversations. Stingray is always brought up in the context of wiretapping on steroids. If the Stingray were merely to identify that John Doe's phone is in this area, and maybe that it makes calls at certain times, I don't think it would get this description. Law enforcement would need mobile phone operator help to tap conversations and text messages. But I think that is the entire purpose of Stingray.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @08:26PM (3 children)
In fact, now that I think about it, I wonder what there is about a Stingray that makes it better than simply getting a warrant for a wireless company's IMSI data from existing towers. The only things my brain comes up with are A) real-time access, B) ability to triangulate signals to a tighter area or different DF loci than existing towers provide, or C) a Stingray can be used without a warrant to get information that could by parallel construction lead to a warrant to actually tap a given phone.
For those saying "Hey, DF it!".... Yeah, maybe. But this thesis [sipsik.net] presents steps of the GSM handshaking protocols. One can't just use standard radio detection..... you've got all sorts of signals from all sorts of sources on multiple MULTIPLE frequencies to monitor. I'm fairly certain that to make sense of it you'd have to have something beyond just a scanner with directional antenna. You'd need to trace out the network's frequency and signal correction burst tone signals, lock on to them and get their bearings... and these are called bursts for reasons. You'd have to find out how you distinguish a legitimate handshake from a fake one, possibly.
Among other goodies in the thesis is the note that an individual cell phone must validate itself to the tower... but the tower does not need to validate itself to the cell phone - this is the fault point at which Stingray can exist as a technology and not have to make nice with the rest of a carrier network to get what it wants. Anyway, it may be possible but the complexity would require considerably more work than your weekend fox hunt - and those are hard on their own.
This sig for rent.
(Score: 2) by DannyB on Wednesday April 04 2018, @08:31PM (2 children)
GSM is highly frequency agile. In about 2000ish, the spec was at least 6000 pages, back then.
Both mobile sets and network towers are highly frequency agile. Sequential packets are sent on different frequencies. And in various time slots, as I (mis)understand it. The frequency changing avoids multi-path distortion problems. A few packets might get dropped due to multi-path distortion, but most, statistically, won't.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @10:47PM
We cross-posted above.... What I got out of the paper is that there are synchronization bursts on certain frequencies at certain times, such that a phone can hook itself into the network. But you'd have to recognize and lock on those bursts and DF them. Or look at all signals on a given frequency set and possibly triangulate the tower's side by repeated signals from one bearing. I'm sure that is possible but I'm also sure that it takes considerable specialist knowledge of GSM protocol and somewhat specialized software/equipment to do so.
As to why they're kept ultra-secret to the point of case dismissal. There is more in heaven and earth, Horatio. But I think it is a mixture of security-by-obscurity (if the details are public then strategies to identify them by the targets is increased and this technology isn't just used domestically - other actors of three letters also have a vested interest in keeping the systems as secret as possible) and as you say, desire to not reveal parallel constructionism - it wouldn't be the first time law enforcement dumps a case to conceal that generally.
But the point of Stingrays might be much narrower than content capture - identify the phones (including burners) so that they may be targeted for legitimately warranted surveillance by their identification numbers, not just names. Or possibly by name and then use the Stingray to get the proper numbers so that only the proper phone is surveilled. Which is why (if I get the timeline correctly) they were used for quite awhile before a prosecutor got zealous and thought that the fruits could be used as evidence by themselves. You're right the whole thing smacks of parallel constructionism and as such no department in their right mind will allow the process to be compromised.
This sig for rent.
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @10:55PM
Oh, I think I see what you're saying now.... But I think the Stingray is *just* the IMEI interceptor - and not just IMEI but the full representational network string. A secondary device (*not* the "Stingray" and not necessarily directly hooked into the network) could MITM or otherwise monitor that phone's communication stream to intercept its communications. Those intercepted comms form the basis to frame a parallel construction - what is most likely wanted is to make SURE that they've got the right phone.... before they begin the legitimate warranting process.
The initial furor when Stingray came to light IIRC was when a prosecutor wanted to use that information, though, simply to establish presence. Intercepted comms weren't the issue - the court case was given up only because of IMEI Intercept is what I thought it was.
This sig for rent.
(Score: 5, Insightful) by Dale on Wednesday April 04 2018, @02:40PM (2 children)
Amusing that DHS suddenly seems to have issues with Stingrays. I thought law enforcement was all about these things just being normal tools that aren't invasive enough to even need to bother with a warrant over. Why be concerned at all now? Of course we know why. It is ok for THEM to use them but not anyone else.
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @03:59PM
DHS is just come paining that the CIA & FBI were there first and took the good spots.
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @06:26PM
"foreign actors or criminals are using eavesdropping devices to track cellphone activity in Washington, D.C."
yeah, ok DHS. it's probably a bunch of pigs using the damn things.
(Score: 3, Interesting) by leftover on Wednesday April 04 2018, @04:37PM (1 child)
Would it not be a hoot if DHS-right hand does a long and noisy investigation, only to find these were the work of DHS-left hand? Still funny, although not as delicious, if it was another Fed branch.
Bent, folded, spindled, and mutilated.
(Score: 2) by Entropy on Thursday April 05 2018, @08:14AM
That would be beautiful.
(Score: 3, Informative) by captain normal on Wednesday April 04 2018, @04:59PM
Wonder what hat The Hill pulled that out out of the letter the DHS sent to Sen. Wyden?
"[T]he National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers,..."
"DHS said they have not determined the users behind such eavesdropping devices, nor the type of devices being used"
While we can't expect bureaucrats and politicians to be really technically knowledgeable, here at S/N we're supposed to be well grounded EEs and technicians. While there could be some malicious players tracking cell signals, personally I think that there is probably a much less malevolent explanation. Cell phone signal boosters operate in a similar fashion, by grabbing the signal from a cell phone and then connecting to a tower with an amplified signal. They can be used in a car or truck. One can walk into Best Buy or Fry's and buy them.
https://www.bestbuy.com/site/weboost-drive-4g-m-cellular-signal-booster-black/3247029.p? [bestbuy.com]
When life isn't going right, go left.
(Score: 3, Informative) by Thexalon on Wednesday April 04 2018, @05:58PM
DHS spokesperson: "I'm shocked, shocked, to learn that spying is going on here!"
FBI: "Your wiretap transcripts, sir."
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @08:42PM
I'll bet somebody signed off on their use, so it wasn't really "unauthorized".
(Score: 2) by hamsterdan on Wednesday April 04 2018, @11:47PM
They find that stuff they used against every citizen funding for their toys is now used against them? my pity meter is probably broken, it doesn't measure anything. I know about the ones they found in Ottawa, serves them right too. I can't wait for that stuff to get affordable for us :)