Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday April 04 2018, @01:33PM   Printer-friendly
from the a-WOPR-of-a-story dept.

In a letter to Senator Ron Wyden, the Department of Homeland Security has acknowledged that unknown users are operating IMSI catchers in Washington, D.C.:

The Department of Homeland Security (DHS) is acknowledging for the first time that foreign actors or criminals are using eavesdropping devices to track cellphone activity in Washington, D.C., according to a letter obtained by The Hill.

DHS in a letter to Sen. Ron Wyden (D-Ore.) last Monday said they came across unauthorized cell-site simulators in the Washington, D.C., area last year. Such devices, also known as "stingrays," can track a user's location data through their mobile phones and can intercept cellphone calls and messages.

[...] DHS official Christopher Krebs, the top official leading the NPPD, added in a separate letter accompanying his response that such use "of IMSI catchers by malicious actors to track and monitor cellular users is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks."

DHS said they have not determined the users behind such eavesdropping devices, nor the type of devices being used. The agency also did not elaborate on how many devices it unearthed, nor where authorities located them.

Also at Ars Technica and CNN.

Related: Police: Stingray Device Intercepts Mobile Phones
ACLU Reveals Greater Extent of FBI and Law Enforcement "Stingray" Use
US IRS Bought Stingray, Stingray II, and Hailstorm IMSI-Catchers
EFF Launches the Cell-Site Simulator Section of Street Level Surveillance
NYPD Making Heavy Use of Stingrays
New York Lawmakers Want Local Cops to Get Warrant Before Using Stingray
New Jersey State Police Spent $850,000 on Harris Corp. Stingray Devices


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Knowledge Troll on Wednesday April 04 2018, @02:10PM (13 children)

    by Knowledge Troll (5948) on Wednesday April 04 2018, @02:10PM (#662482) Homepage Journal

    And, if they're rolling, we should get some awesome dashcam footage of the chase.

    If it moves around constantly I think that'd pretty much make it impossible to direction find. And yes I am a T hunter.

    The reason being, for at least all the ways I know how to find a transmitter through radio location, I need a map and to plot the intersection of many bearings to find hypothetical locations for the transmitter then investigate those. It takes quite a while - about half a day - with readings taken from many different locations.

    If the transmitter was moving around this technique wouldn't work at all unless it moved from fixed points to fixed points and you increased the time and bearing readings.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 4, Insightful) by zocalo on Wednesday April 04 2018, @02:38PM (11 children)

    by zocalo (302) on Wednesday April 04 2018, @02:38PM (#662496)
    Or you could perhaps co-ordinate having multiple receivers doing RDF at the same time on the same signal and extrapolating that into an approximate location in realtime. If you've got suitable CCTV coverage, then a little analysis of which vehicles were recorded in each area over several plots, and you're probably going to be able to pin down a specific vehicle pretty quickly. I think most usage cases for IMSI catchers would be to target a specific location or (possibly) individual, so that's going to mean they'll need to remain within fairly close proximity of their target which, in turn, is going to limit their ability to have highly randomised routes quite a bit and make them easier to pin down. Still not trivial, but perhaps not beyond the capabilities of a suitably motivated and equipped US government agency.

    Of course, when the find out that many of the "rogue" IMSI catchers are actually being operated by other US agencies things could get amusing, but I doubt we'll get to hear about that.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 2) by Knowledge Troll on Wednesday April 04 2018, @02:48PM (9 children)

      by Knowledge Troll (5948) on Wednesday April 04 2018, @02:48PM (#662502) Homepage Journal

      Still not trivial, but perhaps not beyond the capabilities of a suitably motivated and equipped US government agency.

      In the movies maybe - I wonder if you have ever done a T hunt? Are you aware of how many reflections and false readings there are? There is a reason you need an entire day's worth of data to find a single point.

      After you find the point where the most intersections exist and you travel to that location then you get to start all over again doing the DF process on a local instead of regional scale. All new DF equipment and techniques.

      I can't conceive of any system that could finger an exact automobile regardless of the number of receivers involved. You would need to have local receivers ready to DF over the entire hypothetical area the transmitter could be at once that was identified.

      This is going to be a massive scale undertaking involving a lot of people not just technology. That's assuming it moves.

      Now perhaps there is some new amazing technology that exploits the cell phone's use of CDMA so the DF can use all of the components of multipath that exist, find the one with the lowest delay, and assume that is a signal that exists with out any reflection, which should help with reducing false readings because of reflections which I'd say is the biggest issue.

      I'm still not sure that'd help a lot with this task of finding a moving transmitter though.

      • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @03:11PM (6 children)

        by JoeMerchant (3937) on Wednesday April 04 2018, @03:11PM (#662513)

        DF over the entire hypothetical area the transmitter could be at once that was identified.

        Thankfully, each Stingray only operates over a single cell coverage area, and if they're trying to intercept a particular person's call, they're likely trying to be closer to the target than other cell towers, so if you know the target, you've got a very small area to cover.

        Now, if you're running a general trawl net over the entire DC-inside-the-beltway region, you might just start adding DF equipment on all the existing cell towers, increasing coverage density until you can track them in real-time.

        --
        🌻🌻 [google.com]
        • (Score: 2) by Bobs on Wednesday April 04 2018, @03:29PM (5 children)

          by Bobs (1462) on Wednesday April 04 2018, @03:29PM (#662515)

          I literally do not know what I am talking about.

          But, as they are all fake cell towers, and people have access to handheld smart-phones, it seems like a software problem to me.

          Get 20+ people spread out with a smart phone and special software, all log into a site where you upload the cell connection data from the phones in real time, server filters out the known/registered towers and people converge on an area. Apparently they already have a general/regional map of problem IMSIs in DC area.

          Seems like you would able to quickly filter out the noise and reflections based upon the multiple inputs and quickly triangulate a bad source. Flag it and tag and and move on to the next.

          I am certain there is a lot of complexity I am missing - feel free to point out the flaws of this.

          Thanks.

          • (Score: 3, Interesting) by Knowledge Troll on Wednesday April 04 2018, @03:44PM (4 children)

            by Knowledge Troll (5948) on Wednesday April 04 2018, @03:44PM (#662520) Homepage Journal

            I literally do not know what I am talking about.

            Not always a bad thing. Approaching this with out the limitations/bias I bring from doing previous DF actually helped me realize I'm outside my domain of expertise because cell phones have a very different signal with characteristics that enable what starts to look like pure voodoo.

            First of all the thought came to mind that the cell system can already locate cell phones using direction finding with cooperating cell towers and the accuracy is down in the 10s to 100s of meters as I recall. This is done with time difference of arrival analysis I believe and requires that the cell towers (specifically the DF receivers) are coherent which they are because all participants in the cell network are synchronized in time via GPS.

            If the cell towers can do this for cell phones they can most likely be modified/software updated to be able to do this for cell towers/stingrays and not just the cell phones themselves. This may assume that the device being located is cooperating or not actively trying to hinder the process.

            But more to your point about using all of the cell phones out there as receivers in a distributed DF network - not bad. Not bad at all. You got me thinking - all of those cell phones are also phase coherent with the other phones and the cell network as a whole because they synchronize to the towers which synchronize to GPS (the towers are STRAT 1 time sources). That is actually an amazingly powerful system!

            If you can get all of those receivers running at once, sending their received signals back to a central point along with the time information and the physical location of the phone, you can start to do time difference of arrival calculations with many more sources, assuming you through an absolute fuck ton of math at it.

            If you want to throw an even bigger absolute fuck ton at it, my estimate is about 20db more math, then you can start doing phased array DSP and form virtual directional antennas that you can rotate in space and have very sharp areas in them that you can exploit for direction finding. You could also do this as a DVR like system so you don't have to do all the analysis in real time - you could sit and study such signals and find other ones at your leisure (assuming you aren't trying to find a moving target).

            That might even let you find the exact phones sitting right next to the person if they were literally on all sides of them. It seems like having this on every phone in a city and the target being on the road would let this happen.

            I suppose this is within the realms of the NSA but it is getting outside my domain of expertise too. I'm not that sophisticated with radios.

            • (Score: 2) by Osamabobama on Wednesday April 04 2018, @06:07PM (1 child)

              by Osamabobama (5842) on Wednesday April 04 2018, @06:07PM (#662572)

              This could be a good (read compelling) use of the backdoors that NSA likely has in most cell phones.

              Outside of the NSA, I'm sure there would be a community of people interested in crowd-sourcing this effort, as long as the results were published. Something along the lines of Folding@Home, but for cell phones. I suppose all that math you referred to would require some backend server to do the heavy lifting.

              --
              Appended to the end of comments you post. Max: 120 chars.
              • (Score: 2) by Knowledge Troll on Wednesday April 04 2018, @09:28PM

                by Knowledge Troll (5948) on Wednesday April 04 2018, @09:28PM (#662643) Homepage Journal

                Well one issue that is going to be a problem is I don't think the average cell phone is going to do this with out some kind of modification. I heavily suspect the interface available to the baseband module just won't allow for operating it/getting information out of it in a way where all the detail would be available. Though for a good chunk of them there is quite likely a new firmware that could be loaded into the baseband module if it uses SDR.

            • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @07:27PM

              by JoeMerchant (3937) on Wednesday April 04 2018, @07:27PM (#662596)

              There's a company around Vero Beach that does triangulation based on TOF measurements - mostly for first responder radios, but the idea is that with 3 or more receiver towers, you can track the difference in time of arrival of a particular signal and get a rough idea where it came from. Like the urban gunshot locators, but with radio (only ~7 orders of magnitude faster, WGCW?)

              --
              🌻🌻 [google.com]
            • (Score: 0) by Anonymous Coward on Wednesday April 04 2018, @07:28PM

              by Anonymous Coward on Wednesday April 04 2018, @07:28PM (#662598)

              If reflections are such a huge problem, would it be simpler from an aerial perspective? I would imagine a few drones working together could narrow in on one fairly quickly.

              Though most low flying drones aren't very stealthy ...

      • (Score: 2) by Spook brat on Wednesday April 04 2018, @05:06PM

        by Spook brat (775) on Wednesday April 04 2018, @05:06PM (#662556) Journal

        Still not trivial, but perhaps not beyond the capabilities of a suitably motivated and equipped US government agency.

        In the movies maybe - I wonder if you have ever done a T hunt? Are you aware of how many reflections and false readings there are? There is a reason you need an entire day's worth of data to find a single point.

        The U.S. Military measures the time between a rogue battlefield radio beginning transmissions and artillery landing on the antenna in seconds; the difference between what you did and what they do is one of resources. Start with a bunch of receivers instead of just one, network them together with a bunch of computing power to back them up, and the solution becomes almost instantaneous. I'm pretty sure the only thing keeping the US .gov from leveraging that expertise for this problem is the Posse Comitatus Act; politicians don't like the idea of soldiers patrolling the streets of the Capitol.

        Of course, that just keeps the Army from turning DC into an overt SIGINT battlespace; the CIA could probably borrow some NSA toys and do it on the down-low without too much pushback. Maybe some hurt feelings from the FBI over having their jurisdiction stepped on, but that's never stopped Langley before.

        --
        Travel the galaxy! Meet fascinating life forms... And kill them [schlockmercenary.com]
      • (Score: 2) by zocalo on Wednesday April 04 2018, @05:24PM

        by zocalo (302) on Wednesday April 04 2018, @05:24PM (#662559)
        Actually I have, albeit in a marine environment so far fewer reflections and different frequencies to contend with, with both military and civilian grade equipment. There's a world of difference between the two in terms of speed and accuracy (and cost, naturally) there, so I'm expecting the same to be true for more modern land based hardware too. Also, IMSI catchers are going to need to be pretty short range devices in order to be effective as they have to over power the legitimate base stations, so you've already got a headstart in pinning down the location and a stronger signal to lock onto when you get close enough. I don't think it's going to be trivial, especially in an major urban environment, but given the right equipment I don't think it's CSI TV show levels of improbability to be able to pin them down either.
        --
        UNIX? They're not even circumcised! Savages!
    • (Score: 2) by JoeMerchant on Wednesday April 04 2018, @03:07PM

      by JoeMerchant (3937) on Wednesday April 04 2018, @03:07PM (#662511)

      Not so sure that realtime CCTV taps are feasible, yet. I do agree that you'll probably find some domestic agencies operating off the books.

      However, I wouldn't be surprised if the current Stingray haul isn't coming from technical capture, but rather classical intelligence channels - X heard that Y was operating a Stingray, Z confirmed with Y that they are, DCPD comes knocking at Y's door and confiscates the equipment.

      --
      🌻🌻 [google.com]
  • (Score: 3, Interesting) by JoeMerchant on Wednesday April 04 2018, @03:01PM

    by JoeMerchant (3937) on Wednesday April 04 2018, @03:01PM (#662506)

    I need a map and to plot the intersection of many bearings to find hypothetical locations for the transmitter then investigate those. It takes quite a while - about half a day - with readings taken from many different locations.

    So... resources. Deploy networked T-hunters on a fleet of 100 police patrol cars. They already have the occasional RDF on police cars for the stolen vehicle tracking work (and other things, I suspect.) Once deployed, the officers driving around don't even have to know they're helping to find Stingrays, they just provide data to the hunter-controller.

    --
    🌻🌻 [google.com]