
SoylentNews is people

posted by martyb on Wednesday April 04 2018, @01:33PM
from the a-WOPR-of-a-story dept.

In a letter to Senator Ron Wyden, the Department of Homeland Security has acknowledged that unknown users are operating IMSI catchers in Washington, D.C.:

The Department of Homeland Security (DHS) is acknowledging for the first time that foreign actors or criminals are using eavesdropping devices to track cellphone activity in Washington, D.C., according to a letter obtained by The Hill.

DHS in a letter to Sen. Ron Wyden (D-Ore.) last Monday said they came across unauthorized cell-site simulators in the Washington, D.C., area last year. Such devices, also known as "stingrays," can track a user's location data through their mobile phones and can intercept cellphone calls and messages.

[...] DHS official Christopher Krebs, the top official leading the NPPD, added in a separate letter accompanying his response that such use "of IMSI catchers by malicious actors to track and monitor cellular users is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks."

DHS said they have not determined the users behind such eavesdropping devices, nor the type of devices being used. The agency also did not elaborate on how many devices it unearthed, nor where authorities located them.

Also at Ars Technica and CNN.

Related: Police: Stingray Device Intercepts Mobile Phones
ACLU Reveals Greater Extent of FBI and Law Enforcement "Stingray" Use
US IRS Bought Stingray, Stingray II, and Hailstorm IMSI-Catchers
EFF Launches the Cell-Site Simulator Section of Street Level Surveillance
NYPD Making Heavy Use of Stingrays
New York Lawmakers Want Local Cops to Get Warrant Before Using Stingray
New Jersey State Police Spent $850,000 on Harris Corp. Stingray Devices


  • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @07:52PM (5 children)

    by All Your Lawn Are Belong To Us (6553) on Wednesday April 04 2018, @07:52PM (#662611) Journal

    How Stingray works - third possibility
    3. Stingray obtained keys and access from the same companies that make either the tower radio manufacturers or diagnostic equipment for them, perfectly legally, and they operate with the active or passive cooperation of the carrier industry (and perhaps cooperation of either sort is covered under a secret Presidential Policy Directive). Harris builds many other RF products. I'd bet they obtained how to get GSM connection information perfectly legally.

    (Which isn't to say that either your #1 or #2 answers aren't right either, but I'd bet on it being a standard that anyone with the knowledge and equipment can exploit).

    What I haven't seen explained yet is if the devices actually pass along voice and phone data (beyond connection metadata which we know they capture), or if they allow a handshake and then hand it off to another legitimate tower for the actual network access. The only uses I've ever seen explained are they capture the IMSI and similar numbering allowing for location tracking of a given IMSI. (It would matter whether the Stingray actually provides network access or exists solely to identify what units are out there - I would think that if that info is publicly broadcasted like identification-to-network information it may be publicly monitored without a warrant but what do I know....)

    Government would like to believe that there is a third option where government has access but nobody else does. But I'd modify that to say Secure systems are those in which nobody but the end user can get in, including the manufacturer. Insecure systems are when anybody else but the end user can get in. That covers the "manufacturer installed maintenance backdoors" as well.

    --
    This sig for rent.
  • (Score: 4, Interesting) by DannyB on Wednesday April 04 2018, @08:20PM

    by DannyB (5839) Subscriber Badge on Wednesday April 04 2018, @08:20PM (#662620) Journal

    Your suggestion that Stingray is perfectly legal would be my first guess -- but then why the extreme secrecy of Stingray?

    If Stingray were legitimate, it would simply be treated like a secret. Maybe even a state secret.

    Instead everything about Stingray smacks of illegality. Law enforcement agencies that have Stingray can't (or once couldn't) even disclose that they had it, or that it existed. Stingray cannot be used as evidence in a prosecution, because that would subject Stingray to defense scrutiny. And rightly so. So Stingray cases either are flatly dropped -- letting someone "obviously" guilty just walk. Or the law enforcement engages in perjury, also known as Parallel Construction. Parallel Construction is a euphemism for a conspiracy between law enforcement and prosecution to lie to the court (perjury) and withhold actual evidence from the defense. The actual Stingray evidence that led to identification of the suspect is obscured and covered over by some other alleged way that they, in theory, might have discovered the suspect's identity.

    Because of how Stingray is treated, I find it unlikely that it is legitimate. Hence my two theories on how it is probably illegitimate.

    My theory: even if Stingray does not perform all the functions of a cell phone tower, the functions it does perform require one of my two theories. I don't think the phones broadcast anything important in the clear. Merely having a phone's IMEI number is probably not so important. What you want are their texts and phone conversations. Stingray is always brought up in the context of wiretapping on steroids. If the Stingray were merely to identify that John Doe's phone is in this area, and maybe that it makes calls at certain times, I don't think it would get this description. Law enforcement would need mobile phone operator help to tap conversations and text messages. But I think that is the entire purpose of Stingray.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @08:26PM (3 children)

    by All Your Lawn Are Belong To Us (6553) on Wednesday April 04 2018, @08:26PM (#662623) Journal

    In fact, now that I think about it, I wonder what there is about a Stingray that makes it better than simply getting a warrant for a wireless company's IMSI data from existing towers. The only things my brain comes up with are A) real-time access, B) ability to triangulate signals to a tighter area or different DF loci than existing towers provide, or C) a Stingray can be used without a warrant to get information that could by parallel construction lead to a warrant to actually tap a given phone.

    For those saying "Hey, DF it!".... Yeah, maybe. But this thesis [sipsik.net] presents steps of the GSM handshaking protocols. One can't just use standard radio detection..... you've got all sorts of signals from all sorts of sources on multiple MULTIPLE frequencies to monitor. I'm fairly certain that to make sense of it you'd have to have something beyond just a scanner with directional antenna. You'd need to trace out the network's frequency and signal correction burst tone signals, lock on to them and get their bearings... and these are called bursts for reasons. You'd have to find out how you distinguish a legitimate handshake from a fake one, possibly.

    Among other goodies in the thesis is the note that an individual cell phone must validate itself to the tower... but the tower does not need to validate itself to the cell phone - this is the fault point at which Stingray can exist as a technology and not have to make nice with the rest of a carrier network to get what it wants. Anyway, it may be possible but the complexity would require considerably more work than your weekend fox hunt - and those are hard on their own.

    --
    This sig for rent.
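The one-way authentication described in the comment above, as an added toy model that is not part of the original thread: the handset proves itself to whoever sends the challenge, while a mutual variant (the kind of network token 3G AKA later added) lets it refuse a sender that cannot prove knowledge of the subscriber key. HMAC-SHA256 stands in for the operator algorithms, and the IMSI, key and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def mac(ki: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # Assumption: HMAC-SHA256 as a stand-in, not the real A3 algorithm.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:n]

class Handset:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def answer_one_way(self, rand: bytes) -> bytes:
        # GSM-style: nothing in the challenge lets the phone check the sender.
        return mac(self.ki, b"SRES", rand, 4)

    def answer_mutual(self, rand: bytes, net_token: bytes):
        # Mutual variant: refuse unless the sender proves it knows Ki too.
        if not hmac.compare_digest(mac(self.ki, b"NET", rand, 8), net_token):
            return None
        return mac(self.ki, b"SRES", rand, 4)

class Tower:
    """Base station; `subscribers` maps IMSI -> Ki (empty: no carrier access)."""
    def __init__(self, subscribers=None):
        self.subscribers = subscribers or {}

    def challenge(self, imsi: str):
        rand = os.urandom(16)
        ki = self.subscribers.get(imsi)
        # Without Ki the tower can only send a made-up network token.
        token = mac(ki, b"NET", rand, 8) if ki else os.urandom(8)
        return rand, token

    def verify(self, imsi: str, rand: bytes, sres) -> bool:
        ki = self.subscribers.get(imsi)
        if ki is None or sres is None:
            return False
        return hmac.compare_digest(mac(ki, b"SRES", rand, 4), sres)

def run(tower: Tower, phone: Handset, mutual: bool):
    """Return (phone_answered, tower_verified_phone)."""
    rand, token = tower.challenge(phone.imsi)
    sres = phone.answer_mutual(rand, token) if mutual else phone.answer_one_way(rand)
    return sres is not None, tower.verify(phone.imsi, rand, sres)

# Constructed sample values (test-network IMSI, made-up key).
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
PHONE = Handset("001010123456789", KI)
CARRIER = Tower({PHONE.imsi: KI})
UNKNOWN = Tower()  # a tower with no access to subscriber keys
```

In the one-way flow the handset answers both towers identically; only in the mutual flow does the tower without the key get no response.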
    • (Score: 2) by DannyB on Wednesday April 04 2018, @08:31PM (2 children)

      by DannyB (5839) Subscriber Badge on Wednesday April 04 2018, @08:31PM (#662626) Journal

      GSM is highly frequency agile. In about 2000ish, the spec was at least 6000 pages, back then.

      Both mobile sets and network towers are highly frequency agile. Sequential packets are sent on different frequencies. And in various time slots, as I (mis)understand it. The frequency changing avoids multi-path distortion problems. A few packets might get dropped due to multi-path distortion, but most, statistically, won't.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @10:47PM

        by All Your Lawn Are Belong To Us (6553) on Wednesday April 04 2018, @10:47PM (#662671) Journal

        We cross-posted above.... What I got out of the paper is that there are synchronization bursts on certain frequencies at certain times, such that a phone can hook itself into the network. But you'd have to recognize and lock on those bursts and DF them. Or look at all signals on a given frequency set and possibly triangulate the tower's side by repeated signals from one bearing. I'm sure that is possible but I'm also sure that it takes considerable specialist knowledge of GSM protocol and somewhat specialized software/equipment to do so.

        As to why they're kept ultra-secret to the point of case dismissal. There is more in heaven and earth, Horatio. But I think it is a mixture of security-by-obscurity (if the details are public then strategies to identify them by the targets is increased and this technology isn't just used domestically - other actors of three letters also have a vested interest in keeping the systems as secret as possible) and as you say, desire to not reveal parallel constructionism - it wouldn't be the first time law enforcement dumps a case to conceal that generally.

        But the point of Stingrays might be much narrower than content capture - identify the phones (including burners) so that they may be targeted for legitimately warranted surveillance by their identification numbers, not just names. Or possibly by name and then use the Stingray to get the proper numbers so that only the proper phone is surveilled. Which is why (if I get the timeline correctly) they were used for quite a while before a prosecutor got zealous and thought that the fruits could be used as evidence by themselves. You're right the whole thing smacks of parallel constructionism and as such no department in their right mind will allow the process to be compromised.

        --
        This sig for rent.
      • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 04 2018, @10:55PM

        by All Your Lawn Are Belong To Us (6553) on Wednesday April 04 2018, @10:55PM (#662674) Journal

        Oh, I think I see what you're saying now.... But I think the Stingray is *just* the IMEI interceptor - and not just IMEI but the full representational network string. A secondary device (*not* the "Stingray" and not necessarily directly hooked into the network) could MITM or otherwise monitor that phone's communication stream to intercept its communications. Those intercepted comms form the basis to frame a parallel construction - what is most likely wanted is to make SURE that they've got the right phone.... before they begin the legitimate warranting process.

        The initial furor when Stingray came to light IIRC was when a prosecutor wanted to use that information, though, simply to establish presence. Intercepted comms weren't the issue - the court case was given up only because of IMEI Intercept is what I thought it was.

        --
        This sig for rent.