My biggest disillusionment when I learned about Stingrays was with the FCC. I had always thought of the FCC as good stewards of the broadcast spectrum and I didn't think they would ever approve shenanigans like the commercial development of radios that impersonate commercial broadcasters.
I'm still curious why they haven't decided that the fact that cell site simulators are possible is a super-grave bug!
It's one thing to say "we think it might be legal to use a cell site simulator in some specific circumstances", but another thing to say "our cell phone infrastructure allows anyone to successfully pretend to be a tower and spy on people, and we're not going to try to fix that".
Harris Corp is not sneaking behind the FCC's back, the FCC specifically approved this use and licensed the device. In any other situation if someone tried to broadcast on licensed spectrum the FCC would come down on them like a ton of bricks.
I think his point though is that the wireless technology itself should make this impossible. The fact that it's not provably secure is problematic, because it's all well and good to say "you're not allowed to" until someone subverts the rules. People break laws all the time, including police
There are very few violations of the FCC's rules in general partly because the FCC regulates and certifies hardware manufacturers of radio equipment, so it's very difficult to purchase equipment that doesn't follow the rules. You can see this happening in the Wifi space where the FCC is clamping down on dd-wrt at the device manufacturer level because the software allows people to violate that frequency's rules. People with the right skills can build custom equipment to violate the rules but it's rare. And for the few people that do try to do things like pirate radio the FCC hunts them down and the penalties are stiff.
My point being that for the most part the FCC's regulatory scheme works at keeping people playing by the rules without extra layers of technically complicated security.
Is it accurate to state they have made illegal (via 'rules') to use open source (user controlled) EM comm above 100um (below 3000GHz[1]) (except a few windows)? Or is it 9kHz to 275GHz? I bet when line of sight NIR comms (there's a nice window around 1550nm) get popular, they will (to stay relevant) want to 'regulate'[2] that too. Prior restraint is the problem here, anyone can mess with the spectrum with basic electronic skills, mandating 'approved' software seems less than pointless.
A big part of this problem was standing. There was no acknowledgment, in fact denial, that these things existed and were being used. It therefore was incumbent on the claimant to prove they existed. But now it's understood they exist, so that finally might work its way through the court system to see whether or not this is a legal search/seizure.
It's still up to the claimant to prove it was used on them personally and in some damaging manner.
This has been a problem for people (Wikipedia) suing the NSA. Despite statistical analysis showing it's probably true, there isn't any 'beyond a doubt' evidence.
I don't think they have to show beyond a doubt. But you're correct they have to somehow demonstrate not just that this capability exists, but that it was used on them, and that the court can provide a remedy.
This is just one example of why whistle blower protections are necessary.
Basically, someone needs to go Snowden and publish the kitchen sink of Stingray records to allow people to even build a case and then to prove it went beyond reasonable use (if any).
More info for anyone else who hasn't heard of Stingrays:
> The StingRay is an IMSI-catcher (International Mobile Subscriber Identity), a controversial cellular phone surveillance device, manufactured by Harris Corporation.[2] Initially developed for the military and intelligence community, ....
> Active mode operations
1. Extracting stored data such as International Mobile Subscriber Identity ("IMSI") numbers and Electronic Serial Number ("ESN"),[9]
2. Writing cellular protocol metadata to internal storage
3. Forcing an increase in signal transmission power,[10]
4. Forcing an abundance of radio signals to be transmitted
5. Interception of communications content
6. Tracking and locating the cellular device user,[4]
7. Conducting a denial of service attack
8. Encryption key extraction.[11]
9. radio jamming for either general denial of service purposes[12] or to aid in active mode protocol rollback attacks
> Active (cell site simulator) capabilities
> In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (e.g., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay.[13] In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area.[14] A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area.
So does that mean it would show up as a different carrier on my iPhone, or I'd be blind to the tower choice?
Apparently even airplane mode might not necessarily protect you (though I don't claim to know how this works in the internals of iOS):
> Furthermore while the IMSI is not transmitted often a silent SMS or a failed call will induce the phone to transmit its IMSI or TMSI also in and out of airplane mode while registering on the network.
"The Anaheim Police Department has acknowledged in new documents that it uses surveillance devices known as Dirtboxes—plane-mounted stingrays—on aircraft flying above the Southern California city that is home to Disneyland, one of the most popular tourist destinations in the world."
According to the United States Census Bureau Anaheim County has a population of 346,997 (2014). Not being from the US, the fact that a county police from an area with a population of 350k is able to afford to buy and operate airplanes amazes me.
From looking at the FAA registry[1] and googling, it looks like the Anaheim police department operates 3 aircraft: N226PD, an AS350 helicopter; N326PD, another AS350 helicopter; N508BH, a Cessna 208B.
N508BH, the Cessna, is probably the one they're using for surveillance (See the 2012 OC Register article, "$2.2 million Cessna will help fight crime"[2]).
Three aircraft for a California city with population 350K isn't crazy--Glendale and Burbank together have about 300K people, and their police forces have gone in together to create a "joint air support division" that has 4 helicopters[3].
As a point of contrast, the New Zealand police own 1 helicopter, and contract out flying light aircraft to commercial operators.
Upon saying that, they often call upon the air force for logistical support (in particular for helicopter operations, usually for drug operations, such as airlifting cannabis for destruction, not for raids).
In the US, it is illegal for the military to operate in a civilian law-enforcement context. The National Guard (state militias) can be called into civilian action by the state governor, but do not normally perform civilian tasks.
Helicopter ownership by police departments is common. Airplane ownership is less common, at least at the city/county level - the state police forces frequently have small planes.
That quote doesn't mean that department buys or operates airplanes. It means they own at least one specific kind of StingRay that they can mount in aircrafts that happen to be flying in their precinct.
I will say, being from the US, the fact that any branch of the government would use such a device should amaze me, but unfortunately I have to admit I have heard of worse abuses of power.
Cell towers are fixed objects. Has any work been done in detecting these planes based on the fact they are the only cell towers around moving at 100+kph? Could standard cellphone gear be sensitive enough to measure or at least guess at any doppler effect?
I'm reminded of a British comedy that included a poacher being caught after a tagged animal was found to be traveling at 55mph down the m5.
In active mode the Stingray will broadcast a consistently strong signal to force targets to connect to it so that it can grab identifiers.
Some detection methods rely on this, as well as fingerprinting the Stingray (they negotiate a drop in encryption and ask the phone to max signal strength)
Current solutions for Android will point out new base stations that stand out and are likely an IMSI catcher:
The better method, since the devices change and some are stationary, is to authenticate the real cell phone towers. This would involve either updating the GSM protocol, or having the carriers send out additional settings that make the phone aware of their legitimate sites and only connect to them.
iOS doesn't make these settings available in official API's, but if they did it would be possible to develop apps or features that could detect/avoid IMSI catchers.
The best non-tech solution is to have an anonymous IMSI. The attack relies on linking an IMSI to a real person, or the pattern behavior of a phone to a real person. So - anonymous SIM cards, change them up often, don't have it switched on with any of your real phones or real phones of friends, leave it switched off, etc.
Sorry to say, but AIMSICD is a placebo. It does not detect anything. It was proved in their issues page many times, it never detected any threat, but detected dozens of false positives (also see their issues).
A recent news report mentioned that a "cell tower" moved along with participants in a demonstration (in London IIRC), and also that it switched networks, so obviously someone noticed that.
Time division logic involves keeping track of how far each phone is from the tower. I think GSM uses 50m or 100m bands, ie. phones that are 200m from the tower time their broadcast bursts so as not to conflict with phones that are 100m from the tower. I don't know whether the distance information is available to the phones, or is kept internally in the tower, though. (I'm not an expert on this, I just heard that this need paid for a fair amount of NTP research/development, many years ago.)
The parameter in GSM is called "Timing Advance". [http://www.qtc.jp/3GPP/Specs/GSM_GERAN/0510-8c0.pdf] and it's the length of time by which the mobile advances its transmission to the base station. So with increasing "timing advance", the mobile has to start transmitting earlier.
Units are GSM symbol periods, defined to be 48/13 µs = 3.69µs, which, multiplied by the speed of light (3⋅10^8 m/s) is 1108m. As the distance contributes in both ways (from base-station to handset, and back) one timing advance step is half the distance: about 550m.
The base station measures the relative phase of received transmissions from the mobile and will send information to the mobile to set or adjust the timing advance. [look for "timing advance" in http://www.etsi.org/deliver/etsi_gts/04/0408/05.03.00_60/gsm... which specifies the information elements that are exchanged.] So, yes, it should be possible to get TA for each cell the mobile exchanges data with from the phone.
Somewhere on my todo is "wire pager to cell phone", I think this would work by having a Asterisk system take the incoming call, send the (nationwide) page, pager is wired to phone, phone displays page as if it's an incoming call (while caller hears ringing), if callee decides to answer the GSM circuits get power and the phone calls the Asterisk box which patches the two together. If someone beats me to it, I'll buy one. Putting a RTL-SDR into the phone would take care of the pager circuit and make other neat things possible.
Presumably by using a one-way pager network it gives you the opportunity to be completely passive (thereby undetectable) until you decide to initiate an actual call.
As of today, what stops someone (regardless of their intentions) from building or making their own Stingray-like device?
Is it illegal for an 'average joe' to build or develop one of these? Or is it just super high difficulty, ie the protocols just aren't published or [easily] reverse-engineered? Or right now is it just the illegality of call recording entirely that is "preventing" it's use?
Pretty sure I watched a conference talk that demoed a functional one that included pass-thru [to prevent suspicion/non-functional devices] to the real cell tower IIRC).
I'm just curious because obviously this isn't something you want just anyone to be able to build & deploy -- so much potential for abuse, anything from basic identity theft to serious securities fraud, and much more quickly becomes a very serious & probable threat once these become even just slightly more "mainstream" for the public / criminals / mafia / etc...
It is illegal to make or sell or own radio hardware capable of operating on that spectrum, or modify other hardware to work on that spectrum, or hint to your users how they might modify your product to work on that spectrum, unless you are a licensee or have permission from one. Even Motorola can't take its new basebands out of RF-isolated testing facilities before FCC approval.
Theoretically calls are encrypted, however security researches have shown vulnerabilities due to old/incorrectly applied primitives. Not sure exactly which protocol versions this applies to. Stingray might just have asked nicely for the keys.
Commercial IMSI-catchers (made with the cooperation of carriers?) do exist, and there are some hobbyist proofs of concept. It is very hard to get caught doing passive receiving.
Transmit in a way that catches the eyes of carrier network engineers, though, and the federal government will come knocking with criminal charges.
FCC makes exceptions to most things for official purposes. For example, government installations can be licensed to operate cell phone jammers
So the most likely scenario is that the carriers are cooperating... Are they cooperating only with the US, or are they cooperating with other nations as well? Seems safe to assume they're cooperating with any/all nations that have a significant market for their products (ie leverage).
That's fairly scary though -- I assume the keys / encryption stays the same across similar networks, regardless of nation (given that phones continue to work abroad)? Perhaps the keys / encryption does differ by carrier, I'm not sure, but I'd definitely be curious. As long as they stay undetected, sounds like there is very little stopping COUNTRY_X from deploying these in COUNTRY_Y for their own gain, not to mention 'lower level' criminals / mafia / etc...
And obviously there are plenty of people out there (reverse-engineers, employees/insiders, et al) that have access to the keys...
Any idea if the exceptions that the FCC makes are public information, or obtainable via FOIA or similar? I'm guessing the FCC has a rigid "exception request process" in place and, hopefully, they only provide [super] limited-scope exceptions (without warrants, eh)... I'd love to see what exceptions are actually being made and what limits, if any, they contain.
Anyways, this is definitely pretty far outside of my realm of knowledge but I find the tech incredibly intriguing and very interesting nonetheless (and I agree with commentshere regarding the FCC).
For GSM encryption, at least the commonly deployed variants, you do not need cooperation or stolen keys, you can just straight-up break it in a few minutes. (EDIT: might not be correct for up-to-date networks, see below)
And if you impersonate a cell tower instead of passively sniffing, you can just turn encryption off or downgrade to a weak one.
You seem to be right. There is a paper about fast attacks against A5/3, but according to the authors it doesn't necessarily apply to real attack scenarios.
You're probably thinking of Chris Paget's Defcon 18 talk demonstrating an OpenBTS/USRP/Asterix based 2G IMSI catcher.
Also, it's not entirely illegal to operate on some cellular frequencies which overlap with ham bands, if you're a licensed ham radio operator, which Chris apparently was (KJ6GCG).
He also had to disable encryption (illegal on ham bands), use extremely low power and a highly directional antenna (to ensure he didn't intercept anyone outside of the room), and ensure everyone inside the room was aware of the demonstration (IIRC there were signs outside the room). He also destroyed the USB stick the base station was writing to. Even then it was definitely a legal gray area...
If you can settle for 2G IMSI-catching, there are some old femtocells with SIP backhaul that could be hackable enough. Someone once tried to build a "roam-to-voip-at-home" kind of service out of those. It was just SIP VoIP backhaul without protection preventing spoofing the backhaul network. I can't recall the company but I think they pivoted to shipboard phone service.
This kind of stuff always annoys me. One of the interesting things would be a 'home designed' cell system based on using unlicensed spectrum in the TV white spaces. Then you could build a system where a phone only answered a tower which sent out an ident frame which was cryptographically signed by a trusted key. And the response would be encrypted with that trusted key as well so only the cell tower could decrypt it. That and an VOIP back haul network and you're closer.
Its on my list of projects to look at with SDR, but sadly I am no Fabrice Ballard (who no doubt has already built such a system as a proof of concept and then tossed it away)
To get decent coverage you need to negotiate and pay for space, power, and internet connectivity on thousands of towers/tall buildings all owned by different people and municipalities who see you as somewhere between an annoyance and a revenue stream to exploit. Then you need a field workforce capable of performing maintenance at all of those sites (which requires making appointments and sometimes paying fees to the property owners), a supply chain of spare parts, and the RF expertise and test equipment to measure and do quality control on their coverage all around the cities you're operating in.
Then you need a way to recoup all this cost.
Being a cell carrier takes staggering amounts of money and staggering amounts of schlep. It's not for hobbyists, hackers, or small companies (who are not in fact carriers but just resell and rebrand real carriers' services). There is a reason it's the domain of giant corporations run by the kind of people who make deals (and not write code) for a living.
This is one of the reasons its a fun idea. The TV bands (50 - 210Mhz) can cover a huge area from a single antenna (that was their original modality) but because of the inverse square law, it means that a much smaller and lower power antenna nearby can still get a big chunk of real estate. During some experiments at a company that will remain nameless it was something like 1 antenna could easily cover 2 mile diameter circle, 4 would cover 8 square miles, and 30 - 40 could cover nearly all of the cities around the SF bay.
The actual cellular mechanics are quite an undertaking, but something along the lines of a coded point to point system would be implementable by a small group of people.
Again, the problem is getting the antennae up high. Unless you and your small group happen to own some radio towers and/or tall buildings, range is going to be much much smaller.
A lot of companies have their own towers that only provide service within of a city, and for events, you can even set up your own network, like the CCC always does during their conferences.
Having a national, or even global network is a lot harder, though.
”Stingrays and Dirtboxes are mobile surveillance systems that impersonate a legitimate cell phone tower in order to trick mobile phones and other mobile devices in their vicinity into connecting to them and revealing their unique ID and location.“
I'm genuinely curious too -- I would certainly think that they'd require either a warrant. Perhaps cooperation from the carriers, including permission to intercept & use their spectrum, might be enough?
I'm not well-versed on how cell carriers & landline carriers differ as far as common-carrier & wiretapping laws go.
It's not illegal unless you have standing to challenge it in court. Standing is used by government (at least in the US) to allow all sorts of likely illegal activities but without a court explicitly making it illegal they can get away with almost anything.
What happened to common sense spirit of the law violations ? The 4th amendment is plain English. Why do we let lawyers pollute the system with "translations"
It may be plain English, but it's also highly ambiguous English. Who decides what is "unreasonable"? I agree that they've taken this stuff way too far, but that doesn't mean that my idea of the text is the "plain English" interpretation, and theirs is the "lawyerly translation" version.
But the spirit remains the same. The concept is you are safe from search without a warrant. If they are able to apply copyright to digital media then its assumed the same as paper. If it is assumed the same as paper then it seems obvious that its safe from search.
The plain English wording says that you are safe from unreasonable searches. Everything hinges on the interpretation of "reasonable," which is not a matter of "plain English" because plain English doesn't define "reasonable" with sufficient precision.
In what world is using a damn airplane to get the location of mass numbers of people by exploiting their cell phones considered reasonable? It's ridiculous that people aren't in jail over this kind of bullshit.
only for lawyers... its obvious the concept is to protect citizens from govt dragnets... to anyone who isnt attempting to pervert the spirit of the law
You've gone from "plain English" to "spirit of the law" which is way different.
Again, I agree with you, but this position is not something you arrive at by just reading the 4th Amendment and then understanding its words without legal context.
Given the cooperation between telcos and law enforcement, is there much difference?
There was temporary cell service at Burning Man for the first time this year, supposedly to "support" law enforcement. I guess you could interpret that in two different ways...
I took a couple pics looking in from the door - I cant see anything out of the ordinary WRT "stingray" labeled equipment... They have a fence around the thing.
