Feds: There are hostile stingrays in DC, but we don’t know how to find them (arstechnica.com)
238 points by lgs1 on April 3, 2018 | hide | past | favorite | 97 comments



I work in wireless telecom: Really doubtful "we don't know how to find them". The FCC's enforcement bureau has a set of vans equipped to find unauthorized transmitters. IMSI catchers must transmit and remain on the air. It would be very risky to operate, even briefly, a portable IMSI catcher in a briefcase and move it around WA DC, never mind one that remained in fixed locations for hours. The only other explanation I can think of is being operated from embassies with full diplomatic protections, but that runs the risk of the host country (USA) PNG'ing several staff with 24 hour notice as punishment.

Quick edit: Whole US federal agencies have their own TSCM (technical surveillance countermeasures) staff entirely separate from the FCC. It is a job position at the dept of state. Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.


>It would be very risky to operate, even briefly, a portable IMSI catcher in a briefcase and move it around WA DC, never mind one that remained in fixed locations for hours.

How about quickly switching between several [semi-stationary or briefcase-carried] catchers (by analogy with an old Russia/USSR anti-aircraft tactic of quickly switching between several radars to avoid being detected and locked onto by an anti-radar missile :)?


Theoretically possible. Using current off the shelf tech, several IMSI catchers could be networked together by normal LTE data networks with battle tested VPN crypto. Doable with any mifi type hotspot device or even just a modern phone and tethering. People with high end spectrum analyzers and directional antennas would struggle to locate a thing that only powers on for 1-2 minutes, and is then relocated to a random location. If I were trying to find such things I would need three separate DF (direction finding) teams, and try to establish a pattern of behavior or movement on the part of the operators to narrow down the target areas. Could take weeks.


I'm not a wireless expert, but then wouldn't it also be theoretically possible to have a network of direction finders? Isn't direction finding also a repeatable set of steps that can benefit from automation?


Yes, though DF can be much more efficient with directional (yagi, parabolic, horn) antennas. If fully automated by network, the antennas connected to the spectrum analyzers need to be on two-axis motorized platforms.


It would be easier to, you know, secure wireless communications to begin with. It's not like the Feds couldn't arrange to have stingrays that are properly keyed. (And there's always CALEA.) Yes, I know, it would only be easier for new kit, but it will take a long time to get it deployed. But every year we delay this makes the pain worse.


"The best time to plant a tree was 20 years ago. The second best time is now."


Phased arrays of antennas can compute the incoming direction of a signal entirely through signal processing and do not require a motorized platform.


Purely Rx phased arrays, unless very large, do not have nearly the gain (in dBi) of a good parabolic or horn, and not nearly as much directional discrimination as a good sized (90cm) parabolic.

in a phased array that is also a Tx this can be partially compensated for with higher dBm output power from the radio itself, but that's not the usage scenario we're talking about here.


Can LTE carrier networks not act as an enormous observation system for unauthorized IMEI catchers?


> networked together

The manufacturer bears responsibility for misuse given the current state of the market; this is why markets exist, to trade information. If there is a genuine inability to communicate, then the market ceases to exist.

Open societies favor markets for a reason: communication, open lines of communication, and stable ones at that. There are all kinds of ways a computer virus can infect a system that is automatic; consider the possibility that a virus has infected an "autonomous" control system for a moving vehicle. A mechanical coupling usually makes this impossible, a steering wheel.


I'm sorry, but ... what?


The other explanation is very low power / short range e.g. femtocells. If a Stingray-like device is affecting a single building or the like, targeting a particular person, it likely won't be noticed by anyone.


Something strong enough to get a whole building full of phones to ping it most certainly can be found by a $70,000 spectrum analyzer and a trained RF engineer.


Hell - I bet you could find that with a $12 RTL-SDR and a home built antenna plugged into your laptop - if you were curious and suspected there was one nearby...


Never underestimate the amateur radio community. They hunt down radio pirates, emitters of interference, and hidden beacons for FUN! With the right antenna and a halfway decent receiver, it is not too difficult to hunt down the source of a transmission.

https://en.m.wikipedia.org/wiki/Transmitter_hunting


This doesn't sound like a technical problem. More like a government is being defunded, half the vans need repair, lack of senior management, no direction, other priorities, shortage of techs, hiring freeze, the remaining people only work from 9-5 and we don't pay overtime, type of problem.


While there is extensive infrastructure for detecting active transmitting devices like Stingrays, there's no discussion (or tooling) around passive IMSI grabbers. Although these devices are significantly more limited (no IMEI or MSISDN, GSM-only), they remain pretty effective in areas/networks where GSM is still in place.



Depends on how much the devices cost to procure, and the budget of the party using them. Seems like these could be treated as "black-throws" given the right cost:budget ratio.


OpenBTS and Ettus USRP (software defined radios) have made it inexpensive enough for hobbyists to set up cellular base stations at Burning Man.

The difference between an open source base station and a homebuilt stingray is negligible.

While a grand or two's worth of radio hardware and however many weekends/evenings spent getting it all set up and the software configured is _kind of_ expensive - it's effectively free at criminal org, corporate espionage, or state levels of action.


Try less than $200. LimeSDR Mini or a couple Motorola C123s running Osmocombb with a filter swap...or a hacked femtocell


Not even that, if you want to use them as a MitM just broadcast the data you want and any arbitrary receiver will pick them up that can't be pinpointed.

That's assuming you don't mind losing the transmitting hardware.


I think we're saying the same thing.


I am not familiar with this term, “black-throw”, can you elaborate?


Blackthrow or svartkast is a term for a device left behind in potentially hostile territory to continue operating until it is discovered or fails.


For example an IMSI catcher spliced into 120 VAC power and stuffed up into a ceiling tile in a busy shopping mall. I bet that with a stepladder, a clipboard, two guys in high visibility vests and a set of electrician tools, you could do this at nearly any mall in America.


Bonus points for installing a few near each other, configured to operate identically, but at different times.


How do you get the sniffed data, though? You're gonna need some form of high bandwidth uplink.


One option might be to have the sniffing device set up with a hidden wireless network (of some sort).

Then when you walk around, sit in the food court eating, or if the device is close to the outside, sit somewhere out of sight of the cameras with a strong wifi antenna and grab whatever data.

Unless they have some "free" wifi that the device could hop on to send it to some server somewhere.

Using that and / or 4g would make it easier to find the device and, of course, the person though.


"It would be very risky to operate, even briefly, a portable IMSI catcher in a briefcase and move it around WA DC, never mind one that remained in fixed locations for hours."

Even more so in 2018 where an IMSI catcher is only relevant/useful if you downgrade the target to 2G operation, which requires some kind of additional interference/jamming.

Unless they are using "stingray" as some kind of generic term for "device you use to intercept mobile phones" and there are now 3G/LTE "stingrays".

This would all be so simple to deal with if phones just displayed an "unlocked" or "downgraded" warning when operating in 2G or unencrypted mode ...



>> Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

Relevant: http://www.cryptomuseum.com/covert/bugs/selectric/index.htm


I think it is reasonable to ask if the "feds" actually want to find those stingrays.

Disinformation is a powerful tool.


>It would be very risky to operate, even briefly, a portable IMSI catcher in a briefcase and move it around WA DC, never mind one that remained in fixed locations for hours.

I'd assume if it was run from an embassy it's not risky at all actually - they can just tell the FCC to pound sand


I'm laughing because that's how this discussion will go when posted here: We'll detail a method to catch rogue stingrays, then brainstorm how to operate them with less risk.


Well, yeah. That's standard operating procedure for Red/Blue team work.

By knowing how to hack, one knows how to defend. But knowing how to defend also imparts the knowledge to hack.


How do I get into TSCM from conventional appsec work? Is it EE guys and gals and smizmars?


Most will probably be owned by law enforcement. Many will be operating without the benefit of a warrant. So what do you do when you find one? You won't make many friends if you interfere with an ongoing investigation particularly if you raise questions about the legality of the operation at the same time.

Things were much the same back in the old days. If a telephone employee found listening devices on the lines they were best off just quietly removing them and disposing of them. In the wild, surveillance equipment legally installed under a warrant looks exactly the same as all of the other kinds.

So in practice everyone got to tap phone lines, just as long as they didn't annoy anyone too official while doing so. The targets would never find out, unless they were willing to climb a telephone pole and check for themselves. The same thing will probably happen with stingray type devices. People like private investigators are likely already using them.


That reminds me of some photos my dad took years ago of a line technician on a crane truck fiddling with some equipment on a utility pole at the edge of our front yard for about thirty minutes. He thinks the guy was testing for some illegal cable descrambler on the line although I suppose it could have been anything since this happened in the DC Metro area :)


Can someone please explain to me why this cell security problem seems to be completely ignored? If encryption algorithms are broken, they're phased out and untrusted. But if 2G is insecure, there's not a single peep from networks or phone manufacturers or Google or Apple about phasing out 2G. There isn't even an option to disable it.

Why don't towers have a sort of encryption certificate verifying they're legit?

Why doesn't my cell provider just provide my phone a list of its legit towers?

I can think of so many ways to solve this problem. But it's super hard to find any information on how this all works.


> Why don't towers have a sort of encryption certificate verifying they're legit?

Pushback from various parties/regimes to keep this out of the standards. (e.g. the Brits pushed back against strong encryption in the first GSM standards, https://www.aftenposten.no/verden/i/Olkl/Sources-We-were-pre... , and this has gone round to other countries pushing back in all kinds of ways since then.)

> Why doesn't my cell provider just provide my phone a list of its legit towers?

It does, but not securely, so it can be faked. And since the towers do not authenticate themselves to the phone, you can just pretend to be a tower anyway.

> I can think of so many ways to solve this problem. But it's super hard to find any information on how this all works.

Sure, there are numerous ways to solve this - but there is little incentive to do so. It does get somewhat better - LTE can authenticate the network to the phone. But then there are countries where it's illegal to encrypt the public phone networks, so the protocol specs include an option to just disable this mechanism altogether.

- Phone manufacturers want to make their phones work everywhere, and the standards make them have all kinds of fall back mechanisms. So new LTE phones support everything from LTE to the oldest GSM standards - they don't want a reputation of their phone not working when traveling to XXX.

- Telco companies get pushback from governments, or in most cases around the world are owned and operated by governments - and they want backdoors into networks for surveillance.

- Telco equipment manufacturers just make equipment that the telco companies want. While all the standards for all the protocols and mechanisms work, they are the product of a design-by-committee, mostly made up of telco companies and telco manufacturers.


"I can think of so many ways to solve this problem. But it's super hard to find any information on how this all works."

LTE and 3G solve the problem of authentication and encryption with the tower - the problem is that an attacker can, through interference or other means, force your handset to downgrade to 2G operation.

There is a very, very simple solution to this: display an icon/error when you downgrade to 2G and an even bigger icon when your 2G connection has no encryption (which is a valid option for a 2G connection).

This would be trivially simple but for reasons that are difficult to understand, phone OS and SIM providers do not do this.

"But it's super hard to find any information on how this all works."

I would recommend viewing/listening to the CCC (Congress) talks on GSM subjects that have been given over the last ten years. The osmocom "baseband-devel" is also a good mailing list to read the archives of ...


> But if 2G is insecure, there's not a single peep from networks or phone manufacturers or Google or Apple about phasing out 2G. There isn't even an option to disable it.

Good news I guess: AT&T turned off their 2G in December of 2016: https://www.att.com/esupport/article.html#!/wireless/KM10848...

It caused a bit of a stir in the alarm system market, because so many of the alarm panels connected to the home office via embedded 2G modems.


I’ll take a wild guess:

* a lot of legacy kit that’s expensive and hard to upgrade

* lots of things rely on backward compatibility

* attacks are still too difficult/expensive to the point that only hushed adversaries are performing attacks

* lack of motivation from cell providers


I think there is a perfect storm of savant security nerds with piss-pour communications skills and telcos over-indexing on mba/finance leadership.

The security nerds make blustery comments that “anyone with motivation and a couple g’s worth of gear can target ANYONE.”

There are a bunch of problems with this argument. Gnuradio is not easy. You need to be in radio proximity to your target. Targeting someone requires some homework and luck (converting MSISDN to TMSI isn’t trivial. It’s doable, but the nerds double down on trivial, burning credibility by claiming triviality that can easily be argued against by half-wits.). The MBAs (whose job it is to move the needle on billion dollar businesses) are getting asked to add expenses that require new software at the base stations, replacement of mobile endpoints, break roaming and generate NO ADDITIONAL REVENUE BECAUSE CONSUMERS DONT REALLY CARE ABOUT SECURITY.

What would you do? These are not the best and brightest. They have built careers in avoiding risk.

The MNOs have a serious culture problem. The single best solution would be to incentivize competition, but the only thing the SV people want is net neutrality, which only entrenches the established players.

We only have ourselves to blame for this mess. The moves that would resolve this problem: taking on risk that most won't recognize will not move the needle in the right direction. Consumers think mobile internet is too pricey - they won’t pay more for security. The solution creates costs. We are doomed.


> piss pour

Eww. That’s nasty. ‘Piss poor’ is likely the phrase you’re looking for.


Naive question: how does net neutrality entrench companies? To me it seems the opposite, the more you can pay the better service your company can offer which directly benefits larger entrenched companies, no?


Imagine deciding to run a local ISP for 300 homes in your neighborhood. You don't know if all 300 will sign up for service. You don't know how long it will take to get to 300.

Do you pay for peering agreements that will meet the demands of 300 homes for the two years it will take to get there, or do you try to build up gradually? Will you be in a situation where you can't meet your existing customers' demand? Who will have leverage in that next peering agreement? It's clearly the entrenched backhaul provider.

If you have some ability to steer & prioritize traffic, you will have some wiggle room when it comes time to negotiate your next agreement. With net neutrality concepts- you lose that tool. You're totally dependent on the accuracy of your traffic predictions & the peering partner has a significant negotiating advantage.

You're going to take on the risk of digging trenches & negotiating peering agreements for underserved, rural or suburban locations. You're going to need a mass of homes to agree to the trenching & installation. You're going to have to negotiate labor for digging these trenches & laying cable in a way that will resist water damage & other threats.

All of this sucks and is hard.

>>the more you can pay the better service your company can offer which directly benefits larger entrenched companies, no?

I don't believe that anyone really wants to rate websites differently than they already are (via peering arrangements- which are how the Internet works, folks). But the argument that most people want to make is that ISPs will block access to example.com. The best example of access to a website being cut off I can point to is google's decision to block Amazon devices from accessing youtube.com.

If no ISP is doing this kind of blocking, then what's the point of exposing ISPs to the risk of unfounded claims from random customers that you are violating net neutrality principles? Do you now need to absorb the cost of audits to prove you're not? Digging trenches is hard, expensive & risky. What happens when you pile on more regulations?

Who is excited to get into this business? The established providers already have legal teams & are prepared to deal with legislators. Startup ISPs are annoying bugs that can easily be crushed with regulatory pressure. Add "ability to absorb regulatory & legal tangles" to your list of runway calculations.

All I see are increasingly challenging hurdles for startup ISPs that need pricing flexibility to manage the early, high risk tasks of starting an ISP.


It's not the algo. The keys are the problem.


Actually with 2G (especially A5/0, /1, /2), it's very much the algorithm that's the problem.

A5/2 which is the precursor to the encryption used for 3G and LTE is a lot better but there's still issues that are only just coming to light.


I'm referring to modern networks. 2G is deprecated and going bye bye very soon.

For 3G/4G/LTE, the issue is the home cell sites host the keys and people exploited those devices to create the DIY stingrays.


I'd say let's hope they'll remember that the next time they'll ask for backdoors in some other technology.

But in reality I have very little hope that they will.


That was the first thing that struck me too. There's some irony about these showing up on the streets of DC.

New technology only stays in the hands of "our team" for so long before ultimately showing up on our doorstep. Especially when that's low cost surveillance technology...


I wasn't familiar with the term 'stingray', so this headline was both confusing and amusing to me. I was confused about why they would even be looking for 'hostile' cartilaginous fish. I can't be the only one.


I too thought that for a brief moment when reading the title before remembering what stingrays were.


[flagged]


totally not true, i was confused at first as well


Am stingray, can confirm.

Edit: Hate that Steve Irwin guy


But your username says you're a swagasaurus. Do people really go on the internet and tell lies?


he got what he deserved.

the revolution will not be silenced.


As a resident, let me pose to you this: The government doesn't always know what the rest of the government is doing. I would be surprised if there weren't rogue Stingrays out there, and even more not surprised that it's some discreet arm of the government.


Yeah, like the local garbage collection agency, or the animal welfare agency, or the horse racing regulators. All of whom will claim, if cornered, "We don't need a warrant, because, ummm, we're doing this TO PROTECT THE PRESIDENT!!!"

(That list may sound idiotic, but you can't make this shit up - there's examples where I live of those exact agencies (and more) requesting warrantless access to telecommunications metadata: https://www.smh.com.au/technology/dozens-of-government-agenc... )


More likely explanation is various intelligence agencies with contracts with companies like Booz, ITT-Exelis, LockheedMartin, etc that have the technical capability to do private signals intelligence gathering.


Yes, I'm sure both likely exist, but that doesn't make Stingrays operated by eg. China, Iran, DPRK, Russia any less of a problem !


You're jumping to conclusions. You don't need to be a nation state to operate a dingy IMSI-catcher.


This is not limited to the US. In fact, you are late to the party. Both in Oslo and in London these were uncovered and published about, that was 2015.

https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-si...

https://commsrisk.com/reporters-find-20-imsi-catchers-in-lon...


> IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data. Police can use them to determine your location or to find out who is in a given geographic area at what time. [1]

Does turning one's phone off not disable pinging cell towers?

[1] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...


Wrong. This is an exaggeration at best and just plain wrong for most US LTE users. LTE is very hard to fully MiTM. You can still catch / observe through IMSI, but the phone won't deal with your rogue tower. If you can downgrade someone to 3G you can more easily observe voice and or texts. Data is actually harder to MiTM, even on 3G. That said, it is not feasible to downgrade any modern US LTE devices as far as I know.

Turning your phone off usually does prevent tower pings, but some phones have been known to be sneaky.


Many modern phones don't turn off all the way, and continue to ping towers.

I can't find any official documentation, but several Android phones I've owned over the years have powered themselves on when switched off and receiving a phone call.


Why can't they find them the same way government agencies normally enforce radio licensing? Drive around with a receiver (a cell phone, basically) enumerating all the purported cell towers in a geographic area, then cross-check that with a list of legitimate carrier infrastructure?
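The cross-check proposed in this comment, together with the "warn on 2G downgrade or unencrypted connection" idea raised earlier in the thread, written up as a small detector over a constructed sequence of serving-cell observations. This is an added example, not code from the thread or from any real detector app; the carrier cell list, the test-network MCC/MNC 001/01 and every cell id below are constructed.

```python
"""Heuristic rogue-cell detection over constructed serving-cell observations.

Checks implemented, as proposed in the thread:
  1. the observed cell is not in the (assumed) list of legitimate carrier cells,
  2. the serving technology drops from LTE straight to GSM (forced fallback),
  3. a GSM connection runs with no ciphering (A5/0).
"""
from dataclasses import dataclass

# Assumed operator whitelist: (MCC, MNC, LAC/TAC, cell id) -> technology.
# Constructed values on the reserved test network 001/01, not any real carrier.
KNOWN_CELLS = {
    ("001", "01", 4101, 20011): "LTE",
    ("001", "01", 4101, 20012): "LTE",
    ("001", "01", 4101, 20013): "LTE",
    ("001", "01", 7001, 30004): "GSM",
}

@dataclass
class CellObservation:
    t: int            # seconds since start of the walk (constructed)
    mcc: str
    mnc: str
    lac: int
    cell_id: int
    tech: str         # "LTE", "UMTS" or "GSM"
    cipher: str       # e.g. "A5/1", "A5/3", "A5/0" (GSM), "EEA2" (LTE)
    signal_dbm: int

def assess(observations, known_cells=KNOWN_CELLS):
    """Return a list of (t, reason) alerts for an observation sequence.

    Stateful: a downgrade is only flagged when the previous sample was LTE and
    the serving cell drops to GSM. Unknown cells, technology mismatches against
    the whitelist, and unciphered GSM are flagged per sample.
    """
    alerts = []
    prev_tech = None
    for obs in observations:
        key = (obs.mcc, obs.mnc, obs.lac, obs.cell_id)
        if key not in known_cells:
            alerts.append((obs.t, f"unknown cell {key} tech={obs.tech}"))
        elif known_cells[key] != obs.tech:
            alerts.append((obs.t, f"cell {key} serving {obs.tech}, expected {known_cells[key]}"))
        if prev_tech == "LTE" and obs.tech == "GSM":
            alerts.append((obs.t, f"LTE->2G downgrade onto cell {key}"))
        if obs.tech == "GSM" and obs.cipher == "A5/0":
            alerts.append((obs.t, f"unciphered 2G connection on cell {key}"))
        prev_tech = obs.tech
    return alerts

# Constructed walk: three legitimate LTE cells, then a sudden, very strong 2G
# cell that is not in the carrier list and runs without ciphering, then back.
SAMPLE_WALK = [
    CellObservation(0,   "001", "01", 4101, 20011, "LTE", "EEA2", -81),
    CellObservation(30,  "001", "01", 4101, 20012, "LTE", "EEA2", -79),
    CellObservation(60,  "001", "01", 4101, 20013, "LTE", "EEA2", -84),
    CellObservation(90,  "001", "01", 4101, 65001, "GSM", "A5/0", -55),
    CellObservation(120, "001", "01", 4101, 65001, "GSM", "A5/0", -52),
    CellObservation(150, "001", "01", 4101, 20011, "LTE", "EEA2", -83),
]

if __name__ == "__main__":
    for t, reason in assess(SAMPLE_WALK):
        print(f"t={t:4d}s  {reason}")
```

On the constructed walk the sample at t=90 raises all three alerts and t=120 raises two (no second downgrade, since the previous sample was already GSM); the femtocell caveat in the reply still applies, because a legitimate femtocell is also absent from a static cell list.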


It MAY not be that easy... femtocells and whatnot may make that a difficult task. I wondered this myself, since nearly all pirate radio stations are caught.. but cell sites don't work the same way. Just a thought.


I think this is good news. I think the kinds of politicians that are typically over-friendly with the police are also the kind that want a strong military. The use of "law enforcement" technology like stingrays by hostile intelligence agencies, might create a useful tension in them that could help convince them to harden domestic communications against law enforcement spying.


If only they cared about protecting our rights in the first place, as much or more than they apparently care about alleged spying by foreign powers.


except that if/when politicians get cozy, either willingly or not, with the hostile intelligence agencies then they would likely want all the benefits of that cozy relationship to continue indefinitely


Seems like a good reason to install and use something like

https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

Do the Feds have bounties for catching illegal stingrays?


Layman question: one can limit their exposure with encrypted VoIP communications (e.g. FaceTime) and chats (iMessage, Signal), correct?

That being said, the interceptor would still know:

- phone being connected (IMEI)

- location of the phone

- which servers were requested, but not the encrypted content (yet)

- how much data was transmitted, "call time"

So if two phones were talking with each other over FaceTime connected to stingrays, a third-party can still deduce that they were talking to each other given the amount of data being transferred and when the requests occurred.


Re: your last sentence, a stingray rarely if ever offers actual network connectivity, either SS7 or data. Its purpose is just to catch the unique ID numbers from the phone. Whatever you have set into your phone for LTE APN data settings isn't going to work with a random IMSI catcher. Such a thing won't have an uplink anyways outside of its command/control functions.


Doesn't that make them really detectable? A deadspot with full signal bars would be really suspicious.


A phone doesn't stay connected to a stingray, it will get the imsi and then move on to a real site of the phone's carrier.


How/why? Could you elaborate? Will the rogue tower drop the phone? Won't the phone try to connect again and again to the tower with the strongest signal?


Thanks! Didn't know that about stingrays.


The metadata is most of the story. Certainly, if the stingray lets arbitrary protocols through, you can secure the contents of your communications, including any metadata tunneled through (e.g., if you're using VPN), but not the metadata on the outside of the tunnel. Depending on the VoIP protocol, you may not get any protection for metadata unless you're using a VPN.


Possibly rogue IMSI catchers have also been spotted in Ottawa. If I had to bet they're run by CSE, which of course will neither confirm nor deny.

https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa...


For those confused about the terminology in the title...

> The devices, which are also known as stingrays or IMSI catchers, are commonly used by domestic law enforcement nationwide to locate a particular phone. Sometimes, they can also be used to intercept text messages and phone calls. Stingrays act as a fake cell tower and effectively trick a cell phone into transmitting to it, which gives up the phone’s location.


My understanding is that all stingrays are by definition hostile.


And if the NSA and FBI had devoted less energy to turning this country into a corrupt republic on its way to a totalitarian nightmare, I am sure they would have had the ability and resources to ensure that such stingrays were impossible to set up.


Here is what the EFF says: "[Stingrays] can also intercept metadata (such as information about calls made and the amount of time on each call), the content of unencrypted phone calls and text messages and data usage (such as websites visited). Additionally, marketing material indicates that they can be configured to divert calls and text messages, edit messages, and even spoof the identity of a caller in text messages and calls." [1]

This is what the FBI and NSA love. They never try to protect the American public from such weaknesses in the country's infrastructure, although that is what they are supposed to be doing. All so they can spy on everybody, feed illegal parallel-construction activities, and generally nurture the growth of a police state; it is also clear by now that these agencies have been interfering with national politics. These are not friends of our freedoms.

[1] https://www.eff.org/pages/cell-site-simulatorsimsi-catchers


Is that Russian ship still parked nearby? I recall reading about that a while back. Maybe that's where the signal is coming from. https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-c...


I admit that I don't have much expertise on the matter, having only ever operated a GSM cell site simulator (never LTE), but the max range I remember (in ideal conditions) is something like 35 miles.


35km - which is a TDMA timing issue, not a radio range one - that damned pesky speed of light problem...

https://en.wikipedia.org/wiki/Timing_advance

(Note there's an "extended range" feature, where you can halve the cell site's capacity by waiting two timeslots in the TDMA schedule instead of one - which lets you go as far as 120km...)
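The timing-advance arithmetic behind the 35 km and 120 km figures in this comment, carried through as an added worked example (not code from the thread). It assumes the standard GSM constants: a bit period of 48/13 µs, 156.25 bits per timeslot, and a timing-advance field of 0..63 bit periods; the extended-range mode is modelled as the comment describes it, one extra timeslot of round-trip budget.

```python
"""GSM cell range as a TDMA timing budget rather than an RF power budget.

The BTS tells the handset how early to transmit (the timing advance, TA) so the
uplink burst lands in its timeslot. TA is a 6-bit field, so the round-trip delay
it can absorb is capped at 63 bit periods; that cap, not transmit power, bounds
the cell radius.
"""
C = 299_792_458.0               # speed of light, m/s
BIT_PERIOD_S = 48 / 13 * 1e-6   # GSM bit period, about 3.692 us
TIMESLOT_BITS = 156.25          # bits per TDMA timeslot
MAX_TA = 63                     # largest timing-advance value the field can carry

def max_range_km(round_trip_bits):
    """One-way distance reachable with a given round-trip budget in bit periods."""
    round_trip_s = round_trip_bits * BIT_PERIOD_S
    return round_trip_s * C / 2 / 1000

def standard_range_km():
    """Normal cell: the full TA range of 63 bit periods."""
    return max_range_km(MAX_TA)

def extended_range_km():
    """Extended-range cell (assumed model): wait one extra timeslot for the uplink."""
    return max_range_km(MAX_TA + TIMESLOT_BITS)

def range_to_ta(distance_km):
    """TA value a handset at this distance needs, or None if it exceeds the field."""
    ta = round(2 * distance_km * 1000 / C / BIT_PERIOD_S)
    return ta if 0 <= ta <= MAX_TA else None

if __name__ == "__main__":
    print(f"standard cell radius: {standard_range_km():.1f} km")
    print(f"extended-range cell radius: {extended_range_km():.1f} km")
    print(f"TA needed at 10 km: {range_to_ta(10)}, at 40 km: {range_to_ta(40)}")
```

The standard budget works out to roughly 34.9 km and the extended one to roughly 121 km, matching the figures in the comment; a handset 40 km out would need a TA of about 72, which the field cannot express.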


Ambiguous title. On my first reading I thought: do they mean animals? ...or missiles? ...oh no, it's even scarier than the first two!


Is Milenage still a safe protocol?

Or are all of these stingrays still dependent upon forcing you to switch down to the older 2G protocols?


Yep most of this bullshit is because garbage like 2G (and 3G) is still in operation. Phones should just phase that out (less code, thus less attack surface).


The headline doesn't at all agree with the what the article and its sources say, which is basically a whole lot of nothing.


Why would they admit that they could find them?


The same backdoors politicians want in our devices will come back to haunt them.


>we don’t know how to find them

Triangulation?



