When sincerely concerned about stingray devices it might be a better idea to either invest in a professional detection appliance or to install applications such as AIMSICD (FOSS/free).
If you only deny 2G connectivity, it provides no certainty against being stung, and you won't know if you are a target.
Do you have information on professional detection equipment?
Detection apps are known to be ineffective. It's mostly because IMSI catchers comply with the standard. Your baseband will fall for that - there's not much useful information to be passed to the operating system - or even an app.
Most firms who sell lawful interception appliances also sell the appliances required to protect, detect or mitigate against it.
Usually they only sell their appliances to law enforcement, the military and intelligence agencies after signing an NDA. The legality is often dubious, and at least some are nothing but an expensive user-friendly box around GNU Radio, osmocom and very little code of their own. (But my knowledge could be dated.)
If you so desire mail me for a list of names, but I'd rather not post them here connected to my identity.
I have struggled to come up with a way of asking this neutrally, and I believe in a right to privacy and think "nothing to hide, nothing to fear" is nonsense, but seriously... wtf are people doing that they are "sincerely concerned about stingray devices"?
> So they stand between you and the tower and sift through the transmission first. This means they can now intercept data on that transmission. I don't know what they can do with it, and there is no real clear information on what data they can get. They do say metadata and access the cellphone's internal storage, so that is enough to want to block the Stingray.
That's interesting, it sounds like something that was being repeatedly sent to my Motorola flip phone in China in 2007. I had the ability to reject this SMS/MMS thankfully.
I do not know the specifics of the Stingray, but I can tell you more similar "lawful interception" devices exist.
These devices "talk" with your baseband; the radio in your phone that runs its own OS. Many of these can do DMA to the memory of your "phone" / ordinary SoC.
Theoretically, an exploited baseband could allow the lawful interception device to read and write to your internal storage and more. I have not read about this happening in the wild yet.
I can't speak for Google devices but per Apple's iOS security whitepaper (page 41) [1]:
"To protect the device from vulnerabilities in network processor firmware, network interfaces including Wi-Fi and baseband have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor can’t initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus limits the network processor’s DMA access to pages of memory containing its network packets or control structures."
Oh, totally. It's an important part of modern defense in depth. 'Just because they said they turned on the IOMMU doesn't make it bulletproof' is all I'm saying.
You'd be surprised how unsafe those are too, even though they aren't RDMA protocols. USB and SDIO stacks aren't really designed with malicious input in mind; it's like the 90s all over again if you think of those as the network protocols they are.
That's right, any kind of communication opens up some form of attack surface. Eliminating DMA is still worthwhile by reducing its total size, and shifting more of the implementation to the software stack gives the device owner (hopefully the user) more control over the attack surface.
On modern phones Stingray devices are just one of the many tools that can be used to gain access to private communications and data. Any app requiring access permissions to everything is a potential vulnerability that can be exploited by 3rd parties (not to mention closed blobs etc); in this context smartphones are all things considered much more vulnerable than old 2G ones.
Not being a target of interest for the police myself, I will rather trust my old obsolete 2G only dumb phone because the chances of it being spied upon by Google, Microsoft, Apple, Facebook etc. and associated parties are zero, zero, zero and zero.
Law enforcement agencies can (and do) purchase ad targeting profile data, and can also force warrantless searches of commercial databases, at least in the US.
They also can legally (and do) intercept things like backup replication streams of the big providers (they did this to yahoo years ago, for example).
My rule of thumb is that if any big consumer cloud service has it, then law enforcement does too.
Since the data is gathered using gray-area / illegal techniques, it will never be used in legitimate ways in court, which means it will only ever be used to further violate the rights of private citizens.
> Law enforcement agencies can (and do) purchase ad targeting profile data
Ad targeting profile data isn't typically sold in a way that's particularly useful to LE. It's the most valuable thing the ad networks own. I can't call up Facebook [1], and ask to buy your demographic profile. I can call up Facebook, and ask to buy the ability to show ads to people fitting your demographic profile.
Data from big providers, that ends up in the hands of law enforcement, is gathered through one of two ways:
1. Legitimate requests for access, with a judge signing off on it, an associated paper trail, and some pushback from the companies.
2. NSLs, with a secret judge signing off on it, and nearly no paper trail, and some pushback from the companies.
As far as I'm aware, #1 dwarfs #2 in frequency of access, and is also a completely legal, above-board way for LE to operate.
Stingrays, on the other hand, are much more like #2.
I mean, if you're not going to go through the trouble of protecting yourself from a Stingray, I understand. I occasionally jaywalk, and don't always cook my meat to 'well-done', wear mixed fabrics, and may have played hooky during my last dentist appointment. It's a risk/hazard sort of thing.
But if type #2 LE access is what you're concerned about, then you should probably look into dealing with Stingrays.
[1] Actually, I guess I can, as we discover with the train wreck of a platform partners program. And I am shocked that it is that much of a train wreck. Still, I can't buy your profile from Apple, or Google, or Microsoft.
"What exactly are the practical consequences of being spied on by GMAF, compared to law enforcement?"
Should law enforcement order them to relinquish all data about someone wrapped in a gag order, they get all information they need without that someone even noticing.
I think I am not of interest to LE today, but who knows what could happen in a few years from now. Should the wrong people get in power I don't want them to know what's in my head as much as I don't want any potential employer to know about my ideas.
The point is that whatever information they collect today about people, it stays in their servers forever, ready to be scraped through AI to build a profile.
It’s worth pointing out that even the author admits that the newer Stingray II has 3G/4G support. I think this is probably related to known insecurities in the AKA protocol, as researchers have recently found [1]. It looks like call interception isn’t so straight forward anymore, but IMSI capture and approximate location capture are alive and well.
So unless you can verify that only Stingray I is deployed in the vicinity, I think it’s a stretch to say that the Stingray product “doesn’t care” about anything other than 2G.
What might be important for some readers: shutting off 2G services means that you won't have telephone voice services if your operator doesn't support VoLTE.
No, there's also 3G as well, remember. My phone allows 2G, 3G, 2G and 3G, 3G and 4G, or 2G and 3G and 4G network selections in its settings menu (Android 7, Sony).
Meanwhile, setting my Samsung Galaxy S9 to no-2G gives me a warning message that cannot be dismissed: "This setting turns off 2G service. If 2G service is off, some app..." (the remainder can't be viewed).
Sadly just because you have a QA department doesn't mean much. Your investment is only as good as the people you invest in (at least in this case). "Oh I sit around all day using a phone?"
I could imagine that they'll eventually receive a firmware update allowing them to conduct more modern modes of operation. That said, given that the target network also has 2G besides 3G, it can be configured in a "compatible" mode, one that can be and is being exploited in the wild. 3G-only networks are not susceptible to that particular type of attack. However, a similar scenario also exists for 3G/4G networks.
TL;DR Locking your baseband to the most modern technology decreases the odds for being intercepted/stung but certainly does not guarantee any safety.
Stingrays already work with 4G. And 5G has many of the same flaws, likely on purpose. We can only hope common criminals will start massively exploiting them if we want real change to happen.
What flaws are there, exactly? Missing mutual authentication is the main cause of 2G's security issues. There are no trivial MitM attacks on 3G and 4G - besides denial of service that may result in downgrades. There are location and identity leaks, but that's user tracking at best. Not to compare with 2G.
There is no problem for a Stasi wannabe to use legal process to extort the base station credentials from the phone company. There should be defences against carrier-assisted MITM, like signed nonces and per-carrier station public key registers with accountable station data (location, station photos, etc.).
If you question lawful interception, then your problem is not the technical standard that allows it, but you have a problem with society and the laws it implements.
There are good reasons to have security endpoints in the core network instead of the base stations. But it doesn't affect lawful interception at all.
Honestly, I'd rather take my chances of being spied on by the local police department rather than install a very suspicious looking app from the play store.
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Dete...