
Devices Which Track Cellphones, Intercept Calls Found All Over DC, MD, VA - walterbell
https://www.nbcwashington.com/investigations/Potential-Spy-Devices-Which-Track-Cellphones-Intercept-Calls-Found-All-Over-DC-Md-Va-482970231.html
======
jlgaddis
Related article, "Feds: There are hostile stingrays in DC, but we don’t know
how to find them" [0], and discussion [1] from 45d ago.

[0]: https://arstechnica.com/tech-policy/2018/04/dhs-to-senator-malicious-use-of-stingrays-is-a-real-and-growing-risk/

[1]: https://news.ycombinator.com/item?id=16748971

~~~
joe_the_user
My guess would be that the situation isn't that they can't find the stingrays
but that they can't distinguish between "hostile" and "friendly" stingrays.
After all, each agency deploying such devices does so as secretly as possible,
naturally not alerting other agencies, and so there's no list of friendly
stingrays.

~~~
mayamatrix
It's all very Kim Stanley Robinsonesque in his climate-change trilogy where
there are so many US Shadow agencies that they are constantly getting in each
other's way.

~~~
taf2
Or just your typical Russian, Chinese spy operations...

~~~
sigfubar
We'll pull ours back as soon as yours are gone from Moscow.

~~~
dgzl
This response doesn't get enough appreciation.

------
throwaway9803
This is old news to anyone living here and paying attention. I've been
tracking suspicious cell sites for the past three years in my DC metro
neighborhood with an old Android phone and some prosumer software.

Some of the sites are mobile, but most of the ones I found were stationary,
and could be easily identified once you know what to look for. I'm pretty sure
some of them are seriously degrading cell data/voice quality.

I stopped once I realized there was nothing you could do once you found them.
There are only a couple of options for who is deploying them, none of which I
want to screw with.

~~~
toomuchtodo
You should report their approximate location to the FCC.

~~~
throwaway9803
Honestly, I don't want to be on the radar of any entity that is deploying this
type of gear in the DC metro area.

I am under no illusion that I can protect myself if targeted by a state based
actor. Better to be lost in the crowd.

Best case scenario is it's a legitimate LEO operation.

Worse, it's a federal national security operation.

Worse still, it's a criminal, or foreign national security operation.

Only in the first scenario would the FCC even remotely have the chance to do
anything. Even then it might be a legitimate operation, and they do nothing.

~~~
ILikeConemowk
I’m interested in attempting something similar in Europe. Do you have some
links/pointers?

Thanks!

~~~
shabble
There was a defcon talk a couple of years ago that covers some of the basics:
[https://www.youtube.com/watch?v=bbDAa0syz5A](https://www.youtube.com/watch?v=bbDAa0syz5A)

------
guelo
It was the responsibility of the FCC to have never allowed these devices to be
manufactured, but as typical they fell for the police exemption excuse. Now
they'll be abused more and more.

~~~
ohazi
The _protocol_ should have required enough authentication to make it
impossible to manufacture these devices without also having a blessed,
revocable key from the carrier you're snooping on.

The FCC could have easily had their police exemption without also providing
access to your average HAM, any reasonably competent hobbyist, and the
security services of every other nation on the planet.

Security on cellular networks is even more of a joke than on consumer-grade
wifi... it's basically a pinky promise not to look at stuff you're not
supposed to look at. No fucking wonder there's a mountain of stingray clones
in DC. Are they planning to fix this on 5g networks? Because there's no reason
to be so concerned over backdoors in Chinese cellular modems as long as we're
happily letting them in through the front door.

~~~
dannyw
Aren’t Stingrays basically fixed with LTE?

~~~
tyfon
If your phone connects to a Stingray device, it will force it back to older
protocols afaik.

Also:

https://www.zdnet.com/article/stingray-security-flaw-cell-networks-phone-tracking-surveillance/

------
walterbell
Android app: https://opensource.srlabs.de/projects/snoopsnitch/wiki/FAQ#What-does-SnoopSnitch-do

_> SnoopSnitch offers tests to assess whether a device is exposed to attacks
or surveillance from the mobile network. Here, the primary goal is to help
mobile users detect network originated attacks, such as via SS7, SMS, or IMSI
catchers. Our secondary goal is to provide a fact-based incentive to Mobile
Network Operators to better improve the security of their networks._

GSM ratings: [https://gsmmap.org/#!/about](https://gsmmap.org/#!/about)

 _> GSM Security Map compares the protection capabilities of mobile networks.
Networks are rated in their protection capabilities relative to a reference
network that implements all protection measures that have been seen “in the
wild”. The reference is regularly updated to reflect new protection ideas
becoming commercially available. Networks, therefore, have to improve
continuously to maintain their score, just as hackers are continuously
improving their capabilities._

~~~
kelnos
Bah, looks like SnoopSnitch requires root access (and a Qualcomm chipset in
the phone) for most/all of the interesting mobile network tests, which is a
shame.

~~~
robocat
Or just buy a cheap second-hand Android phone - has mostly advantages.

~~~
natch
Yeah, great. Get a phone that secretly sends your text messages to a
collection point in China.

https://www.theverge.com/2016/11/15/13636072/budget-android-phones-blu-china-text-messages

~~~
dannyw
Doesn’t matter if it’s a $50 burner phone to detect snooping.

~~~
natch
True. Would you need to pay for a cellular plan, or would it work without?

~~~
pjc50
Even if you do that's what pay as you go SIMs are for.

------
liamtk43
IMSI Catcher Detector for Android: https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector

------
Operyl
Heh. You know what I found most hilarious about this article? I went to it
with my iPhone in safari and got asked to share my location. Who needs
potential spy devices when all you need to do is compromise your local news
site!

------
bwilliams18
I don't understand the assertion that the US Gov't can't do anything to
prevent the foreign governments from doing this... The FCC has broad powers to
regulate the public airwaves. This technology clearly disturbs authorized and
licensed utilization of the airwaves OUTSIDE of the bounds of the Embassies.
FCC should have the power to prevent this.

~~~
ballenf
The situation discussed in the article was with regard to Stingray-type
devices placed at foreign embassies which are considered foreign soil. The FCC
doesn't regulate embassies any more than it regulates Beijing or Moscow.

The Stingrays found on K Street (far from Embassy Row) and some bridges were
more likely US government operations.

So the question comes back to are there non-embassy, non-US government
Stingrays deployed and how to find them.

~~~
stareatgoats
The claim in the article seems dubious. Why would an embassy operate a
stingray? More likely it's US government agencies spying on the embassies.

~~~
fencepost
To track who (or at least what devices) are in the immediate vicinity of the
embassy and when. Patterns in that could easily be useful for catching
physical surveillance at the least, as well as catching placed/planted devices
that check in that way.

Edit: To expand on that, some examples:

If a new device shows up and is always present, particularly if it always has
about the same signal strength or doesn't appear to move, that indicates a
connected IoT device of some sort, and if you're concerned about espionage you
may want to take steps to identify it.

If a particular device shows up for 8-12 hour shifts at varying times, but
there are no businesses, etc. that would have that kind of attendance pattern,
who's carrying that device? An investigator on-site who's also brought a
personal device along?

Heck, if you're in an OnStar-equipped vehicle even if you don't have service,
your vehicle may show up as always on, or at least may ping regularly.

I'm sure appropriate data mining techniques could pull a surprising amount of
information out of the kind of info gathered from these devices.

------
mattsilv
The irony of this article being posted on a website that asks for location
information from mobile users every time you visit.

~~~
natch
True, but at least they have to ask in order to get your location. Rather than
just getting the information 24/7 without asking you. Slight difference there.

------
yosito
When I was living in DC, I would frequently find that my phone would have a
signal but not functioning service, and I'd have to restart it to get service
back. I always suspected Stingray devices.

------
natch
I know journalism is severely challenged these days, but I wonder if anyone
has done or is doing investigations in other cities outside of that region? It
would be a surprise if it was limited to just that (admittedly interesting,
and yes we already know why) geographic area.

------
ptero
This is likely the tip of the iceberg: devices with active transmission that
are easy to find with some effort. I bet there are a lot of passive listeners
(cheap SDR is probably all you need) sprinkled around as well that would be
very hard to find.

------
maxander
> Turner said cell carriers can't completely secure our phones because they
> have to allow for law enforcement access.

The key sentence in the article. The reason there isn’t a fix is that our
(U.S.) government prefers spying on its citizens over being protected from
other powers’ spying.

------
eps
Devices near the embassies can be explained in two ways and the US spying on
foreign diplomats is a far more logical one.

~~~
mcthorogood
Or, Russian spies and other foreign entities listening to the conversations of
U.S. Congressional staffers.

~~~
tar82
Would this be defeated by having those people use some encrypted voip?

~~~
sp332
You wouldn't get the contents, but you could tell who was talking to whom,
when, and for how long.

~~~
aembleton
Unless the encrypted Voip went through a central server.

------
bvinc
When an encryption algorithm is no longer secure, it gets phased out and any
protocol that uses that algorithm eventually gets denied.

Can someone explain why older protocols like 2g with inadequate encryption
can't be phased out? Or why there isn't even an effort or attempt or option to
disable it?

~~~
supertrope
It’s not just the ciphers that were weak to begin with. It’s also the lack of
mutual authentication: the network checks if the phone is entitled to service
but the phone never checks if it’s a legitimate base station.

Telcos do not care about technical means of security. As long as the average
person can’t eavesdrop it’s good enough. When it comes to protecting their
economic interest (preventing free calls) they use smart cards and strong
encryption. 800MHz scanners have been illegal for decades.

Legacy support and reliability are very important (in the context of cellular
service which still is inferior to fixed telecommunications). Customers will
get angry if you tell them their phone is obsolete. Or encryption
incompatibility causes failed calls. The FCC takes a dim view on 911 failures,
so phones must have a fallback no enciphering mode to maximize 911 call
success. Compatibility with roaming host networks must be maintained.

AT&T shut down their GSM network Jan 1 2017 but UMTS has plenty of
vulnerabilities too. The SS7 protocol underpinning the PSTN lacks
authentication.

------
atomical
What android app shows suspicious events?

------
Exuma
Does this apply to iPhones? So someone could put this outside my house and
listen to all my iPhone calls?

~~~
UncleEntity
They can't listen to your calls without cracking the keys shared between the
phone company and your phone...though I do remember reading a while back that
"someone" managed to steal the list from sim card manufacturers on more than
one occasion.

~~~
dsl
That is not true. Stingrays are cell towers and phones trust them. The device
just downgrades to A5/2 (export grade) encryption, or broadcasts that it does
not support encryption at all.

~~~
kalleboo
Seems like a huge oversight to not let SIM cards disable certain types of
encryption (that it knows the home network will never use). IIRC this is how
downgrade attacks are prevented in EMV - the chip card will reject known-
broken auth methods.

~~~
supertrope
The FCC takes a dim view on 911 call failures. All phones must support
disabling GSM encryption as a fail safe. Never disabling encryption would be
“fail secure” (like door locks that remain locked during a power outage).

~~~
kalleboo
Emergency calls already have a bunch of exceptions that don't apply to regular
traffic (e.g. you can use any network, heck you don't even need a SIM card) so
allowing only those to be unencrypted shouldn't be too much of a stretch.

------
neom
Curious what this magic software on the phone detecting the devices is doing,
anyone have any insights?
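
The kind of heuristics a detector app runs, as an added example written for this thread (not code from SnoopSnitch, AIMSICD or any commenter), answering neom's question above and tying in throwaway9803's cell-site tracking and dsl's point about A5/0 and A5/2 downgrades. The baseline cells, the day's observation log and the thresholds are constructed for illustration, not real DC measurements.

```python
from collections import namedtuple

# Constructed serving-cell observations (not real data):
# t, mcc, mnc, lac, cid, rat, rssi_dbm, cipher (None on LTE here)
Obs = namedtuple("Obs", "t mcc mnc lac cid rat rssi cipher")

BASELINE = [  # cells seen repeatedly on earlier days (constructed)
    Obs(0, 310, 260, 1001, 55001, "LTE", -85, None),
    Obs(0, 310, 260, 1001, 55002, "LTE", -90, None),
    Obs(0, 310, 260, 1001, 7101, "GSM", -95, "A5/3"),
]

TODAY = [  # constructed walk: normal handovers, then a suspicious cell
    Obs(1, 310, 260, 1001, 55002, "LTE", -88, None),
    Obs(2, 310, 260, 1001, 55001, "LTE", -84, None),
    Obs(3, 310, 260, 9999, 12345, "GSM", -52, "A5/0"),  # new LAC, 2G, loud, no cipher
    Obs(4, 310, 260, 9999, 12345, "GSM", -50, "A5/2"),  # export-grade cipher
    Obs(5, 310, 260, 1001, 7101, "GSM", -93, "A5/3"),
]

DOWNGRADE_CIPHERS = {"A5/0", "A5/2"}  # none / export grade, per dsl's comment
SIGNAL_MARGIN_DB = 20  # a new cell this much louder than any known one is odd


def check(obs, baseline, prev):
    """Return the heuristic warnings raised by one observation."""
    reasons = []
    known_ids = {(b.mcc, b.mnc, b.lac, b.cid) for b in baseline}
    known_lacs = {b.lac for b in baseline if (b.mcc, b.mnc) == (obs.mcc, obs.mnc)}
    strongest_known = max(b.rssi for b in baseline)
    if (obs.mcc, obs.mnc, obs.lac, obs.cid) not in known_ids:
        reasons.append("unknown cell id")
    if obs.lac not in known_lacs:
        reasons.append("LAC not used by this operator here")
    if obs.rssi > strongest_known + SIGNAL_MARGIN_DB:
        reasons.append("implausibly strong signal")
    if obs.cipher in DOWNGRADE_CIPHERS:
        reasons.append("cipher downgraded to %s" % obs.cipher)
    if prev is not None and prev.rat == "LTE" and prev.rssi >= -90 and obs.rat == "GSM":
        reasons.append("dropped from healthy LTE to 2G")
    return reasons


def analyze(log, baseline):
    """Map observation time -> warnings, only for observations that raised any."""
    flagged, prev = {}, None
    for obs in log:
        reasons = check(obs, baseline, prev)
        if reasons:
            flagged[obs.t] = reasons
        prev = obs
    return flagged


if __name__ == "__main__":
    for t, reasons in analyze(TODAY, BASELINE).items():
        print("t=%d: %s" % (t, "; ".join(reasons)))
```

Real apps need the baseband to expose the cipher indicator (hence kelnos's note about root and Qualcomm chipsets), and a single warning is weak evidence; several at once on the same cell is what makes it worth logging.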

------
dghughes
There was a similar thing in Ottawa, Canada:
http://www.cbc.ca/news/politics/cse-supreme-court-cra-cellphone-trackers-1.4360759

------
IAmGraydon
I know almost nothing about the systems and protocols involved here, but
aren't these cell systems hackable? Why has no one tried to connect to one and
then compromise it to learn more about what (and who) makes them tick?

~~~
dboreham
Most likely this has been done but the people who did it aren’t posting here.

------
patrickg_zill
Occam's razor says that these are all run by the various agencies of the
United States government...

Any foreign embassy running one, has no right to radiate beyond the border of
the embassy, where it is US soil and not foreign.

~~~
wu-ikkyu
>Occam's razor says that these are all run by the various agencies of the
United States

Is there a more high value city for a foreign government to spy in? Seems
foolish to assume Occam's razor here, at least for _all_ of the devices.

------
exabrial
In D.C., I wouldn't be surprised if there _also_ are foreign agents targeting
US elected officials, in addition to the normal FBI nonsense.

------
ddtaylor
Fix the busted protocol, why is anyone expecting this not to be a problem? Use
legitimate warrants to monitor communications on premise at the telco.

~~~
tialaramex
Encryption protocols are hard. Two stories, one public and one from my current
job:

HTTPS is secured using SSL/TLS. SSLv1 is so bad it didn't survive the laugh
test when it was explained to actual cryptographers; I can't find any records
of what it did. SSLv2 is also pretty bad. SSLv3 is at last good enough that
actual cryptographers spent time finding holes in it, and today it's considered
so broken as to be useless.

TLSv1.0 went to the IETF. More eyeballs will fix it, right? Not if they're all
engineers. Finally in TLSv1.2 the cryptographers were called in, but only
after it was finished. "Hey, is this finished thing secure? Yes or No answers
only."

Only in TLS 1.3 which is finished but yet to be official, did they _start_
with cryptographers and do the engineering problems later after the
cryptographers had baked in the security.

At work, after a system being in use for several years, I was told we couldn't
put more key-value pairs into the session information, it was "full". So I
went to see how this could possibly be true. All the session information is
turned into a JSON blob, which is turned into a few hundred bytes, and then
those bytes are encrypted with RSA with the results stored in a Cookie. RSA is
only designed to encrypt small quantities of data, which isn't a problem
because it's supposed to be used to move a symmetric key. But far, far more
importantly - even if this particular _method_ of doing so is crazy why are we
encrypting all this data and hiding it in a Cookie at all? That's crazy.
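
The work story above in code, as an added example that is not tialaramex's own system: the RSA-OAEP size limit that makes a cookie "fill up", next to an HMAC-authenticated cookie that carries session JSON of any size without encrypting it at all. The key and session contents are constructed.

```python
import base64, hashlib, hmac, json, secrets


def rsa_oaep_max_plaintext(modulus_bits, hash_len=32):
    """Largest message RSA-OAEP encrypts in one go: k - 2*hLen - 2 bytes (RFC 8017)."""
    return modulus_bits // 8 - 2 * hash_len - 2


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def sign_session(session, key):
    """Cookie = base64url(JSON) '.' base64url(HMAC-SHA256): authenticated, not encrypted."""
    body = _b64(json.dumps(session, separators=(",", ":")).encode())
    return (body + b"." + _b64(hmac.new(key, body, hashlib.sha256).digest())).decode()


def verify_session(cookie, key):
    """Return the session dict if the tag verifies, else None (tampered, wrong key, malformed)."""
    parts = cookie.encode().rsplit(b".", 1)
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64(hmac.new(key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # server-side secret; the client never needs it
    session = {"user": "alice", "roles": ["editor"] * 40}  # constructed, ~400 bytes of JSON
    print("JSON bytes:", len(json.dumps(session)),
          "RSA-2048 OAEP limit:", rsa_oaep_max_plaintext(2048))
    cookie = sign_session(session, key)
    print(verify_session(cookie, key) == session, verify_session(cookie[:-2] + "xx", key))
```

Anything the user must not read (not just must not alter) still needs a symmetric AEAD with a server-held key, or better, should stay server-side keyed by an opaque session id.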

~~~
ddtaylor
I agree encryption is hard, but phone encryption protocols are intentionally
weak for the wrong reasons. In the past the parameters have been picked low
enough that domestic intelligence agencies can purposely hack them, while
exporting even worse versions so that foreign adversaries are dead simple to
hack. The protocols have changed over time, but this hasn't.

Also, in the examples you cite it's not clear if those standards bodies were
infiltrated by the same agencies implicated above. They very much do run
private cover operations and "plant" people or acquire companies that allow
them to weaken these protocols or standards.

------
cameldrv
If these are in embassies, the FBI should just roll up in a van with a HERF
gun and take 'em out.

------
softwaredoug
Awesome this was broken by local journalists

~~~
tedunangst
[https://apnews.com/d716aac4ad744b4cae3c6b13dce12d7e](https://apnews.com/d716aac4ad744b4cae3c6b13dce12d7e)

------
newnewpdro
The willful negligence from our governments in the (in)security of our
communications infrastructure is criminally obscene.

~~~
trumped
they like it this way, maybe.

------
whataretensors
The device owners better not accidentally track an EU citizen or they might
have to pay fines.

