
Stingray, the fake cell phone tower - jonbaer
http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-tower-cops-and-providers-use-to-track-your-every-move
======
chiph
If my house is on fire and I call 911, but the call doesn't go through because
my phone is connected to a nearby Stingray device and not to a real tower,
that's a big problem.

~~~
centizen
The stingray is a man in the middle. It requires an uplink to real cell phone
services to operate, so a phone call to 911 is going to be patched through.

------
lucaspiller
"Say a murder occurs on a particular street with an estimated time of death
between 2 and 4 AM. Local law enforcement would have an obvious interest in
compelling cell phone companies to turn over the records of every cell phone
that moved in and out of the area between those two time periods. At rush
hour, this kind of information would be useless — but if the cell phone
network data shows a device in the same approximate area as the murder
suddenly leaving the area at a high rate of speed, that cell phone owner is a
potential suspect."

This is similar to how CCTV is used in the UK. There is apparently one camera for
every eleven people [0]. The difference is the majority of it is owned by
private businesses though. Public CCTV is usually run by local councils which
are independent from the police. If the police want to get any of this
footage, and use it to prosecute, they need to get a court order or subpoena.

[0] http://www.telegraph.co.uk/technology/10172298/One-surveillance-camera-for-every-11-people-in-Britain-says-CCTV-survey.html

~~~
sjtgraham
> Public CCTV is usually run by local councils which are independent from the
> police. If the police want to get any of this footage, and use it to
> prosecute, they need to get a court order or subpoena.

I think you're wrong here. In Westminster, where I live, the police just ask
for it and get it. Last month I witnessed a street brawl outside where I live,
the police already had CCTV before they were on the scene; it was 4am on a
Sunday morning, unlikely a judge would issue a warrant at that time. Also I
know places like McDonald's will just hand it over to the police when asked if
in connection with a criminal investigation.

------
quarterwave
The analogy with license plate detection appears quite accurate.

At first glance this scheme appeared akin to gathering wifi MAC address
broadcasts, but the picture of the box shown in the article has a Tx antenna
co-ax connector (looks like SMA). Then there is the question of SIM
authentication for service. I don't suppose the cops are going to provide 4G
service for free (there is also the issue of service collision and spectrum
allocation) so probably what happens is that the SIM data is handshaked using
some duplex protocol (hence the need for Tx in the base station), but no
connection is made.

~~~
chmars
Full interception and not 'only' the collection of metadata is possible. IMSI
catchers can also be used to block mobile phone usage in an area or send SMS
to users in an area (for example to participants in a demonstration, already
done in the Ukraine).

Without full interception, a hidden ID check is IMHO a good analogy: Instead
of stopping all persons in an area in order to ask them for their IDs, you
collect meta data on all mobile phones and use these data to identify the
persons in the area.

------
jbuzbee
I seem to recall that there's an authentication handshake in place with modern
protocols so your phone won't connect to any random "cell tower" to prevent
abuse like this. Anybody know for sure? But of course if the police or Harris
has an agreement with the wireless companies, they may have the authentication
credentials pre-loaded allowing them to impersonate said wireless companies at
will.

[edit for clarity]

~~~
thefreeman
I am not sure about the authentication protocol. But along the same lines of
thinking, it really seems like this should be detectable with software. For
example, what if you used crowd sourced cell tower information to notify users
/ block transmissions from any cell phone tower newly detected for 24 hours or
so. It seems like a temporary tower setup for a few hours should be easily
noticeable compared against static, permanent ones.

Also, judging by how ridiculously hard the company who makes them is trying to
keep them hidden (NDA's, etc.), it seems like they may realize that if the
details of the product were known it could be easily circumvented.

~~~
chmars
IMSI catchers ('Stingrays') are indeed detectable, an example is the 'Android
IMSI-Catcher Detector (AIMSICD)' project:

http://secupwn.github.io/Android-IMSI-Catcher-Detector/

~~~
tmosleyIII
It would be interesting to test this out

------
jonmrodriguez
As one commenter said on the comment thread of the article:

> No two ways about it, this IS a wire(less) tap.

------
dudeish44
Possibly related? Mystery police plane travels around London in
circles/triangles.

http://www.standard.co.uk/news/london/mystery-plane-circles-london-sparking-surveillance-rumours-9623518.html

------
bribri
Would it be possible to determine if your phone was connected to a Stingray
instead of a regular cell phone tower? Could you have multiple phones spread
out geographically and attempt to triangulate the "cell phone tower" itself,
to see if it's moving?

~~~
fiatmoney
Assuming it looks the same as a normal tower, you could still make a map of
existing cell phone towers (crowdsourced from the phones themselves, or
there's probably a regulatory filing somewhere with the information). If your
connection is better than it "should" be, you may have found a Stingray.

~~~
thefreeman
I don't think you would even need to use the signal strength. You could just
flag / block cell towers which are newly detected (say 24-48 hours). Crowd
sourcing seems pretty perfect for this, and it's not like new cell phone
towers are erected that frequently.
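
As an added example, not code from this thread or from any project mentioned in it, the following sketch implements the two heuristics proposed above: flag a cell that the crowd-sourced database has never seen, or first saw within the last 24-48 hours (thefreeman), and flag a cell whose signal is much stronger than what other phones have historically reported for it (fiatmoney). The class and function names, the thresholds, and the sample reports are all constructed for illustration; cell identities are (MCC, MNC, LAC, CID) tuples with made-up values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

NEW_CELL_WINDOW = timedelta(hours=48)   # "newly detected" window, as proposed above
SIGNAL_MARGIN_DBM = 20                  # how much "better than it should be" counts


@dataclass
class CellRecord:
    """Crowd-sourced history for one cell: first sighting and reported levels."""
    first_seen: datetime
    signal_history: list = field(default_factory=list)


class TowerDatabase:
    """Hypothetical shared database of cells reported by many phones."""

    def __init__(self):
        self.cells = {}

    def record(self, cell_id, dbm, seen_at):
        rec = self.cells.get(cell_id)
        if rec is None:
            rec = CellRecord(first_seen=seen_at)
            self.cells[cell_id] = rec
        rec.signal_history.append(dbm)

    def assess(self, cell_id, dbm, now):
        """Return the reasons a report looks suspicious; empty list if none."""
        rec = self.cells.get(cell_id)
        if rec is None:
            return ["unknown cell: no crowd-sourced history"]
        reasons = []
        age = now - rec.first_seen
        if age < NEW_CELL_WINDOW:
            reasons.append(f"new cell: first seen {age} ago")
        # Only compare signal once enough phones have reported the cell.
        if len(rec.signal_history) >= 3:
            typical = median(rec.signal_history)
            if dbm - typical >= SIGNAL_MARGIN_DBM:
                reasons.append(
                    f"signal {dbm} dBm is {dbm - typical:.0f} dB above "
                    f"typical {typical:.0f} dBm for this cell")
        return reasons


# Constructed sample history (values made up): one long-established cell with
# several reports, and one cell that phones started reporting six hours ago.
T0 = datetime(2014, 7, 1, 12, 0)
ESTABLISHED = (310, 410, 7001, 12345)
RECENT = (310, 410, 7001, 55555)
HISTORY = [
    (ESTABLISHED, -95, T0 - timedelta(days=30)),
    (ESTABLISHED, -92, T0 - timedelta(days=20)),
    (ESTABLISHED, -97, T0 - timedelta(days=10)),
    (ESTABLISHED, -94, T0 - timedelta(days=2)),
    (RECENT, -70, T0 - timedelta(hours=6)),
    (RECENT, -72, T0 - timedelta(hours=5)),
]


def build_database(history=HISTORY):
    db = TowerDatabase()
    for cell_id, dbm, ts in history:
        db.record(cell_id, dbm, ts)
    return db


def check_report(db, cell_id, dbm, now=T0):
    """Assess a phone's current cell before adding it to the shared history,
    so a phone cannot launder a suspicious cell through its own report."""
    reasons = db.assess(cell_id, dbm, now)
    db.record(cell_id, dbm, now)
    return reasons


if __name__ == "__main__":
    db = build_database()
    for cell, level in [(ESTABLISHED, -94), (ESTABLISHED, -60),
                        (RECENT, -71), ((310, 410, 7001, 99999), -80)]:
        print(cell, level, "->", check_report(build_database(), cell, level))
```

The example deliberately treats a cell's signal history as a crowd statistic rather than trusting the reporting phone alone, and it refuses to judge signal strength until several phones have reported the cell. A real detector would also have to cope with sector cells, handovers and the neighbour lists tmosleyIII mentions further down, which this sketch ignores.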

~~~
tmosleyIII
It's not just about detecting a tower, they spit out a friends list for your
phone to know the different zones in the area. That list changes.

------
8ig8
Not Stingray, but cell (and license plate) analysis was mentioned in a recent
article in the NY Daily News regarding the white flags on the Brooklyn Bridge.

> Investigators could find names through cell phones if those involved made
> calls while near the Brooklyn Bridge in the wee hours Tuesday. Cops are
> analyzing data from the two nearest cell phone towers, the sources said.

> Security cameras and license plate readers also tracked cars that were on
> the bridge at the time of the heist-and-hoist, a third police source said.

http://www.nydailynews.com/new-york/dna-flag-brooklyn-bridge-vandals-article-1.1879501

~~~
themartorana
Seems like a lot of "do first, ask for forgiveness later" except here,
forgiveness is asked for in the form of judicial opinions that legalize the
practice and grant such permission retroactively.

If they can't get that, they just go back to doing.

Because terrorism.

------
jqm
FCC isn't involved in this? I mean... could a private party set up a fake cell
phone tower legally?

Just asking because I don't know.

~~~
tmosleyIII
Yes, not without permission

~~~
ps4fanboy
So the question is do they have it?

~~~
tmosleyIII
Yes, they do.

------
mkoryak
You don't need this expensive box to track people's cellphones, all you need
is an account here:

[http://www.loc-aid.com/](http://www.loc-aid.com/)

You will probably need to be a corporation to get one without opt-in
restrictions, but that shouldn't be hard for big brother.

------
at-fates-hands
This article just reeks of bullshit with very little actual technical
information to back up what they're saying.

But let's take a look at some of those points in the article:

_A stingray is a false cell phone tower that can force phones in a
geographical area to connect to it._

CDMA networks have security enabled with their base stations, so only
authorized mobile stations are able to access the network. So unless they have
access which has been granted by the carrier, they can't just roll up and
"impersonate" a base station:

"3.3 Access Network

There are two types of access networks: 1xRTT and 1xEV-DO. The AN is the
mobile station’s entry point into the mobile network and maintains the
communications link between the mobile station and the core network. The
access network facilitates security by allowing only authorized mobile
stations to access the network. The AN is composed of the following elements:

Base transceiver station The base transceiver station (BTS) is physically
composed of antennas and towers. The BTS manages radio resources including
radio channel assignment and transmit and receive power management and acts as
the interface to mobile stations.

Packet Control function The packet control function (PCF) maintains the
“connection state” between the access network and mobile stations, buffers
packets when necessary, and relays packets between mobile stations and the
PDSN.

Radio network Controller/base station Controller The radio network controller
for 1xEV-DO and the base station controller for 1xRTT schedule packet
transmission on the air interface and manage handoffs between BTSs. For 1xEV-
DO, security functionality is maintained by the security sublayer in the RNC.
Security functionality is performed by either the BTS or the RNC, or by both."

_while in others they seem to have taken a brute-force approach, dumping the
data of every single user on a given tower and then sorting it to find the
parties they’re interested in tracking. Stingrays can be used to force the
phone to give up its user details, making it fairly easy for the police to
match devices and account holders._

Another fantastical claim, but with current security, this is, again,
completely impossible:

"But EV-DO doesn't use WEP. Instead, encrypted CDMA transmissions use a 42-bit
pseudo-noise (PN) sequence called a long code. The long code scrambles
transmissions through the standardized Cellular Authentication and Voice
Encryption (CAVE) algorithm to generate a 128-bit subkey called Shared Secret
Data (SSD).

This key then feeds into an Advanced Encryption Standard (AES) algorithm to
encrypt the transmissions. AES is a symmetric encryption algorithm used by
governments to protect sensitive information. If governments use AES to
encrypt their data, it should be good enough to protect your data as well."

So unless they have some super duper code crackers from planet Mars, there's
no way they're capturing, decoding and then "sorting" through people's
conversations and data. Sure, you can match an IMEI to an account, but that's
about it. After that, you're going to need a warrant and from what I know,
Verizon aren't very keen on giving up the information unless it's something
pretty major.

When I worked at Verizon, we had several FBI agents pestering my department to
give up a huge Meth dealer's account so they could track him and bust his ring
of dealers. Verizon completely stonewalled them, insisting on a federal
warrant which they didn't want to take time and obtain. After several months
of legal posturing back and forth, Verizon finally gave them the account
details. By then, he knew what was up. The dealer moved to a different state,
and started using prepaid phones so the information was useless.

References for my points:

http://www.techrepublic.com/article/understand-how-the-ev-do-standard-boosts-wireless-security/
https://scache.vzw.com/dam/businessportal/content/assets/files/SecurityWP.pdf

~~~
FireBeyond
So you're conveniently ignoring GSM?

Or claiming that the information released by the manufacturer, or the limited
information released under subpoena is all just "bullshit"?

Because it's entirely impossible that a carrier has given keys to the
manufacturer "for authorized legal purposes only"?

3.3 is pretty much irrelevant if you consider that even as a simple statement
of purpose, the Stingray -at least- has to relay the raw traffic.

~~~
at-fates-hands
> So you're conveniently ignoring GSM?

Nope, just saying this isn't possible under CDMA technology.

> Or claiming that the information released by the manufacturer, or the
> limited information released under subpoena is all just "bullshit"?

For me, it's pretty hard to believe considering how secure CDMA is. Might be
different for GSM. It makes for a good sales pitch though for Stingray,
doesn't it??

> Because it's entirely impossible that a carrier has given keys to the
> manufacturer "for authorized legal purposes only"?

I said this is possible _if_ the carrier has given them authorization.
Considering my experience working at Verizon, they don't give out stuff like
that willy nilly. Maybe times have changed, but it's hard for me to believe
Verizon is giving state and local police forces the ability to do what they're
claiming in the article.

> 3.3 is pretty much irrelevant if you consider that even as a simple
> statement of purpose, the Stingray -at least- has to relay the raw traffic.

Which on a CDMA network is encrypted. Not sure if that's the case on GSM, but
all they're getting is encrypted traffic. They make it seem like they're
sitting in a coffee shop just intercepting raw, unencrypted data, which is
false on a CDMA network.

~~~
tmosleyIII
It is very possible to get the traffic for CDMA devices and those devices grab
GSM and CDMA alike. The issues are dealing with the newer tech.

------
rayiner
The article is wrong on a key point. Stingrays don't "force" your cell phone
to do anything. Your cell phone reaches out and connects to it of its own
accord. The Stingray doesn't reach out and collect private data from your
phone. Your phone transmits your private data into the aether at the user's
direction.

I think this fact has major Constitutional implications. The police should not
need a warrant to access information that you carelessly broadcast onto the
public airwaves. I don't think there is any privacy expectation there, any
more than there would be if I took my "papers" out of my desk drawer and threw
them out my car window. They're fair game at that point. Though the 11th
Circuit disagrees (another example of judges not understanding technology?).

~~~
fnordfnordfnord
> Stingrays don't "force" your cell phone to do anything. Your cell phone
> reaches out and connects to it of its own accord.

A distinction without a difference. That's the nature of the prevailing
wireless telephony technology. Users wouldn't be able to receive telephone
calls if their equipment didn't coordinate periodically with the cellular
system's base stations. Although a system that doesn't constantly leak users'
data could conceivably be constructed, that is not what is currently in use.
Turning one's phone off to avoid tracking isn't a good solution because then
the device has ceased being a telephone.

> Your phone transmits your private data into the aether at the user's
> direction.

No, nobody directs their phone to 'transmit their private data into the
aether'; people direct their phones to place and receive telephone calls.

> I think this fact has major Constitutional implications.

I think you're inventing a business case for some group such as Aereo's
engineers to form another technology company whose purpose is to engineer
around weaknesses in the law.

> The police should not need a warrant to access information that you
> carelessly broadcast onto the public airwaves.

Telephone calls are private. Nobody would select 'carelessly broadcast my
information' in their privacy options. The change in technology doesn't render
privacy protections in the law moot.

> I don't think there is any privacy expectation there

I hope you're in the minority.

> (another example of judges not understanding technology?).

Perhaps they've rightly noted that a particular weakness of the technology du
jour is unrelated to the individual's legal right to privacy.

~~~
mason240
The article initially claims that

> Once these devices connect, the stingray can be used to actually eavesdrop on
> conversations, text messages, and web browser activity.

Yet further reading shows that "all" it can do is triangulate your position,
something nowhere near actually intercepting data.

~~~
fnordfnordfnord
Someone is probably playing fast and loose with terminology. There are
apparently a number of optional capabilities.

https://info.publicintelligence.net/Harris-SurveillancePriceList.pdf

http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/

~~~
nitrogen
I can see why it might be tempting for technologists to create these
surveillance technologies -- a single Stingray II is quoted at $148000.

