
California Police Used Stingrays in Planes to Spy on Phones - corywatilo
http://www.wired.com/2016/01/california-police-used-stingrays-in-planes-to-spy-on-phones/
======
guelo
My biggest disillusionment when I learned about Stingrays was with the FCC. I
had always thought of the FCC as good stewards of the broadcast spectrum and I
didn't think they would ever approve shenanigans like the commercial
development of radios that impersonate commercial broadcasters.

~~~
schoen
I'm still curious why they haven't decided that the fact that cell site
simulators _are possible_ is a super-grave bug!

It's one thing to say "we think it might be legal to use a cell site simulator
in some specific circumstances", but another thing to say "our cell phone
infrastructure allows anyone to successfully pretend to be a tower and spy on
people, and we're not going to try to fix that".

~~~
guelo
Harris Corp is not sneaking behind the FCC's back, the FCC specifically
approved this use and licensed the device. In any other situation if someone
tried to broadcast on licensed spectrum the FCC would come down on them like a
ton of bricks.

~~~
rickycook
I think his point though is that the wireless technology itself should make
this impossible. The fact that it's not provably secure is problematic,
because it's all well and good to say "you're not allowed to" until someone
subverts the rules. People break laws all the time, including police.

~~~
guelo
There are very few violations of the FCC's rules in general partly because the
FCC regulates and certifies hardware manufacturers of radio equipment, so it's
very difficult to purchase equipment that doesn't follow the rules. You can
see this happening in the Wifi space where the FCC is clamping down on dd-wrt
at the device manufacturer level because the software allows people to violate
that frequency's rules. People with the right skills can build custom
equipment to violate the rules but it's rare. And for the few people that do
try to do things like pirate radio the FCC hunts them down and the penalties
are stiff.

My point being that for the most part the FCC's regulatory scheme works at
keeping people playing by the rules without extra layers of technically
complicated security.

~~~
jakeogh
Is it accurate to state they have made it illegal (via 'rules') to use open
source (user controlled) EM comm above 100um (below 3000GHz[1]) (except a few
windows)? Or is it 9kHz to 275GHz? I bet when line of sight NIR comms (there's
a nice window around 1550nm) get popular, they will (to stay relevant) want to
'regulate'[2] that too. Prior restraint is the problem here, anyone can mess
with the spectrum with basic electronic skills, mandating 'approved' software
seems less than pointless.

[1]
[http://www.spectrumwiki.com/wp/allocations101.pdf](http://www.spectrumwiki.com/wp/allocations101.pdf)

[2]
[https://www.youtube.com/watch?v=gbYXBJOFgeI](https://www.youtube.com/watch?v=gbYXBJOFgeI)

------
tedmiston
More info for anyone else who hasn't heard of Stingrays:

> The StingRay is an IMSI-catcher (International Mobile Subscriber Identity),
> a controversial cellular phone surveillance device, manufactured by Harris
> Corporation.[2] Initially developed for the military and intelligence
> community, ....

> Active mode operations
>
> 1. Extracting stored data such as International Mobile Subscriber Identity ("IMSI") numbers and Electronic Serial Number ("ESN"),[9]
> 2. Writing cellular protocol metadata to internal storage
> 3. Forcing an increase in signal transmission power,[10]
> 4. Forcing an abundance of radio signals to be transmitted
> 5. Interception of communications content
> 6. Tracking and locating the cellular device user,[4]
> 7. Conducting a denial of service attack
> 8. Encryption key extraction.[11]
> 9. Radio jamming for either general denial of service purposes[12] or to aid in active mode protocol rollback attacks

> Active (cell site simulator) capabilities

> In active mode, the StingRay will force each compatible cellular device in a
> given area to disconnect from its service provider cell site (e.g., operated
> by Verizon, AT&T, etc.) and establish a new connection with the
> StingRay.[13] In most cases, this is accomplished by having the StingRay
> broadcast a pilot signal that is either stronger than, or made to appear
> stronger than, the pilot signals being broadcast by legitimate cell sites
> operating in the area.[14] A common function of all cellular communications
> protocols is to have the cellular device connect to the cell site offering
> the strongest signal. StingRays exploit this function as a means to force
> temporary connections with cellular devices within a limited area.

So does that mean it would show up as a different carrier on my iPhone, or I'd
be blind to the tower choice?

from
[https://en.wikipedia.org/wiki/Stingray_phone_tracker](https://en.wikipedia.org/wiki/Stingray_phone_tracker)

~~~
nier
How fitting that they called it airplane mode. Looks like you might want to
have that enabled when visiting that particular amusement park.

~~~
tedmiston
Apparently even airplane mode might not necessarily protect you (though I
don't claim to know how this works in the internals of iOS):

> Furthermore while the IMSI is not transmitted often a silent SMS or a failed
> call will induce the phone to transmit its IMSI or TMSI also in and out of
> airplane mode while registering on the network.

[https://en.wikipedia.org/wiki/Talk%3AIMSI-catcher](https://en.wikipedia.org/wiki/Talk%3AIMSI-catcher)

------
josu
"The Anaheim Police Department has acknowledged in new documents that it uses
surveillance devices known as Dirtboxes—plane-mounted stingrays—on aircraft
flying above the Southern California city that is home to Disneyland, one of
the most popular tourist destinations in the world."

According to the United States Census Bureau Anaheim County has a population
of 346,997 (2014). Not being from the US, the fact that a county police from
an area with a population of 350k is able to afford to buy and operate
airplanes amazes me.

~~~
jjwiseman
From looking at the FAA registry[1] and googling, it looks like the Anaheim
police department operates 3 aircraft: N226PD, an AS350 helicopter; N326PD,
another AS350 helicopter; N508BH, a Cessna 208B.

N508BH, the Cessna, is probably the one they're using for surveillance (See
the 2012 OC Register article, "$2.2 million Cessna will help fight crime"[2]).

FlightAware shows that N508BH flies to northern California a lot. You can also
see what looks like a probable surveillance flight path at
[http://flightaware.com/live/flight/N508BH/history/20151128/2...](http://flightaware.com/live/flight/N508BH/history/20151128/2014Z)

Three aircraft for a California city with population 350K isn't crazy--
Glendale and Burbank together have about 300K people, and their police forces
have gone in together to create a "joint air support division" that has 4
helicopters[3].

    
    
      [1] http://www.faa.gov/licenses_certificates/aircraft_certification/aircraft_registry/releasable_aircraft_download/
      [2] http://www.ocregister.com/articles/air-356706-police-cessna.html
      [3] http://www.mdhelicopters.com/news/pdf/2014/111914.pdf

~~~
toomanybeersies
That's phenomenal.

As a point of contrast, the New Zealand police own 1 helicopter, and contract
out flying light aircraft to commercial operators.

Upon saying that, they often call upon the air force for logistical support
(in particular for helicopter operations, usually for drug operations, such as
airlifting cannabis for destruction, not for raids).

~~~
alistairSH
In the US, it is illegal for the military to operate in a civilian law-
enforcement context. The National Guard (state militias) can be called into
civilian action by the state governor, but do not normally perform civilian
tasks.

Helicopter ownership by police departments is common. Airplane ownership is
less common, at least at the city/county level - the state police forces
frequently have small planes.

------
sandworm101
Cell towers are fixed objects. Has any work been done in detecting these
planes based on the fact they are the only cell towers around moving at
100+kph? Could standard cellphone gear be sensitive enough to measure or at
least guess at any doppler effect?

I'm reminded of a British comedy that included a poacher being caught after a
tagged animal was found to be traveling at 55mph down the M5.

~~~
nikcub
In active mode the Stingray will broadcast a consistently strong signal to
force targets to connect to it so that it can grab identifiers.

Some detection methods rely on this, as well as fingerprinting the Stingray
(they negotiate a drop in encryption and ask the phone to max signal strength).

Current solutions for Android will point out new base stations that stand out
and are likely an IMSI catcher:

[http://secupwn.github.io/Android-IMSI-Catcher-Detector/](http://secupwn.github.io/Android-IMSI-Catcher-Detector/)

The better method, since the devices change and some are stationary, is to
authenticate the real cell phone towers. This would involve either updating
the GSM protocol, or having the carriers send out additional settings that
make the phone aware of their legitimate sites and only connect to them.

iOS doesn't make these settings available in official APIs, but if they did
it would be possible to develop apps or features that could detect/avoid IMSI
catchers.

The best non-tech solution is to have an anonymous IMSI. The attack relies on
linking an IMSI to a real person, or the pattern behavior of a phone to a real
person. So - anonymous SIM cards, change them up often, don't have it switched
on with any of your real phones or real phones of friends, leave it switched
off, etc.
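As an added illustration of the heuristics nikcub lists (a base station the carrier does not list, a consistently strong signal, a negotiated drop in encryption, an order to transmit at maximum power) and of why single-indicator apps throw the false positives mentioned elsewhere in this thread, here is a scoring routine run over a constructed window of cell observations. This is example code written for this page, not part of AIMSICD or any shipped detector; the `CellObservation` fields, the thresholds and the carrier-supplied `known` list are assumptions, and every cell ID and signal value below is made up.

```go
package main

import (
	"fmt"
	"math"
)

// CellObservation is one sample of the serving cell as the baseband reports it.
// The field set is an assumption for this example; Android exposes only part of
// it to apps and iOS exposes none of it.
type CellObservation struct {
	CellID      string // MCC-MNC-LAC-CID; every value used below is constructed
	RSSIdBm     int    // received signal strength in dBm
	Cipher      string // ciphering mode the network selected: "A5/3", "A5/1", "A5/0"
	MaxPowerCmd bool   // network ordered the handset to its maximum transmit power
	IdentityReq bool   // network asked for the IMSI/IMEI in the clear
}

// Alert is the assessment for one cell; Score counts the indicators that fired.
type Alert struct {
	CellID  string
	Score   int
	Reasons []string
}

// AssessCells scores each cell in obs against the indicators the thread lists:
// a cell ID missing from the carrier's list, a consistently strong signal, an
// encryption downgrade, a maximum-power order and identity requests. known is
// the set of legitimate cell IDs, which in practice the carrier would push out.
// Cells are reported in first-seen order.
func AssessCells(known map[string]bool, obs []CellObservation) []Alert {
	byCell, order := map[string][]CellObservation{}, []string{}
	for _, o := range obs {
		if _, seen := byCell[o.CellID]; !seen {
			order = append(order, o.CellID)
		}
		byCell[o.CellID] = append(byCell[o.CellID], o)
	}
	var alerts []Alert
	for _, id := range order {
		samples, a := byCell[id], Alert{CellID: id}
		if !known[id] {
			a.Reasons = append(a.Reasons, "cell ID not in the carrier's list of legitimate sites")
		}
		// -65 dBm is unusually strong for a macro cell at street level, and a real
		// tower's signal fluctuates; both thresholds are assumptions for this example.
		if mean, sd := rssiStats(samples); len(samples) >= 3 && mean >= -65 && sd <= 2 {
			a.Reasons = append(a.Reasons, fmt.Sprintf("consistently strong signal (mean %.0f dBm, sd %.1f)", mean, sd))
		}
		var hit [3]bool // any sample: ciphering off, max-power order, identity request
		for _, s := range samples {
			hit[0] = hit[0] || s.Cipher == "A5/0" || s.Cipher == ""
			hit[1] = hit[1] || s.MaxPowerCmd
			hit[2] = hit[2] || s.IdentityReq
		}
		for i, msg := range []string{"encryption negotiated down to A5/0 (none)",
			"handset ordered to maximum transmit power", "identity (IMSI/IMEI) requested in the clear"} {
			if hit[i] {
				a.Reasons = append(a.Reasons, msg)
			}
		}
		a.Score = len(a.Reasons)
		alerts = append(alerts, a)
	}
	return alerts
}

// rssiStats returns the mean and population standard deviation of the RSSI samples.
func rssiStats(samples []CellObservation) (mean, sd float64) {
	for _, s := range samples {
		mean += float64(s.RSSIdBm)
	}
	mean /= float64(len(samples))
	for _, s := range samples {
		sd += (float64(s.RSSIdBm) - mean) * (float64(s.RSSIdBm) - mean)
	}
	return mean, math.Sqrt(sd / float64(len(samples)))
}

// SampleObservations is a constructed window: a listed cell with a normally
// fluctuating signal, then an unlisted cell showing the whole pattern at once.
func SampleObservations() (map[string]bool, []CellObservation) {
	known := map[string]bool{"310-410-0123-04567": true}
	return known, []CellObservation{
		{"310-410-0123-04567", -81, "A5/3", false, false},
		{"310-410-0123-04567", -77, "A5/3", false, false},
		{"310-410-0123-04567", -86, "A5/3", false, false},
		{"310-410-9999-00001", -52, "A5/0", true, true},
		{"310-410-9999-00001", -53, "A5/0", true, false},
		{"310-410-9999-00001", -52, "A5/1", false, false},
	}
}

func main() {
	known, obs := SampleObservations()
	for _, a := range AssessCells(known, obs) {
		fmt.Printf("%s: score %d %v\n", a.CellID, a.Score, a.Reasons)
	}
}
```

Reading the score: one fired indicator is only worth a "suspicious" label, because a newly commissioned tower or a network lawfully running without ciphering trips a single check just as well; two or more together are what a legitimate site rarely produces. On the constructed input the listed cell scores 0 and the unlisted one scores 5.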

~~~
akerro
Sorry to say, but AIMSICD is a placebo. It does not detect anything. It was
proved in their issues page many times, it never detected any threat, but
detected dozens of false positives (also see their issues).

------
wyldfire
We've been hearing about Stingrays so much I wondered what the average Joe can
do to avoid 'em.

This is about the only thing I found, but it's promising for the long term --
[http://secupwn.github.io/Android-IMSI-Catcher-Detector/](http://secupwn.github.io/Android-IMSI-Catcher-Detector/) -- note
that they list themselves as still in alpha and to expect false indications.

I think the typical advice I've heard -- turning off your phone or turning off
the baseband functionality -- is pretty impractical for most folks.

~~~
jakeogh
Somewhere on my todo is "wire pager to cell phone". I think this would work by
having an Asterisk system take the incoming call, send the (nationwide) page,
pager is wired to phone, phone displays page as if it's an incoming call
(while caller hears ringing), if callee decides to answer the GSM circuits get
power and the phone calls the Asterisk box which patches the two together. If
someone beats me to it, I'll buy one. Putting an RTL-SDR into the phone would
take care of the pager circuit and make other neat things possible.

~~~
voltagex_
What advantage does this give you?

~~~
c22
Presumably by using a one-way pager network it gives you the opportunity to be
completely passive (thereby undetectable) until you decide to initiate an
actual call.

------
adanto6840
As of today, what stops someone (regardless of their intentions) from building
or making their own Stingray-like device?

Is it illegal for an 'average joe' to build or develop one of these? Or is it
just super high difficulty, ie the protocols just aren't published or [easily]
reverse-engineered? Or right now is it just the illegality of call recording
entirely that is "preventing" its use?

Pretty sure I watched a conference talk that demoed a functional one (that
included pass-thru [to prevent suspicion/non-functional devices] to the real
cell tower, IIRC).

I'm just curious because obviously this isn't something you want just anyone
to be able to build & deploy -- so much potential for abuse, anything from
basic identity theft to serious securities fraud, and much more quickly
becomes a very serious & probable threat once these become even just slightly
more "mainstream" for the public / criminals / mafia / etc...

~~~
superuser2
It is illegal to make or sell or own radio hardware capable of operating on
that spectrum, or modify other hardware to work on that spectrum, or hint to
your users how they might modify your product to work on that spectrum, unless
you are a licensee or have permission from one. Even Motorola can't take its
new basebands out of RF-isolated testing facilities before FCC approval.

Theoretically calls are encrypted, however security researchers have shown
vulnerabilities due to old/incorrectly applied primitives. Not sure exactly
which protocol versions this applies to. Stingray might just have asked nicely
for the keys.

Commercial IMSI-catchers (made with the cooperation of carriers?) do exist,
and there are some hobbyist proofs of concept. It is very hard to get caught
doing passive receiving.

Transmit in a way that catches the eyes of carrier network engineers, though,
and the federal government will come knocking with criminal charges.

FCC makes exceptions to most things for official purposes. For example,
government installations can be licensed to operate cell phone jammers.

~~~
adanto6840
Very interesting, thank you.

So the most likely scenario is that the carriers are cooperating... Are they
cooperating only with the US, or are they cooperating with other nations as
well? Seems safe to assume they're cooperating with any/all nations that have
a significant market for their products (ie leverage).

That's fairly scary though -- I assume the keys / encryption stays the same
across similar networks, regardless of nation (given that phones continue to
work abroad)? Perhaps the keys / encryption does differ by carrier, I'm not
sure, but I'd definitely be curious. As long as they stay undetected, sounds
like there is very little stopping COUNTRY_X from deploying these in COUNTRY_Y
for their own gain, not to mention 'lower level' criminals / mafia / etc...

And obviously there are plenty of people out there (reverse-engineers,
employees/insiders, et al) that have access to the keys...

Any idea if the exceptions that the FCC makes are public information, or
obtainable via FOIA or similar? I'm guessing the FCC has a rigid "exception
request process" in place and, hopefully, they only provide [super] limited-
scope exceptions (without warrants, eh)... I'd love to see what exceptions are
_actually_ being made and what limits, if any, they contain.

Anyways, this is definitely pretty far outside of my realm of knowledge but I
find the tech incredibly intriguing and very interesting nonetheless (and I
agree with comments here regarding the FCC).

~~~
detaro
For GSM encryption, at least the commonly deployed variants, you do not need
cooperation or stolen keys, you can just straight-up break it in a few
minutes. (EDIT: might not be correct for up-to-date networks, see below)

And if you impersonate a cell tower instead of passively sniffing, you can
just turn encryption off or downgrade to a weak one.

~~~
yuhong
I think the strongest one deployed today (A5/3 and GEA3) can be brute forced
(64-bit), but typically takes far more than a few minutes.

~~~
detaro
You seem to be right. There is a paper about fast attacks against A5/3, but
according to the authors it doesn't necessarily apply to real attack
scenarios.

[https://eprint.iacr.org/2010/013](https://eprint.iacr.org/2010/013)

~~~
yuhong
Yea, related key attack I think.

------
ChuckMcM
This kind of stuff always annoys me. One of the interesting things would be a
'home designed' cell system based on using unlicensed spectrum in the TV white
spaces. Then you could build a system where a phone only answered a tower
which sent out an ident frame which was cryptographically signed by a trusted
key. And the response would be encrypted with that trusted key as well so only
the cell tower could decrypt it. That and a VOIP back haul network and you're
closer.

It's on my list of projects to look at with SDR, but sadly I am no Fabrice
Bellard (who no doubt has already built such a system as a proof of concept
and then tossed it away).
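The tower-authentication idea, nikcub's "authenticate the real cell phone towers" earlier in the thread and the signed ident frame sketched here, can be made concrete. The following is an added example, not code from this thread or from any SDR project: a tower signs a beacon carrying its ID, a timestamp and a nonce with an Ed25519 key, and a handset answers only beacons that verify against a pinned key and are fresh. The frame layout, the `MaxAge` window and the cell-0123 style identifiers are assumptions; the encrypted-response half of the idea is not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// IdentFrame is the beacon a tower would broadcast. The layout is an assumption
// for this example, not a format from GSM or any deployed network.
type IdentFrame struct {
	TowerID   string
	IssuedAt  int64 // unix seconds
	Nonce     [8]byte
	Signature []byte
}

// MaxAge bounds how old a frame may be when the handset hears it. Without a
// freshness check a simulator could record a real tower's signed beacon and
// simply rebroadcast it; the nonce additionally lets a handset remember frames
// heard inside the window and refuse an exact repeat (not implemented here).
const MaxAge = 30 * time.Second

// payload is the byte string that gets signed: a length-prefixed tower ID so
// the fields cannot be shifted into each other, then the timestamp and nonce.
func (f *IdentFrame) payload() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(f.IssuedAt))
	buf := append([]byte{byte(len(f.TowerID))}, f.TowerID...)
	buf = append(buf, ts[:]...)
	return append(buf, f.Nonce[:]...)
}

// SignIdent is the tower side: build a fresh frame and sign it with the
// tower's private key.
func SignIdent(priv ed25519.PrivateKey, towerID string, now time.Time) (*IdentFrame, error) {
	if len(towerID) > 255 {
		return nil, errors.New("tower id too long for one-byte length prefix")
	}
	f := &IdentFrame{TowerID: towerID, IssuedAt: now.Unix()}
	if _, err := rand.Read(f.Nonce[:]); err != nil {
		return nil, err
	}
	f.Signature = ed25519.Sign(priv, f.payload())
	return f, nil
}

// VerifyIdent is the handset side: answer a tower only if its frame is fresh
// and signed by one of the pinned keys (which the carrier would provision).
func VerifyIdent(trusted []ed25519.PublicKey, f *IdentFrame, now time.Time) error {
	if age := now.Sub(time.Unix(f.IssuedAt, 0)); age > MaxAge || age < -MaxAge {
		return errors.New("ident frame outside freshness window (possible replay)")
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, f.payload(), f.Signature) {
			return nil
		}
	}
	return errors.New("ident frame not signed by a trusted key")
}

// Scenario runs the four cases a handset has to get right and reports which
// frames it accepted. Keys are generated on the fly; none are real.
func Scenario() (legit, forged, replayed, tampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // a simulator's own key, never pinned
	trusted := []ed25519.PublicKey{pub}
	now := time.Now()

	f, _ := SignIdent(priv, "cell-0123", now) // genuine tower, current frame
	legit = VerifyIdent(trusted, f, now) == nil

	g, _ := SignIdent(rogue, "cell-0123", now) // right ID, wrong key
	forged = VerifyIdent(trusted, g, now) == nil

	old, _ := SignIdent(priv, "cell-0123", now.Add(-10*time.Minute)) // genuine but stale
	replayed = VerifyIdent(trusted, old, now) == nil

	t := *f // genuine signature attached to a different tower ID
	t.TowerID = "cell-9999"
	tampered = VerifyIdent(trusted, &t, now) == nil
	return
}

func main() {
	legit, forged, replayed, tampered := Scenario()
	fmt.Printf("legit=%v forged=%v replayed=%v tampered=%v\n", legit, forged, replayed, tampered)
}
```

The freshness window is the caveat the sketch above leaves out: a signature alone proves that a tower key produced the frame at some point, so a recorded beacon could be rebroadcast; bounding its age (and, in a fuller implementation, tracking nonces within the window) closes that gap. Only the genuine, current frame is accepted; the forged, stale and tampered frames are all refused.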

~~~
superuser2
To get decent coverage you need to negotiate and pay for space, power, and
internet connectivity on thousands of towers/tall buildings all owned by
different people and municipalities who see you as somewhere between an
annoyance and a revenue stream to exploit. Then you need a field workforce
capable of performing maintenance at all of those sites (which requires making
appointments and sometimes paying fees to the property owners), a supply chain
of spare parts, and the RF expertise and test equipment to measure and do
quality control on their coverage all around the cities you're operating in.

Then you need a way to recoup all this cost.

Being a cell carrier takes staggering amounts of money and staggering amounts
of schlep. It's not for hobbyists, hackers, or small companies (who are not in
fact carriers but just resell and rebrand real carriers' services). There is a
reason it's the domain of giant corporations run by the kind of people who
make deals (and not write code) for a living.

~~~
ChuckMcM
This is one of the reasons it's a fun idea. The TV bands (50 - 210MHz) can
cover a huge area from a single antenna (that was their original modality) but
because of the inverse square law, it means that a much smaller and lower
power antenna nearby can still get a big chunk of real estate. During some
experiments at a company that will remain nameless it was something like 1
antenna could easily cover a 2 mile diameter circle, 4 would cover 8 square
miles, and 30 - 40 could cover nearly all of the cities around the SF bay.

The actual cellular mechanics are quite an undertaking, but something along
the lines of a coded point to point system would be implementable by a small
group of people.

~~~
superuser2
Again, the problem is getting the antennae up high. Unless you and your small
group happen to own some radio towers and/or tall buildings, range is going to
be much much smaller.

------
beedogs
No legal justification for any of this. We live in a simulacrum of democracy.

------
nier
Here’s what a stingray is in this context:

"Stingrays and Dirtboxes are mobile surveillance systems that impersonate a
legitimate cell phone tower in order to trick mobile phones and other mobile
devices in their vicinity into connecting to them and revealing their unique
ID and location."

------
TrevorJ
Serious question: is this not seriously illegal?

~~~
coldcode
It's not illegal unless you have standing to challenge it in court. Standing
is used by government (at least in the US) to allow all sorts of likely
illegal activities but without a court explicitly making it illegal they can
get away with almost anything.

~~~
geggam
What happened to common sense spirit of the law violations? The 4th amendment
is plain English. Why do we let lawyers pollute the system with "translations"?

~~~
mikeash
It may be plain English, but it's also highly ambiguous English. Who decides
what is "unreasonable"? I agree that they've taken this stuff way too far, but
that doesn't mean that my idea of the text is the "plain English"
interpretation, and theirs is the "lawyerly translation" version.

~~~
geggam
But the spirit remains the same. The concept is you are safe from search
without a warrant. If they are able to apply copyright to digital media then
it's assumed the same as paper. If it is assumed the same as paper then it
seems obvious that it's safe from search.

~~~
mikeash
The plain English wording says that you are safe from _unreasonable_ searches.
Everything hinges on the interpretation of "reasonable," which is not a matter
of "plain English" because plain English doesn't define "reasonable" with
sufficient precision.

~~~
geggam
Only for lawyers... it's obvious the concept is to protect citizens from govt
dragnets... to anyone who isn't attempting to pervert the spirit of the law.

~~~
mikeash
You've gone from "plain English" to "spirit of the law" which is _way_
different.

Again, I agree with you, but this position is not something you arrive at by
just reading the 4th Amendment and then understanding its words without legal
context.

------
samstave
I wonder if the mobile cell tower they just put up outside of AT&T Park is a
stingray, or a valid mobile tower.

~~~
tlrobinson
Given the cooperation between telcos and law enforcement, is there much
difference?

There was temporary cell service at Burning Man for the first time this year,
supposedly to "support" law enforcement. I guess you could interpret that in
two different ways...

~~~
samstave
I took a couple pics looking in from the door - I can't see anything out of the
ordinary WRT "stingray" labeled equipment... They have a fence around the
thing.

[https://imgur.com/a/m1BzQ](https://imgur.com/a/m1BzQ)

------
Toenex
There is another way to read this title that creates a way more interesting
mental image...

------
revelation
This is also the technique used to drone bomb people. Drones with stingrays
circle over areas looking for IMSIs picked up from sigint.

Hence the high casualty rate, they bomb people based on phone metadata. Don't
borrow a friend's phone.

------
pstuart
Apple and Google should build detection for this into their respective
devices.

