
Feds: There are hostile stingrays in DC, but we don’t know how to find them - lgs1
https://arstechnica.com/tech-policy/2018/04/dhs-to-senator-malicious-use-of-stingrays-is-a-real-and-growing-risk/
======
walrus01
I work in wireless telecom: Really doubtful "we don't know how to find them".
The FCC's enforcement bureau has a set of vans equipped to find unauthorized
transmitters. IMSI catchers must transmit and remain on the air. It would be
very risky to operate, even briefly, a portable IMSI catcher in a briefcase
and move it around Washington DC, never mind one that remained in fixed locations for
hours. The only other explanation I can think of is being operated from
embassies with full diplomatic protections, but that runs the risk of the host
country (USA) PNG'ing several staff with 24 hour notice as punishment.

Quick edit: Whole US federal agencies have their own TSCM (technical
surveillance countermeasures) staff entirely separate from the FCC. It is a
job position at the dept of state. Evolved from bug detection and removal in
the analog days to now encompass just about everything that can leak data.

~~~
subway
Depends on how much the devices cost to procure, and the budget of the party
using them. Seems like these could be treated as "black-throws" given the
right cost:budget ratio.

~~~
bigiain
OpenBTS and Ettus USRP (software defined radios) have made it inexpensive
enough for hobbyists to set up cellular base stations at Burning Man.

The difference between an open source base station and a homebuilt stingray
is negligible.

While a grand or two's worth of radio hardware and however many
weekends/evenings spent getting it all set up and the software configured is
_kind of_ expensive - it's effectively free at criminal org, corporate
espionage, or state levels of action.

~~~
int0x21
Try less than $200. LimeSDR Mini or a couple Motorola C123s running Osmocombb
with a filter swap...or a hacked femtocell

------
upofadown
Most will probably be owned by law enforcement. Many will be operating without
the benefit of a warrant. So what do you do when you find one? You won't make
many friends if you interfere with an ongoing investigation particularly if
you raise questions about the legality of the operation at the same time.

Things were much the same back in the old days. If a telephone employee would
find listening devices on the lines they were best off just quietly removing
them and disposing of them. In the wild, surveillance equipment legally
installed under a warrant looks exactly the same as all of the other kinds.

So in practice everyone got to tap phone lines, just as long as they didn't
annoy anyone too official while doing so. The targets would never find out,
unless they were willing to climb a telephone pole and check for themselves.
The same thing will probably happen with stingray type devices. People like
private investigators are likely already using them.

~~~
itronitron
That reminds me of some photos my dad took years ago of a line technician on a
crane truck fiddling with some equipment on a utility pole at the edge of our
front yard for about thirty minutes. He thinks the guy was testing for some
illegal cable descrambler on the line although I suppose it could have been
anything since this happened in the DC Metro area :)

------
bvinc
Can someone please explain to me why this cell security problem seems to be
completely ignored? If encryption algorithms are broken, they're phased out
and untrusted. But if 2G is insecure, there's not a single peep from networks
or phone manufacturers or Google or Apple about phasing out 2G. There isn't
even an option to disable it.

Why don't towers have a sort of encryption certificate verifying they're
legit?

Why doesn't my cell provider just provide my phone a list of its legit towers?

I can think of so many ways to solve this problem. But it's super hard to find
any information on how this all works.

~~~
droopybuns
I think there is a perfect storm of savant security nerds with piss-poor
communications skills and telcos over-indexing on MBA/finance leadership.

The security nerds make blustery comments that “anyone with motivation and a
couple g’s worth of gear can target ANYONE.”

There are a bunch of problems with this argument. Gnuradio is not easy. You
need to be in radio proximity to your target. Targeting someone requires some
homework and luck (converting MSISDN to TMSI isn’t trivial. It’s doable, but
the nerds double down on trivial, burning credibility by claiming triviality
that can easily be argued against by half-wits.). The MBAs (whose job it is to
move the needle on billion dollar businesses) are getting asked to add
expenses that require new software at the base stations, replacement of mobile
endpoints, break roaming and generate NO ADDITIONAL REVENUE BECAUSE CONSUMERS
DON'T REALLY CARE ABOUT SECURITY.

What would you do? These are not the best and brightest. They have built
careers in avoiding risk.

The MNOs have a serious culture problem. The single best solution would be to
incentivize competition, but the only thing the SV people want is net
neutrality, which only entrenches the established players.

We only have ourselves to blame for this mess. The moves that would resolve
this problem: taking on risk that most won't recognize will not move the needle
in the right direction. Consumers think mobile internet is too pricey - they
won’t pay more for security. The solution creates costs. We are doomed.

~~~
obmelvin
Naive question: how does net neutrality entrench companies? To me it seems the
opposite, the more you can pay the better service your company can offer which
directly benefits larger entrenched companies, no?

~~~
droopybuns
Imagine deciding to run a local ISP for 300 homes in your neighborhood. You
don't know if all 300 will sign up for service. You don't know how long it
will take to get to 300.

Do you pay for peering agreements that will meet the demands of 300 homes for
the two years it will take to get there, or do you try to build up gradually?
Will you be in a situation where you can't meet your existing customers'
demand? Who will have leverage in that next peering agreement? It's clearly
the entrenched backhaul provider.

If you have some ability to steer & prioritize traffic, you will have some
wiggle room when it comes time to negotiate your next agreement. With net
neutrality concepts, you lose that tool. You're totally dependent on the
accuracy of your traffic predictions & the peering partner has a significant
negotiating advantage.

You're going to take on the risk of digging trenches & negotiating peering
agreements for underserved, rural or suburban locations. You're going to need
a mass of homes to agree to the trenching & installation. You're going to have
to negotiate labor for digging these trenches & laying cable in a way that
will resist water damage & other threats.

All of this sucks and is hard.

> the more you can pay the better service your company can offer which
> directly benefits larger entrenched companies, no?

I don't believe that anyone really wants to rate websites differently than
they already are (via peering arrangements, which are how the Internet works,
folks). But the argument that most people want to make is that ISPs will block
access to example.com. The best example of access to a website being cut off I
can point to is google's decision to block Amazon devices from accessing
youtube.com.

If no ISP is doing this kind of blocking, then what's the point of exposing
ISPs to risk of unfounded claims from random customers that you are violating
net neutrality principles? Do you now need to absorb the cost of audits to
prove you're not? Digging trenches is hard, expensive & risky. What happens
when you pile on more regulations?

Who is excited to get into this business? The established providers already
have legal teams & are prepared to deal with legislators. Startup ISPs are
annoying bugs that can easily be crushed with regulatory pressure. Add
"ability to absorb regulatory & legal tangles" to your list of runway
calculations.

All I see are increasingly challenging hurdles for startup ISPs that need
pricing flexibility to manage the early, high risk tasks of starting an ISP.

------
pacificmint
I'd say let's hope they'll remember that the next time they'll ask for
backdoors in some other technology.

But in reality I have very little hope that they will.

~~~
RpFLCL
That was the first thing that struck me too. There's some irony about these
showing up on the streets of DC.

New technology only stays in the hands of "our team" for so long before
ultimately showing up on our doorstep. Especially when that's low cost
surveillance technology...

------
alexhutcheson
I wasn't familiar with the term 'stingray', so this headline was both
confusing and amusing to me. I was confused about why they would even be
looking for 'hostile' cartilaginous fish. I can't be the only one.

~~~
JCharante
I too thought that for a brief moment when reading the title before
remembering what stingrays were.

------
Overtonwindow
As a resident, let me pose to you this: The government doesn't always know
what the rest of the government is doing. I would be surprised if there
weren't rogue Stingrays out there, and even more not surprised that it's some
discreet arm of the government.

~~~
jumelles
Yes, I'm sure both likely exist, but that doesn't make Stingrays operated by
e.g. China, Iran, DPRK, Russia any less of a problem!

~~~
lolc
You're jumping to conclusions. You don't need to be a nation state to operate
a dingy IMSI-catcher.

------
YouKnowBetter
This is not limited to the US. In fact, you are late to the party. Both in
Oslo and in London these were uncovered and published about; that was 2015.

[https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-si...](https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-signs-of-mobile-surveillance-in-Oslo_-despite-denial-from-Police-Security-Service)

[https://commsrisk.com/reporters-find-20-imsi-catchers-in-lon...](https://commsrisk.com/reporters-find-20-imsi-catchers-in-london/)

------
pcmaffey
> IMSI-Catchers also allow adversaries to intercept your conversations, text
> messages, and data. Police can use them to determine your location or to
> find out who is in a given geographic area at what time. [1]

Does turning one's phone off not disable pinging cell towers?

[1] [https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...](https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/)

~~~
bitexploder
Wrong. This is an exaggeration at best and just plain wrong for most US LTE
users. LTE is very hard to fully MiTM. You can still catch / observe through
IMSI, but the phone won't deal with your rogue tower. If you can downgrade
someone to 3G you can more easily observe voice and or texts. Data is actually
harder to MiTM, even on 3G. That said, it is not feasible to downgrade any
modern US LTE devices as far as I know.

Turning your phone off usually does prevent tower pings, but some phones have
been known to be sneaky.

------
eigenvector
Why can't they find them the same way government agencies normally enforce
radio licensing? Drive around with a receiver (a cell phone, basically)
enumerating all the purported cell towers in a geographic area, then cross-
check that with a list of legitimate carrier infrastructure?

~~~
phusion
It MAY not be that easy... femtocells and whatnot may make that a difficult
task. I wondered this myself, since nearly all pirate radio stations are
caught.. but cell sites don't work the same way. Just a thought.
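The drive-around cross-check eigenvector proposes, with the femtocell caveat phusion raises and gruez's "dead spot with full bars" heuristic folded in, as an added example that is not part of the thread. The cell records and the carrier allowlist are constructed sample data; a real allowlist would have to come from the carrier, which is exactly the part that makes legitimate but unlisted femtocells a false-positive problem.

```python
from statistics import median

# Carrier-supplied allowlist: (mcc, mnc, lac, cid) -> label.
# Constructed values; 310/260 is only a placeholder PLMN here.
KNOWN_CELLS = {
    (310, 260, 7001, 41101): "macro site A",
    (310, 260, 7001, 41102): "macro site B",
    (310, 260, 7001, 41103): "macro site C",
    (310, 260, 7002, 90001): "registered femtocell",
}

# One survey pass: (mcc, mnc, lac, cid, rssi_dbm, offers_data). Constructed.
OBSERVED = [
    (310, 260, 7001, 41101, -85, True),
    (310, 260, 7001, 41102, -91, True),
    (310, 260, 7002, 90001, -70, True),   # known femto: strong but listed
    (310, 260, 7777, 41101, -52, False),  # real CID under an odd LAC, no data
    (310, 260, 7001, 55555, -88, True),   # simply not on the list
]


def classify_cells(observed, known):
    """Return {(lac, cid): [reasons]} for every cell that fails a check."""
    # Signal baseline from the cells we trust, so "unusually strong" is
    # relative to this survey rather than an absolute dBm threshold.
    known_rssi = [o[4] for o in observed if o[:4] in known]
    baseline = median(known_rssi) if known_rssi else -100
    expected_lac = {k[3]: k[2] for k in known}  # cid -> LAC it belongs to
    findings = {}
    for mcc, mnc, lac, cid, rssi, data in observed:
        if (mcc, mnc, lac, cid) in known:
            continue  # matches carrier infrastructure, nothing to report
        reasons = ["not in carrier allowlist"]
        # A listed CID announced under a different LAC is the classic
        # "force a location update" pattern detection tools look for.
        if cid in expected_lac and expected_lac[cid] != lac:
            reasons.append("known CID announced under a different LAC")
        # Full bars but no usable service: the dead spot gruez describes.
        if rssi > baseline + 20 and not data:
            reasons.append("unusually strong signal but no data service")
        findings[(lac, cid)] = reasons
    return findings


if __name__ == "__main__":
    for cell, reasons in classify_cells(OBSERVED, KNOWN_CELLS).items():
        print(cell, "->", "; ".join(reasons))
```

An unregistered but honest femtocell trips only the first reason, which is why the allowlist itself, not the survey, decides how noisy this check is.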

------
Slansitartop
I think this is good news. I think the kinds of politicians that are typically
over-friendly with the police are also the kind that want a strong military.
The use of "law enforcement" technology like stingrays by hostile intelligence
agencies might create a useful tension in them that could help convince them
to harden domestic communications against law enforcement spying.

~~~
mkempe
If only they cared about protecting our rights in the first place, as much or
more than they apparently care about alleged spying by foreign powers.

------
chapill
Seems like a good reason to install and use something like

[https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...](https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/)

Do the Feds have bounties for catching illegal stingrays?

------
et-al
Layman question: one can limit their exposure with encrypted VoIP
communications (e.g. FaceTime) and chats (iMessage, Signal), correct?

That being said, the interceptor would still know:

- phone being connected (IMEI)

- location of the phone

- which servers were requested, but not the encrypted content (yet)

- how much data was transmitted, "call time"

So if two phones were talking with each other over FaceTime connected to
stingrays, a third-party can still deduce that they were talking to each other
given the amount of data being transferred and when the requests occurred.

~~~
walrus01
Re: your last sentence, a stingray rarely if ever offers actual network
connectivity, either ss7 or data. Its purpose is just to catch the unique ID
numbers from the phone. Whatever you have set into your phone for LTE APN data
settings isn't going to work with a random imsi catcher. Such a thing won't
have an uplink anyways outside of its command/control functions.

~~~
gruez
Doesn't that make them really detectable? A deadspot with full signal bars
would be really suspicious.

~~~
walrus01
A phone doesn't stay connected to a stingray, it will get the imsi and then
move on to a real site of the phone's carrier.

~~~
pas
How/why? Could you elaborate? Will the rogue tower drop the phone? Won't the
phone try to connect again and again to the tower with the strongest signal?

------
walrus01
Possibly rogue IMSI catchers have also been spotted in Ottawa. If I had to
bet they're run by CSE, which of course will neither confirm nor deny.

[https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa...](https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa+imsi+catcher&aqs=chrome..69i57.4289j0j4&sourceid=chrome-mobile&ie=UTF-8)

------
kornish
For those confused about the terminology in the title...

> The devices, which are also known as stingrays or IMSI catchers, are
> commonly used by domestic law enforcement nationwide to locate a particular
> phone. Sometimes, they can also be used to intercept text messages and phone
> calls. Stingrays act as a fake cell tower and effectively trick a cell phone
> into transmitting to it, which gives up the phone’s location.

------
mkempe
My understanding is that all stingrays are by definition hostile.

~~~
mkempe
And if the NSA and FBI had devoted less energy to turning this country into a
corrupt republic on its way to a totalitarian nightmare, I am sure they would
have had the ability and resources to ensure that such stingrays were
_impossible_ to set up.

~~~
mkempe
Here is what the EFF says: "[Stingrays] can also intercept metadata (such as
information about calls made and the amount of time on each call), the content
of unencrypted phone calls and text messages and data usage (such as websites
visited). Additionally, marketing material indicates that they can be
configured to divert calls and text messages, edit messages, and even spoof
the identity of a caller in text messages and calls." [1]

_This_ is what the FBI and NSA love. They never try to protect the American
public from such weaknesses in the country's infrastructure, although that is
what they are supposed to be doing. All so they can spy on everybody, feed
illegal parallel-construction activities, and generally nurture the growth of
a police state; it is also clear by now that these agencies have been
interfering with national politics. _These are not friends of our freedoms._

[1] [https://www.eff.org/pages/cell-site-simulatorsimsi-catchers](https://www.eff.org/pages/cell-site-simulatorsimsi-catchers)

------
palisade
Is that Russian ship still parked nearby? I recall reading about that a while
back. Maybe that's where the signal is coming from.
[https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-c...](https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-coast/index.html)

~~~
tbihl
I admit that I don't have much expertise on the matter, having only ever
operated a GSM cell site simulator (never LTE), but the max range I remember
(in ideal conditions) is something like 35 miles.

~~~
bigiain
35km - which is a TDMA timing issue, not a radio range one - that damned pesky
speed of light problem...

[https://en.wikipedia.org/wiki/Timing_advance](https://en.wikipedia.org/wiki/Timing_advance)

(Note there's an "extended range" feature, where you can halve the cell
site's capacity by waiting two timeslots in the TDMA schedule instead of one -
which lets you go as far as 120km...)
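The arithmetic behind the 35 km and 120 km figures above, as an added example that is not part of the thread: the GSM timing advance is a 6-bit value (0..63) where each step absorbs one bit period of round-trip delay, and the extended-range mode adds one more timeslot (156.25 bit periods) of slack. The constants are standard GSM values; the helper names are mine.

```python
C_M_PER_S = 299_792_458.0          # speed of light in vacuum
GSM_BIT_PERIOD_S = 48 / 13 * 1e-6  # one GSM bit period, ~3.69 microseconds
GSM_MAX_TA = 63                    # timing advance field is 6 bits: 0..63
GSM_BITS_PER_TIMESLOT = 156.25     # one TDMA timeslot is 156.25 bit periods


def one_way_distance_per_ta_step_m():
    # A TA step compensates one bit period of *round-trip* delay, so the
    # one-way distance it covers is half of c * bit_period (~553 m).
    return C_M_PER_S * GSM_BIT_PERIOD_S / 2.0


def max_range_m(extra_timeslots=0):
    # Normal cell: the BTS can absorb at most 63 bit periods of delay,
    # which is the ~35 km limit bigiain mentions.
    # Extended range: the BTS also waits `extra_timeslots` further timeslots
    # (each costing capacity), adding 156.25 bit periods of slack per slot;
    # one extra slot gives the ~120 km figure.
    bits = GSM_MAX_TA + extra_timeslots * GSM_BITS_PER_TIMESLOT
    return bits * one_way_distance_per_ta_step_m()


def ta_for_distance(distance_m):
    # TA value a BTS would assign to a handset at `distance_m`, or None
    # if the handset is beyond what a normal (non-extended) cell can serve.
    ta = round(distance_m / one_way_distance_per_ta_step_m())
    return ta if 0 <= ta <= GSM_MAX_TA else None


if __name__ == "__main__":
    print(f"normal cell max range:          {max_range_m() / 1000:.1f} km")
    print(f"extended range (1 extra slot):  {max_range_m(1) / 1000:.1f} km")
    print(f"TA for a handset 10 km away:    {ta_for_distance(10_000)}")
```

The same per-step distance is why a TA readout only localises a handset to a ~550 m ring around the site, not to a point.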

------
elipsey
Ambiguous title. On my first reading I thought: do they mean animals? ...or
missiles? ...oh no it's even scarier than the first two!

------
bsder
Is Milenage still a safe protocol?

Or are all of these stingrays still dependent upon forcing you to switch down
to the older 2G protocols?

~~~
Rjevski
Yep most of this bullshit is because garbage like 2G (and 3G) is still in
operation. Phones should just phase that out (less code, thus less attack
surface).

------
benpiper
The headline doesn't at all agree with what the article and its sources
say, which is basically a whole lot of nothing.

------
ConcernedCoder
Why would they admit that they could find them?

------
homero
The same backdoors politicians want in our devices will come back to haunt
them.

------
vl
>we don’t know how to find them

Triangulation?

