
Americans’ Cellphones Targeted in Secret U.S. Spy Program - dshibarshin
http://online.wsj.com/news/article_email/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533-lMyQjAxMTI0NTEwMzAxMTMwWj
======
csoghoian
The US Marshals are not the only federal law enforcement agency doing
something like this. According to documents I obtained through a FOIA in 2012,
ICE has purchased an airborne mounting kit and paid for airborne training
for their Stingray II cell phone tracking gear. See:
[https://www.documentcloud.org/documents/479397-#document/p44](https://www.documentcloud.org/documents/479397-#document/p44)

Anyone interested in learning more about IMSI catchers and their use by US law
enforcement agencies might be interested in this law review article I wrote.
[http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678)

~~~
trhway
>The US Marshals are not the only

yep. The cell phone tracking has actively been used for tracking and targeting
in the Ukraine/Russia war on Donbass by both sides.

------
ipsin
In all seriousness, when police circumvent the existing legal methods for
gaining access to information, and when they spy on people without warrants,
why should the "normal channels" be left open?

Isn't it about time to repeal things like CALEA, or to accept that the cost of
having a system like this is that it should be the _only_ system?

"But we're afraid bad guys would act like they live in a surveillance state if
they actually knew they lived in a surveillance state!" I... I just don't know
how to understand that mindset.

I know there are evil criminals in the world, and I'll bet that having power
and dominion over everyone is a fun trip, but it's also corrosive to what the
US has always pretended to be.

------
dmix
There are also IMSI Catchers intercepting GSM all over the USA, for example
this twitter feed reported one at SFO airport recently:

[https://twitter.com/cellhacking/status/524562944928264192](https://twitter.com/cellhacking/status/524562944928264192)

And all over Washington DC:

[https://twitter.com/esdamerica/status/512293117052334080](https://twitter.com/esdamerica/status/512293117052334080)

~~~
larakerns
There are now a few Android apps in development to keep track of the towers
your devices use day to day to hopefully detect rogue IMSI catchers.

This one is the most promising:
[http://signup.spideyapp.com/](http://signup.spideyapp.com/)

------
sehugg
Link is to WSJ paywall; also covered by:

[http://thehill.com/policy/technology/224129-report-feds-usin...](http://thehill.com/policy/technology/224129-report-feds-using-airplane-trackers-to-monitor-cellphones)

[http://www.foxnews.com/politics/2014/11/13/secret-us-spy-pro...](http://www.foxnews.com/politics/2014/11/13/secret-us-spy-program-targeted-americans-cell-phones/)

------
mkal_tsr
Whenever I warn friends about this, I get called a conspiracy theorist :-/

We have a long way to go in educating the general public about technology, its
benefits, and its pitfalls.

------
r0h1n
Thinking aloud in terms of a "solution" - is it possible to build
crowdsourced blocklists that can be subscribed to by users, and will refuse to
let their phones connect to "fake" celltowers?

P.S. I'm not a wireless guy, so I don't know if there's any kind of a digital
giveaway that can distinguish a fake cell tower versus the real one it is
spoofing. If there isn't, then perhaps the fault lies with existing wireless
comm. standards.

~~~
venomsnake
Not until the baseband processor is proprietary. And even then nothing
prevents feds from just giving the towers new ids or just manipulating the
blacklists.

------
declan
Here are some excerpts from the WSJ paywalled article:

_Cellphones are programmed to connect automatically to the strongest cell
tower signal. The device being used by the U.S. Marshals Service identifies
itself as having the closest, strongest signal, even though it doesn’t, and
forces all the phones that can detect its signal to send in their unique
registration information. Even having encryption on one’s phone, such as Apple
Co.’s iPhone 6 now includes, doesn’t prevent this process...

The program cuts out phone companies as an intermediary in searching for
suspects. Rather than asking a company for cell-tower information to help
locate a suspect, which law enforcement has criticized as slow and inaccurate,
the government can now get that information itself. People familiar with the
program say they do get court orders to search for phones, but it isn’t clear
if those orders describe the methods used because the orders are sealed.

Also unknown are the steps taken to ensure data collected on innocent people
isn’t kept for future examination by investigators. A federal appeals court
ruled earlier this year that over-collection of data by investigators, and
stockpiling of such data, was a violation of the Constitution._

This isn't exactly new. Harris' Stingray price list has AIRBRN-KIT-CONUS for
sale for $9,000, dating back to 2008:
[https://info.publicintelligence.net/Harris-SurveillancePrice...](https://info.publicintelligence.net/Harris-SurveillancePriceList.pdf)

Here's a 2013 post on the so-called DRTBOX:
[http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-sur...](http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.html)

And another blog post from 2013 saying "Immigration and Customs Enforcement
(ICE) purchased $3 million worth of Stingrays over several years, and are
purchasing airborne mounting kits for both drones and manned aircraft":
[http://gritsforbreakfast.blogspot.com/2013/03/bypassing-tele...](http://gritsforbreakfast.blogspot.com/2013/03/bypassing-telecoms-stingrays-allow.html)

An earlier FOIA response from 2012:
[http://s3.documentcloud.org/documents/479397/stingrayfoia.tx...](http://s3.documentcloud.org/documents/479397/stingrayfoia.txt)
"The training will cover all of Harris Stingray II operations from an
airborne platform. Specifically, four students are to attend this special
training on three different software packages GSM, and CDM mobile handsets)
for the Program... The schedule is more unpredictable due to a large portion
of the training taking place in an aircraft."

To summarize: if you live in the U.S.[1], your cell phone info (IMSI etc.) has
been slurped up by flying FedGov "dirtboxes" without your knowledge, stored in
perpetuity, without any law passed by Congress explicitly authorizing this, in
violation of the Constitution's Fourth Amendment, and at best authorized by a
secret court order from a secret court. Sigh.

[1] I presume most of the HN US readers live in or near metro areas, and the
WSJ article says the program covers "most of the U.S. population." Obviously
if you're in Idaho or Alaska, you're less likely to be caught in this
particular data vacuum cleaner.

~~~
navyrain
In addition to the egregious complaints citizens could make, wouldn't telecoms
and cellphone manufacturers have grounds to sue over this? It sounds like
these boxes are actively disrupting or reducing cell-phone service reliability
by tricking devices to connect to them, despite not being a good tower.

~~~
jrockway
Ultimately, it's the government that mediates the dispute. They're the
government's airwaves and you (the cell phone provider) receive a license to
use them. I haven't read the relevant FCC regulations, but they can easily say
"cell phone service is secondary; law enforcement is primary".

There is precedent: amateur radio operators can use any means available to
them to transmit life-critical messages when licensed methods/frequencies
don't work. If that was to set up a fake cell phone tower and get phones to
connect, then one could argue that one was using the frequencies legally.
(IANAL; don't do this and say I said it was OK. The usual case is something
like using your amateur radio to contact the coast guard if your ship is
sinking.)

------
alexggordon
At a certain point, everyone will realize this has to stop. I've started to
wonder though, if the way to beat the government at this is not to try and
stop them, but to encrypt things in such a way that they can no longer use
technology like this.

Personally, one thing I like about open source software is that I can host pretty
much whatever I want, whenever I want. If this development path continues, I'd
imagine that eventually there might be some entrepreneurial cell
company[0] that would simply encrypt it all anonymously.

Obviously, this would mean a few changes to the way we do things. For example,
maybe instead of triangulating your cellular position in an emergency, iOS and
Android could create a 'distress' api that would allow for emergency services
to access your location, and then alert you with the status. To be honest, it
would end up working in a similar way as Emergency and Amber alerts on your
device[1].

Realistically, it probably won't happen like this, but if privacy won't be
given to us, we need to take it.

[0] [http://www.artemis.com/](http://www.artemis.com/)

[1] [http://support.apple.com/en-us/HT5795](http://support.apple.com/en-us/HT5795)

~~~
mike_hearn
It's already fixed (I think) from UMTS upwards. In GSM (2G) the tower
authenticated the handset but not vice versa. In UMTS+ the authentication is
mutual. To impersonate a cell tower you would therefore need to be able to
sign with the carrier's signing keys.

One of the most interesting and unreported aspects of these Stingray boxes is
how they handle the 2G/3G divergence here. In the USA there's also CDMA to
think about and I don't know how that handles authentication, if at all. I
suspect such IMSI catchers emulate a GSM base station and possibly jam 3G
frequencies to try and force phones to downgrade. I don't think there's any
way to tell phones to never use GSM even if it's the only option, but if there
was, I suspect that'd "fix" things (except most people wouldn't know about or
use them). Ultimately the only thing that can stop this is a phasing out of 2G
entirely but that won't happen any time soon, and even once it's done, by that
point law enforcement will have got used to the ability to just follow
everyone around all the time and would insist that they MUST be able to use
these devices otherwise chaos and anarchy would follow, so they'd probably
mount a vigorous lobbying campaign to get the signing keys.

~~~
maxerickson
The ars technica article I link here:

[https://news.ycombinator.com/item?id=8607062](https://news.ycombinator.com/item?id=8607062)

discusses police departments purchasing equipment that will work with phones
that can't be forced to 2G (partly in anticipation of carriers switching 2G
off).

------
fit2rule
Yeah, well .. here is the thing:

_We_, the free people, can build drones and we can also put wifi repeaters
on them and we can - instead of sniffing things - actively participate in the
construction and maintenance of wide open communication systems, for all to
use. Everyone.

That is the other end of the scale of all this secrecy and control - there is
another end of the NSA conundrum, and it's all about open source. So, you know:
getting your own local network started, and stop just 'consuming it' from the
powers that be, is sort of a priority folks. If you don't want to have a
secret oppressor, push to have fewer secrets kept in the world. It's a fact
that the corruption of all governments begins with their secrets.

So .. as someone who has a fleet of small drones above his head right now,
albeit sleeping while the LiPos charge, here is a technology I think should
be pointed out that is a little less prone to snooping, and with the right
kind of neighborhood, gives us all a great amount of freedom to communicate,
nevertheless:

[http://ronja.twibright.com/](http://ronja.twibright.com/)

Snoop on that, Feds!

------
ChuckMcM
My new kickstarter, a cell tower locator and a high power green laser pointer.
Whenever the device detects a cell tower above 500' AGL it activates the
green laser pointer and directs it at the detected tower signal. :-)

------
fragsworth
> A Justice Department official would neither confirm nor deny the existence
> of such a program. The official said discussion of such matters would allow
> criminal suspects or foreign powers to determine U.S. surveillance
> capabilities.

This is the go-to defense for surveillance secrecy. However, not discussing
such matters allows criminal officials to abuse these powers without
repercussion.

~~~
unclebucknasty
> _The official said discussion of such matters would allow criminal suspects
> or foreign powers to determine U.S. surveillance capabilities._

Not to mention U.S. citizens!

I mean, if they want to use that argument, then they should actually limit
their surveillance to "criminal suspects" and "foreign powers".

> _This is the go-to defense for surveillance secrecy._

Indeed. And note how it used to be terrorism that provided the tidy
justification for sweeping up large numbers of random U.S. citizens in these
operations. Now, just plain ol' criminal suspects and foreign powers provide
enough justification for domestic spying.

The goalposts are moving. We will all be accustomed to the surveillance state
soon enough. Nothing to see here.

------
coin
Isn't it illegal to transmit on frequencies for which one is not licensed to
use?

------
joering2
At $9,000 per machine. Is it possible for a civilian to purchase it?

Knowing this is unconstitutional and if there are no government laws
(shouldn't be right?) forbidding you from purchasing it, can I sue them if
they refuse to sell me one?

Correct me if I'm wrong but putting this machine around Wall Street (given you
know how to sell and buy stocks) would probably get you $9k back in less than
a day, hm?

I still wonder though, if cellphone technology is secure and traffic
encrypted, then how come they can listen to it? Wouldn't it be that Verizon or
Apple had to give them some sort of keys to open the traffic and read it?
(serious question)

~~~
adventured
That's incorrect.

It's illegal for you to do something like this. Very illegal. They would
likely arrest you for attempting to purchase one, even if you had done nothing
wrong. You could try to sue them, but then you can do that at any time; trying
is never the problem, the consequences are.

It's not a situation where they were granted permission to do it, in a
Constitutionally friendly sort of way.

These are extra-legal programs, where nobody will get in trouble regardless of
the context, and they're simply saying: just try to stop us.

~~~
jacquesm
Why is receiving data openly transmitted on the airwaves illegal?

~~~
emddudley
Ask Google about their Street View wardriving project... an appeals court
ruled that it violated the Wiretap Act.

[http://www.wired.com/2014/04/threatlevel_0401_streetview/](http://www.wired.com/2014/04/threatlevel_0401_streetview/)

~~~
anigbrowl
That was quite different though, because Google was (inadvertently) recording
packet data as well as SSIDs. It's right there in the 3rd paragraph.

------
guelo
Let's say they're flying a Cessna 1,500 feet over a metro area, that could
easily be millions of cellphone connections. A regular cell tower can't handle
that many. I'm wondering how this could work.

~~~
steveplace
You don't have to transmit voice or data, just capture and release IMSI IDs.
The capacity is there.

------
bickfordb
Seems like you would get an excellent picture of everyone's location habits
with a small number of flights per city per month.

If this is legal, why can't they just subpoena carriers for the tower census
data?

~~~
mike_hearn
They could try, but they might not get it, and the carriers wouldn't like it -
better to ask forgiveness than permission, right? I think it says this in the
article.

------
hindsightbias
Last year a Cessna (a Skylane or Stationair) orbited around central SF for
several hours over 3 or 4 days. The edge of the track was right over my block.
It would drone by every few minutes. It did not have a removed door or
anything that would indicate a camera platform. The constant orbit wouldn't make
sense as a photographic mapping platform.

It was not on flighttrack, no ADS-B info, and too high to see the N number.

------
higherpurpose
Isn't it time Google and Apple build some protections inside Android and iOS
against this?

Maybe do something like what these guys did, but I'm sure they can come up
with even more comprehensive protections:

[http://www.wired.com/2014/09/cryptophone-firewall-identifies...](http://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/)

~~~
mindslight
The application OS is basically irrelevant when talking about cell
communications. They'd have to design their own boards to even have a chance
at _isolating_ the "baseband" processor - to say nothing of controlling its
behavior, especially as carriers _want_ to keep its workings secret for
"security".

Most phones (anything CDMA, or most everything LTE) use a Qualcomm SOC, with
both the baseband and application processor sharing the same memory space.
This is a recipe for anything on the application processor being pwned beyond
recognition.

The last time I played with Qualcomm/CDMA (around 2007), I used proprietary
software (QPST) to do undocumented incantations to clone an ESN from one phone
to another. When I called the number, both rang. Picking both up led to
hearing the conversation in both. This tells you _precisely_ how good their
idea of "encryption" is.

The entire Qualcomm ecosystem is a black box, and is there even a remote
chance they don't have a partnership with the NSA? I'm sure San Diego is seen
as a key national security interest - if it weren't "secured" by the NSA, then
China/Russia intelligence would do so (or an uppity colony looking for a leg
up).

I'll happily eat these words when there's an open source GSM or CDMA stack,
portable hardware to run it, and the ability to pay for network access
anonymously. But for now, I see Wifi/Mifi as the only plausible way forward.

~~~
droopybuns
Can you provide some technical documentation that supports your assertion that
the baseband and the application processor are sharing memory space? I thought
they use different processors that are supporting essentially independent
operating systems.

~~~
mindslight
They're independent operating environments, but that doesn't mean their
memories are isolated.

It's commonly accepted that most mobile SoCs operate this way. See the
diagram/text on page 2 of
[https://www.usenix.org/system/files/conference/woot12/woot12...](https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf).
To the extent that a specific Qualcomm processor might avoid such a design,
it's impossible to know due to their longstanding culture of security through
obscurity.

AFAIK, the Raspberry Pi is set up the same way, with the black box GPU being
the master of the CPU that is commonly used to run Linux. This setup is only
less problematic because the GPU lacks an unobservable network link.

Even the i9100, with an independent modem, was found to be set up with shared
memory for communication -
[http://redmine.replicant.us/projects/replicant/wiki/GalaxySI...](http://redmine.replicant.us/projects/replicant/wiki/GalaxySI9000)

Models like the Samsung i9300 have the modem chipset as an independent unit,
although I've seen a block diagram indicating that the eMMC flash and modem
RAM are in the same package, which is worrying.

~~~
mike_hearn
Your information is out of date.

Modern Qualcomm basebands are restricted by an MMU and isolated from the main
OS. Carriers wanted this because baseband exploits were such a common way for
phones to get rooted. Additionally they have been hardened considerably in
recent times, apparently modern Qualcomm basebands are much, much harder to
hack than they once were. And they run now on a proprietary CPU design called,
I think, Hexagon, which makes even just disassembling the thing a bit tricky.

~~~
mindslight
I can believe this, because they do have an interest in preventing any random
party from taking over a phone. Unfortunately, there is a large gap between
being resistant to exploits, and convincing the world that you're resistant to
exploits through open review.

BTW do you mean "rooting" in the longstanding sense of general exploitation,
or in the recent narrow sense of the owner of a device obtaining control of
it? There's of course an overlap between these two, but insight into the
specific business motivation would be interesting.

------
m0dest
I understand that you can sniff IMSI without being a recognized carrier. But
to actually get a cell phone to join your tower – don't you need the carrier's
keys to be able to authenticate during the tower handshake? (iOS 5+ warns
about unencrypted tower connections, so presumably these have to be
authenticated UMTS?)

If so, should we expect that the carriers surrendered their keys to law
enforcement to allow them to run fake cell towers that authentically emulate
their networks?

~~~
revelation
That's how IMSI catchers work, your phone joins their network. The network
determines the level of encryption, if any. And last I remember there were
basically no handsets out there that would even report missing encryption, so
I'm not too sure on the iOS 5+ part, but unless you are staring at your screen
all the time you would probably miss any such warning anyway.

(Not to mention that A5/1 is broken, but since Stingrays have been around
forever and companies don't like investing into something that's not broken, I
don't think they even do that. Certainly not at 9k bucks.)

------
kalleboo
These are all still using GSM, which doesn't authenticate the network right? I
really wish I could disable GSM on the iPhone like I could on my Android -
none of the networks I regularly use have usable GSM networks. It's a waste of
battery and a wide open security hole. Plain old classic GSM needs to die.
Bring on the UMTS/LTE future.

~~~
maxerickson
There are a smattering of media reports saying that they can attack LTE (the
new system or upgrade is called "Hailstorm").

They are pretty thin though:

[http://arstechnica.com/tech-policy/2014/09/cities-scramble-t...](http://arstechnica.com/tech-policy/2014/09/cities-scramble-to-upgrade-stingray-tracking-as-end-of-2g-network-looms/)

------
ck2
This makes me wonder if the government has or is working on drones that home
in on a specific cellphone signal with a specific id after being trained.

Not just for tracking but an "icbm" kind of drone. First for military use,
then for domestic use like how the police always get military weapons, iris
scanners, etc.

~~~
pjc50
I believe this has already been done in Yemen, as part of the programme of
murdering foreign nationals in countries the US is not at war with.

~~~
morganvachon
The US is "at war" with the entire world, even their so-called friends. You
don't spy on your friends, you spy on your enemies. You don't do secret raids
and secret bombings on third parties, you do that to your enemies. We've
always been at war with <fill in the blank>.

------
somethingnew
[https://www.kickstarter.com/projects/1760935672/android-ciph...](https://www.kickstarter.com/projects/1760935672/android-cipher-indicator-identify-cell-network-tam)

------
drderidder
It's tragic to see the self-inflicted damage that out-of-control surveillance
has caused to the international reputation of the US and its tech industry.
Sad.

------
chatmasta
At this point, why would a terrorist even use a cellphone?

~~~
kaybe
Not owning a cell phone might be a red flag by itself, maybe? (plus moving it
around once in a while)

Hm, I see black market business potential here.

------
comrade1
I think cell antennas have unique identifiers. If true, can you detect when
you connect to a tower that isn't your usual tower in your usual geographic
location (assuming you're being targeted at home, for example).

And if there is indeed a unique id, can the fake cell take the id of a real
cell and still work with the cellphone company, or would it need the
cooperation of the cellphone company? (for example, the cell company would
look at hops?)

I guess it's too much to hope that the cellphone companies would try to
protect our privacy.

Maybe someday we'll have police running things similar to license scanners but
for cellphone conversations. They'll drive around the city recording
conversations to detect keywords for illegal activity (herb, drug, murder of
crows, etc)

EDIT: actually, I don't think they need to hijack cellphone connections. They
can just listen in - at least they used to be able to. We determined the
identities of the bombers of our embassies in Africa in the late-90s through
cellphone conversations through RC-135s flying along the Africa coast from
Diego Garcia, and an intelligence gathering satellite that drags an antenna
behind it.

~~~
dfox
GSM contains a half-baked kludge to make passive tracking of phones impractical.
The phone transmits its IMSI only when the network asks it to (eg. when connecting to
the network) and then uses a random session identifier ("TMSI") for normal traffic.
So if you want to reliably identify and track a particular phone or subscriber
without assistance from the network, you have to actively MitM the network.
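
The baseline check comrade1 asks about (does the serving cell match what the phone usually sees here?) combined with the downgrade and null-cipher heuristics the tower-tracking apps larakerns mentions rely on, written out as an added Python example; it is not code from the article or from any of those apps, and the diagnostic fields and sample log it uses are constructed assumptions.

```python
"""Rogue-tower heuristics over a log of observed serving cells.

Added example for this thread, not code from the article or from any app it
mentions. It assumes baseband diagnostics expose the serving cell
(MCC/MNC/LAC/CID), radio technology, negotiated cipher and signal strength;
most stock phones do not. All sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Higher is newer; a drop in rank between observations is a downgrade.
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}
# 3GPP cipher indicators meaning "no encryption" on GSM, UMTS and LTE.
NULL_CIPHERS = {"A5/0", "UEA0", "EEA0"}

@dataclass(frozen=True)
class CellObs:
    ts: int        # seconds since start of log
    mcc: int       # mobile country code
    mnc: int       # mobile network code
    lac: int       # location area code (tracking area code on LTE)
    cid: int       # cell identity
    rat: str       # "GSM", "UMTS" or "LTE"
    cipher: str    # negotiated cipher indicator, e.g. "A5/3", "EEA2"
    rx_dbm: int    # received signal strength in dBm

    @property
    def cell(self):
        return (self.mcc, self.mnc, self.lac, self.cid)

def build_baseline(history, min_seen=3):
    """Cells camped on at least min_seen times at a usual location are trusted."""
    counts = Counter(o.cell for o in history)
    return {cell for cell, n in counts.items() if n >= min_seen}

def assess(prev, cur, baseline):
    """Return the heuristic findings for one observation (empty if ordinary)."""
    findings = []
    if cur.cell not in baseline:
        # A tower impersonating the home operator still has to announce a
        # cell identity the phone has not camped on here before.
        findings.append("unknown cell id for this operator at a usual location")
    if prev is not None and RAT_RANK[cur.rat] < RAT_RANK[prev.rat]:
        findings.append(f"downgrade {prev.rat} -> {cur.rat}")
    if cur.cipher in NULL_CIPHERS:
        findings.append(f"null cipher {cur.cipher}")
    if prev is not None and cur.cell not in baseline and cur.rx_dbm - prev.rx_dbm >= 20:
        findings.append("new cell appeared with a much stronger signal")
    return findings

def scan(history, recent, min_findings=2):
    """Flag observations tripping at least min_findings heuristics at once, so a
    routine LTE->UMTS handover alone is not reported. Returns (timestamp, findings)."""
    baseline = build_baseline(history)
    flagged = []
    prev = history[-1] if history else None
    for cur in recent:
        findings = assess(prev, cur, baseline)
        if len(findings) >= min_findings:
            flagged.append((cur.ts, findings))
        prev = cur
    return flagged

# Constructed history: routine camping on two home cells (one LTE, one UMTS).
HISTORY = (
    [CellObs(t, 310, 260, 4101, 22001, "LTE", "EEA2", -85) for t in range(0, 600, 100)]
    + [CellObs(t, 310, 260, 4101, 22002, "UMTS", "UEA1", -90) for t in range(50, 600, 100)]
)
# Constructed recent log: an unknown GSM cell with no encryption and a far
# stronger signal appears briefly between ordinary observations.
RECENT = [
    CellObs(700, 310, 260, 4101, 22001, "LTE", "EEA2", -84),   # ordinary
    CellObs(760, 310, 260, 4101, 22002, "UMTS", "UEA1", -91),  # ordinary handover
    CellObs(820, 310, 260, 4199, 65001, "GSM", "A5/0", -60),   # suspicious
    CellObs(880, 310, 260, 4101, 22001, "LTE", "EEA2", -86),   # ordinary
]

if __name__ == "__main__":
    for ts, findings in scan(HISTORY, RECENT):
        print(f"t={ts}s: " + "; ".join(findings))
```

Only the observation at t=820 is reported; the ordinary LTE-to-UMTS handover at t=760 trips a single heuristic and stays below the threshold.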

------
dang
We changed the url to one that seems to work, via
[https://news.ycombinator.com/item?id=8604931](https://news.ycombinator.com/item?id=8604931).

------
drcoopster
Wait, and this is news why?

