
Stingrays and Dirtboxes: how cops can secretly track your phone - uhtred
https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/
======
jdefr89
Hey. Someone who briefly worked on the Stingray team here.

I left the company that develops the stingray (whose name is mentioned in the
article but I shall not say it) because I didn't feel comfortable with the
ethics of how it could potentially be easily abused without legal permission
and/or repercussion. I fear these technologies will become more commonly used
against Americans by low level law enforcement without good reason and without
responsible usage.

~~~
throwaway_drt2
Used to work for makers of the dirtbox. I would hope anyone curious about this
issue also spends a lot of time digging into those devices as well.

~~~
blue52
The majority of us are well aware how these devices create a MITM attack
against your phone, but is there anything you found particularly interesting
or egregious that we should know about? Especially how LE are using them to
abuse every group who desperately needs protection from these devices.

~~~
thimkerbell
Can it change what I read?

------
GaryNumanVevo
Pro-tip: If you want fairly good OPSEC when going to a protest, get a burner
Android phone, put it on airplane mode with WIFI only. Then purchase a couple
of Comcast / Xfinity logins off the web, and use those to connect to
"xfiniti-wifi" hotspots. Most cities have them, the speeds are fairly decent too.

We're truly living in the panopticon

~~~
refurb
Maybe I'm being overly paranoid, but if you're arrested, what's stopping the
cops from matching the phone's MAC to public wifi connections?

~~~
zamadatix
Since Android 9 there is an option to use randomized MACs for the actual
connection (not just probing).

~~~
mixmastamyk
Most folks won't be aware of an option unless it is default.

~~~
chocolatkey
On my Samsung Galaxy S10e (Android 10) it is the default

~~~
zamadatix
That's for probing only, randomization on connection is accessible via
developer options only.

------
BelleOfTheBall
I remember this being described in Bruce Schneier's book. When I first read
it, I was terrified. Now, seeing them in action, I'm closer to dejected. Most
methods of avoiding them aren't easy or practical enough to be used by the
layman, hell, most laymen don't even know what stingrays are. These are
incredibly tough to protect against on a mass scale.

~~~
Mirioron
What happens when they are used in countries with fewer protections to
individuals than the US?

~~~
mtgx
The bar is already pretty low in the US. The FBI has trained cops to hide the
use of stingrays from judges, so who really knows how many times these were
illegally used to incriminate someone while telling judges they got anonymous
tips or whatever.

~~~
8note
So is it possible to set up spying on stingrays, then get them brought up on
perjury charges when they say it's from anonymous tips?

------
myroon5
It's even possible for phones to be tracked while turned off:

[http://www.washingtonpost.com/world/national-security/nsa-gr...](http://www.washingtonpost.com/world/national-security/nsa-growth-fueled-by-need-to-target-terrorists/2013/07/21/24c93cf4-f0b1-11e2-bed3-b9b6fe264871_story.html)

[https://slate.com/technology/2013/07/nsa-can-reportedly-trac...](https://slate.com/technology/2013/07/nsa-can-reportedly-track-cellphones-even-when-they-re-turned-off.html)

~~~
alain94040
How is this possible?

~~~
notyourday
Unless you can physically disconnect the battery, your phone may not actually
be fully off.

For example, on my Android phone, should I drain the battery into oblivion
(let the phone die) and let it sit for about a week in that state, it takes
about 90 seconds to become fully functional to the lock screen from the moment
it is plugged into a charger.

On the other hand, if I do a hard power off of a phone followed by powering it
on, it takes ~35-40 seconds for a phone to get to the lock screen. Out of
curiosity I tested several more handsets with similar results. I can only
explain that difference by the phone not being completely powered off when the
battery is inserted unless it does not have any juice at all.

~~~
mixmastamyk
I had assumed phone hardware generally won't power on until the battery has
charged to 5% or so, ostensibly to prevent power drops. Not sure which idea is
more accurate without a mobile electronics engineer chiming in.

~~~
ComputerGuru
That is correct. The phone waits until it has enough power to ensure it won't
die during startup because a lot of modern phones (and ultralight laptops)
require tapping into battery reserves because the direct pathway from the wall
wart to the device was not designed to provide sufficient power to operate at
full speed/capacity for more than a brief turbo boost and startup requires
more than that.

~~~
notyourday
Battery charges "enough" to that point in less than a minute? I find it hard
to believe. 4-5 minutes? Absolutely. 50 seconds?

~~~
mixmastamyk
I suppose the timing depends on if you have one of the anemic iPhone ones or a
full 2.4+ amp USB charger. Given that charging status is unreliable at low
charges and charge tends to "come back" a bit when not actively drawn.

My current phone has an old battery and can go directly from 40% to 70% charge
in one refresh cycle (10-30 secs?) after plugging in to my ikea charger.

------
throwaway_drt2
I used to work for DRT, they make the "dirtbox" mentioned in the article. I
would really encourage journalists to dig more into this company and their
products.

~~~
thimkerbell
Can these do MITM attacks that inject content into what you are reading?

~~~
ComputerGuru
Not when accessing https resources but the safe answer is yes otherwise.
Unless your phone is infected, of course. Baseband isn't as confined as you
think.

------
rhplus
Reports of stingray flight patterns go back to at least 2015:

[https://komonews.com/archive/fbi-behind-mysterious-spy-aircr...](https://komonews.com/archive/fbi-behind-mysterious-spy-aircraft-over-seattle-other-us-cities)

[https://bgr.com/2015/06/03/fbi-dirtbox-stingray-spy-plane-pr...](https://bgr.com/2015/06/03/fbi-dirtbox-stingray-spy-plane-program/)

------
seniorsassycat
> stingrays can force phones to downgrade to 2G, a less secure protocol, and
> tell the phone to use either no encryption or use a weak encryption that can
> be cracked.

Can android, iOS, or an open phone os prevent 2g communication?

~~~
shakna
It happens within the OS for the baseband processor, not within the OS of the
actual phone. Unsurprisingly, the details of how the baseband processor works
are a highly guarded secret, and trying to reverse engineer anything around it
will end up with a hefty lawsuit thrown at you.

~~~
jacquesm
> trying to reverse engineer anything around it will end up with a hefty
> lawsuit thrown at you.

Is there an example of that? I can't imagine how reverse engineering anything
would get a hefty lawsuit thrown at you. Maybe if you were to publish the
results with your name under it, but just the act of reverse engineering?

------
arsome
Do they even need to bother with a Stingray, can't they basically just pull up
whatever provider's law enforcement portal and click a few buttons?

~~~
xkcd-sucks
Anecdotally from listening to police scanners, whenever there's an areawide
BOLO notice or anything exciting involving a known party, they always say
where the last "cellphone ping" was. E.g. "Look out for a Black male driving a
white Nissan, last cell ping was on the north side of Lowell 15 minutes ago."
Not sure if a warrant is required, but it happens pretty quickly

~~~
blantonl
That data is typically from the cell phone network provider themselves, not
stingray and dirtboxes. It's part of the Enhanced 911 system in the United
States.

------
Negitivefrags
Random story: I once saw one of the vans for the local ISP driving around
with a box labeled "Stingray" and got all excited.

Picture here: [https://imgur.com/a/P1nPSD2](https://imgur.com/a/P1nPSD2)

Turns out that "Stingray" is also the name of a system for air-blown optic
fiber installation.

Personally I would have avoided the reuse of that particular name for anything
in telecommunications because it has somewhat dark connotations already!

------
floatingatoll
Wi-Fi Calling while in Airplane mode would not be subject to Stingray
interception, and would protect IMEI data from airborne bulk capture.

Authorities can still set up open SSIDs to capture limited information about
phones, but the "fly an airplane over" capture model doesn't work well with
Wi-Fi.

~~~
falcolas
You may be underestimating people's lack of care about what open access point
people connect to. The traffic itself may be encrypted, but DNS queries, phone
hardware addresses, and background traffic might not be.

~~~
floatingatoll
I’m not trying to offer a comprehensive solution for avoiding government
monitoring. I’m just offering a solution for avoiding cellular Stingrays while
retaining cellular service.

For a more comprehensive solution, you would need to _at minimum_ not carry
any electronic devices (signal detection), wear a mask and IR-blocking glasses
(face detection), and wear shoe inserts (gait detection) — and even then, they
can still seize you and overcome those obstacles at will.

~~~
falcolas
The context of this article is "Cops tracking your phone", of which the parent
comment _does not prevent_ in any meaningful fashion. The rest of the remedies
presented here are also mostly unrelated to phone tracking.

~~~
floatingatoll
Your summary of the context is broader than that of the article. The context
of the article is "cops interacting with your cellular radio" in order to
capture IMSIs and perform other interactions, using Stingrays and Dirtboxes.

Not carrying devices with radios is sufficient to prevent you from being
tracked by them. I concede that if you carry a radio-less device and hardwire
it to a network, then as in Battlestar Galactica, you have now removed some of
the safety that the absence of a radio provided.

------
throwaway0a5e
Anyone who cared (for either personal or professional reasons) has been
leaving their phone at home for probably close to a decade now.

~~~
01100011
Absence of normal phone activity which correlates with prohibited activities
can also arouse suspicion. If I wanted to prevent the spooks from thinking I
was away from my phone, I'd probably use some sort of robot to move the phone
around and randomly unlock it using a fake fingerprint. If you do that, your
phone actually turns into an alibi, placing you somewhere other than where you
actually are.

------
kmfrk
Title is "How Cops Can Secretly Track Your Phone" on my end. Assuming that was
the original one, some comments here seem to suggest they only read the custom
title without checking out the actual article.

------
ChuckMcM
FWIW you can do much the same thing with your own SDR setup. One of the more
surprising things for me was that the feature that a phone work
"internationally" means that a nominally "4G" phones will still answer a GSM
tower (talking on a GSM frequency) when the tower says hello. Some phones will
let you turn that off.

But that said, most smartphones will tell you their WiFi MAC address if you
tell them you are an access point. It is more difficult to track a MAC address
back to its owner, but it is easy to see if it shows up again near you. My
Cisco access point did a variant on this when MAC address filtering was on, it
would send you reports of "unknown" MAC addresses which you could log and then
later associate with people visiting the office.

Bottom line though seems to be to treat protests like DefCon events if you
don't want to leak PII. Get a burner phone for such trips.

------
t0mmyb0y
Almost no agencies upgraded to 4G, way too expensive, about $500k. If on
android you can enter a code on device to force ONLY 4G to be used by the
device.

------
sandstrom
Anyone know of any progress in 6G, that would improve privacy in this area?
For example randomized (or truly encrypted) IMEI numbers?

Also, I found this SIM card which seems to be doing IMEI randomization:

[https://omertadigital.com/blogs/news/encrypted-sim-cards-wha...](https://omertadigital.com/blogs/news/encrypted-sim-cards-what-are-they-what-do-they-do)

~~~
hosteur
There are no incentives to improve end user privacy with those who specify
telco standards.

------
jeffbee
TL;DR it's a radio in your pocket that constantly announces its identity. I'm
quite interested in the fact that people don't realize this. Is it a
generational split between people who can remember when we did not all have
radios in our pockets and those who can't, or ??? The fact that an always-on
radio you carry everywhere can be used to track you seems like the #1 most
obvious thing about the technology.

~~~
jjulius
You can't expect end users with little-to-no technical know-how to have the
same common knowledge that you do.

~~~
jeffbee
Well, why not? How can we improve general technological literacy? I don't want
people to memorize the protocols, but I do want them to have the foundation of
knowledge that would allow them to conclude that if the phone company can
connect calls to your mobile handset, then they can also figure out roughly
where it is. I'd also like for people to have the basic knowledge required to
understand that GPS does not track you. It's the other way around. I'd like
everyone to understand that mass and energy are conserved, the Earth orbits
the Sun, etc.

~~~
spanhandler
Every professional, expert, specialist, or technician feels this way about the
stuff they know. "Why don't people know [basic thing about their work]? What a
bunch of uneducated morons." The answer is because if they knew all the basic
stuff about all those fields to be what those experts judge to be informed
consumers, and took the time to apply that knowledge, they wouldn't have any
time left to 1) actually buy products and services, or 2) learn what they need
to know about their own field. Also because being an uninformed consumer works
out more-or-less OK much of the time, largely because regulation prevents the
worst sorts of abuses.

In the specific case of tracking/spying I'd imagine lots of people (not most,
but many) _have_ considered the possibility, then dismissed it without looking
into it any further because it seems like something that would _obviously
already be illegal_ , and assuming things that seem like they ought to already
be illegal _are_ already illegal often gets one to the correct conclusion—just
not this time. Those sorts probably assume that if a law enforcement agency
gets a warrant or something _then_ they might start tracking locations using
cell phones, but not that _the cell phone company is already doing that 100%
of the time to everyone_ , since, again, it _really_ seems like something
that'd be illegal. I think a lot of the "information economy" falls in this
blind spot—that credit card companies would be selling your purchase history
or google/your-ISP would be recording every single website you visit _also_
seem, intuitively, like things that'd be very illegal, for example.

~~~
jeffbee
I guess we will disagree on what is or should be obviously illegal. What your
phone does is the functional equivalent of you walking down the street
shouting your phone number. It does not strike me as obviously wrong for
people to hear it.

~~~
spanhandler
I just mean that it's the kind of thing many people who have some concept of
how cell phones work _might assume_ is illegal because tracking a bunch of
people and storing all that info, or broad, non-tightly-targeted-and-regulated
use of things like stingrays, and the various other things service providers
and law enforcement do to spy on people really do seem pretty similar to
stalking and warrantless search and various other activities that are illegal
(so, obviously that would be too, how could it not be, one might reason), and
so they might be surprised that a capability they know or suspect exists _in
the technology_ is used the way it is and to the extent that it is by both
private parties and law enforcement. Their not thinking about their cell phone
as a device that spies on them or is otherwise very untrustworthy might not be
because they don't know what the tech _might do_ but because they've assumed
exercising those capabilities would be illegal.

I suppose similar reasoning is how we arrive at our judgements on _most_
questions of legality, personally, when deciding how to behave and what to
worry about others doing day-to-day. Like, I definitely can't show you the
statute that says driving the wrong way on the highway is illegal, rather than
just a very bad idea, and I'm not sure I've even ever been told _specifically_
that that is illegal let alone done the research to make sure it's
illegal—but nonetheless, I'm pretty sure it is. So, I would guess some people
surprised that their cell phones spy on them in certain ways are more
surprised that they _are_ being used that way and not that they _could_ be
used that way.

[EDIT] to stretch the analogy further, if I were surprised to learn that some
delivery company had found a way to reduce delivery times by driving the wrong
way on the highway, the fact that vehicles _are technically capable of_
driving the wrong way on the highway wouldn't be the part that I found
surprising.

------
xkcd-sucks
Slightly off topic: Why don't cell networks get shut down more often during
large protests etc.?

It seems that police use cell phones for internal communications pretty
extensively -- Even when there are encrypted radio systems or channels.

My guess is that the UX of encrypted radio is generally terrible, and that it's
a nightmare to distribute keys to all the multiple agencies that might be
operating in an area. So departments configure encrypted radio for internal
use, but when there's large scale activity they need to fall back to cellphones
for guaranteed un-eavesdroppable comms.

~~~
triceratops
> Why don't cell networks get shut down more often during large protests etc.?

What problem are you trying to solve, exactly?

~~~
8note
The problem that people are allowed to disrupt society?

Not everyone values free speech and rights to association

~~~
triceratops
Protests are supposed to be disruptive. That's literally the point of them.
They're trying to bring about a change in the status quo.

If you're American, I wonder what your thoughts are about the Boston Tea
Party.

------
vanusa
So - what countermeasures do people recommend?

Is there anything one can carry around that acts like "phone" but is somehow
less trackable?

~~~
jijji
you could try to prevent the phone from attaching to the fake cell tower, and
only attach to a whitelisted cell tower... that method isn't that easy to do
with most phones

~~~
vanusa
Are there any phones that support tower whitelisting (or blacklisting)?

And if so, where would one get such lists?

------
onenuthin
Is there a way to go back and check your phone and see any evidence that it had
connected to a stingray or dirtbox? Or is it really untraceable from the user
end??
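The quoted article passage earlier in the thread describes the mechanism (a forced downgrade to 2G with no or weak encryption), and the question above asks whether a user could look back and see evidence of it. The following is an added example, not code from the thread, the article, or any named vendor: a defender-side heuristic run over a constructed log of serving-cell observations. The field names, the "known cells" baseline and the sample records are all assumptions; real baseband logs differ by vendor and are usually not exposed to the user, and a carefully built IMSI catcher can mimic a legitimate cell, so a hit here is a reason to investigate, not proof.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical serving-cell observation as a phone might log it.
# Field names are assumed for this example; vendor logs differ.
@dataclass
class CellObservation:
    t: int          # seconds since start of capture
    rat: str        # radio access technology: "LTE", "UMTS" or "GSM"
    cell_id: str    # operator cell identity, here written MCC-MNC-LAC/TAC-CID
    cipher: str     # GSM cipher in use; "A5/0" is the null cipher, "n/a" for non-GSM
    rsrp_dbm: int   # received signal strength in dBm (higher is stronger)

# Ciphers that a downgrade attack would steer the phone onto:
# A5/0 is no encryption at all; A5/1 and A5/2 are publicly broken.
WEAK_GSM_CIPHERS: Set[str] = {"A5/0", "A5/1", "A5/2"}

# Constructed baseline of cells previously seen at this location.
KNOWN_CELLS: Set[str] = {
    "310-260-1234-5678",   # LTE cell
    "310-260-4321-0002",   # legitimate GSM cell at the coverage edge
}

# Constructed capture: strong LTE, then a sudden jump to an unknown,
# very strong GSM cell using the null cipher, then back to LTE.
SAMPLE: List[CellObservation] = [
    CellObservation(0,   "LTE", "310-260-1234-5678", "n/a",  -85),
    CellObservation(30,  "LTE", "310-260-1234-5678", "n/a",  -83),
    CellObservation(60,  "GSM", "310-260-9999-0001", "A5/0", -60),
    CellObservation(90,  "GSM", "310-260-9999-0001", "A5/0", -58),
    CellObservation(120, "LTE", "310-260-1234-5678", "n/a",  -84),
]

# Constructed capture of a benign fallback: LTE fades out, the phone
# moves to a known GSM cell with a modern cipher. Should produce no alerts.
LEGIT_HANDOVER: List[CellObservation] = [
    CellObservation(0,  "LTE", "310-260-1234-5678", "n/a",  -118),
    CellObservation(30, "GSM", "310-260-4321-0002", "A5/3", -95),
]

Alert = Tuple[int, str, str]   # (time, kind, detail)


def detect_downgrade(observations: List[CellObservation],
                     known_cells: Set[str],
                     strong_dbm: int = -100) -> List[Alert]:
    """Flag observations consistent with a forced 2G downgrade.

    Heuristics, in the order they are checked per observation:
      downgrade    - moved from LTE/UMTS to GSM while the previous cell was
                     still strong (a coverage-driven fallback normally follows
                     a weak signal, not a strong one)
      weak_cipher  - GSM cell negotiated a null or broken cipher
      unknown_cell - cell identity not in the baseline (reported once per cell)
    """
    alerts: List[Alert] = []
    reported_unknown: Set[str] = set()
    prev: CellObservation = None
    for obs in observations:
        if (prev is not None and prev.rat != "GSM" and obs.rat == "GSM"
                and prev.rsrp_dbm >= strong_dbm):
            alerts.append((obs.t, "downgrade",
                           f"{prev.rat} -> GSM while {prev.rat} was {prev.rsrp_dbm} dBm"))
        if obs.rat == "GSM" and obs.cipher in WEAK_GSM_CIPHERS:
            alerts.append((obs.t, "weak_cipher",
                           f"GSM cell {obs.cell_id} using {obs.cipher}"))
        if obs.cell_id not in known_cells and obs.cell_id not in reported_unknown:
            reported_unknown.add(obs.cell_id)
            alerts.append((obs.t, "unknown_cell",
                           f"cell {obs.cell_id} not in baseline"))
        prev = obs
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by kind, useful for a quick glance at a long capture."""
    counts: Dict[str, int] = {}
    for _, kind, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for t, kind, detail in detect_downgrade(SAMPLE, KNOWN_CELLS):
        print(f"t={t:4d}s  {kind:<13}{detail}")
    print("benign capture alerts:", detect_downgrade(LEGIT_HANDOVER, KNOWN_CELLS))
```

The strong-signal condition on the downgrade check is what separates the suspicious case from an ordinary handover: a phone at the edge of LTE coverage will legitimately drop to GSM, but it does so after the LTE signal has already faded, whereas the constructed attack record shows a jump from a healthy LTE cell to a new GSM cell that is louder than anything else around.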

------
owlster
I've heard faraday cages can prevent transmission and reception of
electromagnetic waves.

------
room505
Can a Stingray be used to eavesdrop on someone using an app like Signal for a
voice call or message?

~~~
8note
If you're running e2e encryption, it won't be able to.

I imagine that's why the various governments want to ban Huawei -- with Huawei
in the base infrastructure, more communications will use E2E encryption and
the government mitm attacks will stop working

------
jancsika
Protests should shift to "choose-your-own-adventure" style where a blockchain
decides which branch to take. Just have a small selection of, say, 4 styles to
choose from, where the most extreme includes potential branches with Gandhi-
level long-term economic disruption.

That way the stingray offers no advantage over the protesters; law enforcement
and protesters get the next chapter at exactly the same time, and no single
protestor or group of protestors may be targeted to disrupt the decision-
making process.

That pushes law enforcement either back to pre-protest prevention measures
(which won't work for a spontaneous protest like BLM), or to disrupt internet
connectivity altogether (which, for the Gandhi-level protest has its own
economic implications).

