
How a Hacker Proved Cops Used a Stingray to Find Him - mhb
https://www.politico.com/magazine/story/2018/06/03/cyrus-farivar-book-excerpt-stingray-218588
======
Matt3o12_
Something doesn’t seem to add up. First of all the story fails to mention that
those devices do not only track the target, they track and record all phones
in its range, which is a massive breach of privacy and the real issue with
those devices.

Furthermore, they allegedly already had his ip, so why bother with a stingray?
They could simply tell his cell carrier to provide them with all his location
data (as well as further dates).

It seems to me that they went fishing with their stingrays because they didn’t
in fact know his real IP address and only knew from a source or other mistakes
his approximate whereabouts.

It wouldn’t surprise me if they only had his VPN’s IP and were just looking
for everybody connecting to the VPN in the stingray range and this is how they
found him.

~~~
falsedan
> _Furthermore, they allegedly already had his ip, so why bother with a
> stingray? They could simply tell his cell carrier to provide them with all
> his location data_

Remember that getting subscriber data/metadata from ISPs requires a warrant,
and that a single tower location could cover a 6-12 sq. km. area (plenty of
space to hide in)

~~~
Matt3o12_
Can’t they use the towers to triangulate the exact position? So that area
should be rather small. Furthermore, if they already had the IP of the
offender, getting a search warrant should not be the problem at all. This
tells me there is more to this story.

~~~
falsedan
I think triangulation works best when devices do handoff between towers, as
they query each one to see which signal is strongest. For a stationary device
like a mobile broadband dongle, I'd expect it to never handoff.

Getting a search warrant is easy, but not getting one is even easier & leaves
no paper trail.

~~~
ThrowawaySR
My memories from flashing phones circa 2003-2004 may be a bit rusty (btw. back
then "flashing" meant something completely different than nowadays ROM
uploads, it was more akin to poking machine code memory locations in BASIC on
8-bits :) ), but if I recall correctly, the device periodically scans all the
BTSs it can see and sends that list with signal strengths to the network (and
the network decides which tower should the device connect to!). Something
tells me that the device even stayed connected to multiple strongest BTSs at
once, but that may be a false memory.

Of course, that was old GSM days, it may be something completely different
today in 3G/4G/LTE, but so is on the other hand the location hardware and
algorithms of carriers.

But no, no handoffs were needed to track you very precisely even back then.
There were ways around, but given the poor opsec in the case, it is doubtful
something like that was used here.

------
panarky
The salient bit:

_Police found him by tracking his Internet Protocol (IP) address online
first, and then taking it to Verizon Wireless, the Internet service provider
connected with the account. Verizon provided records that showed that the
AirCard associated with the IP address was transmitting through certain cell
towers in certain parts of Santa Clara. Likely by using a stingray, the police
found the exact block of apartments where Rigmaiden lived._

~~~
ggm
Lest anyone believe their positional privacy is at risk, even the Verizon
routing prefix could have homed the cops onto which provider to drill down
into.

The take-away here is that end-to-end protocols, by necessity as currently
written send the src IP in the packet. If we'd designed IP to send the src IP
as a payload, and had encrypted payload (TLS style) and then only had the
destination IP in the outer packet, things might be different.

I've asked this question over the years since the 1980s: Given that we
_thought_ source based routing was a thing, its understandable we designed for
simpler times with src IP in the packet but given its _not_ a thing now, and
privacy is, why do we still send the src IP in the packet? It doesn't _mean_
anything useful, to most agents. NAT/CGN devices don't actually care, they
want you to be consistent about which interface you arrive on, and the 5-tuple
has it, but other things could be used which have no end-to-end impact. Beyond
the NAT/CGN boundary, nobody cares, routing is solely on the destination and
the ASN of the transits. Once at the destination, the payload is available, to
find the originators address, to return things.

Src IP is not actually necessary in the IP layer (in theory).

~~~
xyzzyz
If the source IP is encrypted, the recipient needs to decrypt it first in
order to be able to send a response. To decrypt it, it needs to either have
some shared secret with the sender, or the sender needs to use the recipient's
private key.

The parties cannot obtain the shared secret the usual way, the Diffie-Hellman
exchange. It cannot be performed, because it requires back-and-forth
communication, which we are trying to establish in the first place. Of course,
we'd still need to use certificates signed by public authorities to deal with
the standard MitM concerns.

The alternative would be for the sender to use the recipient's public key to
encrypt the source IP address. That would require a DNS-like system that would
store and serve public keys corresponding to a given IP address you are trying
to communicate with. This is something doable, especially in IPv6 world where
you don't really have to reuse IPv6 addresses, but it leads to all kinds of
practical problems, figuring out which is probably best left as an exercise
for the reader.

~~~
eboyjr
Just a half-baked idea: If you don't want to make a new request for every
connection, and the recipient owns a huge block of IPv6 addresses, the
recipient can create an asynchronous key pair where the public key is used as
the IPv6 suffix. The United States Department of Defense owns /13. This
provides 115 bits of public key information. The sender can use the IPv6
address as the public key.

~~~
xyzzyz
115 bits of security is pretty good, for example 3DES, while not exactly a
great choice today, is still considered secure and acceptable for use today,
with its 112 bits of security. However, I know of no public key encryption
scheme that would give acceptable security with only 115 bits of public key.
With RSA, you need at least 1024 bits, and probably should rather use 2048.
Elliptic curve cryptography is considerably better here, but an ECC key of
length n still gives you only n/2 bits of security, which would be way too
little here.

~~~
grkvlt
2048 bits of RSA key is the same amount of security as 112 bits of symmetric
key, though.

~~~
xyzzyz
Yes, that’s my point — you need to use 2048 bits for the key to get 128 bits of
security, so there is no way to fit the public key in the IPv6 address.

~~~
grkvlt
Can't you do something with a key-stretching system [0] maybe, to turn 112
bits of IPv6 into 2048 bits of RSA input, though, since you definitely have
the right amount of entropy?

0.
[https://en.wikipedia.org/wiki/Key_stretching](https://en.wikipedia.org/wiki/Key_stretching)
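As an added illustration of the key-stretching question in this sub-thread (not code posted by anyone in the thread), the block below deterministically expands a short seed, standing in for the bits carried in an IPv6 address, into a long key and then shows what that buys: the derived key is only as hard to guess as the seed, because a deterministic derivation reaches at most 2^seed_bits distinct outputs. The derivation is an HMAC-SHA256 counter construction in the shape of HKDF-Expand; the seed sizes, the `info` label and the sample seed value are constructed for the demo, and the toy seed is deliberately tiny so the exhaustive search finishes instantly.

```python
"""Added illustration: stretching a short seed into a long key does not
raise the security above the seed's entropy. Seed sizes, labels and values
are constructed for this demo; the derivation is HKDF-Expand-shaped."""
import hashlib
import hmac
from typing import Optional


def stretch(seed: bytes, out_bits: int, info: bytes = b"addr-seed-to-key") -> int:
    """Expand `seed` into an integer of exactly out_bits bits.

    HMAC-SHA256 keyed with the seed, run over a 4-byte counter (HKDF-Expand
    style). Deterministic by design: the same seed always yields the same
    output, so the set of reachable outputs has at most 2**(8*len(seed))
    members however large out_bits is.
    """
    out = b""
    counter = 0
    while len(out) * 8 < out_bits:
        out += hmac.new(seed, info + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    # Drop the surplus low-order bits so the result is exactly out_bits long.
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def effective_security_bits(seed_bits: int, scheme_bits: int) -> int:
    """Security of a key derived from seed_bits of entropy is bounded by the
    smaller of the seed entropy and the scheme's own strength (roughly 112
    bits for RSA-2048), whatever the key's nominal length in bits."""
    return min(seed_bits, scheme_bits)


def recover_seed(stretched: int, seed_bits: int, out_bits: int) -> Optional[int]:
    """Find the seed that reproduces `stretched` by trying every seed value.

    The work is 2**seed_bits derivations regardless of how long the stretched
    output is, which is why stretching a 112-bit seed to 2048 bits leaves a
    112-bit search rather than a 2048-bit one. Only feasible here because the
    demo seed is tiny.
    """
    nbytes = (seed_bits + 7) // 8
    for candidate in range(1 << seed_bits):
        if stretch(candidate.to_bytes(nbytes, "big"), out_bits) == stretched:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed 12-bit seed so the exhaustive search is instantaneous.
    seed_bits, out_bits = 12, 2048
    seed_value = 0xABC
    key = stretch(seed_value.to_bytes(2, "big"), out_bits)
    print(f"{out_bits}-bit output derived from a {seed_bits}-bit seed")
    found = recover_seed(key, seed_bits, out_bits)
    print("seed recovered by exhaustive search:", hex(found) if found is not None else None)
    print("effective security of a 115-bit seed feeding RSA-2048:",
          effective_security_bits(115, 112), "bits")
```

The `effective_security_bits` helper makes the bound explicit for the numbers quoted in the thread: a seed of 115 address bits feeding a scheme rated at 112 bits is capped at 112, and a longer modulus does not move that cap upward.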

------
cantrevealname
The hacker was exposed because of poor OPSEC (due to tracking of his IP
address).

> _Rigmaiden had received boxes and boxes of criminal discovery that would
> help him understand how the government planned to prosecute its case. In the
> penultimate box, he saw the word “stingray” in a set of notes._

The authorities were exposed because of poor OPSEC as well. They weren't
supposed to ever mention “stingray”.

~~~
johnnymonster
The story didn't mention how they were able to get his IP address in the first
place. That level of detail is important for this community!

~~~
sulam
He was filing fake tax returns. That probably exposed his IP in logs on
government servers.

~~~
nindalf
What on earth? Isn't using a VPN the bare minimum when you're doing something
potentially illegal?

~~~
akvadrako
Maybe he did. Unless he's careful in picking his VPN provider they probably
have some level of cooperation with the FBI.

~~~
boomboomsubban
He didn't, but getting anonymous access to a VPN wasn't exactly the simplest
thing then. And if you think they would be unable to find the precise location
of the aircard, it's not really adding any protection.

------
w8rbt
Stingrays were being used as early as the 1990s by federal law enforcement.
They were used to help locate Kevin Mitnick in North Carolina.

Edit - I recall reading that years ago in Tsutomu Shimomura's book 'Takedown'
(published in 1996). Outside of this, I have no other reference. It's a good
read BTW.
[https://www.amazon.com/Takedown-Pursuit-Capture-Americas-Computer/dp/0786889136](https://www.amazon.com/Takedown-Pursuit-Capture-Americas-Computer/dp/0786889136)

~~~
c22
I seem to have gotten rid of my copy of _Takedown_, but Jonathan Littman
writes in _The Fugitive Game_, paraphrasing John Markoff:

"...Shimomura was sitting in the passenger seat of a Raleigh Sprint
technician's car, holding a cellular-frequency direction-finding antenna, and
watching a 'signal-strength meter display its reading on a laptop computer
screen.'"

This sounds, perhaps, functionally equivalent to a modern stingray, but I
suspect it was not operating as a cell-site simulator. The hardware/software
required at the time to "man in the middle" Mitnick's cellular calls would not
have fit comfortably with Shimomura in the passenger seat of a car and would
not have run smoothly on a mid-'90s-era laptop. Also, the bandwidth required
to forward the connections would have only been achievable over directional
microwave or landline which seems unsuitable for use in a moving vehicle.
However, this was the dawn of digital cellular networks. The calls would not
have been encrypted in any way at the time so tracking the source of specific
emissions using triangulation would have been fairly trivial, especially with
the assistance of a Sprint technician with access to the CDMA code Mitnick's
handset was using at any given time.

Actually, I just checked and it seems Sprint didn't launch its PCS network
until later that year[0] so it's possible the network in question was
analog(?), making simply "listening in" even easier, without having to
simulate anything.

[0] [http://articles.baltimoresun.com/1995-11-16/business/1995320051_1_cellular-sprint-pcs-network](http://articles.baltimoresun.com/1995-11-16/business/1995320051_1_cellular-sprint-pcs-network)

~~~
zxcmx
Actually, the software to do this kind of thing was actually what Mitnick was
after!

It would be laughably easy by today’s standards. Cloning AMPS phones (with
ESN/MIN from “trashing” and bootleg Motorola service software) was within the
reach of bored teenagers, but the elusive “vampire phone” required decoding
the control channel. This was “hard” at the time.

It could be done with the right service equipment or say, suitably hacked
firmware for something like an OKI 900...

No stingray required, you could indeed do everything passively. Very different
times. Today you could probably do it all by dragging a few blocks around in
gnu radio’s grc tool.

------
ColanR
This is a really old story. The article is new, but I don't see any new data.
It should be labelled (2013).

hn.algolia.com/?query=rigmaiden

~~~
acqq
Read the whole article, it has newer parts of the story, it doesn't stop in
2013:

"Several months later, in April 2015, the New York Civil Liberties Union (the
New York State chapter of the ACLU) managed to do what no one else could:
successfully sue to obtain an unredacted copy of the NDA that the FBI had law
enforcement agencies sign when they acquired stingrays"

------
johnnymonster
This guy wasn't really a hacker, just someone who knew a little bit about tech
and figured out a flawed system. I think that sums him up as a scammer instead
of a hacker.

~~~
yborg
This. He filed false tax returns with stolen identities, I fail to see any
activities one would associate with a technical hack. I also have a hard time
understanding why someone who is engaging in criminal acts has a reasonable
expectation to privacy related to the commission of said crimes.

~~~
sulam
You can't know that a priori, though. The cops should not get to say "I want
to track this cell phone, it's being used for a crime" without filing a
warrant. That is pretty much exactly what warrants are for in other contexts,
cell phones should not be treated differently.

------
decasia
It seems like a terrible security model to "trust whatever cell site is in
range." Are there any alternatives to this state of affairs?

For example, can your carrier supply you with a whitelist of their towers and
then ignore everything else? Or the legitimacy of each tower could be signed
cryptographically by the cell providers? Of course you have to trust the
security infrastructure of your cell provider, but that seems slightly better
than just trusting everything by default. (Disclaimer, I know nothing about
cellular infrastructure...)

~~~
programbreeding
There is an Android app called IMSI-Catcher Detector[0] that is supposed to
help you detect when you're connected to a stingray-type device. I ran it for
around a year and it never once picked up on anything. I'm not involved on the
project and can't personally say if it will catch anything or not, but it is
open source[1].

[0] [https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/](https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/)

[1] [https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/wiki](https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/wiki)

------
halfnibble
The police department in Reno, NV uses this in conjunction with thermal
sensors from a helicopter in northern Reno and Sun Valley. Mostly for drug
busts.

------
ernesth
> "The Hacker began breathing more heavily."

Obviously this is fiction. Romance or thriller?

------
rattray
Is there a physical device that can provide a VPN-only wifi connection, so that
a laptop or wifi-only iPad (say) which were to connect to it would not risk
ever exposing its IP?

~~~
nodelessness
You can configure your router to route all traffic through a VPN. It's a
standard setting in all routers.

~~~
gusmd
That is incorrect. Many, many routers in fact do not have a setting to route
your traffic through a VPN. My Linksys for instance does not. Famously, people
flash DD-WRT or Tomato on their routers to enable that.

------
ohashi
I haven't worked with this stuff in a couple years (subpoena'd cell records),
but given the date of this stuff, I didn't think cell phone towers could give
a precise location. My understanding of them was they each had three sectors,
so you could see in what general area they were in. With multiple towers, you
might be able to get a more accurate reading, but it makes it sound like
StingRay can actually see in real time their position.

~~~
JdeBP
A mobile telephone transmits an electromagnetic signal. Direction finding and
triangulation for such signals have been known practices since the 19th and
early 20th centuries. Remember that this base station impostor is mobile, and
that there can be more than one.

------
runciblespoon
Filing fake tax returns online and thinking an AirCard keeps him anonymous and
un-locatable hardly makes him a 'hacker' now does it.

------
dannyw
What happened to the charges for this guy? Was the original search via
stingrays ruled unconstitutional?

~~~
dublinben
> By late January 2014, Rigmaiden and federal prosecutors reached a plea deal:
> He’d plead guilty and prosecutors would recommend that he be given a sentence
> of time served. The agreement was signed on April 9, 2014.

Like many cases involving stingrays, the charges were essentially dropped once
challenged in court.

------
hsienmaneja
Back in the day, a beige box with a laptop was one way to avoid being traced. Of
course, this ran the risk of being physically identified if you operated the
laptop directly from the beige box location.

------
erentz
Jesus. I wanted to keep reading that article but half way through my phone was
hot enough it was burning my fingers and 20% of my battery had disappeared.
What on earth is Politico doing.

~~~
curiousgal
Firefox Focus is your friend.

~~~
Can_Not
I found focus to be woefully unfeatured compared to just using Firefox's
incognito. Last time I tried it, you couldn't install any extensions (privacy
badger, ublock origin, etc.) and also couldn't disable JS.

------
known
How can he call himself a hacker when he doesn't know how to hide his ip?

~~~
Sean1708
He never did, as far as I can tell; the FBI did, presumably because they
initially thought he was hacking and the name stuck.

------
ezoe
I value privacy, so I don't own or use a cellphone.

~~~
greggarious
> I value privacy, so I don't own or use a cellphone.

This is a little extreme, but I've started turning off my phone or putting it
in airplane mode when not expecting a call.

In addition to not being as distracted, I've had a marked decrease in spam
calls - I think they tend to mark phones that repeatedly send them straight to
VM as "cold".

~~~
pests
The phone being off or it being on airplane is no longer enough.

It is known that complete operating systems run on every chip in that phone,
which you have no knowledge of or access to.

To think a software security solution provided by an OS, a pretty high-level
abstraction when considering hardware, of the ability to turn off the radio is
insane in these days and ages.

Furthermore with permanent batteries (or with a backup battery hidden inside)
being off to the user doesn't mean anything either.

~~~
greggarious
I'd love to read a source that describes this in more detail.

Assuming such an exploit exists, I don't think I'd be targeted with it. It's
my understanding three letter agencies tend to hoard that sort of thing, not
blast them at random privacy aficionados.

~~~
bbrian
I remember reading an article years ago: FBI taps cell phone mic as
eavesdropping tool (2006).

> the eavesdropping technique "functioned whether the phone was powered on or
> off."

[https://www.cnet.com/news/fbi-taps-cell-phone-mic-as-eavesdropping-tool/](https://www.cnet.com/news/fbi-taps-cell-phone-mic-as-eavesdropping-tool/)

~~~
greggarious
Thanks, that seems to apply to older phones.

I would hope that the FBI would not override airplane mode on a smart phone...
what if they did so while a suspect was actually on a plane?

A warrant doesn't give police the right to endanger others IIRC...

~~~
taejo
> what if they did so while a suspect was actually on a plane?

Nothing would happen. Just like nothing happens to the thousands of people who
forget to switch their phones to airplane mode every day.

