
FBI Smartphone Surveillance Tool Details Revealed in Court - choult
http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard
======
trotsky
It seems like it would be faster to make a list of things verizon won't accept
an administrative subpoena for in lieu of a warrant as opposed to the other
way around.

On an unrelated note, if you have verizon FIOS they can push a new firmware
package to your router and reboot it easily, without you ever knowing. And
they log in every day and confirm the hash of the firmware you're running - if
it's not on the approved list (which is generally just the current one they
have you set for) it automatically reflashes. A properly written firmware
could monitor not just all traffic that was internet bound, but also
everything on the local lan and wireless net.

At least in the router I have, there are a significant number of dark radios on
the board. There's a second (unused) 802.11n radio that in other editions is
used as a second n stream but easily could be used to do full site surveys or
packet capture or as an evil twin, a DECT (cordless phone) compatible phy that
could impersonate a cordless basestation and if I read the spec sheet right a
bluetooth and powerline phy.

The verizon STB for their converged QAM/IPTV also downloads a portion of their
firmware from the management servers and verifies hashes and operational state
TCG style - if they aren't connected to the network they will never actually
finish booting.

Details are limited about what the CISCO built STB contains on the inside, but
it at least has a light sensor (ir remote) and a vibration / accelerometer
(for sudden drop hd head park) that they have been touting as a feature that
allows them to measure ad exposure based on floor vibrations that suggest you
walked away during a commercial.

They've also been recently touting a 99% effectiveness rate at uniquely
identifying the viewer in multi person households based on statistical
modeling of the order and speed buttons are pressed on the remote, though I'm
unsure if that's with the current cisco gear or the new motorola (google) gear
that they are just rolling out.

~~~
cliffy
You can replace their router with one of your own. On my ONT there are two
ways of connecting to the Verizon service:

1) Ethernet. If you connect this way then running your own router is trivial,
but by using Ethernet you lose some services related to TV.

2) Coax. This is a bit more complicated. You'll still have to power the
Verizon router, but everything behind, and including, your router still will
be under your control. You need a Coax to Ethernet adapter like this one:

<http://www.netgear.com/service-provider/products/powerline-and-coax/moca/MCAB1001.aspx>

I don't remember all the specific steps I had to take to enable this offhand.
I need to go back and write a howto. In any case, The final setup will look
like this:

    Verizon ONT --[Coax]--> Moca Adapter --[Ethernet]--> Your router.
                            Moca Adapter --[Coax]--> Verizon router.

One important point is that you must release your DHCP IP on the Verizon
router before your router can obtain one.

I think you can dispense with the Coax connection to the Verizon router if you
don't care about TV capabilities, but if you don't you might as well switch
the ONT to use Ethernet instead and avoid this mess.

My main motivation for doing this was that the wireless capabilities of the
Verizon-supplied router were terrible, but it has the added bonus of keeping
Verizon's prying eyes out of my home network.

~~~
trotsky
Yeah, I've taken a similar approach - my comments were more just to raise
awareness about how much verizon is theoretically able to do in light of what
a low bar they have for doing them for LEO.

You can get it set up so all your iptv services work with the ONT using the
ethernet port BTW - that is the default install configuration these days for
people on the faster service tiers as moca caps somewhere north of 100mb. In
that setup the actiontec is connected both via coax and ethernet to the ont,
and it serves as an ethernet <-> moca bridge internally to support the ip
features of the stbs.

Running the STB's without any moca is basically unusable, no epg, no dvr, no
vod etc. And it's worth noting that even though my actiontec is physically
separated from my home net through a tweaky setup, they could still
theoretically do full stream wireless packet capturing of whatever the radio
could hear, or become an active node on your other 802.11 network. Brute
forcing a WPA2 secret is a common enough practice that they have purpose built
luggable SFF pc's with 4 tesla cards inside for field work.

You can actually remove 100% of the verizon CPE and still get good tv if you're
willing to pay for it. Once I found out all the stuff the STB's are doing I'm
in the process of replacing them with a tivo with a cable card and a tivo mini
(basically a slave). Even slightly cheaper per month than the multiroom dvr,
though the upfront is $$$

~~~
JagMicker
Could you give an example of the WPA intercept system you speak of (SFF /
Tesla)?

There are some interesting things on the Harris site, but seemingly no open
source info on such systems they may have.

~~~
trotsky
I think I was abusing terms when I said SFF, I guess I was thinking more like
"in comparison to" an HPC rack.

Similar to the intermediate CA black box providers they seem to have much
larger presences at trade shows than on the web, but this is pretty close to
what I'm talking about:

<https://www.nor-tech.com/clusters/cs-darpa.htm>

but this is a little closer to the look:
<http://www.captec-group.com/wp-content/uploads/captec_dsei_2011_blog_61.gif>

But the one I was thinking of was more along the line of a comically oversized
air travel case for a projector or so.

------
ck2
I guess if they have a specific warrant with oversight for using it, I don't
have a problem with this.

Now if the agent with the hardware can decide to use it on their girlfriend or
brother-in-law or something like that without anyone else knowing, well we've
got a big problem.

And apparently, we've got a big problem:

 _Rigmaiden and the American Civil Liberties Union and Electronic Frontier
Foundation have argued that the government did not obtain a legitimate warrant
to conduct the intrusive surveillance through the stingray. They say it’s
indicative of how the government has used stingrays in other cases without
proper disclosure to judges about how they work, and have asked the court to
suppress evidence gathered through the use of the device._

------
DannyBee
Oversight?

Y'all know the FBI has no direct oversight from Congress, right?

That the oversight happens (theoretically) through the promulgation and
enforcement of guidelines from the attorney general?

There are public ones: <http://www.justice.gov/ag/readingroom/guidelines.pdf>

and there are also secret ones that are not published.

Occasionally the FBI goes to congress out of the goodness of their heart and
gives them an update, to avoid congress getting uppity.

The last 3-4 times this has happened, it's usually been to say "whoops, we've
been completely and totally violating our internal guidelines"

~~~
RexRollman
When it comes to protecting the people they represent from unconstitutional
monitoring, Congress has failed epically. I suspect that it is because the
people and groups who care about this subject don't line their pockets.

------
cheez
Well, as long as they have a warrant. Oh...

"The government has long asserted that it doesn’t need to obtain a probable-
cause warrant to use the devices because they don’t collect the content of
phone calls and text messages and operate like pen-registers and trap-and-
traces, collecting the equivalent of header information."

Fuck you.

~~~
bediger4000
Indeed.

Personally, I've always wondered how pen-registers could be legally used
without the permission of the registered. It just _seems like_ snooping. Yes,
I realize Courts Have Decided, and The Legal Issues Are All Tidily Wrapped Up,
but really, how un-American is a pen-register?

On a related note, do US federal law enforcement agencies suffer a significant
personnel turnover because people finally have pangs of conscience over what
they're required to do?

~~~
kefka
With a 99% conviction rate in federal court....

"They only find the bad people. What's there to be ashamed of that?"

------
belorn
> _the wireless provider reached out remotely to reprogram an air card_

It's almost like people don't own their own bought property after sale. The
person who thought he owned the device after buying it basically got fooled -
it was only rented for an unlimited time.

Going from there to warrant-less tracking is easy. If Verizon permits the
reprogramming and tracking of "their" device, then it's legally allowed. They
might need to add something to the 35-page EULA, in case some states dislike
warrant-less tracking of the person using the device, but it can be phrased as
"improving the experience".

~~~
nateabele
I had one of these a number of years ago, and it wouldn't surprise me if
something like this was in Verizon's terms of service (I remember giving the
device back after canceling the contract).

However, going from there to accepting the hardware as a personal surveillance
device is something else entirely.

------
svag
All the pages:
<http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/all/>

------
joshuahedlund
There are certainly grave concerns about oversight, abuse, privacy, etc, here.
However, I find it interesting that the FBI had to have the card reprogrammed
to conduct their surveillance. Similar to Google and others revealing
government requests for data, these incidents imply that the government at
least doesn't quite have complete unfettered access to all of our online
communications, as I often hear some claiming (NSA super data center!!). Not
that it's still not prudent to assume otherwise and work towards greater
privacy and all that. But sometimes I find it a useful perspective to keep in
mind even as we seem to slide further toward such a state.

~~~
lawnchair_larry
The NSA has nothing to do with the FBI.

~~~
16s
NSA is development, FBI is production ;)

~~~
betterunix
I doubt that. The NSA is extremely secretive even within the government, and
in general the different members of the intelligence community (which
disturbingly includes the FBI and the DEA) are barely able to cooperate.

~~~
16s
I was joking.

~~~
betterunix
It's hard to tell online!

~~~
16s
Agreed. I added a smiley face to the end... maybe that will help others see
the humor.

------
UnoriginalGuy
That was actually one of the most interesting articles I've read today. I'm
fairly familiar with the technology discussed but the specifics of how far it
has come in practical use is quite interesting.

Relevant: <https://www.youtube.com/watch?v=wjYAAmHvt-g>

------
runjake
An aside, tower information is/was available via the Android frameworks.

When I was on Android, I wrote a little widget that displayed the tower ID and
other information of the tower I was currently connected to.

In short order, I had the few tower IDs that I used as I roamed around the
metro memorized.

After reading the article, which was great and had many details, I think this
would be a viable strategy for activists worried about governmental abuse,
harassment, and surveillance. Spoofing tower IDs would probably present some
operational issues amongst customers. Of course, I wouldn't rely on this if my
life or freedom depended on it -- and I'd certainly use a community-based ROM,
such as Cyanogenmod.

<http://developer.android.com/reference/android/telephony/cdma/package-summary.html>

<http://developer.android.com/reference/android/telephony/cdma/CdmaCellLocation.html>

<http://developer.android.com/reference/android/telephony/gsm/package-summary.html>
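
As an added illustration of the idea runjake describes above (keep a list of the towers you normally attach to, and treat anything else as suspicious), here is a Python sketch that is not from the post and does not use the Android telephony API. It assumes readings of (LAC, cell ID, signal strength) have already been logged by something like the widget described; all tower identifiers and the two heuristics (unknown pair, known ID under a different LAC) are constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One reading of the serving cell, as a widget polling the telephony API might log it."""
    ts: int        # seconds since the start of the log
    lac: int       # location area code the network reported
    cell_id: int   # cell (tower) ID the network reported
    rssi_dbm: int  # received signal strength


# Constructed baseline: a few days of readings from the handful of towers a commuter
# normally sees. Every LAC/cell ID here is invented, not a real tower identifier.
BASELINE_LOG = [
    Observation(ts=i * 600, lac=lac, cell_id=cid, rssi_dbm=rssi)
    for i, (lac, cid, rssi) in enumerate([
        (0x0101, 0x1A2B, -72), (0x0101, 0x1A2B, -70), (0x0101, 0x1A2B, -75),  # home
        (0x0101, 0x1A2C, -81), (0x0101, 0x1A2C, -79), (0x0101, 0x1A2C, -84),  # commute
        (0x0102, 0x3C4D, -66), (0x0102, 0x3C4D, -68), (0x0102, 0x3C4D, -67),  # office
        (0x0102, 0x3C4E, -90),                                                # seen once
    ])
]

# Constructed later readings: one familiar cell, one never-seen cell at an unusually
# strong signal, and a familiar cell ID reported under an unfamiliar LAC.
SUSPECT_LOG = [
    Observation(ts=90000, lac=0x0101, cell_id=0x1A2B, rssi_dbm=-73),
    Observation(ts=90600, lac=0x0101, cell_id=0x7F01, rssi_dbm=-51),
    Observation(ts=91200, lac=0x0199, cell_id=0x3C4D, rssi_dbm=-60),
]


class TowerBaseline:
    """Learns the (LAC, cell ID) pairs a phone normally attaches to, then flags deviations."""

    def __init__(self, min_sightings: int = 3):
        # A pair must be seen this many times before it counts as "known"; this keeps
        # a single drive past an unfamiliar tower from polluting the baseline.
        self.min_sightings = min_sightings
        self.sightings: Counter = Counter()
        self.known: set[tuple[int, int]] = set()

    def learn(self, log: list[Observation]) -> set[tuple[int, int]]:
        for obs in log:
            self.sightings[(obs.lac, obs.cell_id)] += 1
        self.known = {pair for pair, n in self.sightings.items() if n >= self.min_sightings}
        return self.known

    def check(self, log: list[Observation]) -> list[tuple[int, str]]:
        """Return (timestamp, reason) alerts for readings that do not match the baseline."""
        known_cell_ids = {cell_id for _, cell_id in self.known}
        alerts = []
        for obs in log:
            if (obs.lac, obs.cell_id) in self.known:
                continue
            if obs.cell_id in known_cell_ids:
                # Same cell ID as a known tower, but under a different LAC: an ID being reused.
                reason = (f"known cell ID {obs.cell_id:#06x} reported under unfamiliar "
                          f"LAC {obs.lac:#06x}")
            else:
                reason = (f"unknown cell {obs.lac:#06x}/{obs.cell_id:#06x} "
                          f"at {obs.rssi_dbm} dBm")
            alerts.append((obs.ts, reason))
        return alerts


def run_example() -> list[tuple[int, str]]:
    """Learn from the constructed baseline, then audit the constructed later readings."""
    baseline = TowerBaseline()
    baseline.learn(BASELINE_LOG)
    return baseline.check(SUSPECT_LOG)


if __name__ == "__main__":
    for ts, reason in run_example():
        print(f"t={ts}: {reason}")
```

The `min_sightings` threshold is the part worth tuning: too low and every tower passed once on a road trip becomes "known"; too high and a legitimately new tower near home generates alerts for days. As the post itself notes, this is a heuristic for raising suspicion, not something to stake one's freedom on.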

------
16s
Cellphones are tracking devices. Plain and simple. The fact that the
trackees/victims are paying 70 to 100 bucks each month to build and support
the tracking infrastructure is the amazing part.

~~~
sukuriant
Ever tried working in BigCo since they've been a part of the world for any
extended period of time?

I only know one person that successfully lived without a cell phone in the
modern world for a while.

~~~
Pwnguinz
I live in the South Bay. I do not have a cell phone. I'm a full stack engineer
at a startup that's raised series A--not some grumpy "Get off of my lawn!"
grandpa.

What urgency is there to need a cellphone for, in most routine days? Sure, it
would suck if something horrible happened to a member of my family and I
couldn't be contacted until I got home, oh maybe 4 hours later. Short of some
such edge case scenarios, "it can wait".

~~~
lurkinggrue
My car broke down earlier today and I had to call AAA. Glad I didn't have to
get out of my car to contact somebody.

This would have been a routine day if I hadn't broken down.

Bet you don't own a TV either.

~~~
16s
Carry a 2M HT and hit the local repeater when you break down. Give them your
position and they'll call a tow truck for you.

~~~
lurkinggrue
This is why I come here, for the practical solutions to problems.

------
futhey
Even in an active DF system you don't need to flash the phone's programming
(not exactly firmware, more like settings, the short list of instructions the
phone regularly receives from cellular networks that `hack` it to work within
its operating environment).

