Devices Which Track Cellphones, Intercept Calls Found All Over DC, MD, VA (nbcwashington.com)
266 points by walterbell on May 19, 2018 | hide | past | web | favorite | 107 comments

Related article, "Feds: There are hostile stingrays in DC, but we don’t know how to find them" [0], and discussion [1] from 45d ago.

[0]: https://arstechnica.com/tech-policy/2018/04/dhs-to-senator-m...

[1]: https://news.ycombinator.com/item?id=16748971

My guess would be that the situation isn't that they can't find the stingrays but that they can't distinguish between "hostile" and "friendly" stingrays. After all, each agency deploying such devices does so as secretly as possible, naturally not alerting other agencies, and so there's no list of friendly stingrays.

It's all very Kim Stanley Robinsonesque in his climate-change trilogy where there are so many US Shadow agencies that they are constantly getting in each other's way.

Or just your typical Russian, Chinese spy operations...

We'll pull ours back as soon as yours are gone from Moscow.

This response doesn't get enough appreciation.

Especially considering the POTUS uses a standard android phone.

I believe he switched to an iPhone. [1] I was at an analytics event this year where they were analyzing his tweets based on the originating platform. 1. https://www.google.com/amp/s/amp.businessinsider.com/donald-...

I'm more under the impression that there are several people who tweet using that account (you'll remember one of his lawyers claiming they did one time he really screwed up) using different platforms.

I can't find the link on mobile right now, but there was an article I read a while back (on HN, actually, I think) where someone did statistical analysis on the speech patterns of Trump's tweets and correlated those with times he was known to have been using his phone (or something like that) and deduced that there were two primary parties responsible for his Twitter account: Trump himself and a PR person/team. Any politically-minded (in the classical sense) or campaign tweet was almost always by the PR team, and every inflammatory, grammatically incorrect, etc. tweet was by him (presumably).

I was thinking of the same article, and found it, I think [1]? There was a higher-rated link also posted around the same time with the same post content [2]. I also found a follow up post [3] while looking for [1].

[1] http://varianceexplained.org/r/trump-tweets/

[2] https://www.r-bloggers.com/text-analysis-of-trumps-tweets-co...

[3] http://varianceexplained.org/r/trump-followup/

lmao at the obvious security risk involved here, surely leaking the location of the President to an external service will not end poorly

Probably, they don't want to find them.

Not knowing how to find them is a load of crap. You can certainly find them, it just takes expensive equipment and time.

If it were me, the antenna would be a few hundred feet away from the equipment.

And the antenna wouldn’t be anything like an antenna, just something that looks like a lawn-chair.

And I’d move it every day or two. And definitely not run it 24h!!!

Could still be found, but good luck.

Hmm, then you need a super-mega-amplifier tacked on to boost the signal over the cable (AFAIK, the frequencies used really like short antenna runs).

So that then means a super-thick faraday cage around the actual device, and probably somewhat noteworthy power consumption (a battery certainly wouldn't be enough).

Probably meant the transmitter (antenna + encoder/decoder) separated from the actual BTS hardware & operatives.

So after the counter-side finds your camouflaged BTS, it is only a disposable and relatively cheap part and doesn't lead to the whole operation being uncovered.

That probe part then would connect to Starbucks wi-fi and interact with BTS software somewhere far from the physical location, so you can't quickly trace the channel between probe and spy team.

Doh. I see, of course.

Yeah, I'd gotten it in my head the BTS (TXCO) and the probe equipment needed to be super close together...

Or just asking the cell tower providers for a list of genuine hardware, and then cross-checking that against triangulated antennas.

This is old news to anyone living here and paying attention. I've been tracking suspicious cell sites for the past three years in my DC metro neighborhood with an old Android phone and some prosumer software.

Some of the sites are mobile, but most of the ones I found were stationary, and could be easily identified once you know what to look for. I'm pretty sure some of them are seriously degrading cell data/voice quality.

I stopped once I realized there was nothing you could do once you found them. There are only a couple of options for who is deploying them, none of which I want to screw with.

You should report their approximate location to the FCC.

Honestly, I don't want to be on the radar of any entity that is deploying this type of gear in the DC metro area.

I am under no illusion that I can protect myself if targeted by a state based actor. Better to be lost in the crowd.

Best case scenario is it's a legitimate LEO operation.

Worse, it's a federal national security operation.

Worse still, it's a criminal, or foreign national security operation.

Only in the first scenario would the FCC even remotely have the chance to do anything. Even then it might be a legitimate operation, and they do nothing.

I’m interested in attempting something similar in Europe. Do you have some links/pointers?


There was a defcon talk a couple of years ago that covers some of the basics: https://www.youtube.com/watch?v=bbDAa0syz5A

so they could continue to do nothing?

It was the responsibility of the FCC to have never allowed these devices to be manufactured, but as is typical they fell for the police exemption excuse. Now they'll be abused more and more.

The protocol should have required enough authentication to make it impossible to manufacture these devices without also having a blessed, revocable key from the carrier you're snooping on.

The FCC could have easily had their police exemption without also providing access to your average HAM, any reasonably competent hobbyist, and the security services of every other nation on the planet.

Security on cellular networks is even more of a joke than on consumer-grade wifi... it's basically a pinky promise not to look at stuff you're not supposed to look at. No fucking wonder there's a mountain of stingray clones in DC. Are they planning to fix this on 5g networks? Because there's no reason to be so concerned over backdoors in Chinese cellular modems as long as we're happily letting them in through the front door.

Aren’t Stingrays basically fixed with LTE?

If your phone connects to a Stingray device, it will force it back to older protocols afaik.

Does that mean network quality will significantly go down if we shut down the stingrays? I mean when you have 5 nation states deploying a network of stingrays in DC, all trying to compete on being the relay nodes, that does add quite a lot of bandwidth.

Stingrays don't add bandwidth in normal operation, as they act as a repeater. Most will have the bandwidth halving effect incurred by single transceiver mesh nodes or relay stations: http://www.strixsystems.com/products/datasheets/strixwhitepa...

Even repeater is not really accurate. Like you say, in normal operation these systems are not working in collaboration with a wireless provider for the data passthrough/handoff. In my experience running these, it's more like the user briefly connects with a service with no connectivity and IMSI/IMEI connection logging only.

So in practice it would look like briefly, usually imperceptibly, losing cell service.

you can manufacture one in your bedroom with an sdr and an rpi:


Control of 'manufacturing' was never going to happen. They would literally have to prohibit the sale of high-speed DACs and ADCs to civilians. If you think the War on Drugs was an expensive boondoggle, try keeping LTC2216s out of my hands. :-P

However, it is the responsibility of the FCC to not throw up their hands and say "Duh, we don't know how to find 'em." They have one job -- regulating the use of the RF spectrum -- and that's it.

Or have private-key encoding. That’s the case for HDMI: No-one can manufacture devices that aren’t approved.

Of course the funny part is, it's designed so pirates can only send HDMI output to approved screens (=not recording devices), but for backwards compatibility, they had to allow HDMI-to-SVGA adapters with decoding, so the breach is wide open. But you get the intent: HDMI was supposed to be a fully-encrypted standard with only preapproved devices.

Until the key was extracted in 2010: https://arstechnica.com/civis/viewtopic.php?t=1122247

The encryption is a legal issue, not a technical one. Of course it can be circumvented like all forms of DRM.

The point is that by going around the drm, even if it’s by doing something trivial, you are committing a crime.

> HDMI was supposed to be a fully-encrypted standard with only preapproved devices.

Interesting. Where can I read more about this intent, and how it was compromised?

Thanks. I found that before I asked the question. It doesn't indicate the intent of HDMI, or that HDCP compliance is mandated for HDMI devices.

Android app: https://opensource.srlabs.de/projects/snoopsnitch/wiki/FAQ#W...

> SnoopSnitch offers tests to assess whether a device is exposed to attacks or surveillance from the mobile network. Here, the primary goal is to help mobile users detect network originated attacks, such as via SS7, SMS, or ISMI catchers. Our secondary goal is to provide a fact-based incentive to Mobile Network Operators to better improve the security of their networks.

GSM ratings: https://gsmmap.org/#!/about

> GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.

Bah, looks like SnoopSnitch requires root access (and a Qualcomm chipset in the phone) for most/all of the interesting mobile network tests, which is a shame.

Or just buy a cheap second-hand Android phone - has mostly advantages.

Yeah, great. Get a phone that secretly sends your text messages to a collection point in China.

Doesn't matter if it's a $50 burner phone to detect snooping.

True. Would you need to pay for a cellular plan, or would it work without?

Even if you do that's what pay as you go SIMs are for.

Heh. You know what I found most hilarious about this article? I went to it with my iPhone in safari and got asked to share my location. Who needs potential spy devices when all you need to do is compromise your local news site!

I don't understand the assertion that the US Gov't can't do anything to prevent the foreign governments from doing this... The FCC has broad powers to regulate the public airwaves. This technology clearly disturbs authorized and licensed utilization of the airwaves OUTSIDE of the bounds of the Embassies. The FCC should have the power to prevent this.

The situation discussed in the article was with regard to Stingray-type devices placed at foreign embassies which are considered foreign soil. The FCC doesn't regulate embassies any more than it regulates Beijing or Moscow.

The Stingrays found on K Street (far from Embassy Row) and some bridges were more likely US government operations.

So the question comes back to are there non-embassy, non-US government Stingrays deployed and how to find them.

Embassies are not "foreign soil". The Russian Embassy in London, for example, is not a Russian place, it's a British place that just happens to have a Russian Embassy building on it. Russians there are not magically exempt from British law.

However, in practice diplomacy is impossible without affording Ambassadors, their staff, the places where they live and work and so on, broad immunity to normal civil law enforcement. Eventually this was formalised as the Vienna Convention, and the current iteration of that convention is the state of the art as far as relations between most countries are concerned.

As a result Convention signatories do NOT on the whole search embassies of other signatories in their country. But it's not because the embassy in any sense isn't in their country.

For example the US government absolutely could tell the Russian mission to all shove off back home, they would be entitled to a "reasonable" amount of time to leave, and then the Ambassador (if he has foolishly remained) is just a Russian citizen in the US without immigration papers, the same for all staff and families. The embassy, the homes, and other facilities are all just ordinary buildings able to be searched by police, parcels sent to the embassy become just ordinary parcels which may be opened, examined, redirected or destroyed as appropriate by the USPS. The Americans would never choose to do this, because diplomatic contact with Russia remains essential, in anything short of total war, but legally they absolutely could.

> diplomacy is impossible without affording Ambassadors, their staff, the places where they live and work and so on, broad immunity to normal civil law enforcement.

Why is that?

Because not every place is a shining example of liberal democracy like the United States.

Diplomacy requires representing your country, which sometimes requires advocating against the preferred policies of your negotiating partners. In some places, if you were subject to their laws, that would get you killed.

Makes sense. It would be hard to find willing diplomats without that protection.

Just imagine trying to exert diplomatic pressure on Erdogan while subject to Turkish law, for example.

The claim in the article seems dubious. Why would an embassy operate a stingray? More likely it's US government agencies spying on the embassies.

To track who (or at least what devices) are in the immediate vicinity of the embassy and when. Patterns in that could easily be useful for catching physical surveillance at the least, as well as catching placed/planted devices that check in that way.

Edit: To expand on that, some examples:

If a new device shows up and is always present, particularly if it always has about the same signal strength or doesn't appear to move, that indicates a connected IoT device of some sort, and if you're concerned about espionage you may want to take steps to identify it.

If a particular device shows up for 8-12 hour shifts at varying times, but there are no businesses, etc. that would have that kind of attendance pattern, who's carrying that device? An investigator on-site who's also brought a personal device along?

Heck, if you're in an OnStar-equipped vehicle even if you don't have service, your vehicle may show up as always on, or at least may ping regularly.

I'm sure appropriate data mining techniques could pull a surprising amount of information out of the kind of info gathered from these devices.

Politics and retaliation aside, embassies and diplomatic immunity are nothing more than a courtesy offered by the host country.

Honest question:

If an embassy started blaring very loud music (or a siren), can the US do anything about it?

Likewise, if they started emitting strong microwaves at people, can the US do anything about it?

It seems like there must be some limitation to what you can do from the embassy to people outside of it.

The loud music would draw a political rebuke / protest response, and then after if it didn't cease, it would plausibly draw some kind of tit for tat response in the other nation. The US can expel diplomats and isolate an embassy (eg cut power, water, etc), essentially making it non-maintainable (inhospitable) as a position. It could also surround it literally, effectively sealing it off to access, preventing the ability to leave (with predictable consequences).

The strong microwaves would be treated as an act of war: an attack on Americans, on American soil, by a foreign power. If it didn't immediately stop, the US would invade that foreign soil and do whatever it decided was required.

Given that embassies are not actually foreign soil, if the offense was bad enough, US authorities will simply storm the place and make it stop.

But that's a drastic action that won't happen before many other options have been tried.

> I don't understand the assertion that the US Gov't can't do anything to prevent the foreign governments from doing this...

There has been zero evidence presented so far that it is in fact foreign governments doing any of this. More likely it's the vast cabal of Federal agencies in the greater DC area all disregarding the law because nobody in the US Congress has the will to rein them in. And of course for all we know, the espionage may be entirely legal courtesy of some clandestine national security FISA sign-off.

The US Government system is made up of dozens of extremely powerful agencies, and they are at war with each other at all times for power, information and budget. Sometimes that war is cold, sometimes it's warm.

Simply put, they're all spying on each other and all aspects of the system that is meant to control them (while they attempt to control the system instead).

I wouldn't go so far as to say that there are no federal agencies in the DC Stingray soup, but how can you say it's more likely to be federal agencies in DC of all places?

If there was a single city in the US that foreign agencies would target, it would undoubtedly be DC. The abundance of embassies in the city makes it a very easy target.
The irony of this article being posted on a website that asks for location information from mobile users every time you visit.

True, but at least they have to ask in order to get your location. Rather than just getting the information 24/7 without asking you. Slight difference there.

When I was living in DC, I would frequently find that my phone would have a signal but not functioning service, and I'd have to restart it to get service back. I always suspected Stingray devices.

I know journalism is severely challenged these days, but I wonder if anyone has done or is doing investigations in other cities outside of that region? It would be a surprise if it was limited to just that (admittedly interesting, and yes we already know why) geographic area.

This is likely the tip of the iceberg: devices with active transmission that are easy to find with some effort. I bet there are a lot of passive listeners (cheap SDR is probably all you need) sprinkled around as well that would be very hard to find.

> Turner said cell carriers can't completely secure our phones because they have to allow for law enforcement access.

The key sentence in the article. The reason there isn’t a fix is that our (U.S.) government prefers spying on its citizens over being protected from other powers’ spying.

Devices near the embassies can be explained in two ways and the US spying on foreign diplomats is a far more logical one.

Or, Russian spies and other foreign entities listening to the conversations of U.S. Congressional staffers.

Would this be defeated by having those people use some encrypted voip?

You wouldn't get the contents, but you could tell who was talking to whom, when, and for how long.

Unless the encrypted Voip went through a central server.

Or the US spying on its own.

Why is it logical? Relevant agencies have access to providers; they don't need these devices to track cellphones.

Diversification probably.

Looking for patterns that might disclose the watchers that follow diplomats / intelligence officers I assume.

When an encryption algorithm is no longer secure, it gets phased out and any protocol that uses that algorithm eventually gets denied.

Can someone explain why older protocols like 2g with inadequate encryption can't be phased out? Or why there isn't even an effort or attempt or option to disable it?

It’s not just the ciphers that were weak to begin with. It’s also the lack of mutual authentication: the network checks if the phone is entitled to service but the phone never checks if it’s a legitimate base station.
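The asymmetry described above, as an added illustration that is not part of the thread or of any real SIM or network implementation: a simplified simulation in which a GSM-style phone answers any challenge it is handed, while a UMTS-AKA-style phone first verifies a MAC over the challenge (carried in AUTN) that only a holder of the shared key Ki can produce, and also rejects a replayed sequence number. The key, the HMAC stand-ins for A3/f1/f2, and the flat `SQN || MAC` layout of AUTN are constructed for the demo; real AKA uses Milenage, an anonymity key and an AMF field.

```python
import hmac
import hashlib
import os

# Constructed demo secret; a real Ki lives only in the SIM and the operator's AuC.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the A3/f2 response function (HMAC instead of COMP128/Milenage)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def f1_mac(ki: bytes, rand: bytes, sqn: bytes) -> bytes:
    """Stand-in for the f1 function that produces the MAC carried inside AUTN."""
    return hmac.new(ki, b"f1" + rand + sqn, hashlib.sha256).digest()[:8]


class Phone:
    """Holds Ki (as a SIM would) and the last sequence number it accepted."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.last_sqn = -1

    def gsm_respond(self, rand: bytes) -> bytes:
        # GSM: the phone answers *any* RAND. Nothing here proves the challenger holds Ki,
        # so a base station that never talks to the home network still gets an answer.
        return a3_sres(self.ki, rand)

    def umts_respond(self, rand: bytes, autn: bytes) -> bytes:
        # UMTS AKA (simplified): AUTN = SQN || MAC. The phone recomputes the MAC under Ki
        # and checks SQN is fresh, so only a party holding Ki is answered.
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f1_mac(self.ki, rand, sqn)):
            raise PermissionError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.last_sqn:
            raise PermissionError("sequence number reused: possible replay")
        self.last_sqn = sqn_int
        return a3_sres(self.ki, rand)


def home_network_challenge(ki: bytes, sqn: int):
    """Authentication vector (RAND, AUTN, XRES) from the operator, which holds Ki."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    return rand, sqn_b + f1_mac(ki, rand, sqn_b), a3_sres(ki, rand)


def rogue_challenge():
    """A base station without Ki: it can pick RAND but can only guess AUTN."""
    rand = os.urandom(16)
    return rand, os.urandom(6) + os.urandom(8)


def gsm_phone_answers_rogue() -> bool:
    phone = Phone(KI)
    rand, _ = rogue_challenge()
    return len(phone.gsm_respond(rand)) == 4  # answered; no verification took place


def umts_phone_answers_rogue() -> bool:
    phone = Phone(KI)
    rand, autn = rogue_challenge()
    try:
        phone.umts_respond(rand, autn)
        return True
    except PermissionError:
        return False


def umts_phone_answers_home_network() -> bool:
    phone = Phone(KI)
    rand, autn, xres = home_network_challenge(KI, sqn=1)
    return phone.umts_respond(rand, autn) == xres


def umts_phone_rejects_replay() -> bool:
    phone = Phone(KI)
    rand, autn, _ = home_network_challenge(KI, sqn=1)
    phone.umts_respond(rand, autn)
    try:
        phone.umts_respond(rand, autn)  # the same vector captured and replayed
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("GSM phone answers rogue BTS:", gsm_phone_answers_rogue())
    print("UMTS phone answers rogue BTS:", umts_phone_answers_rogue())
    print("UMTS phone answers home network:", umts_phone_answers_home_network())
    print("UMTS phone rejects replayed vector:", umts_phone_rejects_replay())
```

The point the simulation makes is structural: in the GSM branch there is no line where the phone could reject the challenger, because the protocol gives it nothing to check. Adding the MAC and sequence-number checks is what turns a one-way authentication into a mutual one.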

Telcos do not care about technical means of security. As long as the average person can’t eavesdrop it’s good enough. When it comes to protecting their economic interest (preventing free calls) they use smart cards and strong encryption. 800MHz scanners have been illegal for decades.

Legacy support and reliability are very important (in the context of cellular service which still is inferior to fixed telecommunications). Customers will get angry if you tell them their phone is obsolete. Or encryption incompatibility causes failed calls. The FCC takes a dim view on 911 failures, so phones must have a fallback no enciphering mode to maximize 911 call success. Compatibility with roaming host networks must be maintained.

AT&T shut down their GSM network Jan 1 2017 but UMTS has plenty of vulnerabilities too. The SS7 protocol underpinning the PSTN lacks authentication.

What android app shows suspicious events?

Does this apply to iPhones? So someone could put this outside my house and listen to all my iPhone calls?

Any kind of phone.

They can't listen to your calls without cracking the keys shared between the phone company and your phone...though I do remember reading a while back that "someone" managed to steal the list from sim card manufacturers on more than one occasion.

That is not true. Stingrays are cell towers and phones trust them. The device just downgrades to A5/2 (export grade) encryption, or broadcasts that it does not support encryption at all.

Seems like a huge oversight to not let SIM cards disable certain types of encryption (that it knows the home network will never use). IIRC this is how downgrade attacks are prevented in EMV - the chip card will reject known-broken auth methods.

The FCC takes a dim view on 911 call failures. All phones must support disabling GSM encryption as a fail safe. Never disabling encryption would be “fail secure” (like door locks that remain locked during a power outage).

Emergency calls already have a bunch of exceptions that don't apply to regular traffic (e.g. you can use any network, heck you don't even need a SIM card) so allowing only those to be unencrypted shouldn't be too much of a stretch
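The three comments above (a SIM that rejects ciphers the home network never uses, the 911 fail-safe, and confining the unencrypted fallback to emergency calls) can be expressed as one small policy. This is an added example written for this thread, not a real SIM toolkit feature or any operator's code: `SimPolicy`, its cipher strength table and the event log are constructed for the demo, and the algorithm names follow the A5/x identifiers the thread mentions.

```python
from dataclasses import dataclass, field

# Constructed ranking, weakest to strongest. A5/0 means "no encryption"; A5/2 is the
# export-grade cipher mentioned in the thread; A5/3 is the newer KASUMI-based one.
STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


@dataclass
class SimPolicy:
    """Constructed stand-in for a SIM-side cipher policy (hypothetical, not a real SIM feature)."""

    home_ciphers: frozenset            # algorithms the home operator actually deploys
    emergency_fallback: bool = True     # allow weak/no encryption for an emergency call only
    events: list = field(default_factory=list)  # what a detection app could surface to the user

    def negotiate(self, offered, emergency_call=False):
        """Return the cipher to use, or None if the connection should be refused.

        `offered` stands for the algorithms listed in the network's cipher mode command.
        """
        offered = [c for c in offered if c in STRENGTH]
        if not offered:
            self.events.append("no recognised algorithm offered; refused")
            return None
        best = max(offered, key=STRENGTH.__getitem__)
        if best in self.home_ciphers:
            return best
        # Nothing on offer is an algorithm the home network ever uses: treat it as a downgrade.
        if emergency_call and self.emergency_fallback:
            # Fail-safe: the call must go through, but the downgrade is still recorded.
            self.events.append(f"emergency call accepted with {best} despite downgrade")
            return best
        # Fail-secure for ordinary traffic: refuse rather than talk over a broken cipher.
        self.events.append(
            f"refused: offered {sorted(offered)}, home network uses {sorted(self.home_ciphers)}"
        )
        return None


def home_policy() -> SimPolicy:
    # Constructed home-network profile: this operator only ever runs A5/1 and A5/3.
    return SimPolicy(home_ciphers=frozenset({"A5/1", "A5/3"}))


def scenario_normal_call_downgrade() -> bool:
    """An ordinary call offered only A5/0 or A5/2 is refused."""
    return home_policy().negotiate(["A5/0", "A5/2"]) is None


def scenario_emergency_call_downgrade() -> str:
    """An emergency call under the same offer proceeds on the strongest available cipher."""
    return home_policy().negotiate(["A5/0", "A5/2"], emergency_call=True)


def scenario_legitimate_network() -> str:
    """The home network's own offer is accepted at its strongest option."""
    return home_policy().negotiate(["A5/1", "A5/3"])


def scenario_events_after_refusal() -> list:
    """The refusal leaves a record a monitoring app could show as a suspicious event."""
    policy = home_policy()
    policy.negotiate(["A5/0"])
    return policy.events


if __name__ == "__main__":
    print("normal call refused on downgrade:", scenario_normal_call_downgrade())
    print("emergency call cipher:", scenario_emergency_call_downgrade())
    print("legitimate network cipher:", scenario_legitimate_network())
    print("logged events:", scenario_events_after_refusal())
```

The `home_ciphers` set is the piece a real deployment would have to get right: when roaming, a visited network may legitimately offer a different subset, so in practice the allowed set would be provisioned per roaming partner rather than hard-coded as here.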

> though I do remember reading a while back that "someone" managed to steal the list from sim card manufacturers on more than one occasion.

To avoid getting folks too worried about it being a widespread issue, this occurred for specifically targeted MENA-based cellular carriers, as I recall.

Curious what this magic software on the phone detecting the devices is doing, anyone have any insights?

There was a similar thing in Ottawa Canada http://www.cbc.ca/news/politics/cse-supreme-court-cra-cellph...

I know almost nothing about the systems and protocols involved here, but aren't these cell systems hackable? Why has no one tried to connect to one and then compromise it to learn more about what (and who) makes them tick?

Most likely this has been done but the people who did it aren’t posting here.

Occam's razor says that these are all run by the various agencies of the United States government...

Any foreign embassy running one, has no right to radiate beyond the border of the embassy, where it is US soil and not foreign.

> Occam's razor says that these are all run by the various agencies of the United States

Is there a more high value city for a foreign government to spy in? Seems foolish to assume Occam's razor here, at least for all of the devices.

In D.C., I wouldn't be surprised if there also are foreign agents targeting US elected officials, in addition to the normal FBI nonsense.

Fix the busted protocol, why is anyone expecting this not to be a problem? Use legitimate warrants to monitor communications on premise at the telco.

Encryption protocols are hard. Two stories, one public and one from my current job:

HTTPS is secured using SSL/TLS. SSLv1 is so bad it didn't survive the laugh test when it was explained to actual cryptographers; I can't find any records of what it did. SSLv2 is also pretty bad. SSLv3 is at last good enough that actual cryptographers spent time finding holes in it, and today it's considered so broken as to be useless.

TLSv1.0 went to the IETF. More eyeballs will fix it, right? Not if they're all engineers. Finally in TLSv1.2 the cryptographers were called in, but only after it was finished. "Hey, is this finished thing secure? Yes or No answers only."

Only in TLS 1.3 which is finished but yet to be official, did they _start_ with cryptographers and do the engineering problems later after the cryptographers had baked in the security.

At work, after a system being in use for several years, I was told we couldn't put more key-value pairs into the session information, it was "full". So I went to see how this could possibly be true. All the session information is turned into a JSON blob, which is turned into a few hundred bytes, and then those bytes are encrypted with RSA with the results stored in a Cookie. RSA is only designed to encrypt small quantities of data, which isn't a problem because it's supposed to be used to move a symmetric key. But far, far more importantly - even if this particular _method_ of doing so is crazy why are we encrypting all this data and hiding it in a Cookie at all? That's crazy.

I agree encryption is hard, but phone encryption protocols are intentionally weak for the wrong reasons. In the past the parameters have been picked low enough that domestic intelligence agencies can purposely hack them, while exporting even worse versions so that foreign adversaries are dead simple to hack. The protocols have changed over time, but this hasn't.

Also, with the examples you cite it's not clear if those standards bodies were infiltrated by the same agencies implicated above. They very much do run private cover operations and "plant" people or acquire companies that allow them to weaken these protocols or standards.

If these are in embassies, the FBI should just roll up in a van with a HERF gun and take 'em out.

Awesome that this was broken by local journalists.

The willful negligence from our governments in the (in)security of our communications infrastructure is criminally obscene.

they like it this way, maybe.

The device owners better not accidentally track an EU citizen or they might have to pay fines.
