ACLU sues Homeland Security over 'stingray' cell phone surveillance (techcrunch.com)
730 points by mindgam3 5 months ago | hide | past | web | favorite | 153 comments

If we had a crowd-sourced database of cell towers (picture & coordinates) wouldn't it then be straightforward to know (and report) when your phone wasn't connecting to a legitimate tower?

I for one want to make sure the criminals aren't intercepting my signal with home-made stingrays; the police have other lawful ways to get what they need.

No, because the cell carriers have "tower in a box" kits that they make available to various people. These are real towers, but they move often. If you go to a large event (something like Burning Man, though I don't know if they do for that specific event) there is a good chance the carrier has scattered a few of these around the venue because the fixed location towers (often miles away) would be overwhelmed and nobody would be able to use their phones.

Agreed - there are companies that specialize in ad-hoc towers to provide service. Example: Mobilitie in Chicago. Very important piece of mobile data infrastructure, but a rogue tower is still a real security risk.

Mind you, it would be straightforward to use such a database to find out whether you're connected to a mobile or fixed cell station.

Not sure if those apps work as well as advertised.


Edit: fully removing amp from link

Fixed, thanks.

Considering all the stuff that's open public information, it's a bit surprising that cell tower locations aren't.

It's kind of sensitive information with regards to communications infrastructure. Not too dissimilar from various details of sensitive sites not being disclosed to reduce the risk of a coordinated attack.

Not saying it's effective, but I can understand the reasoning.

Tower data is public record. Here’s a search aggregator: http://www.antennasearch.com

The issue is that the baseband should be handshaking cryptographically with your provider’s towers to prevent MITM attempts, and no downgrade should be possible. Between eSIM and 5G, honestly surprised it’s not a standard yet.

Antennasearch is a good resource, and somehow the database update functions still work, but it appears unmaintained, somewhat janky, and the copyright notice reads 2004-2009. I resent the popup windows and the Google Maps integration is broken. Luckily, there are several community efforts to map the cell coverage.

Check out https://opencellid.org/ [0] which is an open source WiGLE-esque cell location collection. You can contribute with the TowerCollector[1] Android app (also on F-Droid).

Mozilla also operates Mozilla Location Services[2] as an API for developers. People can contribute anonymized location data to Mozilla via a settings menu checkbox, or using their special app.

WiGLE[3] of course includes cell tower detection in their wireless geographic logging suite.

[0] https://opencellid.org/

[1] https://github.com/zamojski/TowerCollector/

[2] https://location.services.mozilla.com/

[3] https://www.wigle.net/

Are they not registered with the FCC?

A sibling comment noted the FCC rules for antenna structures. FCC regulates some of this, and the cell towers should all be on that list. That said, I don't know how to easily access the FCC information aside from a service like antennasearch or some other thing. There are also paid services for this sort of thing. If you are searching for towers, also make use of a fiber search, as all these towers need fiber to run, unless they use backhauls or something, which seems less likely. The towers are usually owned by something like COMTECH III, LLC and then the entities leasing the tower space operate everything else.

In addition to the FCC and FAA, there should be a massive public paper trail for tower construction. The locality, state, and feds are involved in this.

So, in a roundabout way, I think your thoughts were: "If FCC regulated and lists this, why the tower search crap?" The reason is that if you get the FCC, state, and local to OK your tower and use it for long range deer hunting, the FAA maps will still show your 220ft deer stand, but there are likely no cellular transceivers on the tower. On a cell tower there could easily be 2 today, and then 4 next month.

So the location and use of the towers doesn't always coincide with the cellular network equipment hanging off it, which is what would need to be monitored.

Also I'd wager that the open sensor method of opencellid, MLS, WiGLE will give you better data. If you are doing your own research, it would be greatly helpful to compare to the official lists, but you'll need to verify it anyhow.

If anybody is doing this work I would be interested in knowing more about this landscape.

Interesting stuff.

I believe only those antenna structures that are registered with FCC are public data, and that's only those that are tall enough (200ft), or close enough to an airport, to require a study by the FAA. IOW most urban and suburban cell sites, which tend to be mounted to existing low-rise building structures, aren't included.


Regarding effectiveness, localizing an access point is trivial, so it's a matter of motivation.

Exact cell site locations would be considered competitive strategic information by most carriers, who spend a lot of time, money and energy selecting the right cell sites to cover the right markets at the right cost. Also, they change all the time, e.g. when leases expire, when customer traffic patterns change, when there are upgrades, etc.

I don’t buy that. I’m sure the way that they select the sites in the first place is probably proprietary, but once you start broadcasting radio frequencies, it’s trivial to pinpoint the location of the towers, so there’s absolutely nothing stopping anyone, particularly a competitor, from mapping them out quite easily.

Costs $$$ to have techs drive around the land with that kind of gear...

Sure, but if a company is thinking about expanding into another area, they're already going to be doing that, whether or not they need to also know about their competitor's towers.

Encryption helps against IMSI-catchers, but you can also just implement a form of secure tower identification if ISPs want to keep their secrets. The Mexican cartels could do it if the urban legends are true.

edit: And as others have said, it compares a bit to wanting to keep the location of a lighthouse a secret.

What is the cartel secure tower identification story?


I think this was an example of such a network.

This is categorically untrue. They are not a secret due to the approvals required at a local level and by the FCC.

Many carriers lease space on the same towers, or have agreements to lease space from others in certain markets. You almost never get the site placement you want: you are operating in a built environment and have to work within those constraints.

The problem is that knowing the co-ordinates of the tower does nothing to defend against Stingray-like devices: coordinates aren’t a means of authentication.

I'm not sure what approvals you're talking about. For individual small sites in already-built structures, neutral-host sites, or for leasing agreements with other operators where you're just putting a new cabinet in an existing site, what approvals are needed that would publish cell site locations?

Some informed person can probably tell us: are there any technical developments on the horizon which could plausibly make stingrays unviable? From a lay perspective, it seems like cell tech hasn't been designed to meet some criteria that ought to be achievable.

- Are there future cell technology standards being planned which would make it harder for a 3rd party device to impersonate a cell tower? (e.g. the police would actively need the cell network to help them sign something)

- Why can't we encrypt calls and texts in a way which doesn't let all this stuff get read? Like (handwaving) either trust the network and encrypt with a key they provide, or else some form end-to-end encryption (where maybe generating keys is part of what happens when you activate a sim card or something)?

Like, sure the lawsuits are important, but why did we end up with a system where these tools are possible?

The key factor is the compatibility with international roaming - customers, manufacturers and operators really want the phone to "just work" when you step off a plane in a random place where the only cell tower in range is run by an operator that was established after your phone was made. There can't be a global list of 'trusted operators' for political reasons (long story), and in order to make calls, your phone needs to work with that operator directly - it can't do end-to-end to your home provider, your data streams won't get routed halfway across the world and back for no good reason, they'll route only the billing info and metadata as per the roaming agreements.

The other problem IIRC is virtual towers - when operator A gains improved coverage by renting capacity on a tower of operator B, they want the phone to seamlessly connect to that tower as if it's run by operator A (even if it's not) without the phone being able to inform the customer that hey, you're now connected to operator B - because it might raise confusion about roaming charges, and also give bad PR about coverage which might prompt the customer to switch to that competitor.

What could work is the combination of (a) your phone being able to cryptographically verify if it's really connected to your 'main' operator or someone they explicitly authorized (isn't this something that the 5G and even 4G protocols support?) and (b) requiring explicit confirmation if connecting to someone that's not. Of course, (a) would mean that for police Stingrays to be recognized as legitimate cell towers, they'd need cooperation from the cell network, but that's IMHO not really a problem, just some paperwork whenever they need to activate a new batch of intercepting devices.

> The key factor is the compatibility with international roaming

You could have an encryption setting in the phone, and the handshake with the network could have a bit telling you the setting isn't supported.

> can't do end-to-end ...

so then you use a vpn and voip instead of using the phone system directly...

Actually it looks like the two problems with your obvious solutions (political and companies being cranky about you noticing you're on a different tower) are complete bullshit and can be solved with very simple legislation. The more complicated and expensive solution doesn't need to happen.

> Why can't we encrypt calls and texts in a way which doesn't let all this stuff get read? Like (handwaving) either trust the network and encrypt with a key they provide, or else some form end-to-end encryption (where maybe generating keys is part of what happens when you activate a sim card or something)?

We can have E2E encryption on cellphones today, just make calls and send texts over Signal (with other people who also have Signal installed).

Here's an article on using SIM cards as a secure element: https://nelenkov.blogspot.com/2013/09/using-sim-card-as-secu...

I would really like a hardware interface for changing a key, or a mechanism where you flip the card over to expose a separate set of contact plates which have write permissions. Stock Android will allow carriers to fuck with your SIM card sans user permissions.

Interestingly, at DEF CON last year, a presentation was talking about how in Africa there are interposer SIM shims that slip over the top of the SIM card and provide additional functionality. Citation needed, but I was impressed they could fit a small MCU in such a thin form factor!

Oooh, I like that idea. I've seen those used to bypass carrier locks, but never considered the possibility of restricting write access with one.

I don't think American carriers care at all about preventing government spying.

The CEO of Qwest did and he was subsequently jailed.


From a YCombinator comment: "The way that Qwest CEO Joseph Nacchio so meaningfully resisted the government that he was convicted of insider trading for telling people his company would be successful when it actually relied on a government contract that was pulled in retaliation, which he couldn't use as a defense in court because of national security concerns? For which he served four years in prison, and Qwest no longer exists? That sort of meaningfully resist? The message to me from that case is clear—if the US government tells you to jump, you answer, how high."


If he's telling the truth, major props to that guy for sticking to his principles regardless of what he had to lose.

5G is by nature shorter range, which at least makes the surveillance harder to do and more targeted when it happens. But I can't say much for the protocol, having not done much with it.

On the flip side, I think this would make pinpointing the device's geolocation much easier.

Yeah that seems true, if there's more signal towers in a particular space it'll make triangulation of a person and their device easier to achieve through an increase of reference points.

I don't see this as being a stop gap; the shortcomings (not an intended pun) of the range and potential penetration of 5G almost certainly mean 4G is going to be around in the long term.

mmWave 5G is shorter range.

5G runs also on sub-6. The spec defines the modulation and the network, it doesn't hard-spec the frequency.

So the coverage on low band 5G will be the same as 4G.

Since the FCC sanctions stingray use for law enforcement I'm sure they make sure that any new mobile radio technology is compliant with police spying requirements.

Last I heard these things were FCC licensed for "emergency use only". The issue is that the FCC can't override federal law and deliberate interference with radio communications is illegal under such law.

It used to be that only 2G was vulnerable, but newer devices don't depend on downgrading. But with suitable phones, I gather that one can detect suspicious baseband activity. However, by the time that's obvious, the phone will already be pwned.



Contribute to the ACLU here:


Canadian equivalent: https://ccla.org/give

100% agree, I've contributed for a couple of years now and headlines like this just brighten up my day knowing I've helped.

Have been a contributor for years. They fight the good fight.

Hopefully, this puts to rest the idea that government can use "private contracts" as an end-run around constitutional and legal restrictions on their activity.

They have been hiding behind the NDA as a reason they should not have to follow federal disclosure laws, but never in the history of the law has a private contract superseded the law itself.

They also hide behind these same NDAs when criminal defendants get to court and want to challenge the use of the tech on 4th amendment grounds.

Hopefully the ACLU can put an end to that; the government should not be able to contract with any organization that prevents them from disclosing their activity to the public. Seems law enforcement has lost sight of who they answer to, which should be the people of this nation.

The third party doctrine loophole is huge and not likely to be impacted very much by this, unfortunately.

Here's a relevant talk from the National Constitution Center, if you want to hear some of the nuance: https://www.youtube.com/watch?v=hW32k7x7zE0

Third party doctrine has little to do with this case. I agree it is a problem, but that is not what I was talking about in my post.

The Third Party doctrine allows the Government to end-run the 4th amendment if you disclosed info to a 3rd party.

In this instance, the government is claiming they do not have to talk about the technology at all, even to the point of proving it actually does what they claim.

In criminal trials they treat it as a black box that is magical. This should not be allowed; evidence collected by it directly or as a result of its use should be barred unless the defence has access to the technology for independent review.

The government claims they do not have to disclose anything because they signed a contract with the manufacturer saying they would not disclose anything about the tech.

True, but I was talking about the actual issue primarily being that Stingrays are mostly micro targeted, often with warrants due to costs, etc, while the vast majority of cell providers have warrantless, sometimes even subpoena-less web portals for LEAs to conduct spying operations on the public, or how the vast majority of the cell tower companies (separate from the major providers) themselves have the most useful information and do the same types of things.

While stingrays are an issue, the vast majority of spying on cell phone users (read: vast majority of US pop) comes from those other mechanisms which do employ the third party doctrine loopholes. I should have been more specific, but you are right about Stingray.

Well some of that falls on Congress not the 4th amendment

We need to redefine data ownership in this country, not just to curb police abuse, but to curb the abuse of corporations as well

That extends well beyond the 3rd party doctrine

cough Five eyes cough

Stingray use requires a warrant and every case should be dismissed where one was used without a warrant. I'm sure that's the main reason they want to hide the use of stingrays, they know they're doing something wrong.

Police having the ability to spy on everyone with little to no oversight is nightmarish authoritarianism, it's completely against the spirit of American democracy, not to mention in violation of The Constitution.

As part of some volunteer work I'm doing with Lucy Parsons Labs, I submitted a FOIA request to every single state's largest city, asking for search warrant records that would likely exist on complaints for search warrants, the warrants themselves, or from any audit. About 100 requests in total.

After two months, only two cities have sent me their search warrant records. All other states have given me rejections saying:

1. The records are on paper and never transcribed.

2. The records are digital, but there's no way to query from a frontend.

3. The records are digital and queryable, but the agency considers the use of queries "creating reports", where tons of states have case law backing this up.

4. Nothing, because they haven't responded yet.

So far I've received three enormous fee estimations of ~500k, ~400k and ~150k. Obviously not affordable.

Chicago is one of the few cities that sent records (though, it took a year). They've sent three separately sized files for the same timeframe - 11k rows, 9k rows, and 20k rows. The data is messy, and there is some very important info missing from their records. Can't speak too much about it yet, since I'm still confirming the reasons. It's been blindingly frustrating trying to get a consistent message about whether the data is even accurate.

All this goes to show that police agencies don't make records on search warrants even remotely easily available to the public, and we have no way of gauging whether our constitutional rights are being upheld throughout the US. It's honestly very sad.

If you want to support this work and our other projects, please consider a donation to Lucy Parsons Labs: https://lucyparsonslabs.com/support/

Ahhh, good ol' government inefficiencies and obfuscation. I have no faith in there ever being efficient systems in place because it'll just make it harder to hide shady behavior.

That’s how it’s been developed, continues, and planned. If it wasn’t, it wouldn’t be like this.

There is a similar problem with FOI requests in Australia.

It's not there to get information, it's there to give the appearance that they give information.

The most used excuse here is it will take "too many resources".

They often follow the same set of steps to legally delay or prevent information going out.

There is a FOI ombudsman, but they are so swamped the backlog is enormous.

Thanks for sharing. Sounds like a useful project.

> don't make records on search warrants even remotely easily available to the public,

It seems like the right reform would be for all approved search warrants to be automatically posted online one year after issuance.

If an innocent person had a warrant issued for them, and they were cleared, I bet employers would still routinely query those records if they were able to. It could affect people’s lives if it was too public

This is a non-issue within the context of these requests. The only names that I am requesting are the names of the officers and judges involved. The requests are not seeking any names of anyone the search warrants are meant for.

> If an innocent person had a warrant issued for them, and they were cleared, I bet employers would still routinely query those records if they were able to. It could affect people’s lives if it was too public

I know it is unlawful to ask about arrests without convictions as a precursor to employment in at least a few jurisdictions in the US. [0]

[0]: https://www.workplacefairness.org/criminal-records-workplace...

I wonder, are court records generated by the issuing of warrants? If so, I imagine you could have gone at it from the other direction and simply gotten a list of warrants and looked for terms that looked stingray-ish. So maybe warrants aren't actually recorded in court records?

> I wonder, are court records generated by the issuing of warrants? If so, I imagine you could have gone at it from the other direction and simply gotten a list of warrants and looked for terms that looked stingray-ish. So maybe warrants aren't actually recorded in court records?

That's probably the case as I believe warrants can be requested even when court is not on session. As someone who has sat in court a couple times I can say the only warrant I ever saw a judge issue was a bench warrant.

Thanks for your work.

Do you happen to have a city-by-city breakdown of the responses anywhere?

Nothing yet, but I hope to get something in the next couple weeks. Here are all of the requests, including their responses: https://www.muckrock.com/project/search-warrant-data-608/

Do you have a template for this? I'd like to submit such a request to my own city.

Yep, please check out the requests at: https://www.muckrock.com/project/search-warrant-data-608/

It'd be a good idea to limit the set of record points to only those that you're interested in.

The problem is knowing a Stingray was ever used in the first place. It's been documented that the police routinely utilize parallel construction when they discover things through illegal means in the first place.


Seems like the police casually breaking the law is the core of the issue. Quis custodiet ipsos custodes?


edit: to be clear, I think the government itself could really do with reeling it back a bit as well - but this very news is a reminder that some people are watching out for the watched.

The ACLU was mostly mute on these issues during the prior administration, when these abuses became routine.


Providing information is fine, but please omit the name-calling.


The first two are state cases, not federal, as are many of the others. I would have thought that "the administration" would clearly refer to Federal cases.

Latin for "Who will guard the guards themselves?".

Alternatively also translated as “Who watches the watchmen?”

And even without knowing Latin the sentence is recognizable :) At least to me, when I looked at it, it looked very similar to that. Guards, watchmen, custodians. Guarding, watching, being in custody of. And I know from other languages like French words like "qui" (though I don't speak French either, only know a select few words).

The judiciary branch.

That very same judiciary branch has a secret court that rubber stamps almost all mass surveillance requests given to them.

Almost all airports permanently run a Stingray-like device.

Care to elaborate more on this?

> For two months last year, researchers at the University of Washington paid drivers of an unidentified ridesharing service to keep custom-made sensors in the trunks of their cars, converting those vehicles into mobile cellular data collectors. They used the results to map out practically every cell tower in the cities of Seattle and Milwaukee—along with at least two anomalous transmitters they believe were likely stingrays, located at the Seattle office of the US Customs and Immigration Service, and the Seattle-Tacoma Airport.

source: https://www.wired.com/2017/06/researchers-use-rideshares-sni...

> At Trudeau airport, Radio-Canada detected the catcher's presence through the use of a CryptoPhone — a cellphone look-alike that emits red alerts when a fake antenna tries to catch its signal. Several red alerts were received, throughout the afternoon and early evening, in the section of the airport for U.S. departures.

source: https://www.cbc.ca/news/canada/montreal/trudeau-airport-spyi...

> The devices are operated out of at least five U.S. airports, "covering most of the U.S. population". It is unclear whether the U.S. Marshals Service requests court orders to use the devices.

source: https://en.wikipedia.org/wiki/Dirtbox_(cell_phone)

That's super interesting. Those are international departure airports. I wonder if what they're doing is sniffing for phone numbers of interest showing up in the international terminal indicating a 'person of interest' is trying to leave or arrive. I assume people trying to leave or enter the country without permission might have false ID and a false name on their ticket but they probably don't think about changing their phone number.

Once you have a number pop up on the Stingray you distribute that person's photo to all the border agents.

Or the reverse.

Since airports are one of the very few places where you can positively identify a certain person was there at a certain time, you can combine a passenger list with a device list to get some soft matches to previously unlinked devices.

Combine that linked metadata with other dragnet metadata, and you're going to learn a lot.

That should mean they can also correlate who picks up or drops off whom... so even if you aren't traveling, you're in their database linked to someone who is.

Combined with ANPR and patterns over time, yes.

This makes a lot of sense to me.

Probably used for things like terrorist watch lists, national security ventures, etc... highly doubtful it's used for domestic law enforcement purposes. The US wants to know when foreign nationals of interest attempt to enter/exit the country.

Very naive of you to think that.

What is the difference between a permanent stingray and a cell tower?

One actually provides cell service.

Stingrays provide cell service.

There are issues with some units that downgrade your data signal to a slower connection than you would get with a normal cell tower, but otherwise you would never know the difference.

The person you are replying to is actually making an excellent point as most current methods of detecting stingrays are heavily reliant on the "tower" moving or changing.

The tv show The Wire was a documentary after all.

But even when they have a warrant to go after one person, the fact that they can scoop up information from everyone else even remotely near that person, and those people never find out is pretty abusive.

Like, if my neighbor is a drug dealer, and the police get a warrant to search their apartment, maybe that's reasonable. If they use that warrant to search every apartment on my block, that's messed up. If they do that without leaving a trace, so I have no idea when or if it has happened ... then I'm living in a panopticon.

You should go read about parallel construction :-)

>Stingray use requires a warrant and every case should be dismissed where one was used without a warrant. I'm sure that's the main reason they want to hide the use of stingrays, they know they're doing something wrong.

they'll just do a parallel construction - use stingrays to find other evidence, scrap stingrays from record and only go forward with evidence gathered from usage of stingray.

OTOH, Google and Facebook, with annual incomes larger than the GDP of a medium European country, can log everyone's every breath, on the internet and, more recently, in real life, with impunity. I just can't wrap my head around how the municipal police doing it is "nightmarish authoritarianism", but big adtech, de facto way more powerful, gets a cursory pass.

Because people generally endeavor to stay on the topic of a discussion? You seem to be assuming that criticizing government surveillance is somehow an approval of corporate surveillance - it's not either/or, they're both attacks on Free society.

Google et al don’t arrest people or hold them in jail, so that is one dimension in which they are less able to pose a threat.

That doesn’t mean that they don’t pose a threat though.

No, but they certainly can hand them over to those who can! https://www.vox.com/the-goods/2018/11/12/18089090/amazon-ech...

I think most people would view it from the lens of Police inherently having legislated power over people and the ability to detain, arrest and/or charge people.

Big adtech have insane amounts of data and deep pockets but realistically no means to carry out the above, however that doesn't mean big adtech should get a pass.

The argument is that you use those products and give them that information voluntarily, however under-handed the tactics are to get you to volunteer that info. Law enforcement surveillance isn't voluntary.

If police use the lack of information from those avenues as a justification for a warrant to conduct surveillance then that argument is moot.

Are you privy to any warrants actually being issued solely because the police couldn't turn up info on a suspect via Facebook or Google? Maybe I'm ignorant, but I don't think that's a thing that actually happens.

Although reputation and behavior has a role in the decision other factors would need to be in play. I meant more that no social media could be seen as anti social by a judge and added to the list of things that ultimately satisfies probable cause.

Any smart, ethical police department would go for a warrant. I'm friends with someone in law enforcement and they say the last thing they want is evidence tossed. Often they get warrants they don't even need just so there isn't a chance of having evidence tossed later.

Having dealt with police throughout various stages of my life (never as a suspect or offender), all I can say is that they lie, cheat and misinform people. I'm sure there are plenty of decent people out there but the force has plenty of those with broken moral compasses.

They probably can't get warrants for what they are doing, which is trawling large swaths of traffic hoping to find something useful.

Stingrays have been known to be used by law enforcement for a decade now. It's about bloody time more information than just "they are used" is opened to the public.

Seems they were in use for about 15 years -before- cellphones became a thing. (See '2009 Utah case' here: https://www.wired.com/2014/03/stingray/ )

Presumably Homeland Security and its child agencies are targeting everybody within 100 miles of a border (~65% of the population) with any and every form of surveillance they can think of, because why not? It's very legal, and very cool.

> It's very legal, and very cool.

With who? I'd really like to know who is copacetic with this kind of surveillance state.

Per the context at the knowyourmeme link, by "very legal and very cool" I essentially mean "we've decided it's legal and now we're doing it and you might think we're full of shit but what are you going to do about it, little people?"

Cool as in "tacticool," like driving military surplus IED-hardened vehicles around for small town policing.

Or staging a shootout over property theft in an area full of civilians

or taking a guy to the hospital in chains so that doctors can spend the night inspecting the inside of his rectum and colon with increasingly invasive procedures because you think he might be hiding drugs in there

It's a Trump quote.

Wasn't there just a court case that ruled CBP couldn't force you to unlock your device without a warrant? Like just 2-3 weeks ago.


"For any reason" is exactly the opposite of why the Trump campaign drew the scrutiny of intelligence agencies.

Generally if the RSRP or RSSI increases significantly that is a dead giveaway you are on a stingray. You don't really need an app to see that (Google how to see it for your phone type). Of course, it is always possible that your carrier just turned up a new site closer to you, but that is not something that happens often and you can usually notice it.

Some comments mention mm-wave 5G; keep in mind that mm-wave != 5G. But on mm-wave a stingray becomes more difficult due to the high directionality of short wavelengths. But at lower bands, there is no advantage of 5G over 4G in terms of resilience against stingray types of attacks (which are basically an L1 middleman attack, similar to age-old wifi types of spoofs).

Watching signal strengths is all well and good, but you need historical data to compare to. This is a viable option for a few sites (maybe near where you live), but not an option when you're on the go.
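A small detection heuristic for the RSRP-jump idea discussed above, written here as an added example (it is not code posted by anyone in the thread). It assumes a log of periodic readings from the phone (timestamp, a coarse location label, serving cell id, RSRP in dBm), keeps a per-location baseline as the reply points out is needed, and flags a reading only once there is enough history at that place. The 20 dB threshold and 5-sample minimum are assumptions, and a legitimately commissioned new site will trip it just the same, so an alert is a prompt to look, not proof of a stingray.

```python
"""Flag sudden serving-cell signal jumps in a log of phone readings.

Added example for this thread, not code from the discussion. The thresholds,
field names and sample readings below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Reading:
    ts: int           # seconds since start of the capture
    place: str        # coarse location label (grid square, "home", ...)
    cell_id: str      # serving cell identifier as reported by the modem
    rsrp_dbm: float   # LTE reference signal received power, dBm


JUMP_DB = 20       # assumption: >= 20 dB above the local baseline is worth a look
MIN_HISTORY = 5    # assumption: need this many earlier samples at a place to judge


def scan(readings, jump_db=JUMP_DB, min_history=MIN_HISTORY):
    """Return (reading, reason) pairs for readings that jump above the per-place
    baseline. Readings must be in time order. A place with fewer than
    min_history earlier samples never produces an alert: without history there
    is nothing to compare against, which is the on-the-go limitation above."""
    history = defaultdict(list)     # place -> earlier RSRP values
    seen_cells = defaultdict(set)   # place -> cell ids already observed there
    alerts = []
    for r in readings:
        past = history[r.place]
        if len(past) >= min_history:
            base = median(past)
            delta = r.rsrp_dbm - base
            if delta >= jump_db:
                if r.cell_id not in seen_cells[r.place]:
                    # A never-before-seen cell that is also far stronger than
                    # anything here: classic stingray shape, but also exactly
                    # what a carrier's newly commissioned site looks like.
                    reason = (f"new cell {r.cell_id} at {r.place}: "
                              f"{delta:.1f} dB above baseline {base:.1f} dBm")
                else:
                    # Same cell id, much stronger: could be a device borrowing
                    # the real cell's identity, or you simply moved closer.
                    reason = (f"known cell {r.cell_id} at {r.place}: "
                              f"{delta:.1f} dB above baseline {base:.1f} dBm")
                alerts.append((r, reason))
        past.append(r.rsrp_dbm)
        seen_cells[r.place].add(r.cell_id)
    return alerts


# Constructed sample log: six ordinary readings at home on cell-A, then a
# much stronger unknown cell at home, then a strong cell at a place with no
# history (which must not alert).
SAMPLE = [Reading(60 * i, "home", "cell-A", v)
          for i, v in enumerate([-101, -99, -103, -100, -98, -102])]
SAMPLE += [
    Reading(60 * 6, "home", "cell-Z", -70),
    Reading(60 * 7, "downtown", "cell-Q", -60),
]


def demo():
    """Run the heuristic over the constructed sample log."""
    return scan(SAMPLE)


if __name__ == "__main__":
    for r, why in demo():
        print(f"t={r.ts}s {why}")
```

The two alert shapes are kept separate on purpose: an unknown cell id that appears far above the local baseline is the pattern most people mean by "stingray", while a known cell id jumping by the same margin deserves a look for a different reason (a device presenting the real cell's identity). Neither is conclusive on its own; the value is in having the baseline to compare against at all.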

Knowing Bellard managed to build a 3G cell tower just by using a cheap antenna, I guess it means anybody can build a stingray, although connecting to the cellphone network might not be a trivial thing to do. No idea how companies secure their networks, and I wonder if there are security standards about it.

Where might I find more information about this?


Actually it's a 4G antenna. It's not a stingray, but to me, it's a big step towards it if you're a black hat and can find a way to access the cellphone network.

I have optimism and want to believe most big telcos have good security practices and make it extremely difficult or impossible to connect to their network. Although one might be able to do some social engineering and do it, since the cellphone network requires a lot of antennas and manpower to install and maintain them.

For example, imagine you set up a fake company that installs those antennas. How can the telco make sure the antenna is not being moved around (monitoring GPS of the connected smartphones, maybe checking the residency of users to see if something is statistically fishy)? So in short, I tend to think it's not very hard to penetrate cellphone networks, unless the telco spends enough money to secure it and triple check their contractors.

After reading through the comments I found this on Hackaday; it's from 2018. Seems germane to the current topics in the thread:


The first paragraph is an intro speech of sorts, then the real content begins. There is an interesting article linked in that part so I want to bring it to the fore.


It seems that a number of factions may have been using "stingray" devices and their contemporary equivalents for some time.

I have a femtocell in my home, because my small neighborhood sits in a dead zone. Not a repeater, a full femtocell.

To the casual security conscious user, that is probably going to look like a 'stingray', since you will be walking down the street with a gradually dropping RSSI, when all at once, boom, you walk into a five bar signal and life is good.

It covers about a 300 ft radius with the most blessedly beautiful signal you can imagine. Maxes out at 100 Mb/s, since that is all the backhaul it gets from the ISP where it is connected. (Not that I am complaining about 100/100 in the house.)

But it isn't a Stingray. It is a fully secure registered femtocell base station.

Given that it hasn't moved in five years, it may well be on someone's map of established cell towers.

Can you use this device to enumerate imei of passers-by?

No. It is a closed secure box with SSL backhaul to the provider.

I was involved in the chip architecture for the silicon that is used in the box as well as the software engineer involved in the secure boot path for the cellular modems. It is one large chip with all the modems and application processors in one chunk of silicon. No unencrypted data, air link or Ethernet backhaul, ever leaves the die.

From that, I am familiar with the physical design that the manufacturer implemented. (We did a lot of support work to get the manufacturer up and running)

They even go so far as to have a physical 'self destruct' button within the box. If you try to physically open it, it will never boot again.

The service provider states in the documentation (when you get the box) that if you tamper with the device such that the self-defeat gets activated, you have to pay full retail for the now dead box (they provided the femtocell for free if you live in a dead zone).

I laughed when I opened the retail box and that was the first thing in the document stack. Basically a large font "you have been warned"

Watch Mr Robot and see this in action

This made me wonder,

Do spoofed callers appear on a capture device as the spoofed number?

If so, you could in theory use law to target anyone by calling their number using a spoofed number that is included on a surveillance order. Just keep calling the numbers you want to monitor and the net keeps getting bigger.

Please tell me this is not the case?

Caller ID information is sent to the receiver by the switch.

If your switch is under your control (say, you're using Asterisk), you can send whatever you want, as demonstrated nearly constantly by all those spam calls.

Is it just me, or has the ACLU been on a roll lately? I'm really enjoying its current direction. It might have just been that the most controversial headlines were getting the most airtime, but it seemed to be going off the tracks for a while.

They're "on a roll" lately because there's been egregious overstepping of government against free speech.

When was the ACLU going off the tracks exactly?

I love the work that the ACLU does, but they've always been picking and choosing which rights to actively support. See the opinion of the 2nd amendment on their own website: https://www.aclu.org/other/second-amendment

I personally don't hold the constitution as a sacred document, though I do find that it aligns with my ideals more than the actual policies of modern America. I could respect an organization being opposed to an amendment and deciding not to defend it for that reason, but it's always been weird to me that they have to hide behind a legal rationale rather than just admitting their political opposition to individual gun rights.

I still love the ACLU, and in the past I've given them time (passing out flyers, IANAL) and money despite these reservations. I'm really not trying to hate on them, but I would consider them "off the tracks" in this regard.

Are you concerned that organizations like the NRA are doing an insufficient job defending the 2nd Amendment to the point where the ACLU desperately needs to step in?

The NRA is more an arm of the arms industry than it is an organization actually interested in the rights of individual gun owners; for example, they're in favor of making 3D printed guns illegal. This is good for the industry, but would infringe on the currently recognised rights of individuals. I think the Second Amendment Foundation would be a better example of an organization that actually supports the 2nd. I do think our 2nd amendment rights are slipping away (in the beginning we could own and sell unregulated cannons), but I'm not presuming to tell the ACLU how to spend their time and resources. As noted above, I would appreciate a recognition that their decision to not defend the 2nd is actually political rather than legal in nature, which I believe is pretty obvious.

> As noted above, I would appreciate a recognition that their decision to not defend the 2nd is actually political rather than legal in nature, which I believe is pretty obvious.

You're leaving out the third option, practical.

There are already well funded, effective organizations defending your interpretation of the Second Amendment. It makes little sense for the ACLU to divert resources to that endeavour as a result, even if they agreed with your political view on the individual vs. collective right to bear arms.

That would be fine, too! Knowing that the ACLU doesn't support the 2nd, I can choose to support organizations that do in proportion to how much I care about that amendment as opposed to the others. I'm totally cool with that. But practicality is not their stated reason for not defending the 2nd, and if it were their actual reason then I'm not sure what reason they would have to use a legal rationale instead. If their actual reason is politics, it's pretty obvious why they wouldn't want to admit that; it would alienate some people, and make them appear more partisan.

After giving up on Gilmore v. Gonzales, in my opinion.

I just did a quick read here. What options are there for their case? They tried to escalate to the Supreme Court, and the Supreme Court was not interested. Where do you go from there? (note: Am Canadian, curious about it hypothetically)

You're correct; that case has no options remaining. The ACLU would likely have to get a different district to issue a conflicting opinion in a different case to get SCOTUS to take a look.

Why not focus policies around using the surveillance tools?

The tools should be as powerful as possible. To keep people safe, shouldn't infrastructure be powerful enough to tap anything instantly with proper authorization, even backward in time? Why not?

Then we're focused on making rules better. Isn't that the best thing to do in a system of laws and standards?

Imagine if you could change any aspect of the system to make it more proportional, fair, ethical, whatever. Why not think about asking the right questions, weighing the pros and cons, and tailoring a way to improve it with minimum side effects?

Also, sometimes the regulations are so strict, it's dangerous.

For instance, here's an example where the rules around stingrays being so strict led a guy to get away with murder (in eyes of the judge):

> Circuit Judge Yolanda Tanner said in court Monday that while she is suppressing the evidence “with great reluctance,” Copes is “likely guilty.” https://arstechnica.com/tech-policy/2016/04/citing-unconstit...

I wonder what it would have been like had that case been in Florida. Which has sweet inevitable evidence law.

> The tools should be as powerful as possible.

I think a lot of people would disagree with this premise. The argument against it is basically that abuse of powerful surveillance technologies is inevitable precisely because the technology is so powerful. In reality, law enforcement is only incentivized to catch criminals, not necessarily to protect people's privacy or personal freedoms, so LE will abuse these capabilities 100% of the time they have access to them.

A more subtle argument is that bureaucratic oversight of LE is almost always impotent to rein them in and has every reason not to do so due to a lack of accountability. A "fair, ethical" system is fundamentally incompatible with one in which law enforcement has sweeping surveillance capabilities and the lack of oversight which always results from any sufficiently large/slow/complex legal system.

> The argument against it is basically that abuse of powerful surveillance technologies is inevitable precisely because the technology is so powerful.

What would be some examples of an abuse?

What would be some examples of a powerful surveillance technology?

For instance, what "surveillance technology" isn't already an internal diagnostic tool for day-to-day system administration for a telecom/service provider?

Only difference is who picks the target and them having oversight (likely having to provide a predicate/rationale). Why is this so bad?

If there's a lack of oversight, what rules and systems would you suggest to prevent abuse, as you define it?

I think that part of the issue is that blanket surveillance is easier than surveilling a single person used to be.

Also, it is possible to build systems where the admins can't access the data or metadata. End-to-end encryption, for example, prevents the admin from seeing the contents of messages. Systems like Tor also prevent any one person from knowing who everyone is and what they're saying. Mutual authentication can also help establish that MITM attacks aren't happening, but that's a slightly different problem than when there is access to the back end of the system being used.
