In Unsealed Document, FBI Admits Stingray Devices Will Disrupt Phone Service
from the making-Stingray-omelets-required-breaking-a-few-communications dept
A small crack in the FBI's Stingray secrecy has appeared. A 2012 pen register application obtained by the ACLU was previously sealed, but a motion to dismiss the evidence obtained by the device forced it out into the open. Kim Zetter at Wired notes that the application contains a rare admission that Stingray use disrupts cellphone service.[I]n the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.Notably, the application (and the magistrate's approval) do not refer to the device by any of the common names (Stingray, IMSI catcher, cell tower spoofer, etc.), but rather as "mobile pen register/trap and trace equipment." While it does admit the device will "mimic Sprint's cell towers," it downplays the potential impact of the device's use.
“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity. Any potential service disruption will be brief and minimized by reasonably limiting the scope and duration of the use of the Mobile Equipment.”
The fact that Stingray devices disrupt cell service isn't new, but an on-the-record admission by law enforcement is. The warrant application claims that numbers unrelated to the ones being sought will be "released" to other cell towers. The unanswered question is how long it takes before this release occurs.
“As each phone tries to connect, [the stingray] will say, ‘I’m really busy right now so go use a different tower. So rather than catching the phone, it will release it,” says Chris Soghoian, chief technologist for the ACLU. “The moment it tries to connect, [the stingray] can reject every single phone” that is not the target phone.The problem with the so-called "release" is related to the amount of disruption that occurs when the device is used. Advances in cell technology have surpassed the ability of Stingray devices to capture calling info and location data. Upgrades are available and law enforcement agencies are scrambling to get their cell tower spoofers up-to-date, but the general process still involves "dumbing down" everyone's connection to the least secure and most easily-intercepted connection: 2G.
But the stingray may or may not release phones immediately, Soghoian notes, and during this period disruption can occur.
In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.If a device is in operation nearby, all calls that can't find a better connection will be routed to the cell tower spoofer. This means calls won't be connected, texts won't be sent/received and internet service will be knocked offline. While Stingrays are supposed to allow 911 calls to pass through without interruption, these are far from the only type of "emergency" communications. If the device is deployed for any considerable length of time, citizens completely unrelated to the criminal activity being investigated may find themselves unable to communicate.
And while the targeted number apparently belonged to Sprint, the warrant application notes that all service providers in the area will be asked to turn over a large amount of subscriber information.
[D]irecting AT&T, T-Mobile U.S.A., Inc., Verizon Wireless, Metro PCS, Sprint-Nextel and any and all other providers of electronic communication service (hereinafter the "Service Providers") to furnish expeditiously real-time location information concerning the Target Facility (including all cell site location information but not including GPS, E-911, or other precise location information) and, not later than five business days after receipt of a request from the Federal Bureau of Investigation, all information about subscriber identity, including the name, address, local and long distance telephone connection records, length of service (including start date) and types of service utilized, telephone or instrument number or other subscriber number or identity, and means and source of payment for such service (including any credit card or bank account number), for all subscribers to all telephone numbers, published and nonpublished, derived from the pen register and trap and trace device during the 60-day period in which the court order is in effect…This request seems to run contrary to what's asserted earlier in the warrant application, in reference to the Stingray device itself.
In order to achieve the investigative objective (i.e., determining the general location of the Target Facility) in a manner that is the least intrusive, data incidentally acquired from phones other than the Target Facility shall not be recorded and/or retained beyond its use to identify or locate the Target Facility.It appears there is a "catch-and-release" policy when it comes to Stingray devices, but the FBI's data request to every cell phone service provider in the area contains no such assurances about minimization. Additionally, the request for data on "all subscribers to all telephone numbers" covers a 60-day period, while the use of the tower spoofer is limited to two weeks.
So, not only did the FBI potentially disrupt cell service while searching for the robbery suspects, it also collected a massive amount of data on every subscriber whose phone happened to connect with its fake tower. It's not really "catch-and-release" if additional call/location data on unrelated subscribers is obtained from from other providers. This broad request was granted without question or additional stipulations by the magistrate judge -- the only limitation applied (in a handwritten addition, no less) being that the FBI would not be able to use the device "in any private place or when they have reason to believe the Target Facility is in a private place." (This falls in line with the FBI's "warrant requirement," which is written in a way that ensures the FBI will never have to seek a warrant for Stingray use.)
The FBI, along with other law enforcement agencies, has refused to answer questions about the disruptive side effects of Stingray device usage. With the unsealing of this document, their silence no longer matters. These agencies are well aware of these devices' capabilities -- something they're clearly not comfortable discussing. The excuses deployed routinely involve "law enforcement means and methods" and claims about "compromising current and future investigations," but with more heat being applied by the nation's legislators, this code of silence may finally be broken. The use of these devices -- despite being fully aware that critical communications may be at least temporarily prevented -- sends a continual implicit message to the public: your safety and well-being is subject to law enforcement's needs and wants.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: fbi, phone service, stingray
Reader Comments
Subscribe: RSS
View by: Time | Thread
obvious
Which is why Gemalto's hack is such a big deal. It's what Stingray uses to operate, as I even noted myself.
https://www.techdirt.com/articles/20150225/07101530138/gemalto-ok-yes-we-were-hacked-yes-some -sim-cards-may-be-compromised-not-because-us.shtml#c133
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I wonder...
[ link to this | view in chronology ]
Re: I wonder...
[ link to this | view in chronology ]
Re: I wonder...
The same dropdown also has LTE options, but I'm using an older phone which doesn't have LTE so I don't know the right one for 4G.
[ link to this | view in chronology ]
Re: I wonder...
But even without a smart-phone running custom applications, it would not be hard to design any cellular telephone to identify -and avoid- a Stingray interceptor. For instance, if your GPS location has not changed (much) and a new "cell tower" suddenly pops up out of nowhere, that situation alone would make it highly suspect.
[ link to this | view in chronology ]
Re: I wonder...
In most cases, not easily. If you're using Android, there are a couple of options that I know of, but they require root access. One is to replace the stock OS with Cyanogenmod, which lets you control that directly.
If you can't use Cyanogenmod, then there is another option (this is what I do): using Tasker and a little magic, you can run custom scripts every time the protocol changes. My script notifies me that it has changed, and if it changed to 2G then it attempt to change back. If that fails, it disables the cell radio entirely (as if it were in Airplane Mode), then polls periodically to see if it can connect to 3G or better yet.
I'm unaware of an easily downloadable app that can accomplish all of this, but it probably exists somewhere. For my purposes, the Tasker solution is just fine.
[ link to this | view in chronology ]
Re: Re: I wonder...
[ link to this | view in chronology ]
Re: Re: Re: I wonder...
[ link to this | view in chronology ]
Re: Re: Re: I wonder...
http://www.huffingtonpost.com/2015/01/26/google-police-tracking-waze_n_6547262.html
[ link to this | view in chronology ]
Re: Re: Re: Re: I wonder...
[ link to this | view in chronology ]
Re: Re: Re: Re: I wonder...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: I wonder...
ALL KINDS of copyright use, etc is '100% legit' doesn't stop people from being jacked up by the (il)legal system...
at the very least, you become one of the 'persons of interest' due to even THINKING about privacy, talking about technical workarounds, tinkering with software, going to protests, having a copy of the declaration of independence on their wall (ooops, ...), donating money to organizations that are deemed 'terrorist' AFTER THE FACT, etc ad infinitum...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: I wonder...
After my many decades of activism and being an opinionated loudmouth, that they haven't done so yet tells me that the Eye of Sauron has juicier targets in view.
[ link to this | view in chronology ]
Re: Re: Re: I wonder...
It has "WCDMA only" and "LTE only", but unfortunately no "LTE/WCDMA only". It also seems a bit abandoned, judging by the commits.
[ link to this | view in chronology ]
Re: Re: Re: I wonder...
[ link to this | view in chronology ]
Re: Re: Re: Re: I wonder...
[ link to this | view in chronology ]
Re: I wonder...
[ link to this | view in chronology ]
There are cell-switching technologies coming soon into Qualcomm modems and others that will make the switching "seamless" between a real tower and a fake one.
EFF and ACLU need to use a stronger 4th amendment argument against Stingrays, not just that it "disrupts some calls".
[ link to this | view in chronology ]
Time for some FUD!
[ link to this | view in chronology ]
Re: Time for some FUD!
When a kidnapped child gets hold of a cellphone to call for help and can't make the call it is dead.
The statement is (probably) false but hey, if the DOJ can use it against encryption...why not.
[ link to this | view in chronology ]
Phone companies are gonna use resources that could be spent on GOOD things, instead it'll be spent specifically on improving government surveillance compatibility, if the advocates of the surveillance state get their way, like they've already been
[ link to this | view in chronology ]
Re:
True, but they're used to it and have already spent to put in much of the infrastructure. CALEA already requires telephone companies to provide surveillance capabilities to law enforcement.
[ link to this | view in chronology ]
Are there also apps to check a cell ID (tower ID) against a map? That would seem to be a give-away as well.
[ link to this | view in chronology ]
Re:
Yes, there are a number of them available for Android. My quick count is around a half dozen.
[ link to this | view in chronology ]
Re: Re:
Perhaps the police would finally have those "flash mobs" they're apparently so scared of.
[ link to this | view in chronology ]
Re: Re: Re:
Sending an alert to others is an interesting idea, but if I were to consolidate all of this into a single app, I'd just recommend that everyone run that app to detect rogue stations themselves. There'd be no need to send out any kind of alert.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I was only half-joking about the flash-mob thing. I was thinking that orgs like PINAC could use these alerts as a means of getting people to look for and photograph IMSI catchers in the wild (even if they're just unmarked panel vans).
Less fun, but more useful, would be trying to gather data about how widely (and frequently) deployed stingrays are. Even with lots of noise, at least there'd be a starting point.
[ link to this | view in chronology ]
Seems Dangerous
[ link to this | view in chronology ]
Re: Seems Dangerous
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Jammers
[ link to this | view in chronology ]
But why would we think that they would use it that way?
[ link to this | view in chronology ]
Keep up the pressure
Which, of course, would be that Stingray allows them to record all cell conversations in the vicinity. Do I have proof? Nothing but their hypersensitive reaction to any inquiry related to Stingray; which springs from a guilty conscience.
Believe me, they aren't concealing that Stingray "disrupts phone calls;" we already knew that. No, their guilty conscience comes from something much more ugly, something they're still hiding.
Let's find out what.
[ link to this | view in chronology ]
Hey I just lost signal again?
[ link to this | view in chronology ]
Wonder If Calling Problems are Stingray Use
[ link to this | view in chronology ]
Jamming Calls for Legal Assistance
[ link to this | view in chronology ]