'It Looks Like You're Trying To Harvest Cell Phone Data...:' Quick-Start Guides For IMSI Catchers Leaked
from the CTRL-ALT-WTF dept
The Intercept has obtained user manuals for Harris Corporation's IMSI catchers, colloquially known as Stingrays, thanks to an anonymous leaker. The documents appear to have come from a Florida law enforcement agency. This would be the public's first chance to see these documents in unredacted form. Law enforcement agencies have held onto these operating manuals more tightly than nondisclosure agreements or info on investigations utilizing this technology.
The documents show what's so attractive about Stingrays: their power and their ease of use.
Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up-to-date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.
The tech can be deployed easily thanks to a relatively user-friendly interface and offers an array of tools that go beyond simply tracking the location of a targeted phone. Not only can these devices snag every phone that happens to be in range, but the IMSI catcher can force every phone in the area to come down to its level, so to speak.
In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G.
However one might feel about the lawfulness of deploying mass surveillance to track -- in most cases -- a single suspected criminal, there has to be at least some concern that law enforcement can downgrade paying customers' connections while performing an investigation.
The user's manual [PDF] uses telco jargon almost ironically, referring to targeted phones as "subscribers" (who haven't intentionally signed up for law enforcement tracking) and the towers officers will be spoofing as "providers" (the cell companies whose connection will be replaced/downgraded as law enforcement sees fit). Lists of "subscribers" and "providers" can be imported and exported. "Subscribing" numbers can be given nicknames to more easily separate them from the countless other cell phone numbers swept up during the device's deployment.
Much of what's in the documents isn't exactly surprising. A lot of this has been sniffed out by FOIA requesters and defense lawyers, but until this point, the underlying details have mostly been implied -- read between redactions and parsed from deliberately obtuse law enforcement testimony.
Harris can't be happy these documents have leaked. A warning on the Gemini control software manual [PDF] states that Harris must be allowed to challenge any disclosure of the contents of these documents -- which presumably includes law enforcement compliance with defense production requests. Law enforcement agencies can't be happy either, as it shows just how much power many of them have at their fingertips. But nothing stays a secret forever, especially when the surveillance technology in question has gone from overseas deployment against enemy combatants to chasing down fast food thieves in local neighborhoods.
Three can keep a secret if two of them are dead, as the saying goes. With hundreds of law enforcement agencies deploying cell tower spoofers thousands of times, the FBI's bullshit nondisclosure demands are apparently no replacement for a pile of silenced corpses.
Reader Comments
Gotta love Ol' Ben
Re:
You're kidding, right? The phone companies depend on government permission (licenses) to operate. They're going to kiss up every opportunity they get.
somewhat off-topic-ish...
started out with the *gronk*gronk* sound you get with amber alerts, the phone didn't ring; wife and i made sure of where the dogs were, locked a couple doors, and went back to sleep... we *assumed* the activity was pretty damn local -like within a half mile- if we were getting the message...
nope, as it turns out after i talk to neighbors a couple miles away, their neighborhood got the calls, too... (different time stamps, by the way, earliest i could tell was 3:30 AM)
thing was, we never got an 'all clear' call back... (i am guessing they got a fair ration of shit for the 'don't go outside, citizen' calls, and decided not to whack the hornet's nest again...)
one neighbor says he told them not to bother calling, he can take care of himself... hmmm, he's got one foot in the grave, and the other on a banana peel... hmmmm...
i called about 6:30 am, and they said, 'um, uh, yeah, we, um, forgot to call back...', but we're all done...' wtf ?
hmmmm, felt more big brother-ish than public servant-ish...
oh, when all was said and done, searching for some guy they found 15 miles NW of us... wtf ? ? ? HOW MANY people within a 15 mile radius (plus?) did they roust ? ? ?
that encompasses a couple small towns and a number of large-ish subdivisions...
Re: somewhat off-topic-ish...
Re: Re: somewhat off-topic-ish...
What happens when the Stingrays themselves are hacked?
Remember when your ordinary UHF TV could listen in on the old analog cellphones?
Re: What happens when the Stingrays themselves are hacked?
So about that argument
It seems a lawyer would have a field day with this, using it to demolish the 'voluntarily make available' argument that police and government agencies like to use to excuse their listening in.
Not only are people not 'voluntarily' making their data available, the device described intentionally re-routes it, with the one deploying the device hijacking the signal and re-routing it to them in a manner that is anything but voluntary.
Re: So about that argument
Re: Re: So about that argument
This is a bologna sandwich fed to the public by fraudsters.
Re: So about that argument
You would think.
But ISPs have been doing this with overlay networks since the mid 2000s. It started out with in-house BGP4 hacking to get better diagnostic information on network attacks. Now the big vendors make specific boxes just to allow vectoring traffic onto overlay networks on demand. (Stingrays probably started out as diagnostic tools in the same fashion.)
The brochures including capabilities are publicly available. Though unlike the above, they don't say "Here is your mark 2000 fascist asshole switch. To begin violating people's civil rights en masse, first press the on switch."
The ISPs do use this capability for diagnostics and security analysis for their own networks. But, there is some question as to how much is actually deployed for that purpose, vs. deployed for bulk surveillance. These companies are large, and responsibility for this stuff is highly compartmentalized.
The only way we will know how much of it is deployed at the edges is if somebody leaks the sales figures. My guess is that on certain networks, EVERY customer port does some form of DPI.
Eavesdropping/CFAA/Wiretapping?
Most of these laws have law enforcement exemptions, but those exemptions require that law enforcement have a valid warrant to qualify for the exemption.
So either we have a case of unequal enforcement of the law (unconstitutional) or use of an IMSI device is not in fact a violation of any of those laws in the United States.
Re: Eavesdropping/CFAA/Wiretapping?
I don't think so. I think they're just exempt, period.
So about that lousy telco service...
Too bad the telcos can not use it as an excuse. /s