'It Looks Like You're Trying To Harvest Cell Phone Data...:' Quick-Start Guides For IMSI Catchers Leaked

from the CTRL-ALT-WTF dept

The Intercept has obtained user manuals for Harris Corporation's IMSI catchers, colloquially known as Stingrays, thanks to an anonymous leaker. The documents appear to have come from a Florida law enforcement agency. This would be the public's first chance to see these documents in unredacted form. These operating manuals have been held onto tighter by law enforcement agencies than nondisclosure agreements or info on investigations utilizing this technology.

The documents show what's so attractive about Stingrays: their power and their ease of use.

Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up-to-date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.

The tech can be deployed easily thanks to a relatively user-friendly interface and offers an array of tools to be used that go beyond simply tracking the location of a targeted phone. Not only can these devices snag every phone that happens to be in range of the device, but the IMSI catcher can force every phone in the area to come down to its level, so to speak.

In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G.

However one might feel about the lawfulness of deploying mass surveillance to track -- in most cases -- a single suspected criminal, there has to be at least some concern that law enforcement can downgrade paying customers' connections while performing an investigation.

The user's manual [PDF] uses telco jargon almost ironically, referring to targeted phones as "subscribers" (who haven't intentionally signed up for law enforcement tracking) and the towers officers will be spoofing as "providers" (the cell companies whose connection will be replaced/downgraded as law enforcement sees fit). Lists of "subscribers" and "providers" can be imported and exported. "Subscribing" numbers can be given nicknames to more easily separate them from the countless other cell phone numbers swept up during the device's deployment.

Much of what's in the documents isn't exactly surprising. A lot of this has been sniffed out by FOIA requesters and defense lawyers, but until this point, the underlying details have mostly been implied -- read between redactions and parsed from deliberately-obtuse law enforcement testimony.

Harris can't be happy these documents have leaked. A warning on the Gemini control software manual [PDF] states that Harris must be allowed to challenge any disclosure of the contents of these documents -- which presumably includes law enforcement compliance with defense production requests. Law enforcement agencies can't be happy either, as it shows just how much power many of them have at their fingertips. But nothing stays a secret forever, especially when the surveillance technology in question has gone from overseas deployment against enemy combatants to chasing down fast food thieves in local neighborhoods.

Three can keep a secret if two of them are dead, as the saying goes. With hundreds of law enforcement agencies deploying cell tower spoofers thousands of times, the FBI's bullshit nondisclosure demands are apparently no replacement for a pile of silenced corpses.



Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: imsi catcher, law enforcement, manual, stingray, surveillance
Companies: harris corp.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Lurker Keith, 20 Sep 2016 @ 2:58pm

    Gotta love Ol' Ben

    You all know if Ben was alive today, every thing he says would be a meme faster than GLaDOS.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 20 Sep 2016 @ 3:35pm

    Now the carriers need to upgrade their towers and completely break this technology.

    link to this | view in thread ]

  3. icon
    art guerrilla (profile), 20 Sep 2016 @ 3:40pm

    somewhat off-topic-ish...

    live in central florida, rural area, and had a first for me and those i talked to locally: at 3:45 am, got a call from county sheriff that there was an ongoing investigation (or something, don't remember the exact wording), and advised that all residents receiving that call should stay inside until further notification by another call, blah blah blah...

    started out with the *gronk*gronk* sound you get with amber alerts, the phone didn't ring; wife and i made sure of where the dogs were, locked a couple doors, and went back to sleep... we *assumed* the activity was pretty damn local -like within a half mile- if we were getting the message...
    nope, as it turns out after i talk to neighbors a couple miles away, their neighborhood got the calls, too... (different time stamps, by the way, earliest i could tell was 3:30 AM)
    thing was, we never got an 'all clear' call back... (i am guessing they got a fair ration of shit for the 'don't go outside, citizen' calls, and decided not to whack the hornet's nest again...)
    one neighbor says he told them not to bother calling, he can take care of himself... hmmm, he's got one foot in the grave, and the other on a banana peel... hmmmm...
    i called about 6:30 am, and they said, 'um, uh, yeah, we, um, forgot to call back...', but we're all done...' wtf ?

    hmmmm, felt more big brother-ish than public servant-ish...

    oh, when all was said and done, searching for some guy they found 15 miles NW of us... wtf ? ? ? HOW MANY people within a 15 mile radius (plus?) did they roust ? ? ?
    that encompasses a couple small towns and a number of large-ish subdivisions...

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 20 Sep 2016 @ 3:43pm

    What happens when the Stingrays themselves are hacked?

    The Stingray itself is the biggest back door in the whole cellphone system.

    Remember when your ordinary UHF TV could listen in on the old analog cellphones?

    link to this | view in thread ]

  5. icon
    That One Guy (profile), 20 Sep 2016 @ 3:44pm

    So about that argument

    In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G.

    It seems a lawyer would have a field day with this, using it to demolish the 'voluntarily make available' argument that police and government agencies like to use to excuse their listening in.

    Not only are people not 'voluntarily' making their data available the device described intentionally re-routes it, with the one deploying the device hijacking the signal and re-routing it to them in a manner that is anything but voluntary.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 20 Sep 2016 @ 3:56pm

    I think we should harass Harris. Thousands of phone calls, etc.

    link to this | view in thread ]

  7. icon
    Bergman (profile), 20 Sep 2016 @ 5:47pm

    Eavesdropping/CFAA/Wiretapping?

    The Computer Fraud and Abuse Act makes it a serious crime to access a computer without authorization. Various wiretapping and eavesdropping laws make it a serious crime to intercept electronic communications and electronic devices.

    Most of these laws have law enforcement exemptions, but those exemptions require that law enforcement have a valid warrant to qualify for the exemption.

    So either we have a case of unequal enforcement of the law (unconstitutional) or use of an IMSI device is not in fact a violation of any of those laws in the United States.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 20 Sep 2016 @ 6:57pm

    Re:

    Now the carriers need to upgrade their towers and completely break this technology.

    You're kidding, right? The phone companies depend on government permission (licenses) to operate. They're going to kiss up every opportunity they get.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 20 Sep 2016 @ 7:09pm

    Re: So about that argument

    Nah. The government will argue that people 'voluntarily make available' just by using a phone. Any phone. Next they'll be arguing that you're 'volunteering' to be snooped on by communicating, period. Hey, you don't have any rights if you give them up 'voluntarily', right?

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 20 Sep 2016 @ 7:11pm

    Re: Eavesdropping/CFAA/Wiretapping?

    "...those exemptions require that law enforcement have a valid".

    I don't think so. I think they're just exempt, period.

    link to this | view in thread ]

  11. icon
    Padpaw (profile), 20 Sep 2016 @ 9:24pm

    Now remember citizens criticism of how the police do their illegal crimes means you support terrorism. A law abiding citizen keeps their eyes down, ears closed and mouth shut and only believes what they are told to believe by the police. All else is treason in the police state.

    link to this | view in thread ]

  12. icon
    Padpaw (profile), 20 Sep 2016 @ 9:30pm

    Re: somewhat off-topic-ish...

    you ever hear the story about when the police stopped a highway full of people and screamed and threatened every driver with loaded guns because they were looking for someone and decided stopping and threatening people was the best way to find a man on foot.

    link to this | view in thread ]

  13. icon
    Kathy (profile), 20 Sep 2016 @ 10:35pm

    So about that lousy telco service...

    Not that I think the telcos have great service, but this does make me wonder if the reason for bad service in some areas is because of Stingrays downgrading the service.

    Too bad the telcos can not use it as an excuse. /s

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 21 Sep 2016 @ 12:58am

    Hey Mike, at least it's proving CwF+RtB right!

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 21 Sep 2016 @ 6:55am

    Re: Re: somewhat off-topic-ish...

    I imagine this happens a lot, everywhere.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 21 Sep 2016 @ 6:58am

    Re: Re: So about that argument

    One does not give up rights before the fact.
    This is a bologna sandwich fed to the public by fraudsters.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 21 Sep 2016 @ 7:15am

    Re: So about that argument

    "It seems a lawyer would have a field day with this"

    You would think.

    But ISP's have been doing this with overlay networks since the mid 2000's. It started out with in-house BGP4 hacking to get better diagnostic information on network attacks. Now the big vendors make specific boxes just to allow vectoring traffic onto overlay networks on demand. (Stingrays probably started out as diagnostic tools in the same fashion.)

    The brochures including capabilities are publicly available. Though unlike the above, they don't say "Here is your mark 2000 fascist asshole switch. To begin violating peoples civil rights en-mass, first press the on switch."

    The ISP's do use this capability for diagnostics and security analysis for their own networks. But, there is some question as to how much is actually deployed for that purpose, vs. deployed for bulk surveillance. These companies are large, and responsibility for this stuff is highly compartmentalized.

    The only way we will know how much of it is deployed at the edges, if somebody leaks the sales figures. My guess is that on certain networks, EVERY customer port does some form of DPI.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 21 Sep 2016 @ 9:29am

    Re: What happens when the Stingrays themselves are hacked?

    I actually had access to a UHF/VHF handheld TV back then; with a directional antenna on it, you could wander all over the place and pick up phone calls, despite the fact that it was supposed to be illegal, you couldn't really help it while you were scanning for strong TV signals.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.