EFF Posts New White Paper On Stingray Device Capabilities
from the keeping-abreast-of-the-fuzz dept
The EFF has published a primer on IMSI catchers. Harris Corporation's success in this market has led to near-genericide, as almost every one of these cell tower spoofers is usually referred to as a "stingray."
The white paper [PDF], titled "Gotta Catch 'Em All," runs down what's known about cell-site simulators used by a number of government agencies. Most of this has been gleaned from secondhand info -- the stuff that leaks out during prosecutions or as the result of FOIA requests.
The technical capabilities of CSSs have been kept under wraps for years. The reasoning behind this opacity is that if criminals know how these devices work, they'll be able to avoid being tracked by them. There may be a few technical details that might prove useful in this fashion, but what is known about Stingray devices is that the best way to avoid being tracked by them is to simply not use a cellphone. But who doesn't use a cellphone?
The report is definitely worth reading, even if you've stayed on top of these developments over the past several years. It breaks down the technical subject matter in a way that makes clear what CSSs can and can't do -- and how they're capable of disrupting cellphone networks while in use.
While CSSs can intercept communications, it's hardly worth the effort. Unless the CSS can talk the phone into accepting a 2G connection (which eliminates encryption and severely limits the type of communications originating from the dumbed-down phone), it just doesn't work. This doesn't mean the devices are never used this way. But it does mean it's not a very attractive option.
On the other hand, CSSs impersonate cell towers, so they're able to pull all sorts of info from every device forced to connect with the faux cell tower. These devices are used most often to locate criminal suspects, meaning precise GPS location is a must-have. Operating on their own, cell-site simulators can't generate pinpoint accuracy. Working in conjunction with nearby towers, they can triangulate signals to provide better location info. But there's another option -- one rarely discussed in courtroom proceedings. CSSs can also force phones to give up precise location info.
First, the Stingray extracts info from nearby cell towers. Using this info (which the EFF points out anyone can access), the CSS alters its signal to become the highest priority connection in the area of operation. Once it's done this, GPS info can be coaxed from phones now connected to the fake cell tower.
[T]he attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.
Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration.
For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al, 2017).
There are few options available for people wanting to use a cellphone but are also wanting to avoid being swept up by a Stingray. As the report notes, there are a few cell tower spoofer detection apps on the market, but they may be more likely to generate false positives than detect IMSI catchers. There's no baseline for carrier behavior, much less "normal" Stingray use.
And, in any event, the EFF isn't publishing a handbook on how to evade detection by these devices. It's simply informing the public of the power of these devices, which are becoming as ubiquitous as the phones they track and trace. Since the public hasn't been invited to any these discussions by law enforcement agencies, it's up to everyone else to detail known capabilities and assess the potential damage to the public's expectation of privacy.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: imsi catchers, stingray, surveillance
Reader Comments
The First Word
“How can this possibly be lawful?
If I intercept a wireless communication, I have committed wiretapping, a felony.
If I pull files off someone’s computerized device under false pretenses, I have violated the Computer Fraud & Abuse Act.
People are being arrested and prosecuted (Aaron Swartz for example) for accessing public information in creative ways, yet the government is accessing confidential information without bothering with warrants via far more invasive means.
Every government exemption built into the laws I mentioned in this comment absolutely require a valid warrant and make it absolutely clear that doing without a warrant is a felony.
Cops like to talk about a few bad apples and isolated incidents, but for a government agency to get away with this sort of thing without being prosecuted or even arrested for it, means that 100% of the government officials involved in even the most peripheral way are corrupt and criminal.
If it were one good cop amongst an army of bad ones, we’d hear about them being fired for opposing this crap. But we don’t. Our government appears to be in the hands of domestic enemies of the Constitution and the people.
Subscribe: RSS
View by: Time | Thread
Allegedly the Librem 5 will have hardware switches for the baseband (which would allow killing cell signal when not in use).
Would be kind of nice if our 'public servants' actually... had to answer to the... ones they are supposed to be serving.
[ link to this | view in thread ]
Re: Librem 5
Ideally the cell phone would not support some of this functionality. Alternately, it can spoof results to this call. Cell carriers should start to be worried about these things. It's their technology that's being used by the government. Traditionally this hasn't been a PR nightmare, but it could easily turn into one.
[ link to this | view in thread ]
The white paper titled "Gotta Catch 'Em All,"
That title was Onixpected. While I do wish I could Raichu a better comment, I should probably just keep my big Meowth shut. Good Eeveening, folks. And as they say: Kakuna Rattata
[ link to this | view in thread ]
How can this possibly be lawful
[ link to this | view in thread ]
How can this possibly be lawful?
If I intercept a wireless communication, I have committed wiretapping, a felony.
If I pull files off someone’s computerized device under false pretenses, I have violated the Computer Fraud & Abuse Act.
People are being arrested and prosecuted (Aaron Swartz for example) for accessing public information in creative ways, yet the government is accessing confidential information without bothering with warrants via far more invasive means.
Every government exemption built into the laws I mentioned in this comment absolutely require a valid warrant and make it absolutely clear that doing without a warrant is a felony.
Cops like to talk about a few bad apples and isolated incidents, but for a government agency to get away with this sort of thing without being prosecuted or even arrested for it, means that 100% of the government officials involved in even the most peripheral way are corrupt and criminal.
If it were one good cop amongst an army of bad ones, we’d hear about them being fired for opposing this crap. But we don’t. Our government appears to be in the hands of domestic enemies of the Constitution and the people.
[ link to this | view in thread ]
What does lawfulness have to with it?
"How can this possible be lawful?" is kind of a droll question suggesting that you are eager to swallow their koolaid if they let you access it.
The actual reasoning behind this opacity is that if upright citizens got to know how these devices work, they'd be able to put a stop to being tracked by them. In the mean time, money passes hands.
Policemen steal money off the records with "civil forfeiture" and buy Stingrays off the books in order to illegally surveil people in order to find out where they can steal more money.
[ link to this | view in thread ]
Re: Re: Librem 5
And they're in the best position to do anything about it. It's basically a solved problem to use zero-knowledge proofs for anonymous network access.
[ link to this | view in thread ]
Re:
In their view, it's the public who are the servants. That's why they've got keep such a close eye on them.
[ link to this | view in thread ]
Re: How can this possibly be lawful?
Well the difference is it is not legal for you. However it is allowed by the judiciary (and rest of the government by their inaction) for police officers with flimsy excuses why they couldn't get a warrant.
[ link to this | view in thread ]