How the FBI Intercepts Cell Phone Data

Good article on "Stingrays," which the FBI uses to monitor cell phone data. Basically, they trick the phone into joining a fake network. And, since cell phones inherently trust the network -- as opposed to computers which inherently do not trust the Internet -- it's easy to track people and collect data. There are lots of questions about whether or not it is illegal for the FBI to do this without a warrant. We know that the FBI has been doing this for almost twenty years, and that they know that they're on shaky legal ground.

The latest release, amounting to some 300 selectively redacted pages, not only suggests that sophisticated cellphone spy gear has been widely deployed since the mid-'90s. It reveals that the FBI conducted training sessions on cell tracking techniques in 2007 and around the same time was operating an internal "secret" website with the purpose of sharing information and interactive media about "effective tools" for surveillance. There are also some previously classified emails between FBI agents that show the feds joking about using the spy gear. "Are you smart enough to turn the knobs by yourself?" one agent asks a colleague.

Of course, if a policeman actually has your phone, he can suck pretty much everything out of it -- again, without a warrant.

Using a single "data extraction session" they were able to pull:
  • call activity
  • phone book directory information
  • stored voicemails and text messages
  • photos and videos
  • apps
  • eight different passwords
  • 659 geolocation points, including 227 cell towers and 403 WiFi networks with which the cell phone had previously connected.

Posted on March 7, 2013 at 1:39 PM • 29 Comments

Comments

Evan KaufmanMarch 7, 2013 2:20 PM

I'd love to see someone implement an open source IMSI catcher. If the software (and requisite hardware specs) were freely available, I bet major cell providers and law enforcement agencies would get serious about fixing the IMSI problem.

Anon TechieMarch 7, 2013 2:32 PM

Scary !! Trust no one ... least of all the government. Be careful be safe.

KarlMarch 7, 2013 3:02 PM

Anyone know if this works on 3G/4G networks? IIRC, 3G networks introduced mutual authentication to prevent this kind of attack, but most phones will connect to a standard 2G network as well. There is a hidden option in Android to force it to use "WCDMA only" -- which presumably means it will only connect to 3G networks.

anonMarch 7, 2013 3:09 PM


These FOIA docs have been out for nearly three months and nobody has yet noticed page 268:

To use Stringray:
"no court order is required", since only "attached" devices apply under 18 USC 3127. A "digital analyzer" that pulls cell traffic out of the air is not a "pen register " device!
No warrants are needed—"a simple subpoena will do."

Also notice the accidentally visible phrase left in: "when in ??? proximity"; from which we can assume to use Stingray to intercept cell phone traffic requires the FBI to be in some kind of physical vicinity
to the target. Such as in an unmarked white van parked on the street.

Mark AtwoodMarch 7, 2013 3:14 PM

The fact that the network does not trust the terminal, and requires a cryptoprocessor for it to work, but the terminal implicitly trusts the network, is the kind of idiot fuckup that only the telephony industry can commit on such a large scale.

JeffMarch 7, 2013 3:27 PM

Evan Kaufman:

I think open source IMSI catchers have been built by hobbists many times. Using OpenBTS and USRP. Both freely available.

Clive RobinsonMarch 7, 2013 3:37 PM

@ Mark Atwood,

... but the terminal implicitly trusts the network...

That's the way it's always been right from the early POTS switchboard girls.

As for other problems GSM you can blaim on the EU and especialy the UK for most of the security failings from the earliest "System X" digital exchanges pushed outt under what was the British Post Office and later British Telecom when in UK Gov hands (and for a chunk of that time the UK was fighting domestic terrorism in N.I. and wire taping on mass was rife by the various security services).

justashadowinthematrixMarch 7, 2013 4:23 PM

Can anyone with first hand experience doing mobile pen testing discuss the efficacy of various security controls against forensic attack? i.e. good technologies, apple ios encryption, etc? What works and what doesn't?

Bruce, have you had any discussion with Phil Zimmerman about silent circle? That would be a good topic if you have the time to look into it.

BlackHelicoptersMarch 7, 2013 4:34 PM

We have heard in the past about "in the vicinity of" in relationship to some type of criminal activity. And, no, I don't mean "in the vicinity of" with regard to the white van being close to a cell tower or your cell phone. With GPS tracking, not necessarily that through your cell phone, being "in the vicinity of" some criminal activity can put you on the list of suspicous individuals (whether you were in a rental car or someone else was driving your car).

What I am waiting for now is the proclamation that your cell phone activity went through a cell phone tower (enroute to your call endpoint), that you might become a person of interest with regard to some nearby criminal activity or criminal transaction that went through said same cell phone tower.

Just because one is paranoid doesn't mean they aren't out to get you.

weneedhelpMarch 7, 2013 4:43 PM

AK,

"I was curious if you had heard the word on TSA's policy change?"

It's because even the TSA thinks the premise of a bunch of idiots who can barely fly, trying to hijack a airplanes with box cutters and getting several military veteran pilots to relinquish command of their aircraft, while US radar and air defense simultaneously stands-down, then 3 of these aircraft are piloted with what can only be called perfect execution of highly advanced flight maneuvers while exceeding the designed structural capabilities of the aircraft by over 100 knots - equivalent of a 767 going beyond mach 1...

EVEN TSA thinks it's an absolutely ridiculous premise... Talk about a movie plot threat. Operation Northwoods anyone?

NobodyMarch 7, 2013 7:47 PM

It is not hard to find security vulnerabilities in phones or wiretap criminals phones. But, this method they are using is clearly not designed with that sort of mindset.

What can one expect from an agency that was born from Ms J Edgar Hoover, a walking felony factory that made the mafia (which did exist) look like babes in cloth?

I am amazed that there is today any legitimate law enforcement going on there at all.

It sounds like they are about as busy as making sure core communications technology is insecure so they can break it... as they are with chasing the criminals who misuse the holes they created.

The security cycle goes around and around, and it looks like the smartest criminals are those posing as cops.

WinterMarch 8, 2013 3:08 AM

Is this another of these "the police only captures stupid criminals" stories?

If I would commit a crime, I would not let my phone come close to the scene of the crime. If I would really need a phone at a crime scene, I would use a disposable (or cloned?) phone. A different disposable phone than the one I use to communicate with my partners-in-crime.

Maybe we are lucky that smart people do not enter crime, but financial services.

GaryMarch 8, 2013 3:27 AM

@Karl,

Telcos sell home 'femtocells' (or small cell) to boost coverage. They act as mini-cells but only talking to phones on a specific whitelist. The communications are forwarded through an internet connection.
Mostly 3G at the moment.

A stinger sounds pretty much like the same thing.

If you did a tour of all the local cell towers, you could work out all their identifiers. I suspect the stingers would have a different identifier, as otherwise the 'confusion' might cause dropped calls and become too obvious. Also, the more restricted range should be apparent if you measured signal strength while moving around.

The carriers would probably be aware as they need to track where calls start/end etc. for billing. 'Roaming' on a police network would throw up billing issues.

K wardMarch 8, 2013 3:53 AM

I was hacked by Ex boyfriend.. Who has connections in all the right places .. For Him...

Local police seem to think its ok that this person still has access to my phone and iPad and my location at all times.. Meanings some detectives are on the take...
I have contacted AT&T T numerous times, along with Apple.. They always say... It's the other co's issue. Finally got a couple of their tech peeps to admit cloning or hijacking an iPad or iPhone is possible. Most employees treat you like you're a crazy female!
I went to PI School and our FBI instructor told us all about cloning etc.. Ha.. Back in the 90's... Ha like the technology hasn't skyrocketed with the advancements in the tech world. I am on disability and have no available $$$. I have two computers now basically useless because every thing I do is monitored and if I try to talk to any male ... Texts don't send or I never get their response!! Pics are deleted and my Facebook, emails, and a dating sight password were all changed and I still don't have access two months later! I have given up on local police but have resorted to narrowing things down myself and backtracking some things. This person has friends willing to jack with me! I am ready to have my privacy back! Law enforcement seems to need to know if and how it's done before they will proceed with case.. What a joke! I was raped and molested in childhood and as an adult female.. This has caused me to have flashbacks and has caused me to feel I have no privacy, which is what rape and molestation does to you! Please help me to get to the bottom of this and have the person and person involved prosecuted and have the local law enforcement educated on how it's done so if someone else encounters this they won't be met with the type of treatment I have experienced!

My name is K Ward. My number is ............ But since all my keystrokes are captured I can't count on the jerks pretending to be someone who is from your site, so please call 501-835-4141, my local church congregation and ask for Greg or Amanda and let them know who you are. They will contact me where I can get to a secure line! Thank you so much for even your time!!!!!!!!(;-) may God bless and keep you!

MaxiMarch 8, 2013 5:43 AM

I think this Article is factual wrong:
The Police is able to make my phone join "their" gsm-cell and intercept all data that is going through it (if not encrypted on my phone. They are able to break the gsm-encryption)
BUT that does not compromise my Phone!! The extraction session in the second link is AFAIK only possible if they have physical access to the phone! That does NOT happen in the case of me using "their" cell!! The two articles make it seem like they are linked and that is just not the case. As long, as the police does not have physical access to the phone, it is unlikely that they are able to get much data off it apart from what I am sending.

The "cell" is somewhat like any other physical data-connection: as long as there is no "service" on my side of the connection that answers incoming data, there is not much that can be done to me.

derpsecMarch 8, 2013 8:32 AM

Use Android custom rom with no root, encrypt the device using 4.xx android version and forensics are useless, esp if your bootloader locks. Only method is jtag analysis and brute force to try to break the password. If all your comms are through Redphone or other encrypted voip using end to end then rogue towers are also useless

RobertTMarch 8, 2013 11:11 AM

I'll add just two very important words to the conversation:
Burner phones

Tmobile is the best network for doing this because they have lots of cheap pay-as-you go options right down to $2/day and will ship you SIMs on demand

Most important step is to keep'em guessing and be certain that each phones conversations are so limited as to prevent information gathered from that phone being in any way used for later legal proceedings.

BFisherMarch 8, 2013 4:21 PM

Other Android Tips: Remove all permissions from ADB, keep Debugging off, and use an app to change the pre-boot password to greater than 16 characters (it's dm-crypt). Lock Screen is limited to 16, but use full ASCII. Make sure you can turn it off quickly - a phone that is on, is like an encrypted container that is mounted, to a Cellebrite UFED device.

GweihirMarch 8, 2013 9:07 PM

This is actually pretty much a standard technique. A friend of mine managed to do it with just publicly available materials (in a lab setting) with a few months of work aided by one student. The most difficult thing was apparently programming the USD/EUR 2000 software defined radio.

WaelMarch 9, 2013 1:56 PM

@ RobertT

Tmobile is the best network for doing this because they have lots of cheap pay-as-you go options right down to $2/day and will ship you SIMs on demand

You probably don't want T-Mobile to ship SIMs to your address. It will help them guess who you are.

JMCMarch 10, 2013 9:42 PM

Re the second part, phone in cops' hands, how to render it blank?

On an iPhone5 with iOS 6.1.2, if you have the time to run Settings/General/Reset/Erase All Content and Settings, then turn it off, will that render its contents irretrievable? How about removing the nanoSIM and cracking it for good measure (although that will take a wee bit more time)?

x942March 14, 2013 2:50 PM

JMC - iPhones are pitiful for encryption. UNLESS you wipe it as you suggest all I have to do ( and I do this all the time) is boot into DFU mode and upload a custom RAM disk. The RAM disk auto-mounts the "encrypted" partition with the key. Giving me COMPLETE access to the phone with NO password needed.

ONLY consider your iPhone secure if you wipe it. Since there's no pre-boot authentication on the phone the key is always loaded to ram - wiping overwrites this keys with zero's and creates a new one (rendering data recovery useless)

WaelMarch 16, 2013 1:49 AM

@ x942

(1) Since there's no pre-boot authentication on the phone (2) the key is always loaded to ram

I not sure I understand this statement nor the connection between the first part and the second. Would you please elaborate!

MelvinAugust 30, 2013 4:55 AM

Hi,

I chanced upon this page while trying to fend people off cellphone and internet attacked. You were right where too much power given to someone they will just abuse it in the name of "doing good".

I was connected to a fake cellular network as by default iphone uses auto detection of network. Wireless with 63 characters AES encryption comprises of everything was hacked into in a day or two. No thanks to the fact that governments control all 3 telecom companies. The people spread out all by private life to my company, neighbourhood, all contacts in mail and phone because "they" deemed that i neglected my family (NOT terrorist, muderer, drug dealer or rapist that they are after...). Of course, its was a biased opinion of my family members, whom are jealous of me than i neglected them... Furthermore, who has the right to intervene my family matters??

Honestly, i do not mind the authorities spying on everyone and everything but who to keep check that the information collected does not benefit linked companies or even to be used as a tool for revenge, personal agenda?

HELP!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..