Comments 16, 2013 8:05 AM

Wow. I am wondering why there is still organized crime,
especially the Italian mafia which has been around for so
long if the FBI can do all of this.

I do have to admit, this guy was a highly paid criminal,
so from that perspective, who cares if they get on his
system and change a file. Problem is just that they made
some sketchy shortcuts in their investigation and in
obtaining warrants which begs the question: is the federal
government hacking innocent civilians' systems in the
same manner as they have done in the past under the guise
of "national defense".

Basically, our FBI is not unlike a reformed serial
offender. They have a long track record of serious criminal
offenses when it comes to illegally wiretapping criminals.
Have they truly changed? Can they?

Clive Robinson • April 16, 2013 8:45 AM

> Wow. I am wondering why there is still organized crime especially the italian mafia which has been around for so long if the FBI can do all of this.

You need to remember it was the Italian Mafia that invented and first used various miniature bugging devices like the "Harmonica and infinity Bugs" and it took quite a while for the Feds to catch up. Under Hoover the Feds (or more correctly Hoover's clique) assumed they were the kings of the surveillance hill; they were not and still are not today.

If you are good at surveillance technology and you have found a customer who will pay you to improve things, you and they become difficult to put surveillance on as you and they are "aware" of the what and how of it.

It also turns out that for all the Feds and other TLA claims of being the best, the majority of surveillance devices and techniques were not invented by them, but by others not in bureaucratic service.

The exception used to be the NSA simply because they had a market monopoly on employment. But the likes of Google and Facebook and a host of others offer a better set of rewards for those with talent...

ted • April 16, 2013 9:11 AM

If I have an aircard, ...
How can I tell if it is changing towers?
How can I tell if the tower it is communicating with is a MITM and not an actual tower?
How can I know if an outside entity is making changes to my aircard settings?
How can I prohibit this?

Anon • April 16, 2013 11:54 AM

> How can I tell if it is changing towers?

An RF signal strength meter should be able to tell if the card is sending a stronger than average signal. This would be about the only obvious means of detecting a tower change.

> How can I tell if the tower it is communicating with is a MITM and not an actual tower?
> How can I know if an outside entity is making changes to my aircard settings?

Aside from having full access to the firmware of the card I don't think either of these are possible.

> How can I prohibit this?

Again, I don't think prevention is possible. Detection, on the other hand, should be relatively easy with $150 - $300 worth of electronics and the right experience.

If it were me, I'd start by using a very high gain unidirectional antenna (at least 15dBi) to make triangulation more difficult. That also has the side effect of reducing the number of cell towers the card can connect to. Next, I'd put an RF signal strength meter in front of the antenna and monitor it to create a baseline. Any deviation from the baseline without environmental factors (precipitation, geomagnetic storms, etc.) would indicate possible tampering. According to the article, the attackers caused the card to step up the transmission power as part of the attack. The signal strength meter would detect this.

If active tampering is detected, powering down the card and moving to a new location would be the only means of preventing triangulation. It basically comes down to the question "How hard are you willing to work to keep 'them' from tracking you?" Judging from the article, after moving to a new location you'd have about an hour of use of the card before they got "too close for comfort." After that, you'd have to move again. If the article is accurate, and your movements were at least to another county, you could theoretically maintain the cat and mouse game indefinitely.

Another thing to note: if you are in constant motion while using your aircard, triangulation will be several orders of magnitude harder. I'm not saying impossible, just a lot more expensive in both manpower and equipment. This is how commercial semi-truck drivers can get away with CB radios broadcasting with multiple hundreds of watts (FCC limit is AFAIK 4 watts) without the FCC cracking down on them.

Dom De Vitto • April 16, 2013 4:11 PM

Motion is the worst thing you can do.
Unless you're in a 10-mile corn field, you'll be on a road, or other movable space. That's just reduced search space by a couple of orders.
Imagine plotting lots of (iPhone-style) error circles around a dot, and doing that once a second for a while, and it's obvious not only which road you're on, but how fast, how much error is in the system (instrument error) - because you'll be on one side of the road, even if you could be +/- 100m along it.

Staying still, however, and that error circle stays the same size due to instrument error, and if the circle is hovering over a 50-floor block of flats, that's a lot of house-to-house searches.

Spies • April 16, 2013 5:35 PM

The real problem is they knew he used an air card/sim card dongle in the first place. If this guy was using tor with proxies chained to the end so he could do his fraud it's unlikely they would've been able to find him.

I haven't read the court docs but I'm guessing he used some silly 'Super Anon VPN' service which handed over logs to the feds, which identified his IP thus air card.

Spies2 • April 16, 2013 7:29 PM

So, after reading all the motions and exhibits/warrant it appears the FBI did not only use the reprogramming of the card by Verizon to determine his location. Verizon states they are unable to do what the FBI asked and not capture data at the same time, as the FBI wanted some sort of real-time access to the air card.

The FBI warrant explicitly stated they were not seeking communications eavesdropping but instead location information. However, mysteriously, according to the court documents, all evidence retrieved from the air card was deleted by the FBI after they presented sworn statements of information they collected. Most likely because it was full of communications they weren't supposed to have without a warrant, so to save the case they destroyed this information.

The FBI didn't have to use this method. If you read the history of this guy's dumb crimes, he is the poster boy for everything you never do while committing felonies. He used the same air card to commit his massive tax fraud and to contact all his associates who were by this time CIs. His little fraud script he used messed up and some of the fake returns were processed using the air card's real IP.

He also contacted his cronies (FBI CIs) through, which everybody knows is not safe. He used his real IP a few times there as well.

He also constantly bragged and dropped OPSEC whenever he could to basically confess his whole operation, computer setup, history of crimes (they could look up and further match to his air card, or trace pseudonyms he used because he kept reusing the same ones), his insane plans to wage war on the feds with assassin air drones and other hilarious comedy gold.

He picked up mailed cash from the CIs on camera and reused the same cards over and over to clean out fraudulent tax refunds so his picture would've led them to him eventually not to mention his detailing of absolutely everything to the CIs through bragging.

He used Windows XP (lol) with Diskcryptor, which the feds were unable to decrypt except for one virtual drive but details on how they did it I couldn't find. I assume he just left it mounted and open.

Shockingly, the feds used WinRAR to archive all the data on that drive for forensic analysis, which should be thrown out of court because WinRAR changes the access times of all the files, and he was in custody by then. They are supposed to image the drive and then do stuff like that.

So if he wins all his motions most of his charges are gone, except for the fact he's on camera withdrawing fraud funds numerous times and on camera picking up mailed cash from CIs. He's still going to get hefty prison time but I hope the judge in this case doesn't let the FBI get away with their mysterious deletion of all data obtained from the card, or very shoddy forensic acquisition by the IRS investigators.

tl;dr if this idiot threw that card out and used a new one he wouldn't be in jail, but it's probably a good thing he is since he's a violent criminal nutjob judging by his endless threats he emailed to CIs that if they tried to bust him while picking up mailed money he would kill everybody in the fedex store with his AR-15

Peter A. • April 17, 2013 5:39 AM

@ted & @anon: for a CDMA2000 aircard (as it was apparently the case) getting to recognize "tower change" without a decent signal analyzer that can decode and interpret the spread-spectrum signal - or access to the card's internals or a diagnostic mode - would be very difficult if not impossible. The reason is that the transmitted power varies significantly during normal operation.

First of all, for a simple voice call, power level would depend not only on environmental conditions, but also on the number of other users active in your area.

Secondly, data connection is different. It keeps a low-speed channel (same as for voice, 9600 bits per second) for most of the time; but can drop it completely (and "re-dial" later) when there's no data to send for some time (10-30 seconds, usually). This low-speed fundamental channel (in CDMA tech-speak) is augmented by higher-speed (power-of-two multiplies of 9600 bps), transient (hundreds of milliseconds), supplemental channels, assigned by the cellular system on request, if there's some more data waiting in the buffers. The system tries to assign transmission capacity fairly for all active users.

So during normal data transmission power varies depending on the amount of data available for transmission and on the currently available capacity of the system. A simple RF power meter would show constantly changing readings. It just *may* be possible, by averaging the power for a longer time while sending a constant-throughput data stream, to discern some longer-term changes that just *may* mean a "tower change" - but it could as well mean that some more users came in and you are getting a smaller share of the resources, or some users just left your area and you're getting a bigger share of spectrum - and your phone is putting out less/more power as a result.

Having said that, many phones (and possibly aircards too) have a diagnostic mode, that allows "peeking" at cellular protocol internals. If you know how to enable it, or are able to upload a software version with diagnostic mode to your device, and know the usually proprietary diagnostic protocol, you could see what your device is doing. If you know what to look for, you'll know what it's up to, including "tower changes". But to know which ones are legitimate, you'll need a list of them - possibly by mapping them out yourself beforehand, using the diagnostic mode. If a new tower appears, look for construction work nearby... OR RUN!!!
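The two detection ideas in the thread, Anon's transmit-power baseline and Peter A.'s objection that single readings are too noisy (with his alternative of mapping the legitimate cells beforehand from a diagnostic mode), can be made concrete on constructed data. The following is an added example, not code from the blog post or from any commenter: the power samples, the diagnostic-log line format (`PILOT pn=... sid=... nid=...`) and the allowlist of surveyed cells are all invented here, and real vendor diagnostic formats differ.

```python
"""Two detection checks from the comment thread, run on constructed data.

Added example, not from the post or the commenters. Part 1 compares a
per-reading threshold (every transient burst trips it) with a windowed
average (a sustained step-up still shows after a few seconds). Part 2
checks cell identifiers from a hypothetical diagnostic-mode log against a
pre-surveyed allowlist. All values below are constructed.
"""
import re
import statistics

# ---- Part 1: transmit-power baseline ---------------------------------------
# One reading per second, in dBm (constructed). The normal cycle contains a
# short burst (18) standing in for a supplemental channel being assigned for
# a few hundred ms. From t=40 a sustained step-up begins, standing in for the
# forced power increase the article describes.
NORMAL_CYCLE = [10, 12, 9, 14, 11, 18, 8, 15, 10, 13]
SAMPLES = NORMAL_CYCLE * 4 + [20, 22, 21, 23, 20, 24, 22, 21, 23, 22]


def baseline(samples, n=20):
    """Mean and population stdev of the first n readings, taken while quiet."""
    head = samples[:n]
    return statistics.mean(head), statistics.pstdev(head)


def flag_raw(samples, mean, sd, k=2.0):
    """Indices of single readings more than k stdevs above the baseline mean.
    Every transient burst trips this, which is Peter A.'s objection."""
    return [i for i, v in enumerate(samples) if v > mean + k * sd]


def flag_windowed(samples, mean, sd, window=10, k=2.0):
    """Start indices of windows whose mean exceeds the baseline mean by more
    than k standard errors (sd / sqrt(window)). Averaging suppresses the
    bursts, but a sustained shift still crosses the limit within seconds."""
    limit = mean + k * sd / window ** 0.5
    flagged = []
    for start in range(len(samples) - window + 1):
        if sum(samples[start:start + window]) / window > limit:
            flagged.append(start)
    return flagged


# ---- Part 2: known-cell allowlist from a diagnostic log --------------------
# Hypothetical line format for a diagnostic-mode dump (constructed; real
# vendor formats differ). A cell is identified here by system id (sid),
# network id (nid) and pilot PN offset (pn).
PILOT_RE = re.compile(r"PILOT\s+pn=(\d+)\s+sid=(\d+)\s+nid=(\d+)")

# Cells mapped out beforehand, as Peter A. suggests (constructed values).
KNOWN_CELLS = {(4, 12, 168), (4, 12, 264), (4, 12, 72)}

DIAG_LOG = """\
08:05:01 PILOT pn=168 sid=4 nid=12 ecio=-7.5
08:05:11 PILOT pn=264 sid=4 nid=12 ecio=-9.0
08:05:21 garbage line that does not parse
08:05:31 PILOT pn=336 sid=4 nid=12 ecio=-4.0
08:05:41 PILOT pn=168 sid=4 nid=12 ecio=-8.0
"""


def parse_pilot(line):
    """Return (sid, nid, pn) for a PILOT line, or None if it does not parse."""
    m = PILOT_RE.search(line)
    if not m:
        return None
    pn, sid, nid = (int(x) for x in m.groups())
    return (sid, nid, pn)


def unknown_cells(log, known):
    """(timestamp, cell) for every cell seen that is not on the allowlist."""
    hits = []
    for line in log.splitlines():
        cell = parse_pilot(line)
        if cell is not None and cell not in known:
            hits.append((line.split()[0], cell))
    return hits


if __name__ == "__main__":
    mean, sd = baseline(SAMPLES)
    print(f"baseline mean={mean:.1f} dBm sd={sd:.2f}")
    print("raw alerts at t =", flag_raw(SAMPLES, mean, sd))
    print("windowed alerts from t =", flag_windowed(SAMPLES, mean, sd))
    print("unknown cells:", unknown_cells(DIAG_LOG, KNOWN_CELLS))
```

On this data the per-reading check fires on every burst in the normal cycle (t = 5, 15, 25, 35) before it ever sees the real step-up, while the windowed check stays quiet through all the normal traffic and first fires on the window starting at t = 32, eight seconds into the step-up. The allowlist check reports the one cell (PN offset 336) that was not in the survey and skips the line that does not parse; as Peter A. notes, an unlisted cell may just as well be new construction, so the alert is a prompt to investigate rather than proof of tampering.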
