Fake Cell Phone Towers Across the US

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that's part of CryptoPhone from the German company GSMK. And in both cases, we don't know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can't regulate who gets to use it. The FBI has been protecting Stingray like it's an enormous secret, but it's not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.

Posted on September 19, 2014 at 6:11 AM • 80 Comments

Comments

Claus • September 19, 2014 7:55 AM

Only a matter of time until someone gets their hands on such an IMSI device and reverse-engineers and exploits it. Then maybe we'll find out who's running them.

Bruce Schneier • September 19, 2014 8:01 AM

"Maybe I'm wrong, but isn't Friday the time for squids"

Not wrong, just early. The squid post is in the afternoon.

Martin diehl • September 19, 2014 8:09 AM

"the CryptoPhone was forced down from 4G to 2G, a much older protocol that is easier to decrypt in real-time."
Is that true? ... How would end to end encryption be defeated by slower bit rate?

Jay Woods • September 19, 2014 8:09 AM

I had understood that towers required building permits in most localities. Who got the permits for the fake cell phone towers? Who owns the land that the towers are on?

And if they require permits and don't have them, why aren't they being torn down?

keiner • September 19, 2014 8:21 AM

@Jay Woods

"And if they require permits and don't have them, why aren't they being torn down? "

Nice idea, let's start with a little walk around these buildings, but ... wait! They tried that in Germany with the infamous Dagger Complex (private airfield NSA complex close to Frankfurt airport and many, many other interesting locations) and got visited by... the POLICE, and then the secret service dropped in.

Nice simulation of democracy we have here in "the West".

http://www.spiegel.de/netzwelt/netzpolitik/spaziergang-zum-dagger-complex-interessiert-die-polizei-a-911215.html

paranoia destroys ya • September 19, 2014 8:24 AM

Has there been confirmation that these exist from other sources than a company trying to sell a $3,000 secure phone? All of the linked articles mention the exact model of the CryptoPhone 500 so it probably is a marketing campaign.

bcs • September 19, 2014 8:49 AM

The next gen cell standard should be designed so things like Stingray are trivially easy to build and utterly irrelevant. E.g. SSL encrypt all traffic with pinned certs (or whatever is used to fix/mitigate the problems certs have).

keiner • September 19, 2014 8:52 AM

@paranoia

Absolutely right! These towers have been built by the CryptoPhone company, they are the evil! Makes perfect sense...

H. Smith • September 19, 2014 8:58 AM

@Martin diehl

The 2G contact with the base station is what's being decrypted in real time. Your TLS session is probably OK, unless they're also using the extra time to forge MITM certificates, but your phone calls and texts to Aunt Mildred are certainly being listened to.

nobody@localhost • September 19, 2014 9:04 AM

In a pre-Snowden-era presentation, Life as a Target—Welcome to the Club, the retired NSA cryptographer Dickie George repeatedly stated that he wanted everybody's computers and networks to be secure--even the Chinese!--that everybody should be secure, and we can work from there.

He said things on this topic, that I think most people here would agree with (including me). Bruce says, "We can't choose a world where the US gets to spy and the Chinese don't.... We can be secure from everyone, or vulnerable to anyone." Dickie George basically said as much in that presentation.

George also said several times and rather emphatically, he was retired from NSA and only speaking for himself. But still, it was reasonable to think that his expressed position was consistent with the NSA position.

In partial answer to one of my own questions, most people seem to miss that the worst betrayal revealed by whistleblower Edward Snowden is that the "National Security Agency" deliberately makes everything insecure--from the undermining of standards, to the "encouragement" of buggy code.

Everybody even a little bit smart knew for past three decades that the NSA wiretaps everything it can possibly wiretap. I was "shocked but unsurprised" at the documentation of PRISM. I was flabbergasted to learn the NSA is the world's biggest blackhat operation who, like many blackhats, starts and ends by socially engineering our trust.

WE TRUSTED THE NSA. Sure, they might try to tap our lines and read our e-mail. Sure, they might have mathematical wizards like Dickie George working with supercomputers to break our codes. But we trusted they were a Security agency, and would want things to be more secure. Just like Dickie George said.

WE TRUSTED THE NIST STANDARDS PROCESS. Not anymore. No way.

WE RESPECTED THE NSA. Then we learned they are scum. They aren't even "honestly dishonest", like amoral blackhats underground who seem to have a kind of postmodern version of "thieves' guild" culture. The NSA preaches to us, pats us on the head and reassures us, then twists the knife in our backs.

I think many smart people had for many years a kind of ambivalent, love/hate view of NSA. That is now replaced by outrage at an irreparable treachery. Thanks to Snowden, we now know that NSA is the worst insider attack in history.

wiredog • September 19, 2014 9:19 AM

From reading the Post article it's clear that the proper conclusion is that most of the "hits" may be fake towers. Several of the hits described are the phone switching from 3g to 2g. No one's phone ever does that other than when it's being attacked? Because my Nexus 5 drops from 4 to 3 to 2 to 0 and back as soon as I get beyond the Beltway, and often in the more built up parts of Arlington. No way this could be due to weak signal strength. Nope. Must be an attack.

That said, I'd be amazed if there weren't at least 3 domestic agencies tracking things in DC (we've got choppers and fighters constantly circling overhead, too) and, let's see, at least 5 foreign governments "keeping an eye on things" (but not spying!) in DC. Probably have that going on in McLean VA and Columbia MD too. And out Chantilly way.

Concerned Citizen • September 19, 2014 9:21 AM

If you're worried about domestic surveillance, then you indefinably should check out this article on The Reg. Apparently, "The FBI wants greater authority to hack overseas computers." Wow! Am I not even safe if I live and work overseas? Does simply holding US citizenship entitle the government to spy on me wherever I am? Scary.....

T!M • September 19, 2014 9:29 AM

@ Bruce Schneier
"Not wrong, just early. The squid post is in the afternoon."

Ok, 6:36 AM in your time-zone is a bit too early. My fault, but I hope you like my 350kg squid article :)

@ all
Since 2001 Rohde & Schwarz has sold a product called TopSec Mobile, and if I had the need for encrypted phone calls, this would be my choice.

The CryptoPhone is based on Android and I don't have a bit of trust in this OS. The TopSec system establishes a connection via Bluetooth and encrypts everything before sending it to the (potentially hacked) smartphone. If the smartphone is hacked and records anything the microphones can hear, then this wouldn't be a great help, but I think it's better nevertheless.

one more fix pls • September 19, 2014 9:29 AM

"In both cases, researchers used by security software that's part of CryptoPhone"

Cryptic, and/but not grammatical.

Nickie • September 19, 2014 9:32 AM

@Jay Woods: A cell "tower" need not be on an actual tower. Many are on roof tops, water tanks, in church steeples, etc.

It would be trivial to set up a cell site in the window of an upper floor office or apartment. A corner suite would give a nice 270 degree "view" to capture phone traffic.

Bob S. • September 19, 2014 9:32 AM

"...I'm tired of us choosing surveillance over security." ~Bruce Schneier

Me too. Except, do we have any choice at all between the two?

Governments and corporations all over the world have chosen surveillance because it generates data, power and revenue. Meanwhile, elected officials who could put a stop to it simply will not. And, that is happening all over the world, not just a few rogue states like the USA.

What are the real choices here?

Next topic:

"Israeli politicians and a former military intelligence commander have hit back at reservists who criticized Israel for spying on ordinary Palestinians.

Last week, 43 Israeli military intelligence reservists signed a letter refusing to serve in the occupied Palestinian territories over fears snoops were planning to blackmail individuals into becoming informants.

The letter alleged that Israel Defence Force Unit 8200 – Israel's equivalent of the NSA – undertook "all encompassing" surveillance of Palestinians' medical conditions, finances, sexual orientation and infidelity in order to gain information that might be used to blackmail individuals into becoming informants against their own people."

Israeli spies rebel over mass-snooping on innocent Palestinians

There is no doubt in my mind NSA and siblings are capable and likely participate in these kind of activities.

BoppingAround • September 19, 2014 9:47 AM

> And I'm tired of us choosing surveillance over security.

Funny enough, plenty of those who choose surveillance think they have actually chosen security.

nobody@localhost • September 19, 2014 9:55 AM

@nickie

@Woo

The term "tower" is totally wrong--perhaps even misdirection. The IMSI catchers can be vehicle mounted, or operated out of something which looks like a large briefcase.

wiredog • September 19, 2014 10:17 AM

I used to have a micro-cell from Verizon that plugged into my internet router which only connected for 2g, and voice only. I wonder if that would set off one of these phones?

Rae • September 19, 2014 10:48 AM

A lot of ways to find out what's going on. As mentioned, find out who owns the land the tower sits on, although that will likely be a shell corp.

Bring it up with a local governing body. Check tax records.

Surely these towers need regular maintenance? Set up a camera across the street, cause some minor mayhem on the property, and see who shows up to fix it. Investigate from there.

nobody@localhost • September 19, 2014 11:21 AM

@Bruce Schneier

Please append to this post a big bold note that the fake cell "towers" are not actually towers, and can be vehicle-mounted or man-portable.

This is really important. The term "fake cell towers" is serving as a disinfo misdirection. Many people are looking around for actual towers now, and I don't want to spam these comments section saying the same thing again.

Thank you.

@Rae

See above.

Blimp • September 19, 2014 11:24 AM

Bruce, do you still have hope of meaningful anti-surveillance changes happening within society going forward?

CallMeLateForSupper • September 19, 2014 11:38 AM

In a post here nearly two weeks ago,

I parroted what a Chicago CBS-affiliate blog post had stated about the physical nature of these so-called "towers", which is to say they seem to be *portable*electronic*devices* that behave like a commercial cell tower. If that characterization is indeed the case then one would be hard-pressed to "tear down a tower" or "check [property] tax records" in an effort to unmask owners/operators.

IMO, the media should stop saying e.g. "fake cell towers" and say instead e.g. "Stingray-type devices".

OFF topic:
We have cell towers that look like what they are, and we have IMSI catchers that act like real cell towers. There are also cell towers that look like trees or saguaro cacti. I stumbled on an example of the former in a corner of an agri. field (vineyard?) just east of Delano, California,

nobody@localhost • September 19, 2014 12:04 PM

@CallMeLateForSupper

For nomenclature, I suggest "fake cell base stations", "fake mobile phone receiver", or similar. Use familiar language. Your suggestion "Stingray-type devices" requires that people heard of Stingray; my first instinct "mobile man-in-the-middle" rolls off the tongue, but is too technical jargon-like (as is "IMSI catcher"). But everybody can get the idea of what a "base station" or "receiver" is.

Bruce Ediger • September 19, 2014 12:33 PM

Has anyone published specific locations (lat/long or street addresses) for these fake base stations? If I had the address of the one in Denver, I'd go check it out and post pictures and so forth. Anyone?

Z.Lozinski • September 19, 2014 1:34 PM

@Martin diehl
"Is that true? ... How would end to end encryption be defeated by slower bit rate?"

Yes. It is not the slower bit-rate but the fact that the system design (including the encryption and security) is completely different for 2G ("GSM") and 4G ("LTE"). The over-the-air encryption algorithms are different in 2G, 3G and 4G. In 2G the device trusts the network, which is why IMSI-catchers work. There was discussion of authentication of the network by the device for LTE. (I'll have to take a look at the specs to see what was finally agreed and how robust it is.)
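The point Z.Lozinski makes, as an added toy model (not from the comment, GSMK or the 3GPP specs): on 2G the phone answers whatever RAND it is handed, so a base station that knows no key is authenticated exactly like the genuine one; with network authentication (the 3G/4G design) the phone checks the network's proof first and also rejects a replayed challenge. HMAC-SHA256 stands in for the real SIM algorithms (A3/A8, f1/f2), the message layout is a simplification of AUTN, and the IMSI and keys are constructed.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SIM algorithms (A3/A8 in GSM, f1/f2 in UMTS/LTE)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Sim:
    """Subscriber side: holds the long-term key Ki shared with the home network."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki, self.last_sqn = imsi, ki, 0

    def answer_2g(self, rand: bytes) -> bytes:
        # GSM: SRES = A3(Ki, RAND). The phone proves itself to whoever sent
        # RAND; nothing in RAND proves the sender knows Ki, so a fake base
        # station gets the same answer as the real one.
        return prf(self.ki, b"A3", rand)[:4]

    def answer_3g(self, rand: bytes, autn: bytes):
        # UMTS/LTE-style: AUTN = SQN || MAC with MAC = f1(Ki, SQN, RAND).
        # Only a party holding Ki can produce a valid MAC, so the phone can
        # refuse before it hands over anything.
        sqn_bytes, mac = autn[:6], autn[6:14]
        expected = prf(self.ki, b"f1", sqn_bytes, rand)[:8]
        if not hmac.compare_digest(expected, mac):
            return None  # network failed to authenticate itself
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.last_sqn:
            return None  # replayed challenge captured from a genuine exchange
        self.last_sqn = sqn
        return prf(self.ki, b"f2", rand)[:8]  # RES


class HomeNetwork:
    """Genuine operator core: the only other holder of each subscriber's Ki."""

    def __init__(self):
        self.keys, self.sqn = {}, 0

    def provision(self, imsi: str, ki: bytes) -> None:
        self.keys[imsi] = ki

    def challenge_2g(self, imsi: str) -> bytes:
        return os.urandom(16)

    def challenge_3g(self, imsi: str):
        self.sqn += 1
        rand = os.urandom(16)
        sqn_bytes = self.sqn.to_bytes(6, "big")
        return rand, sqn_bytes + prf(self.keys[imsi], b"f1", sqn_bytes, rand)[:8]


class FakeBaseStation:
    """An IMSI catcher: can broadcast and issue challenges but knows no Ki."""

    def challenge_2g(self, imsi: str) -> bytes:
        return os.urandom(16)  # indistinguishable from a genuine RAND

    def challenge_3g(self, imsi: str):
        return os.urandom(16), os.urandom(14)  # an AUTN it cannot compute


def attach(sim: Sim, station, generation: str) -> bool:
    """True if the phone completes authentication with this station."""
    if generation == "2G":
        return sim.answer_2g(station.challenge_2g(sim.imsi)) is not None
    rand, autn = station.challenge_3g(sim.imsi)
    return sim.answer_3g(rand, autn) is not None


def replay_rejected(sim: Sim, home: HomeNetwork):
    """Record one genuine 3G challenge and play it back; returns (first, replay)."""
    rand, autn = home.challenge_3g(sim.imsi)
    first = sim.answer_3g(rand, autn) is not None
    replay = sim.answer_3g(rand, autn) is not None
    return first, replay


def make_parties():
    ki = os.urandom(16)
    sim = Sim("001010123456789", ki)  # constructed IMSI on test PLMN 001-01
    home = HomeNetwork()
    home.provision(sim.imsi, ki)
    return sim, home, FakeBaseStation()


if __name__ == "__main__":
    sim, home, fake = make_parties()
    for gen in ("2G", "3G"):
        print(gen, "genuine:", attach(sim, home, gen), "fake:", attach(sim, fake, gen))
    print("replay accepted?", replay_rejected(sim, home)[1])
```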

Fatrick • September 19, 2014 1:41 PM

I don't get why I'm supposed to care about this.

I don't rely on my cell service provider to encrypt and care for my data, just like I wouldn't expect my hardwired internet service provider to encrypt and protect my data.

All networks should be considered hostile. If you don't assume that, you get what you deserve.

one more fix pls • September 19, 2014 2:36 PM

"In both cases, researchers used by security software that's part of CryptoPhone"

Cryptic, and/but not grammatical.

I guess I should have been more explicit: I too am asking for a fix b/c I don't know what that is supposed to mean! The "by" is superfluous/extraneous/wrong, and highly flummoxing. And my flummox capacitors are full to bursting.

Name (required) • September 19, 2014 3:00 PM

Bruce says, "I'm tired of us choosing surveillance over security."

That's as concise and blunt an appraisal as any pundit (or expert) is making publicly.

BUT SO WHAT?

Who needs more appraisals? It's time some smart people started speculating, intelligently and impolitely, about WHERE THE HELL all this is coming from.

I don't believe (like 45% of Russians do) that a small and secret cabal of perhaps seven powerful men control the world as if by "puppet strings", but I can believe that the super-rich and corporations have colluded to leverage global power from governments to an unprecedented (in recent times, anyway) degree in an extremist display of extremist self-interest (there are at least a few voices airing these sorts of ideas).

I wish someone would begin writing about the root of the problem, instead of its many branches. We can SEE the damn branches for ourselves (thanks to Snowden, Assange, Manning et al) already. Not saying it's an easy topic to broach, but we could use some leadership.

Mr. Schneier and friends, can you not occasionally take the discussion to a higher level? Or make some contribution (eg. a link!) towards such? Please? We the ordinary voters and activists don't have the info needed to strike at the heart of the problem, it seems. Things aren't getting much better yet, and certainly no government has been reined in at all, nor anyone else.

JonKnowsNothing • September 19, 2014 3:56 PM

@Name (required)

There is a big reason you won't see detailed specifics about how to fix the problems and that is the problem is in the very fundamental designs of how everything works right now. It's like it's in the DNA of every computer system, communications system, software program, devices like TVs, Cell Phones and soon your home lighting (The Internet of Things). It's so deeply entrenched that finding a way out of the maze is beyond what any one person or even a good size group of people can do.

To do anything is to break everything.

The general public are not ready to accept any breakage at all. Just check the pre-order stats for Apple's new cell phone. It doesn't matter one bit or byte that Apple claims they won't hold your encryption keys because there are a million other ways those can be acquired, or the keys may not even be necessary at all to access your information.

It's not that folks aren't thinking of what to do though but as soon as you stick your head up with an idea you are going to get a ton of bricks dumped on you and make yourself the target of every NSAer on the planet. There isn't a security agency or government or local police department that wants you to be "private". You don't have it now, you only thought you had it in the past and you won't have it anytime in the future.

To break the system means a lot of lost $$ to some huge corporations too. They will drive up your driveway and take all the StreetViews of your house and make sure that your home is the center of the map for anyone calling up your zip code.

It's not easy to redesign the world when there are so many who have a vested interest in keeping it exactly as it is.

The hope is that some of the very biggest targets will get "annoyed" enough to break it for us. Once it's broken, then there's a chance, a small chance, that things will improve. It's not much of a chance, but it's there.

Peter A. • September 19, 2014 4:41 PM

Doesn't the FCC (or whatever organization in the USA oversees frequency assignment) keep a public record of RF-transmitting civilian-use stations, including "the cell towers"? There is such a list in my country (however deeply buried on the gov's web pages) and there are some hobbyist web apps that pull it from there and superimpose various parts of it on Google Maps.

Just take that list (if it is available), get a phone which can be put into "monitor mode" and verify if the frequencies, IDs and locations of the base stations are on the list... if not, it is a fake (or a femtocell?)
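Peter A.'s check written out as an added example (not the commenter's code, and not any real registry's export format): cells seen in monitor mode are matched against a registry by cell identity, channel and distance from the registered site, and wiredog's caveat that downgrades happen on weak signal is folded in by flagging only a drop to a *strong* 2G cell. The registry rows, the trace, the coordinates and the field names are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RegisteredCell:
    mcc: int
    mnc: int
    lac: int
    cid: int
    channel: int   # ARFCN/UARFCN/EARFCN the site is registered on
    lat: float
    lon: float


@dataclass(frozen=True)
class Observation:
    mcc: int
    mnc: int
    lac: int
    cid: int
    channel: int
    rat: str        # what the phone camped on: "2G", "3G" or "4G"
    rssi_dbm: int   # received signal strength
    lat: float      # where the phone was when it saw the cell
    lon: float


CellKey = Tuple[int, int, int, int]

# Constructed registry: two sites of a fictitious operator on test PLMN 001-01.
REGISTRY: Dict[CellKey, RegisteredCell] = {
    (c.mcc, c.mnc, c.lac, c.cid): c
    for c in (
        RegisteredCell(1, 1, 1001, 5001, channel=512, lat=38.900, lon=-77.040),
        RegisteredCell(1, 1, 1001, 5002, channel=520, lat=38.910, lon=-77.020),
    )
}

# Constructed monitor-mode trace: two normal 4G cells, then the phone lands on
# a strong 2G cell whose identity appears in no registry.
OBSERVATIONS: List[Observation] = [
    Observation(1, 1, 1001, 5001, 512, "4G", -72, 38.900, -77.040),
    Observation(1, 1, 1001, 5002, 520, "4G", -78, 38.905, -77.030),
    Observation(1, 1, 1001, 9999, 514, "2G", -55, 38.905, -77.030),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def check_against_registry(obs: Observation, registry=REGISTRY, max_km: float = 35.0) -> List[str]:
    """Reasons the observed cell is inconsistent with the registry; [] means consistent.
    35 km is the nominal maximum GSM cell radius, so a registered site farther away
    than that cannot be the transmitter the phone is actually hearing."""
    rec = registry.get((obs.mcc, obs.mnc, obs.lac, obs.cid))
    if rec is None:
        return ["cell identity not in registry (fake, or an unregistered femtocell)"]
    reasons = []
    if rec.channel != obs.channel:
        reasons.append(f"seen on channel {obs.channel}, registered on {rec.channel}")
    dist = haversine_km(obs.lat, obs.lon, rec.lat, rec.lon)
    if dist > max_km:
        reasons.append(f"registered site is {dist:.0f} km away")
    return reasons


def suspicious_downgrades(trace: List[Observation], strong_dbm: int = -65) -> List[int]:
    """Indexes where the phone fell from 3G/4G to a *strong* 2G cell. Assumption:
    the weak-coverage fallback wiredog describes shows up as a weak 2G cell, so
    only a strong one at a spot that just had 3G/4G is worth a second look."""
    return [
        i for i in range(1, len(trace))
        if trace[i - 1].rat != "2G" and trace[i].rat == "2G" and trace[i].rssi_dbm >= strong_dbm
    ]


def audit(trace: List[Observation] = OBSERVATIONS, registry=REGISTRY) -> Dict[int, List[str]]:
    """Observation index -> reasons, for every observation that raised one."""
    findings = {i: check_against_registry(o, registry) for i, o in enumerate(trace)}
    for i in suspicious_downgrades(trace):
        findings[i].append("strong-signal downgrade to 2G")
    return {i: r for i, r in findings.items() if r}


if __name__ == "__main__":
    for i, reasons in audit().items():
        print(f"observation {i}: " + "; ".join(reasons))
```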

paranoia destroys ya • September 19, 2014 4:47 PM

@ keiner
Is there confirmation, such as pictures or locations, other than the claim by CryptoPhone or using their equipment, that the towers exist? Otherwise this could be another case like ghosthunters and bigfoot trackers faking evidence.

I don't remember where I heard this quote but it is good to keep in mind to avoid wasting time being misdirected away from the actual security issues we face:
"There are enough real conspiracies out there that we don't need to search for conspiracy theories."

nobody@localhost • September 19, 2014 8:33 PM

@Chris Abbott

Given the recent discussion (amidst which your name appeared) where the total brokenness of the trust model used with SSL/TLS was pointed out, I ask, did you forget the satire tag?

(I only point this out, because I was recently admonished in another thread that I should clearly mark my jokes. ;-)

Skeptical • September 19, 2014 8:55 PM

We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.

Bruce, honest question: should I take the logic of this quote to the fullest extent possible, or are there certain qualifications that are not included?

Should it be possible for the government, via a search warrant, to compel a telecommunications carrier to enable eavesdropping or even just enable metadata capture?

If the answer is no - that to be secure we each must have a lockbox to which we only have the key and which cannot be opened by anyone else, including the government - then this would be a dramatic shift in American law and policy.

For while American law has always (albeit imperfectly and to varying degrees) protected privacy, it has also always admitted the strength of the countervailing consideration: the public interest in the government having access to evidence of criminal acts or to foreign intelligence.

Though the standards by which these interests were balanced has shifted over time, the courts and the law were nonetheless viewed as the final arbiters.

Here though, you seem to be saying: if we are vulnerable to a court ordered search warrant, then we are vulnerable to anyone.

That seems like an awfully strong claim to make - which doesn't mean it's wrong of course, but it does raise the task of persuasion considerably.

Or, am I misreading you and are you proposing something more moderate?

nobody@localhost • September 19, 2014 9:29 PM

@"Skeptical"

I usually do not feed trolls-at-work, but: A Court Order is an Insider Attack.

Or, am I misreading you and are you proposing something more moderate?

Am I misreading your suggestion that the Russian and Chinese security services, as well as underground blackhat gangs, should be able to hack my network and illegally wiretap my communications for purpose of identity theft, industrial espionage, etc.?

Because that is required, if you also want to get your co-workers^Wpeople a front door, back door, or any kind of door.

In other words, you can't have your cake and eat it too. 2+2 will always equal 4 no matter how much you wish otherwise.

Can't speak for Bruce, but this is my interpretation of his post (rephrased in much stronger language).

P.S. As I linked earlier in this same thread, a retired NSA employee has said something very similar. I dearly wish that reflected NSA reality.

nobody@localhost • September 19, 2014 9:49 PM

@Chris Abbott

I find myself sometimes 10 times a day, realizing I trust something I know better than to trust. Recognizing this is not natural; I had to cultivate the ability, and I still fail too often for comfort. I don't think I'm a "dumbass".

The whole stack of leaky abstractions and pure foolhardiness we call "The Internet" only exists because of an institutionalized culture which depends on certain blind spots. Grandma sees the padlock icon and the green bar; you've probably read the SSL/TLS RFCs, studied other protocols, then lost your head in discussion of whether it is better to MAC-then-encrypt or encrypt-then-MAC (or of which hash algo is stronger). So you see a problem with the mobile phone system, and think "let's borrow a well-known, widely-implemented protocol suite we use every day to protect high value transactions".

It's an interesting phenomenon, and also why this mess will not be fixed despite 15 months and counting of giant wakeup calls.

P.S., please provide the host part of my address (not just the box part). I don't want my mail to be lost. ;-)

Chris Abbott • September 19, 2014 10:01 PM

@Skeptical

"Should it be possible for the government, via a search warrant, to compel a telecommunications carrier to enable eavesdropping or even just enable metadata capture?

If the answer is no - that to be secure we each must have a lockbox to which we only have the key and which cannot be opened by anyone else, including the government - then this would be a dramatic shift in American law and policy.

For while American law has always (albeit imperfectly and to varying degrees) protected privacy, it has also always admitted the strength of the countervailing consideration: the public interest in the government having access to evidence of criminal acts or to foreign intelligence."

It is in the public interest for the government to be able to gather intelligence and criminal evidence. The problem is, the government has abused its abilities in the name of public interest. One must always balance benefit with risk, pros with cons, etc. It's now in the public's best interest to protect itself from extreme government intrusion; since the government has been proven to be untrustworthy with these abilities in the name of "public interest", we now have to choose 'security over surveillance'.

"Though the standards by which these interests were balanced has shifted over time, the courts and the law were nonetheless viewed as the final arbiters."

Here's the problem, the courts and the law have proven themselves to be untrustworthy as well. Recent documents indicate that the FISA court has never really denied any requests from the NSA. What builds an even stronger case is the fact that the Foreign Intelligence Surveillance Court is making rulings regarding Domestic surveillance.

"Here though, you seem to be saying: if we are vulnerable to a court ordered search warrant, then we are vulnerable to anyone."

I don't believe he's talking about a warrant. What he's referring to are things the government have naively used for surveillance thinking they would be the only ones that could exploit it (i.e. the whole NOBUS (Nobody but us) thing with the NSA). What Bruce is saying is that there is no such thing as secure backdoor. There is no security in a security vulnerability. That's why he says, since we have one infrastructure, we have the binary choice of either being secure from all attackers or being secure from no attackers. Basically, nobody can have their cake and eat it...

Chris Abbott • September 19, 2014 10:04 PM

@nobody@localhost

I'll definitely provide the host part in the future ;)

Yeah, I tell myself I'm a dumbass in a joking manner, it is really easy to get lost in all of this stuff.

Chris Abbott • September 19, 2014 10:28 PM

@nobody@localhost

MAC then encrypt or encrypt before MAC...

That's tough. Perhaps MAC before crypt and comparing after decrypt would let you know if something fishy happened in the crypto process, or not. I'm really not qualified to determine which is better. I guess it depends on which is more trustworthy. That could vary amongst different implementations. Who knows? As with most things in life, what we know is decimated in size by what we don't know. We have to sink or swim to find out I suppose.

Have a backup plan in order not to sink, just in case. (That's why I use Carbonite, it's the most secure thing in history).

;)

nobody@localhost • September 19, 2014 11:41 PM

@Chris Abbott

Most cogent explanation I've seen is Colin Percival's argument for Encrypt-then-MAC. Part I'd like to highlight, as very few people think this way (emph per original):

Encrypt-then-MAC has another even more important benefit: When decoding data, you can verify the MAC and discard inauthentic packets without ever decrypting anything. This is useful for two reasons: First, it makes a denial of service attack much harder, since it allows you to discard forged packets faster; and second, it reduces your "attack surface". One of the most important rules of computer security is that every line of code is a potential security flaw; if you can make sure that an attacker who doesn't have access to your MAC key can't ever feed evil input to a block of code, however, you dramatically reduce the chance that he will be able to exploit any bugs.

By the way, the same author has taken a sideswipe at your favourite Carbonite (is it really closed source?). Of course he is not a disinterested party, as he sells his own encrypted backup service (Tarsnap) which he bills as "for the truly paranoid". I have not used either; I just xor all my data with itself to secure it, you know.

This has nothing relevant to IMSI catchers; if you want, I suggest taking this to current squid thread.
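The quoted argument in working form, as an added example (not Colin Percival's code and not the commenter's): both compositions side by side, with each receiver instrumented to count how often it runs the cipher while throwing away forged packets. HMAC-SHA256 in counter mode stands in for the cipher (a PRF-based stream cipher, chosen only to stay in the standard library); the ordering of the MAC is the point, and the keys and message are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in keystream."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tag(mac_key: bytes, *parts: bytes) -> bytes:
    return hmac.new(mac_key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class Stats:
    cipher_runs: int = 0   # how often the receiver entered the decryption code path


# --- MAC-then-encrypt: tag the plaintext, then encrypt plaintext || tag ---
def mte_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + xor_stream(enc_key, nonce, pt + tag(mac_key, nonce, pt))


def mte_open(enc_key: bytes, mac_key: bytes, packet: bytes, stats: Stats):
    nonce, body = packet[:16], packet[16:]
    stats.cipher_runs += 1          # no choice: the tag is inside the ciphertext
    inner = xor_stream(enc_key, nonce, body)
    pt, t = inner[:-32], inner[-32:]
    return pt if hmac.compare_digest(tag(mac_key, nonce, pt), t) else None


# --- Encrypt-then-MAC: encrypt, then tag nonce || ciphertext ---
def etm_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = xor_stream(enc_key, nonce, pt)
    return nonce + ct + tag(mac_key, nonce, ct)


def etm_open(enc_key: bytes, mac_key: bytes, packet: bytes, stats: Stats):
    nonce, ct, t = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag(mac_key, nonce, ct), t):
        return None                 # dropped before the cipher code sees a byte
    stats.cipher_runs += 1
    return xor_stream(enc_key, nonce, ct)


def flip_byte(packet: bytes, i: int) -> bytes:
    b = bytearray(packet)
    b[i] ^= 0x01
    return bytes(b)


def demo(forgeries: int = 1000) -> dict:
    """Seal one message each way, then feed `forgeries` tampered copies to each
    receiver. Returns, per construction, how many forgeries were accepted and
    how many times the cipher ran while rejecting them."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"constructed sample plaintext"
    results = {}
    for name, seal, open_ in (("mac-then-encrypt", mte_seal, mte_open),
                              ("encrypt-then-mac", etm_seal, etm_open)):
        stats = Stats()
        pkt = seal(enc_key, mac_key, msg)
        if open_(enc_key, mac_key, pkt, stats) != msg:
            raise RuntimeError(f"{name}: genuine packet did not open")
        stats.cipher_runs = 0
        accepted = 0
        for i in range(forgeries):
            bad = flip_byte(pkt, 16 + i % (len(pkt) - 16))  # tamper past the nonce
            if open_(enc_key, mac_key, bad, stats) is not None:
                accepted += 1
        results[name] = {"forgeries_accepted": accepted,
                         "cipher_runs_on_forgeries": stats.cipher_runs}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:17s} accepted={r['forgeries_accepted']} "
              f"cipher_runs={r['cipher_runs_on_forgeries']}")
```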

Clive Robinson • September 20, 2014 8:17 AM

@ Fatrick,

I don't get why I'm supposed to care about this.

Well, one reason is malware being put on your phone by whoever is operating these --presumably-- malicious Base Stations.

By forcing the phone to 2G mode it changes the phone's telecom-side security model to one where the base station is implicitly trusted.

This is a form of "Fall Back" attack; with the lack of security caused by the implicit trust of the network, all sorts of bits and pieces can be downloaded onto your phone via OTA updating and SMS(0) messages. When you add to this that something like 1/6th of the SIMs out there have deficient security as well, the chances are good that most phones could have some form of mal/spy ware added to either the phone baseband processor or to the SIM that controls it...

Just one thing that could be done is causing SMS to be silently copied back to another --burner-- phone, or cause SMS or multimedia messages to be sent from your phone.

The mayhem that this alone could cause, should give you pause for thought.

Skeptical • September 20, 2014 1:26 PM

@Chris Abbott: I don't believe he's talking about a warrant. What he's referring to are things the government have naively used for surveillance thinking they would be the only ones that could exploit it (i.e. the whole NOBUS (Nobody but us) thing with the NSA). What Bruce is saying is that there is no such thing as secure backdoor. There is no security in a security vulnerability. That's why he says, since we have one infrastructure, we have the binary choice of either being secure from all attackers or being secure from no attackers. Basically, nobody can have their cake and eat it...

I think that's a more reasonable interpretation, although, as Nobody@localhost shows, it can be read differently.

But what does your interpretation entail in practice? Can we have a secure system that has a feature which permits government access when authorized by a warrant, or would such a feature fall into the category of a security vulnerability and therefore place us on the "secure from no attackers" side of the binary choice you described?

Here's the problem, the courts and the law have proven themselves to be untrustworthy as well. Recent documents indicate the the FISA court has never really denied any requests from the NSA.

Re "recent documents indicate..." it's always interesting to me when I hear that sentiment, because to me recent documents indicate otherwise. The difference is probably captured in our perception of how government attorneys are likely to approach matters that require court approval.

Ideally you want the legal standards under which the court would approve requests to be clear.

When those standards are clear, the government won't submit a request that clearly violates them, because the outcome is obvious. The government's attorneys will say, "this doesn't stand a chance of being approved, and here's why."

So you would expect, if the standards are clear, a high rate of success in the submission of requests. The very purpose of having attorneys involved is, in part, to tell you what kinds of requests will be approved, and what won't, before you submit them to the court.

But what the documents do contain are significant instances where the FISC undertook a detailed, and lengthy, review of NSA practices. These reviews included orders that the NSA furnish weekly reports of certain surveillance activities, conduct extensive audits, and in some cases stop access to certain collected information altogether.

I think there are ways in which we can improve the laws, but I have not seen any reason for distrusting that the FISC is acting appropriately; far from it.

Chris • September 21, 2014 12:48 AM

Hi, just realized there was a thread about IMSI catchers. Posted on the squid thread. I have a question regarding disabling 2G in Android using the hidden INFO page and choosing "Use WCDMA Only". I would guess that it might at least complicate things from an adversary's point of view. Any thoughts?

Nick PSeptember 21, 2014 12:01 PM

@ Skeptical

What you're discussing and what they're doing are different. They don't want warranted, targeted surveillance of suspected lawbreakers. The BULLRUN slides indicate they want *everything* weakened so they can have unlimited, stealthy surveillance. That they're collecting... almost everything... further supports that.

The slides (and Stuxnet event) show that they're willing to inject weaknesses that even enemies can use against us. Only the weakened random number generator shows evidence of them trying to keep enemies out of it. However, that they want deniability means they won't use a rock-solid secure backdoor: they have to insert (or find) the regular vulnerabilities that everyone hits. Secure systems can allow lawful 4th amendment searches through a service provider if designed as such. They don't allow sneaky, unlawful search of everyone and everything. That's why NSA opposes secure computers & weakens systems instead. Infrastructure, banking, government, military... all weakened to maximize their SIGINT abilities.

Note: This is supported by the fact that they tried to block sales of truly secure equipment all the way into the 90's. Logically, that implies they thought it was OK for enemies to control or destroy every computer in the United States except a select few in the defense industry. Funny how they're always talking about the risk of cyberwar while constantly (and stealthily) doing things that would ensure the other side wins. (shakes head in disgust) Who's the real "enemy combatant" that's "aiding the enemy?" Answer: NSA.

Clive RobinsonSeptember 21, 2014 1:32 PM

@ Nick P,

Re the NSA and your comment,

Funny how they're always talking about the risk of cyberwar while constantly (and stealthily) doing things that would ensure the other side wins.

The reason is the same for the Fox that wants to be in charge of the hen house...

To get the job you have to convince the selection panel you are the best for the job, so you talk up what they want to hear, not what your real desire is, which is to be paid to eat a chicken dinner every night, with someone else picking up all the costs, including the blame.

This is a perennial problem with the suppliers of the various security services available: you can never be sure the poacher really is a gamekeeper, not just now but into the future.

The underlying issue is of course that to be a good gamekeeper you have to be up on the latest tricks of the poacher, and as history has proved time and again, for the right price morals and principles are negotiable, financially or otherwise, for a sufficiently large percentage of the population that you should be continuously running oversight with the appropriate watchers watching those watchers.

And as we know oversight in the IC is at best a sick joke, so the Fox gets the chicken dinner and we pick up the eye watering bill.

It's a theme that is even more brutal than Hawks and Doves, maybe somebody should write a book on it ;-)

SkepticalSeptember 21, 2014 3:11 PM


@Nick: What you're discussing and what they're doing are different. They don't want warranted, targeted surveillance of suspected lawbreakers. The BULLRUN slides indicate they want *everything* weakened so they can have unlimited, stealthy surveillance. That they're collecting... almost everything... further supports that.

I actually wasn't discussing what the NSA is doing, though. I was asking about the particular implications of the paragraph in the post.

Read literally, as nobody@localhost reads it, it implies that even allowing for warranted access renders a system secure against no one. Another reading, such as that provided by Chris Abbott, limits the paragraph to the deliberate injection, or deliberate neglect, of vulnerabilities that can be exploited.

So let me ask a more detailed question:

what kind of system would allow for access with a warrant while also avoiding the "secure against nobody" state? Would the type of technical features that are implemented to comply with CALEA be such a system?

name.withheld.for.obvious.reasonsSeptember 21, 2014 4:12 PM

@ Clive Robinson

And as we know oversight in the IC is at best a sick joke, so the Fox gets the chicken dinner and we pickup the eye watering bill.

Hard to imagine a more prescient statement, it's too bad that neither individuals can recognize their own self interest and those in power that don't recognize enlightened self interest. I can speculate that @ Skeptical is incapable of envisioning either concept.

Sancho_PSeptember 21, 2014 6:39 PM

@ Skeptical:

The simple answer to your detailed question is: There can't be such a system.
You should take Bruce’s quote to the fullest extent.

The problem for the TLAs is:
Due to their reckless overreach in data-mining they may also lose the metadata.

Mind that we seem to talk only about personal (“private” or business) communication at the moment.

SkepticalSeptember 21, 2014 8:10 PM


@Sancho: Why? Let me pose a simple hypothetical, since I have great ignorance with respect to technical matters.

Suppose I have a locked box, for which there is one key. Let us postulate that picking the lock on this box is prohibitively expensive. Let us also postulate that this box cannot be forced open.

Call boxes in this class Pick-0 Boxes. Only the right key opens them.

I choose to give a copy of that key to another individual.

Has the locked box thereby lost security with respect to everyone?

The answer is a qualified no; the qualification would include several factors, including the trustworthiness of the individual to whom you have given the key.

But Sancho, if I understand you correctly, your interpretation of the post would have it that the locked box has lost security with respect to everyone without qualification. This seems to be clearly in error. Perhaps then I've misunderstood you?


As to the other interpretation given by Chris Abbott, let's consider a different locked box. All the same premises are given here, except that the lock to this box is vulnerable to one particular type of pick.

Call boxes in this class Pick-1 Boxes.

Is this box secure against no one, because of the vulnerability in question?

The answer, I would think, depends among other things on the nature of the pick that is needed.

You might have Pick-1-Easy Boxes, where the nature of the pick is such that many parties can create or acquire it.

You might have Pick-1-Hard Boxes, where the nature of the pick is such that few parties can create or acquire it.

I suppose, theoretically, you could have Pick-1-NOBUS Boxes, where the nature of the pick is such that only one party can create or acquire it.

A Pick-1 Box could fall into any of the above categories, depending on technical specifics. It seems to me, therefore, generalizing from Pick-1 Boxes, that the mere fact that a box is vulnerable to 1 pick, or n picks, does not, by itself, establish how secure or insecure the box is with respect to each different party (though of course one might make probabilistic claims based on n).

Chris AbbottSeptember 21, 2014 10:18 PM

@Skeptical

Basically what you're talking about is the key escrow system proposed back in the 90's. The problem is being able to trust whoever has that "one key" or "one pick", and trusting that they are competent enough to protect it, and will not provide illegitimate access to it.

This is impossible.

A hidden vulnerability would be found by someone eventually, and even if a NOBUS system that was truly perfect was possible, it seems clear at this point that you'll never be able to trust anybody with the ability to access it.

We can be secure against all attackers, or be secure against none.

uh, MikeSeptember 21, 2014 10:59 PM

"We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them."

We (Americans) wanted the NSA. Think back a decade or so. A minority wanted to maintain strong privacy controls in the face of real-time, televised horror.

The NSA has resources, but doesn't own the math. (I remember when they tried that.)

Authority is granted, and can be revoked.

Et cetera, et cetera, et cetera.

nobody@localhostSeptember 21, 2014 11:18 PM

[Note this is written some hours ago, before the most recent posts by others. I may have interpreted Chris Abbott's previous post, and I tip my hat to him for scooping me on the "Clipper Chip" point (though not in as many words).]

@"Skeptical"

what kind of system would allow for access with a warrant while also avoiding the "secure against nobody" state?

I ask you the same question. You are the one who proposes the inherent contradiction of a system which is "secure" but for the holes required for warrant access; I believe the burden of persuasion ought fall to those who want those holes.

Moreover, please be reminded that you are advocating that to catch "bad people" doing "bad things", we must give "bad people" the ability to do more "bad things". It is incumbent on you to explain. Me, I believe in prevention in preference to cure (although admittedly, such may foreseeably result in budget cuts for "Skeptical"'s department).

So, how do you propose to secure a system against all manner of attacks, including attacks by insiders (as discussed by Professor Felten, a warrant is technologically indistinguishable from an insider attack), attacks on the increased attack surface required for any kind of backdoor or "skeleton key", and attacks by insiders within agencies which hold "legitimate" backdoor access---while permitting all this super-duper security to be somehow overcome by a signature and a stamp? Contra popular superstition, black robes do not actually confer such magical powers as could resolve the contradiction by fiat, and black hats do not actually care if you designate a backdoor as "authorized access only".

FWIW, all this reminds me of '90s arguments about the Clipper Chip. Only now, we know that the United States government houses the biggest blackhat gang on Earth. Observation: Any system or network so secure as to resist TAO intrusion must necessarily meet the far lower standard of being warrant-proof.

I do realize that Bruce's point may or may not have been distinct from mine---as is the approach by Chris Abbott and Nick P---yet I argue that the distinction is without a difference, per the Felten essay I linked earlier, and per all those old arguments about Clipper Chip.

I also recognize that I am being used as a foil by "Skeptical" to prop up a failing argument against others here; some might characterize my position as extremist, whereas I posit I am simply following reality to its logical end. A properly secured system provides end-to-end security for communications, privilege and policy enforcement for local and remote access, and protection of data-at-rest against both local and remote threats. A system cannot be secured while opening holes for access-by-fiat by such a bureaucracy as would embarrass Byzantium. Not against insiders, as Professor Felten so cogently argues, and not against anybody else.

(So, how do you stop "bad guys"? In this context, such a question would be a fallacious misdirection as a counterargument; yet nonetheless, it is a question some people might ask. Well, my ingeniously inventive idea is to start by securing everything. Prevention, rather than cure. I also note parenthetically that, as "Skeptical" is most exquisitely aware, HUMINT is quite powerful. Not that I am in favour of it, either: A society of informers and stool pigeons is a society of lies and corruption. I merely make the point, that human intelligence cannot be stopped by technological means. Anyway, most actual detective work does consist of pounding the pavement, talking to people, and piecing together clues from the ghastly mistakes people tend to make. It is wise to remember that before telecommunications existed, telecommunications could not be wiretapped. Once upon a time, indeed, homo sapiens somehow survived the depredations of criminals without hidden microphones, ubiquitous security cameras, IMSI catchers, and a segregated sixth floor within a certain wing at Fort Meade.)

QnJ1Y2USeptember 21, 2014 11:23 PM

@Skeptical

Here though, you seem to be saying: if we are vulnerable to a court ordered search warrant, then we are vulnerable to anyone.

That's over-stated, which makes it sound a bit like a straw man argument. Qualify it:

If we are vulnerable to a court-ordered search warrant, then we are vulnerable to anyone with the resources to exploit that vulnerability.

The problem is, the pool of attackers continually expands, since attacks always get better. And that expansion happens in ways that are difficult to predict and impossible to control. As Clive noted, key escrow systems are very vulnerable: they can be exploited by insiders, or by anyone with the capability of bribing or extorting those insiders, or by anyone capable of breaking into the key system.

And this article shows another example of a vulnerability being turned into an exploit. The cell phone system is very insecure, in no small part due to CALEA. And now it is vulnerable to anyone with the resources to set up a fake cell 'tower' - a pool of people that looks to be pretty large, and that no doubt includes a number of foreign governments spying on us.

Basically, we chose surveillance over security - and now we're getting lots of surveillance. It's just not limited to those constrained by court orders and warrants.

nobody@localhostSeptember 22, 2014 12:40 AM

@Clive Robinson (emphasis added)

And as we know oversight in the IC is at best a sick joke, so the Fox gets the chicken dinner and we pickup the eye watering bill.

Cf.:

A 29-year-old walked in and out of the NSA with all of their private records. What does that say about their auditing? They didn’t even know.

I know your point was a bit different---but really, it wasn't, per the below.

@Nick P

(also scooped me on the Clipper Chip point)

Mostly, you make good points. But I disagree that "Secure systems can allow lawful 4th amendment searches through a service provider if designed as such.", for reasons including, as aforesaid, that a computer cannot distinguish a warrant from a(ny other) insider attack. (Funny how "Skeptical" has avoided this point, and indeed anything else of substance I stated---except for brushing by "the trustworthiness of the individual to whom you have given the key", without examining the implications.)

Not to mention the increase in attack surface: As a practical matter, no system today gets front doors or walls right; how do you expect the back doors to work out, particularly if the standards for them are designed by a committee of government employees and/or lowest-bid contractors?

Now, cf. again the Snowden quote above. By the technical definition of the term, that was the biggest "insider attack" since WWII. If Snowden had so intended, he could have done more damage to the U.S. government than every terrorist group on Earth combined. You think Hanssen or Ames had info? Hah. Snowden had everything at his fingertips---everything. Also imagine how Snowden could have exploited his position to (say) gain deep insider information to guide his stock trades---or gather blackmail info---or---"I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President..."

He wasn't even caught until he decided to put his own face on international TV. To this day, nobody even knows exactly what he took---their auditing is worse than bad. And he did that as a contract worker in the facility of what is supposedly the most elite and secure military intelligence agency, the National Security Agency---not the relatively lowly FBI, let alone Podunk PD.

Now, how do you expect your warrant backdoor to be secured again, including against insider attacks?

I think "Skeptical"'s CALEA point is answered both by that, and by the fact that the telecom system is so full of holes that blackhats feast on lower-hanging fruit. Old-fashioned phreakers were pwning whatever they wanted long before CALEA, and security has dropped drastically with time; why bother picking the lock on the "lawful intercept" backdoor, when the walls are three inches high and made of rice paper? Not that I would be surprised at CALEA insider abuses or outsider hacks I simply don't know about...

Stuart WardSeptember 22, 2014 5:25 AM

While the use of an IMSI capture false base-station is largely invisible to us, they are very visible to the network operators. The operator will see a large spike in failed handover requests, as nearby calls in progress try to handover to the false base-station.

I do not believe it would be hard for the civil liberties organisations to request this information from carriers so that they could quantify the extent of the use of these devices.

I am sure carriers analyse this information routinely in order to distinguish between a genuine network fault and the error events caused by false base-stations.
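An added example, not from the comment above, of the operator-side check it describes: counting failed handovers per target cell and flagging a target that is failing almost every attempt, with a second pass that finds the time window the spike falls in. The record format, cell names and inventory are constructed for illustration; real OSS handover counters are vendor-specific.

```python
"""
Added example, not from the original comment: an operator-side check for the
signal Stuart Ward describes, a spike in failed handovers towards one target
cell. The record format, the cell names and the inventory are constructed for
illustration; real OSS handover counters are vendor-specific.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: one handover attempt per line,
# "epoch_seconds,source_cell,target_cell,result"
SAMPLE_LOG = """\
1411000000,C-101,C-102,OK
1411000010,C-101,C-102,OK
1411000020,C-103,C-102,OK
1411000025,C-102,C-103,FAIL
1411000030,C-101,C-999,FAIL
1411000031,C-102,C-999,FAIL
1411000035,C-103,C-999,FAIL
1411000040,C-101,C-999,FAIL
1411000045,C-102,C-999,FAIL
1411000050,C-103,C-102,OK
1411000055,C-101,C-999,FAIL
1411000060,C-101,C-103,OK
"""

# Constructed planning inventory: the cells this operator actually runs.
# A target that is not in it is being advertised by something else.
KNOWN_CELLS = {"C-101", "C-102", "C-103"}


@dataclass
class Attempt:
    ts: int
    source: str
    target: str
    ok: bool


@dataclass
class Finding:
    cell: str
    attempts: int
    failures: int
    in_inventory: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse the constructed CSV-style handover records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, result = line.split(",")
        rows.append(Attempt(int(ts), src, dst, result == "OK"))
    return rows


def handover_failure_report(rows: List[Attempt], min_attempts: int = 3,
                            max_fail_ratio: float = 0.5) -> List[Finding]:
    """Return target cells whose handover failure ratio exceeds the threshold.

    min_attempts keeps a single unlucky handover from raising an alert. A
    genuine fault and a false base-station both show up here; the
    in_inventory flag is what separates the two on follow-up.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for r in rows:
        attempts[r.target] += 1
        if not r.ok:
            failures[r.target] += 1
    findings = []
    for cell, a in attempts.items():
        f = failures[cell]
        if a >= min_attempts and f / a > max_fail_ratio:
            findings.append(Finding(cell, a, f, cell in KNOWN_CELLS))
    return sorted(findings, key=lambda x: x.cell)


def failure_spikes(rows: List[Attempt], window_s: int = 30,
                   min_failures: int = 4) -> List[Tuple[int, int]]:
    """Bucket failures into fixed windows counted from the first record and
    return (window_start_ts, failure_count) for windows at or above
    min_failures, i.e. the "large spike" an operator would see."""
    if not rows:
        return []
    t0 = min(r.ts for r in rows)
    per_window = defaultdict(int)
    for r in rows:
        if not r.ok:
            per_window[(r.ts - t0) // window_s] += 1
    return sorted((t0 + w * window_s, n)
                  for w, n in per_window.items() if n >= min_failures)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for f in handover_failure_report(records):
        tag = "in inventory" if f.in_inventory else "NOT IN INVENTORY"
        print(f"{f.cell}: {f.failures}/{f.attempts} failed handovers ({tag})")
    for start, n in failure_spikes(records):
        print(f"spike: {n} failures in window starting {start}")
```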

Sancho_PSeptember 22, 2014 6:12 PM


@ Skeptical:

As often the crux is in the details.
To be clear, your analogy is based on a physical lockbox, but we are talking about communication (software) in a computer … Not the smallest difference to be problematic.

OK, you’ve got your own super secure lockbox, the unique key is still in the lock.
At least you think so.
You’d have to take it out, copy and send it.
Here are four NO-NOs with computers and the Internet:

1)
Did you program / code the lock box yourself from scratch, from other sources, pay for it or did you get it "from the internet"?
Is your lockbox really secure?
Who is liable in case it is not?

2)
Because your system (Win, Linux, OS X, whatever) is incredibly insecure your key is in danger when you manipulate it, probably it was copied during creation. The aggressor may be in your system from the beginning - because security is not an inherent part of the systems we use.
But to securely remove and copy would be impossible not only because of your insecure system but because of other software you have added to your system without knowing all the "side effects".

3)
Next the sending of the copy (you’d need another secured lockbox, wouldn’t you?), how would you know the final recipient is the person you wanted to send / trust?
The transport system is completely open and insecure.
Last but not least, the intended recipient is not a single person but a computer, ever heard of compromised systems and stolen databases? Or criminals, spies, working even in the government? How many would have access to the "single" copy you've sent?

4)
We are talking about communication, so your lockbox contains a single message.
We must assume that there would be much more than 5 billion super secure key copies to store every day, unless you reduce security to some master keys (NOBUS, absolutely a no go because “we” do not trust the “enemy”).
For which time to store them?
It is not feasible to run such a system without enormous costs and risks:
Who is liable in case the copy wouldn’t work (damaged, mismatched) when requested by - uups, whom? - Say a judge?
You, the owner of the lockbox?
And who would be liable when it turns out that something was definitely stolen from your super secure lockbox?

- Regarding the other “pickable” lock boxes you’ve mentioned:
If you (the super sophisticated lock picker = attacker) can pick it today we must assume that nearly everybody can pick it tomorrow.

The point is:
There is no security (like a secure lock box) in an insecure machine / environment.

Nick PSeptember 22, 2014 10:07 PM

@ Skeptical

High assurance lawful intercept: Revisited

"what kind of system would allow for access with a warrant while also avoiding the "secure against nobody" state? Would the type of technical features that are implemented to comply with CALEA be such a system?"

I proposed a high assurance lawful intercept system a while back, taking quite some flak for it. The fact is that the Constitution I fight for allows warranted search. Federal law expanded that to surveillance with CALEA. Assuming that's Constitutional, then the government needs a way to get the specific data requested in the warrant. Anything preventing this is illegal, so LEO's activities working around their security will be considered legal by default, as one must be able to search a security-focused system. So, how can one design a system that lets them search it, maybe limits the search to what's in the warrant, and prevents their hijacking the system?

Well, I did come up with a straight-forward prototype. The base system is one whose code is open, the binary certified by government, and running on hardware that vets the correct system code is running. The core system is designed in a way to prevent the user from tampering with it. Customization happens above that level. In the system, user data goes in different spots than system data, including key material. Each app instance, system resource, log entry, etc is registered to a user. So, all the user's stuff will be in a particular spot, private by default, and with the system protecting it.

The intercept system is a component of the certified system. The intercept system only has the ability to read, not write, user data. It can access keys, pull files, intercept networking, etc. The system might even make it a separate version of the system interface that can be swapped out transparently. It must be told to collect information on a user, the command and period it logs in a hardware-assured way. That information is read-only and per-user is similar to previous policies enforced by systems of very high security. It's doable.

The above is just a primitive building block with containment. The functionality backing many government actions will vary. Checking some emails isn't quite the same as following a live IRC session. Plus, the court will have complex policies such as "Snowden's full data & metadata on anyone who emailed him." These will require custom software to be written, which might be a threat. So, there must be a way to write these plugins without (a) them doing things they shouldn't or (b) compromising the system.

The best way is an interpreter + safe language. The language will be designed to prevent errors that allow code injection, with checks added by the compiler. The interpreter will be verified *strongly* with no native libraries or JIT (i.e. risky stuff). The more English like the language is, the better. Wirth's languages come to mind. The routines would be reusable, designed for a certain type of collection, and inspected by third parties the government doesn't control. They'd only interface with the system through the constrained lawful intercept component. If reviewers find no fault, an authenticated command could later load one of these routines with a given user as a target. The routines would produce (or analyze) the data to produce intelligence to be delivered to government. System would certify the integrity and authenticity of that data, as well, before passing it on.

The resulting system is a nice compromise. The system lets a business do their work. The system provides users as much security as its designers want to put in. The lawful intercept core can be designed with just as much security to ensure only comprehensible commands are sent and they only do what they're intended to do. Each thing I've mentioned has been in published academic work or commercial products with strong assurance techniques applied. Putting them together would take minimal resources if low assurance, a moderate amount of resources if medium assurance, and a substantial (but justifiable) amount of resources if high assurance.

So, high assurance lawful intercept is possible. It provides strong assurances to both parties. The Constitution says an intercept system *must* be used. The often dirty tactics of our LEO's show we *should* have more accountable methods. This thing can be built with existing security engineering technology rated at strong government standards (EAL6-7). It's worth building and legislating because at least we get security against *everyone else* in this model.

Note: There's a few more details and concerns I left out because I'm trying to make the post usable for many audiences, lay & technical. Yet most issues have potential solutions that again have worked in the past. And that's still a better situation than lawful intercept required + everything is easily hacked.

Yet Another Random ThoughtSeptember 23, 2014 1:28 AM

disclaimer and this could be not quite right.

What are other goals of the added network elements?

1.)MITM for information leakage
many other easy access.
Big physical tower tends to attract attention

2.)MITM for information substitution.
Alice gets the [correct]changed] version of message.

3.)MITM for information addition
Alice gets the [remove critical section + add section]
Useful for no easy tracing of virtual Bob transmits,
without Bob's full authentication.

authenticity from:
1.)who you are - it's your voice or parts of your voice on
replay attack

2.)what you know - real time information synthesis
*case: This American Life Radio High School Reunion
Woman substitutes stripper. Easily fooled for false
memory implantation.
wins the Turing Prize by MITM .

3.)how you are - conversation and word patterns
*case voice impressions
4.)redacted

echo, sound artifacts, noise, ambient tracks allow for
increase in Noise to Signal Ratio (1/SNR).

sample conversation from forthcoming movie script:
You know the two places. Yes. Luv Doughnuts -
translation - its right in the center.
Time we meet?
INSERT MITM substitution
*summary: since both parties authentication
1.)NOT who you are
2.)where and how you are meeting
QED: authentication break >> security break

*case: voice call your good friend. Got cough.
let me play this computer voice.
Uh - huh... Uh-huh ... Uh-huh Yes
got to get this other line - click. end conversation.
apply the Turing Test.

for the males in relationship - husband, etc.
what is the color of your wife's eyes and her EXACT weight?

SomebodySeptember 23, 2014 11:21 AM

@Skeptical

What kind of system would allow for access with a warrant while also avoiding the "secure against nobody" state? Would the type of technical features that are implemented to comply with CALEA be such a system?

This shows a fundamental misunderstanding of the purpose of a warrant. There are many things the police (and other authorities) are capable of doing that are ordinarily prohibited by law, e.g. kicking down a door or tapping a phone line. Warrants give the police permission to bypass legal prohibitions in specific ways for specific purposes.

CALEA has almost nothing to do with warrants. CALEA comes from a world view where the police are allowed to do anything that is technically feasible and the legal system exists to allow them to do more.

In an alternate reality where Wilkes still held, the police would be prohibited from tapping communications without a warrant. Only once they got a warrant would they be allowed to deploy any technical resources they may have, be they password crackers, accidental holes in the implementation, black bag jobs or social engineering. Most of the time they would succeed, because security is hard and most of the people the police go after are not too smart. But some of the time these technical efforts would fail, and the police would have to try other investigative techniques. "C'est la vie", "a policeman's lot is not a happy one" and all that.

Secret PoliceSeptember 23, 2014 11:27 PM

https://github.com/2b-as/xgoldmon

Buy a device with an Intel/XGOLD baseband and use the log messages to tell you current GSM encryption (if any) and use an app like Darshak to notify you when said encryption disappears and you're connected silently to an interception BTS.

That is until they OTA update the baseband to no longer provide USB logging mode. This is sort of what Cryptophone GSMK does. If really worried use end to end encryption over data channels and MITM stingray attacks are worthless.
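An added example, not from the comment above and not code from xgoldmon or Darshak, of the handset-side alerting it describes: reading radio state updates and raising an alert when ciphering is switched off or the phone drops from a newer radio to 2G. The trace line format is constructed; real baseband logs are vendor-specific.

```python
"""
Added example, not from the original comment and not code from xgoldmon or
Darshak: handset-side alerting on the two indicators the comment names,
ciphering being switched off and a silent drop from a newer radio to 2G.
The trace line format is constructed; real baseband logs are vendor-specific.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed trace: one line per radio state update from the baseband.
SAMPLE_TRACE = """\
t=100 rat=LTE cipher=EEA2 lac=0x2b01 ci=0x0451
t=160 rat=LTE cipher=EEA2 lac=0x2b01 ci=0x0452
t=220 rat=GSM cipher=A5/3 lac=0x2b01 ci=0x0452
t=280 rat=GSM cipher=A5/0 lac=0x7fff ci=0xfffe
t=340 rat=GSM cipher=A5/0 lac=0x7fff ci=0xfffe
t=400 rat=LTE cipher=EEA2 lac=0x2b01 ci=0x0452
"""

LINE = re.compile(
    r"t=(\d+) rat=(\w+) cipher=([\w/]+) lac=(0x[0-9a-fA-F]+) ci=(0x[0-9a-fA-F]+)")

# Higher rank = newer radio generation; a move to a lower rank is a downgrade.
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}
# Null-cipher identifiers: A5/0 (GSM), UEA0 (UMTS), EEA0 (LTE).
NULL_CIPHERS = {"A5/0", "UEA0", "EEA0"}


@dataclass
class RadioState:
    t: int
    rat: str
    cipher: str
    lac: int
    ci: int


def parse_trace(text: str) -> List[RadioState]:
    """Parse the constructed trace; lines that are not state updates are skipped."""
    states = []
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue
        t, rat, cipher, lac, ci = m.groups()
        states.append(RadioState(int(t), rat, cipher, int(lac, 16), int(ci, 16)))
    return states


def alerts(states: List[RadioState]) -> List[Tuple[int, str, str]]:
    """Emit (time, kind, detail) for cipher loss and radio-generation drops.

    Both also happen on legitimate networks (poor coverage, operators that
    run A5/0), so the detail carries the cell identity for correlation with
    cells seen earlier at the same place, rather than treating one alert as
    proof of an interception BTS.
    """
    out = []
    prev = None
    for s in states:
        cell = f"lac={s.lac:#06x} ci={s.ci:#06x}"
        # Alert once when ciphering goes away, not on every unciphered update.
        if s.cipher in NULL_CIPHERS and (prev is None or prev.cipher not in NULL_CIPHERS):
            before = prev.cipher if prev else "none"
            out.append((s.t, "CIPHER_OFF", f"{before}->{s.cipher} on {cell}"))
        if prev is not None and RAT_RANK.get(s.rat, 0) < RAT_RANK.get(prev.rat, 0):
            out.append((s.t, "RAT_DOWNGRADE", f"{prev.rat}->{s.rat} on {cell}"))
        prev = s
    return out


if __name__ == "__main__":
    for t, kind, detail in alerts(parse_trace(SAMPLE_TRACE)):
        print(f"t={t} {kind}: {detail}")
```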

ThothSeptember 24, 2014 1:42 AM

@Secret Police
Something of the likes of JackPair (https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-phone-conversation) might be useful despite being imperfect in design.

Shared Secret Key or Asymmetric Keypairs distributed in person (without a CA) would be a useful inclusion for end-to-end crypto.

Hopefully JackPair actually kicks off, because the likelihood of stumbling and falling off the cliff due to cross winds is very high on such open source security projects that have high aims.

SkepticalSeptember 24, 2014 5:13 PM

@Nick: So, high assurance lawful intercept is possible. It provides strong assurances to both parties. The Constitution says an intercept system *must* be used. The often dirty tactics of our LEO's show we *should* have more accountable methods. This thing can be built with existing security engineering technology rated at strong government standards (EAL6-7). It's worth building and legislating because at least we get security against *everyone else* in this model.

This sounds reasonable to me, but I suppose the devil is in the details (as you note, and know far better than I do - though that's not much of a compliment, since I know very little).

A feasible overall solution needs to meld the political and the technical, and to serve both the values of rule of law and of liberty.

That's a hard problem, but also an inescapable one.

@Somebody: CALEA has almost nothing to do with warrants. CALEA comes from a world view where the police are allowed to do anything that is technically feasible and the legal system exists to allow them to do more.

CALEA derives from a judgment by Congress that it is in the public interest for government to be able to conduct a search of telecommunications when properly authorized.

That's not a judgment that the police should be "allowed to do anything that is technically feasible." CALEA doesn't obviate the legal standards that protect your privacy from government intrusion.

There is a counterargument to be made, but "such is life" isn't it. Obviously we have a choice about whether to have things like CALEA, or not. Most would likely agree that CALEA is in the public interest, and would not support removing it from the law.

@QnJ1Y2U: If we are vulnerable to a court-ordered search warrant, then we are vulnerable to anyone with the resources to exploit that vulnerability.

I agree, but the extent to which that is a problem depends upon the nature of the "vulnerability" and the protections, technical and political, against its unauthorized exploitation.

And that's a problem that requires a lot of specific detail, and which ultimately demands a careful weighing of costs and benefits. It is not something that is simply derived from first principles.

For some systems, the costs may weigh more heavily than benefits; for other systems, otherwise; and here I'm simply talking about varying systems across an identical political/social/economic background. If we vary those variables as well, the benefits and costs are further altered.

It seems to me, again, to simply be a problem that requires a lot of discussion, and knowledge, of multiple domains to even begin to grasp. And so I think it can be misleading to suggest that this is all just a matter of deductive reasoning and first principles. It's not - no more than the question of whether to build a highway or a dam is.

CSSeptember 27, 2014 3:07 PM

Maybe I missed this (regarding building permits) but unless they are solely on solar power, would there not be a record of an electric utility company being tied into these - again permits, even ongoing billing info etc.

Clive RobinsonSeptember 27, 2014 3:57 PM

@ CS,

unless they are solely on solar power, would there not be a record of an electric utility company being tied into these…

It does not need to be solar except for float charging; two sets of batteries, a switchover unit and an electrically started gas (propane etc.) generator will last for several months, as the power requirement is down below 100W, and for some of the TAO units in the 10W or less category...

I've designed such systems for FM radio stations in remote places where the ERP was 1200W (300W TX).

The reason for gas-powered generators is that, unlike petrol or diesel generators, they don't "gum up", so they require a lot less maintenance. Also, cylinders of propane are readily available with standard fittings nearly the whole world over for the likes of cooking and heating.

The downside is the required security systems to stop the power system getting stolen by "locals" for their homes or to sell to others.

CyberPink • January 19, 2016 10:16 AM

I look forward to the day when a balance between security and intelligence collection can be restored. I have been aware of the use of stingray devices since about 2010, and have observed their use electronically. There are apps you can install on your phone that allow you to see the location of the cell towers your cell phone connects to; plus you can watch the electronic traffic and all the packets going to and coming from your phone. My warning to anyone interested in researching the use of the stingray device -- observing their use may put you under constant surveillance. Only recently have devices been released that monitor the use of fake towers by criminals, rather than law enforcement. The potential for abuse is huge; which is why the police and homeland security must monitor the airwaves - and most importantly catch criminals using fake cell towers to hack cellular traffic.

I work in security for a corporation and support the use of intelligence to resolve difficult and criminal activities; but protocols have to be followed. People have a right to privacy. I do not support the idea that police should wear body cameras. That is too invasive. I also do not support the idea that common everyday Americans should be under constant surveillance. The stingray device transforms your cellphone into a body camera and a covert listening device 24/7.

My suggestion is that software needs to be developed to restrict the use of the fake cell towers. For example, a warrant from a judge would have to be entered in the software to allow the person's cell number to be under surveillance. Secondly, homeland security should hunt and prosecute the criminal use of fake cell towers. Third, if hiding the existence of stingray devices is preventing the prosecution of the criminal use of the device, and criminals are being released because the device is too secret to discuss in court, we have defeated the use of the device. 2,000 cases in Baltimore alone are up for review and could be overturned because the stingray device was used.

Thanks for your article and bringing light to this topic. When limits are established again, trust in enforcement and intelligence communities can begin to build again. We need police, Homeland Security, the FBI, NSA and CIA. They are our partners in detecting criminal activity and preventing a total breakdown in society. From a strictly technical perspective, the ability to secure the airwaves and our electronic devices is light years behind the ability to share information. In short, cellphones are more akin to walkie-talkies. When securing the airwaves becomes a priority with citizens, more security will be built in to our phones and cell towers. Until then, it would be a disservice to America to fight to remove the intelligence community from policing the airwaves; foreign nation-states and criminals would have an unfair advantage on the airwaves. Instead, let's struggle to understand the weaknesses of our infrastructure and fight to repair it. And let's encourage our intelligence communities to adopt strict protocols that restrain the use of stingray devices to protective surveillance. Let's build a bridge between our intelligence agencies and citizens that establishes mutual trust again.
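The comment above mentions apps that show which cell your phone attaches to and tools that watch for fake towers. The following is an added example, not code from this post, from Bruce, or from any of the products mentioned. It runs three well-known rogue-cell indicators (the same kind of signal the CryptoPhone reporting in the original post describes: an unfamiliar cell, a GSM attach with no encryption, and a sudden drop from LTE/UMTS to GSM while signal strength is high) over a constructed log of cell observations. The record layout, the allow-list of known cells, the test network codes (MCC 001 / MNC 01) and the -80 dBm threshold are all assumptions chosen for the example; a real monitor would build its allow-list from days of observation at a fixed location and would treat these as indicators to investigate, not proof of an IMSI catcher.

```python
"""Heuristic rogue-cell indicators over cell-attach records (added example).

The observation records below are constructed for illustration; the
allow-list and thresholds are assumptions, not values from the post.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class CellObservation:
    ts: int           # seconds since start of capture (constructed)
    rat: str          # radio access technology: "LTE", "UMTS" or "GSM"
    mcc: str          # mobile country code ("001" = test network code)
    mnc: str          # mobile network code ("01" = test network code)
    lac: int          # location / tracking area code
    cid: int          # cell id
    signal_dbm: int   # received signal strength in dBm
    cipher: str       # GSM cipher in use ("A5/0" = none); "n/a" for LTE/UMTS


CellKey = Tuple[str, str, int, int]

# Hypothetical allow-list: cells previously seen at this fixed location.
KNOWN_CELLS: Set[CellKey] = {
    ("001", "01", 4011, 70211),
    ("001", "01", 4011, 70212),
    ("001", "01", 4012, 70305),
}

# Assumed threshold: a phone dropping to GSM while the signal is this strong
# is unusual, since downgrades normally happen at the edge of coverage.
STRONG_SIGNAL_DBM = -80


def analyze(observations: List[CellObservation]) -> List[Tuple[int, str]]:
    """Return (timestamp, reason) findings for each suspicious indicator."""
    findings: List[Tuple[int, str]] = []
    prev: CellObservation | None = None
    for obs in observations:
        key: CellKey = (obs.mcc, obs.mnc, obs.lac, obs.cid)

        # Indicator 1: a cell never seen here before (new LAC and/or CID).
        if key not in KNOWN_CELLS:
            findings.append((obs.ts, f"unknown cell {key}"))

        # Indicator 2: GSM attach with ciphering disabled (A5/0).
        if obs.rat == "GSM" and obs.cipher == "A5/0":
            findings.append((obs.ts, "GSM attach with no encryption (A5/0)"))

        # Indicator 3: LTE/UMTS -> GSM downgrade while signal is still strong.
        if (prev is not None and prev.rat in ("LTE", "UMTS")
                and obs.rat == "GSM" and obs.signal_dbm >= STRONG_SIGNAL_DBM):
            findings.append((obs.ts, f"downgrade {prev.rat}->GSM at "
                                     f"strong signal ({obs.signal_dbm} dBm)"))
        prev = obs
    return findings


def suspicious_timestamps(observations: List[CellObservation]) -> List[int]:
    """Distinct timestamps that triggered at least one indicator, in order."""
    seen: List[int] = []
    for ts, _ in analyze(observations):
        if ts not in seen:
            seen.append(ts)
    return seen


# Constructed capture: two normal LTE attaches, then a brief stay on an
# unfamiliar, unencrypted GSM cell at very strong signal, then back to LTE.
SAMPLE_CAPTURE: List[CellObservation] = [
    CellObservation(0,   "LTE", "001", "01", 4011, 70211, -95, "n/a"),
    CellObservation(30,  "LTE", "001", "01", 4011, 70212, -90, "n/a"),
    CellObservation(60,  "GSM", "001", "01", 4099, 99999, -60, "A5/0"),
    CellObservation(90,  "GSM", "001", "01", 4099, 99999, -62, "A5/0"),
    CellObservation(120, "LTE", "001", "01", 4012, 70305, -88, "n/a"),
]


if __name__ == "__main__":
    for ts, reason in analyze(SAMPLE_CAPTURE):
        print(f"t={ts:4d}s  {reason}")
```

Run stand-alone, the script flags the two GSM observations: at t=60 s all three indicators fire at once (unknown cell, A5/0, downgrade at -60 dBm), and at t=90 s the unknown-cell and no-encryption indicators repeat. The normal LTE attaches before and after produce nothing, which is the behaviour a monitor needs if it is to be left running without drowning its owner in alerts.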


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.