The Further Democratization of Stingray

Stingray is the code name for an IMSI-catcher, which is basically a fake cell phone tower sold by Harris Corporation to various law enforcement agencies. (It's actually just one of a series of devices with fish names -- Amberjack is another -- but it's the name used in the media.) What it basically does is trick nearby cell phones into connecting to it. Once that happens, the IMSI-catcher can collect identification and location information of the phones and, in some cases, eavesdrop on phone conversations, text messages, and web browsing. (IMSI stands for International Mobile Subscriber Identity, which is the unique serial number your cell phone broadcasts so that the cellular system knows where you are.)

The use of IMSI-catchers in the US used to be a massive police secret. The FBI is so scared of explaining this capability in public that the agency makes local police sign nondisclosure agreements before using the technique, and has instructed them to lie about their use of it in court. When it seemed possible that local police in Sarasota, Florida, might release documents about Stingray cell phone interception equipment to plaintiffs in civil rights litigation against them, federal marshals seized the documents. More recently, St. Louis police dropped a case rather than talk about the technology in court. And Baltimore police admitted using Stingray over 25,000 times.

The truth is that it's no longer a massive police secret. We now know a lot about IMSI-catchers. And the US government does not have a monopoly over the use of IMSI-catchers. I wrote in Data and Goliath:

There are dozens of these devices scattered around Washington, DC, and the rest of the country run by who-knows-what government or organization. Criminal uses are next.

From the Washington Post:

How rife? Turner and his colleagues assert that their specially outfitted smartphone, called the GSMK CryptoPhone, had detected signs of as many as 18 IMSI catchers in less than two days of driving through the region. A map of these locations, released Wednesday afternoon, looks like a primer on the geography of Washington power, with the surveillance devices reportedly near the White House, the Capitol, foreign embassies and the cluster of federal contractors near Dulles International Airport.

At the RSA Conference last week, Pwnie Express demonstrated their IMSI-catcher detector.

Building your own IMSI-catcher isn't hard or expensive. At Def Con in 2010, researcher Chris Paget (now Kristin Paget) demonstrated a homemade IMSI-catcher. The whole thing cost $1,500, which is cheap enough for both criminals and nosy hobbyists.

It's even cheaper and easier now. Anyone with a HackRF software-defined radio card can turn their laptop into an amateur IMSI-catcher. And this is why companies are building detectors into their security monitoring equipment.

Two points here. The first is that the FBI should stop treating Stingray like it's a big secret, so we can start talking about policy.

The second is that we should stop pretending that this capability is exclusive to law enforcement, and recognize that we're all at risk because of it. If we continue to allow our cellular networks to be vulnerable to IMSI-catchers, then we are all vulnerable to any foreign government, criminal, hacker, or hobbyist that builds one. If we instead engineer our cellular networks to be secure against this sort of attack, then we are safe against all those attackers.

Me:

We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone.

Like QUANTUM, we have the choice of building our cellular infrastructure for security or for surveillance. Let's choose security.

EDITED TO ADD (5/2): Here's an IMSI catcher for sale on alibaba.com. At this point, every dictator in the world is using this technology against its own citizens. They're used extensively in China to send SMS spam without paying the telcos any fees. On a Food Network show called Mystery Diners -- episode 108, "Cabin Fever" -- someone used an IMSI catcher to intercept a phone call between two restaurant employees.

The new model of the IMSI catcher from Harris Corporation is called Hailstorm. It has the ability to remotely inject malware into cell phones. Other Harris IMSI-catcher codenames are Kingfish, Gossamer, Triggerfish, Amberjack and Harpoon. The competitor is DRT, made by the Boeing subsidiary Digital Receiver Technology, Inc.

EDITED TO ADD (5/2): Here's an IMSI catcher called Piranha, sold by the Israeli company Rayzone Corp. It claims to work on GSM 2G, 3G, and 4G networks (plus CDMA, of course). The basic Stingray only works on GSM 2G networks, and intercepts phones on the more modern networks by forcing them to downgrade to the 2G protocols. We believe that the more modern IMSI catchers also work against 3G and 4G networks.

EDITED TO ADD (5/13): The FBI recently released more than 5,000 pages of documents about Stingray, but nearly everything is redacted.

Posted on April 27, 2015 at 6:27 AM • 65 Comments

Comments

mike~acker • April 27, 2015 7:49 AM

If you or I were to create a fake cell signal -- we'd end up in serious trouble with the FCC

which leads to the question: what regulation allows law enforcement to violate FCC regs? and the larger question: is such a regulation -- if one exists -- even legal?

ramriot • April 27, 2015 8:02 AM

Assuming that the use of these devices is to capture representative metadata, then why not build a deaddrop device that generates random IMSI codes.

Thereby flooding their possibly illegal use of the airwaves with useless noise.

Kyle Rose • April 27, 2015 9:49 AM

@mike~acker: What regulation? "FU, that's why." That's the only regulation law enforcement needs for pretty much anything.

I think there's a lot of unfortunate naïveté about citizens' relationship with government, so let me clear it up for you: even in a democracy, unless you are important or get a majority to pay attention long enough for heads to roll, they set the rules, and you obey or go to prison. Trying to beat government agents at their own game using the rules they create and enforce is useful mostly as a smokescreen to occupy their time and waste their resources: real progress against authoritarianism is made on the margins, where resourceful people route around the roadblocks put in place by government.

This is the core notion of agorism: favoring markets over politics as the avenue for effective action.

The domain of real solutions to the problems created by government intrusions into citizens' privacy is almost entirely technological. Certainly paying attention to government policies is important, but asking the government to politely give up power that it can and will exercise in secret whenever possible is a staggering waste of time for resourceful people: look at how little traction the public gets on injustices practiced in the open or later revealed (e.g. civil forfeiture, eminent domain for private profit, militarization of law enforcement, and even the Snowden revelations), and imagine how little effect advocacy will have on government operations that happen entirely in secret! Developing and advocating for the use of technologies that are immune to unfocused government force will by contrast have a much more immediate and lasting effect on the balance of power.

Gweihir • April 27, 2015 9:59 AM

I can also confirm that IMSI-catchers are easy to do. The most expensive thing you need is the software-defined radio for it, the rest is a few weeks of work. I personally know somebody that has done it (legally, in the context of a research project). It can definitely be done by a single individual of reasonable technological skills and about $2000 in equipment. This was 3 years ago.

x1998 • April 27, 2015 10:05 AM

So in some movie I saw years ago (maybe it was "Enemy of the State"), two people had a cell phone that was a replica of someone else's cell phone.

They were able to listen in to the person's phone calls through this replica.

Is this the sort of capability that is provided through an IMSI-catcher?

Martin Walsh • April 27, 2015 10:09 AM

I don't understand the repeated use of the word "democratization" in this context. It doesn't make any sense. I can surmise your intention easily, but the usage is questionable.

Z.Lozinski • April 27, 2015 10:10 AM

@mike-acker,

The regulations governing the FCC wireless auctions are: 47 C.F.R. Parts 1, 2, and 27. There are 90-odd pages of Part 27 here:

http://www.gpo.gov/fdsys/pkg/CFR-2009-title47-vol2/pdf/CFR-2009-title47-vol2-part27.pdf

There are regulations on interference with base stations, and the associated regulatory relief, but a cursory scan didn't find anything on interference with mobile terminals. There seems to be an inherent assumption that only licensed users are using spectrum. There are detailed obligations on licensees if their transmissions cause interference with other licensed users.

Note: The NSA referenced in 47 C.F.R Part 27 is the Network Sharing Agreement, *not* the National Security Agency.

Either way, I think the question is what legal theory allows large numbers of unlicensed users (ie Stingray operators) to both transmit and interfere with existing licensed transmissions.

Bruce, time to see if the Berkman center can find any bright young legal theorists.

uh, Mike • April 27, 2015 10:15 AM

@KR, thank you for your insight.

Civilization replaces one form of brute force with another. Force of law, market forces, social forces, information forces, and so forth.

In the information age, we will have a minority who are more adept than the establishment, at the forces the establishment is utilizing for control.

As long as we're a minority, we'll be able to protect ourselves. When we become more numerous, the establishment will shift controls.

Anon • April 27, 2015 10:28 AM

Has anybody been using IMSI-Catcher-Detector for Android? Does it do what it says on the tin? I believe it is available from fdroid as opposed to the Google Play appstore.

Bob S. • April 27, 2015 11:02 AM

A little quick research reveals the GSMK’s CryptoPhone 500 costs north of $3k each, and I would guess you need at least two to make it work.

Also, governments are among the primary customers. Do you sense the irony of rogue governments using vast sums of "free" tax dollars to protect their agents from their own lawless mass surveillance?

Mike Acker wants to know where the FCC is on Stingrays. The answer of course is nowhere. Whatever the government does is exempt from any law or rules it chooses in the name of security. In sum, electronic mass surveillance is in a state of lawlessness.

As for foreign governments and criminals using them, apparently they get a pass too, because this is a "government thing".

Needless to say, the very most rich can easily buy secure phones. I guess that's important.

Maybe Tracfone will come up with a $10 phone, with triple minutes, that emulates Cryptophone security. Now that would be democracy in action for sure!

gordo • April 27, 2015 11:14 AM

@ Martin Walsh

I don't understand the repeated use of the word "democratization" in this context. It doesn't make any sense. I can surmise your intention easily, but the usage is questionable.

In the thread's opener above, Mr. Schneier writes that "the FBI should stop treating Stingray like it's a big secret" from which he links to an article that

...illustrates how cellular interception capabilities and technology have become, for better or worse, globalized and democratized, placing Americans’ cellular communications at risk of interception from foreign governments, criminals, the tabloid press and virtually anyone else with sufficient motive to capture cellular content in transmission. Notwithstanding this risk, US government agencies continue to treat practically everything about this cellular interception technology, as a closely guarded, necessarily secret “source and method,” shrouding the technical capabilities and limitations of the equipment from public discussion, even keeping its very name from public disclosure. This “source and method” argument, although questionable in its efficacy, is invoked to protect law enforcement agencies’ own use of this technology while allegedly preventing criminal suspects from learning how to evade surveillance. [emphasis added]

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678

It would appear that its usage is an accepted term of art.

Please see this article also:

Hacking the panopticon: Distributed online surveillance and resistance
Benoît Dupont
Surveillance and Governance: Crime Control and Beyond. 2008, 257-278

http://www.benoitdupont.net/sites/www.benoitdupont.net/files/Dupont%20HackingPanopticon%202008.pdf

In this article, the section on "The Democratization of Surveillance," on page 265, starts with a helpful definition.

nobody • April 27, 2015 11:14 AM

It is time for an open source baseband and for folks to be able to use it easily. I think a lot of stingray issues could be avoided by something as simple as a BTS white-list. But implementing features like that is not in the interests of major baseband suppliers.

65535 • April 27, 2015 11:30 AM

I attended a non-civilian briefing and heard information about the Quantum family of bugs and other modular malware being put on civilians' Android and iOS phones by private investigators. This malware is used in high profile divorce cases where one of the two sides of lawyers is trying to ascertain the next legal move by his adversary.

In short, I sense the Vup@n and the Hacking Te@m style of modular malware are now being used by private investigators on civilian iphones for monetary gain.

gordo • April 27, 2015 11:47 AM

@ Martin Walsh

My apologies. In my previous post I failed to indicate in the quote the [emphasis added], which should have been upon each occurrence of:

globalized and democratized and "sources and methods," respectively.

gordo • April 27, 2015 12:11 PM

@ Bob S.,

In sum, electronic mass surveillance is in a state of lawlessness.

Hmm, meaning, that is, ...

The rule of law (also known as nomocracy) is the legal principle that law should govern a nation, as opposed to arbitrary decisions by individual government officials.

https://en.wikipedia.org/wiki/Rule_of_law

gordo • April 27, 2015 12:28 PM

On a related contextual note:

After Aaron's Law reintroduced, new counter-bill aims to crack down on hackers
Summary: When you don't differentiate between good and bad hackers, you have a problem.

The [Data Breach Notification and Punishing Cyber Criminals Act of 2015] bill doesn't fix what's fundamentally wrong with the law -- the outdated and overbroad definitions that lump in security researchers and those who simply violate a terms-of-service as malicious hackers.

http://www.zdnet.com/article/bill-introduced-forcing-mandatory-disclosure-of-data-breaches-but-at-the-expense-of-hackers/

Mike Jeays • April 27, 2015 1:55 PM

The issue of police officers being required to lie under oath in a court is extremely troubling. What happens if a judge catches them out - do they get a free ride, or are they charged with perjury, as they should be?

This seems to be a complete breakdown of the rule of law.

rgaff • April 27, 2015 2:24 PM

@ Mike Jeays

The answer is "free ride"... because otherwise some Fed would whisk the officer away and the judge would suddenly get, let's say, "limited career opportunities"... You are correct, it is a total and complete breakdown of any semblance of rule of law.


@ Martin Walsh

There are two meanings of the verb "democratize":

1. introduce a democratic system or democratic principles to.

2. make (something) accessible to everyone.

Bruce is correctly using the 2nd definition here.


@ Bruce

I would suggest including a footnote of the definition of this word in all your future posts that use it, I'm a bit weary of the constant barrage of people who don't know English and argue with it.

name.withheld.for.obvious.reasons • April 27, 2015 2:50 PM

A simple way to determine if a stingray system is operating in your hood is to use a pair of phones as a telemetry tracking network. Place one phone sufficiently distant from the other phone and place a call, leave a voice mail, and then go to the service provider's website and review the cell tower location data (should include trunking information). Job done.

Jonas Silver • April 27, 2015 4:10 PM

Okay, so this is news to me. OpenBTS plus 300US for HackRF, install openbts and maybe modify it a bit and you have a stingray. That is trivial level work and a very trivial price range. One paycheck surplus for most IT people.

I would assume you could make your own stingray detector from that.

So, all somebody has to do is do both, demonstrate 'how to' well online, and boom, everyone is doing it. Either way, this would explode the whole stingray issue open.

Is it even cheaper than this? I see SDR which is considerably cheaper. Has anyone broken it down with a clear how to?

The stingray detector is moral and legal. I would guess it is legal. I would think that detector would be passive.

So, this starts to expand and the cops start to get caught using this stuff. As it is all secret, they are probably using it for some very dirty business. Tapping into corporations, government organizations, stealing data, archiving it. Stalking. Zero oversight. As usual.

Of course, as Bruce mentioned, probably foreign nations and criminal organizations are relying on this technology. Anyone seen the FCC hunting these down or asking questions. I have not. Cops don't want them to. "It is official", but dark arts of the state at the level of JimBob who can take apart his cb radio and run a police scanner.

Do cops themselves have protection against this? Doubt it. Probably lotsa hidden corruption stories out there ripe for the taking.

Maybe around DC and military bases these devices are either installed by the US Gov, or tracked by them. But any word about people being warned about their phone being unsafe to use in these areas? No. Probably next to zero enforcement. Or using most people for disinformation projects where only a few are giving false data.

@name.withheld.for.obvious.reasons

That is a good point. You can programmatically get at cell tower information easily for handsets. Having the list in an application, it can be contrasted against what cell tower is being contacted. Voila, a stingray detector on the phone.

That would be a very simple application to make. Someone could do it, build on the hype of the stingray controversy, and make lotsa money.

They could promote it from a conference or even sooner via major security mailing lists to get some media attention.

That is very easy to do, wonder why it has not been done, or if it has been done. Have a little green or red icon to indicate, and a tech screen where details can be examined.

Free money for the developer. Practically. Tool for journalists and activists.

@ramriot

Assuming that the use of these devices is to capture representative metadata

This is all off the books, they won't use it in courts. There is no reason they would not be using it to catch all data.

Problem, as usual, is in using the data. They can't use it in courts, it is really illegal, so corruption is probably rampant. Cops don't have grudges with spouses? It is just bending the law, a little, is their thinking. They deserve to have special benefits. They put their life in danger and look they get not only no respect or credit for this, they get reamed by the people. There are no sociopathic cops? Sociopaths are high in law enforcement, not low.

Plenty of law abiding cops, but you don't put money in front of them.

The silkroad case is a perfect example. The guy in charge knew he was in new tech, new frontier and used his powers to make money. Or the current DEA chief is stepping down. USSS has had similar problems. Mass corruption, and that is just what people see.

Cynicism is high. They want money. Power. Drugs should be legalized, the "drug war" has done nothing.

name.withheld.for.obvious.reasons • April 27, 2015 4:46 PM

@ Jonas Silver
Yes, a simple app could just pull the tower ID from the base-band radio (almost all phone OSes provide application layer access to the cell tower ID but not through the "normal" API layer) and could even include "a white listed database" where good and bad locations can be mapped...
There is no simple way (beyond disconnected or RF contained) to keep the base-band radio from giving away IMSI data to any receiver.

Jonathan Wilson • April 27, 2015 6:02 PM

On my Nokia N900, there are a few API calls (documented by Nokia but in a way that suggests the documentation release was unintentional) related to network handling. Specifically, there is a notification signal called cell_info_change that is called each time there is a change of cell (the notification includes the new cell ID) and another call called get_current_cell_info that lets you retrieve the current cell information including cell ID.

Android appears to have a documented API for retrieving the cell tower ID, no clue if iPhone does (best I can find is vague mentions of an undocumented-and-therefore-not-usable-in-app-store-apps API for it).

Given this and some kind of list of the cell IDs matching to the towers of your carrier (how you get that list) you could write an app that would warn you if you were connecting to a cell tower that wasn't white-listed. Or even make that app shut off the phone or switch to airplane mode or something to ensure no leakage of information.

Of course if the stingrays use cell tower IDs that are legitimate for the relevant carrier this won't work. And of course it won't matter if they have a tap on the account itself at the carrier level but it may still be useful.

Nick P • April 27, 2015 6:12 PM

@ Bob S.

There are already free solutions such as RedPhone, cheap ones such as SilentCircle, and more expensive apps that have been around a while. Whether calls or messaging, there is virtually no takeup on these despite them being easy to use and making waves in the press. The issue is demand: hardly anyone cares enough to act even if there's options or buy if there's a supply. Given high development cost, suppliers simply aren't going to build what almost nobody is interested in outside a small few targeting the niche market. That's what we see in practice in the marketplace and it won't change.

The only short-cut around this is embedding security or privacy into something already in use in a way people barely notice. That's what we see Google, Apple, Microsoft, and others doing in various ways. Yet, the phone won't be truly secure because it needs a certified baseband stack. This is usually a chip from a company such as Motorola or Qualcomm running government-approved software. The cost-efficiencies mean there will be only a handful of suppliers, their products have wireless circuits that can leak things in clever ways, and most suppliers will probably accept subversion money from governments.

If one wants to build security in, there is a fairly simple way to do that: a WiFi or (better) wired phone that uses either the Internet or dial-up for transport. The phone OS is simple. The system uses Red-Black model for security. There's usually a dedicated chip for crypto and security protocols that sits between the plaintext side and the untrusted transport. You're looking at designing 1 chip, carefully selecting 2 others, picking/building a phone OS, making drivers, making a protocol engine, and integrating it all into a cell phone. This is the model that defense contractors went with for the *real* COMSEC gear as opposed to the Android- and Linux-based crap they recommend to mass market. Even they are building Android models now due to demand, though. ;)

Jonas Silver • April 27, 2015 6:34 PM

@Jonathan Wilson

Yes, what I was referring to. Been awhile since I have written or edited an android app, but they definitely have that capability in there, or did (and I doubt would change due to the strong demand for that information from vendors).

@name.withheld.for.obvious.reasons

There is no simple way (beyond disconnected or RF contained) to keep the base-band radio from giving away IMSI data to any receiver.

Ah, though I would want to know if I am being wiretapped or not. I would just not make any calls at that time which might be proxied through their fake cell station.

Much less, would be interesting to see, around town, where these suckers are on. Is this on at a nearby telco building? Is it on near a nearby consulate? Is it on nearby a bank?

I could see where hacker hobbyists could get into exploring their neighborhood or using it around police installations, corporations, law firms, downtowns... their own neighborhood.

The potential for bad is obviously very high.

But, been here before with scanners.

And similar territory as with encryption, vulnerabilities, and other areas...


Strangely, wifi and routers have remained in this bad way for years now, still not much progress in sight. Websites and SSL over wifi have been dealt with somewhat. But the wireless routers themselves remain weak, as do the landline routers.

But scanners still around, jammers, and for so very long phones were all unencrypted.

name.withheld.for.obvious.reasons • April 27, 2015 7:15 PM

@ Jonathan Wilson, @ Jonas Silver
Many of the APIs provide a limited set of the total radio data handled at the base-band level (quantized data). Threshold, hysteric, timing, levels, and other EM data may or may not be available and many manufacturers refer to this as DEBUG data. Oftentimes the API may specify a lifetime scope or availability to the application developer. It is best to get debug versions of the computing platform and the development tools where much of the base-band stack is accessible.

Buck • April 27, 2015 8:15 PM

@name.withheld

A simple way to determine if a stingray system is operating in your hood is to use a pair of phones as a telemetry tracking network.
...
and then go to the service providers website and review the cell tower location data (should include trunking information).
Wow! Which service providers provide that sort of information to their subjects - err - sorry, customers!? Regardless, it's quite trivial to spoof the ID of an expected base-station... However, sudden changes in signal strength can be a good tell. Newer (and more expensive) versions of the Stingray probably hide this from the target, but it will still be obvious from other locations. Using three or more phones -- distributively communicating the S:N through a secondary trusted channel -- the base-stations can be geographically triangulated. Generally, the legitimate towers will be visually evident; more so, they should rarely move to another location.
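As an added example (not code from the post or from any commenter), here is the whitelist-plus-anomaly detector that Jonathan Wilson sketches and the signal-strength tell Buck describes, combined with the forced-2G downgrade the post mentions, run over a constructed cell log. The whitelist, network code, cell IDs and dBm values are all invented sample data; a real app would fill the whitelist from its own history at known-good locations.

```python
"""Toy IMSI-catcher detection heuristics run over a constructed cell log.

Constructed example; not code from the original post or from any commenter.
It combines tells raised in the thread: a whitelist of known towers, the
caveat that a catcher can reuse a legitimate cell ID, sudden signal-strength
jumps, and the forced 2G downgrade the post describes. Every network code,
cell ID and dBm value here is invented sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Rank of each radio access technology; serving on a lower rank while a
# stronger higher-rank cell is visible is the downgrade pattern.
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}

# Constructed whitelist: (PLMN, LAC/TAC, cell ID) -> expected RAT.
# Assumption: an app would build this from observations at known-good
# locations; it is not a carrier or platform API.
KNOWN_CELLS: Dict[Tuple[str, int, int], str] = {
    ("310260", 2001, 10001): "LTE",
    ("310260", 2001, 10002): "LTE",
    ("310260", 1001, 5001): "UMTS",
    ("310260", 101, 301): "GSM",
}


@dataclass(frozen=True)
class Observation:
    t: int                      # seconds since logging started
    plmn: str                   # MCC+MNC of the serving network
    lac: int                    # location/tracking area code
    cid: int                    # serving cell ID
    rat: str                    # "GSM", "UMTS" or "LTE"
    dbm: int                    # serving-cell signal strength
    neighbours: Dict[str, int] = field(default_factory=dict)  # best dBm per RAT


Alert = Tuple[int, str, str]    # (time, kind, detail)


def detect(log: Iterable[Observation], known=KNOWN_CELLS,
           jump_db: int = 25, jump_window_s: int = 60,
           usable_dbm: int = -95) -> List[Alert]:
    """Walk the log once and return every heuristic that fires."""
    alerts: List[Alert] = []
    prev = None
    for o in log:
        key = (o.plmn, o.lac, o.cid)
        if key not in known:
            alerts.append((o.t, "unknown_cell", f"{key} not in whitelist"))
        elif known[key] != o.rat:
            # Whitelisted ID but on the wrong technology: the ID may be copied.
            alerts.append((o.t, "rat_mismatch",
                           f"{key} seen on {o.rat}, expected {known[key]}"))
        # Downgrade: a better technology is visible at usable strength, yet
        # the phone is camped on a worse one.
        for rat, dbm in o.neighbours.items():
            if RAT_RANK[rat] > RAT_RANK[o.rat] and dbm >= usable_dbm:
                alerts.append((o.t, "downgrade",
                               f"serving {o.rat} while {rat} at {dbm} dBm is available"))
        # Same cell ID, much stronger within a short window: a transmitter
        # closer than the tower it claims to be (the spoofed-ID caveat).
        if (prev is not None and (prev.plmn, prev.lac, prev.cid) == key
                and o.t - prev.t <= jump_window_s and o.dbm - prev.dbm >= jump_db):
            alerts.append((o.t, "signal_jump",
                           f"{key} went from {prev.dbm} to {o.dbm} dBm in {o.t - prev.t}s"))
        prev = o
    return alerts


def kinds(alerts: List[Alert]) -> List[str]:
    """Ordered list of alert kinds, convenient for summarising a run."""
    return [k for _, k, _ in alerts]


# Constructed log: normal LTE service, then a drop to an unknown GSM cell
# while LTE is still strong, then a known LTE ID that suddenly gains 30 dB.
SAMPLE_LOG = [
    Observation(0,   "310260", 2001, 10001, "LTE", -80, {"UMTS": -92, "GSM": -101}),
    Observation(30,  "310260", 2001, 10001, "LTE", -82, {"UMTS": -93}),
    Observation(60,  "310260", 101,  9999,  "GSM", -61, {"LTE": -83}),
    Observation(120, "310260", 2001, 10002, "LTE", -86, {}),
    Observation(130, "310260", 2001, 10002, "LTE", -56, {}),
]

if __name__ == "__main__":
    for t, kind, detail in detect(SAMPLE_LOG):
        print(f"t={t:>4}s  {kind:<12} {detail}")
```

The whitelist and the RAT check catch only what the thread says they catch; a catcher that copies a legitimate ID on the right technology is left to the signal-jump and downgrade heuristics, which is why all of them run together.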

Jonas Silver • April 27, 2015 9:12 PM

@name.withheld.for.obvious.reasons

Many of the APIs provide a limited set of the total radio data handled at the base-band level (quantized data). Threshold, hysteric, timing, levels, and other EM data may or may not be available and many manufacturers refer to this as DEBUG data. Oftentimes the API may specify a lifetime scope or availability to the application developer. It is best to get debug versions of the computing platform and the development tools where much of the base-band stack is accessible.

Thanks for the insights, btw.

Could be crazy to do. I am not up on these apis and what hijinks may be required for access.

Maybe not so much.

https://play.google.com/store/search?q=cell%20tower&c=apps&hl=en

http://developer.android.com/reference/android/telephony/package-summary.html

Probably could reverse some of these apps (all in java so trivial to do). If there are no open source example code. Which there probably is.

I would probably test out some of those apps, see if any work, then open it up and check out the calls made doing a search for the apis to zero into the applicable code. Sometimes reversed java is spaghetti code but it tends to be readable enough to get a general sense of how to duplicate the functionality.

Getting android to run debug I did a few years ago, but only with the virtual emulator. It was a bit of a bitch at the time. If the code requires higher privileges than what is allowed to non-system apps, that would be probably requiring rooting the phone. I have experimented with that not too long ago, with some wifi apps. Modified existing open source hax0r code out there for pen tests and research. Nothing fancy.


I do not use my phone for anything sensitive and hardly make calls at all. Hardly ever have. I do not do anything sensitive at all, ever, so not very concerned about bugs, wiretaps. If someone wants to waste their time on me I feel sorry for them.

When scanners could pick up cell phones way back when, I ran into that sometimes. It was interesting, but I would change the channel because I do not like privacy invasion.

Programming is not far from my day job and I already make enough money, so not interested in creating, debugging, and managing an application. The theory is kind of interesting to me.


name.withheld.for.obvious.reasons • April 27, 2015 10:41 PM

@ Buck

Wow! Which service providers provide that sort of information to their subjects - err - sorry, customers!?
All the major cell operators provide a host of data to network providers...for example AT&T and Verizon provide tracking data for registered phones. It is offered as a service to track your children, there are some providers that provide telemetry data to their customers. Even the most basic level of service for cellular telephone networks host databases accessible by registered customers of the service. That's the reason for the second telephone in my scenario, it is less about triangulation and more about determining the network service identifiers...

I am sure that a full blown scenario (I summarized for several reasons) could provide some robust applications that were beyond the scope of my contribution to the thread. @ Jonas Silver did suggest that a market opportunity might exist...just added bits and pieces. I am not offering to write the design and functional specifications or build a demonstration app...I leave that to others.

Like your idea about a "triangulation" service--one could out the operational location of a stingray device. Maybe a website showing the current location of operable stingray devices could be made available nationally/internationally. When the government believes that it has sole sanctity in collecting data (collecting your location data) then the government is making a distinction which can be challenged in court (collecting their location data).

Dave • April 27, 2015 10:48 PM

>Okay, so this is news to me. OpenBTS plus 300US for HackRF, install
>openbts and maybe modify it a bit and you have a stingray.

It's still a bit more complex than that, I think Bruce meant that the hardware to build a Stingray was freely available, but you can't just download stingray.rpm and be ready to run. Firstly, the HackRF is half duplex, so you need two of them. Then, the work on GSM and LTE decoding using the HackRF is at the proof-of-concept stage, it's great to play with but there is some assembly required. Finally, if someone does go to the effort of building an out-of-the-box stingray package for the HackRF, I suspect it may attract just a tiny bit of LE attention...

Jonas Silver • April 27, 2015 11:23 PM

@Dave

It's still a bit more complex than that, I think Bruce meant that the hardware to build a Stingray was freely available, but you can't just download stingray.rpm and be ready to run. Firstly, the HackRF is half duplex, so you need two of them. Then, the work on GSM and LTE decoding using the HackRF is at the proof-of-concept stage, it's great to play with but there is some assembly required. Finally, if someone does go to the effort of building an out-of-the-box stingray package for the HackRF, I suspect it may attract just a tiny bit of LE attention...

Thank you for the clarification. I was looking for that. Telcos, handsets, IMSI... I do not know very much about these things. I have not done my homework.

I did once interview with a mobile provider. He stated they do have upstream IDS. So they do detect attacks on the wire which the general public is not privy to. Which means someone attempting to proxy cell traffic illegally likely would be pinpointed and found out.

I have dabbled in that area before, and my impression was they collect information, do process it, and perform investigations which tend to be very quiet. They will forego arrests to avoid exposure. Much like how in the 'imitation game', it showed how they gave much real data to the Germans to avoid revealing their hand. Complex, crazy, scary stuff.

Buck • April 27, 2015 11:23 PM

A little less than a year ago, I was thinking $300 sounded about right... If Moore's Law is still applicable (and the only limiting factor), I'd suppose we're not looking at much more than $200 these days... Although, it's probably much less if you account for inflation & availability of used/refurbished parts!

Bob S. • April 28, 2015 6:37 AM

Here you go:

IMSI Catcher, For Sale: $1800

"An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service providers.

With the PKI 1640 you can catch all active UMTS mobile phones in your proximity. All captured data, such as IMSI, IMEI, TMSI will be stored in the data base and are available for further evaluation at any time. A huge range of statistical data analysis methods is possible. With our 3G UMTS IMSI Catcher you can redirect single UMTS mobile phones to specific GSM frequencies, in order to monitor the conversation with our active or passive cellular monitoring systems. Furthermore, the PKI 1640 allows suppression of specifically selected conversations of targeted persons.

The PKI 1640 comes with BTS unit, laptop with controller software, antenna and power supply."

There are several for sale on the net. It's all not illegal you know.

Skeptical • April 28, 2015 6:46 AM

Re "democratization"

This usage dates at least back to Thomas Friedman's The Lexus and the Olive Tree, published around 2000. In that book he discussed the "democratization and dispersion of technology, information, and finance." Or something like that - the quote is from memory, so consider it a paraphrase.

What distinguishes democratization from proliferation is that the latter refers to an increase in the number of users of a technology, while the former refers to the ease with which individuals - in particular non-state actors - might become users should they so desire.

Schneier's use of the term is perfectly valid and it conveys his point here better than "proliferation" would.

As to the device in question, in the US I'm fairly confident that the private use of the device is illegal as well as easily detected.

Tido Spencer • April 28, 2015 6:54 AM

Nicholas Lemonias did that for the sake of freedom of information. Google Inc was controlling the list, and what was disseminated. The Google advisory was still on packetstorm and never deleted.

There was nothing to hide

Peter A. • April 28, 2015 6:56 AM

I guess one should consider all baseband code in commercially offered handsets rigged, bugged and backdoored.

Years ago at one company I was on a project tasked with developing a testing tool for base stations, which would mimic hundreds of mobile phones making calls etc. in order to test if and how a base station would handle various heavy traffic situations. It was infeasible to do it with hundreds of real handsets.

The company also made handsets, so our first move was to reach out to the handset guys to get hold of their source code for the protocol stack. We got a stout NO! We had to implement the whole stack ourselves, right from the ground, based only on the standardizing body's papers. We shrugged our shoulders a lot, but if the company was willing to pay us for re-inventing the wheel and delay the project by several years before all protocol functions are implemented and tested - that's fine.

I thought - then - it was just a stupid company policy. But the more revelations I read about, the more I am convinced it was a kind of gag order or source code arrest - only a chosen few were likely allowed to see what's really INSIDE.

Tido • April 28, 2015 7:00 AM

Nicholas Lemonias did that for the sake of freedom of information. The list was controlled. At least it changed hands/territory and substance.

Google Inc was controlling the list, and what was disseminated. The Google advisory was still on packetstorm and never deleted.

It is a controlled industry. And they wanted to damage Nicholas for publishing information about satellite security in the first place. The very next day, IOACTIVE, which works closely with gov, came up with the same research and made headlines - to safeguard their reputation and image.

There was nothing to hide. I watched the whole thing. The advisory is still on packetstorm.

Google attacked the researcher for publishing the issue. It was purely a revenge case, with vitriolic responses from various parties including John

Tido Majestic • April 28, 2015 7:04 AM

Nicholas Lemonias did that for the sake of freedom of information. The list was controlled. At least it changed hands/territory and substance.

It is a controlled industry. And they wanted to damage Nicholas for publishing information about satellite security in the first place. The very next day, IOACTIVE, which works closely with gov, came up with the same research and made headlines - to safeguard their reputation and image. It was on SATCOM Security on Softpedia long before IOACTIVE.

There was nothing to hide. I watched the whole thing. The advisory is still on packetstorm.

Google attacked the researcher for publishing the issue. It was purely a revenge case, with vitriolic responses from various parties including John. As you can see there are regular posts to full disclosure by Google employees who work with gov and want to control the security community. That has now changed.

Justin • April 28, 2015 6:22 PM

... we should stop pretending that this capability is exclusive to law enforcement, and recognize that we're all at risk because of it.
I've been reading your book, and my big critique is this nebulous "we". I think that "we" need to recognize that there is no cohesive "we" that even gets to pretend to decide how society functions. Each individual's behavior is governed by that individual's own morality and by the incentives and disincentives that are experienced by that individual. As far as this "Stingray" capability, clearly
  • law enforcement has and wants to keep this capability, and
  • law enforcement is pretending, and wants to keep pretending, (as far as the general public is concerned,) that this capability doesn't exist at all.
Other than that, law enforcement just doesn't care. They particularly don't care about foreign spies or whether or not we think foreigners or criminals are spying on us. It simply isn't their area, (even if off-hand it happens to be illegal.) It might come as a news flash, but law enforcement mostly just cares about law enforcement, and they see warrants and privacy considerations as encumbrances and obstacles for them doing their jobs. If you want to change that, you will have to either change their morals, or change the incentives and disincentives applicable to them doing their jobs. Because right now they have strong incentives to spy on us, and strong disincentives to respect our privacy and our rights. That's why they don't hire cops smart enough to question any of this, (and that wouldn't be smart for any of them individually, ...)

Now you can critique my nebulous "they."

Anon • April 28, 2015 10:31 PM

Surely one method would be to use a highly directional antenna? If you suspect a fake base-station, use the antenna to DF it by pointing it in any direction that isn't towards a real base-station and wait to see if you magically get service?

Conversely, you can also use the highly directional antenna to get service from a real base-station by ensuring it is pointing at one you can see, that is relatively close.

Better yet, don't use a mobile if you can avoid it.

Buck • April 28, 2015 10:57 PM

@Anon

Don't forget to move around a bit if you suspect a fake base-station that might also be using a highly directional antenna!

Your converse could work; unless the fake is in between. A little jiggle along the Z-axis may reveal its presence though...

Better yet, find a nice old decommissioned missile silo to live out the rest of your days in - if you can. ;-)

Wael • April 28, 2015 11:21 PM

@Buck, @Anon,

Better yet, find a nice old decommissioned missile silo to live out the rest of your days in - if you can.

If Bruce Townsley can do it, so can Anon! Easy directions, too!

Head south of Abilene, nearly smack-dab in the middle of Texas, cross a couple of intersections, look for a small lump in the road with mailboxes sprouting out of the ground, and you’re there. At the end of the driveway, an American flag and array of solar panels provide the only evidence of habitation.

I like the "Atlas ICBM Highway" sign!

65535 • April 29, 2015 12:35 AM

@ Nick P

“If one wants to build security in, there is a fairly simple way to do that: a WiFi or (better) wired phone that uses either the Internet or dial-up for transport. The phone OS is simple. The system uses Red-Black model for security. There's usually a dedicated chip for crypto and security protocols that sits between the plaintext side and the untrusted transport. You're looking at designing 1 chip, carefully selecting 2 others, picking/building a phone OS, making drivers, making a protocol engine, and integrating it all into a cell phone. This is the model that defense contractors went with for the *real* COMSEC gear as opposed to the Android- and Linux-based crap…”

That is an interesting solution. How hard would it be to build the “chip” and install it?

@ gordo

“Hmm, meaning, that is, ... The rule of law (also known as nomocracy) is the legal principle that law should govern a nation, as opposed to arbitrary decisions by individual government officials.”

I agree. The current situation appears to be the opposite of the definition of the “rule of law”. There seems to be little need to get a warrant signed by a judge [or the judge simply allows overly broad use of these stingrays].

@ Mike Jeays

"The issue of police officers being required to lie under oath in a court is extremely troubling… This seems to be a complete breakdown of the rule of law."

Exactly. You would think there would be harsh punishment for police officers who are essentially lying to a judge during a criminal case – I guess not.

@ Jonas Silver

"They [police] can't use it in courts, it is really illegal, so corruption is probably rampant. Cops don't have grudges with spouses? It is just bending the law, a little, is their thinking. They deserve to have special benefits. They put their life in danger and look they get not only no respect or credit for this, they get reamed by the people. There are no sociopathic cops? Sociopaths are high in law enforcement, not low."

Point well noted. There has to be a way to put a stop to this type of dragnet search. It is bad policy and encourages more law-breaking.

@ Bob S.

‘Here you go: IMSI Catcher, For Sale: $1800 "An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service providers. With the PKI 1640 you can catch all active UMTS mobile phones in your proximity. All captured data, such as IMSI, IMEI, TMSI will be stored in the data base and are available for further evaluation at any time.’

It’s true “democracy” or the “trickle-down” effect at work.

These Stingrays [IMSI catchers] are readily available to a whole range of groups, from private investigators to criminal gangs - all they need is the money to buy them. I would not doubt if various unfriendly governments have deployed IMSI catchers in the US for their own purposes.

In my post I mention that sophisticated modular monitoring malware was planted on a civilian’s phone by a private investigator [used in a high dollar divorce case, the malware could secretly turn on the microphone, the camera, capture keystrokes, relay GPS location and has a self-erasing program if discovered].

What I was pointing to was not only the “Democratization” or wide spread use of Stingrays by various groups – but could also be an infection vector of persistent cell phone malware.

The Stingrays sit between the cell phone user and the cell phone tower [in most instances] and seem like a perfect way to "man-in-the-middle" implant malware on cell phones - sort of quasi Quantum malware injectors.

In the long run these IMSI catchers may lead to their own defeat. It doesn’t help to have the NSA/CIA/FBI/DHS/Local police screwing us from behind with IMSI catchers – now other groups of unknown origin are also doing it to us!

It also doesn’t help that huge corporations like Giggle keep the locations of legitimate cell phone towers a secret.

It would greatly improve Giggle's image if they were to publish a list of legitimate cell towers and locations. I will not hold my breath that a list of legitimate cell towers becomes public [assuming Giggle does have said list].

I sense this whole secret IMSI catcher game will end very badly.

gordo • April 29, 2015 4:04 AM

==================================================================

SEARCH ACLU: Stingray Tracking Devices

Showing 1 - 2 of 2 Results

State Legislature Passes Strong Measure to Regulate Stingrays
APRIL 17, 2015 NEWS/PRESS RELEASE

Stingray Tracking Devices: Who's Got Them?
FEBRUARY 24, 2015 MAP

==================================================================

Now There's an App For Detecting Government Stingray Cell Phone Trackers
Lily Hay Newman | Future Tense | DEC. 31 2014 5:43 PM

==================================================================

Privacy wearables and accessories for the secure – and stylish
GCN Staff | GCN | Dec 19, 2014

Dan • April 29, 2015 7:02 PM

Will catchers work on 4G?

I've only seen references of it working on 2G/2.5G(?) but not 3G/4G. Is it possible to use them on 3G/4G without subverting target phone to 2G/2.5G mode?

theBuckWheat • April 30, 2015 6:23 AM

As you said we have a world where others can spy. My problem is how easy we see that government at all levels found to give itself a collective pass, over and over, to violate the Fourth Amendment, to conduct detailed surveillance on broad areas of the public, not only without probable cause and a warrant, but to aggressively collude with each other to keep the means and the details a State Secret.

This shows massive corruption of the most serious kind, where thousands of people who took an oath to uphold the Constitution, and those politicians having political oversight, didn't sufficiently object enough to leak any of this to the press. Not for months, but for years.

We have truly grown from a government of the people to a government that has people. A very self-serving government. One of the roots of this dangerous hubris is that government has also given itself the power to create near-infinite money out of thin air by which it can purchase and deploy the means to destroy our rights. The first concrete limit on government abuses is the sheer limit of the budget. A government agency with unlimited money can entertain every whim and power-grabbing scheme. An agency on a limited budget must focus on its core mission.

Every day more people are coming to the judgment that a carefully organized effort to repair the constitution via the States' power to propose and ratify amendments poses less risk to our liberty and prosperity than the present trajectory of the federal government and especially the federal bureaucracy whose self-published rules carry the weight of law.

The first order of business of an Article V Convention must be to limit government's ability to create and spend near-infinite amounts of money.

Jonas Silver • April 30, 2015 6:23 AM

@Peter A.

I guess one should consider all baseband code in commercially offered handset rigged, bugged and backdoored.
I thought - then - it was just a stupid company policy. But the more revelations I read about the more I am convinced it was a kind of gag order or source code arrest - only a chosen few were likely allowed to see what's really INSIDE.

I think it is highly likely it is either directly backdoored, or security flaws were found in it which were not reported to the vendor.

Do note that the government, specifically, the NSA, is charged with finding security flaws in code which runs on DoD systems. This includes telco and would include handsets.

Also do note that with the NSA's backing, and partly by the NSA, are many chiefs of Five Eyes coming forward and demanding that they need not report security vulnerabilities to vendors.

Further, that they believe they have a right to place backdoors in all applications.

I will state, that, I also have a story from a 'few years ago' on baseband vulnerabilities (which, people should bear in mind ARE backdoors when they have a critical rating properly applied)...

There was a largely closed door solicitation for top vulnerability researchers to find baseband security vulnerabilities of critical rating. The reward price was in the six figures.

This could seem to indicate they did not have such a backdoor. Or it could be a challenge to test the security of their existing backdoor.

Problems with all of this: it all remains speculation. Besides anonymous sourcing. Though, in regards to anonymous sourcing, are these statements plausible? I believe they are plausible, taking in the full context for those who have the rare capacity to understand the full context. Can, however, anything be proven? It is not fungible.

Like currency which can be traded between two people, maybe ten, but can not be easily traded with the masses... it is not fungible currency, and therefore will not make it to the masses. Unless it is somehow converted to fungible currency.

But how can that be done? It probably can not, even a leak by the very programmers tasked or code reviewers tasked, it would not be fungible.

It is too plausibly deniable, even if the backdoor(s) could be found. They could be said to be mere unintentional, rather than intentional, vulnerabilities. Win-win.

Another salient argument against this rationale is the very existence and controversy of stingrays. Why, why on earth, would this debacle on stingrays exist if the US Gov secretly has baseband backdoors in the main handsets already??

Of course, no wonder to the audience here. You know the MK-Ultra story like the back of your hand, and are privy to so many related stories. There is a very deep difference between 'throw away' surveillance tech and the most secret surveillance tech.

Such conundrums are not, as many would think... outside the norm... but they are the norm. Even law enforcement themselves are not privy to these matters. Popularization of the "Ultra" story in "the Imitation Game" does not make that situation any better. Turing was so odd and so unique, surely this whole concept of "statistically providing enough true information with just a little false to avoid detection" concept should be considered anomalous in the history of surveillance!

But it is not anomalous, it is the norm.

Jonas Silver • April 30, 2015 6:58 AM

@Skeptical

What distinguishes democratization from proliferation is that the latter refers to an increase in the number of users of a technology, while the former refers to the ease with which individuals - in particular non-state actors - might become users should they so desire.
Schneier's use of the term is perfectly valid and it conveys his point here better than "proliferation" would.
As to the device in question, in the US I'm fairly confident that the private use of the device is illegal as well as easily detected.

This gets into word finery, where the outward appearance of a word is debated, but the substance remains the same. You can call a rose a 'cat', but a rose it will still remain. More obvious with the tangible and specific, not as obvious with the abstract. But if the abstract does, indeed, exist, the external shuffling of the coin under the shells matters just as little.

Democracy, or is it free market economy. While the word "democratization" can be used, to understand this situation as a *system* so as to predict how it would operate can be well studied by putting it in terms of an economic model.

So, in terms of supply and demand:

One caveat to supply you mention as a remark on unlikely high demand and so not worth consideration is "it is illegal in the States". Okay, let us forget the rest of the world for this and simply stick to the States.

First of all, detection systems for these stingray devices have shown there is wide proliferation. Further, that the usage is highly secretive. Both indicators tell us they are unlikely to be caught. We also know another attribute of these systems: they are mobile. Another attribute which decreases the chance for detection.

It is also very likely these systems can be mostly passive (though someone has noted they are not entirely passive, I am not entirely sure). A passive system is especially difficult to detect. Not being able to be detected because of emanations, such as would be with a pirate radio station, the range of detection would be far less.

Maybe it could be detected by anomalies in its' operation as a proxy upstream in the telco network. Very unlikely not, or not easily.

All of these points do affect demand, but demand is also affected by the obscurity of the technology. If you have endless ice to sell in the desert but no one knows about it, not much good it will do for sales. Once people learn about it, you will make a lot of sales.

Demand can be considered by analysis on the potential value of the information a custom "stingray" can provide. I would have to point out that potential value to a very wide range of customers would be very, very high.

Especially for customers who have sufficient money to pay.

I am not stating all of this to indicate this is an area I invest in, it is not, and such comments would be foolhardy to make if otherwise. Rather, I am stating it because it is a reality. As price drops for that ice and word gets out that ice is available, the ice will most surely "proliferate", or, if you wish, be well picked up, sold into, bought into, and voted for.

None of this is new. We have seen similar situations before, time and time again. When there is an easy method for governments to spy on private, confidential data they will use it, abuse it, and eventually so will the public. Until the problem has to be tamped.

With the internet, this meant the "proliferation" of encryption. In many fronts, at many times. Improvements made again and again. Not sure way back when "encryption" was treated like a weapon before ecommerce could be made. But, even recently, such as with many bugs with SSL over WIFI or other SSL implementation problems.

In the 90s, likewise, cell phones used to be easy to remotely surveil with cheaply bought scanners. Good with cops. But also good with criminals.

All of this could be short circuited, waste reduced, problems avoided: but it means that the private public might have their privacy. This is something near and dear to many who would rather that not be the case.

Should local government continue to have these capabilities? What good does it do. Conceivably? None. While it may give some illusion of progress on some cases, in reality, it itself violates bedrock, constitutional level law. And so morally decays the foundation of the very legality of the entire system.

Like torture does. Like assassinations do.

Like crime and criminals does.

It blurs that line, it crosses that line, and so it decays the entire difference between the two. Cop becomes criminal -- eventually there is no longer any cop at all. Just criminal.

Not difficult to understand. But because they are invested in an erroneous belief system, truth makes no difference.

gordo • April 30, 2015 8:19 AM

@ Dan

Is it possible to use them on 3G/4G without subverting target phone to 2G/2.5G mode?

Cities scramble to upgrade “stingray” tracking as end of 2G network looms
Oakland is latest city confirmed seeking Hailstorm upgrade, targeting 4G LTE.
Cyrus Farivar | ARS Technica | Sep 1, 2014

Christopher Soghoian, a technologist with the American Civil Liberties Union and a close observer of stingray technology, told Ars that little is known about the upgrades Hailstorm offers.

"The only difference that we know about is the 4G," he said, citing a purchase order from the Drug Enforcement Agency first unearthed by The News Tribune in Tacoma. That March 2014 document states: "Stingray II to Hailstrom Upgrade, etc. The Hailstorm Upgrade is necessary for the Stingray system to track 4G LTE Phones"

He explained that the new upgrade will continue to provide existing surveillance capability even after major cellular providers turn off support for the legacy 2G network, which is expected to occur in upcoming years. In 2012, AT&T announced that it would be shutting down its 2G network in 2017. Without the forced downgrade to 2G, a 4G phone targeted by a stingray would not be susceptible to the same types of interception at present, but it likely would still be susceptible to location tracking.

"Presumably, at some point after, new phones sold by AT&T will no longer support 2G," Soghoian added. "Once new phones stop working with 2G, Stingrays won't work any more. At that point, the Hailstorm will be the only way."

http://arstechnica.com/tech-policy/2014/09/01/cities-scramble-to-upgrade-stingray-tracking-as-end-of-2g-network-looms/

Also, on DocumentCloud, Privacy International contributed a product brochure from cellXion [1], with two items, listed on p. 3, described as: "performing acquisition in 3G mode, not jamming." The note attached to p. 1 is of interest, as well.

[1] Hyperlink not included here. Consistent with their line of business, i.e., not anomalous, a visit to cellXion's Website will show a standard advisory posted at the bottom of the home page that begins with: "Your IP address, [ . . . ], has been recorded and all activity on this system is actively monitored." And so on . . .
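To make the forced-downgrade point from the Ars quote concrete from the defender's side, here is an added example (not code from the thread, the Ars article, or any vendor) that scans a constructed log of cell attachments and flags a drop from LTE or UMTS onto a 2G cell missing from an allow-list of previously seen legitimate cells, or an unknown 2G cell with an implausibly strong signal. The log format, the allow-list, the -60 dBm threshold and every cell identifier are assumptions; it generalizes the 4G-to-2G case in the text to any generation drop.

```python
"""Added example: heuristic rogue-base-station detection from a cell log.

Not code from the thread, the Ars article, or any vendor. The log format,
the allow-list of legitimate cells, the -60 dBm threshold and every cell
identifier below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Generation rank per radio access technology; a lower rank after a higher
# one is a downgrade (the pattern a 2G-only IMSI catcher has to force).
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}


@dataclass(frozen=True)
class CellObservation:
    t: int      # seconds since the start of the log
    rat: str    # radio access technology the handset is camped on
    lac: int    # location area code advertised by the serving cell
    cid: int    # cell identity advertised by the serving cell
    rssi: int   # received signal strength in dBm


@dataclass(frozen=True)
class Alert:
    t: int
    reason: str


def find_downgrade_alerts(
    observations: Iterable[CellObservation],
    known_cells: Set[Tuple[int, int]],
    strong_dbm: int = -60,
) -> List[Alert]:
    """Flag suspicious transitions in a sequence of cell observations.

    Rule 1: the handset drops one or more generations (e.g. LTE -> GSM)
            onto a (lac, cid) that is not in the allow-list.
    Rule 2: the handset camps on an unknown 2G cell with an unusually
            strong signal, which is how a nearby fake tower wins the
            cell-selection contest against real ones.
    Each unknown cell is reported at most once.
    """
    alerts: List[Alert] = []
    flagged: Set[Tuple[int, int]] = set()
    prev = None
    for obs in observations:
        key = (obs.lac, obs.cid)
        unknown = key not in known_cells and key not in flagged
        downgraded = prev is not None and RAT_RANK[obs.rat] < RAT_RANK[prev.rat]
        if unknown and downgraded:
            alerts.append(Alert(obs.t, f"downgrade {prev.rat}->{obs.rat} onto unknown cell {key}"))
            flagged.add(key)
        elif unknown and obs.rat == "GSM" and obs.rssi >= strong_dbm:
            alerts.append(Alert(obs.t, f"strong unknown 2G cell {key} at {obs.rssi} dBm"))
            flagged.add(key)
        prev = obs
    return alerts


# Constructed sample log: normal LTE service, a sudden drop onto a 2G cell
# never seen before with a very strong signal, recovery, and later a second
# unknown 2G cell reached from an already-2G state (rule 2 only).
SAMPLE_LOG = [
    CellObservation(0,   "LTE", 4100, 7001, -85),
    CellObservation(30,  "LTE", 4100, 7002, -88),
    CellObservation(60,  "GSM", 4100, 9999, -52),   # rule 1 fires here
    CellObservation(90,  "GSM", 4100, 9999, -50),   # same cell, already flagged
    CellObservation(120, "GSM", 4100, 2301, -95),   # legitimate 2G cell
    CellObservation(150, "LTE", 4100, 7001, -86),
    CellObservation(180, "GSM", 4100, 2301, -95),   # downgrade, but known cell
    CellObservation(210, "GSM", 4100, 8888, -55),   # rule 2 fires here
]

# Allow-list: (lac, cid) pairs the handset has camped on in normal use.
KNOWN_CELLS = {(4100, 7001), (4100, 7002), (4100, 2301)}


if __name__ == "__main__":
    for alert in find_downgrade_alerts(SAMPLE_LOG, KNOWN_CELLS):
        print(f"t={alert.t:>4}s  {alert.reason}")
```

A real allow-list would be built from the handset's own history over days of normal use, and a sudden LAC change with no movement is a further signal worth adding.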

65535 • April 30, 2015 5:47 PM

@ Dan

“Will catchers work on 4G?”

I believe the answer is yes.

The broad wording of CALEA allows any large communications network to be monitored – with a court order. And, that would include 3G and 4G/LTE.

The problem with the “Stingray” is that it is used broadly WITHOUT a court order.

[CALEA]

“The Communications Assistance for Law Enforcement Act (CALEA) is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton (Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001-1010). CALEA's purpose is to enhance the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to wiretap any telephone traffic; it has since been extended to cover broadband internet and VoIP traffic… In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA — and more than 3,000 percent growth in interception of internet data such as email… By 2007, the FBI had spent $39 million on its DCSNet system, which collects, stores, indexes, and analyzes communications data…”

https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

I cannot imagine that “Stingrays’” or IMSI catchers would not be modified to tap 3G/4G cell phone networks.

rgaff • April 30, 2015 8:37 PM

@ Jonas Silver

I've enjoyed your last couple posts. Some of the points mentioned clarify things I've "felt" for a long time now but could not explain well...

Don't give up.

Jonas Silver • April 30, 2015 11:55 PM

@rgaff

:-)

I noticed you had an interesting observation about how people can kind of meld together, which I think is a sign of being a deeper thinking sort of individual. One cognizant of the more strange ins and outs which can happen. Which can be fascinating.

I can get very empathic and somehow tune into people, I suppose, scientifically, one could say it is picking up on bare unconscious clues in the tiny hidden ins and outs of language. Though could be having dropped far too much acid when I was younger, mixed with the nuclear accident of being overly engaged in acting as well as esoteric areas like hypnosis and personality disintegration. :-)

Whatever the case, even tonight had a lady tell me, "you know, you said just exactly what I was thinking". Who knows, collective unconscious, spirits, whatever. Gets me rapport here and there.

I have had and do have a very strange work experience, some of which well touches on computer security areas. While that has gotten deep, technically, it has largely been secondary to people work stuff which is definitely security related. But it is also very strongly people work stuff in unusual realms of personal communication.

One major concept I do try and rely which I was impressed you were getting into was how convincing it can be when two parties are at odds with each other. But not really. That is a very important concept to get, I believe. Agents pretend to be something the opposite of what they are, nations can do the same, leaders, and then on a more core human level, we often find ourselves doing things we do not seem to find usually within our own character.

A lot is exactly as it seems... and a lot is not...

Darkness is light, light is darkness.... if people come out of living in cave deep darkness all their life, light will be even more darkening for them. And that cave deep darkness they maybe had more light than everyone else around them. Even if we are as lights, we are in a world of darkness and can see only so far in any direction.

The world gets very complicated. Some think in five years, some in the immediate, some in ten, some in longer term. Multiple parties can engage in singular projects with entirely different intentions and it can be difficult to see who got them all engaged in the first place or what their intentions were and are.

Further, if you want to understand anything, you have to attack the issue from different perspectives, always considering your own heart suspect for hidden subjectivity. What is the left view? What is the right view? What are all of the other views? So often contrasting two extremes gives illumination.

But not always. Also, so often two extremes are the exact same animal using just different words for the very same thing. :-)

Anyway, it will probably get a lot more interesting on here in the not so distant future. :-)

Cody • May 2, 2015 12:32 AM

"One major concept I do try and rely which I was impressed you were getting into was how convincing it can be when two parties are at odds with each other. But not really. That is a very important concept to get, I believe. Agents pretend to be something the opposite of what they are, nations can do the same, leaders, and then on a more core human level, we often find ourselves doing things we do not seem to find usually within our own character."
Jonas Silver

Art is as old as dirt gets. Chinese philosophers illustrated this in a form known as tai chi. Indian mythology preached of god wills both creation and destruction. Egyptians, and god knows who else, gave concept to 'third eye.' And so forth...

Still most are in it for the silver.

Cody • May 2, 2015 12:35 AM

@ Jonas Silver

one more point to add.... insects often evolve to mimic their predators.

Jonas Silver • May 2, 2015 1:09 AM

@Cody

"Art is as old as dirt gets. Chinese philosophers illustrated this in a form known as tai chi. Indian mythology preached of a god who wills both creation and destruction. Egyptians, and god knows who else, gave concept to the 'third eye.' And so forth...
Still most are in it for the silver.
one more point to add.... insects often evolve to mimic their predators."

I actually studied tai chi under a student of a main American author on the subject who lived in China and Taiwan. Tai chi in China is very much watered down these days... not unlike Korean American martial arts.

Unfortunately, to make a comparison in terms of "natural predators", I have no natural predators in my own pool of existence. While I could, I suppose, appear as a rogue or a mimic, a fact I am not so willing to disprove... the fact does remain that it would be impossible to either dislodge me or arrest me.

I do have a career. And, quite frankly, I do have much amusement at anyone who would even pretend to make the conjecture that I do not. I will and do present myself as small and singular, but I also find it irrevocable that I am far from this. Hence, yet again, I must extol the virtue of Sun Tzu, 'if large, make one's self small; if many, make one's self few'.

*shrug*

I have plenty of information to give, and have over the years.

The obvious level is easily found... which leads to a wide variety of departments. Army, CIA, NSA, FBI, Air Force, Navy. Not sure which one people wish to throw their cards to.

I do not make so much money that anyone could well accuse me of 'being in it for the money'.

"Silver" pertains to my real age. Not monetary compensation.

I definitely have led many agencies to aggravation.

But, then, they are corrupt.

They are predators, you are correct. But weak ones at that. :-)

And, yes, they are ultimately our prey.

There does have to be Insurance in all of this, you understand.


TRX • May 3, 2015 11:26 AM

> "democratization"

It means that at the $1,500 price point, it is now possible for an individual who is sufficiently nosy to buy his own stingray equipment and listen in to the police and government, which conduct a great amount of official business on cellular phones nowadays.

mice • May 4, 2015 12:14 AM

Government agencies are just like a normal computer or electronics company; they aren't ahead by miles in technology, unless the staff find something new and develop it. The blackhats would have better technology than the NSA etc., for reasons... If they have Stingray it would be old; the only advance they have is a bottomless pit of money, i.e. advanced tools, and the ability to link up smart people in the field.

2 cents

gordo • May 5, 2015 5:49 AM

U.S. Will Change Stance on Secret Phone Tracking
Justice Department will reveal more about the use of such devices and launch a review
DEVLIN BARRETT | The Wall Street Journal | May 3, 2015

http://www.wsj.com/articles/u-s-will-change-stance-on-secret-phone-tracking-1430696796

U.S. Will Change Stance on Secret Phone Tracking
WSJ Video | May 4, 2015
The Justice Department is urging more transparency over the use of secret cellphone tracking devices and reviewing the way they are used in law-enforcement agencies. WSJ’s Devlin Barrett joins MoneyBeat. [04:44]

https://www.youtube.com/watch?v=aZQhcycu9so

thevoid • May 31, 2015 5:52 PM

@Clive, @other EM engineers

i was waiting for the new squid thread for this, but since the old one probably has to last another week, i decided to ask this here, since this is at least peripherally related.

i've done some checking but my technical knowledge here is rather weak, so hopefully i am explaining this right.

in my home ghetto, across the street from my grandmother's house, someone erected a gigantic yagi antenna. the first time i saw it it reminded me of a giant crane, the type they use on skyscrapers.

the tower is about 70 feet tall. the cross beam is ~50 feet across, is about 10 feet below the top, and it is slightly shorter on one end. the longer end has 2 equally spaced parasitic elements (henceforth rods). one at the end, and another equally between the tower and the end. there is another rod right at the intersection between the tower and the crossbeam. the slightly shorter end has 3 rods, though they are more closely spaced and clustered together nearer to the end of the crossbeam, and the middle one has a thick cable running down to the ground. the rods are all the same size and about 20-25 feet across.

some ascii art (ignore the dots, used for spacing, though this may still not turn out as intended.)

from above
[-------~50ft----------]

|..|.|.....|.....|.....|
|__|_|_____|_____|_____|
|..|.|.....|.....|.....|
|..|.|.....|.....|.....|
...^.......^
feedline tower

what might that be used for?

my grandmother has problems with the tv, where periodically you get someone shouting in Spanish, which usually sounds like gibberish (aah-ee-bah repeated constantly), but we know it's Spanish because we have rarely heard some clear Spanish words. you hear this even if you mute the tv. so of course my suspicion falls on this monstrosity.

there are also broadcasts that interfere with regular radio as well. they are a little more coherent and my cousin made out a word that apparently means 'little white paper' or something.

this is a residential neighborhood for the most part. it's actually one of the first industrial centers in the US, and i once heard has the highest factory density anywhere in the world, though most of them are now abandoned.

Figureitout • May 31, 2015 9:47 PM

@thevoid
--Not an RF engineer, but do work w/ it and have an amateur license; Clive'll give a much better explanation probably. What I think is happening is a common yet very intriguing phenomenon to me, called "audio rectification". It gets in larger headphones and speakers. Voice gets this cool distortion to it too, other than that it's just RF "buhn buhn buhn" type noise. We also have speakers throughout the house and same thing, turning up the volume potentiometer and you get the beacon "buhn buhn's" of CW in the attic.

http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf01379.html

I say it's "cool" b/c this could be a way to find bugs in your house; and it illustrates the insanity that every single wire is an antenna constantly receiving all kinds of noise... If you're in the "ghetto" I don't know about asking your neighbor to learn how to be a responsible amateur radio operator; if s/he keeps being a jackass start complaining on some ham forums and they may find him/her for fun. Or, get a ham license, a 1500W amplifier, and a simple CW radio and keyer and just a simple dipole antenna. Turn off everything in your house you don't want to break except the tv to hear him/her come on air, then obliterate the air waves w/ CW tapping out "suck it amigo" lol. Lights may flicker. :p

thevoid • June 1, 2015 3:37 AM

@Figureitout

"audio rectification". hadn't thought of that. know the phenomenon, but not the name. i used to hear it at work back when cell phones weren't as common, and i'd get this distorted alien-like voice coming out of my speakers. found out later it was a cell phone (i think someone was nearby using one). i've also heard it's a good way to see if your cell phone is transmitting, by putting it next to a speaker.

yeah, and forget the idea of anybody being reasonable there, in anything. well, there ARE a lot of hardworking people in the ghettos, and they have to suffer from the assholes too. and the cops are just as bad (according to other cops even). even the churchgoers are some of the biggest assholes you will meet, if you can even call them churches. except for the fact that they meet on sunday, there is nothing remotely 'faithful' about them. there are dozens of these pseudo-churches all over, and none of them (or their members) show any basic decency or compassion (or anything remotely like 'Christian values').

i wouldn't doubt if this tower was illegal, despite its obviousness. police don't do much around there, except beat people nearly to death and harass old women. i exaggerate, somewhat, but there was an incident about half a block away, news was even there and didn't cover it, until days later, after someone put up video of it (then they all covered it). one set of cops arrested someone, had it under control, another group came in and beat a handcuffed man nearly to death, and then tried to cover it up. i missed most of it, but saw they wouldn't let the paramedic through, and stuffed the victim into a van and rushed him off. got there just as the van was closing... interesting to see them do damage control, spreading disinfo. the undercovers even tried to get an idea of what people saw. i could see they were hiding it from other cops as well (most there were just as clueless as other onlookers, and left just as confused.) in the other incident, the old woman was my mother, and our 'finest' acted like a bunch of chimps. she used to be more supportive of the police, not so much now. another time she spoke to an officer who was temporarily detailed in, and he couldn't wait to get back to his own district because of the corruption...

i digress, but especially in these places, you are on your own, the authorities are not there to help you... but enough of the wreckage of our dying civilization.

the idea about ham forums is an interesting one, i'll have to keep that in mind. i doubt whoever is doing this is licensed either, and i seriously doubt this is just your average amateur, if it's related to the tower. this tower is HUGE. like i said, i thought it was a large crane at first. you can apparently see it clearly on google earth. really looks out of place amid houses, churches, and a pizza place. unfortunately, even if i had the equipment, i couldn't retaliate in that way, since my grandmother depends on a few machines. (admittedly i would like to though...)

Clive Robinson • June 1, 2015 4:31 AM

@thevoid,

The way to deal with local cop deficiencies is to get the Feds of one form or another sniffing around.

But to get them interested you have to do some of the ground work.

Obviously you have to start a file and diary, the file contains photos and maps, the diary times and events. As it appears to be an HF yagi antenna of some form, you should find out what direction it points in both true and magnetic and plot this on a "great circle" map (you should be able to find a "ham app" to do this on the internet, or a program that will do a "nasa style" coverage map).

The first real step after that is to check the local zoning regulations, then check if the lattice mast you describe is "fixed", "temporary" or "mobile" and go and look up the planning request down at your local equivalent of City Hall Planning Office. If there is a planning notification or consent you should be able to get a copy of it including covering letters etc., which should identify the principals.

The next stop if it's a commercial operation is the FCC; all non-mobile transmitting stations should be registered with them, and this includes frequencies of operation etc.

All this goes in the file, and this file will tell any official you are sane, serious and determined to get to the bottom of what at the very least is a legal nuisance. Likewise the official will know that any journalist seeing the file will make the journo take a second look and either direct interest or give you details of another journalist who will be interested.

As for what the "station" is, well I could take some guesses, based on licence application statistics, one of which is those from "missions" broadcasting to the faithful... The fact it's in Spanish and almost certainly some form of amplitude modulation makes it likely it's facing towards an old "Spanish colony" in South America or similar, possibly Africa.

As you've experienced, new "Mission Churches" are, shall we say, there for the interests of the church hierarchy, not the worshippers. Some are effectively lucrative businesses amounting to front organisations for "get rich quick" schemes including "charitable collections" of clothes as well as much worse. The poor are easy victims for such schemes, and they have been a real growth industry in times of recession.
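For the "plot it on a great circle map" step in Clive's procedure, here is an added worked example (mine, not from the comment thread or any ham app): convert the compass bearing read off the boom to a true bearing, and generate the waypoints of the boresight's great circle so they can be pasted into any mapping tool. The site coordinates, declination and bearing used below are constructed placeholders, not thevoid's actual location.

```python
# Added example: where does a directional (Yagi) antenna's main lobe go?
# The true bearing is the boom direction from reflector, through the driven
# element, towards the directors. Coordinates and declination below are
# constructed placeholders, not a real site.
import math

EARTH_RADIUS_KM = 6371.0


def magnetic_to_true(magnetic_bearing_deg: float, declination_deg: float) -> float:
    """Compass (magnetic) bearing -> true bearing. Declination is positive
    when magnetic north lies east of true north (the usual sign convention)."""
    return (magnetic_bearing_deg + declination_deg) % 360.0


def initial_bearing(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle initial bearing (degrees true) from point 1 to point 2.
    Use it to check whether a candidate target region lies on the boresight."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return (math.degrees(math.atan2(y, x)) + 360.0) % 360.0


def destination(lat1: float, lon1: float, bearing_deg: float, distance_km: float):
    """Point reached after distance_km along the great circle leaving
    (lat1, lon1) at bearing_deg. Returns (lat, lon) in degrees."""
    p1, l1 = math.radians(lat1), math.radians(lon1)
    b = math.radians(bearing_deg)
    d = distance_km / EARTH_RADIUS_KM  # angular distance
    p2 = math.asin(math.sin(p1) * math.cos(d)
                   + math.cos(p1) * math.sin(d) * math.cos(b))
    l2 = l1 + math.atan2(math.sin(b) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    lon = (math.degrees(l2) + 540.0) % 360.0 - 180.0  # normalise to [-180, 180)
    return math.degrees(p2), lon


def beam_track(lat: float, lon: float, true_bearing_deg: float,
               max_km: int = 12000, step_km: int = 1000):
    """Waypoints along the boresight every step_km, out to max_km, for the
    file: paste them into a mapping tool to see which regions the beam crosses."""
    return [destination(lat, lon, true_bearing_deg, km)
            for km in range(0, max_km + 1, step_km)]


if __name__ == "__main__":
    # Constructed placeholder site: north-eastern US, compass reading 125 deg,
    # local declination -13 deg (west). Not a real location from the thread.
    site_lat, site_lon = 40.7, -74.2
    true_bearing = magnetic_to_true(125.0, -13.0)
    for wp_lat, wp_lon in beam_track(site_lat, site_lon, true_bearing, 8000, 2000):
        print(f"{wp_lat:8.3f} {wp_lon:9.3f}")
```

A single Yagi has a fixed boresight, so the great circle alone (plus the HF band, which Clive suggests confirming through the FCC registration) narrows the intended coverage area considerably; the reciprocal bearing (add 180 degrees) is also worth plotting in case the reflector/director ends were read the wrong way round.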

p • June 18, 2015 1:10 AM

In short: IMSI catchers run MitM attacks on the communication between the terminal and the network. They can succeed in 2G only. 3G and later use AKA (Authentication and Key Agreement security protocol), characterized, amongst other things, by mutual authentication that hinders MitM.

AKA does not prevent 4G -> 3G -> 2G downgrade attacks. In this case the attack vector would be to raise 2G signal strength such that terminal thinks other radios aren't available, force re-association of terminal with (now faked) 2G base station and run the MitM.
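As an added illustration of the distinction p draws (my own toy model, not part of the comment thread and not the 3GPP code): a catcher without the subscriber key K can complete a GSM challenge, because the SIM answers whoever sends RAND, but cannot build a valid AUTN for 3G/4G AKA, so the USIM rejects it; a replayed genuine AUTN is caught by the sequence-number check; and the remaining exposure is whether the handset will fall back to 2G at all. HMAC-SHA256 stands in for the Milenage functions f1/f2/f5 (an assumption); field widths follow TS 33.102 (SQN 48 bits, AMF 16 bits, MAC 64 bits).

```python
# Added toy model (not 3GPP code): GSM one-way auth vs 3G/4G AKA mutual auth.
# HMAC-SHA256 stands in for Milenage f1/f2/f5 (assumption); AUTN layout is
# (SQN xor AK) || AMF || MAC with 48/16/64-bit fields as in TS 33.102.
import hashlib
import hmac
import os


def prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sim:
    """(U)SIM holding the long-term key K and the highest SQN accepted so far."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def gsm_respond(self, rand: bytes) -> bytes:
        # 2G: one-way. Nothing here lets the SIM check the BTS knows K.
        return prf(self.k, b"a3-sres", rand)[:4]

    def umts_respond(self, rand: bytes, autn: bytes) -> bytes:
        # AKA: recompute MAC under K; refuse to answer an unauthenticated network.
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = prf(self.k, b"f5-ak", rand)[:6]
        sqn_bytes = xor(sqn_xor_ak, ak)
        expected = prf(self.k, b"f1-mac", rand, sqn_bytes, amf)[:8]
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC failure: network not authenticated")
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:  # anti-replay (real USIMs then run AUTS resync)
            raise ValueError("synchronisation failure: replayed challenge")
        self.sqn = sqn
        return prf(self.k, b"f2-res", rand)[:8]  # RES


class HomeNetwork:
    """HLR/HSS side: the only other holder of K, so the only party able to sign AUTN."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def umts_challenge(self):
        self.sqn += 1
        rand = os.urandom(16)
        sqn_bytes = self.sqn.to_bytes(6, "big")
        amf = b"\x80\x00"
        mac = prf(self.k, b"f1-mac", rand, sqn_bytes, amf)[:8]
        ak = prf(self.k, b"f5-ak", rand)[:6]
        autn = xor(sqn_bytes, ak) + amf + mac
        xres = prf(self.k, b"f2-res", rand)[:8]
        return rand, autn, xres


def legit_umts_attach(sim: Sim, net: HomeNetwork) -> bool:
    rand, autn, xres = net.umts_challenge()
    return hmac.compare_digest(sim.umts_respond(rand, autn), xres)


def fake_gsm_attach(sim: Sim) -> bool:
    # Catcher without K posing as a 2G BTS: any RAND gets a valid SRES back,
    # and the catcher simply declares the phone "authenticated".
    return len(sim.gsm_respond(os.urandom(16))) == 4


def fake_umts_attach(sim: Sim) -> bool:
    # Same catcher posing as a NodeB: it cannot forge MAC, so no RES is ever returned.
    try:
        sim.umts_respond(os.urandom(16), os.urandom(16))
        return True
    except ValueError:
        return False


def replay_umts_attach(sim: Sim, rand: bytes, autn: bytes) -> bool:
    # Catcher replaying a genuine, previously captured challenge: MAC verifies,
    # SQN does not.
    try:
        sim.umts_respond(rand, autn)
        return True
    except ValueError:
        return False


def downgraded_attach(sim: Sim, allow_2g: bool) -> bool:
    # Only a (fake) 2G cell is "reachable": protection now rests on handset policy.
    return fake_gsm_attach(sim) if allow_2g else False
```

The model deliberately omits ciphering and the GSM A5 choice; the point is only that AKA's AUTN gives the USIM something to verify before it speaks, which is exactly what the 2G exchange lacks and what a 4G-to-2G downgrade removes again.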

David L • December 10, 2015 9:12 AM

Greetings,

There were, as of a few months ago, a number of Stingray detection apps in the Play Store, also named IMSI catchers, etc. But now almost every single one is gone. Then I did a Google search, and found that the Stingray mapping project had a notice "we are taking a break" which had an email address, to which I fired off a query as to the nature of this break. Like, did you receive some kind of official letter? There were apps for Android, rooted and non-rooted, previously. Some looked rather promising. Now I'm not sure what has happened, whether my having changed devices had anything to do with this, but I'm on the same Sprint network and using the same OEM devices. But I have strong suspicions as to the apps disappearing.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.