Detecting Stingrays

Researchers are developing technologies that can detect IMSI-catchers: those fake cell phone towers that can be used to surveil people in the area.

This is good work, but it's unclear to me whether these devices can detect all the newer IMSI-catchers that are being sold to governments worldwide.

News article.

Posted on August 2, 2017 at 7:39 AM • 21 Comments

Comments

AndrewAugust 2, 2017 7:53 AM

I've been wondering: Stringrays report a new tower ID and then design so the phone favors it? Or do they re-use the tower ID of a nearby one? If they use a new one, is having the phone alert for new Tower IDs a help in determining the message might be intercepted? At least for someone like me that spends 90% of his time within the same 5 mile radius? (The phone app Tasker for Android shows Tower IDs of connectable cell phone towers, so it seems that information is accessible.)

Jaša BarteljAugust 2, 2017 8:41 AM

Andrew, sure. I brainstormed some approaches how to handle this and it's basically the same problem as the mapping of PKI certificates to domains. How can a phone (browser/TLS client) verify that a given operator's tower (certificate) is one they used before?

Basically the phone needs a constantly updated list of an operators towers to check the given (location, tower) against the list. There are, of course, potential vulnerabilities with any network update mechanisms, and many approaches to building such a tower list:

* regularly get updated list from communications authority/regulator, check against it
+ should have most accurate national tower list as operators are required to register them
- government controlled, determined government with over-reaching repressive branch may manipulate this list
- per-government authority access protocol/data format, may be solved by shifting trust to an aggregator service

* crowdsourced tower observations, similar to the EFF's SSL Observatory
+ government authority independent
+ single format
+ potentially world-wide service
+ any anomaly quickly detected
+ historical observation data
- anomaly not necessarily foul play (may be new tower OR stingray), leading to false positives
- dealing with probabilities, not near certainties (e.g. what are robust criteria to accept a tower as legitimate)

* check against previous device observations
+ offline, more robust in various connectivity states and no information leaks
+ fast
- anomaly not necessarily foul play (may be new tower OR stingray)
- requires a lot of manual work; user must trust any new tower with some out of band trust establishing procedure (think accepting ssh host keys), this is generally bad UX and leads to blind trust

Combinations of approaches of course possible, but a workable solution is automatic. A cellular device should connect to a tower only when the tower is trusted based on some out of band, locally cached key database (similar to SSL PKI).

Who?August 2, 2017 10:30 AM

@Andrew

I've been wondering: Stringrays report a new tower ID and then design so the phone favors it? Or do they re-use the tower ID of a nearby one?

IMSI-catchers that reuse cell-IDs are even easier to detect as towers usually transmit on a single frequency, two at most. My bet is that registering the number of channels used by each tower will help detecting anomalies (I love anomalies! Anomalies usually mean interesting things!). If the number of registered frequencies on a tower changes, or a single tower transmit on three or more frequencies, there is a strong indicator there is an IMSI-catcher in the neighborhood.

Surprisingly detecting new cell sites is less reliable, as a new tower does not mean an IMSI-catcher in the zone every time it happens.

Projects like OpenCelliD may help, but as these databases are intended to be edited by anyone, someone running a surveillance operation can easily hide an IMSI-catcher as a cell site. A possible workaround in not allowing automatic updates on the database stored on the smartphone, so a new entry in the database is not automatically accepted by the IMSI-catcher-catcher.

JG4August 2, 2017 10:47 AM


if the open-source efforts are made at the correct levels of abstraction, then the composite effects can allow the crowd-sourced effort to move in a positive direction. the first step is defining the problem and making a proof that there is at least one solution. I'd welcome some comments from the experts on using the cell system for secure communications. there are three aspects to the security, as I define it here, 1) content, 2) metadata and 3) location. I believe that the first two are completely soluble, given a) robust encryption of the audio (a sort of dual data diode) b) a secure intermediate server, and c) location spoofing. Location spoofing can be taken much further with d) a network of cell transceivers accessible by the server b).

https://www.schneier.com/blog/archives/2017/07/friday_squid_bl_586.html#c6757316
...
there are multiple tradespaces defining and surrounding the problem of secure communications. a related tradespace is given as concurrency, availability and integrity - pick any two. did I mention visiting the Harvard Center is 2015? Bruce had an open-hardware seminar that compared Arduino to a popular open-source cellphone platform that sells for $12 in China. control of the SDR is a given, and it could be forced to only communicate with one tower. further, the latency of the responses to the tower could be offset with a slowly varying constant (or random value) to dilute the position information from meters to kilometres. to place a call, rather than using the cell company's switching gear to connect to the recipient, the call would be placed to a secure server which then calls the recipient. I mentioned before that a sufficiently large user base is required to dilute the traffic. if secure audio endpoints are provided by enclosing the cell phones in a sort of prison that sees only a white noise audio carrier in both directions, then two of three objectives can be fully met, with significant progress on the third. the location information security can be defeated by an adversary who places multiple observing receivers in the cell tower footprint. secure audio with defeat of traffic analysis (the channels all can be open all the time with white noise carrier in transit) and significant defeat of leaking location information.

PhAugust 2, 2017 11:46 AM

I'm curious how a spoofed tower can be detected if it uses the same ID etc as an original nearby but just overpowers the signal in a (small) area.
This is how WiFi is usually hijacked.

TatütataAugust 2, 2017 12:14 PM

IMO, a Stingray would normally get whatever it wants out of an MS and immediately kick it thereafter to a real cell. I would expect to see very little activity on the phony cell's traffic channels. This could be a way to find them out.

As noted by others above, a swarm approach might work in ferreting out these !/$"/$!!, i.e., users could anonymously share their present location, active channels, neighbour lists, and patterns could be detected from the mass of data. (e.g.: cells with very low average MS attachment durations). Cell licences could be included in the database, in countries where these are part of the public record or available through FOI legislation. When wewly active cells pop up, these would be flagged for further examination, and a collective white list established. (There would be an issue with malicious contamination of the data).

I haven't owned a mobile phone for years, and I'm considering the purchase of a so-called "smart phone". How much of a low-level access to the cellular layers information do you have through the Android API? Is there a particular brand/OS version I should look into? (I'm currently favouring LG for the audio quality). Back in the 90s/00s I had enabled the "net monitor" service function on my Nokia GSM, and it was very interesting to see how it behaved when riding a train or public transit, with microcells handovers at subway entrances. Is there anything equivalent nowadays?

Ye Olde GrandpaAugust 2, 2017 12:28 PM

Give the terribly weak end-point security of phones and given the increasing prevalence of Stingrays the message I get is to not use a cell phone at all. Believe it or not people managed to live healthy, productive lives without cell phones....without any phones at all.

WaelAugust 2, 2017 12:48 PM

but it's unclear to me whether these devices can detect all the newer IMSI-catchers

General public don't have the knowledge or the tools to mount an effective structured defense campaign. Unless a knowledgeable insider (team) is involved, the results will be ineffective at best.

@Tatütata,

Is there anything equivalent nowadays?

Two high level references:

logcat -b radio

https://www.codeaurora.org

Deus x MachinaAugust 2, 2017 12:54 PM

If the link to the news article in the blog post doesn't display properly it's because it's for a mobile version on techxplore.

Some more web-searching on the project lead me to:

The SeaGlass project website: https://seaglass.cs.washington.edu

A write-up on Wired: https://www.wired.com/2017/06/researchers-use-rideshares-sniff-stingray-locations/

And an article on TechCrunch: https://techcrunch.com/2017/06/02/who-catches-the-imsi-catchers-researchers-demonstrate-stingray-detection-kit/

Cool project. Thanks for the research and keep up the good work!

AnonymusAugust 2, 2017 1:13 PM

I think that cell towers information would be an ideal use case for a public ledger on a blockchain under the FCC supervision. With multi signature it could be relatively trustworthy. As much as the government is that is.

K15August 2, 2017 3:27 PM

When we no longer have security by obscurity, what is the most secure way to send a document that does not make the sender or receiver practice arcane encryption?

Clive RobinsonAugust 2, 2017 4:31 PM

@ K15,

what is the most secure way to send a document that does not make the sender or receiver practice arcane encryption?

Most Governments have used or still use hand carried "Diplomatic Pouch" for sending the highest level --think OTP-- codes and cipher material.

Osama Bin Laden used trusted couriers, using memory keys that could be concealed in body cavities.

Both used trusted couriers, though an acomponied Diplomatic Pouch is protected by international treaty. Where as OBL's couriers had to use body cavities as they had no legal, diplomatic or treaty protection.

During the cold war Russia was known to not trust the couriers so not only would two be used, the information would be on film that had been fixed but not developed.

CallMeLateForSupperAugust 3, 2017 12:07 PM

@Clive
"... film that had been fixed but not developed"

Make that "exposed but not developed". (Or maybe I don't know "soup" processes.)

AnuraAugust 3, 2017 12:39 PM

@CallMeLateForSupper

Yes! I finally get to put my high school photography class to use!

Developing a film makes the image visible, fixing it removes the magic that makes it photosensitive so you can project it onto photographic paper.

1984againAugust 6, 2017 12:17 PM

A ridesharing catcher sounds pretty absurd.

Read this:
[http://www.rtl-sdr.com/using-an-rtl-sdr-as-a-simple-imsi-catcher/]

[https://thehftguy.com/2017/07/19/what-does-it-really-take-to-track-100-million-cell-phones/]

You basically note real cell towers, then pick up other things. If you have the time to waste on this mapping... no comment. I could care less about what cops do.

There are better preventative communication methods. Watching signal is too late if you popped up on radar. Do you really think cops are sitting around, listening with stingrays? We don't have the tax dollars for the time/man hours. Trap your mind in a paranoid hobby if you like. All of these catches, plus social network revelation, only catches the easy ones. People get away with crime by communicating off the grid. A stupid road IMHO.

Clive RobinsonAugust 7, 2017 11:16 AM

@ 1984again,

Trap your mind in a paranoid hobby if you like

Such hobies can be called paranoid by some, but the simple fact is there is now more than enough evidence to show the devices are being used for mass surveillance by LEO's. Which there is reasonable suspicion is being used for parallel construction. Both of which I understand are crimes in the USA.

For some such a view point would make it not whst you call a "paranoid hobby" but a social duty, in the same way as using smart phones to photograph/film LEO's doing other questionable or arguably illegal acts.

The law and legislation is predicated on certain standards of behaviour. Those falling below those standards should not be doing the job in the same way as if they were taking bribes etc.

There is considerable examples of what happens when LEOs go bad and get court. At the very least it calls into question every other case they have worked on and can and has led to those covicted of crimes having their convictions quashed. Whilst some may be innocent and deserving of freedom others may not, thus a potentialy dangerous criminal gets released.

Thus those indulging in such a hobby and making what they know public has an effect on the LEAs to minimize the use of such equipment to that they have warrants for... Further it enables the likes of parallel construction to get found out about.

1984againAugust 7, 2017 11:51 AM

@Clive
Yes. I am also thinking about motivations. In some countries, the police are insane corrupt under gestapo-like puppet control. The device isn't going to save your life or defend you. There is no point in doing recon if you are not trained in tactics and firearms.

The secondary objective by law enforcement here is to catch people with the older femto cells. Those microcell owners will invade private lives, which is illegal, and more scary than police officers driving around, catching drug dealers.

If there is any reason to make an IMSI-catcher, it would be to discover if some slime bag is living next to you; not the cops. Here in the US, you can reinforce this with crimereports.com. I am surrounded by sex offenders and child abductors.

My deal is this: cops can use discretion on this. On a military base, they have multi-band decoders that can listen to anything 24/7. Out on the street, an officer will minimize exposure profile. Here in the US, if you are that worried about cops, you are illegal. They are trying to catch you in a prosecutable conversation.

All kinds of people feed on fear. I refuse.

Jared HallAugust 15, 2017 3:57 AM

Omar, You might gain better visibility posting your comment in one of Bruce's Friday Squid posts.

I enjoyed your article. I'm not a mathematician or cryptoanalyst, but I have a couple of thoughts on FAROQ:

1) The weakness of Rijndael is the S-Box. While FAROQ seems to address this weakness, it's use is still predictable and still an attack vector.

2) I am unclear where you gain the speed advantage over AES/Rinjdael.

I applaud your efforts and outstanding work. You've certainly created a better "mousetrap". As for commercial viability, I think the market may perceive FAROQ as "just another mousetrap".

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.