In Unsealed Document, FBI Admits Stingray Devices Will Disrupt Phone Service

from the making-Stingray-omelets-required-breaking-a-few-communications dept

A small crack in the FBI’s Stingray secrecy has appeared. A 2012 pen register application obtained by the ACLU was previously sealed, but a motion to dismiss the evidence obtained by the device forced it out into the open. Kim Zetter at Wired notes that the application contains a rare admission that Stingray use disrupts cellphone service.

[I]n the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.

“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity. Any potential service disruption will be brief and minimized by reasonably limiting the scope and duration of the use of the Mobile Equipment.”

Notably, the application (and the magistrate’s approval) do not refer to the device by any of the common names (Stingray, IMSI catcher, cell tower spoofer, etc.), but rather as “mobile pen register/trap and trace equipment.” While it does admit the device will “mimic Sprint’s cell towers,” it downplays the potential impact of the device’s use.

The fact that Stingray devices disrupt cell service isn’t new, but an on-the-record admission by law enforcement is. The warrant application claims that numbers unrelated to the ones being sought will be “released” to other cell towers. The unanswered question is how long it takes before this release occurs.

“As each phone tries to connect, [the stingray] will say, ‘I’m really busy right now so go use a different tower. So rather than catching the phone, it will release it,” says Chris Soghoian, chief technologist for the ACLU. “The moment it tries to connect, [the stingray] can reject every single phone” that is not the target phone.

But the stingray may or may not release phones immediately, Soghoian notes, and during this period disruption can occur.

The problem with the so-called “release” is related to the amount of disruption that occurs when the device is used. Advances in cell technology have surpassed the ability of Stingray devices to capture calling info and location data. Upgrades are available and law enforcement agencies are scrambling to get their cell tower spoofers up-to-date, but the general process still involves “dumbing down” everyone’s connection to the least secure and most easily-intercepted connection: 2G.

In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.

If a device is in operation nearby, all calls that can’t find a better connection will be routed to the cell tower spoofer. This means calls won’t be connected, texts won’t be sent/received and internet service will be knocked offline. While Stingrays are supposed to allow 911 calls to pass through without interruption, these are far from the only type of “emergency” communications. If the device is deployed for any considerable length of time, citizens completely unrelated to the criminal activity being investigated may find themselves unable to communicate.

And while the targeted number apparently belonged to Sprint, the warrant application notes that all service providers in the area will be asked to turn over a large amount of subscriber information.

[D]irecting AT&T, T-Mobile U.S.A., Inc., Verizon Wireless, Metro PCS, Sprint-Nextel and any and all other providers of electronic communication service (hereinafter the “Service Providers”) to furnish expeditiously real-time location information concerning the Target Facility (including all cell site location information but not including GPS, E-911, or other precise location information) and, not later than five business days after receipt of a request from the Federal Bureau of Investigation, all information about subscriber identity, including the name, address, local and long distance telephone connection records, length of service (including start date) and types of service utilized, telephone or instrument number or other subscriber number or identity, and means and source of payment for such service (including any credit card or bank account number), for all subscribers to all telephone numbers, published and nonpublished, derived from the pen register and trap and trace device during the 60-day period in which the court order is in effect…

This request seems to run contrary to what’s asserted earlier in the warrant application, in reference to the Stingray device itself.

In order to achieve the investigative objective (i.e., determining the general location of the Target Facility) in a manner that is the least intrusive, data incidentally acquired from phones other than the Target Facility shall not be recorded and/or retained beyond its use to identify or locate the Target Facility.

It appears there is a “catch-and-release” policy when it comes to Stingray devices, but the FBI’s data request to every cell phone service provider in the area contains no such assurances about minimization. Additionally, the request for data on “all subscribers to all telephone numbers” covers a 60-day period, while the use of the tower spoofer is limited to two weeks.

So, not only did the FBI potentially disrupt cell service while searching for the robbery suspects, it also collected a massive amount of data on every subscriber whose phone happened to connect with its fake tower. It’s not really “catch-and-release” if additional call/location data on unrelated subscribers is obtained from from other providers. This broad request was granted without question or additional stipulations by the magistrate judge — the only limitation applied (in a handwritten addition, no less) being that the FBI would not be able to use the device “in any private place or when they have reason to believe the Target Facility is in a private place.” (This falls in line with the FBI’s “warrant requirement,” which is written in a way that ensures the FBI will never have to seek a warrant for Stingray use.)

The FBI, along with other law enforcement agencies, has refused to answer questions about the disruptive side effects of Stingray device usage. With the unsealing of this document, their silence no longer matters. These agencies are well aware of these devices’ capabilities — something they’re clearly not comfortable discussing. The excuses deployed routinely involve “law enforcement means and methods” and claims about “compromising current and future investigations,” but with more heat being applied by the nation’s legislators, this code of silence may finally be broken. The use of these devices — despite being fully aware that critical communications may be at least temporarily prevented — sends a continual implicit message to the public: your safety and well-being is subject to law enforcement’s needs and wants.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “In Unsealed Document, FBI Admits Stingray Devices Will Disrupt Phone Service”

Subscribe: RSS Leave a comment
Anonymous Coward says:

What’s this “Target Facility” phrase being used? The phrase makes me envision a building, otherwise known as a facility, that is capable of moving down the road and changing it’s locations. Ridiculous! I’m sure there’s some legal tap dancing reason for calling a targeted person a facility instead of a individual.

Anonymous Coward says:

Re: I wonder...

It depends on the phone, but in general, no, you can’t force your phone to ignore 2G. Most phones ship with firmware that lacks such a knob, and it’s almost unheard of for a phone to allow replacing the relevant firmware with one that has the required knob. Some smartphones can run an app that alerts you when the phone is using 2G, but I think even there, it is on the user, not the app, to notice this and stop using the network.

Anonymous Coward says:

Re: I wonder...

Yes, for Android, dial ##INFO## and as soon as you press the last * it will open a diagnostics screen. Choose the first option (“Phone information”) and set the first dropdown to “WCDMA only”. Now your phone will only use 3G. Note: this setting is forgotten on reboot, so you have to do this dance every time you turn on the phone. Also, if your phone has a “2G only” setting, it changes the same internal variable, so if you use it it’ll override your “WCDMA only” setting.

The same dropdown also has LTE options, but I’m using an older phone which doesn’t have LTE so I don’t know the right one for 4G.

Anonymous Coward says:

Re: I wonder...

With a WiFi-enabled computer, you can set it up to automatically or manually connect to any particular router/access point rather than the default setting of auto-connecting randomly to anything within range (much like a cell-phone does). You can also pinpoint where any particular router is located (especially if you have a directional antenna on your pc). Presumably, smart-phone software could perform something similar.

But even without a smart-phone running custom applications, it would not be hard to design any cellular telephone to identify -and avoid- a Stingray interceptor. For instance, if your GPS location has not changed (much) and a new “cell tower” suddenly pops up out of nowhere, that situation alone would make it highly suspect.

John Fenderson (profile) says:

Re: I wonder...

“If there’s any way to tell a phone to not ever use 2G.”

In most cases, not easily. If you’re using Android, there are a couple of options that I know of, but they require root access. One is to replace the stock OS with Cyanogenmod, which lets you control that directly.

If you can’t use Cyanogenmod, then there is another option (this is what I do): using Tasker and a little magic, you can run custom scripts every time the protocol changes. My script notifies me that it has changed, and if it changed to 2G then it attempt to change back. If that fails, it disables the cell radio entirely (as if it were in Airplane Mode), then polls periodically to see if it can connect to 3G or better yet.

I’m unaware of an easily downloadable app that can accomplish all of this, but it probably exists somewhere. For my purposes, the Tasker solution is just fine.

art guerrilla (profile) says:

Re: Re: Re:3 I wonder...

c’mon, johann, you know better: DOES NOT MATTER if you are ‘100% legit’ these days, if the eye of sauron turns on you, you are toast…

ALL KINDS of copyright use, etc is ‘100% legit’ doesn’t stop people from being jacked up by the (il)legal system…

at the very least, you become one of the ‘persons of interest’ due to even THINKING about privacy, talking about technical workarounds, tinkering with software, going to protests, having a copy of the declaration of independence on their wall (ooops, …), donating money to organizations that are deemed ‘terrorist’ AFTER THE FACT, etc ad infinitum…

John Fenderson (profile) says:

Re: Re: Re:4 I wonder...

Well, true enough, but if I was going to spend even a picosecond actually worrying all that, then I wouldn’t be able to get out of bed. As you correctly point out, if they want to take you down, they can. It doesn’t matter who you are or how perfect a life you lead.

After my many decades of activism and being an opinionated loudmouth, that they haven’t done so yet tells me that the Eye of Sauron has juicier targets in view.

John Fenderson (profile) says:

Re: Re: Re: I wonder...

I haven’t tried it, but it isn’t as good of a solution as the one I have with Tasker, for two reasons: first, it’s temporary and has to be done on every reboot and second, it makes switching between 2G and 3G+ a manual operation rather than automatic. My script does some other things to determine if it is (relatively) safe to be using 2G so I have use of the cell network where 3G+ isn’t available.

Anonymous Coward says:

I hope this isn’t the only argument EFF/ACLU and the like will be using against Stingrays and FBI’s use of them.

There are cell-switching technologies coming soon into Qualcomm modems and others that will make the switching “seamless” between a real tower and a fake one.

EFF and ACLU need to use a stronger 4th amendment argument against Stingrays, not just that it “disrupts some calls”.

John Fenderson (profile) says:

Re: Re:

“Phone companies are gonna use resources that could be spent on GOOD things, instead it’ll be spent specifically on improving government surveillance compatibility”

True, but they’re used to it and have already spent to put in much of the infrastructure. CALEA already requires telephone companies to provide surveillance capabilities to law enforcement.

Anonymous Coward says:

Re: Re: Re:

It’d be funny if someone developed an app that checked for a switch to 2G service, checked the tower ID when that switch is attempted, and then would broadcast a “potential stingray alert” w/ GPS coordinates to all registered users of the app if the tower ID isn’t found.

Perhaps the police would finally have those “flash mobs” they’re apparently so scared of.

John Fenderson (profile) says:

Re: Re: Re: Re:

That’s an interesting idea. My phone does something very like this. When it detects that it has been forced to 2G, it checks the identifier against the list of fixed towers. If the it determines that the “tower” is suspicious, it warns me and turns off the phone’s radio.

Sending an alert to others is an interesting idea, but if I were to consolidate all of this into a single app, I’d just recommend that everyone run that app to detect rogue stations themselves. There’d be no need to send out any kind of alert.

Anonymous Coward says:

Re: Re: Re:2 Re:

I read your earlier post about using a custom Tasker script to monitor for protocol changes. I’ve neglected learning anything about Android (or any smartphone OS) programming, and this at least sounds like a fun reason to dip my toe in the water.

I was only half-joking about the flash-mob thing. I was thinking that orgs like PINAC could use these alerts as a means of getting people to look for and photograph IMSI catchers in the wild (even if they’re just unmarked panel vans).

Less fun, but more useful, would be trying to gather data about how widely (and frequently) deployed stingrays are. Even with lots of noise, at least there’d be a starting point.

Coyne Tibbets (profile) says:

Keep up the pressure

Keep up that pressure: They’re starting to fold. This is the FBI confessing to a lesser crime, so as to keep the greater crime concealed.

Which, of course, would be that Stingray allows them to record all cell conversations in the vicinity. Do I have proof? Nothing but their hypersensitive reaction to any inquiry related to Stingray; which springs from a guilty conscience.

Believe me, they aren’t concealing that Stingray “disrupts phone calls;” we already knew that. No, their guilty conscience comes from something much more ugly, something they’re still hiding.

Let’s find out what.

spankydoesdallas (profile) says:

Wonder If Calling Problems are Stingray Use

I visit the area of Fayetteville, TN often and have had problems with the cell service there. I am a Sprint customer and I get a “five bar” cell signal there but each time I try to call out, I get hung up on before the call completes. I wonder if TN state law enforcement is using a stingray device in the community. There are no other cell towers close and therefore I cannot connect to any other cell tower. It is a “black hole of cell” there for me and even affects my vehicle’s QualComm communication computer assist adversely (I am a truck driver). It has been that way for many months. There also always seems to be a “maintenance type” truck at the base of the cell tower in question. This cell is located just north of Huntsville, AL where the space center is located too. Odd fact, I have called Sprint many times regarding this issue and they seem to know about it but do not give explanation for it’s befuddling hang-up behavior.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ยป

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...