'It Looks Like You're Trying To Harvest Cell Phone Data…:' Quick-Start Guides For IMSI Catchers Leaked

from the CTRL-ALT-WTF dept

The Intercept has obtained user manuals for Harris Corporation’s IMSI catchers, colloquially known as Stingrays, thanks to an anonymous leaker. The documents appear to have come from a Florida law enforcement agency. This would be the public’s first chance to see these documents in unredacted form. These operating manuals have been held onto tighter by law enforcement agencies than nondisclosure agreements or info on investigations utilizing this technology.

The documents show what’s so attractive about Stingrays: their power and their ease of use.

Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up-to-date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.

The tech can be deployed easily thanks to a relatively user-friendly interface and offers an array of tools to be used that go beyond simply tracking the location of a targeted phone. Not only can these devices snag every phone that happens to be in range of the device, but the IMSI catcher can force every phone in the area to come down to its level, so to speak.

In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G.
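As an added, defender-side illustration (not code from the leaked manuals or from Harris), the heuristic below scans a constructed log of a handset's serving-cell changes and flags the pattern a forced redirection of the kind described above would leave: an abrupt drop from LTE to 2G while the LTE signal was still strong, onto a cell the phone has never seen before. The log format, cell identifiers and thresholds are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class RatEvent:
    t: int         # seconds since start of capture (constructed)
    rat: str       # radio access technology: "GSM" (2G), "UMTS" (3G), "LTE" (4G)
    cell_id: str   # serving cell identifier (constructed values)
    rssi_dbm: int  # serving-cell signal strength

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}

def parse_log(text):
    """Parse 'time,rat,cell,rssi' lines (an assumed, constructed format)."""
    events = []
    for line in text.strip().splitlines():
        t, rat, cell, rssi = line.split(",")
        events.append(RatEvent(int(t), rat, cell, int(rssi)))
    return events

def find_suspicious_downgrades(events, strong_dbm=-95, max_gap_s=30, known_cells=()):
    """Flag a quick drop to a lower-generation RAT, while the previous cell was
    still strong, onto a cell never seen before. A genuine coverage edge
    normally shows the signal weakening first; a forced redirection does not."""
    seen = set(known_cells)
    alerts = []
    for prev, cur in zip(events, events[1:]):
        seen.add(prev.cell_id)
        downgrade = RAT_RANK[cur.rat] < RAT_RANK[prev.rat]
        strong_before = prev.rssi_dbm >= strong_dbm
        quick = cur.t - prev.t <= max_gap_s
        new_cell = cur.cell_id not in seen
        if downgrade and strong_before and quick and new_cell:
            alerts.append((cur.t, f"{prev.rat}->{cur.rat}", cur.cell_id))
    return alerts

# Constructed sample: a strong LTE connection abruptly replaced by an unknown
# 2G cell (suspicious), later a weak LTE cell handing over to 2G (benign).
SAMPLE_LOG = """
0,LTE,LTE-1001,-78
20,LTE,LTE-1001,-80
40,GSM,GSM-9002,-60
60,GSM,GSM-9002,-62
200,LTE,LTE-1002,-112
220,GSM,GSM-7001,-85
"""

if __name__ == "__main__":
    for t, change, cell in find_suspicious_downgrades(parse_log(SAMPLE_LOG)):
        print(f"t={t}s: abrupt {change} onto unseen cell {cell}")
```

Only the first downgrade is reported; the second follows a signal that had already faded, which is what ordinary coverage loss looks like.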

However one might feel about the lawfulness of deploying mass surveillance to track — in most cases — a single suspected criminal, there has to be at least some concern that law enforcement can downgrade paying customers’ connections while performing an investigation.

The user’s manual [PDF] uses telco jargon almost ironically, referring to targeted phones as “subscribers” (who haven’t intentionally signed up for law enforcement tracking) and the towers officers will be spoofing as “providers” (the cell companies whose connection will be replaced/downgraded as law enforcement sees fit). Lists of “subscribers” and “providers” can be imported and exported. “Subscribing” numbers can be given nicknames to more easily separate them from the countless other cell phone numbers swept up during the device’s deployment.

Much of what’s in the documents isn’t exactly surprising. A lot of this has been sniffed out by FOIA requesters and defense lawyers, but until this point, the underlying details have mostly been implied — read between redactions and parsed from deliberately-obtuse law enforcement testimony.

Harris can’t be happy these documents have leaked. A warning on the Gemini control software manual [PDF] states that Harris must be allowed to challenge any disclosure of the contents of these documents — which presumably includes law enforcement compliance with defense production requests. Law enforcement agencies can’t be happy either, as it shows just how much power many of them have at their fingertips. But nothing stays a secret forever, especially when the surveillance technology in question has gone from overseas deployment against enemy combatants to chasing down fast food thieves in local neighborhoods.

Three can keep a secret if two of them are dead, as the saying goes. With hundreds of law enforcement agencies deploying cell tower spoofers thousands of times, the FBI’s bullshit nondisclosure demands are apparently no replacement for a pile of silenced corpses.


Comments on “'It Looks Like You're Trying To Harvest Cell Phone Data…:' Quick-Start Guides For IMSI Catchers Leaked”

art guerrilla (profile) says:

somewhat off-topic-ish...

live in central florida, rural area, and had a first for me and those i talked to locally: at 3:45 am, got a call from county sheriff that there was an ongoing investigation (or something, don’t remember the exact wording), and advised that all residents receiving that call should stay inside until further notification by another call, blah blah blah…

started out with the *gronk*gronk* sound you get with amber alerts, the phone didn’t ring; wife and i made sure of where the dogs were, locked a couple doors, and went back to sleep… we *assumed* the activity was pretty damn local -like within a half mile- if we were getting the message…
nope, as it turns out after i talk to neighbors a couple miles away, their neighborhood got the calls, too… (different time stamps, by the way, earliest i could tell was 3:30 AM)
thing was, we never got an ‘all clear’ call back… (i am guessing they got a fair ration of shit for the ‘don’t go outside, citizen’ calls, and decided not to whack the hornet’s nest again…)
one neighbor says he told them not to bother calling, he can take care of himself… hmmm, he’s got one foot in the grave, and the other on a banana peel… hmmmm…
i called about 6:30 am, and they said, ‘um, uh, yeah, we, um, forgot to call back…’, but we’re all done…’ wtf ?

hmmmm, felt more big brother-ish than public servant-ish…

oh, when all was said and done, searching for some guy they found 15 miles NW of us… wtf ? ? ? HOW MANY people within a 15 mile radius (plus?) did they roust ? ? ?
that encompasses a couple small towns and a number of large-ish subdivisions…

Anonymous Coward says:

Re: What happens when the Stingrays themselves are hacked?

I actually had access to a UHF/VHF handheld TV back then; with a directional antenna on it, you could wander all over the place and pick up phone calls, despite the fact that it was supposed to be illegal, you couldn’t really help it while you were scanning for strong TV signals.

That One Guy (profile) says:

So about that argument

In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G.

It seems a lawyer would have a field day with this, using it to demolish the ‘voluntarily make available’ argument that police and government agencies like to use to excuse their listening in.

Not only are people not ‘voluntarily’ making their data available, the device described intentionally re-routes it, with the one deploying the device hijacking the signal and re-routing it to them in a manner that is anything but voluntary.

Anonymous Coward says:

Re: So about that argument

Nah. The government will argue that people ‘voluntarily make available’ just by using a phone. Any phone. Next they’ll be arguing that you’re ‘volunteering’ to be snooped on by communicating, period. Hey, you don’t have any rights if you give them up ‘voluntarily’, right?

Anonymous Coward says:

Re: So about that argument

“It seems a lawyer would have a field day with this”

You would think.

But ISPs have been doing this with overlay networks since the mid-2000s. It started out with in-house BGP4 hacking to get better diagnostic information on network attacks. Now the big vendors make specific boxes just to allow vectoring traffic onto overlay networks on demand. (Stingrays probably started out as diagnostic tools in the same fashion.)

The brochures including capabilities are publicly available. Though unlike the above, they don’t say “Here is your mark 2000 fascist asshole switch. To begin violating people’s civil rights en masse, first press the on switch.”

The ISPs do use this capability for diagnostics and security analysis for their own networks. But there is some question as to how much is actually deployed for that purpose vs. deployed for bulk surveillance. These companies are large, and responsibility for this stuff is highly compartmentalized.

The only way we will know how much of it is deployed at the edges is if somebody leaks the sales figures. My guess is that on certain networks, EVERY customer port does some form of DPI.

Bergman (profile) says:


The Computer Fraud and Abuse Act makes it a serious crime to access a computer without authorization. Various wiretapping and eavesdropping laws make it a serious crime to intercept electronic communications and electronic devices.

Most of these laws have law enforcement exemptions, but those exemptions require that law enforcement have a valid warrant to qualify for the exemption.

So either we have a case of unequal enforcement of the law (unconstitutional) or use of an IMSI device is not in fact a violation of any of those laws in the United States.
