EFF Posts New White Paper On Stingray Device Capabilities

from the keeping-abreast-of-the-fuzz dept

The EFF has published a primer on IMSI catchers. Harris Corporation’s success in this market has led to near-genericide: nearly every cell tower spoofer, whoever makes it, gets referred to as a “stingray.”

The white paper [PDF], titled “Gotta Catch ‘Em All,” runs down what’s known about the cell-site simulators (CSSs) used by a number of government agencies. Most of this has been gleaned secondhand, from the details that leak out during prosecutions or as the result of FOIA requests.

The technical capabilities of CSSs have been kept under wraps for years, on the theory that if criminals know how these devices work, they’ll be able to avoid being tracked by them. A few technical details might prove useful that way, but the only reliable countermeasure that follows from what is publicly known about Stingray devices is to not carry a cellphone at all. And who doesn’t carry a cellphone?

The report is definitely worth reading, even if you’ve stayed on top of these developments over the past several years. It breaks down the technical subject matter in a way that makes clear what CSSs can and can’t do — and how they’re capable of disrupting cellphone networks while in use.

CSSs can intercept communications, but it’s rarely worth the effort. Interception only works if the CSS can talk the phone down to a 2G (GSM) connection. GSM never required the network to prove its identity to the phone, so a fake base station can simply tell the phone to turn encryption off, but the downgraded connection also severely limits what the phone can do. On 3G and 4G the network has to authenticate itself, so a simulator without the carrier’s keys can’t read the traffic. This doesn’t mean the devices are never used this way, but it does make interception an unattractive option.

On the other hand, CSSs impersonate cell towers, so they can pull all sorts of info from every device forced to connect to the fake tower. These devices are used most often to locate criminal suspects, so precise location is a must-have. Operating on their own, cell-site simulators can’t pinpoint a phone. Working with the signals of nearby legitimate towers, they can trilaterate a better fix. But there’s another option, one rarely discussed in courtroom proceedings: CSSs can also force phones to give up precise location info.

First, the Stingray gathers the cell IDs and frequencies of the legitimate towers nearby (information that, as the EFF points out, anyone can collect). Using this, the CSS tunes its own broadcast so that phones in the area of operation treat it as the highest-priority cell and attach to it. Once a phone has connected to the fake tower, location data can be coaxed out of it.

[T]he attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.

Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration.

For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al., 2017).
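
The two cases the white paper describes, the phone handing over its coordinates directly and the CSS trilaterating from the reported signal strengths, are worked through below as an added example. This is not code from the EFF paper, from Shaik et al., or from any Stingray product; the tower positions, the log-distance path-loss model used to turn RSRP into a range, the report field names (which are illustrative, not the 3GPP ASN.1 element names) and the sample reports are all constructed for the illustration.

```python
"""Locating a phone from its measurement report, as the EFF white paper describes.

Added example, not code from the EFF paper or Shaik et al. Tower positions, the
path-loss model, and the report field names below are constructed assumptions.
"""
import math

# Constructed: planar coordinates (metres) of three neighbouring cells whose
# IDs the CSS listed in its RRC Connection Reconfiguration message.
TOWERS = {
    "cell-101": (0.0, 0.0),
    "cell-202": (1500.0, 0.0),
    "cell-303": (600.0, 1300.0),
}

# Assumed log-distance path-loss model: received power at 1 m and the exponent.
# Real deployments need calibrated values; this is what makes RSRP -> range noisy.
RSRP_AT_1M_DBM = -30.0
PATH_LOSS_EXPONENT = 3.0


def rsrp_to_distance(rsrp_dbm):
    """Invert the path-loss model: reported signal strength -> range in metres."""
    return 10 ** ((RSRP_AT_1M_DBM - rsrp_dbm) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rsrp(distance_m):
    """Forward model; used only to construct sample reports for this example."""
    return RSRP_AT_1M_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)


def trilaterate(ranges, towers=TOWERS):
    """Least-squares intersection of range circles around known cells.

    ranges: {cell_id: estimated distance in metres}. Subtracting the last
    circle's equation from each of the others linearises the system to
    2(xr-xi)x + 2(yr-yi)y = di^2 - dr^2 + xr^2 - xi^2 + yr^2 - yi^2.
    """
    ids = [cid for cid in ranges if cid in towers]
    if len(ids) < 3:
        raise ValueError("need at least three cells with known positions")
    xr, yr = towers[ids[-1]]
    dr = ranges[ids[-1]]
    rows = []
    for cid in ids[:-1]:
        xi, yi = towers[cid]
        di = ranges[cid]
        rows.append((2 * (xr - xi), 2 * (yr - yi),
                     di ** 2 - dr ** 2 + xr ** 2 - xi ** 2 + yr ** 2 - yi ** 2))
    # Normal equations of the two-unknown least-squares problem, solved by Cramer.
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        # Collinear cells: the circles meet in two mirror-image points, so the
        # report alone cannot say which side of the line the phone is on.
        raise ValueError("cells are collinear; position is ambiguous")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate(report, towers=TOWERS):
    """The two cases in the white paper: a locationInfo-r10 style field gives
    the position directly; otherwise trilaterate from the reported RSRPs."""
    loc = report.get("locationInfo")
    if loc is not None:
        return ("reported", loc["x"], loc["y"])
    ranges = {m["cellId"]: rsrp_to_distance(m["rsrp"]) for m in report["measResults"]}
    x, y = trilaterate(ranges, towers)
    return ("trilaterated", x, y)


def build_report(true_xy, towers=TOWERS):
    """Construct the measurement report a phone at true_xy would send back."""
    x, y = true_xy
    return {"measResults": [
        {"cellId": cid, "rsrp": distance_to_rsrp(math.hypot(x - tx, y - ty))}
        for cid, (tx, ty) in towers.items()]}


if __name__ == "__main__":
    report = build_report((400.0, 500.0))   # constructed sample input
    print(locate(report))                    # approx ('trilaterated', 400.0, 500.0)
    report["locationInfo"] = {"x": 400.0, "y": 500.0}
    print(locate(report))                    # ('reported', 400.0, 500.0)
```

Two things the code makes visible that the prose does not: the RSRP-to-range step depends entirely on a path-loss model the operator has to assume, which is why a simulator working alone gives a rough fix while a report carrying the GPS field needs no model at all; and three cells that happen to lie on a line leave the position ambiguous, which is the reason for asking for at least three well-spread neighbours.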

There are few options for people who want to use a cellphone but also want to avoid being swept up by a Stingray. As the report notes, there are a few cell tower spoofer detection apps on the market, but they may be more likely to generate false positives than to detect IMSI catchers. There’s no baseline for carrier behavior to compare against, much less for “normal” Stingray use.

And, in any event, the EFF isn’t publishing a handbook on how to evade these devices. It’s simply informing the public of their power, as they become as ubiquitous as the phones they track and trace. Since the public hasn’t been invited to any of these discussions by law enforcement agencies, it’s up to everyone else to detail known capabilities and assess the potential damage to the public’s expectation of privacy.


Comments on “EFF Posts New White Paper On Stingray Device Capabilities”

Arthur Moore (profile) says:

Re: Librem 5

Ideally the cell phone would not support some of this functionality. Alternately, it can spoof results to this call. Cell carriers should start to be worried about these things. It’s their technology that’s being used by the government. Traditionally this hasn’t been a PR nightmare, but it could easily turn into one.

Anonymous Coward says:

Re: Re: Librem 5

Cell carriers should start to be worried about these things. … Traditionally this hasn’t been a PR nightmare, but it could easily turn into one.

And they’re in the best position to do anything about it. It’s basically a solved problem to use zero-knowledge proofs for anonymous network access.

Bergman (profile) says:

How can this possibly be lawful?

If I intercept a wireless communication, I have committed wiretapping, a felony.

If I pull files off someone’s computerized device under false pretenses, I have violated the Computer Fraud & Abuse Act.

People are being arrested and prosecuted (Aaron Swartz for example) for accessing public information in creative ways, yet the government is accessing confidential information without bothering with warrants via far more invasive means.

Every government exemption built into the laws I mentioned in this comment absolutely requires a valid warrant and makes it absolutely clear that doing so without a warrant is a felony.

Cops like to talk about a few bad apples and isolated incidents, but for a government agency to get away with this sort of thing without being prosecuted or even arrested for it, means that 100% of the government officials involved in even the most peripheral way are corrupt and criminal.

If it were one good cop amongst an army of bad ones, we’d hear about them being fired for opposing this crap. But we don’t. Our government appears to be in the hands of domestic enemies of the Constitution and the people.

David says:

Re: What does lawfulness have to do with it?

"How can this possibly be lawful?" is kind of a droll question suggesting that you are eager to swallow their koolaid if they let you access it.

The technical capabilities of CSSs have been kept under wraps for years. The reasoning behind this opacity is that if criminals know how these devices work, they’ll be able to avoid being tracked by them.

The actual reasoning behind this opacity is that if upright citizens got to know how these devices work, they’d be able to put a stop to being tracked by them. In the mean time, money passes hands.

Policemen steal money off the records with "civil forfeiture" and buy Stingrays off the books in order to illegally surveil people in order to find out where they can steal more money.
