EFF Posts New White Paper On Stingray Device Capabilities
from the keeping-abreast-of-the-fuzz dept
The EFF has published a primer on IMSI catchers. Harris Corporation’s success in this market has led to near-genericide, as almost every one of these cell tower spoofers is usually referred to as a “stingray.”
The white paper [PDF], titled “Gotta Catch ‘Em All,” runs down what’s known about cell-site simulators used by a number of government agencies. Most of this has been gleaned from secondhand info — the stuff that leaks out during prosecutions or as the result of FOIA requests.
The technical capabilities of CSSs have been kept under wraps for years. The reasoning behind this opacity is that if criminals know how these devices work, they’ll be able to avoid being tracked by them. There may be a few technical details that might prove useful in this fashion, but what is known about Stingray devices is that the best way to avoid being tracked by them is to simply not use a cellphone. But who doesn’t use a cellphone?
The report is definitely worth reading, even if you’ve stayed on top of these developments over the past several years. It breaks down the technical subject matter in a way that makes clear what CSSs can and can’t do — and how they’re capable of disrupting cellphone networks while in use.
While CSSs can intercept communications, it’s hardly worth the effort. Unless the CSS can talk the phone into accepting a 2G connection (which eliminates encryption and severely limits the type of communications originating from the dumbed-down phone), it just doesn’t work. This doesn’t mean the devices are never used this way. But it does mean it’s not a very attractive option.
On the other hand, CSSs impersonate cell towers, so they’re able to pull all sorts of info from every device forced to connect with the faux cell tower. These devices are used most often to locate criminal suspects, meaning precise GPS location is a must-have. Operating on their own, cell-site simulators can’t generate pinpoint accuracy. Working in conjunction with nearby towers, they can triangulate signals to provide better location info. But there’s another option — one rarely discussed in courtroom proceedings. CSSs can also force phones to give up precise location info.
First, the Stingray extracts info from nearby cell towers. Using this info (which the EFF points out anyone can access), the CSS alters its signal to become the highest priority connection in the area of operation. Once it’s done this, GPS info can be coaxed from phones now connected to the fake cell tower.
[T]he attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.
Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration.
For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al., 2017).
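To make concrete how much a single measurement report gives away, here is an added example (not code from the EFF paper or from this post) that takes a constructed report listing three towers’ signal strengths, converts each to a distance with an assumed log-distance path-loss model, and trilaterates; when the report carries a locationInfo field, as in the locationInfo-r10 case above, no math is needed at all. Tower coordinates, path-loss parameters and the report itself are all constructed for illustration.

```python
# Constructed tower coordinates (metres on a local flat grid); hypothetical, not real cell sites.
TOWERS = {"cell_A": (0.0, 0.0), "cell_B": (1500.0, 0.0), "cell_C": (0.0, 1200.0)}

def rsrp_to_distance(rsrp_dbm, p0_dbm=-60.0, d0_m=100.0, n=3.0):
    """Invert an assumed log-distance path-loss model:
    rsrp = p0 - 10*n*log10(d/d0).  p0, d0 and n are assumptions, not carrier values."""
    return d0_m * 10 ** ((p0_dbm - rsrp_dbm) / (10 * n))

def trilaterate(anchors, distances):
    """Solve for (x, y) from three anchors and ranges by subtracting the first
    circle equation from the other two, which leaves a 2x2 linear system."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    r1, r2, r3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    b2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("collinear anchors: position is not identifiable")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return x, y

def locate_from_report(report, towers=TOWERS):
    """Return the phone position implied by a measurement report.
    A locationInfo field (the locationInfo-r10 case) is returned directly;
    otherwise the per-cell signal strengths are trilaterated."""
    if "locationInfo" in report:
        return tuple(report["locationInfo"])
    cells = [c for c in report["measResults"] if c in towers]
    if len(cells) < 3:
        raise ValueError("need at least 3 known neighbour cells")
    anchors = [towers[c] for c in cells[:3]]
    ranges = [rsrp_to_distance(report["measResults"][c]) for c in cells[:3]]
    return trilaterate(anchors, ranges)

# Constructed measurement report for a phone actually standing at (600, 400) m.
SAMPLE_REPORT = {"measResults": {"cell_A": -85.7, "cell_B": -89.8, "cell_C": -90.0}}

if __name__ == "__main__":
    print(locate_from_report(SAMPLE_REPORT))  # roughly (599, 399)
```

Three rounded dBm values are enough to land within a few metres of the true position here; real radio propagation is noisier, but the point stands that the report alone is the location.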
There are few options available for people who want to use a cellphone but also want to avoid being swept up by a Stingray. As the report notes, there are a few cell tower spoofer detection apps on the market, but they may be more likely to generate false positives than to detect IMSI catchers. There’s no baseline for carrier behavior, much less for “normal” Stingray use.
And, in any event, the EFF isn’t publishing a handbook on how to evade detection by these devices. It’s simply informing the public of the power of these devices, which are becoming as ubiquitous as the phones they track and trace. Since the public hasn’t been invited to any of these discussions by law enforcement agencies, it’s up to everyone else to detail known capabilities and assess the potential damage to the public’s expectation of privacy.