In Unsealed Document, FBI Admits Stingray Devices Will Disrupt Phone Service

from the making-Stingray-omelets-required-breaking-a-few-communications dept

A small crack in the FBI's Stingray secrecy has appeared. A 2012 pen register application obtained by the ACLU was previously sealed, but a motion to dismiss the evidence obtained by the device forced it out into the open. Kim Zetter at Wired notes that the application contains a rare admission that Stingray use disrupts cellphone service.
[I]n the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.

“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity. Any potential service disruption will be brief and minimized by reasonably limiting the scope and duration of the use of the Mobile Equipment.”
Notably, the application (and the magistrate's approval) do not refer to the device by any of the common names (Stingray, IMSI catcher, cell tower spoofer, etc.), but rather as "mobile pen register/trap and trace equipment." While it does admit the device will "mimic Sprint's cell towers," it downplays the potential impact of the device's use.

The fact that Stingray devices disrupt cell service isn't new, but an on-the-record admission by law enforcement is. The warrant application claims that numbers unrelated to the ones being sought will be "released" to other cell towers. The unanswered question is how long it takes before this release occurs.
“As each phone tries to connect, [the stingray] will say, ‘I’m really busy right now so go use a different tower. So rather than catching the phone, it will release it,” says Chris Soghoian, chief technologist for the ACLU. “The moment it tries to connect, [the stingray] can reject every single phone” that is not the target phone.

But the stingray may or may not release phones immediately, Soghoian notes, and during this period disruption can occur.
The problem with the so-called "release" is related to the amount of disruption that occurs when the device is used. Advances in cell technology have surpassed the ability of Stingray devices to capture calling info and location data. Upgrades are available and law enforcement agencies are scrambling to get their cell tower spoofers up-to-date, but the general process still involves "dumbing down" everyone's connection to the least secure and most easily-intercepted connection: 2G.
In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.
If a device is in operation nearby, all calls that can't find a better connection will be routed to the cell tower spoofer. This means calls won't be connected, texts won't be sent/received and internet service will be knocked offline. While Stingrays are supposed to allow 911 calls to pass through without interruption, these are far from the only type of "emergency" communications. If the device is deployed for any considerable length of time, citizens completely unrelated to the criminal activity being investigated may find themselves unable to communicate.

And while the targeted number apparently belonged to Sprint, the warrant application notes that all service providers in the area will be asked to turn over a large amount of subscriber information.
[D]irecting AT&T, T-Mobile U.S.A., Inc., Verizon Wireless, Metro PCS, Sprint-Nextel and any and all other providers of electronic communication service (hereinafter the "Service Providers") to furnish expeditiously real-time location information concerning the Target Facility (including all cell site location information but not including GPS, E-911, or other precise location information) and, not later than five business days after receipt of a request from the Federal Bureau of Investigation, all information about subscriber identity, including the name, address, local and long distance telephone connection records, length of service (including start date) and types of service utilized, telephone or instrument number or other subscriber number or identity, and means and source of payment for such service (including any credit card or bank account number), for all subscribers to all telephone numbers, published and nonpublished, derived from the pen register and trap and trace device during the 60-day period in which the court order is in effect…
This request seems to run contrary to what's asserted earlier in the warrant application, in reference to the Stingray device itself.
In order to achieve the investigative objective (i.e., determining the general location of the Target Facility) in a manner that is the least intrusive, data incidentally acquired from phones other than the Target Facility shall not be recorded and/or retained beyond its use to identify or locate the Target Facility.
It appears there is a "catch-and-release" policy when it comes to Stingray devices, but the FBI's data request to every cell phone service provider in the area contains no such assurances about minimization. Additionally, the request for data on "all subscribers to all telephone numbers" covers a 60-day period, while the use of the tower spoofer is limited to two weeks.

So, not only did the FBI potentially disrupt cell service while searching for the robbery suspects, it also collected a massive amount of data on every subscriber whose phone happened to connect with its fake tower. It's not really "catch-and-release" if additional call/location data on unrelated subscribers is obtained from from other providers. This broad request was granted without question or additional stipulations by the magistrate judge -- the only limitation applied (in a handwritten addition, no less) being that the FBI would not be able to use the device "in any private place or when they have reason to believe the Target Facility is in a private place." (This falls in line with the FBI's "warrant requirement," which is written in a way that ensures the FBI will never have to seek a warrant for Stingray use.)

The FBI, along with other law enforcement agencies, has refused to answer questions about the disruptive side effects of Stingray device usage. With the unsealing of this document, their silence no longer matters. These agencies are well aware of these devices' capabilities -- something they're clearly not comfortable discussing. The excuses deployed routinely involve "law enforcement means and methods" and claims about "compromising current and future investigations," but with more heat being applied by the nation's legislators, this code of silence may finally be broken. The use of these devices -- despite being fully aware that critical communications may be at least temporarily prevented -- sends a continual implicit message to the public: your safety and well-being is subject to law enforcement's needs and wants.

Filed Under: fbi, phone service, stingray


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Designerfx (profile), 3 Mar 2015 @ 9:36am

    obvious

    This isn't new, this was obvious from many times prior.

    Which is why Gemalto's hack is such a big deal. It's what Stingray uses to operate, as I even noted myself.

    https://www.techdirt.com/articles/20150225/07101530138/gemalto-ok-yes-we-were-hacked-yes-some -sim-cards-may-be-compromised-not-because-us.shtml#c133

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 9:39am

    Must be nice to be able to legally and secretly mount a wide area Denial of Service on unsuspecting bystanders. Now we just need to establish that robbers always hide in movie theatres.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 9:41am

    What's this "Target Facility" phrase being used? The phrase makes me envision a building, otherwise known as a facility, that is capable of moving down the road and changing it's locations. Ridiculous! I'm sure there's some legal tap dancing reason for calling a targeted person a facility instead of a individual.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 9:56am

    I wonder...

    If there's any way to tell a phone to not ever use 2G. Some setting or such? It won't prevent my calls from dropping near one of these things, but it will prevent my phone from attempting to connect to it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Mar 2015 @ 10:02am

      Re: I wonder...

      It depends on the phone, but in general, no, you can't force your phone to ignore 2G. Most phones ship with firmware that lacks such a knob, and it's almost unheard of for a phone to allow replacing the relevant firmware with one that has the required knob. Some smartphones can run an app that alerts you when the phone is using 2G, but I think even there, it is on the user, not the app, to notice this and stop using the network.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Mar 2015 @ 10:14am

      Re: I wonder...

      Yes, for Android, dial *#*#INFO#*#* and as soon as you press the last * it will open a diagnostics screen. Choose the first option ("Phone information") and set the first dropdown to "WCDMA only". Now your phone will only use 3G. Note: this setting is forgotten on reboot, so you have to do this dance every time you turn on the phone. Also, if your phone has a "2G only" setting, it changes the same internal variable, so if you use it it'll override your "WCDMA only" setting.

      The same dropdown also has LTE options, but I'm using an older phone which doesn't have LTE so I don't know the right one for 4G.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Mar 2015 @ 10:20am

      Re: I wonder...

      With a WiFi-enabled computer, you can set it up to automatically or manually connect to any particular router/access point rather than the default setting of auto-connecting randomly to anything within range (much like a cell-phone does). You can also pinpoint where any particular router is located (especially if you have a directional antenna on your pc). Presumably, smart-phone software could perform something similar.

      But even without a smart-phone running custom applications, it would not be hard to design any cellular telephone to identify -and avoid- a Stingray interceptor. For instance, if your GPS location has not changed (much) and a new "cell tower" suddenly pops up out of nowhere, that situation alone would make it highly suspect.

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 3 Mar 2015 @ 10:23am

      Re: I wonder...

      "If there's any way to tell a phone to not ever use 2G."

      In most cases, not easily. If you're using Android, there are a couple of options that I know of, but they require root access. One is to replace the stock OS with Cyanogenmod, which lets you control that directly.

      If you can't use Cyanogenmod, then there is another option (this is what I do): using Tasker and a little magic, you can run custom scripts every time the protocol changes. My script notifies me that it has changed, and if it changed to 2G then it attempt to change back. If that fails, it disables the cell radio entirely (as if it were in Airplane Mode), then polls periodically to see if it can connect to 3G or better yet.

      I'm unaware of an easily downloadable app that can accomplish all of this, but it probably exists somewhere. For my purposes, the Tasker solution is just fine.

      reply to this | link to this | view in chronology ]

    • identicon
      Evan, 3 Mar 2015 @ 11:58am

      Re: I wonder...

      An Android app named Network will allow you to choose to not use GSM, which I believe will translate to 3/4G only.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 10:09am

    I hope this isn't the only argument EFF/ACLU and the like will be using against Stingrays and FBI's use of them.

    There are cell-switching technologies coming soon into Qualcomm modems and others that will make the switching "seamless" between a real tower and a fake one.

    EFF and ACLU need to use a stronger 4th amendment argument against Stingrays, not just that it "disrupts some calls".

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 10:24am

    Time for some FUD!

    But if people are allowed to make phone calls whenever and wherever they want, that will allow terrorists to also make calls to remote bombs and blow up our children and the internet.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Mar 2015 @ 1:28pm

      Re: Time for some FUD!

      Stingray Devices kill children.
      When a kidnapped child gets hold of a cellphone to call for help and can't make the call it is dead.

      The statement is (probably) false but hey, if the DOJ can use it against encryption...why not.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 10:28am

    Whats gonna happen

    Phone companies are gonna use resources that could be spent on GOOD things, instead it'll be spent specifically on improving government surveillance compatibility, if the advocates of the surveillance state get their way, like they've already been

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 3 Mar 2015 @ 12:52pm

      Re:

      "Phone companies are gonna use resources that could be spent on GOOD things, instead it'll be spent specifically on improving government surveillance compatibility"

      True, but they're used to it and have already spent to put in much of the infrastructure. CALEA already requires telephone companies to provide surveillance capabilities to law enforcement.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 11:41am

    Given a distinct effect of a stingray, it should be relatively easy to use standard radio detection finding techniques to locate the transmitter (stingray device).

    Are there also apps to check a cell ID (tower ID) against a map? That would seem to be a give-away as well.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 3 Mar 2015 @ 12:53pm

      Re:

      "Are there also apps to check a cell ID (tower ID) against a map?"

      Yes, there are a number of them available for Android. My quick count is around a half dozen.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Mar 2015 @ 2:18pm

        Re: Re:

        It'd be funny if someone developed an app that checked for a switch to 2G service, checked the tower ID when that switch is attempted, and then would broadcast a "potential stingray alert" w/ GPS coordinates to all registered users of the app if the tower ID isn't found.

        Perhaps the police would finally have those "flash mobs" they're apparently so scared of.

        reply to this | link to this | view in chronology ]

        • icon
          John Fenderson (profile), 3 Mar 2015 @ 3:23pm

          Re: Re: Re:

          That's an interesting idea. My phone does something very like this. When it detects that it has been forced to 2G, it checks the identifier against the list of fixed towers. If the it determines that the "tower" is suspicious, it warns me and turns off the phone's radio.

          Sending an alert to others is an interesting idea, but if I were to consolidate all of this into a single app, I'd just recommend that everyone run that app to detect rogue stations themselves. There'd be no need to send out any kind of alert.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 3 Mar 2015 @ 3:37pm

            Re: Re: Re: Re:

            I read your earlier post about using a custom Tasker script to monitor for protocol changes. I've neglected learning anything about Android (or any smartphone OS) programming, and this at least sounds like a fun reason to dip my toe in the water.

            I was only half-joking about the flash-mob thing. I was thinking that orgs like PINAC could use these alerts as a means of getting people to look for and photograph IMSI catchers in the wild (even if they're just unmarked panel vans).

            Less fun, but more useful, would be trying to gather data about how widely (and frequently) deployed stingrays are. Even with lots of noise, at least there'd be a starting point.

            reply to this | link to this | view in chronology ]

  • icon
    connermac725 (profile), 3 Mar 2015 @ 11:49am

    Seems Dangerous

    I see future lawsuits if it causes someone to die who could not reach 911

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Mar 2015 @ 1:35pm

      Re: Seems Dangerous

      Can't sue if proof that a stingray was in use in the relevant area isn't available because of an NDA. Hell, if a judge demands the info anyway, the FBI can just come in and seize all the records in the name of "National Security."

      reply to this | link to this | view in chronology ]

  • identicon
    Aerilus, 3 Mar 2015 @ 12:56pm

    and i cant even buy a femtocell from sprint.....

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 2:27pm

    Jammers

    And so, the FCC apparently has no problem letting any cop in the country go around jamming cell phone services as they please. Nice. And this is on LICENSED frequencies that that the telcos bought and paid for licenses on. No wonder Marriott didn't see any problem with jamming the UNLICENSED frequencies that wifi uses.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Mar 2015 @ 2:28pm

    >[the stingray] can reject every single phone

    But why would we think that they would use it that way?

    reply to this | link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 3 Mar 2015 @ 5:19pm

    Keep up the pressure

    Keep up that pressure: They're starting to fold. This is the FBI confessing to a lesser crime, so as to keep the greater crime concealed.

    Which, of course, would be that Stingray allows them to record all cell conversations in the vicinity. Do I have proof? Nothing but their hypersensitive reaction to any inquiry related to Stingray; which springs from a guilty conscience.

    Believe me, they aren't concealing that Stingray "disrupts phone calls;" we already knew that. No, their guilty conscience comes from something much more ugly, something they're still hiding.

    Let's find out what.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Mar 2015 @ 1:31am

    Hey I just lost signal again?

    hmm must be them pesky coppers with them stingrays again. I better get out of range until I have no cell disruptions anymore before I continue my criminal activities :D

    reply to this | link to this | view in chronology ]

  • icon
    spankydoesdallas (profile), 4 Mar 2015 @ 4:31pm

    Wonder If Calling Problems are Stingray Use

    I visit the area of Fayetteville, TN often and have had problems with the cell service there. I am a Sprint customer and I get a "five bar" cell signal there but each time I try to call out, I get hung up on before the call completes. I wonder if TN state law enforcement is using a stingray device in the community. There are no other cell towers close and therefore I cannot connect to any other cell tower. It is a "black hole of cell" there for me and even affects my vehicle's QualComm communication computer assist adversely (I am a truck driver). It has been that way for many months. There also always seems to be a "maintenance type" truck at the base of the cell tower in question. This cell is located just north of Huntsville, AL where the space center is located too. Odd fact, I have called Sprint many times regarding this issue and they seem to know about it but do not give explanation for it's befuddling hang-up behavior.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Jul 2015 @ 12:08am

    Jamming Calls for Legal Assistance

    Oh yeah they do that. THey will not let you call a lawyer.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.