EFF Posts New White Paper On Stingray Device Capabilities

from the keeping-abreast-of-the-fuzz dept

The EFF has published a primer on IMSI catchers. Harris Corporation's success in this market has led to near-genericide: almost every one of these cell tower spoofers, whoever builds it, gets called a "stingray."

The white paper [PDF], titled "Gotta Catch 'Em All," runs down what's known about cell-site simulators used by a number of government agencies. Most of this has been gleaned from secondhand info -- the stuff that leaks out during prosecutions or as the result of FOIA requests.

The technical capabilities of CSSs have been kept under wraps for years. The reasoning behind this opacity is that if criminals know how these devices work, they'll be able to avoid being tracked by them. A few technical details might prove useful that way, but what's already known about Stingray devices suggests the best way to avoid being tracked by them is simply not to carry a cellphone. But who doesn't carry a cellphone?

The report is definitely worth reading, even if you've stayed on top of these developments over the past several years. It breaks down the technical subject matter in a way that makes clear what CSSs can and can't do -- and how they're capable of disrupting cellphone networks while in use.

While CSSs can intercept communications, it's hardly worth the effort. Unless the CSS can talk the phone into downgrading to a 2G connection (2G phones don't authenticate the tower, so the fake one can simply switch encryption off, but the downgrade also severely limits what the dumbed-down phone can do), it just doesn't work. This doesn't mean the devices are never used this way. But it does mean it's not a very attractive option.

On the other hand, CSSs impersonate cell towers, so they're able to pull all sorts of info from every device forced to connect with the faux cell tower. These devices are used most often to locate criminal suspects, meaning precise location is a must-have. Operating on their own, cell-site simulators can't generate pinpoint accuracy. Using the phone's own readings of the signal strength of nearby towers, they can trilaterate a better location estimate. But there's another option -- one rarely discussed in courtroom proceedings. CSSs can also force phones to give up precise GPS location info.

First, the Stingray collects the cell IDs and frequencies broadcast by nearby cell towers. Using this info (which the EFF points out anyone can access), the CSS adjusts its own broadcast so it becomes the highest-priority connection in the area of operation. Once the target phone has attached to the fake tower, the CSS can ask it for a measurement report, and on newer phones that report can include GPS info.

[T]he attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.

Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration.

For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al, 2017).
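What the attacker does with that response, as an added worked example that is not code from the EFF paper, from Shaik et al., or from any CSS vendor. The report is a constructed Python dict rather than the real 3GPP ASN.1 structure; the tower coordinates, RSRP values and path-loss constants are made up for illustration; and the trilateration is the general least-squares method, which goes a little beyond the text in that it accepts more than three neighbour cells and flags the collinear case where no 2-D fix exists.

```python
# Constructed attacker-side map (metres on a local flat grid) of the neighbour
# cells named in the RRC Connection Reconfiguration command. A real operator
# would place them from the public cell-ID data the EFF mentions; these are
# invented for the example.
TOWERS = {
    "cell-A": (0.0, 0.0),
    "cell-B": (1500.0, 0.0),
    "cell-C": (0.0, 1200.0),
}

# Assumed log-distance path-loss model: rsrp(d) = P0 - 10*n*log10(d).
# P0 (dBm at 1 m) and the exponent n are illustrative, not calibrated, values.
P0_DBM = -20.0
PATH_LOSS_EXPONENT = 3.0


def rsrp_to_distance(rsrp_dbm):
    """Invert the path-loss model: estimated distance in metres for an RSRP."""
    return 10 ** ((P0_DBM - rsrp_dbm) / (10 * PATH_LOSS_EXPONENT))


def trilaterate(anchors):
    """Least-squares position from >= 3 (x, y, distance) anchors.

    Subtracting the first circle equation from each of the others removes the
    x^2 + y^2 terms and leaves a linear system A p = b, solved here through the
    2x2 normal equations (A^T A) p = A^T b without any numeric library.
    """
    if len(anchors) < 3:
        raise ValueError("need at least three anchors")
    x0, y0, d0 = anchors[0]
    rows = []
    for xi, yi, di in anchors[1:]:
        a1 = 2.0 * (xi - x0)
        a2 = 2.0 * (yi - y0)
        b = (d0 * d0 - di * di) - (x0 * x0 - xi * xi) - (y0 * y0 - yi * yi)
        rows.append((a1, a2, b))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; 2-D position is ambiguous")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def locate_from_report(report):
    """Turn a solicited measurement report into a position estimate.

    `report` is a constructed dict, not the 3GPP ASN.1 structure. If it
    carries a locationInfo-r10 style field the coordinates are used as-is
    (method "locationInfo-r10"); otherwise each reported RSRP is converted to
    a distance and the cells are trilaterated (method "trilateration").
    """
    if "locationInfo" in report:
        loc = report["locationInfo"]
        return {"method": "locationInfo-r10",
                "position": (loc["latitude"], loc["longitude"])}
    anchors = []
    for meas in report.get("measResults", []):
        pos = TOWERS.get(meas["cellId"])
        if pos is None:
            continue  # a cell we did not ask about, or cannot place
        anchors.append((pos[0], pos[1], rsrp_to_distance(meas["rsrp_dbm"])))
    x, y = trilaterate(anchors)
    return {"method": "trilateration", "position": (x, y)}


# Constructed reports. The RSRP values were produced from the model above for
# a phone at (600, 400) m and rounded to whole dB, which is why the estimate
# lands near, not exactly on, that point: signal strength alone is coarse.
SAMPLE_REPORT_RSRP = {
    "measResults": [
        {"cellId": "cell-A", "rsrp_dbm": -106},
        {"cellId": "cell-B", "rsrp_dbm": -110},
        {"cellId": "cell-C", "rsrp_dbm": -110},
    ]
}
SAMPLE_REPORT_GPS = {
    "measResults": [{"cellId": "cell-A", "rsrp_dbm": -106}],
    "locationInfo": {"latitude": 51.5007, "longitude": -0.1246},
}

if __name__ == "__main__":
    for name, rep in (("rsrp-only", SAMPLE_REPORT_RSRP), ("with-gps", SAMPLE_REPORT_GPS)):
        print(name, locate_from_report(rep))
```

Running the block prints a trilaterated fix a few metres off the true (600, 400) for the RSRP-only report, and the exact coordinates for the report that carries a location field, which is the gap between "better location info" and "no trilateration calculations are required."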

There are few options available for people who want to use a cellphone but also want to avoid being swept up by a Stingray. As the report notes, there are a few cell tower spoofer detection apps on the market, but they may be more likely to generate false positives than to detect IMSI catchers. There's no baseline for carrier behavior, much less for "normal" Stingray use.

And, in any event, the EFF isn't publishing a handbook on how to evade detection by these devices. It's simply informing the public of the power of these devices, which are becoming as ubiquitous as the phones they track and trace. Since the public hasn't been invited to any of these discussions by law enforcement agencies, it's up to everyone else to detail known capabilities and assess the potential damage to the public's expectation of privacy.

Filed Under: imsi catchers, stingray, surveillance


Reader Comments



  • Anonymous Coward, 15 Jul 2019 @ 3:52pm

    Allegedly the Librem 5 will have hardware switches for the baseband (which would allow killing cell signal when not in use).

    Would be kind of nice if our 'public servants' actually... had to answer to the... ones they are supposed to be serving.


    • Arthur Moore (profile), 15 Jul 2019 @ 4:22pm

      Re: Librem 5

      Ideally the cell phone would not support some of this functionality. Alternately, it can spoof results to this call. Cell carriers should start to be worried about these things. It's their technology that's being used by the government. Traditionally this hasn't been a PR nightmare, but it could easily turn into one.


      • Anonymous Coward, 16 Jul 2019 @ 5:31am

        Re: Re: Librem 5

        Cell carriers should start to be worried about these things. ... Traditionally this hasn't been a PR nightmare, but it could easily turn into one.

        And they're in the best position to do anything about it. It's basically a solved problem to use zero-knowledge proofs for anonymous network access.


    • Anonymous Coward, 16 Jul 2019 @ 7:36am

      Re:

      Would be kind of nice if our 'public servants' actually... had to answer to the... ones they are supposed to be serving.

      In their view, it's the public who are the servants. That's why they've got to keep such a close eye on them.


  • lorgskyegon (profile), 15 Jul 2019 @ 5:40pm

    The white paper titled "Gotta Catch 'Em All,"

    That title was Onixpected. While I do wish I could Raichu a better comment, I should probably just keep my big Meowth shut. Good Eeveening, folks. And as they say: Kakuna Rattata


  • Bergman (profile), 15 Jul 2019 @ 9:43pm

    How can this possibly be lawful


  • Bergman (profile), 15 Jul 2019 @ 9:53pm

    How can this possibly be lawful?

    If I intercept a wireless communication, I have committed wiretapping, a felony.

    If I pull files off someone’s computerized device under false pretenses, I have violated the Computer Fraud & Abuse Act.

    People are being arrested and prosecuted (Aaron Swartz for example) for accessing public information in creative ways, yet the government is accessing confidential information without bothering with warrants via far more invasive means.

    Every government exemption built into the laws I mentioned in this comment absolutely require a valid warrant and make it absolutely clear that doing without a warrant is a felony.

    Cops like to talk about a few bad apples and isolated incidents, but for a government agency to get away with this sort of thing without being prosecuted or even arrested for it, means that 100% of the government officials involved in even the most peripheral way are corrupt and criminal.

    If it were one good cop amongst an army of bad ones, we’d hear about them being fired for opposing this crap. But we don’t. Our government appears to be in the hands of domestic enemies of the Constitution and the people.


    • David, 16 Jul 2019 @ 2:49am

      What does lawfulness have to do with it?

      "How can this possibly be lawful?" is kind of a droll question suggesting that you are eager to swallow their koolaid if they let you access it.

      The technical capabilities of CSSs have been kept under wraps for years. The reasoning behind this opacity is that if criminals know how these devices work, they'll be able to avoid being tracked by them.

      The actual reasoning behind this opacity is that if upright citizens got to know how these devices work, they'd be able to put a stop to being tracked by them. In the mean time, money passes hands.

      Policemen steal money off the records with "civil forfeiture" and buy Stingrays off the books in order to illegally surveil people in order to find out where they can steal more money.


    • bob, 16 Jul 2019 @ 10:23am

      Re: How can this possibly be lawful?

      Well, the difference is that it is not legal for you. However, it is allowed by the judiciary (and the rest of the government, by their inaction) for police officers with flimsy excuses for why they couldn't get a warrant.

