It's one thing to say "we think it might be legal to use a cell site simulator in some specific circumstances", but another thing to say "our cell phone infrastructure allows anyone to successfully pretend to be a tower and spy on people, and we're not going to try to fix that".
According to the United States Census Bureau Anaheim County has a population of 346,997 (2014). Not being from the US, the fact that a county police from an area with a population of 350k is able to afford to buy and operate airplanes amazes me.
N508BH, the Cessna, is probably the one they're using for surveillance (See the 2012 OC Register article, "$2.2 million Cessna will help fight crime"[2]).
FlightAware shows that N508BH flies to northern California a lot. You can also see what looks like a probable surveillance flight path at http://flightaware.com/live/flight/N508BH/history/20151128/2...
Three aircraft for a California city with population 350K isn't crazy--Glendale and Burbank together have about 300K people, and their police forces have gone in together to create a "joint air support division" that has 4 helicopters[3].
[1] http://www.faa.gov/licenses_certificates/aircraft_certification/aircraft_registry/releasable_aircraft_download/
[2] http://www.ocregister.com/articles/air-356706-police-cessna.html
[3] http://www.mdhelicopters.com/news/pdf/2014/111914.pdf
As a point of contrast, the New Zealand police own 1 helicopter, and contract out flying light aircraft to commercial operators.
Upon saying that, they often call upon the air force for logistical support (in particular for helicopter operations, usually for drug operations, such as airlifting cannabis for destruction, not for raids).
I will say, being from the US, the fact that any branch of the government would use such a device should amaze me, but unfortunately I have to admit I have heard of worse abuses of power.
It's on my list of projects to look at with SDR, but sadly I am no Fabrice Bellard (who no doubt has already built such a system as a proof of concept and then tossed it away).
Then you need a way to recoup all this cost.
Being a cell carrier takes staggering amounts of money and staggering amounts of schlep. It's not for hobbyists, hackers, or small companies (who are not in fact carriers but just resell and rebrand real carriers' services). There is a reason it's the domain of giant corporations run by the kind of people who make deals (and not write code) for a living.
The actual cellular mechanics are quite an undertaking, but something along the lines of a coded point to point system would be implementable by a small group of people.
A lot of companies have their own towers that only provide service within a city, and for events, you can even set up your own network, like the CCC always does during their conferences.
Having a national, or even global network is a lot harder, though.
I'm reminded of a British comedy that included a poacher being caught after a tagged animal was found to be traveling at 55mph down the M5.
Some detection methods rely on this, as well as fingerprinting the Stingray (they negotiate a drop in encryption and ask the phone to max signal strength).
Current solutions for Android will point out new base stations that stand out and are likely an IMSI catcher:
http://secupwn.github.io/Android-IMSI-Catcher-Detector/
The better method, since the devices change and some are stationary, is to authenticate the real cell phone towers. This would involve either updating the GSM protocol, or having the carriers send out additional settings that make the phone aware of their legitimate sites and only connect to them.
iOS doesn't make these settings available in official APIs, but if they did it would be possible to develop apps or features that could detect/avoid IMSI catchers.
The best non-tech solution is to have an anonymous IMSI. The attack relies on linking an IMSI to a real person, or the pattern behavior of a phone to a real person. So - anonymous SIM cards, change them up often, don't have it switched on with any of your real phones or real phones of friends, leave it switched off, etc.
A recent news report mentioned that a "cell tower" moved along with participants in a demonstration (in London IIRC), and also that it switched networks, so obviously someone noticed that.
Time division logic involves keeping track of how far each phone is from the tower. I think GSM uses 50m or 100m bands, i.e. phones that are 200m from the tower time their broadcast bursts so as not to conflict with phones that are 100m from the tower. I don't know whether the distance information is available to the phones, or is kept internally in the tower, though. (I'm not an expert on this, I just heard that this need paid for a fair amount of NTP research/development, many years ago.)
Units are GSM symbol periods, defined to be 48/13 µs = 3.69µs, which, multiplied by the speed of light (3⋅10^8 m/s) is 1108m. As the distance contributes in both ways (from base-station to handset, and back) one timing advance step is half the distance: about 550m.
The base station measures the relative phase of received transmissions from the mobile and will send information to the mobile to set or adjust the timing advance. [look for "timing advance" in http://www.etsi.org/deliver/etsi_gts/04/0408/05.03.00_60/gsm... which specifies the information elements that are exchanged.] So, yes, it should be possible to get TA for each cell the mobile exchanges data with from the phone.
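The two threads above (the fingerprinting heuristics a few comments up, and the timing-advance arithmetic just here) can be put together in a small worked example. This is added example code, not from any commenter or from the Android-IMSI-Catcher-Detector project: the observation fields, the "known cells" list, the 20 dB signal threshold and all sample values are constructed, and the distance step uses c = 299,792,458 m/s rather than the 3·10^8 approximation, which is why it comes out at about 553 m instead of 550 m.

```python
"""Toy IMSI-catcher heuristics over constructed cell observations (added example).

Shows (1) converting a GSM timing-advance (TA) value into an approximate
handset-to-tower distance, and (2) flagging a base station that is unknown
for the area, negotiates no ciphering, orders maximum handset TX power, or
is implausibly strong. Every identifier and threshold here is constructed.
"""
from dataclasses import dataclass

SYMBOL_PERIOD_S = 48 / 13 * 1e-6   # GSM symbol period: 48/13 us ~= 3.69 us
C_M_PER_S = 299_792_458            # speed of light


def ta_to_distance_m(ta: int) -> float:
    """Approximate one-way distance for a GSM timing advance value.

    One TA step is one symbol period of extra round-trip delay, so the
    one-way distance is half the distance light travels in that time
    (~553 m per step). GSM TA is a 6-bit field, so 0..63 (~35 km max).
    """
    if not 0 <= ta <= 63:
        raise ValueError("GSM timing advance must be in 0..63")
    return ta * SYMBOL_PERIOD_S * C_M_PER_S / 2


@dataclass(frozen=True)
class CellObservation:
    """One serving-cell sighting as a detector app might record it (constructed layout)."""
    mcc: int            # mobile country code
    mnc: int            # mobile network code
    lac: int            # location area code
    cid: int            # cell id
    rssi_dbm: int       # received signal strength at the handset
    cipher: str         # negotiated ciphering, e.g. "A5/1", "A5/3", "A5/0"
    tx_power_max: bool  # did the network order maximum handset TX power?
    ta: int             # timing advance the network assigned for this cell

    @property
    def cgi(self) -> tuple:
        """Cell Global Identity tuple used as the lookup key."""
        return (self.mcc, self.mnc, self.lac, self.cid)


def score_observation(obs: CellObservation, known_cells: set,
                      baseline_rssi_dbm: int = -85) -> list:
    """Return the reasons this cell looks suspicious (empty list = looks fine).

    known_cells holds CGI tuples previously seen in this area; a real app
    would build it from history or carrier-published site lists.
    """
    reasons = []
    if obs.cgi not in known_cells:
        reasons.append("cell identity never seen in this area before")
    if obs.cipher in ("A5/0", "none"):
        reasons.append("ciphering disabled (A5/0)")
    if obs.tx_power_max:
        reasons.append("network ordered maximum handset TX power")
    if obs.rssi_dbm > baseline_rssi_dbm + 20:   # constructed 20 dB threshold
        dist = ta_to_distance_m(obs.ta)
        reasons.append(f"signal {obs.rssi_dbm} dBm far above baseline "
                       f"(TA {obs.ta} => within ~{dist:.0f} m)")
    return reasons


def scan(observations, known_cells: set) -> dict:
    """Map the CGI of every flagged cell to its list of reasons."""
    flagged = {}
    for obs in observations:
        reasons = score_observation(obs, known_cells)
        if reasons:
            flagged[obs.cgi] = reasons
    return flagged


# Constructed sample data. MCC 001 / MNC 01 is the GSM test-network code,
# so these identifiers do not belong to any real operator.
KNOWN_CELLS = {(1, 1, 1234, 56781), (1, 1, 1234, 56782)}
SAMPLE_OBSERVATIONS = [
    CellObservation(1, 1, 1234, 56781, rssi_dbm=-80, cipher="A5/1", tx_power_max=False, ta=3),
    CellObservation(1, 1, 1234, 56782, rssi_dbm=-92, cipher="A5/3", tx_power_max=False, ta=7),
    # A strong, unknown, unencrypted cell that orders max TX power: the
    # fingerprint described in the thread.
    CellObservation(1, 1, 1234, 65001, rssi_dbm=-55, cipher="A5/0", tx_power_max=True, ta=0),
]

if __name__ == "__main__":
    for ta in (0, 1, 10, 63):
        print(f"TA {ta:2d} -> ~{ta_to_distance_m(ta):8.1f} m")
    for cgi, reasons in scan(SAMPLE_OBSERVATIONS, KNOWN_CELLS).items():
        print(cgi, "flagged:", "; ".join(reasons))
```

Each check on its own is weak (a brand-new legitimate site also trips the "unknown cell" rule, and A5/0 is sometimes negotiated for benign reasons), which is why the function returns a list of reasons rather than a verdict: a practitioner would want to see several independent indicators coincide before treating the sighting as an IMSI catcher, which matches the "expect false indications" warning on the detector project's page.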
This is about the only thing I found, but it's promising for the long term -- http://secupwn.github.io/Android-IMSI-Catcher-Detector/ -- note that they list themselves as still in alpha and to expect false indications.
I think the typical advice I've heard -- turning off your phone or turning off the baseband functionality -- is pretty impractical for most folks.
http://money.cnn.com/2014/06/06/technology/security/nsa-turn...
Is it illegal for an 'average joe' to build or develop one of these? Or is it just super high difficulty, i.e. the protocols just aren't published or [easily] reverse-engineered? Or right now is it just the illegality of call recording entirely that is "preventing" its use?
Pretty sure I watched a conference talk that demoed a functional one that included pass-thru [to prevent suspicion/non-functional devices] to the real cell tower IIRC.
I'm just curious because obviously this isn't something you want just anyone to be able to build & deploy -- so much potential for abuse, anything from basic identity theft to serious securities fraud, and much more quickly becomes a very serious & probable threat once these become even just slightly more "mainstream" for the public / criminals / mafia / etc...
Theoretically calls are encrypted, however security researchers have shown vulnerabilities due to old/incorrectly applied primitives. Not sure exactly which protocol versions this applies to. Stingray might just have asked nicely for the keys.
Commercial IMSI-catchers (made with the cooperation of carriers?) do exist, and there are some hobbyist proofs of concept. It is very hard to get caught doing passive receiving.
Transmit in a way that catches the eyes of carrier network engineers, though, and the federal government will come knocking with criminal charges.
FCC makes exceptions to most things for official purposes. For example, government installations can be licensed to operate cell phone jammers.
So the most likely scenario is that the carriers are cooperating... Are they cooperating only with the US, or are they cooperating with other nations as well? Seems safe to assume they're cooperating with any/all nations that have a significant market for their products (ie leverage).
That's fairly scary though -- I assume the keys / encryption stays the same across similar networks, regardless of nation (given that phones continue to work abroad)? Perhaps the keys / encryption does differ by carrier, I'm not sure, but I'd definitely be curious. As long as they stay undetected, sounds like there is very little stopping COUNTRY_X from deploying these in COUNTRY_Y for their own gain, not to mention 'lower level' criminals / mafia / etc...
And obviously there are plenty of people out there (reverse-engineers, employees/insiders, et al) that have access to the keys...
Any idea if the exceptions that the FCC makes are public information, or obtainable via FOIA or similar? I'm guessing the FCC has a rigid "exception request process" in place and, hopefully, they only provide [super] limited-scope exceptions (without warrants, eh)... I'd love to see what exceptions are actually being made and what limits, if any, they contain.
Anyways, this is definitely pretty far outside of my realm of knowledge but I find the tech incredibly intriguing and very interesting nonetheless (and I agree with comments here regarding the FCC).
Also, it's not entirely illegal to operate on some cellular frequencies which overlap with ham bands, if you're a licensed ham radio operator, which Chris apparently was (KJ6GCG).
He also had to disable encryption (illegal on ham bands), use extremely low power and a highly directional antenna (to ensure he didn't intercept anyone outside of the room), and ensure everyone inside the room was aware of the demonstration (IIRC there were signs outside the room). He also destroyed the USB stick the base station was writing to. Even then it was definitely a legal gray area...
> The StingRay is an IMSI-catcher (International Mobile Subscriber Identity), a controversial cellular phone surveillance device, manufactured by Harris Corporation.[2] Initially developed for the military and intelligence community, ....
> Active mode operations
1. Extracting stored data such as International Mobile Subscriber Identity ("IMSI") numbers and Electronic Serial Number ("ESN"),[9]
2. Writing cellular protocol metadata to internal storage
3. Forcing an increase in signal transmission power,[10]
4. Forcing an abundance of radio signals to be transmitted
5. Interception of communications content
6. Tracking and locating the cellular device user,[4]
7. Conducting a denial of service attack
8. Encryption key extraction.[11]
9. radio jamming for either general denial of service purposes[12] or to aid in active mode protocol rollback attacks
> Active (cell site simulator) capabilities
> In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (e.g., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay.[13] In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area.[14] A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area.
So does that mean it would show up as a different carrier on my iPhone, or I'd be blind to the tower choice?
> Furthermore while the IMSI is not transmitted often a silent SMS or a failed call will induce the phone to transmit its IMSI or TMSI also in and out of airplane mode while registering on the network.
I'm not well-versed on how cell carriers & landline carriers differ as far as common-carrier & wiretapping laws go.
There was temporary cell service at Burning Man for the first time this year, supposedly to "support" law enforcement. I guess you could interpret that in two different ways...
"Stingrays and Dirtboxes are mobile surveillance systems that impersonate a legitimate cell phone tower in order to trick mobile phones and other mobile devices in their vicinity into connecting to them and revealing their unique ID and location."
Hence the high casualty rate, they bomb people based on phone metadata. Don't borrow a friend's phone.