story

Feds: There are hostile stingrays in DC, but we don’t know how to find them (opens in new tab)

arstechnica.com

238 pointslgs18y ago97 comments

97 comments

I work in wireless telecom: Really doubtful "we don't know how to find them". The FCC's enforcement bureau has a set of vans equipped to find unauthorized transmitters. IMSI catchers must transmit and remain on the air. It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours. The only other explanation I can think of is being operated from embassies with full diplomatic protections, but that runs the risk of the host county (USA) PNG'ing several staff with 24 hour notice as punishment.

Quick edit: Whole US federal agencies have their own TSCM (technical surveillance countermeasures) staff entirely separate from the FCC. It is a job position at the dept of state. Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

trhway8y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

how about quick switching between several [semi-stationary or briefcase carried] catchers (by analogy with an old Russia/USSR anti-aircraft tactic of quickly switching between several radars to avoid being detected and locked-in by an anti-radar missile :).

walrus018y ago

Theoretically possible. Using current off the shelf tech, several imsi catchers could be networked together by normal LTE data networks with battle tested VPN crypto. Doable with any mifi type hotspot device or even just a modern phone and tethering. People with high end spectrum analyzers and directional antennas would struggle to locate a thing that only powers on for 1-2 minutes, and the relocated to a random location. If I were trying to find such things I would need three separate DF (direction finding) teams, and try to establish a pattern of behavior or movement on the part of the operators to narrow down the target areas. Could take weeks.

bertjk8y ago

I'm not a wireless expert, but then wouldn't it also be theoretically possible to have a network of direction finders? Isn't direction finding also a repeatable set of steps that can benefit from automation?

1 more reply

spaceman13318y ago

> networked together

The manufacturer bears responsibility for misuse given the current state of the market; this is why markets exist, to trade information. If there is a genuine inability to communicate, then the market ceases to exist.

Open societies favor markets for a reason: communication, open lines of communication, and stable ones at that. There are all kinds of ways a computer virus can infect a system that is automatic; consider the possibility that a virus has infected an "autonomous" control system for a moving vehicle. A mechanical coupling usually makes this impossible, a steering wheel.

1 more reply

PeterisP8y ago

The other explanation is very low power / short range e.g. femtocells. If a Stingray-like device is affecting a single building or the like, targeting a particular person, it likely won't be noticed by anyone.

walrus018y ago

Something strong enough to get a whole building full of phones to ping it most certainly can be found by a $70,000 spectrum analyzers and trained RF engineer.

bigiain8y ago

Hell - I bet you could find that with a $12 RTL-SDR and a home built antenna plugged into your laptop - if you were curious and suspected there was one nearby...

1 more reply

ilkan8y ago

This doesn't sound like a technical problem. More like a government is being defunded, half the vans need repair, lack of senior management, no direction, other priorities, shortage of techs, hiring freeze, the remaining people only work from 9-5 and we don't pay overtime, type of problem.

spartango8y ago

While there is extensive infrastructure for detecting active transmitting devices like Stingrays, there's no discussion (or tooling) around passive IMSI grabbers. These devices are significantly more limited (no IMEI or MSISDN, GSM-only), they remain pretty effective in areas/networks where GSM is still in place.

walrus018y ago

https://mg.co.za/article/2016-09-01-00-meet-the-grabber-how-...

Verint engage gi2

subway8y ago

Depends on how much the devices cost to procure, and the budget of the party using them. Seems like these could be treated as "black-throws" given the right cost:budget ratio.

bigiain8y ago

OpenBTS and Ettus USPR (software defined radios) have made it inexpensive enough for hobbyists to set up cellular base stations at Burningman.

The difference between an open source base station, and a homebuilt stingray in negligible.

While a grand or two's worth of radio hardware and however many weekends/evenings spent getting it all set up and the a software configured is _kind of_ expensive - it's effectively free at criminal org, corporate espionage, or state levels of action.

int0x218y ago

Try less than $200. LimeSDR Mini or a couple Motorola C123s running Osmocombb with a filter swap...or a hacked femtocell

vvanders8y ago

Not even that, if you want to use them as a MitM just broadcast the data you want and any arbitrary receiver will pick them up that can't be pinpointed.

That's assuming you don't mind losing the transmitting hardware.

subway8y ago

I think we're saying the same thing.

beamatronic8y ago

I am not familiar with this term, “black-throw”, can you elaborate?

subway8y ago

blackthrow or svartkast is a term for a device left behind in potentially hostile territory to continue operating until it is discovered or fails

1 more reply

rsync8y ago

"It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours."

Even more so in 2018 where an IMSI catcher is only relevant/useful if you downgrade the target to 2G operation, which requires some kind of additional interference/jamming.

Unless they are using "stingray" as some kind of generic term for "device you use to intercept mobile phones" and there are now 3G/LTE "stingrays".

This would all be so simple to deal with if phones just displayed an "unlocked" or "downgraded" warning when operating in 2G or unencrypted mode ...

walrus018y ago

IMSI catchers exist for at least 3gpp release 12, which is one type of LTE.

https://www.unwiredinsight.com/2014/highlights-of-3gpp-relea...

https://www.google.ca/search?q=3gpp+release+12+imsi+catcher&...

rainbowmverse8y ago

>> Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

Relevant: http://www.cryptomuseum.com/covert/bugs/selectric/index.htm

sorokod8y ago

I think it is reasonable to ask if the "feds" actually want to find those stingrays.

Disinformation is a powerful tool.

greggarious8y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

I'd assume if it was run from an embassy it's not risky at all actually - they can just tell the FCC to pound sand

blitmap8y ago

I'm laughing because that's how this discussion will go when posted here: We'll detail a method to catch rogue sting-rays, then brainstorm how to operate them with less risk.

crankylinuxuser8y ago

Well, yeah. That's standard operating procedure for Red/Blue team work.

By knowing how to hack, one knows how to defend. But knowing how to defend also imparts the knowledge to hack.

616c8y ago

How do I get into TSCM from convential appsec work? Is it EE guys and gals and smizmars?

upofadown8y ago

Most will probably be owned by law enforcement. Many will be operating without the benefit of a warrant. So what do you do when you find one? You won't make many friends if you interfere with an ongoing investigation particularly if you raise questions about the legality of the operation at the same time.

Things were much the same back in the old days. If a telephone employee would find listening devices on the lines they were best off just quietly removing them and disposing of them. In the wild, surveillance equipment legally installed under a warrant looks exactly the same as all of the other kinds.

So in practice everyone got to tap phone lines, just as long as they didn't annoy anyone too official while doing so. The targets would never find out, unless the were willing to climb a telephone pole and check for themselves. The same thing will probably happen with stingray type devices. People like private investigators are likely already using them.

itronitron8y ago

That reminds me of some photos my dad took years ago of a line technician on a crane truck fiddling with some equipment on a utility pole at the edge of our front yard for about thirty minutes. He thinks the guy was testing for some illegal cable descrambler on the line although I suppose it could have been anything since this happened in the DC Metro area :)

bvinc8y ago

Can someone please explain to me why this cell security problem seems to be completely ignored? If encryption algorithms are broken, they're phased out and untrusted. But if 2g is insecure, there's not a single peep from networks or phone manufactures or Google or Apple about phasing out 2g. There isn't even an option to disable it.

Why don't towers have a sort of encryption certificate verifying they're legit?

Why doesnt my cell provider just provide my phone a list of it's legit towers?

I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

noselasd8y ago

> Why don't towers have a sort of encryption certificate verifying they're legit?

Pushback from various parties/regimes to keep this out of the standards. (e.g. the brits pushed back against strong encryption in the 1. GSM standards, https://www.aftenposten.no/verden/i/Olkl/Sources-We-were-pre... , and this has gone round to other countries pushing back in all kinds of ways since then.)

> Why doesnt my cell provider just provide my phone a list of it's legit towers?

It does, but not securely, so it can be faked. And since the towers does not authenticate themselves to the phone, you can just pretend to be a tower anyway.

> I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

Sure, there's numerous ways to solve this - but there is little incentives to do so. it does get somewhat better - LTE can authenticate the network to the phone. But then there are countries where it's illegal to encrypt the public phone networks, so the protocol specs include an option to just disable this mechanism alltogether.

- Phone manufactures want to make their phones work everywhere, and the standards make them have all kinds of fall back mechanisms. So new LTE phones supports everything from LTE to the oldest GSM standards - they don't want a reputation of their phone not working when traveling to XXX.

- Telco companies gets pushback from governments, or in most cases around the world are owned and operated by governments - and they want backdoors into networks for surveillance.

- Telco equipment manufactures just make equipment that the telco companies wants. While all the standards for all the protocols and mechanisms work, they are product of a design-by-commitee, mostly made up by telco companies and telco manufacturers.

rsync8y ago

"I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works."

LTE and 3G solve the problem of authentication and encryption with the tower - the problem is that an attacker can, through interference or other means, force your handset to downgrade to 2G operation.

There is a very, very simple solution to this: display an icon/error when you downgrade to 2G and an even bigger icon when your 2G connection has no encryption (which is a valid option for a 2G connection).

This would be trivially simple but for reasons that are difficult to understand, phone OS and SIM providers do not do this.

"But it's super hard to find any information if how this all works."

I would recommend viewing/listening to the CCC (Congress) talks on GSM subjects that have been given over the last ten years. The osmocom "baseband-devel" is also a good mailing list to read the archives of ...

munin8y ago

> But if 2g is insecure, there's not a single peep from networks or phone manufactures or Google or Apple about phasing out 2g. There isn't even an option to disable it.

Good news I guess: AT&T turned off their 2G in December of 2016: https://www.att.com/esupport/article.html#!/wireless/KM10848...

It caused a bit of a stir in the alarm system market, because so many of the alarm panels connected to the home office via embedded 2G modems.

libdjml8y ago

I’ll take a wild guess:

* a lot of legacy kit that’s expensive and hard to upgrade

* lots of things rely on backward compatibility

* attacks are still too difficult/expensive to the point that only hushed adversaries are performing attacks

* lack of motivation from cell providers

droopybuns8y ago

I think there is a perfect storm of savant security nerds with piss-pour communications skills and telcos over-indexing on mba/finance leadership.

The security nerds make blustery comments that “anyone with motivation and a couple g’s worth of gear can target ANYONE.”

There are a bunch or problems with this argument. Gnuradio is not easy. You need to be in radio proximity to your target. Targeting someone requires some homework and luck (converting msisdn to timsi isn’t trivial. It’s doable, but the nerds double down on trivial, burning credibility by claiming triviality that can easily be argued against by half-wits.). The mbas (whose job it is to move the needle on billion dollar businesses) are getting asked to add expenses that require new software at the base stations, replacement of mobile endpoints, Break roaming and generate NO ADDITIONAL REVENUE BECAUSE CONSUMERS DONT REALLY CARE ABOUT SECURITY.

What would you do? These are not the best and brightest. They have built careers in avoiding risk.

The MNOs have a serious culture problem. The single best solution would be to incentivize competition, but the only thing the SV people want is net neutrality, which only entrenches the established players.

We only have ourselves to blame for this mess. The moves that would resolve this problem: taking on risk that most wont recognize will not move the needle in the right direction. Consumers think mobile internet is too pricey- they won’t pay more for security. The solution creates costs. We are doomed.

lostlogin8y ago

> piss pour

Eww. That’s nasty. ‘Piss poor’ is likely the phrase you’re looking for.

obmelvin8y ago

Naive question: how does net neutrality entrench companies? To me it seems the opposite, the more you can pay the better service your company can offer which directly benefits larger entrenched companies, no?

droopybuns8y ago

Imagine deciding to run a local ISP for 300 homes in your neighborhood. You don't know if all 300 will sign up for service. You don't know how long it will take to get to 300.

Do you pay for peering agreements that will meet the demands of 300 homes for the two years it will take to get there, or do you try to build up gradually? Will you be in a situation where you can't meet your existing customers' demand? Who will have leverage in that next peering agreement? It's clearly the entrenched backhaul provider.

If you have some ability to steer & prioritize traffic, you will have some wiggle room when it comes time to negotiate your next agreement. With net neutrality concepts- you lose that tool. You're totally dependent on the accuracy of your traffic predictions & the peering partner has a significant negotiating advantage.

You're going to take on the risk of digging trenches & negotiating peering agreements for underserved, rural or suburban locations. You're going to need a mass of homes to agree to the trenching & installation. You're going to have to negotiate labor for digging these trenches & laying cable in a way that will resist water damage & other threats.

All of this sucks and is hard.

>>the more you can pay the better service your company can offer which directly benefits larger entrenched companies, no?

I don't believe that anyone really wants to rate websites differently than they already are (via peering arrangements- which are how the Internet works, folks). But the argument that most people want to make is that ISPs will block access to example.com. The best example of access to a website being cut off I can point to is google's decision to block Amazon devices from accessing youtube.com.

If no ISP is doing this kind of blocking, then what's the point of exposing ISPs to risk of unfounded claims from random customers that you are violating net neutrality principals? Do you now need to absorb the cost of Audits to prove you're not? Digging trenches is hard, expensive & risky. What happens when you pile on more regulations?

Who is excited to get into this business? The established providers already have legal teams & are prepared to deal with legislators. Startup ISPs are annoying bugs that can easily be crushed with regulatory pressure. Add "ability to absorb regulatory & legal tangles" to your list of runway calculations.

All I see are increasingly challenging hurdles for startup ISPs that need pricing flexibility to manage the early, high risk tasks of starting an ISP.

chisleu8y ago

It's not the algo. The keys are the problem

BuildTheRobots8y ago

Actually with 2G (especially A5/0, /1, /2), it's very much the algorithm that's the problem.

A5/2 which is the precursor to the encryption used for 3G and LTE is a lot better but there's still issues that are only just coming to light.

1 more reply

pacificmint8y ago

I'd say let's hope they'll remember that the next time they'll ask for backdoors in some other technology.

But in reality I have very little hope that they will.

RpFLCL8y ago

That was the first thing that struck me too. There's some irony about these showing up on the streets of DC.

New technology only stays in the hands of "our team" for so long before ultimately showing up on our doorstep. Especially when that's low cost surveillance technology...

alexhutcheson8y ago

I wasn't familiar with the term 'stingray', so this headline was both confusing an amusing to me. I was confused about why they would even be looking for 'hostile' cartilaginous fish. I can't be the only one.

JCharante8y ago

I too thought that for a brief moment when reading the title before remembering what stingrays were.

Overtonwindow8y ago

As a resident, let me pose to you this : The government doesn't always know what the rest of the government is doing. I would be surprised if there weren't rogue Stingray's out there, and even more not surprised that it's some discreet arm of the government.

bigiain8y ago

Yeah, like the local garbage collection agency, or the animal welfare agency, or the horse racing regulators. All of whom will claim, if cornered, "We don't need a warrant, because, ummm, we're doing this TO PROTECT THE PRESIDENT!!!"

(That list may sound idiotic, but you can't make this shit up - there's examples where I live of those exact agencies (and more) requesting warrantless access to telecommunications metadata: https://www.smh.com.au/technology/dozens-of-government-agenc... )

walrus018y ago

More likely explanation is various intelligence agencies with contracts with companies like Booz, ITT-Exelis, LockheedMartin, etc that have the technical capability to do private signals intelligence gathering.

jumelles8y ago

Yes, I'm sure both likely exist, but that doesn't make Stingrays operated by eg. China, Iran, DPRK, Russia any less of a problem !

lolc8y ago

You're jumping to conclusions. You don't need to be a nation state to operate a dingy IMSI-catcher.

YouKnowBetter8y ago

This is not limited to the US. In fact, you are late to the party. Both in Oslo and in London these where uncovered and published about, that was 2015.

https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-si...

https://commsrisk.com/reporters-find-20-imsi-catchers-in-lon...

pcmaffey8y ago

> IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data. Police can use them to determine your location or to find out who is in a given geographic area at what time. [1]

Does turning one's phone off not disable pinging cell towers?

[1] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

bitexploder8y ago

Wrong. This is an exaggeration at best and just plain wrong for most US LTE users. LTE is very hard to fully MiTM. You can still catch / observe through IMSI, but the phone won't deal with your rogue tower. If you can downgrade someone to 3G you can more easily observe voice and or texts. Data is actually harder to MiTM, even on 3G. That said, it is not feasible to down grade any modern US LTE devices as far as I know.

Turning your phone off usually does prevent tower pings, but some phones have been known to be sneaky.

shakna8y ago

Many modern phones don't turn off all the way, and continue to ping towers.

I can't find any official documentation, but several Android phones I've owned over the years have powered themselves on when switched off and receiving a phone call.

eigenvector8y ago

Why can't they find them the same way government agencies normally enforce radio licensing? Drive around with a receiver (a cell phone, basically) enumerating all the purported cell towers in a geographic area, then cross-check that with a list of legitimate carrier infrastructure?

phusion8y ago

It MAY not be that easy... femtocells and whatnot may make that a difficult task. I wondered this myself, since nearly all pirate radio stations are caught.. but cell sites don't work the same way. Just a thought.

Slansitartop8y ago

I think this is good news. I think the kinds of politicians that are typically over-friendly with the police are also the kind that want a strong military. The use of "law enforcement" technology like stingrays by hostile intelligence agencies, might create a useful tension in them that could help convince them to harden domestic communications against law enforcement spying.

mkempe8y ago

If only they cared about protecting our rights in the first place, as much or more than they apparently care about alleged spying by foreign powers.

itronitron8y ago

except that if/when politicians get cozy, either willingly or not, with the hostile intelligence agencies then they would likely want all the benefits of that cozy relationship to continue indefinitely

chapill8y ago

Seems like a good reason to install and use something like

https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

Do the Feds have bounties for catching illegal stingrays?

et-al8y ago

Layman question: one can limit their exposure with encrypted VoIP communications (e.g. FaceTime) and chats (iMessage, Signal), correct?

That being said, the intercepter would still know:

- phone being connected (IMEI)

- location of the phone

- which servers were requested, but not the encrypted content (yet)

- how much data was transmitted, "call time"

So if two phones were talking with each other over FaceTime connected to stingrays, a third-party can still deduce that they were talking to each other given the amount of data being transferred and when the requests occurred.

walrus018y ago

Re: your last sentence, a stingray rarely if ever offers actual network connectivity, either ss7 or data. Its purpose is just to catch the unique ID numbers from the phone. Whatever you have set into your phone for LTE APN data settings isn't going to work with a random imsi catcher. Such a thing won't have an uplink anyways outside of its command/control functions.

gruez8y ago

Doesn't that make them really detectable? A deadspot with full signal bars would be really suspicious.

walrus018y ago

A phone doesn't stay connected to a stingray, it will get the imsi and then move on to a real site of the phone's carrier.

1 more reply

et-al8y ago

Thanks! Didn't know that about stingrays.

cryptonector8y ago

The metadata is most of the story. Certainly, if the stingray lets arbitrary protocols through, you can secure the contents of your communications, including any metadata tunneled through (e.g., if you're using VPN), but not the metadata on the outside of the tunnel. Depending on the VoIP protocol, you may not get any protection for metadata unless you're using a VPN.

walrus018y ago

Possibly rogue IMSI catchers have also been spotted in in Ottawa. If I had to bet they're run by CSE, which of course will neither confirm nor deny.

https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa...

kornish8y ago

For those confused about the terminology in the title...

> The devices, which are also known as stingrays or IMSI catchers, are commonly used by domestic law enforcement nationwide to locate a particular phone. Sometimes, they can also be used to intercept text messages and phone calls. Stingrays act as a fake cell tower and effectively trick a cell phone into transmitting to it, which gives up the phone’s location.

mkempe8y ago

My understanding is that all stingrays are by definition hostile.

mkempe8y ago

And if the NSA and FBI had devoted less energy to turning this country into a corrupt republic on its way to a totalitarian nightmare, I am sure they would have had the ability and resources to ensure that such stingrays were impossible to set up.

mkempe8y ago

Here is what the EFF says: "[Stringrays] can also intercept metadata (such as information about calls made and the amount of time on each call), the content of unencrypted phone calls and text messages and data usage (such as websites visited). Additionally, marketing material indicates that they can be configured to divert calls and text messages, edit messages, and even spoof the identity of a caller in text messages and calls." [1]

This is what the FBI and NSA love. They never try to protect the American public from such weaknesses in the country's infrastructure, although that is what they are supposed to be doing. All so they can spy on everybody, feed illegal parallel-construction activities, and generally nurture the growth of a police state; it is also clear by now that these agencies have been interfering with national politics. These are not friends of our freedoms.

[1] https://www.eff.org/pages/cell-site-simulatorsimsi-catchers

palisade8y ago

Is that Russian ship still parked nearby? I recall reading about that a while back. Maybe that's where the signal is coming from. https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-c...

QuarterReptile8y ago

I admit that I don't have much expertise on the matter, having only ever operated a GSM cell site simulator (never LTE), but the max range I remember (in ideal conditions) is something like 35 miles.

bigiain8y ago

35km - which is a TDMA timing issue, not a radio range one - that damned pesky speed of light problem...

https://en.wikipedia.org/wiki/Timing_advance

(Note there's and "extended range" feature, where you can halve the cell site's capacity by waiting two timeslots in the TDMA schedule instead of one - which lets you go as far as 120km...)

elipsey8y ago

Ambiguous title. On my first reading I thought: do they mean animals? ...or missiles? ...oh no it's even scarier then the first two!

bsder8y ago

Is Milenage still a safe protocol?

Or are all of these stingrays still dependent upon forcing you to switch down to the older 2G protocols?

Rjevski8y ago

Yep most of this bullshit is because garbage like 2G (and 3G) is still in operation. Phones should just phase that out (less code, thus less attack surface).

benpiper8y ago

The headline doesn't at all agree with the what the article and its sources say, which is basically a whole lot of nothing.

ConcernedCoder8y ago

Why would they admit that they could find them?

homero8y ago

The same backdoors politicians want in our devices will come back to haunt them.

vl8y ago

>we don’t know how to find them

Triangulation?

j / k navigate · click thread line to collapse

97 comments

walrus018y ago

trhway8y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

walrus018y ago

bertjk8y ago

1 more reply

spaceman13318y ago

> networked together

1 more reply

PeterisP8y ago

walrus018y ago

Something strong enough to get a whole building full of phones to ping it most certainly can be found by a $70,000 spectrum analyzers and trained RF engineer.

bigiain8y ago

Hell - I bet you could find that with a $12 RTL-SDR and a home built antenna plugged into your laptop - if you were curious and suspected there was one nearby...

1 more reply

ilkan8y ago

spartango8y ago

walrus018y ago

https://mg.co.za/article/2016-09-01-00-meet-the-grabber-how-...

Verint engage gi2

subway8y ago

Depends on how much the devices cost to procure, and the budget of the party using them. Seems like these could be treated as "black-throws" given the right cost:budget ratio.

bigiain8y ago

OpenBTS and Ettus USPR (software defined radios) have made it inexpensive enough for hobbyists to set up cellular base stations at Burningman.

The difference between an open source base station, and a homebuilt stingray in negligible.

int0x218y ago

Try less than $200. LimeSDR Mini or a couple Motorola C123s running Osmocombb with a filter swap...or a hacked femtocell

vvanders8y ago

Not even that, if you want to use them as a MitM just broadcast the data you want and any arbitrary receiver will pick them up that can't be pinpointed.

That's assuming you don't mind losing the transmitting hardware.

subway8y ago

I think we're saying the same thing.

beamatronic8y ago

I am not familiar with this term, “black-throw”, can you elaborate?

subway8y ago

blackthrow or svartkast is a term for a device left behind in potentially hostile territory to continue operating until it is discovered or fails

1 more reply

rsync8y ago

"It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours."

Even more so in 2018 where an IMSI catcher is only relevant/useful if you downgrade the target to 2G operation, which requires some kind of additional interference/jamming.

Unless they are using "stingray" as some kind of generic term for "device you use to intercept mobile phones" and there are now 3G/LTE "stingrays".

This would all be so simple to deal with if phones just displayed an "unlocked" or "downgraded" warning when operating in 2G or unencrypted mode ...

walrus018y ago

IMSI catchers exist for at least 3gpp release 12, which is one type of LTE.

https://www.unwiredinsight.com/2014/highlights-of-3gpp-relea...

https://www.google.ca/search?q=3gpp+release+12+imsi+catcher&...

rainbowmverse8y ago

>> Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

Relevant: http://www.cryptomuseum.com/covert/bugs/selectric/index.htm

sorokod8y ago

I think it is reasonable to ask if the "feds" actually want to find those stingrays.

Disinformation is a powerful tool.

greggarious8y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

I'd assume if it was run from an embassy it's not risky at all actually - they can just tell the FCC to pound sand

blitmap8y ago

I'm laughing because that's how this discussion will go when posted here: We'll detail a method to catch rogue sting-rays, then brainstorm how to operate them with less risk.

crankylinuxuser8y ago

Well, yeah. That's standard operating procedure for Red/Blue team work.

By knowing how to hack, one knows how to defend. But knowing how to defend also imparts the knowledge to hack.

616c8y ago

How do I get into TSCM from convential appsec work? Is it EE guys and gals and smizmars?

upofadown8y ago

itronitron8y ago

bvinc8y ago

Why don't towers have a sort of encryption certificate verifying they're legit?

Why doesnt my cell provider just provide my phone a list of it's legit towers?

I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

noselasd8y ago

> Why don't towers have a sort of encryption certificate verifying they're legit?

> Why doesnt my cell provider just provide my phone a list of it's legit towers?

It does, but not securely, so it can be faked. And since the towers does not authenticate themselves to the phone, you can just pretend to be a tower anyway.

> I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

- Telco companies gets pushback from governments, or in most cases around the world are owned and operated by governments - and they want backdoors into networks for surveillance.

rsync8y ago

"I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works."

This would be trivially simple but for reasons that are difficult to understand, phone OS and SIM providers do not do this.

"But it's super hard to find any information if how this all works."

munin8y ago

> But if 2g is insecure, there's not a single peep from networks or phone manufactures or Google or Apple about phasing out 2g. There isn't even an option to disable it.

Good news I guess: AT&T turned off their 2G in December of 2016: https://www.att.com/esupport/article.html#!/wireless/KM10848...

It caused a bit of a stir in the alarm system market, because so many of the alarm panels connected to the home office via embedded 2G modems.

libdjml8y ago

I’ll take a wild guess:

* a lot of legacy kit that’s expensive and hard to upgrade

* lots of things rely on backward compatibility

* attacks are still too difficult/expensive to the point that only hushed adversaries are performing attacks

* lack of motivation from cell providers

droopybuns8y ago

I think there is a perfect storm of savant security nerds with piss-pour communications skills and telcos over-indexing on mba/finance leadership.

The security nerds make blustery comments that “anyone with motivation and a couple g’s worth of gear can target ANYONE.”

What would you do? These are not the best and brightest. They have built careers in avoiding risk.

lostlogin8y ago

> piss pour

Eww. That’s nasty. ‘Piss poor’ is likely the phrase you’re looking for.

obmelvin8y ago

droopybuns8y ago

Imagine deciding to run a local ISP for 300 homes in your neighborhood. You don't know if all 300 will sign up for service. You don't know how long it will take to get to 300.

All of this sucks and is hard.

>>the more you can pay the better service your company can offer which directly benefits larger entrenched companies, no?

All I see are increasingly challenging hurdles for startup ISPs that need pricing flexibility to manage the early, high risk tasks of starting an ISP.

chisleu8y ago

It's not the algo. The keys are the problem

BuildTheRobots8y ago

Actually with 2G (especially A5/0, /1, /2), it's very much the algorithm that's the problem.

A5/2 which is the precursor to the encryption used for 3G and LTE is a lot better but there's still issues that are only just coming to light.

1 more reply

pacificmint8y ago

I'd say let's hope they'll remember that the next time they'll ask for backdoors in some other technology.

But in reality I have very little hope that they will.

RpFLCL8y ago

That was the first thing that struck me too. There's some irony about these showing up on the streets of DC.

New technology only stays in the hands of "our team" for so long before ultimately showing up on our doorstep. Especially when that's low cost surveillance technology...

alexhutcheson8y ago

JCharante8y ago

I too thought that for a brief moment when reading the title before remembering what stingrays were.

Overtonwindow8y ago

bigiain8y ago

walrus018y ago

jumelles8y ago

Yes, I'm sure both likely exist, but that doesn't make Stingrays operated by eg. China, Iran, DPRK, Russia any less of a problem !

lolc8y ago

You're jumping to conclusions. You don't need to be a nation state to operate a dingy IMSI-catcher.

YouKnowBetter8y ago

This is not limited to the US. In fact, you are late to the party. Both in Oslo and in London these where uncovered and published about, that was 2015.

https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-si...

https://commsrisk.com/reporters-find-20-imsi-catchers-in-lon...

pcmaffey8y ago

Does turning one's phone off not disable pinging cell towers?

[1] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

bitexploder8y ago

Turning your phone off usually does prevent tower pings, but some phones have been known to be sneaky.

shakna8y ago

Many modern phones don't turn off all the way, and continue to ping towers.

I can't find any official documentation, but several Android phones I've owned over the years have powered themselves on when switched off and receiving a phone call.

eigenvector8y ago

phusion8y ago

Slansitartop8y ago

mkempe8y ago

If only they cared about protecting our rights in the first place, as much or more than they apparently care about alleged spying by foreign powers.

itronitron8y ago

chapill8y ago

Seems like a good reason to install and use something like

https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

Do the Feds have bounties for catching illegal stingrays?

et-al8y ago

Layman question: one can limit their exposure with encrypted VoIP communications (e.g. FaceTime) and chats (iMessage, Signal), correct?

That being said, the intercepter would still know:

- phone being connected (IMEI)

- location of the phone

- which servers were requested, but not the encrypted content (yet)

- how much data was transmitted, "call time"

walrus018y ago

gruez8y ago

Doesn't that make them really detectable? A deadspot with full signal bars would be really suspicious.

walrus018y ago

A phone doesn't stay connected to a stingray, it will get the imsi and then move on to a real site of the phone's carrier.

1 more reply

et-al8y ago

Thanks! Didn't know that about stingrays.

cryptonector8y ago

walrus018y ago

Possibly rogue IMSI catchers have also been spotted in in Ottawa. If I had to bet they're run by CSE, which of course will neither confirm nor deny.

https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa...

kornish8y ago

For those confused about the terminology in the title...

mkempe8y ago

My understanding is that all stingrays are by definition hostile.

mkempe8y ago

[1] https://www.eff.org/pages/cell-site-simulatorsimsi-catchers

palisade8y ago

Is that Russian ship still parked nearby? I recall reading about that a while back. Maybe that's where the signal is coming from. https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-c...

QuarterReptile8y ago

I admit that I don't have much expertise on the matter, having only ever operated a GSM cell site simulator (never LTE), but the max range I remember (in ideal conditions) is something like 35 miles.

bigiain8y ago

35km - which is a TDMA timing issue, not a radio range one - that damned pesky speed of light problem...

https://en.wikipedia.org/wiki/Timing_advance

(Note there's and "extended range" feature, where you can halve the cell site's capacity by waiting two timeslots in the TDMA schedule instead of one - which lets you go as far as 120km...)

elipsey8y ago

Ambiguous title. On my first reading I thought: do they mean animals? ...or missiles? ...oh no it's even scarier then the first two!

bsder8y ago

Is Milenage still a safe protocol?

Or are all of these stingrays still dependent upon forcing you to switch down to the older 2G protocols?

Rjevski8y ago

Yep most of this bullshit is because garbage like 2G (and 3G) is still in operation. Phones should just phase that out (less code, thus less attack surface).

benpiper8y ago

The headline doesn't at all agree with the what the article and its sources say, which is basically a whole lot of nothing.

ConcernedCoder8y ago

Why would they admit that they could find them?

homero8y ago

The same backdoors politicians want in our devices will come back to haunt them.

vl8y ago

>we don’t know how to find them

Triangulation?

j / k navigate · click thread line to collapse