Feds: There are hostile stingrays in DC, but we don’t know how to find them (opens in new tab)

(arstechnica.com)

238 pointslgs17y ago97 comments

97 comments

I work in wireless telecom: Really doubtful "we don't know how to find them". The FCC's enforcement bureau has a set of vans equipped to find unauthorized transmitters. IMSI catchers must transmit and remain on the air. It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours. The only other explanation I can think of is being operated from embassies with full diplomatic protections, but that runs the risk of the host county (USA) PNG'ing several staff with 24 hour notice as punishment.

Quick edit: Whole US federal agencies have their own TSCM (technical surveillance countermeasures) staff entirely separate from the FCC. It is a job position at the dept of state. Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

trhway7y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

how about quick switching between several [semi-stationary or briefcase carried] catchers (by analogy with an old Russia/USSR anti-aircraft tactic of quickly switching between several radars to avoid being detected and locked-in by an anti-radar missile :).

walrus017y ago

Theoretically possible. Using current off the shelf tech, several imsi catchers could be networked together by normal LTE data networks with battle tested VPN crypto. Doable with any mifi type hotspot device or even just a modern phone and tethering. People with high end spectrum analyzers and directional antennas would struggle to locate a thing that only powers on for 1-2 minutes, and the relocated to a random location. If I were trying to find such things I would need three separate DF (direction finding) teams, and try to establish a pattern of behavior or movement on the part of the operators to narrow down the target areas. Could take weeks.

2 more replies

PeterisP7y ago

The other explanation is very low power / short range e.g. femtocells. If a Stingray-like device is affecting a single building or the like, targeting a particular person, it likely won't be noticed by anyone.

walrus017y ago

Something strong enough to get a whole building full of phones to ping it most certainly can be found by a $70,000 spectrum analyzers and trained RF engineer.

1 more reply

ilkan7y ago

This doesn't sound like a technical problem. More like a government is being defunded, half the vans need repair, lack of senior management, no direction, other priorities, shortage of techs, hiring freeze, the remaining people only work from 9-5 and we don't pay overtime, type of problem.

spartango7y ago

While there is extensive infrastructure for detecting active transmitting devices like Stingrays, there's no discussion (or tooling) around passive IMSI grabbers. These devices are significantly more limited (no IMEI or MSISDN, GSM-only), they remain pretty effective in areas/networks where GSM is still in place.

walrus017y ago

https://mg.co.za/article/2016-09-01-00-meet-the-grabber-how-...

Verint engage gi2

subway7y ago

Depends on how much the devices cost to procure, and the budget of the party using them. Seems like these could be treated as "black-throws" given the right cost:budget ratio.

bigiain7y ago

OpenBTS and Ettus USPR (software defined radios) have made it inexpensive enough for hobbyists to set up cellular base stations at Burningman.

The difference between an open source base station, and a homebuilt stingray in negligible.

While a grand or two's worth of radio hardware and however many weekends/evenings spent getting it all set up and the a software configured is _kind of_ expensive - it's effectively free at criminal org, corporate espionage, or state levels of action.

1 more reply

vvanders7y ago

Not even that, if you want to use them as a MitM just broadcast the data you want and any arbitrary receiver will pick them up that can't be pinpointed.

That's assuming you don't mind losing the transmitting hardware.

1 more reply

beamatronic7y ago

I am not familiar with this term, “black-throw”, can you elaborate?

1 more reply

rsync7y ago

"It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours."

Even more so in 2018 where an IMSI catcher is only relevant/useful if you downgrade the target to 2G operation, which requires some kind of additional interference/jamming.

Unless they are using "stingray" as some kind of generic term for "device you use to intercept mobile phones" and there are now 3G/LTE "stingrays".

This would all be so simple to deal with if phones just displayed an "unlocked" or "downgraded" warning when operating in 2G or unencrypted mode ...

walrus017y ago

IMSI catchers exist for at least 3gpp release 12, which is one type of LTE.

https://www.unwiredinsight.com/2014/highlights-of-3gpp-relea...

https://www.google.ca/search?q=3gpp+release+12+imsi+catcher&...

rainbowmverse7y ago

>> Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

Relevant: http://www.cryptomuseum.com/covert/bugs/selectric/index.htm

sorokod7y ago

I think it is reasonable to ask if the "feds" actually want to find those stingrays.

Disinformation is a powerful tool.

greggarious7y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

I'd assume if it was run from an embassy it's not risky at all actually - they can just tell the FCC to pound sand

blitmap7y ago

I'm laughing because that's how this discussion will go when posted here: We'll detail a method to catch rogue sting-rays, then brainstorm how to operate them with less risk.

crankylinuxuser7y ago

Well, yeah. That's standard operating procedure for Red/Blue team work.

By knowing how to hack, one knows how to defend. But knowing how to defend also imparts the knowledge to hack.

616c7y ago

How do I get into TSCM from convential appsec work? Is it EE guys and gals and smizmars?

upofadown7y ago

Most will probably be owned by law enforcement. Many will be operating without the benefit of a warrant. So what do you do when you find one? You won't make many friends if you interfere with an ongoing investigation particularly if you raise questions about the legality of the operation at the same time.

Things were much the same back in the old days. If a telephone employee would find listening devices on the lines they were best off just quietly removing them and disposing of them. In the wild, surveillance equipment legally installed under a warrant looks exactly the same as all of the other kinds.

So in practice everyone got to tap phone lines, just as long as they didn't annoy anyone too official while doing so. The targets would never find out, unless the were willing to climb a telephone pole and check for themselves. The same thing will probably happen with stingray type devices. People like private investigators are likely already using them.

itronitron7y ago

That reminds me of some photos my dad took years ago of a line technician on a crane truck fiddling with some equipment on a utility pole at the edge of our front yard for about thirty minutes. He thinks the guy was testing for some illegal cable descrambler on the line although I suppose it could have been anything since this happened in the DC Metro area :)

bvinc7y ago

Can someone please explain to me why this cell security problem seems to be completely ignored? If encryption algorithms are broken, they're phased out and untrusted. But if 2g is insecure, there's not a single peep from networks or phone manufactures or Google or Apple about phasing out 2g. There isn't even an option to disable it.

Why don't towers have a sort of encryption certificate verifying they're legit?

Why doesnt my cell provider just provide my phone a list of it's legit towers?

I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

noselasd7y ago

> Why don't towers have a sort of encryption certificate verifying they're legit?

Pushback from various parties/regimes to keep this out of the standards. (e.g. the brits pushed back against strong encryption in the 1. GSM standards, https://www.aftenposten.no/verden/i/Olkl/Sources-We-were-pre... , and this has gone round to other countries pushing back in all kinds of ways since then.)

> Why doesnt my cell provider just provide my phone a list of it's legit towers?

It does, but not securely, so it can be faked. And since the towers does not authenticate themselves to the phone, you can just pretend to be a tower anyway.

> I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

Sure, there's numerous ways to solve this - but there is little incentives to do so. it does get somewhat better - LTE can authenticate the network to the phone. But then there are countries where it's illegal to encrypt the public phone networks, so the protocol specs include an option to just disable this mechanism alltogether.

- Phone manufactures want to make their phones work everywhere, and the standards make them have all kinds of fall back mechanisms. So new LTE phones supports everything from LTE to the oldest GSM standards - they don't want a reputation of their phone not working when traveling to XXX.

- Telco companies gets pushback from governments, or in most cases around the world are owned and operated by governments - and they want backdoors into networks for surveillance.

- Telco equipment manufactures just make equipment that the telco companies wants. While all the standards for all the protocols and mechanisms work, they are product of a design-by-commitee, mostly made up by telco companies and telco manufacturers.

rsync7y ago

"I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works."

LTE and 3G solve the problem of authentication and encryption with the tower - the problem is that an attacker can, through interference or other means, force your handset to downgrade to 2G operation.

There is a very, very simple solution to this: display an icon/error when you downgrade to 2G and an even bigger icon when your 2G connection has no encryption (which is a valid option for a 2G connection).

This would be trivially simple but for reasons that are difficult to understand, phone OS and SIM providers do not do this.

"But it's super hard to find any information if how this all works."

I would recommend viewing/listening to the CCC (Congress) talks on GSM subjects that have been given over the last ten years. The osmocom "baseband-devel" is also a good mailing list to read the archives of ...

munin7y ago

> But if 2g is insecure, there's not a single peep from networks or phone manufactures or Google or Apple about phasing out 2g. There isn't even an option to disable it.

Good news I guess: AT&T turned off their 2G in December of 2016: https://www.att.com/esupport/article.html#!/wireless/KM10848...

It caused a bit of a stir in the alarm system market, because so many of the alarm panels connected to the home office via embedded 2G modems.

libdjml7y ago

I’ll take a wild guess:

* a lot of legacy kit that’s expensive and hard to upgrade

* lots of things rely on backward compatibility

* attacks are still too difficult/expensive to the point that only hushed adversaries are performing attacks

* lack of motivation from cell providers

droopybuns7y ago

I think there is a perfect storm of savant security nerds with piss-pour communications skills and telcos over-indexing on mba/finance leadership.

The security nerds make blustery comments that “anyone with motivation and a couple g’s worth of gear can target ANYONE.”

There are a bunch or problems with this argument. Gnuradio is not easy. You need to be in radio proximity to your target. Targeting someone requires some homework and luck (converting msisdn to timsi isn’t trivial. It’s doable, but the nerds double down on trivial, burning credibility by claiming triviality that can easily be argued against by half-wits.). The mbas (whose job it is to move the needle on billion dollar businesses) are getting asked to add expenses that require new software at the base stations, replacement of mobile endpoints, Break roaming and generate NO ADDITIONAL REVENUE BECAUSE CONSUMERS DONT REALLY CARE ABOUT SECURITY.

What would you do? These are not the best and brightest. They have built careers in avoiding risk.

The MNOs have a serious culture problem. The single best solution would be to incentivize competition, but the only thing the SV people want is net neutrality, which only entrenches the established players.

We only have ourselves to blame for this mess. The moves that would resolve this problem: taking on risk that most wont recognize will not move the needle in the right direction. Consumers think mobile internet is too pricey- they won’t pay more for security. The solution creates costs. We are doomed.

lostlogin7y ago

> piss pour

Eww. That’s nasty. ‘Piss poor’ is likely the phrase you’re looking for.

obmelvin7y ago

Naive question: how does net neutrality entrench companies? To me it seems the opposite, the more you can pay the better service your company can offer which directly benefits larger entrenched companies, no?

1 more reply

chisleu7y ago

It's not the algo. The keys are the problem

BuildTheRobots7y ago

Actually with 2G (especially A5/0, /1, /2), it's very much the algorithm that's the problem.

A5/2 which is the precursor to the encryption used for 3G and LTE is a lot better but there's still issues that are only just coming to light.

1 more reply

pacificmint7y ago

I'd say let's hope they'll remember that the next time they'll ask for backdoors in some other technology.

But in reality I have very little hope that they will.

RpFLCL7y ago

That was the first thing that struck me too. There's some irony about these showing up on the streets of DC.

New technology only stays in the hands of "our team" for so long before ultimately showing up on our doorstep. Especially when that's low cost surveillance technology...

alexhutcheson7y ago

I wasn't familiar with the term 'stingray', so this headline was both confusing an amusing to me. I was confused about why they would even be looking for 'hostile' cartilaginous fish. I can't be the only one.

JCharante7y ago

I too thought that for a brief moment when reading the title before remembering what stingrays were.

Overtonwindow7y ago

As a resident, let me pose to you this : The government doesn't always know what the rest of the government is doing. I would be surprised if there weren't rogue Stingray's out there, and even more not surprised that it's some discreet arm of the government.

bigiain7y ago

Yeah, like the local garbage collection agency, or the animal welfare agency, or the horse racing regulators. All of whom will claim, if cornered, "We don't need a warrant, because, ummm, we're doing this TO PROTECT THE PRESIDENT!!!"

(That list may sound idiotic, but you can't make this shit up - there's examples where I live of those exact agencies (and more) requesting warrantless access to telecommunications metadata: https://www.smh.com.au/technology/dozens-of-government-agenc... )

walrus017y ago

More likely explanation is various intelligence agencies with contracts with companies like Booz, ITT-Exelis, LockheedMartin, etc that have the technical capability to do private signals intelligence gathering.

jumelles7y ago

Yes, I'm sure both likely exist, but that doesn't make Stingrays operated by eg. China, Iran, DPRK, Russia any less of a problem !

lolc7y ago

You're jumping to conclusions. You don't need to be a nation state to operate a dingy IMSI-catcher.

YouKnowBetter7y ago

This is not limited to the US. In fact, you are late to the party. Both in Oslo and in London these where uncovered and published about, that was 2015.

https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-si...

https://commsrisk.com/reporters-find-20-imsi-catchers-in-lon...

pcmaffey7y ago

> IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data. Police can use them to determine your location or to find out who is in a given geographic area at what time. [1]

Does turning one's phone off not disable pinging cell towers?

[1] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

bitexploder7y ago

Wrong. This is an exaggeration at best and just plain wrong for most US LTE users. LTE is very hard to fully MiTM. You can still catch / observe through IMSI, but the phone won't deal with your rogue tower. If you can downgrade someone to 3G you can more easily observe voice and or texts. Data is actually harder to MiTM, even on 3G. That said, it is not feasible to down grade any modern US LTE devices as far as I know.

Turning your phone off usually does prevent tower pings, but some phones have been known to be sneaky.

shakna7y ago

Many modern phones don't turn off all the way, and continue to ping towers.

I can't find any official documentation, but several Android phones I've owned over the years have powered themselves on when switched off and receiving a phone call.

eigenvector7y ago

Why can't they find them the same way government agencies normally enforce radio licensing? Drive around with a receiver (a cell phone, basically) enumerating all the purported cell towers in a geographic area, then cross-check that with a list of legitimate carrier infrastructure?

phusion7y ago

It MAY not be that easy... femtocells and whatnot may make that a difficult task. I wondered this myself, since nearly all pirate radio stations are caught.. but cell sites don't work the same way. Just a thought.

Slansitartop7y ago

I think this is good news. I think the kinds of politicians that are typically over-friendly with the police are also the kind that want a strong military. The use of "law enforcement" technology like stingrays by hostile intelligence agencies, might create a useful tension in them that could help convince them to harden domestic communications against law enforcement spying.

mkempe7y ago

If only they cared about protecting our rights in the first place, as much or more than they apparently care about alleged spying by foreign powers.

itronitron7y ago

except that if/when politicians get cozy, either willingly or not, with the hostile intelligence agencies then they would likely want all the benefits of that cozy relationship to continue indefinitely

chapill7y ago

Seems like a good reason to install and use something like

https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

Do the Feds have bounties for catching illegal stingrays?

et-al7y ago

Layman question: one can limit their exposure with encrypted VoIP communications (e.g. FaceTime) and chats (iMessage, Signal), correct?

That being said, the intercepter would still know:

- phone being connected (IMEI)

- location of the phone

- which servers were requested, but not the encrypted content (yet)

- how much data was transmitted, "call time"

So if two phones were talking with each other over FaceTime connected to stingrays, a third-party can still deduce that they were talking to each other given the amount of data being transferred and when the requests occurred.

walrus017y ago

Re: your last sentence, a stingray rarely if ever offers actual network connectivity, either ss7 or data. Its purpose is just to catch the unique ID numbers from the phone. Whatever you have set into your phone for LTE APN data settings isn't going to work with a random imsi catcher. Such a thing won't have an uplink anyways outside of its command/control functions.

gruez7y ago

Doesn't that make them really detectable? A deadspot with full signal bars would be really suspicious.

1 more reply

et-al7y ago

Thanks! Didn't know that about stingrays.

cryptonector7y ago

The metadata is most of the story. Certainly, if the stingray lets arbitrary protocols through, you can secure the contents of your communications, including any metadata tunneled through (e.g., if you're using VPN), but not the metadata on the outside of the tunnel. Depending on the VoIP protocol, you may not get any protection for metadata unless you're using a VPN.

walrus017y ago

Possibly rogue IMSI catchers have also been spotted in in Ottawa. If I had to bet they're run by CSE, which of course will neither confirm nor deny.

https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa...

kornish7y ago

For those confused about the terminology in the title...

> The devices, which are also known as stingrays or IMSI catchers, are commonly used by domestic law enforcement nationwide to locate a particular phone. Sometimes, they can also be used to intercept text messages and phone calls. Stingrays act as a fake cell tower and effectively trick a cell phone into transmitting to it, which gives up the phone’s location.

mkempe7y ago

My understanding is that all stingrays are by definition hostile.

mkempe7y ago

And if the NSA and FBI had devoted less energy to turning this country into a corrupt republic on its way to a totalitarian nightmare, I am sure they would have had the ability and resources to ensure that such stingrays were impossible to set up.

mkempe7y ago

Here is what the EFF says: "[Stringrays] can also intercept metadata (such as information about calls made and the amount of time on each call), the content of unencrypted phone calls and text messages and data usage (such as websites visited). Additionally, marketing material indicates that they can be configured to divert calls and text messages, edit messages, and even spoof the identity of a caller in text messages and calls." [1]

This is what the FBI and NSA love. They never try to protect the American public from such weaknesses in the country's infrastructure, although that is what they are supposed to be doing. All so they can spy on everybody, feed illegal parallel-construction activities, and generally nurture the growth of a police state; it is also clear by now that these agencies have been interfering with national politics. These are not friends of our freedoms.

[1] https://www.eff.org/pages/cell-site-simulatorsimsi-catchers

palisade7y ago

Is that Russian ship still parked nearby? I recall reading about that a while back. Maybe that's where the signal is coming from. https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-c...

tbihl7y ago

I admit that I don't have much expertise on the matter, having only ever operated a GSM cell site simulator (never LTE), but the max range I remember (in ideal conditions) is something like 35 miles.

bigiain7y ago

35km - which is a TDMA timing issue, not a radio range one - that damned pesky speed of light problem...

https://en.wikipedia.org/wiki/Timing_advance

(Note there's and "extended range" feature, where you can halve the cell site's capacity by waiting two timeslots in the TDMA schedule instead of one - which lets you go as far as 120km...)

elipsey7y ago

Ambiguous title. On my first reading I thought: do they mean animals? ...or missiles? ...oh no it's even scarier then the first two!

bsder7y ago

Is Milenage still a safe protocol?

Or are all of these stingrays still dependent upon forcing you to switch down to the older 2G protocols?

Rjevski7y ago

Yep most of this bullshit is because garbage like 2G (and 3G) is still in operation. Phones should just phase that out (less code, thus less attack surface).

benpiper7y ago

The headline doesn't at all agree with the what the article and its sources say, which is basically a whole lot of nothing.

ConcernedCoder7y ago

Why would they admit that they could find them?

homero7y ago

The same backdoors politicians want in our devices will come back to haunt them.

vl7y ago

>we don’t know how to find them

Triangulation?

j / k navigate · click thread line to collapse

97 comments

walrus017y ago

trhway7y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

walrus017y ago

2 more replies

PeterisP7y ago

walrus017y ago

Something strong enough to get a whole building full of phones to ping it most certainly can be found by a $70,000 spectrum analyzers and trained RF engineer.

1 more reply

ilkan7y ago

spartango7y ago

walrus017y ago

https://mg.co.za/article/2016-09-01-00-meet-the-grabber-how-...

Verint engage gi2

subway7y ago

Depends on how much the devices cost to procure, and the budget of the party using them. Seems like these could be treated as "black-throws" given the right cost:budget ratio.

bigiain7y ago

OpenBTS and Ettus USPR (software defined radios) have made it inexpensive enough for hobbyists to set up cellular base stations at Burningman.

The difference between an open source base station, and a homebuilt stingray in negligible.

1 more reply

vvanders7y ago

Not even that, if you want to use them as a MitM just broadcast the data you want and any arbitrary receiver will pick them up that can't be pinpointed.

That's assuming you don't mind losing the transmitting hardware.

1 more reply

beamatronic7y ago

I am not familiar with this term, “black-throw”, can you elaborate?

1 more reply

rsync7y ago

"It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours."

Even more so in 2018 where an IMSI catcher is only relevant/useful if you downgrade the target to 2G operation, which requires some kind of additional interference/jamming.

Unless they are using "stingray" as some kind of generic term for "device you use to intercept mobile phones" and there are now 3G/LTE "stingrays".

This would all be so simple to deal with if phones just displayed an "unlocked" or "downgraded" warning when operating in 2G or unencrypted mode ...

walrus017y ago

IMSI catchers exist for at least 3gpp release 12, which is one type of LTE.

https://www.unwiredinsight.com/2014/highlights-of-3gpp-relea...

https://www.google.ca/search?q=3gpp+release+12+imsi+catcher&...

rainbowmverse7y ago

>> Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

Relevant: http://www.cryptomuseum.com/covert/bugs/selectric/index.htm

sorokod7y ago

I think it is reasonable to ask if the "feds" actually want to find those stingrays.

Disinformation is a powerful tool.

greggarious7y ago

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

I'd assume if it was run from an embassy it's not risky at all actually - they can just tell the FCC to pound sand

blitmap7y ago

I'm laughing because that's how this discussion will go when posted here: We'll detail a method to catch rogue sting-rays, then brainstorm how to operate them with less risk.

crankylinuxuser7y ago

Well, yeah. That's standard operating procedure for Red/Blue team work.

By knowing how to hack, one knows how to defend. But knowing how to defend also imparts the knowledge to hack.

616c7y ago

How do I get into TSCM from convential appsec work? Is it EE guys and gals and smizmars?

upofadown7y ago

itronitron7y ago

bvinc7y ago

Why don't towers have a sort of encryption certificate verifying they're legit?

Why doesnt my cell provider just provide my phone a list of it's legit towers?

I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

noselasd7y ago

> Why don't towers have a sort of encryption certificate verifying they're legit?

> Why doesnt my cell provider just provide my phone a list of it's legit towers?

It does, but not securely, so it can be faked. And since the towers does not authenticate themselves to the phone, you can just pretend to be a tower anyway.

> I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works.

- Telco companies gets pushback from governments, or in most cases around the world are owned and operated by governments - and they want backdoors into networks for surveillance.

rsync7y ago

"I can think of so many ways to solve this problem. But it's super hard to find any information if how this all works."

This would be trivially simple but for reasons that are difficult to understand, phone OS and SIM providers do not do this.

"But it's super hard to find any information if how this all works."

munin7y ago

> But if 2g is insecure, there's not a single peep from networks or phone manufactures or Google or Apple about phasing out 2g. There isn't even an option to disable it.

Good news I guess: AT&T turned off their 2G in December of 2016: https://www.att.com/esupport/article.html#!/wireless/KM10848...

It caused a bit of a stir in the alarm system market, because so many of the alarm panels connected to the home office via embedded 2G modems.

libdjml7y ago

I’ll take a wild guess:

* a lot of legacy kit that’s expensive and hard to upgrade

* lots of things rely on backward compatibility

* attacks are still too difficult/expensive to the point that only hushed adversaries are performing attacks

* lack of motivation from cell providers

droopybuns7y ago

I think there is a perfect storm of savant security nerds with piss-pour communications skills and telcos over-indexing on mba/finance leadership.

The security nerds make blustery comments that “anyone with motivation and a couple g’s worth of gear can target ANYONE.”

What would you do? These are not the best and brightest. They have built careers in avoiding risk.

lostlogin7y ago

> piss pour

Eww. That’s nasty. ‘Piss poor’ is likely the phrase you’re looking for.

obmelvin7y ago

1 more reply

chisleu7y ago

It's not the algo. The keys are the problem

BuildTheRobots7y ago

Actually with 2G (especially A5/0, /1, /2), it's very much the algorithm that's the problem.

A5/2 which is the precursor to the encryption used for 3G and LTE is a lot better but there's still issues that are only just coming to light.

1 more reply

pacificmint7y ago

I'd say let's hope they'll remember that the next time they'll ask for backdoors in some other technology.

But in reality I have very little hope that they will.

RpFLCL7y ago

That was the first thing that struck me too. There's some irony about these showing up on the streets of DC.

New technology only stays in the hands of "our team" for so long before ultimately showing up on our doorstep. Especially when that's low cost surveillance technology...

alexhutcheson7y ago

JCharante7y ago

I too thought that for a brief moment when reading the title before remembering what stingrays were.

Overtonwindow7y ago

bigiain7y ago

walrus017y ago

jumelles7y ago

Yes, I'm sure both likely exist, but that doesn't make Stingrays operated by eg. China, Iran, DPRK, Russia any less of a problem !

lolc7y ago

You're jumping to conclusions. You don't need to be a nation state to operate a dingy IMSI-catcher.

YouKnowBetter7y ago

This is not limited to the US. In fact, you are late to the party. Both in Oslo and in London these where uncovered and published about, that was 2015.

https://www.aftenposten.no/norge/i/kamWB/New-report-Clear-si...

https://commsrisk.com/reporters-find-20-imsi-catchers-in-lon...

pcmaffey7y ago

Does turning one's phone off not disable pinging cell towers?

[1] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

bitexploder7y ago

Turning your phone off usually does prevent tower pings, but some phones have been known to be sneaky.

shakna7y ago

Many modern phones don't turn off all the way, and continue to ping towers.

I can't find any official documentation, but several Android phones I've owned over the years have powered themselves on when switched off and receiving a phone call.

eigenvector7y ago

phusion7y ago

Slansitartop7y ago

mkempe7y ago

If only they cared about protecting our rights in the first place, as much or more than they apparently care about alleged spying by foreign powers.

itronitron7y ago

chapill7y ago

Seems like a good reason to install and use something like

https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...

Do the Feds have bounties for catching illegal stingrays?

et-al7y ago

Layman question: one can limit their exposure with encrypted VoIP communications (e.g. FaceTime) and chats (iMessage, Signal), correct?

That being said, the intercepter would still know:

- phone being connected (IMEI)

- location of the phone

- which servers were requested, but not the encrypted content (yet)

- how much data was transmitted, "call time"

walrus017y ago

gruez7y ago

Doesn't that make them really detectable? A deadspot with full signal bars would be really suspicious.

1 more reply

et-al7y ago

Thanks! Didn't know that about stingrays.

cryptonector7y ago

walrus017y ago

Possibly rogue IMSI catchers have also been spotted in in Ottawa. If I had to bet they're run by CSE, which of course will neither confirm nor deny.

https://www.google.ca/search?q=ottawa+imsi+catcher&oq=ottawa...

kornish7y ago

For those confused about the terminology in the title...

mkempe7y ago

My understanding is that all stingrays are by definition hostile.

mkempe7y ago

[1] https://www.eff.org/pages/cell-site-simulatorsimsi-catchers

palisade7y ago

Is that Russian ship still parked nearby? I recall reading about that a while back. Maybe that's where the signal is coming from. https://www.cnn.com/2018/01/22/politics/russia-spy-ship-us-c...

tbihl7y ago

I admit that I don't have much expertise on the matter, having only ever operated a GSM cell site simulator (never LTE), but the max range I remember (in ideal conditions) is something like 35 miles.

bigiain7y ago

35km - which is a TDMA timing issue, not a radio range one - that damned pesky speed of light problem...

https://en.wikipedia.org/wiki/Timing_advance

(Note there's and "extended range" feature, where you can halve the cell site's capacity by waiting two timeslots in the TDMA schedule instead of one - which lets you go as far as 120km...)

elipsey7y ago

Ambiguous title. On my first reading I thought: do they mean animals? ...or missiles? ...oh no it's even scarier then the first two!

bsder7y ago

Is Milenage still a safe protocol?

Or are all of these stingrays still dependent upon forcing you to switch down to the older 2G protocols?

Rjevski7y ago

Yep most of this bullshit is because garbage like 2G (and 3G) is still in operation. Phones should just phase that out (less code, thus less attack surface).

benpiper7y ago

The headline doesn't at all agree with the what the article and its sources say, which is basically a whole lot of nothing.

ConcernedCoder7y ago

Why would they admit that they could find them?

homero7y ago

The same backdoors politicians want in our devices will come back to haunt them.

vl7y ago

>we don’t know how to find them

Triangulation?

j / k navigate · click thread line to collapse