The tricky part would be eliminating non-stingray signals.
T-Mobile's HQ is in Bellevue, and I'm sure they have some test towers probably set up in their building. These signals can easily "get away from you."
I worked on Windows Phone, and we had a Faraday cage setup with various different cellular networks coming in over the wire, which we would set up with different attenuation to test cellular radio handoff. One time someone left the door open, and the whole floor of the building roamed over to the UK. It was not a good day for international roaming charges.
Yeah, there's a lot of legwork to be done if you want to use this kind of data, but it's legwork that can be distributed fairly easily. People can check public listings for this or that tower type, carriers document their test setups, etc. Once you weed out the strange but not that strange stuff you probably see a few like the one in Sea-Tac.
The next generation of the cellphone protocol should include some kind of PKI so the telco can't be spoofed without its permission.
Don't know if that will actually help, because the telcos are already quite compliant about giving every bit of data that passes through their systems to the NSA.
> The next generation of the cellphone protocol should include some kind of PKI so the telco can't be spoofed without its permission.
3G already does this. But apparently IMSI catchers have often been able to get around this by various means, including downgrading to an earlier GSM protocol (that lacks authentication), or spoofing a carrier from a different region (whose keys they have obtained somehow) in order to induce roaming, or somehow obtaining keys of a local carrier. I have heard there are a couple of other tricks too but I don't know what those are.
> Don't know if that will actually help, because the telcos are already quite compliant about giving every bit of data that passes through their systems to the NSA.
It's true that IMSI catchers can also be used to wiretap mobile telephony and SMS, which trust the carrier to provide confidentiality, but that doesn't cover everyone's use of mobile data services. But IMSI catchers often represent a very different kind of threat, which is not just wiretapping but real-time location tracking and/or enumerating devices that are present in an area.
Do telcos get paid for wire taps? I can't imagine much enthusiasm to make enforcement agencies likely to want another type of wiretapping system if they're underpaid for the current one.
I spent the last year researching, designing, then implementing an IMSI Catcher detector, at first as a hobby, then as my capstone project. There already exist working, fairly mature solutions for this, and they are very open about their detection metrics, specifically SnoopSnitch [1].
The major drawback of the SnoopSnitch solution is that they are phone apps and are tightly coupled with the hardware and drivers. We were attempting to demonstrate that it could be done in a way portable across desktop operating systems and phones and we succeeded in creating a proof of concept at a cost of $200 [2].
This solution is also better suited to use as a centralized device for organizations to use that can be audited by security personnel to protect against corporate espionage. This is a real threat demonstrated by the fact that by simply changing a few lines of code in the IMSI Catcher detector a few undergrads built we could have an IMSI Catcher. This need is often left out of the arguments for IMSI Catcher detectors and I think that is very harmful because the first thing said about the project has always been "They will just make it illegal." This is much more unlikely when you consider that anyone can build one.
I would like to continue development beyond the proof of concept but have lost most of my team now that school is out. If anyone would be interested, you can contact me. Some commercial IMSI Catcher detectors sell for as much as $40,000.
> This need is often left out of the arguments for IMSI Catcher detectors and I think that is very harmful because the first thing said about the project has always been "They will just make it illegal."
> This is much more unlikely when you consider that anyone can build one.
But that isn't true. Anybody can make firearms, explosives and all kinds of bad stuff, and plenty of that is illegal depending on where you live.
The fact that something is easy does not have much to do with legality, if it did then pot would have been legal long ago.
True, I just found the argument for IMSI Catcher Detectors to be more effective once I changed from presenting it as "fighting state surveillance" to "protecting corporate IP"; most people stopped even suggesting that it will be made illegal (usually citing radar detectors).
How interesting. Thanks for this info. The SeaGlass method is much more data-heavy, it seems, which is both good and bad. A good baseline is labor-intensive to create and requires lots of physical and temporal presence, but once you have it, it's a great way to vet outlier signals. Seems like that's the point you want to apply work like yours.
Yes, SeaGlass seems much more advanced of a technique than the commercial solution I discovered which also just consisted of a single board computer and an SDR. Certainly standalone IMSI Catcher detectors with hardcoded metrics would have a hard time keeping up with the rapidly evolving networks and new attacks without more data about what is going on to update them. I was considering the use of ML for more general detection beyond the hardcoded metrics.
I think I read that SnoopSnitch was gathering data but only for detection of known attacks not anomalies.
This is one of those moments when it would be nice to have Steve Jobs step in. He certainly did not like Government abusing its powers (he used to buy or rent [don't remember] his Benz from a CA dealer once every six months and drove on a paper license plate because that's how long you can drive on a non-hard plate) - I bet you the newest update of the OS would have detection and rejection of connections with unknown sources turned on by default.