If my house is on fire and I call 911, but the call doesn't go through because my phone is connected to a nearby Stingray device and not to a real tower, that's a big problem.
The Stingray is a man in the middle. It requires an uplink to real cell phone services to operate, so a phone call to 911 is going to be patched through.
"Say a murder occurs on a particular street with an estimated time of death between 2 and 4 AM. Local law enforcement would have an obvious interest in compelling cell phone companies to turn over the records of every cell phone that moved in and out of the area between those two time periods. At rush hour, this kind of information would be useless — but if the cell phone network data shows a device in the same approximate area as the murder suddenly leaving the area at a high rate of speed, that cell phone owner is a potential suspect."
This is similar to how CCTV is used in the UK. There is apparently one camera for every eleven people [0]. The difference is that the majority of it is owned by private businesses though. Public CCTV is usually run by local councils which are independent from the police. If the police want to get any of this footage, and use it to prosecute, they need to get a court order or subpoena.
> Public CCTV is usually run by local councils which are independent from the police. If the police want to get any of this footage, and use it to prosecute, they need to get a court order or subpoena.
I think you're wrong here. In Westminster, where I live, the police just ask for it and get it. Last month I witnessed a street brawl outside where I live, the police already had CCTV before they were on the scene; it was 4am on a Sunday morning, unlikely a judge would issue a warrant at that time. Also I know places like McDonald's will just hand it over to the police when asked if in connection with a criminal investigation.
The analogy with license plate detection appears quite accurate.
At first glance this scheme appeared akin to gathering wifi MAC address broadcasts, but the picture of the box shown in the article has a Tx antenna co-ax connector (looks like SMA). Then there is the question of SIM authentication for service. I don't suppose the cops are going to provide 4G service for free (there is also the issue of service collision and spectrum allocation) so probably what happens is that the SIM data is handshaked using some duplex protocol (hence the need for Tx in the base station), but no connection is made.
Full interception and not 'only' the collection of metadata is possible. IMSI catchers can also be used to block mobile phone usage in an area or send SMS to users in an area (for example to participants in a demonstration, already done in the Ukraine).
Without full interception, a hidden ID check is IMHO a good analogy: instead of stopping all persons in an area in order to ask them for their IDs, you collect metadata on all mobile phones and use these data to identify the persons in the area.
I seem to recall that there's an authentication handshake in place with modern protocols so your phone won't connect to any random "cell tower" to prevent abuse like this. Anybody know for sure? But of course if the police or Harris has an agreement with the wireless companies, they may have the authentication credentials pre-loaded allowing them to impersonate said wireless companies at will.
I am not sure about the authentication protocol. But along the same lines of thinking, it really seems like this should be detectable with software. For example, what if you used crowdsourced cell tower information to notify users / block transmissions from any cell phone tower newly detected for 24 hours or so. It seems like a temporary tower set up for a few hours should be easily noticeable compared against static, permanent ones.
Also, judging by how ridiculously hard the company who makes them is trying to keep them hidden (NDAs, etc.), it seems like they may realize that if the details of the product were known it could be easily circumvented.
I tend to believe that the reason that the company uses NDAs is to give the authorities plausible deniability. "We couldn't apply for a warrant, Your Honor, because we would have been breaking our NDA." The cops probably love the NDA; it is probably a feature of the product!
The police have no agreement with the telcos; on the contrary, IMSI catchers ('Stingrays') are a convenient way for lawful interception without involvement of telcos. From a telco's perspective, IMSI catchers kind of hack their network. In any case, you can build your own IMSI catcher; German hackers, among others, published instructions already years ago.
Do you have a source for that? Basically, IMSI catching does not require any cooperation with telcos. On the other hand, it is easy to imagine that some telcos might betray their customers – especially under the cover of secrecy.
GSM has cryptographic challenge-response authentication, but only the handset authenticates itself to the network, not the other way around. Also, the network can just not require authentication at all (which is how devices like this work).
Having authentication credentials preloaded is impractical for both GSM and UMTS/W-CDMA, as authentication uses a secret shared key that is (should be) unique to each customer.
It's called 'Ciphering Indication Feature' – and can be suppressed on the network side … so you can assume that an IMSI catcher ('Stingray') will not let your mobile know that it is using no or weak encryption.
Technically yes, but if you're talking about a Stingray then I don't think they're going to have the ability to alter your SIM card without authenticating with it, which is a lot harder than just using a null cipher over the air.
Would it be possible to determine if your phone was connected to a Stingray instead of a regular cell phone tower? Could you have multiple phones spread out geographically and attempt to triangulate the "cell phone tower" itself, to see if it's moving?
Sure, you could probably see if your cell tower signal is moving, and triangulate it. Probably with just a regular RTL-SDR. Even better, if you can control your phone's signal strength, you could ghost your location by boosting and reducing your signal if and when you detect the tower moving. Bonus points if you can fool the Stingray that you are traveling at impossible speeds, like for example the speed of light, around town, ... going through mountains, under water bodies, underground, etc.
GSM relies on some extremely precise timing information that both your phone and the network need to be aware of. You're going to have to do more than fake the signal _strength_.
Assuming it looks the same as a normal tower, you could still make a map of existing cell phone towers (crowdsourced from the phones themselves, or there's probably a regulatory filing somewhere with the information). If your connection is better than it "should" be, you may have found a Stingray.
I don't think you would even need to use the signal strength. You could just flag / block cell towers which are newly detected (say 24-48 hours). Crowdsourcing seems pretty perfect for this, and it's not like new cell phone towers are erected that frequently.
It looks like this website may have that information http://www.cellreception.com/
Establishing a baseline signal strength might be difficult due to environmental factors.
Not Stingray, but cell (and license plate) analysis was mentioned in a recent article in the NY Daily News regarding the white flags on the Brooklyn Bridge.
> Investigators could find names through cell phones if those involved made calls while near the Brooklyn Bridge in the wee hours Tuesday. Cops are analyzing data from the two nearest cell phone towers, the sources said.
> Security cameras and license plate readers also tracked cars that were on the bridge at the time of the heist-and-hoist, a third police source said.
Seems like a lot of "do first, ask for forgiveness later" except here, forgiveness is asked for in the form of judicial opinions that legalize the practice and grant such permission retroactively.
If they can't get that, they just go back to doing.
This article just reeks of bullshit with very little actual technical information to back up what they're saying.
But let's take a look at some of those points in the article:
A stingray is a false cell phone tower that can force phones in a geographical area to connect to it.
CDMA networks have security enabled with their base stations, so only authorized mobile stations are able to access the network. So unless they have access which has been granted by the carrier, they can't just roll up and "impersonate" a base station:
"3.3 Access Network

There are two types of access networks: 1xRTT and 1xEV-DO. The AN is the mobile station's entry point into the mobile network and maintains the communications link between the mobile station and the core network. The access network facilitates security by allowing only authorized mobile stations to access the network. The AN is composed of the following elements:

Base transceiver station: The base transceiver station (BTS) is physically composed of antennas and towers. The BTS manages radio resources including radio channel assignment and transmit and receive power management and acts as the interface to mobile stations.

Packet control function: The packet control function (PCF) maintains the "connection state" between the access network and mobile stations, buffers packets when necessary, and relays packets between mobile stations and the PDSN.

Radio network controller/base station controller: The radio network controller for 1xEV-DO and the base station controller for 1xRTT schedule packet transmission on the air interface and manage handoffs between BTSs. For 1xEV-DO, security functionality is maintained by the security sublayer in the RNC. Security functionality is performed by either the BTS or the RNC, or by both."
while in others they seem to have taken a brute-force approach, dumping the data of every single user on a given tower and then sorting it to find the parties they’re interested in tracking. Stingrays can be used to force the phone to give up its user details, making it fairly easy for the police to match devices and account holders.
Another fantastical claim, but with current security, this is, again, completely impossible:
"But EV-DO doesn't use WEP. Instead, encrypted CDMA transmissions use a 42-bit pseudo-noise (PN) sequence called a long code. The long code scrambles transmissions through the standardized Cellular Authentication and Voice Encryption (CAVE) algorithm to generate a 128-bit subkey called Shared Secret Data (SSD).
This key then feeds into an Advanced Encryption Standard (AES) algorithm to encrypt the transmissions. AES is a symmetric encryption algorithm used by governments to protect sensitive information. If governments use AES to encrypt their data, it should be good enough to protect your data as well."
So unless they have some super duper code crackers from planet Mars, there's no way they're capturing, decoding and then "sorting" through people's conversations and data. Sure, you can match an IMEI to an account, but that's about it. After that, you're going to need a warrant and from what I know, Verizon aren't very keen on giving up the information unless it's something pretty major.
When I worked at Verizon, we had several FBI agents pestering my department to give up a huge meth dealer's account so they could track him and bust his ring of dealers. Verizon completely stonewalled them, insisting on a federal warrant which they didn't want to take time and obtain. After several months of legal posturing back and forth, Verizon finally gave them the account details. By then, he knew what was up. The dealer moved to a different state, and started using prepaid phones so the information was useless.
Nope, just saying this isn't possible under CDMA technology.
>>>> Or claiming that the information released by the manufacturer, or the limited information released under subpoena is all just "bullshit"?
For me, it's pretty hard to believe considering how secure CDMA is. Might be different for GSM. It makes for a good sales pitch though for Stingray, doesn't it??
>>> Because it's entirely impossible that a carrier has given keys to the manufacturer "for authorized legal purposes only"?
I said this is possible if the carrier has given them authorization. Considering my experience working at Verizon, they don't give out stuff like that willy nilly. Maybe times have changed, but it's hard for me to believe Verizon is giving state and local police forces the ability to do what they're claiming in the article.
>>> 3.3 is pretty much irrelevant if you consider that even as a simple statement of purpose, the Stingray -at least- has to relay the raw traffic.
Which on a CDMA network is encrypted. Not sure if that's the case on GSM, but all they're getting is encrypted traffic. They make it seem like they're sitting in a coffee shop just intercepting raw, unencrypted data, which is false on a CDMA network.
Encryption is at the option of the network. Source: connected some cdma2000 mobiles gotten at retail to test equipment without any keys required; connected a DO mobile that probably didn't have any special config, also no keys required.
An attacker couldn't MITM between a mobile and a network that uses encryption, but it could redirect a mobile to the real network if the victim tried to set up a call.
The article is wrong on a key point. Stingrays don't "force" your cell phone to do anything. Your cell phone reaches out and connects to it of its own accord. The Stingray doesn't reach out and collect private data from your phone. Your phone transmits your private data into the aether at the user's direction.
I think this fact has major Constitutional implications. The police should not need a warrant to access information that you carelessly broadcast onto the public airwaves. I don't think there is any privacy expectation there, any more than there would be if I took my "papers" out of my desk drawer and threw them out my car window. They're fair game at that point. Though the 11th Circuit disagrees (another example of judges not understanding technology?).
> The article is wrong on a key point. Stingrays don't "force" your cell phone to do anything. Your cell phone reaches out and connects to it of its own accord. The Stingray doesn't reach out and collect private data from your phone. Your phone transmits your private data into the aether at the user's direction.
How do you reconcile this techno-literalist interpretation of Stingray with your techno-intentionalist interpretation of the Aereo decisions[0][1]?
[0] https://news.ycombinator.com/item?id=7945159 (referring to Aereo's "contrived" business model that is based on a strict view of the technology's function as a really long antenna cable)
The intention of the statute in Aereo is to cover things that act like cable companies. Similarly, the intention of the 4th amendment is to protect information that people try to keep private. Where I think I disagree with many people on HN is whether it is reasonable to believe that information on the internet as it is structured today is private. It simply wasn't designed that way. Our protocols and services leak private data to whoever exercises a little ingenuity in listening to it. Many leak private data by design (data mining for advertising, etc).
In other words, I don't think the folks designing internet technology should get a free ride for 4th amendment purposes, that any internet technology should be considered private regardless of the technical reality. I think you have to concede that data sent in plain text, protocols that don't even try to avoid MITM attacks, services that mine user data, etc, shouldn't receive the same protection as services where real effort is taken to keep data private. I think this is educated by the technology and consistent with the intention of the 4th amendment that the expectation of privacy be objectively reasonable.
> I think this is educated by the technology and consistent with the intention of the 4th amendment that the expectation of privacy be objectively reasonable.
I thought the expectation of privacy was based on a so-called "reasonable person", not an objective definition of reasonable. Is that not so?
> Where I think I disagree with many people on HN is whether it is reasonable to believe that information on the internet as it is structured today is private.
That disagreement seems to be evidence that there is a widespread expectation of privacy, even if the implementation doesn't perfectly preserve privacy.
Especially with regard to the government, I think people could sanely expect privacy to be the default state (even for poorly implemented technology), with narrow exceptions for specific, targeted investigations of small numbers of individuals and well-defined groups.
> That disagreement seems to be evidence that there is a widespread expectation of privacy,
I think HN at times seriously confuses the concepts of expecting privacy and wanting privacy. Everybody says "I expect this to be private" but if you ask why, it seems the answer is "because I would like it to be private".
I think it would help to sit down and explain exactly why one would expect radio waves being broadcast into space not to be picked up by anyone with a radio. (going back to aereo, was the HN consensus not "if they're transmitting their data into space, anyone with an antenna can do anything they like with it"?)
> I think HN at times seriously confuses the concepts of expecting privacy and wanting privacy. Everybody says "I expect this to be private" but if you ask why, it seems the answer is "because I would like it to be private".
That should be enough.
> I think it would help to sit down and explain exactly why one would expect radio waves being broadcast into space not to be picked up by anyone with a radio.
There are already laws that prohibit listening to certain wireless transmissions (e.g. satellite TV), which I'll assume for the sake of this argument is an acceptable tradeoff to society. While technology should be designed to minimize data leakage, laws should be designed to take user expectations into account.
If, for example, cellphone UX provides every indication to the user that text messages are sent to a person (not to a network), then laws should treat those messages as private until a warrant is issued, even if they are sent in the clear.
> ...was the HN consensus not "if they're transmitting their data into space, anyone with an antenna can do anything they like with it"?
No, it was "If I can install a very long antenna cable, and/or buy a Slingbox, and watch TV from my home market on my own device, then why can't I pay someone else to run the very long antenna cable and host the Slingbox for me?"
The "reasonable person" standard is always an objective standard. In the 4th amendment context, it's not enough to have a subjective expectation of privacy: that expectation must be objectively reasonable. This has odd implications in the situation where perhaps the majority of people have a misinformed belief.
For example, 56% of people believe the U.S. spends more than 10% of its budget on foreign aid (the actual number is under 1%): http://www.washingtonpost.com/blogs/wonkblog/wp/2013/11/07/t.... Is that belief objectively reasonable, just because it is widely held? I think no: you have to look to the facts to determine whether that belief is reasonable.
And what do you see when you look to the facts of the architecture of the internet? Plain text protocols; data routed through untrusted third parties; data aggregated and stored in plain text; highly sensitive data accessible by system operators with often questionable controls;[1] data that's analyzed and mined for commercial purposes, etc. And in the Stingray context: apparently an architecture totally oblivious to MITM attacks. I don't think it's techno-literalist to say that all this makes having an expectation of privacy in the internet, as it is designed today, objectively unreasonable.
> Especially with regard to the government, I think people could sanely expect privacy to be the default state (even for poorly implemented technology)
The 4th amendment doesn't really admit separate standards for the government versus third parties. "Private" doesn't mean "stuff I don't want the government to see"; it means "stuff I don't want other people to see." And I think it tortures the definition of "private" to encompass "me and my 500 closest network ops friends at AT&T."
> that any internet technology should be considered private regardless of the technical reality
I think that there's a pretty bright line distinction between "I read this message you posted on Twitter" and "I set up this fake cell phone tower to intercept the messages you thought you were sending privately through your cell phone carrier."
Similarly, physical locks on doors may be easily circumvented, but that doesn't absolve a burglar of any wrongdoing.
>Stingrays don't "force" your cell phone to do anything. Your cell phone reaches out and connects to it of its own accord.
A distinction without a difference. That's the nature of the prevailing wireless telephony technology. Users wouldn't be able to receive telephone calls if their equipment didn't coordinate periodically with the cellular system's base stations. Although a system that doesn't constantly leak users' data could conceivably be constructed, that is not what is currently in use. Turning one's phone off to avoid tracking isn't a good solution because then the device has ceased being a telephone.
>Your phone transmits your private data into the aether at the user's direction.
No, nobody directs their phone to 'transmit their private data into the aether'; people direct their phones to place and receive telephone calls.
>I think this fact has major Constitutional implications.
I think you're inventing a business case for some group such as Aereo's engineers to form another technology company whose purpose is to engineer around weaknesses in the law.
> The police should not need a warrant to access information that you carelessly broadcast onto the public airwaves.
Telephone calls are private. Nobody would select 'carelessly broadcast my information' in their privacy options. The change in technology doesn't render privacy protections in the law moot.
>I don't think there is any privacy expectation there
I hope you're in the minority.
>(another example of judges not understanding technology?).
Perhaps they've rightly noted that a particular weakness of the technology du jour is unrelated to the individual's legal right to privacy.
>There is an enormous difference between you reaching out and contacting the outside world, and the police coming into your private space.
That's an important point of debate at the moment. I'm happy to report that one state disagrees with you at least WRT e-mail. http://txepc.org/sine-die/
>Then the prevailing wireless telephony technology is inherently incompatible with privacy under the 4th amendment.
Actually it's not all that different from POTS from the perspective that there are plenty of exploitable weaknesses in those systems as well; yet, despite weaknesses that would allow similar technological solutions to provide police with unencrypted telephone traffic, we've managed to keep a statutory barrier between police and our private conversations when they are held on POTS.
If I understand you correctly, your argument basically boils down to "When it becomes physically possible for police to eavesdrop on communications, they ought to be allowed to do so at will."
If you lie to someone in order to induce them to give you valuable private information, that's fraud, not "information you carelessly broadcast". If a Stingray says "Hi, I'm a cell tower, connect to me!" that's not at all the same as mere passive recording.
(Now, mind you, mere passive recording of cellphones without a warrant is _also_ an illegal search as far as I know -- or would be if there were still unencrypted data to passively record. But that's totally unrelated to what a Stingray does.)
Law enforcement are permitted to lie to get private information, e.g. in an interrogation. They would need to have at least probable cause if not a warrant to conduct that interrogation though.
Semantically, it could really go either way. If I 'carelessly' broadcast a letter via the US Postal Service to my grandmother in Hawaii, I have no way of ensuring that its secrets will be preserved in the long journey between my house and its destination.
Similarly, if someone forged a USPS mailbox, placed it in front of the post office, and I 'carelessly' dropped my letter in, then by your interpretation, I am a damned fool.
This isn't an area where I'm particularly savvy, but if a private citizen were to stand up one of these mailboxes, it would be a federal crime. I understand that the corollary is not identical, and I agree that it's hard to parallel technologies to their real-world counterparts, but if a private citizen set up one of these towers, they too would be charged with some kind of wire fraud.
In the absence of a warrant, I see no reason the government should have any elevated privileges here.
The courts have usually interpreted the fourth amendment based on the effects of technology, not the mechanisms of technology. They don't have to understand how Stingrays work; they only have to understand what impact Stingrays have on your freedom from search.
That's why the court ruled that thermal imaging (in Kyllo v. US) is a search. Sure, the mechanism of the technology is that you're carelessly broadcasting your heat signature through the airwaves, but the effect is the same as if the police had entered the home: they can see inside it.
It is a distinction without a difference. Stingray becomes part of the mobile network. That's what enables your phone to connect to it. Your analogy is ridiculous. Throwing your papers out your car is clearly an unusual act. Your phone is behaving to spec when connecting to a Stingray.
It's disturbing how some educated people can excuse a police state. It's worse than the police themselves because they ought to know better what the dangers are.
> They're fair game at that point. Though the 11th Circuit disagrees (another example of judges not understanding technology?).
While I respect the fact that you have a different opinion from a lot of those here on HN, I think that perhaps the 11th Circuit disagreeing isn't a case of them not understanding technology, but of understanding the implications of the technology and the law surrounding it. The 4th amendment as written probably doesn't cover things like phone calls, and I agree that the internet as it stands isn't particularly conducive to keeping your private information private. However, given that our entire lives are lived online at this point in 2014, I think it's a good thing that the 11th Circuit is looking at this holistically, as frankly I'd rather the spirit of privacy be kept. I'm also a big believer in building technology so that privacy isn't even a question, but merely a consequence of using it; but as it stands today, everyone in the country is leaking their information everywhere and doesn't have much of a choice in the matter unless they're willing to leave society entirely, or join the Amish.
> I don't think there is any privacy expectation there, any more than there would be if I took my "papers" out of my desk drawer and threw them out my car window.
Isn't this a bit more like the cops replacing your trash can with a scanner, though?
This implies that private use of a system like Stingray should be legal and completely fair game. I somehow doubt the government would agree with that.
"I don't think there is any privacy expectation there"
I think the expectation of a typical cell phone user would be that there are not people other than phone companies for the purpose of providing service slurping up data from their cell phones. Same way I don't expect the kitchen at a restaurant to tell the world what meal I have ordered.
"The police should not need a warrant to access information that you carelessly broadcast onto the public airwaves."
Isn't this similar to the problems that people have with being tracked in retail stores? And for that matter what is the legal difference between the police collecting certain data and, say, a business person collecting that data? And perhaps selling it to the police? (Question not a statement).
Your definition of privacy expectation isn't accurate. For example, you have absolutely no expectation of privacy in what meal you ordered at a restaurant.
>Isn't this similar to the problems that people have with being tracked in retail stores?
You can be tracked in a retail store too.
>And for that matter what is the legal difference between the police collecting certain data and, say, a business person collecting that data? And perhaps selling it to the police? (Question not a statement).
Anything you willfully disclose to a third party is no longer private, with very few exceptions like medical records.
I agree with you on most of it, but I'm not convinced it's as clear as you say it is. Depending on how this works it may be much more like handing your 'papers' to someone dressed up like a Verizon representative with all the proper paper-work to prove it, but actually happens to be a police officer undercover who isn't going to deliver your papers at all.
IMO, the difference depends on whether it's just collecting data you were sending out anyway, or if it's pretending to be a cell tower from a specific company and attempting to get your phone to send out data it normally wouldn't have done.
Based on the discussion in Kyllo v the United States ( http://en.m.wikipedia.org/wiki/Kyllo_v._United_States ), (1) the justices appear to ask "is this sportsmanlike behavior?" when deciding whether a warrant is needed, and (2) the official line is "does the general public believe the police have the power in question?"
It seems to me that this currently would be struck down under Kyllo, but that if the police make a big deal about their new tool, they could eventually use it without a warrant.