This article just reeks of bullshit with very little actual technical information to back up what they're saying.
But let's take a look at some of those points in the article:
A stingray is a false cell phone tower that can force phones in a geographical area to connect to it.
CDMA networks have security enabled with their base stations, so only authorized mobile stations are able to access the network. So unless they have access which has been granted by the carrier, they can't just roll up and "impersonate" a base station:
"3.3 Access Network
There are two types of access networks: 1xRTT and 1xEV-DO. The AN is the mobile station's entry point into the mobile network and maintains the communications link between the mobile station and the core network. The access network facilitates security by allowing only authorized mobile stations to access the network. The AN is composed of the following elements:
Base transceiver station
The base transceiver station (BTS) is physically composed of antennas and towers. The BTS manages radio resources including radio channel assignment and transmit and receive power management and acts as the interface to mobile stations.
Packet control function
The packet control function (PCF) maintains the "connection state" between the access network and mobile stations, buffers packets when necessary, and relays packets between mobile stations and the PDSN.
Radio network controller/base station controller
The radio network controller for 1xEV-DO and the base station controller for 1xRTT schedule packet transmission on the air interface and manage handoffs between BTSs. For 1xEV-DO, security functionality is maintained by the security sublayer in the RNC. Security functionality is performed by either the BTS or the RNC, or by both."
while in others they seem to have taken a brute-force approach, dumping the data of every single user on a given tower and then sorting it to find the parties they’re interested in tracking. Stingrays can be used to force the phone to give up its user details, making it fairly easy for the police to match devices and account holders.
Another fantastical claim, but with current security, this is, again, completely impossible:
"But EV-DO doesn't use WEP. Instead, encrypted CDMA transmissions use a 42-bit pseudo-noise (PN) sequence called a long code. The long code scrambles transmissions through the standardized Cellular Authentication and Voice Encryption (CAVE) algorithm to generate a 128-bit subkey called Shared Secret Data (SSD).
This key then feeds into an Advanced Encryption Standard (AES) algorithm to encrypt the transmissions. AES is a symmetric encryption algorithm used by governments to protect sensitive information. If governments use AES to encrypt their data, it should be good enough to protect your data as well."
So unless they have some super duper code crackers from planet Mars, there's no way they're capturing, decoding and then "sorting" through people's conversations and data. Sure, you can match an IMEI to an account, but that's about it. After that, you're going to need a warrant and from what I know, Verizon aren't very keen on giving up the information unless it's something pretty major.
When I worked at Verizon, we had several FBI agents pestering my department to give up a huge meth dealer's account so they could track him and bust his ring of dealers. Verizon completely stonewalled them, insisting on a federal warrant, which they didn't want to take the time to obtain. After several months of legal posturing back and forth, Verizon finally gave them the account details. By then, he knew what was up. The dealer moved to a different state and started using prepaid phones, so the information was useless.
Nope, just saying this isn't possible under CDMA technology.
>>>> Or claiming that the information released by the manufacturer, or the limited information released under subpoena is all just "bullshit"?
For me, it's pretty hard to believe considering how secure CDMA is. Might be different for GSM. It makes for a good sales pitch though for Stingray, doesn't it??
>>> Because it's entirely impossible that a carrier has given keys to the manufacturer "for authorized legal purposes only"?
I said this is possible if the carrier has given them authorization. Considering my experience working at Verizon, they don't give out stuff like that willy-nilly. Maybe times have changed, but it's hard for me to believe Verizon is giving state and local police forces the ability to do what they're claiming in the article.
>>> 3.3 is pretty much irrelevant if you consider that even as a simple statement of purpose, the Stingray -at least- has to relay the raw traffic.
Which on a CDMA network is encrypted. Not sure if that's the case on GSM, but all they're getting is encrypted traffic. They make it seem like they're sitting in a coffee shop just intercepting raw, unencrypted data, which is false on a CDMA network.
Encryption is at the option of the network. Source: connected some cdma2000 mobiles gotten at retail to test equipment without any keys required; connected a DO mobile that probably didn't have any special config, also no keys required.
An attacker couldn't MITM between a mobile and a network that uses encryption, but it could redirect a mobile to the real network if the victim tried to set up a call.
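Added illustration, written for this thread and not taken from any of the linked documents or from any carrier's code, of the two technical points raised above: the quoted article's description of a 128-bit SSD derived from a long-lived secret that the phone and carrier share, and the reply stating that authentication and encryption are enabled at the network's option. HMAC-SHA256 stands in for the CAVE algorithm (an assumption of this example, so only the structure of the exchange is meaningful), and all class, function and sample values are this example's own. It models the carrier's authentication centre, a carrier base station with a link to it, and a piece of test equipment with no keys, and returns what each learns about a phone that attaches to it.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# HMAC-SHA256 stands in for CAVE throughout (assumption); sizes follow IS-95/
# CDMA2000 conventions: 64-bit A-key, 32-bit ESN, 56-bit RANDSSD, 32-bit RAND,
# and the 128-bit SSD mentioned in the quoted article.
SSD_BYTES = 16


def derive_ssd(a_key: bytes, esn: bytes, randssd: bytes) -> bytes:
    """SSD update. Only a holder of the A-key (the phone and the carrier's
    authentication centre) can turn the broadcast RANDSSD into the SSD."""
    return hmac.new(a_key, b"SSD|" + esn + randssd, hashlib.sha256).digest()[:SSD_BYTES]


def auth_response(ssd: bytes, esn: bytes, rand: bytes) -> bytes:
    """Challenge response proving possession of SSD without revealing it.
    Real CAVE emits an 18-bit AUTHR; three bytes are used here (assumption)."""
    ssd_a = ssd[:8]  # first half of SSD is reserved for authentication
    return hmac.new(ssd_a, b"AUTH|" + esn + rand, hashlib.sha256).digest()[:3]


def traffic_key(ssd: bytes, rand: bytes) -> bytes:
    """Per-call key from the second half of SSD; it is never sent over the air."""
    ssd_b = ssd[8:]
    return hmac.new(ssd_b, b"KEY|" + rand, hashlib.sha256).digest()[:16]


@dataclass
class AuthCentre:
    """Carrier-side A-key database, reachable only from the carrier's own stations."""
    a_keys: Dict[bytes, bytes] = field(default_factory=dict)
    randssd: bytes = b"\x11" * 7  # constructed sample value

    def ssd_for(self, esn: bytes) -> bytes:
        return derive_ssd(self.a_keys[esn], esn, self.randssd)


@dataclass
class Mobile:
    esn: bytes
    a_key: bytes
    ssd: bytes = b""

    def update_ssd(self, randssd: bytes) -> None:
        self.ssd = derive_ssd(self.a_key, self.esn, randssd)


@dataclass
class BaseStation:
    """auth_required mirrors the overhead-message flag telling phones whether to
    run the challenge; a station with no AuthCentre link can verify nothing."""
    auth_required: bool
    rand: bytes
    auth_centre: Optional[AuthCentre] = None


def attach(mobile: Mobile, bs: BaseStation) -> dict:
    """Registration as seen from the base station. CDMA authentication is
    one-way: the phone proves itself to the network but does not verify the
    station, so it answers whichever station it is camped on."""
    seen = {"esn": mobile.esn, "authenticated": False, "traffic_key": None}
    if not bs.auth_required:
        return seen  # network chose no authentication: identity only, no keys
    authr = auth_response(mobile.ssd, mobile.esn, bs.rand)
    if bs.auth_centre is None:
        return seen  # AUTHR cannot be checked and no per-call key can be derived
    ssd = bs.auth_centre.ssd_for(mobile.esn)
    if hmac.compare_digest(authr, auth_response(ssd, mobile.esn, bs.rand)):
        seen["authenticated"] = True
        seen["traffic_key"] = traffic_key(ssd, bs.rand)
    return seen


def mobile_traffic_key(mobile: Mobile, bs: BaseStation) -> bytes:
    """The key the phone derives on its side for the same call."""
    return traffic_key(mobile.ssd, bs.rand)


def demo() -> dict:
    esn, a_key = b"\x00\x12\x34\x56", b"\x42" * 8  # constructed sample values
    ac = AuthCentre({esn: a_key})
    phone = Mobile(esn, a_key)
    phone.update_ssd(ac.randssd)
    rand = b"\xa5\x5a\xa5\x5a"
    carrier_bs = BaseStation(auth_required=True, rand=rand, auth_centre=ac)
    lab_bs = BaseStation(auth_required=False, rand=rand)  # test gear, no keys
    return {
        "carrier": attach(phone, carrier_bs),
        "lab": attach(phone, lab_bs),
        "phone_key": mobile_traffic_key(phone, carrier_bs),
    }


if __name__ == "__main__":
    print(demo())
```

The carrier station ends up with the same per-call key the phone derived, because both sides hold SSD and only an AUTHR value ever crossed the air. The keyless station sees the device identity and nothing else, which is exactly the split the thread is arguing about: the identity is exposed to any station the phone camps on, while the traffic key stays with the parties that hold the A-key, and whether the challenge runs at all is decided by the flag the network broadcasts.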
References for my points:
http://www.techrepublic.com/article/understand-how-the-ev-do... https://scache.vzw.com/dam/businessportal/content/assets/fil...