The ‘surveillance industry’
Soft Cloud Tech – In the past decade there has been a boom in the domestic ‘security industry,’ a proliferation of military-grade weapons and surveillance equipment to local police departments in an effort to prosecute the ‘War on Terror’ at home. The “Stingray” is a military eavesdropping device manufactured by Florida-based Harris Corporation; the device’s generic name is ‘cell site simulator’ (or ‘IMSI-catcher‘) because it disguises itself as a cell tower in order to covertly collect information from cell phones. Thanks to the efforts of dedicated lawyers and privacy activists, it is now known that these devices—called “the biggest technological threat to cell phone privacy” by the Electronic Frontier Foundation—are in widespread use by police departments across the United States. Little is known about how these devices are used, because of the dense cloud of secrecy surrounding the Stingray and its family of surveillance tools.
As the Stingray’s use has come under increasing scrutiny, federal and local police have maintained a strict code of silence. According to a recently leaked document, police agencies have been ordered to report any person who files a Freedom of Information Act request about the Stingray to the FBI. Another leaked document revealed that the FBI has asked local police departments to dismiss any cases in which Stingray-use has been called into question, rather than disclose any information about the devices. The ‘non-disclosure’ agreement binds all police departments that have purchased the technology—perhaps for this reason some police have felt compelled to circumvent the law to make use of the equipment. In a series of emails obtained by the American Civil Liberties Union, some officials conspired to file fraudulent warrant applications, claiming to have obtained information about a suspect’s location from a ‘confidential source,’ rather than reveal they had used the Stingray. Although police in Erie County obtained a court order only once, the Stingray was put into action almost fifty times between 2010 and 2014 (and the one time the department did seek court approval, they lied and identified the device as a ‘pen register,’ a relatively innocuous instrument that records a phone’s call history). Similar stories from Los Angeles to Santa Clara and all across the country—a detective in Baltimore recently testified that the city’s police department had used the technology a stunning four thousand times since 2007.
How does a stingray work?
Although news outlets tend to refer to all IMSI catchers as ‘stingrays,’ the actual ‘Stingray’ is a shoebox-sized machine manufactured by the Harris Corporation, used in conjunction with a large suite of surveillance hardware and computer software also sold by the firm. In the early 2000s, Harris Corporation was awarded an exclusive, ‘sole source‘ contract with the U.S. military and federal police agencies for its IMSI catcher. The Stingray has since become so popular that ‘stingray’ is now a generic name for the device—but Harris Corporation is only one of many firms that develops this kind of mobile surveillance technology. We may not know how police departments are making use of the device, but thanks to a few court cases and persistent journalists, we have a general idea of how they work.
The Stingray’s functions are categorized as either ‘passive’ or ‘active.’ ‘Passive’ capabilities are those that don’t involve mimicking a cell tower—instead, the Stingray connects to nearby (real) cell towers, and records information about which devices they recently connected to. Police can then see a rudimentary ‘map’ of the phones that traveled through the area in the past; this way, police can access much of the useful information stored by a cell tower without having to subpoena the cellular company. In ‘passive’ mode, the Stingray can also transmit a ‘jamming’ signal that blocks communications between phones and cell towers, within a certain radius (with the help of a hardware upgrade called ‘Harpoon,’ the Stingray’s area of access can reach up to several miles). But the device’s real strengths come from its ‘active’ mode—when it dons the ‘disguise’ of a cell tower to gain direct access to individual phones.
Whether you’re on a call or not, your cell phone is transmitting a signal every few seconds to search for the nearby cell tower with the strongest signal. 3G and 4G networks have authentication protocols to distinguish ‘real’ and ‘fake’ cell towers—the older 2G networks do not. The Stingray ‘jams’ local 3G and 4G networks, forcing all phones in the area to ‘drop down’ to 2G (which, of course, disrupts everyone’s internet connection). Cell phones communicate much like a walkie-talkie: they transmit a signal to a cell tower, which ‘repeats’ the signal to adjacent towers (by radio or land-line) until it reaches its destination. To conserve energy, phones and towers will use only the minimum power necessary to maintain the connection—when a particular phone is transmitting a weak signal and the call isn’t coming in ‘clearly,’ then the system will instruct it to boost the signal. Because of this ‘limit,’ the Stingray can easily overpower the cell tower by broadcasting a stronger signal, forcing all phones in its area to disconnect from their service provider’s cell tower (e.g., Verizon, Sprint, etc.) and reconnect to the Stingray.
As each phone connects, the device downloads the phone’s subscriber number, serial number, and any other identifying data it can strip directly. Sometimes, the police have already obtained the subscriber number of a target individual from the service provider—in this case, as soon as the device identifies the target phone, it stops the ‘dragnet’ search and focuses on the target (playing a game of ‘catch’ and ‘release’ with everyone else’s phone until then). But other times, the Stingray is used to collect information about a target area, rather than a target individual—then, the device downloads identifying information for every phone in the target radius, and the police can order the service providers to identify these accounts. (There is currently a lawsuit to determine if Stingrays were used in this way to spy on protestors in Chicago.) The Stingray can utilize an antenna called Amberjack, designed for the roof of a police car, to continuously ‘ping’ connected phones to measure their signal strength—from multiple locations—and triangulate the precise position of the targets.
Once the Stingray is in control of the phone’s signal transmission, it can easily prevent a target from making or receiving any calls or messages (and it can also force connected phones to make an abundance of boosted signals, draining the battery). With the help of some software upgrades, the Stingray and its cousins can also intercept mobile communications via a man-in-the-middle attack. These software packages (also named after aquatic animals, like “FishHawk” and “Porpoise“), allow the Stingray to extract a phone’s encryption key, making it possible to disguise itself as the phone to the cell tower—then, the Stingray simply sits ‘in the middle’ of the cellular transmission, forwarding the signal back-and-forth between the phone and the tower, while decrypting and recording calls and messages. The capacities of these devices are growing; as more service providers follow AT&T in shutting down their 2G networks, police agencies will require Harris Corporation’s ‘Hailstorm’ upgrade, which now promises effective surveillance of 4G LTE phones (though there is little information available about these devices).
Look out for spies
Although there are some tools for detecting IMSI catchers, they are not widespread and often have significant compatibility restrictions. SnoopSnitch is an Android app that collects and analyzes mobile radio traffic to detect when a Stingray or similar device is ‘snooping’ on your phone. The software, developed by a team of German mobile security researchers, works by looking for ‘tells’ that indicate the presence of an IMSI catcher, such as poor or nonexistent encryption or strange behavior in standard GSM protocols. (For more information, you can hear cryptographer Karsten Nohl’s talk on SnoopSnitch here.) For now, only certain cell phone chipsets collect the data necessary to perform this kind of analysis—specifically, SnoopSnitch only works on Android phones with root access and Qualcomm hardware. “The phone receives information that’s useful for the attacker, but it’s also useful for the defender,” Nohl explained. “It’s still ongoing work as these chipsets progress. Phones are capturing this data but we have to find a way to hack it out.” In the future, as more phones become capable of recording this information, Sherbit will also be able to ‘hack out‘ this kind of data. In the meantime, try to stay out of trouble! And sign up for the beta for more insights into your electronic information.
“Neighborhood Watch Guy” by Steve-Lovelace.com, “Map of the United States of America with States – Single Color” by FreeVectorMaps.com, “Gossamer” trademark of Warner Bros. Entertainment.