Surveillance Case May Reveal FBI Cellphone Tracking Techniques

glittermage writes "The WSJ reports on an ongoing case about alleged 'Hacker' Daniel David Rigmaiden, regarding the government's tools used to track mobile devices with or without a warrant. The judge may allow Daniel to defend himself against the government's claims by putting the technology into the light. Sounds good to me."

Or not

[Hatta]

The judge could just as easily deny him an opportunity to defend himself based on unspecified "national security" fears.

Re:Or not

[Z00L00K]

From a technical point of view what can be done is to trace cell-towers and cells that his phone has accessed and do a rough estimation of his location.

However if you are indoors in rural areas you can get rather weird results in location-handling since your phone isn't omni-directional but only sees towers in certain directions, which can make it appear that you are 10 miles off from where you actually are.

And it's fairly easy to detect this on some devices - it's just a question of sending some "AT" commands to your phone and ask it which towers/cells it sees.

Re:Or not

from TFA:

A stingray works by mimicking a cellphone tower, getting a phone to connect to it and measuring signals from the phone. It lets the stingray operator "ping," or send a signal to, a phone and locate it as long as it is powered on, according to documents reviewed by the Journal. The device has various uses, including helping police locate suspects and aiding search-and-rescue teams in finding people lost in remote areas or buried in rubble after an accident.

Re:Or not

[AngryNick]

Interesting timing. The Supreme Court is hearing oral arguments on the question of GPS tracking without a warrant on November 8th. I suspect the ruling could be applied to this kind of technology. Granted, one is "passive" tracking (the person owns the tracked device) and the other "active" (the government attaches the device to the person), but I see similarities in how the use of tracking technology in general impacts society's expectation of privacy.

Civics homework: Defend your position on how the 4th amendment protects/allows cell phone tracking of suspected criminals.

Re:Or not

This sounds like the perfect device for prisons to locate cell phones and disable their usage.

Re:Or not

[networkBoy]

Is there a reasonable expectation of privacy as it relates to what towers your phone connects to (and if it will connect to a spoofed tower?).

I.e. Postcard vs. Letter.

Is connecting to the cell tower analogous to sending a postcard? The voice call equivalent to a letter in an envelope?
-nB

Re:Or not

[frosty_tsm]

Is there a reasonable expectation of privacy as it relates to what towers your phone connects to (and if it will connect to a spoofed tower?).

I.e. Postcard vs. Letter.

Is connecting to the cell tower analogous to sending a postcard? The voice call equivalent to a letter in an envelope? -nB

The difference is that someone would have to happen upon a Postcard (unless they were specifically looking through the person's mail), which happens to have their name and address. Doing the same on a cell tower with lots of data requires a bit of cross checking to come up with the individual in question. Determining where they are based on multiple cell towers is even more involved.

Re:Or not

[uvajed_ekil]

...or suddenly drop the charges without explanation. You know, the same tact the MAFIAA take in civil cases - go for it big-time, until it looks like you are not going to get the result you want, then give up, act like nothing happened, and move on to the next poor sap.

Re:Or not

[Stan92057]

The 4th amendment went out the window when they allowd the police to pull us over for no other reason but to see if we were drinking. The laws allowed to do that with no real reason, why not GPS tracking?

Re:Or not

[plover]

It's not like a postcard. This is actually more like entrapment. They didn't simply monitor his cell device, they actively asked it to betray him.

On its face it sounds similar to the police sending you a letter saying "Congratulations, Mr. networkBoy! You have won a cash prize of at least $10 from the 'Get What's Coming To You!' lottery! Show up at 123 Main St at noon on Friday the 13th to claim your prize, and be prepared to show a photo ID", paying you $10 for arriving and presenting your ID, bringing you to the "back room" to "process your award" and then applying the handcuffs while out of sight of the rest of the crowd. But there's a significant difference. You read the letter, you can make your own determination whether or not to believe the letter is legitimate, and you decide whether or not to show up. (By the way, I understand these police run reverse-scams have been extremely effective at rounding up lots of criminals.)

In this case, your cell phone will not evaluate the authenticity of the broadcast message, and it will not tell you "hey boss, I see a new cell tower, want me to talk to it?" It simply answers as it would any legitimate cell tower.

Re:Or not

[MrL0G1C]

If the supreme court ruled it legal for police to attach trackers to peoples cars without out warrants then anybody should be able to do it cos it's would be legal....right????

Re:Or not

[WNight]

Do you have an expectation of privacy when broadcasting signals? No. Of course not. And that's why, despite the USA's stupid laws, we encrypt our radio communications.

But it should be reasonable to expect the company selling you an encrypted phone not sell you out without a warrant.

Without the phone company identifying your phone for the snoopers you wouldn't stand out from the other anonymous devices. And because they refuse to use DOS-resistant protocols (ie, the phone only answering location queries from devices it trusts, like the base station, and not some random spoofer), you have a crippled device serving more as a leash than a phone.

Freedom Gone Missing

Doubt it. We have too much wealth to protect from the communists, I mean terrorists.

LEO Only?

[PPH]

From TFA:

According to a Harris document, its devices are sold only to law-enforcement and government agencies.

Harris isn't the only one building these (other brands look a lot less like 1960's era gear) and we don't have assurances from these other manufacturers that they aren't being sold to private individuals or investigative firms.

Re:LEO Only?

Anyone else besides the law enforcement and wireless carriers themselves using these equipment --- wouldn't this be illegal wiretapping, in effect ?

Re:LEO Only?

[rahvin112]

Without a warrant it's all illegal wiretapping IMO.

Re:LEO Only?

[chrb]

Well the FBI say not. From TFA:

A spokeswoman with the Bureau of Criminal Apprehension in Minnesota says officers don't need to seek search warrants in that state to use a mobile tracking device because it "does not intercept communication, so no wiretap laws would apply."

The big question is: if the device works as advertised by faking a basestation, pinging the phone and measuring the returned signal level, but does not intercept voice or data traffic, is that a wiretap?

Re:LEO Only?

[Khopesh]

From TFA:

According to a Harris document, its devices are sold only to law-enforcement and government agencies.

Harris isn't the only one building these (other brands look a lot less like 1960's era gear) and we don't have assurances from these other manufacturers that they aren't being sold to private individuals or investigative firms.

We also don't have assurances that this can't be built by enterprising criminals. In another few years, home-brewed equivalent devices will likely be easy to make, thus empowering criminals, overprotective parents, and wannabe stalkers. If a warrant is not required, doesn't this mean that this technology fair game for anybody to use?

Better to have the technology exposed and patch the security hole, then consider a warrant-requiring backdoor for law enforcement (i.e. use the existing providers' antennae rather than shelling out the money for taxpayer-funded stalkers in vans).

Re:LEO Only?

Worry less about criminals and more about companies

Re:LEO Only?

[Dravik]

Private people have been building these for DEFCON for a couple of years. This technology is out in the open for anyone who wants to look up the presentations.

Re:LEO Only?

[sjames]

That depends. If they use it to track a citizen, then naturally, it is not. If a citizen uses it to track law enforcement personnel, then naturally it is a wiretap and probably a dirty bomb while we're at it.

Re:LEO Only?

[mikael]

Flying drone can crack wifi networks and snoop on cell phones

They would be handy if there is a power outage, then you could fly a whole squadron of them over a city and create a new cellphone network.

Re:Golden Girls!

That's confidant, not cosmonaut.

Then again Bea Arthur looked like the monkeys the Soviets sent into space. It's a natural mistake to make.

They could always just use this - LEGALLY

[Lashat]

http://www.spyanycellphone.com/

I'm not a shill. Just had a great laugh over this advertised website at the bottom of TFA. The kind of thing you must share with the rest of the cubefarm residents.

 

Re:They could always just use this - LEGALLY

[liquidweaver]

Oh yeah, looks like any other 100% legit testimonial style website, with a web clip at the top that doesn't mention their product at all. I like how when you go to the order screen and check the phone model, it simple takes what you type there and says it's compatible.
For example:
Easy-Cell-Phone-Spy
Is Compatible with
Macron Overlord

Re:They could always just use this - LEGALLY

[simtel]

What are you talking about, this looks totally legit: http://imageshack.us/f/163/easyspycomp.jpg/

Re:They could always just use this - LEGALLY

Easy-Cell-Phone-Spy
Is Compatible with
Burma-Shave

Re:They could always just use this - LEGALLY

[liquidweaver]

nice

Same with British Intelligence & Wiretaps

[chrb]

Wiretaps carried out by MI5 and MI6 are blocked from being been used in court cases. The legal rationale is that if the wiretaps were used, then they would have to disclose the intercept technology and methods. Obviously they don't want that. Craig Murray, as ambassador to Uzbekistan, had knowledge of the intercept methods in use and he revealed them in his book 'Murder in Samarkand':

You can be bugged very easily. A sound bug can be no bigger than a pin, but it is not necessary to plant one. Directional microphones are very effective, and can be used from several hundred metres away if necessary, but it is much easier to use the telephone. Either a home landline or a mobile can be remotely activated to serve as a microphone, bugging the room even though the handset is down, or the mobile switched off. The resulting sound can be cleaned up to surprising quality."

The FBI apparently uses similar technology that they call a "roving bug". Apparently this is the big secret that they don't want to reveal in court - that they can remotely modify the firmware or baseband firmware of various cell phones and then record all communications and utilise them as remote bugs, even when the phone is turned off.

Re:Same with British Intelligence & Wiretaps

Some phones, definitely not all. I'd wager my i560 doesn't have that functionality, and even then I can still pull the battery so it CAN'T have that functionality.

Otherwise, this sounds like the absurd Eagleeye movie.

I'd be worried more about smartphones, I keep hearing about phones that never actually shut down, just soft-off. That, combined with a phone where you can't pull the battery....

Re:Same with British Intelligence & Wiretaps

[negRo_slim]

Either a home landline or a mobile can be remotely activated to serve as a microphone, bugging the room even though the handset is down

Certainly not POTS? I wasn't aware they could remotely close your circuit to make you appear off the hook.

Re:Same with British Intelligence & Wiretaps

[chrb]

I had thought the same, but with modern digital phones and firmware, who knows? If the design of the phone allows the firmware to control the circuit, rather than having it mechanically linked to the handset being picked up, then it must be possible. Certainly, for systems that combine phone function with answerphone, it must be possible for the firmware to order the phone "off-hook".

Re:Same with British Intelligence & Wiretaps

[networkBoy]

They can on some phones.
Not sure about all, or newer ones. In the former USSR this was commonplace. I have some Bell rotary phones (setup a basic three phone partyline as an intercom with them) that relied on this ability to work properly.
(Kids love the partyline BTW).
-nB

Re:Same with British Intelligence & Wiretaps

this is exactly what is going on.
theyre doing these same exact things with computers and televisions nowadays as well.
it isnt just the government either it is industry, ESPECIALLY the entertainment industry.
the technology exists and is being put to use. it is truly big brother.
wherever, whenever, and however they want.

Re:Same with British Intelligence & Wiretaps

[Alex+Belits]

In the former USSR this was commonplace.

In the former USSR it was believed to be commonplace, however it was technically impossible.
The 30V loudspeakers connected to the local radio, on the other hand, were perfectly usable as microphones, and I would guess, some lucky KGB agents found such speakers in a mode suitable for listening. But everyone over the age of 15 knew that it's possible -- those speakers were commonly used as microphone replacement in home recording.

Re:Same with British Intelligence & Wiretaps

[Bob+the+Super+Hamste]

Sounds like we need to go back and use the old model 500 phones. No software there to hack and the things last forever, my grandmother had a model 544 phone (the wall mount version of the model 500) that she replaced a couple of years ago so she could have a cordless and not have to sit or stand near the phone. .

Interesting end run

[IamTheRealMike]

Hrmm. There are several parts of the FBIs story here that aren't internally consistent.

It's pretty well known by now thanks to Hollywood and TV shows that police can track mobile phones by triangulating signal strengths at different cell towers. Heck, phones do it themselves these days. The fixes can be fairly accurate in urban areas. There's no need for the phone to be making a call in order to be traced this way, because as the article points out, towers can talk to the phone any time they want.

Presumably, phone companies require a warrant of some kind before performing this type of trace. This leads me to wonder if fake base stations like the Stingray devices have any use at all beyond avoiding phone companies legal processes. I could buy the explanation that a fake base station lets you get slightly more accurate fixes on the phones location, except that apparently even with these devices the best they were able to get was to a particular apartment block and they had to do old fashioned detective work to get closer. "Nearest block" is about as good as modern smartphones can do by themselves.

There are a few other puzzlers in there. The government claim they can't reveal the devices capabilities without compromising future investigations, and then go on to state quite clearly that the devices can't intercept calls or data and that's why they don't feel they need a proper search warrant. This makes sense. Some kind of roving fake base station in an FBI van wouldn't be able to route calls successfully. And the GPRS/3G protocols don't terminate data encryption at the base station, but rather further back in the core network. But that implies the person being traced would be able to notice - if the data connection stops working, or calls fails to place, it could be a sign you're being traced. Time to switch the phone off. That could even be automated by a smartphone app. Is that trivial workaround what they're afraid of?

Another puzzler. The 3G/UMTS protocols have the handset authenticate the network exactly to protect against fake base station attacks. How does the StingRay device handle this? Presumably, the major networks have all been required to hand over their root keys/certs so the FBI can emulate them. It makes you wonder how secure these keys can really be, if there are cops running around with the keys inside a box. If one of these devices got lost or was somehow sold to the wrong people, how hard would a key rotation be? Presumably you'd have to replace the SIMs? Again, this seems like a lot of problems that could easily be avoided by tracing the target device with the direct co-operation of the phone companies.

I'd like to think there's a purely technical reason for the use of these things, but given the FBIs prevarication over exactly what kind of warrants they are getting, I'd be worried it's more a legal dodge.

Re:Interesting end run

[sjames]

If the thing tricks phones into thinking it's a tower, how many 911 calls fail (with fatal results) while the FBI hunts for a tax cheat?

Re:Interesting end run

[Anaerin]

Another puzzler. The 3G/UMTS protocols have the handset authenticate the network exactly to protect against fake base station attacks. How does the StingRay device handle this? Presumably, the major networks have all been required to hand over their root keys/certs so the FBI can emulate them.

Not necessary. It goes something like this:

• StingRay sends out "I am a cell tower" message
• Cellphone responds asking "Really? I am xxxx, who are you?"
• StingRay uses diversity antennae to triangulate position as it receives, then sends out "Oh, nobody important"

Cellphone found.

Re:Interesting end run

[dopodot]

The 3G/UMTS protocols have the handset authenticate the network exactly to protect against fake base station attacks.

For GSM, this is not the case -- handsets do not authenticate the towers they're connecting to. It's trivial to become the loudest tower and get the phone to switch over to you... but there are technical hurdles around connecting back to the wireless carriers and getting calls / SMS to work correctly in both directions.

Re:Interesting end run

Presumably, phone companies require a warrant of some kind before performing this type of trace

That's a pretty big assumption there. The government will do everything it has the capability to do unless it is explicitly prohibited from doing it. That's partially because when you really get down to it on a personal level, some guy just wants to do his job, and isn't really thinking of the overall implications.

However, the majority of the blame lies on people who erroneously believe and accept as justification the concept that with respect to the powers of the government, anything not prohibited, is permitted. Of course, this goes completely against the way the US government was authorized to operate, and all of our checks against corruption and misuse of power rely on the fact that anything not permitted to the government, is prohibited. So many court decisions have cut away at this concept by incrementally declaring more and more activity to be permissible by the government, that we've effectively flipped the entire derivation of authority on its head!

So now we have a system where the 'Companies' which presume will require a warrant, will NOT require a warrant.

1. They are indebted to the government and not the citizens. The government has the authority to remove their ability to 'exist' or operate. The citizens only have the power to attempt to avoid interaction with these corporations, and given the nature of telecommunications, that isn't really possible. (You can't really boycott infrastructure)

2. They have no financial motivation to demand a warrant. The Government writes the laws so that corporations who turn over data to the government become exempt to data protection/privacy laws, and grant them immunity from lawsuits, or just make it so there is no way of knowing if your data WAS subject to a warrant.

On the other side, a company that demands a warrant is faced with a legal bill at a minimum. More often than not, these companies will be subject to a suddenly dry market for government contracts, legal action with the full force (and money) of the US government behind it, and potentially even masked armed men who could smash in their doors at noon, and walk out with EVERY computer, filing cabinet, paper, etc, and not face a single repercussion (And don't forget, you can't sue the government for the damage done during the execution of a warrant, because everything will always be 'reasonable'.

So no, most likely, the company will setup a fee based system, probably automated on the internet, by which police departments and federal agents can log in and collect whatever information they so desire, and warrants? Wait... that's not likely, they already do that now.

Why bother with demanding a warrant when compliance often comes with perks?

Re:Interesting end run

what is a tax cheat? Is it even illegal? Is it really worth pulling the FBI away from terrorists, pedophiles, and p2p users?

Re:Interesting end run

[Alex+Belits]

I would guess, the device is actually very primitive -- it either:

1. Acts as RF man in the middle between the phone and tower. Since it can't get identifying information, someone has to make a very short phone call that will be dropped immediately after they noticed that connection is established (and that is a BIG SECRET they are trying to protect).
2. Forces fallback into an unencrypted or weakly encrypted mode (and then BIG SECRET is that the device is actually perfectly capable of intercepting conversations).

All the high-tech-looking stuff is likely for analog measurements and antenna pattern control that allows easier and more precise procedure to determine the location of the phone.

Re:Interesting end run

1.) "Presumably, phone companies require a warrant of some kind before performing this type of trace."

Not true, IIRC several if not most major cell carriers have given LEOrgs carte blanche access via web/browser based apps to do just this. Remember Congress (including Obama) voted to give the telcoms retroactive immunity for any and all actions in cooperation with LEOrgs with respect to national security concerns.

2.) "The government will do everything it has the capability to do unless it is explicitly prohibited from doing it."

The Obama administration has refused to clarify to congressional oversight committees exactly how it is interpreting the PATRIOT act i.e. “yes you wrote A_B_C_D but we really think you meant E_F_G_H and no we will not put in writing what E_F_G_H is in our opinion.”

3.) What Cases Have the PATRIOT Act's Sneak-and-Peek Warrants Been Used For?

For drugs = 1618 For Fraud = 122 For Terrorism = 15

http://reason.com/blog/2011/09/07/what-cases-have-the-patriot-ac

Re:Interesting end run

Another puzzler. The 3G/UMTS protocols have the handset authenticate the network exactly to protect against fake base station attacks. How does the StingRay device handle this? Presumably, the major networks have all been required to hand over their root keys/certs so the FBI can emulate them. It makes you wonder how secure these keys can really be, if there are cops running around with the keys inside a box. If one of these devices got lost or was somehow sold to the wrong people, how hard would a key rotation be?

http://www.ebay.co.uk/itm/Harris-TriggerFish-TF-3000-Frequency-Surveillance-1001-/260821112830

The Wall Street Journal

[Dunbal]

Owned by News Corporation, talks about hacking. Pot, kettle, black.

Re:The Wall Street Journal

How does this apply since no phones were actually hacked by Sky news? It was voicemail accounts.

Re:The Wall Street Journal

Unless this is a joke, you miss the point.

One is a company invading your phone who you can sue the hell out of.

The other is the government voiding you Constitutional Rights, by not gettin a warrant, and invading your communications sphere.

Depending upon how much you value your Constitutional Rights, you should be happy or pissed.

Messing w/ a hacker

[Synerg1y]

Well, what did they expect?

They aren't trying to catch a pedo here, but somebody w/ the knowledge to break into computer systems. Of course he will challenge the law in every single manner he can think of to win his freedom. You can call it an attempt to get off the hook, except what the FBI is doing is in violation of the 4th by not obtaining legal permission to use their technology and furthermore it's unethical, these people are paid to protect us, not spy on us, if I need protection that only the FBI can provide I'd ask!

Re:Messing w/ a hacker

[hairyfeet]

I'm sorry but didn't you get the memo? The government has been just as nasty as any other bad guy for a number of years now, and hadn't paid attention to that little piece of paper called the constitution since Hoover and COINTELPRO. I mean when they went so far as to drug and execute an American on American soil because he advocated views the government didn't like? I'd say all bets are off after that comrade.

And I'd be worried about that whole "catch a pedo" remark too, as that is how they ramrod new nasty laws into effect, by saying its to "save the children/protect us from terrorists" For example just look at the guy now in jail for writing the "pro pedo' book, no children touched, no pictures, just his thoughts on a page. Seems I remember someone writing about a time when people will be arrested for thoughts somewhere, or for one the feds pull how about how they set up "pedo honeypots" but then didn't bother capturing the fricking referrer so that if some troll rickrolled you with a link to that site you could be in jail right now! Hell if I remember correctly the judge even ruled that it didn't matter that there was no actual CP anywhere on their honeypot because simply accessing the site was proof of intent!

So I'm sorry friend, but the government has been evil and/or batshit insane for quite awhile now. Presidents and politicians come and go, but the three letter guys? They are always there, with too damned little oversight (if there is any at all) and too damned much power. I wish I was a tinfoil hatter, but anyone who has watched the moves this country has been doing for the past couple of decades and which accelerated like mad after 9/11 knows they are drunk on power and rules don't seem to matter much anymore.

Re:Messing w/ a hacker

"Single acts of tyranny may be ascribed to the accidental
  opinion of a day. But a series of oppressions, begun at a
  distinguished period, and pursued unalterably through every
  change of ministers (administrations), too plainly proves a
  deliberate systematic plan of reducing us to slavery."
  -- Thomas Jefferson

I don't get it. How can they..

How can they intercept a communication by playing "phony cell phone tower"? Is that not ILLEGAL!!??! Without a warrant none the less?
How many laws are being violated that no one is even mentioning?

If you dont want anyone to know about it...

[Gravis+Zero]

don't build it.

Charlie Savage's NYT article today is similar

[Thagg]

Charlie Savage reports for the New York Times on intelligence gathering. He has an article today that dovetails nicely into this Wall Street Journal article. Savage reports that two senators are concerned that the government is using secret means to surveil US citizens based on a ruling from the FISA court -- rulings that are secret. This is tantamount to having a secret law; something that is anathema to the Constitution.

Turned off?

[dutchwhizzman]

How can they use the device if the battery is taken out then? Never turn your phone off and leave the battery in, if you want it to be truly off. Of course, you'd need a device that has a user replaceable battery, not an iPhone or alike.

Radio Waves Broadcast Pervasively

I don't see why the technical possibility of this is such a shocker. I mean cell phones are radios. They broadcast signals. Not just to one place at a time, but everywhere, even to places that might not be directly within line-of-sight of the transmitter.

People need to understand: YOU ARE CARRYING AN INDIVIDUALLY IDENTIFIABLE RADIO BEACON ON YOUR PERSON WHEN YOU TAKE YOU CELL PHONE ANYWHERE OUT IN PUBLIC WITH YOU. HOW ELSE WOULD YOUR PHONE COMPANY BE ABLE TO BILL YOU?

Why is this news? Sure the *TRAFFIC* containing your telephone call to and from the handset is an encrypted digital signal, but from point A to point B, ANY CELL TOWER needs to know which handset gets which call.

Thus defacto privacy is technically not even possible. The system depends on being able to identify a handset.

Whether you want to cry boo-hoo-hoo about people actually taking advantage of that fact is irrelevant to the fact that it is on the table at all times, and impossible to distill and decouple from the very premise of owning and using a cell phone.

If you don't like it, don't use cell phones.

(as to whether the government should *EVER* leverage tax payer dollars against presumably ordinary law-abiding citizens is another matter)