Slashdot Mirror


FBI's Smartphone Surveillance Tool Explained In Court Battle

concealment writes with news that a court battle has brought to light details on how the FBI's "stingray" surveillance tool works, and how they used it with Verizon's help to collect evidence about an alleged identity thief. Quoting: "Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI. The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location. In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then "broadcast a very strong signal" to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden’s location. To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list."


  1. Weak hack. by plover · · Score: 4, Interesting

    Chris Paget was able to demo similar behavior at DEFCON 18, and he sure didn't need Verizon's help to do so.

    Pretty sure the FCC wanted to bust him on stage, actually.

    --
    John
    1. Re:Weak hack. by SpectreBlofeld · · Score: 4, Informative

      That's because he spoofed a GSM tower. You'll find that doing the same with CDMA is impossible without Verizon's help - see the bit about reprogramming the phone's roaming list in order to make the phone accept the spoofed tower.

    2. Re:Weak hack. by Obfuscant · · Score: 3, Informative

      How would it look if Gumshoe Freddy tried to hack a cell phone tower and crapped an entire community's access? 911 calls that go nowhere, customer service lines jammed, people stranded because their GPS glitched out...

      If Gumshoe Freddy was able to hack a cellphone tower and cause someone's GPS to "glitch out", I'd say Gumshoe Freddy was a remarkably skilled hacker. GPS and cellphones use entirely different sets of frequencies, and I doubt that you could coerce a cellphone tower into transmitting on a GPS frequency no matter how good you are at it. Maybe those cell transmitters have a DDS system that can go where the GPS lives, but I doubt the amps or combiners would pass the signal. They kinda have to be selective enough so that the transmitted signal doesn't block the received one, so transmitting out of band is not going to be highly efficient if possible at all.

      For what? I can walk into a cell phone store and get a cell phone "mini cell" to put in my house to help with reception. FCC approved. I don't need a license to do that. Unless he's causing harmful interference to a licensed broadcaster and the broadcaster reports it, the FCC isn't going to do anything.

      You can buy a type certificated cell phone mini cell because the cell phone companies have agreed to allow it and the FCC has created a specification for what they can do and manufacturers have to meet that spec. They aren't just deciding on their own say so that they can do this.

      You don't have to be causing interference to a licensed broadcaster before the FCC cares, all you have to be doing is causing interference. True, most cases come to the attention of the FCC because the licensee complains, but the FCC can act without a complaint. You don't think Verizon or any of the other cell phone companies would complain about someone creating interference publicly?

      The FCC is an administrative government entity. It is not really law enforcement in any meaningful sense.

      That would be news to the FCC Enforcement Bureau, and the people to whom they've issued notices of apparent liability and levied fines.

    3. Re:Weak hack. by SpectreBlofeld · · Score: 2

      More answers than you probably want:

      http://www.scribd.com/doc/22599374/Security-Encryption-in-GSM-GPRS-CDMA

      And note that no traffic was intercepted in the FBI's operation... all they attained, with the carrier's help*, was an identification of the target's device on the network, which they then pinged in order to triangulate its location. Chris Paget's cell site spoofing blows GSM wide open; nothing remotely similar has happened in the CDMA world.

      *(which also required that the carrier remotely reprogram the phone so this could even take place.)

        This has nothing in common with Paget's spoofing. If you have a mobile phone/aircard in your own name, and the Feds go to the carriers with a warrant, they WILL ping your location. If you're paranoid, go prepaid with a 'stage name' and no SSN attached, or establish service in the name of a company or trust that won't be traced back to you. And better hope they don't already know your phone number.

    4. Re:Weak hack. by SpectreBlofeld · · Score: 2

      >GPS and cellphones use entirely different sets of frequencies, and I doubt that you could coerce a cellphone tower into transmitting on a GPS frequency

        To be fair, there is aGPS (assisted GPS) which uses timing signals sent from cell towers for triangulation instead of/in addition to GPS satellites.

    5. Re:Weak hack. by Thor+Ablestar · · Score: 2

      It's a misunderstanding. Nominally, aGPS is the use of ALMANAC and EPHEMERIS data obtained from the network, and not from the navigation signal itself. It speeds the acquisition - and nothing more. At least, U-blox dox say so. Unfortunately, I heard that some GPS chipsets have aGPS ONLY and have NO GPS data channel. The test is simple: Ensure that your smartphone can show your position while the network is absent.

      Full disclosure: I am NOT a GPS specialist (GPS specialists sit in a neighboring lab).

      And BTW: The original post does not talk about GPS - only about intrusion to the phone and conversion of it to the beacon.

  2. Supply Chain Attack by dunkindave · · Score: 5, Informative

    This is basically a supply chain attack. People worry about others breaking into their devices, but the user has to trust the device supplier not to tamper with it before they receive it. This situation is analogous to your PC phoning home to Microsoft for updates, then having a special version sent to your machine at the request of the FBI. No matter how careful you are about what software you run or what security software you employ, Microsoft can compromise your machine.

    1. Re:Supply Chain Attack by SuperTechnoNerd · · Score: 2, Interesting

      Unless of course you block all of Microsoft in your firewall.....

    2. Re:Supply Chain Attack by fredklein · · Score: 5, Interesting

      Screw PCs- how many people have a Microsoft XBox Kinect in their living rooms, complete with camera? You mean to tell me that Microsoft, at the perfectly legal (ie: rubber-stamped) request of the government, couldn't push an update that allows them to turn the Kinect cameras on at will??

    3. Re:Supply Chain Attack by Anonymous Coward · · Score: 3, Insightful

      So you're saying we should all run FSF approved operating systems?

      Even then, unless you intend to audit several billion lines of code of a variety of packages, and understand it well enough to discover flaws that give a 3rd party control over you or your information, you're still trusting someone else that it's safe.

    4. Re:Supply Chain Attack by StrangeBrew · · Score: 4, Funny

      I always face my webcams and Kinect towards the wall when not in use, so I guess I subscribe to your particular brand of paranoia. I suppose they can still watch me when the Kinect is in use, but if they really find me playing Angry Birds in the buff that exciting who am I to deprive them of their entertainment?

    5. Re:Supply Chain Attack by suutar · · Score: 2

      unplug the kinect from the back of the xbox when not in use?

  3. Ok..So verizon has shown they cant be trusted.. by wierd_w · · Score: 4, Insightful

    Issuing a custom radio firmware for a data only device, so that it responds to a telephone network signal demonstrates that verizon is willing to place nonstandard firmware on devices on their network, for the express purposes of aiding investigations that lack proper warrants.

    This is a very bad thing Verizon. A Very Bad Thing.

    Don't underestimate the impact that losing public confidence can have on your business. Being so self-conceited as to feel that you don't have to worry because you have cornered the market would only add fuel to the fire.

    Plan your PR damage control messages carefully. Smile, you're on candid camera.

    1. Re:Ok..So verizon has shown they cant be trusted.. by jbolden · · Score: 4, Interesting

      I don't think Verizon is going to be too upset about publicity that they helped the FBI catch an identity thief in an apartment under one of the assumed names he was identity stealing....

      Besides Verizon works with the military and has most of the government contracts. They've been pretty clear they are going to be extra cooperative with the government for many years.

    2. Re:Ok..So verizon has shown they cant be trusted.. by alen · · Score: 4, Informative

      FBI got a warrant and verizon helped catch a suspected scumbag
      what's the problem here?

    3. Re:Ok..So verizon has shown they cant be trusted.. by jchawk · · Score: 3, Insightful

      While I really agree with what you are saying... The market has not demonstrated that it cares about this type of behavior. Joe Six Pack continues to pile on more and more devices onto the Verizon network without a second thought to privacy. If you think I'm wrong look at the 6-strike rule in their Internet business... This hasn't hurt them one bit.

      The average person simply doesn't understand the behind-the-scenes technology well enough to care.

    4. Re:Ok..So verizon has shown they cant be trusted.. by semi-extrinsic · · Score: 5, Insightful

      I saw a good quote on this topic yesterday here on /. :
      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."
      H. L. Mencken

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    5. Re:Ok..So verizon has shown they cant be trusted.. by Hatta · · Score: 4, Informative

      A court order is not a warrant, and the judge who issued that court order may not have been fully informed. FTFA:

      The government has conceded, however, that it needed a warrant in his case alone — because the stingray reached into his apartment remotely to locate the air card — and that the activities performed by Verizon and the FBI to locate Rigmaiden were all authorized by a court order signed by a magistrate.

      The Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, who have filed an amicus brief in support of Rigmaiden's motion, maintain that the order does not qualify as a warrant and that the government withheld crucial information from the magistrate — such as identifying that the tracking device they planned to use was a stingray and that its use involved intrusive measures — thus preventing the court from properly fulfilling its oversight function.

      "It shows you just how crazy the technology is, and [supports] all the more the need to explain to the court what they are doing," says EFF Staff Attorney Hanni Fakhoury. "This is more than just [saying to Verizon] give us some records that you have sitting on your server. This is reconfiguring and changing the characteristics of the [suspect's] property, without informing the judge what's going on."

      --
      Give me Classic Slashdot or give me death!
    6. Re:Ok..So verizon has shown they cant be trusted.. by wierd_w · · Score: 2

      I was under the impression that verizon complied with the FBI request in "rubber stamp" fashion, and not due to a warrant. (Which was why their use of the stingray had caused judges to get stingy when discovered.)

      Pushing firmware to devices without permission/authorization from the downstream user can count as vandalism, if the device is not subsidized by verizon, and is the user's personal property. I don't use verizon, so this does not really impact me except as being a chilling effect, as other providers will be compelled to comply by govt agencies as well.

      The above 3 posts fail to take into account that all persons of interest are innocent until proven guilty in a court of law, so all tapping and tracing activities need to be seen as if they were performed on people who have done absolutely nothing wrong. Approaching it from the "we helped them catch a dirtbag" angle is not justifiable, unless you operate under the "guilty until proven innocent" model instead.

      A warrant has to be issued, it has to be specific in what is to be taken, and specific in the place, time, and person of interest investigated.

      Your "la dee dah" blithe response to this kind of thing is exactly why the USA is turning more and more into a police state every day. Keep that in mind.

    7. Re:Ok..So verizon has shown they cant be trusted.. by wierd_w · · Score: 3, Informative

      Reading comprehension fail.

      The FBI agreed that it *needed* a warrant (eg, that what they were doing with the stingray needed one), but said that what verizon did for them was authorized by a court order, and did not need one.

      This does not say that they in fact obtained such warrant, which they did not.

    8. Re:Ok..So verizon has shown they cant be trusted.. by alen · · Score: 2

      go read the linked articles

      the FBI had multiple court orders and warrants. the perp is saying that the wording of their warrant did not allow the use of a stingray device

      rule #1 of criminal law. if you can't fight the evidence then fight to have it excluded from the case. they already had lots of other evidence that he was a scumbag and were only trying to figure out who he was and where he lived

    9. Re:Ok..So verizon has shown they cant be trusted.. by Lumpy · · Score: 2

      Who was also making the #1 mistake, Cracking from home.

      --
      Do not look at laser with remaining good eye.
    10. Re:Ok..So verizon has shown they cant be trusted.. by ShanghaiBill · · Score: 2

      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."

      Lenny Bruce was a scoundrel. Larry Flynt was a scoundrel. They deserved to be defended. This guy is just a common thief. As long as the FBI has a warrant (it isn't clear that they did), then I don't see the issue here. He deserves a fair trial, but stealing from other people is not a "human freedom", and none of his actions are defensible.

    11. Re:Ok..So verizon has shown they cant be trusted.. by mabhatter654 · · Score: 2

      But the flip side is that their network is secure enough VERIZON has to have their engineers actually write a patch for police to use. So while they have low standards for cooperating, it seems like it is a lot of work for Verizon to do... EXPENSIVE work police won't want to use too often.

    12. Re:Ok..So verizon has shown they cant be trusted.. by SpectreBlofeld · · Score: 3, Insightful

      But the perp in question was an identity thief who had activated the device in the victim's name. In this case, the victim technically 'owns' the service/device, right? How can you claim that the FBI/Verizon violated the thief's 'private property' when it was fraudulently bought/activated in the victim's name?

      If the victim gives permission for the FBI/VZW to track the device that's in his/her name, that's good enough for me. If someone stole my identity to activate service, I'd be begging for them to track the fucker down. After all, I'm the legal account holder, whether I like it or not.

      You say that 'Verizon does not own the aircard' but neither does the identity thief, dammit! The victim does!

  4. technology vs law by houbou · · Score: 2, Insightful

    Clearly our technological advances are ahead of the law and it's time for those 2 to sync up in a realistic way.

    Ok, so this is a guy who does identity fraud.
    I'm not crying for him.
    He's lucky to even have access to due process as far as I'm concerned. However, that your very own devices can be used against you in such ways, which means that the trust you have in your provider is broken, seems unethical.
    If the FBI and/or other agencies require such abilities, perhaps then, companies such as Verizon should place this in their contracts something like "authorities can use your devices to track you and/or use your data for any of their investigations as they see fit".
    Transparency would be nice.
    All I know is that, I've got nothing to hide, so I don't care, but, for those who do, they may have to switch to another provider....

    1. Re:technology vs law by Anonymous Coward · · Score: 2, Insightful

      He's lucky to even have access to due process as far as I'm concerned ... All I know is that, I've got nothing to hide, so I don't care

      Then you, sir, deserve to be dragged off in the night and charged without due process.

      Everybody deserves due process, or you cease to be a free society. And the "you have nothing to fear if you have nothing to hide" is the lament of cowards and fascists.

      Fuck you you worthless sack of shit. You're part of the problem of tacitly accepting it as okay when your government breaks the laws.

  5. Re:Holy crap ... by plover · · Score: 3, Informative

    That's one of the issues in this case. A Stingray is not discriminating and could impact other cellular devices. The FBI also claims they "throw away" all data that is not pertinent to their investigation, meaning there is no way to determine what they did or did not see regarding other people's communications. (Kind of a damned if you do, damned if you don't situation.)

    There is also the difference between wiretaps and pen trace registers. Wiretaps require a warrant, but pen traces don't. The Stingray doesn't record the call or data contents, so it could be claimed to be more like a pen trace. But a Stingray is actively pinging the target's machine to generate data to be used against the owner, which is a completely different use (abuse?) of the technology.

    Anything like this would be perfectly legal with a warrant. The real question is if this is legal without one.

    --
    John
  6. Slip down your law and order slope, citizen by ThatsNotPudding · · Score: 5, Funny

    FBI got a warrant and verizon helped catch a suspected scumbag what's the problem here?

    "When they came for the scumbags, I did not speak out, for I was not a scumbag..."

  7. Re:Holy crap ... by EmperorArthur · · Score: 4, Insightful

    It's a little more complicated than that.

    It seems Verizon pushed an update to his specific wireless card. This update allowed it to receive phone calls, thus allowing them to "ping" him in particular. It also set the preferred tower list so that the stingray would always be connected to first.

    The fun thing is that by modifying his wireless card, the FBI has "planted" a tracker on him. That requires a warrant. If this guy was such a big deal, then it shouldn't have been hard to get the warrant. The problem is the FBI didn't want anyone, even the judges, to know what cards they held. So even when they got their court order, it wasn't a warrant, and they misled the judge who issued the order. That's a big no no.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  8. Re:Holy crap ... by plover · · Score: 2

    Got it, thanks. I missed equating the change to his card as "planting a tracking device", which makes total sense, at least to me. So now, it's up to the court to decide if the law sees those as equivalent activities, requiring equivalent oversight.

    Oh well. Better to let 100 scoundrels roam free than to wrongly imprison one man.

    --
    John
  9. Um all sorts of AirCards, USB 3G dongles, etc by DiSKiLLeR · · Score: 2

    Um all sorts of AirCards, USB 3G dongles, etc can be made to make and receive calls.

    All the Huawei 3G usb modems that are sold by telcos here in Aus/NZ I've managed to get to make and receive calls. (Yeah you need to use a USB headset or something, but you already do for skype and voip.)

    Is there any point to it? I don't know, but you can.

    Just like most tablets can be made to make/receive phone calls even though they aren't considered phones by the law.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.