New App Detects Government Stingray Cell Phone Trackers
HughPickens.com writes IMSI catchers, otherwise known as stingrays, are those surveillance tools that masquerade as cell towers and trick mobile phones into connecting, spewing private data in the process. Law-enforcement agencies have been using them for almost two decades, but there's never been a good way for individuals to detect them. Now Lily Hay Newman reports that SnoopSnitch scans for radio signals that indicate a transition to a stingray from a legitimate cell tower. "SnoopSnitch collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates." say German security researchers Alex Senier, Karsten Nohl, and Tobias Engel, creators of the app which is available now only for Android. The app can't protect people's phones from connecting to stingrays in the first place, but it can at least let them know that there is surveillance happening in a given area. "There's no one set of information, taken by itself, that allows you to detect an IMSI catcher," says Nohl. "But we do stream analysis of everything that happens on your phone, and can come out with a warning if it crosses a certain threshold."
Stingrays have garnered attention since a 2011 Arizona court case in which one agent admitted in an affidavit that the tool collaterally swept up data on "innocent, non-target devices" (U.S. v. Rigmaiden). The government eventually conceded in this case that the "tracking operation was a Fourth Amendment search and seizure," meaning it required a warrant. But given that the Justice Department has continued to claim that cellphone users have no reasonable expectation of privacy over their location data, it may take a Supreme Court judgement to settle the Stingray issue countrywide.
Remember the 90s and early 2000s? People sent all kinds of small applications as attachments in emails. It could be everything from a small animation to some stupid happy face. Almost all were infested with malware. Apps are the new version of these. But today, malware has become mainstream. It is no longer considered bad practice to harvest all the private data from someone's phone. That's just the way it should work. The platform makers (Google and Apple) don't care. In fact, at least when it comes to Google, they almost seem to promote the idea with an utterly worthless permission system. So... Okay, dear security researchers, where is the source of your app? Because I don't trust any app that is not open source.
Lots of 4A searches do not require warrants -- searches incident to arrest, custodial searches, searches with consent, and probably more. The warrant requirement only kicks in when a warrantless search would be "unreasonable" (violate a reasonable expectation of privacy, and such expectation is narrower than most non-lawyers would believe).
That's one thing. But these are ILLEGAL devices being used without even so much as warrants.
"This app requires root access and will only run on devices with Qualcomm chipset."
That's not "for android". That's playing a Qualcomm trick with the baseband.
I also wonder if a better way might be (but I'm speculating here) to use the measured distance from the nearest cell tower (called Timing Advance), as in http://stackoverflow.com/a/137... - and couple it with a public database of known celltowers locations to spot recent "additions".
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
It's still better than having nothing at hand.
Can't we add support to Android so that e.g. I can load a carrier cert into a special store used only for the cell radio operations and then have an option to authenticate towers before connecting to them? Is there any way for a carrier to publish a whitelist of tower info that can't be easily cloned? How do we have this infrastructure where anyone can start broadcasting and sweep up everyone's traffic and very little is being done about it?
In fact, there's already something similar: http://wiki.opencellid.org/wik... and probably https://github.com/SecUpwN/And...
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
One still needs a way to prevent the cellular device from being pushed to the "New" tower.
Sadly, handset makers and mobile OS makers have not been able to give a "Blacklist tower" feature, or have not been willing to give such a feature. The towers MUST be uniquely identifiable for the tower mesh network to communicate reliably-- so, a means of uniquely identifying and refusing to play ball with a specific "Tower" should absolutely be possible.
Google and Apple should step up to the plate on that.
What is the frequency range of an IMEI snatcher...could the RTL-SDR (software defined radio) dongle with the correct firmware and antenna pinpoint these as well?
http://en.wikipedia.org/wiki/S...
Instead of just spotting recent additions, also look for timing advance shifts over a certain margin while the tower/antenna ID remains the same. I am not a cellular engineer, but it would seem that would be a possible indicator of a spoofed tower.
Silence is a state of mime.
Are these towers allowed by the FCC? I would think hijacking signals would be extremely illegal. Also, how do they make sure these stingers only allow connections from the person that they are tracking? If they are not narrowing it down to a single person and non-targeted persons are able to connect with it and are not covered by a warrant, then that would be extremely illegal.
If you are not allowed to question your government then the government has answered your question.
I just looked at one of the apps using opencellid -- and I'm not sure how clean the data will be. The default is to upload the position of any cell tower it sees, which means it would be uploading the position of Stingrays too. Then when a user connects to a Stingray listed in the database of towers, well, they've been given a false sense of security.
What changed under Obama? Nothing Good
Isn't the tower handoff stuff all handled in the baseband firmware, though? I'd think that there would be memory limitations in current designs to prohibit that being feasible. And I'd also think that adding more memory wouldn't be feasible because handset manufacturers want tiny, low power components, and more memory and more complicated firmware logic might "blow their budget" so to speak.
Rawr
All you need is a few kilobytes of storage. Most phones have this already in the underlying hardware for use with things like the region ID and the like.
Seriously, each entry in the blacklist needs only the UUID of the blacklisted tower. That's it. Hell, this could live in the damned SIM card.
Everything else can live in the app.
The primary methods of detecting IMSI-Catchers and fake BTSs are described here (pdf), and due to the variety of manufacturers' baseband interfaces, there wasn't an easy way to uniformly detect these devices.
IMSI-Catcher doesn't seem to work on my old, non-GSM Android, but I've also found OsmocomBB to be interesting; it's an open source GSM broadband implementation that seems to work on some older, cheap phones, like some motorola candy bars; check out Catcher Catcher for more info.
In terms of the IMSI Catcher devices themselves, I've seen estimations of $20 to $1500 to make one, from using cheap RTL-SDR devices to a full SDR (~$400-1500) to run a full fake GSM BTS.
The legal usage of IMSI-Catchers doesn't seem clear to me. It is essentially a MiTM attack, which at least Android devices seem to go out of their way to ignore. The law enforcement usage seems worded in ways that would just confuse 50+ year old judges. And they have to go far out of the way to make sure that you don't notice an interruption in service, by forwarding any on-going communications to their intended recipients and tunneling them back, if they are run over time and don't disassociate.
I haven't seen any estimation on how often these things are used. Besides, hacked femtocells are probably also responsible for a lot of these rogue BTSs; I wonder if that would be discovered with such detection methods?
If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
Seems to run fine on my rooted Galaxy Note 3.
Many thanks for the link !
BTW, does the app work in countries outside of the US? I routinely go to countries where the government is known to have been spying on its own citizens, such as Singapore and Saudi Arabia, for business trips, and I suspect the 'stingray' towers are set up there as well.
If this app works in those countries as well, it would be *MOST WONDERFUL* for users worldwide, at least enabling them to know when they are being spied on, and so on.
Even without baseband support, if your OS/platform of choice exposes the cell tower ID to the main processor and gives you APIs to trigger it, you could have an app that looks for the towers you don't like and, when it finds one, switches the phone to airplane mode and gives you a warning. Apple does not provide the relevant APIs (although anyone concerned enough about privacy that they are worried about rogue cell towers shouldn't be using a crApple phone anyway).
Android appears to provide APIs for getting the cell tower ID. Switching airplane mode on can't be done by apps as of Android 4.2 (it was made a protected setting, presumably for valid reasons), but if you root your device you can overcome that limitation.
If you have an N900, you can easily get access to the cell tower ID AND toggle airplane mode via dbus calls.
Not only does this app detect suspicious network configurations and behaviors on your phone, you can also optionally upload your results to improve a web site where the security level and abnormal behavior of networks worldwide is crowdsourced: gsmmap.org.
The app, the theory behind it and information about other attack vectors beside IMSI catchers, SS7 in particular, was presented at the 2014 Chaos Communication Congress in Hamburg, Germany. You can download videos of the talks by Tobias Engel and Karsten Nohl. Of course those weren't the only interesting talks. Almost all recordings should be available on the CCC-TV page by now. There are more SS7 talks, but for something different I recommend this presentation. OMFG.
Unfortunately, that will primarily give false positives. Cell companies bring in COWs to serve in temporary situations, such as county fairs, sporting events, concerts, and disasters. A COW is indistinguishable from a StingRay.
John
which is available now only for Andriod. Cue the editors' bullcrap.
Of course it's "for android", you idiot. It's for Android because it requires a device running Android. The extra restriction of requiring Qualcomm's chipset doesn't negate the primary requisite.
You seem to know more than I do; however, the COW, being a device inserted into the carrier's network by said carrier, I would think would have a different ID for whatever load-balancing/handoff protocols occur on that network. This may not be true, as it may be easier to just copy an existing base station ID than provision all the backend hoo haw for a temporary device. But if it is true, my scheme should not produce as many false positives as thought.
By their nature (unless willingly installed by the carrier), a stingray would be spoofing its identity and therefore slightly easier to detect. Combined with a crowdsourced map to create a basic whitelist, you could do quite a bit I wager.
Silence is a state of mime.
IMSI catchers work in part by forcing a channel downgrade to the earlier GSM standard, where the phone has to authenticate to the tower but the tower does not have to authenticate to the phone. UMTS requires two-way authentication. Current cell phones allow "fallback" to GSM from UMTS to handle service areas, and IMSI catchers exploit this. If your phone supported only UMTS, an IMSI catcher would be unable to authenticate to your phone. I'm sure it's no coincidence that phones do not allow you to select UMTS only, but you can change this on a jailbroken iPhone by modifying one of the configuration files. When picked up by an IMSI catcher, such a modified iPhone would be unable to make/receive calls, but at least you would know what is happening and there is nothing for the government to tap into.
No, the 4th Amendment bans "unreasonable" searches and seizures. The warrant kicks in when a court thinks a search or seizure *would* be reasonable, and has a lot of limitations like particularly describing what's being searched for, and the court's supposed to kick the prosecutors out if the search wouldn't be reasonable. (Yeah, right, don't hold your breath too long.)
Wiretapping a phone requires a warrant, and it's not clear whether broad general wiretaps like IMSI catchers violate the 4th Amendment even if they can get a court to rubber-stamp them. (It's clear to me that they're not, but I'm not in charge of policy, and with Roberts in charge of the Supreme Court, he's presumably just fine with them.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What I'd really like for an application like this is something that can run on a $50 burner phone, most of which run Android 2.3 because they don't have the CPU horsepower for 4.x (or more realistically, something I can run on my old Android 2.1 phone :-) There are starting to be
This is mainly because I'm not interested in rooting my main phone, but would like to try it anyway, but also, if I were doing the kinds of protests where cops are hauling around IMSI catchers to track people, I'd want to be using a burner phone.
(Yes, I realize that here in the San Francisco Bay Area, a "Burner Phone" can just as well mean a propane-powered phone with a steam whistle and an MDMA dispenser in the back that only runs on the Playa.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Some time ago I worked with a cellular modem. The cellular modem has lots of AT commands, including ones that show the actual frequency, base IDs, power and all this stuff. I also have looked at cellular modules for Arduino, and they have such commands too. I've seen no cellphones that have such functions (I don't count smartphones, since nobody knows what kind of malware is on them).
In every location there is a fixed set of visible bases. There may be some bases visible intermittently, but such bases would have a low power level (Stingrays have a high power level by definition). And this is one of many methods of stingray detection.
What does it mean? That it's possible to assemble an Arduino or PIC with such a module and make a simple cellphone with a Stingray detector and everything else you like (including a scrambler). Since you need a programmer to load a program, such a device would be absolutely immune to malware, too.
I looked at GSM modules on eBay. They are small enough to fit in a watch and they have all the needed features in their own firmware. They only need a battery, mike, speaker and something that would give them AT commands to connect. And they are cheap enough.
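Several posts above sketch single indicators (a timing-advance shift while the cell ID stays the same, a strong cell that is visible only briefly, a push from UMTS down to one-way-authenticated GSM, a cell missing from a crowdsourced tower map), and the summary quotes Nohl on warning only once stream analysis crosses a threshold. As an added example that is not SnoopSnitch's code, this Python sketch scores a constructed observation stream against those indicators; the cell IDs, field values, margins and threshold are assumptions, and the last cell in the sample shows why a lone "unknown cell" hit (what a carrier's temporary COW would produce) should not warn by itself.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Obs:
    t: int         # seconds since start of capture
    cell_id: str   # cell identity as reported by the baseband
    rat: str       # radio access technology: "GSM", "UMTS" or "LTE"
    ta: int        # timing advance (in GSM one unit is roughly 550 m)
    rssi: int      # received signal strength in dBm
    cipher: str    # cipher the network selected, "none" if unencrypted

KNOWN_CELLS = {"cell-A", "cell-B"}  # constructed stand-in for a tower database
TA_MARGIN = 3         # TA units a "same" cell may move before we suspect a clone
STRONG_DBM = -60      # unusually strong signal for a macro cell
TRANSIENT_SECS = 120  # a real cell does not appear and vanish this fast
THRESHOLD = 3         # independent indicators needed before warning

def analyse(stream: List[Obs]) -> Dict[str, List[str]]:
    """Return {cell_id: sorted indicators} for every cell that tripped a rule."""
    reasons = defaultdict(set)
    last_ta: Dict[str, int] = {}
    seen = defaultdict(list)   # cell_id -> [(t, rssi), ...]
    prev_rat = None
    for o in stream:
        if o.cell_id not in KNOWN_CELLS:
            reasons[o.cell_id].add("unknown-cell")    # a COW trips this too
        if o.cell_id in last_ta and abs(o.ta - last_ta[o.cell_id]) > TA_MARGIN:
            reasons[o.cell_id].add("ta-jump")         # same ID, different distance
        last_ta[o.cell_id] = o.ta
        if prev_rat in ("UMTS", "LTE") and o.rat == "GSM":
            reasons[o.cell_id].add("downgrade")       # pushed to one-way-auth GSM
        if o.rat == "GSM" and o.cipher == "none":
            reasons[o.cell_id].add("no-cipher")
        prev_rat = o.rat
        seen[o.cell_id].append((o.t, o.rssi))
    end = stream[-1].t if stream else 0
    for cid, hits in seen.items():
        span = hits[-1][0] - hits[0][0]
        gone = hits[-1][0] < end - TRANSIENT_SECS    # vanished while capture went on
        if max(r for _, r in hits) >= STRONG_DBM and span < TRANSIENT_SECS and gone:
            reasons[cid].add("transient-strong")
    return {cid: sorted(r) for cid, r in reasons.items()}

def flagged(stream: List[Obs]) -> List[str]:
    """Cells whose indicator count crosses THRESHOLD."""
    return [cid for cid, r in analyse(stream).items() if len(r) >= THRESHOLD]

# Constructed sample: camping on cell-A, a brief strong unciphered GSM cell,
# back to cell-A, then an unknown but otherwise normal-looking cell (COW-like).
SAMPLE = [
    Obs(0,   "cell-A",   "UMTS", 2, -80, "UEA1"),
    Obs(30,  "cell-A",   "UMTS", 2, -82, "UEA1"),
    Obs(60,  "cell-X",   "GSM",  0, -50, "none"),
    Obs(90,  "cell-X",   "GSM",  0, -52, "none"),
    Obs(120, "cell-A",   "UMTS", 2, -81, "UEA1"),
    Obs(150, "cell-COW", "UMTS", 4, -70, "UEA1"),
    Obs(300, "cell-COW", "UMTS", 4, -71, "UEA1"),
]
```

Running `flagged(SAMPLE)` yields only `cell-X`; `cell-COW` carries the single `unknown-cell` indicator and stays below the threshold.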
I recently purchased and started playing with the OnePlus One. It's easily rooted (this is my first non-Apple mobile phone) and I already have many apps that track tower IDs, but...
For someone like myself who doesn't travel all that often, I look at these apps every now and then to remember where my towers are. This is so that when I do need to do something I want private, I can simply recall if the tower I'm connected to is what I remember.
Not hard to do
That's an easy one: just invoke the DMCA. If we are not allowed to "circumvent security measures" -- no matter how pathetic -- then others should not be allowed to circumvent ours.
Oh wait: it's "the bullies of the block" who are ignoring such stuff with impunity, and who's going to tell them that they should not be doing it?
But they're not, as I understand it, circumventing the encryption. They're simply using it to track you by your cellular signal, as opposed to some other method that would require installing a program on your phone and activating GPS. It's closer to radio direction finding than snooping in on your phone calls (which is already easy enough to do, just get a warrant for a tap on your line).
My point was, though, since there are numerous examples of weaknesses in the phone system that no one should simply assume it's secure, or that any data transmitted across it is private. You're carrying a portable radio tower in your pocket, for crying out loud, broadcasting each and every bit for everyone in a certain area to hear. What's to stop anyone from setting up an unlicensed device and snooping in on your signals?
I never said they should be doing it, only that within the context of existing laws the devices themselves are legal, and that because of known problems with cellular phones no one should expect anything done with them to be private. It's like complaining that someone abused a security vulnerability on Facebook and leaked some private stuff: Facebook has a long history of privacy snafus, putting private information on there and expecting it to stay private and nothing to ever go wrong is the act of a dum-dum.
Rawr
Say you're an ordinary person, and you got ahold of one of these Stingrays, and started gathering data? Would you be breaking any laws?
What if you were interested in blackmailing the people you snooped on? Would you have to actually threaten to reveal the information you had gathered to get arrested, or is possession of the device and the gathered information enough?
Not sure what good those answers would be, if I had them. The police are above the law, more often than not. What is a crime for someone not in a blue uniform is just another day at the office for cops, most of the time.
There's no time like the present. Well, the past used to be.