New App Detects Government Stingray Cell Phone Trackers
HughPickens.com writes IMSI catchers, otherwise known as stingrays, are those surveillance tools that masquerade as cell towers and trick mobile phones into connecting, spewing private data in the process. Law-enforcement agencies have been using them for almost two decades, but there's never been a good way for individuals to detect them. Now Lily Hay Newman reports that SnoopSnitch scans for radio signals that indicate a transition to a stingray from a legitimate cell tower. "SnoopSnitch collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates." say German security researchers Alex Senier, Karsten Nohl, and Tobias Engel, creators of the app which is available now only for Android. The app can't protect people's phones from connecting to stingrays in the first place, but it can at least let them know that there is surveillance happening in a given area. "There's no one set of information, taken by itself, that allows you to detect an IMSI catcher," says Nohl. "But we do stream analysis of everything that happens on your phone, and can come out with a warning if it crosses a certain threshold."
Stingrays have garnered attention since a 2011 Arizona court case in which one agent admitted in an affidavit that the tool collaterally swept up data on "innocent, non-target devices" (U.S. v. Rigmaiden). The government eventually conceded in this case that the "tracking operation was a Fourth Amendment search and seizure," meaning it required a warrant. But given that the Justice Department has continued to claim that cellphone users have no reasonable expectation of privacy over their location data, it may take a Supreme Court judgement to settle the Stingray issue countrywide.
JFGI
https://opensource.srlabs.de/projects/snoopsnitch/repository
Lots of 4A searches do not require warrants -- searches incident to arrest, custodial searches, searches with consent, and probably more. The warrant requirement only kicks in when a warrantless search would be "unreasonable" (violate a reasonable expectation of privacy, and such expectation is narrower than most non-lawyers would believe).
That's one thing. But these are ILLEGAL devices being used without even so much as warrants.
"This app requires root access and will only run on devices with Qualcomm chipset."
That's not "for android". That's playing a Qualcomm trick with the baseband.
I also wonder if a better way might be (but I'm speculating here) to use the measured distance from the nearest cell tower (called Timing Advance), as in http://stackoverflow.com/a/137... - and couple it with a public database of known celltowers locations to spot recent "additions".
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
Here
git clone --recursive https://opensource.srlabs.de:/git/snoopsnitch.git
It's still better than having nothing at hand.
Can't we add support to Android so that e.g. I can load a carrier cert into a special store used only for the cell radio operations and then have an option to authenticate towers before connecting to them? Is there any way for a carrier to publish a whitelist of tower info that can't be easily cloned? How do we have this infrastructure where anyone can start broadcasting and sweep up everyone's traffic and very little is being done about it?
In fact, there's already something similar: http://wiki.opencellid.org/wik... and probably https://github.com/SecUpwN/And...
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
One still needs a way to prevent the cellular device from being pushed to the "New" tower.
Sadly, handset makers and mobile OS makers have not been able to give a "Blacklist tower" feature, or have not been willing to give such a feature. The towers MUST be uniquely identifiable for the tower mesh network to communicate reliably -- so, a means of uniquely identifying and refusing to play ball with a specific "Tower" should absolutely be possible.
Google and Apple should step up to the plate on that.
I'd say that depends on the cellular technology in question.
Most likely the signals will be in the 700-850mhz band, or the 1700-2100mhz band, depending on the technology and carrier.
I do think that this is technically inside the RTL-SDR dongle's reception capabilities.
What is the frequency range of your cell phone?
CLI paste? paste.pr0.tips!
Instead of just spotting recent additions, also look for timing advance shifts over a certain margin while the tower/antenna ID remains the same. I am not a cellular engineer, but it would seem that would be a possible indicator of a spoofed tower.
Silence is a state of mime.
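The two heuristics proposed in this sub-thread (a serving cell that is not in a baseline of known cells, and a timing-advance jump while the cell ID stays the same), as an added example that is not part of the thread or of SnoopSnitch. The baseline builder also addresses the later point that a crowd-sourced tower list can be polluted by the fake base station itself: a cell is only admitted after repeated sightings. Cell IDs, LACs, TA values and the 550 m per TA step are constructed sample data and assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# One GSM timing-advance step corresponds to roughly 550 m of path distance.
TA_STEP_METERS = 550


@dataclass(frozen=True)
class CellObs:
    """One serving-cell report from the handset (constructed sample data)."""
    lac: int      # location area code
    cell_id: int  # cell identity
    ta: int       # timing advance, in steps


def build_baseline(history, min_sightings=3):
    """Admit a (lac, cell_id) into the trusted set only if it was seen at
    least min_sightings times over the baseline period. A short-lived fake
    base station that was logged once does not make it into the whitelist."""
    counts = Counter((o.lac, o.cell_id) for o in history)
    return {key for key, n in counts.items() if n >= min_sightings}


def detect_anomalies(stream, baseline, ta_margin=2):
    """Walk a stream of CellObs and return (index, reason) alerts for:
    - a serving cell that is not in the baseline (a "recent addition"), and
    - a timing-advance jump above ta_margin while the cell id stays the
      same (a static tower should not move relative to a static phone)."""
    alerts = []
    last_ta = {}
    for i, obs in enumerate(stream):
        key = (obs.lac, obs.cell_id)
        if key not in baseline:
            alerts.append((i, f"cell {key} not in baseline"))
        prev = last_ta.get(key)
        if prev is not None and abs(obs.ta - prev) > ta_margin:
            metres = abs(obs.ta - prev) * TA_STEP_METERS
            alerts.append((i, f"cell {key} TA moved {prev}->{obs.ta} (~{metres} m)"))
        last_ta[key] = obs.ta
    return alerts


# Constructed sample: a week of normal sightings, then today's stream.
HISTORY = [CellObs(0x1A2B, 4101, 1)] * 5 + [CellObs(0x1A2B, 4102, 3)] * 4 \
          + [CellObs(0x1A2B, 9999, 0)]   # seen once: not admitted
TODAY = [
    CellObs(0x1A2B, 4101, 1),
    CellObs(0x1A2B, 4101, 1),
    CellObs(0x1A2B, 7777, 0),   # never seen before, and very close
    CellObs(0x1A2B, 4101, 6),   # same id, but suddenly ~2.7 km further away
]

if __name__ == "__main__":
    for idx, why in detect_anomalies(TODAY, build_baseline(HISTORY)):
        print(idx, why)
```

A legitimate COW (cell on wheels) brought in for an event would also trip the first rule, so the unknown-cell alert is an indicator to investigate, not proof of an IMSI catcher.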
I just looked at one of the apps using opencellid -- and I'm not sure how clean the data will be. The default is to upload the position of any cell tower it sees, which means it would be uploading the position of Stingrays too. Then when a user connects to a Stingray listed in the database of towers, well, they've been given a false sense of security.
What changed under Obama? Nothing Good
You haven't been following the stories on stingray use, have you?
Law enforcement agencies use them to eavesdrop on multiple cellular devices in the espionage radius, hoping to catch their perps. The data of innocent civilians driving past also gets logged. This has been reported on. It is not handset specific.
The illegality of the practice does not seem to matter much except when the trial judge demands to know the source of the evidence. Even then, law enforcement frequently LIES about using stingrays.
A community method of tracking and recording stingray deployments in large urban centers that is public domain would open the doors to some serious FOIA request hilarity.
"Hello, NYPD? Yes, according to OpenTowerMap.Org, it appears that a new cell tower with unique ID XXXXXXXX went into operation in the area near to where your investigation into Nicky the Nose was going on, suspiciously consistent with the length of your investigation. Since your investigation against Mr Nose has concluded, there should be no reason whatsoever to deny my request for any information you have on the use of a cellular monitoring device during that period at that location. Specifically, we want to know how many non-suspects accessed the device, and what the current status of their records is, and also what degree or level of transparency your agency has taken to inform those innocent citizens that their data was collected as part of your investigation."
etc.
Isn't the tower handoff stuff all handled in the baseband firmware, though? I'd think that there would be memory limitations in current designs to prohibit that being feasible. And I'd also think that adding more memory wouldn't be feasible because handset manufacturers want tiny, low power components, and more memory and more complicated firmware logic might "blow their budget" so to speak.
Rawr
I would assume they operate in the same frequencies as any given carrier, so potentially any of these frequencies depending on the carrier you're targeting.
I don't think so. If I understand it right, the way this detector works is by spotting discrepancies in the handoff between your carrier's tower and the IMSI catcher. Since your SDR isn't connected to the carrier there is no handoff. So the IMSI catcher would be indistinguishable from any other fixed tower, mobile tower, or microcell, as it is designed to be.
Rawr
All you need is a few kilobytes of storage. Most phones have this already in the underlying hardware for use with things like the region ID and the like.
Seriously, each entry in the blacklist needs only the UUID of the blacklisted tower. That's it. Hell, this could live in the damned SIM card.
Everything else can live in the app.
RTLSDR has pisspoor dynamic range (8 bit ADC), sure you can do some triangulation, but it will be very inaccurate & unreliable. Also current generation technology has a bandwidth of ~10MHz, RTLSDR can only do about ~3MHz max. (example of triangulating a VHF signal here : http://www.rtl-sdr.com/triangu...) There's plenty of cheap SDR projects out there nowadays, much, much better than the RTLSDR. And if you're serious, really advanced hardware will only set you back a few thousand $$$. (http://www.ettus.com/product/details/E310-KIT)
The primary methods of detecting IMSI-Catchers and Fake BTS's is described here (pdf), and due to the variety of manufacturers' baseband interfaces, there wasn't an easy way to uniformly detect these devices.
IMSI-Catcher doesn't seem to work on my old, non-GSM Android, but I've also found OsmocomBB to be interesting; it's an open source GSM broadband implementation that seems to work on some older, cheap phones, like some Motorola candy bars; check out Catcher Catcher for more info.
In terms of the IMSI Catcher devices themselves, I've seen estimations of $20 to $1500 to make one, from using cheap RTL-SDR devices to a full SDR (~$400-1500) to run a full fake GSM BTS.
The legal usage of IMSI-Catchers doesn't seem clear to me. It is essentially a MiTM attack, which at least Android devices seem to go out of their way to ignore. The law enforcement usage seems worded in ways that would just confuse 50+ year old judges. And they have to go far out of the way to make sure that you don't notice an interruption in service, by forwarding any on-going communications to their intended recipients and tunneling them back, if they are run over time and don't disassociate.
I haven't seen any estimation on how often these things are used. Besides, hacked femtocells are probably also responsible for a lot of these rogue BTS's; I wonder if that would be discovered with such detection methods?
If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
Seems to run fine on my rooted Galaxy Note 3.
Even without baseband support, if your OS/platform of choice exposes the cell tower ID to the main processor and gives you APIs to trigger it, you could have an app that looks for the towers you don't like and, when it finds one, switches the phone to airplane mode and gives you a warning. Apple does not provide the relevant APIs (although anyone concerned enough about privacy that they are worried about rogue cell towers shouldn't be using a crApple phone anyway).
Android appears to provide APIs for getting the cell tower ID. Switching airplane mode on can't be done by apps as of Android 4.2 (it was made a protected setting, presumably for valid reasons), but if you root your device you can overcome that limitation.
If you have an N900, you can easily get access to the cell tower ID AND toggle airplane mode via dbus calls.
Unfortunately, that will primarily give false positives. Cell companies bring in COWs to serve in temporary situations, such as county fairs, sporting events, concerts, and disasters. A COW is indistinguishable from a StingRay.
John
You seem to know more than I do; however, the COW, being a device inserted into the carrier's network by said carrier, I would think would have a different ID for whatever loadbalancing/handoff protocols occur on that network. This may not be true, as it may be easier to just copy an existing base station ID than provision all the backend hoo haw for a temporary device. But if it is true, my scheme should not produce as many false positives as thought.
By their nature (unless willingly installed by the carrier), a stingray would be spoofing its identity and therefore slightly easier to detect. Combined with a crowdsourced map to create a basic whitelist, you could do quite a bit I wager.
Silence is a state of mime.
No, the 4th Amendment bans "unreasonable" searches and seizures. The warrant kicks in when a court thinks a search or seizure *would* be reasonable, and has a lot of limitations like particularly describing what's being searched for, and the court's supposed to kick the prosecutors out if the search wouldn't be reasonable. (Yeah, right, don't hold your breath too long.)
Wiretapping a phone requires a warrant, and it's not clear whether broad general wiretaps like IMSI catchers violate the 4th Amendment even if they can get a court to rubber-stamp them. (It's clear to me that they're not, but I'm not in charge of policy, and with Roberts in charge of the Supreme Court, he's presumably just fine with them.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What I'd really like for an application like this is something that can run on a $50 burner phone, most of which run Android 2.3 because they don't have the CPU horsepower for 4.x (or more realistically, something I can run on my old Android 2.1 phone :-) There are starting to be
This is mainly because I'm not interested in rooting my main phone, but would like to try it anyway, but also, if I were doing the kinds of protests where cops are hauling around IMSI catchers to track people, I'd want to be using a burner phone.
(Yes, I realize that here in the San Francisco Bay Area, a "Burner Phone" can just as well mean a propane-powered phone with a steam whistle and an MDMA dispenser in the back that only runs on the Playa.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Some time ago I worked with a cellular modem. The cellular modem has lots of AT commands, including the ones that show the actual frequency, base IDs, power and all this stuff. I also have looked at cellular modules for Arduino, and they have such commands too. I've seen no cellphones that have such functions (I don't count smartphones since nobody knows what kind of malware is in there).
In every location there is a fixed set of visible bases. There may be some bases visible intermittently, but such bases would have a low power level (Stingrays have a high power level by definition). And this is one of lots of methods of stingray detection.
What does it mean? That it's possible to assemble the Arduino or PIC with such a module and make a simple cellphone with a Stingray detector and everything else you like (including the scrambler). Since you need a programmer to load a program, such a device would be absolutely immune to malware, too.
There are some interesting chips, I mean Silicon Laboratories EzRadioPro Si4464 and the similar ones. They receive GMSK and I think it's possible to tune them to the 900-MHz GSM band. Unfortunately I have no idea about 1800 MHz bands. The specialized GSM modules look more interesting and require less work.
I looked at GSM modules on Ebay. They are small enough to fit in a watch and they have all the needed features in their only firmware. They only need a battery, mike, speaker and something that would give them AT-commands to connect. And they are cheap enough.
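The "fixed set of visible bases" heuristic from this post, as an added example that is not the poster's code or any module's firmware. Neighbour-cell listings are vendor-specific on real modules, so the `+NEIGHBOR:` response lines parsed here are a constructed format standing in for whatever the module actually returns; the cell IDs, levels and the -70 dBm threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed line format standing in for a module's vendor-specific
# neighbour-cell listing (assumed, not a real AT command):
#   +NEIGHBOR: <lac-hex>,<cell-id>,<rx-level-dBm>
NEIGHBOR_RE = re.compile(r'^\+NEIGHBOR:\s*([0-9A-Fa-f]+),(\d+),(-?\d+)$')


def parse_scan(text):
    """Parse one scan (the modem's multi-line response) into
    {(lac, cell_id): rx_dbm}. Lines that do not match (command echo,
    the final 'OK') are ignored."""
    cells = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            cells[(int(m.group(1), 16), int(m.group(2)))] = int(m.group(3))
    return cells


def flag_intermittent_strong(scans, min_presence=0.5, strong_dbm=-70):
    """scans: list of parse_scan() results taken from one fixed location.
    A base visible in fewer than min_presence of the scans is 'intermittent'.
    Intermittent AND strong (>= strong_dbm) is the combination the post calls
    out: genuine fringe cells fade in and out weakly, not loudly.
    Returns the sorted list of flagged (lac, cell_id) keys."""
    presence = defaultdict(int)
    peak = {}
    for scan in scans:
        for key, dbm in scan.items():
            presence[key] += 1
            peak[key] = max(peak.get(key, -999), dbm)
    total = len(scans)
    return sorted(k for k in presence
                  if presence[k] / total < min_presence and peak[k] >= strong_dbm)


# Constructed scans: three regular cells, one weak fringe cell that comes and
# goes (normal), and one loud cell that shows up in a single scan (suspect).
SCANS = [parse_scan(t) for t in [
    'AT+NEIGHBOR?\n+NEIGHBOR: 1A2B,4101,-61\n+NEIGHBOR: 1A2B,4102,-74\n'
    '+NEIGHBOR: 1A2B,4105,-80\n+NEIGHBOR: 1A2B,4190,-101\nOK',
    '+NEIGHBOR: 1A2B,4101,-63\n+NEIGHBOR: 1A2B,4102,-72\n+NEIGHBOR: 1A2B,4105,-81\nOK',
    '+NEIGHBOR: 1A2B,4101,-60\n+NEIGHBOR: 1A2B,4102,-75\n+NEIGHBOR: 1A2B,4105,-79\n'
    '+NEIGHBOR: 1A2B,7777,-52\nOK',
    '+NEIGHBOR: 1A2B,4101,-62\n+NEIGHBOR: 1A2B,4102,-73\n+NEIGHBOR: 1A2B,4105,-80\nOK',
]]

if __name__ == "__main__":
    print(flag_intermittent_strong(SCANS))
```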
I recently purchased and started playing with the OnePlus One. It's easily rooted (this is my first non-Apple mobile phone) and I already have many apps that track tower IDs, but...
For someone like myself who doesn't travel all that often, I look at these apps every now and then to remember where my towers are. This is so that when I do need to do something I want private, I can simply recall if the tower I'm connected to is what I remember.
Not hard to do
But they're not, as I understand it, circumventing the encryption. They're simply using it to track you by your cellular signal, as opposed to some other method that would require installing a program on your phone and activating GPS. It's closer to radio direction finding than snooping in on your phone calls (which is already easy enough to do, just get a warrant for a tap on your line).
My point was, though, that since there are numerous examples of weaknesses in the phone system, no one should simply assume it's secure, or that any data transmitted across it is private. You're carrying a portable radio tower in your pocket, for crying out loud, broadcasting each and every bit for everyone in a certain area to hear. What's to stop anyone from setting up an unlicensed device and snooping in on your signals?
I never said they should be doing it, only that within the context of existing laws the devices themselves are legal, and that because of known problems with cellular phones no one should expect anything done with them to be private. It's like complaining that someone abused a security vulnerability on Facebook and leaked some private stuff: Facebook has a long history of privacy snafus, putting private information on there and expecting it to stay private and nothing to ever go wrong is the act of a dum-dum.
Rawr
Say you're an ordinary person, and you got ahold of one of these Stingrays, and started gathering data? Would you be breaking any laws?
What if you were interested in blackmailing the people you snooped on? Would you have to actually threaten to reveal the information you had gathered to get arrested, or is possession of the device and the gathered information enough?
Not sure what good those answers would be, if I had them. The police are above the law, more often than not. What is a crime for someone not in a blue uniform is just another day at the office for cops, most of the time.
There's no time like the present. Well, the past used to be.