Slashdot Mirror


New App Detects Government Stingray Cell Phone Trackers

HughPickens.com writes IMSI catchers, otherwise known as stingrays, are those surveillance tools that masquerade as cell towers and trick mobile phones into connecting, spewing private data in the process. Law-enforcement agencies have been using them for almost two decades, but there's never been a good way for individuals to detect them. Now Lily Hay Newman reports that SnoopSnitch scans for radio signals that indicate a transition to a stingray from a legitimate cell tower. "SnoopSnitch collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates," say German security researchers Alex Senier, Karsten Nohl, and Tobias Engel, creators of the app, which is available now only for Android. The app can't protect people's phones from connecting to stingrays in the first place, but it can at least let them know that there is surveillance happening in a given area. "There's no one set of information, taken by itself, that allows you to detect an IMSI catcher," says Nohl. "But we do stream analysis of everything that happens on your phone, and can come out with a warning if it crosses a certain threshold."

Stingrays have garnered attention since a 2011 Arizona court case in which one agent admitted in an affidavit that the tool collaterally swept up data on "innocent, non-target devices" (U.S. v. Rigmaiden). The government eventually conceded in this case that the "tracking operation was a Fourth Amendment search and seizure," meaning it required a warrant. But given that the Justice Department has continued to claim that cellphone users have no reasonable expectation of privacy over their location data, it may take a Supreme Court judgement to settle the Stingray issue countrywide.

12 of 71 comments

  1. Re:Oh, an app you say by Anonymous Coward · · Score: 5, Informative

    JFGI

    https://opensource.srlabs.de/projects/snoopsnitch/repository

  2. requires root access and will only run on Qualcomm by kipple · · Score: 5, Interesting

    "This app requires root access and will only run on devices with Qualcomm chipset."

    That's not "for android". That's playing a Qualcomm trick with the baseband.

    I also wonder if a better way might be (but I'm speculating here) to use the measured distance from the nearest cell tower (called Timing Advance), as in http://stackoverflow.com/a/137... - and couple it with a public database of known celltowers locations to spot recent "additions".

    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
  3. Re:Oh, an app you say by Anonymous Coward · · Score: 2, Informative

    Here
    git clone --recursive https://opensource.srlabs.de:/git/snoopsnitch.git

  4. Re:requires root access and will only run on Qualc by spacefight · · Score: 2

    It's still better than having nothing at hand.

  5. Re:requires root access and will only run on Qualc by kipple · · Score: 4, Informative

    In fact, there's already something similar: http://wiki.opencellid.org/wik... and probably https://github.com/SecUpwN/And...

    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
  6. Re:Why is this allowed in the first place? by Xicor · · Score: 2

    You are talking about the government here... all they would have to do is strong-arm the carrier to add their towers to the list.

  7. Re:Why is this allowed in the first place? by wierd_w · · Score: 5, Interesting

    A better approach would be to keep a triangulation map of available towers over time.

    The point of stingrays is that they are mobile. Cell towers are NOT.
    Similar to older war-driving apps, the app looks for tower broadcast signals, even when it does not intend to hop. It keeps a record of the GPS coordinates of the handset (Seriously, a smartphone without a gps these days?) and the detected signal levels of all towers it sees.

    It then builds a virtual geographical map of cellular towers based on its own radio data over time. The sudden, mysterious appearance of a new tower where there previously was not one, (and also where there does not seem to be capacity reason for one to be added, or one with a suspiciously small radius of service) would get flagged, and should get blacklisted by the phone until the user specifically says "No, it's OK to connect" (It may be a microcell at a crowded event or something)

    That should allow creation of a stable whitelist over time.
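
The tower-map idea in the comment above, sketched as an added example (not code from the thread or from SnoopSnitch). The class name `TowerMap`, the grid size, the visit threshold and the cell ids are all assumptions made for illustration; the scans are constructed sample data.

```python
from collections import defaultdict

GRID_DEG = 0.01   # assumed size of one "area" (about 1 km of latitude)
MIN_VISITS = 3    # assumed: scans of an area before it counts as mapped

class TowerMap:
    """Hypothetical local tower baseline built only from the handset's own scans."""

    def __init__(self):
        self.visits = defaultdict(int)  # grid square -> scans recorded there
        self.known = set()              # whitelist learned over time
        self.blocked = set()            # flagged cells awaiting a user decision

    def observe(self, lat, lon, cell_ids):
        """Record one scan; return the cells in it that are currently blocked."""
        square = (round(lat / GRID_DEG), round(lon / GRID_DEG))
        mapped = self.visits[square] >= MIN_VISITS
        for cell in cell_ids:
            if cell in self.known or cell in self.blocked:
                continue
            # A never-seen cell in a well-mapped area is suspicious;
            # in an unmapped area it simply becomes part of the baseline.
            (self.blocked if mapped else self.known).add(cell)
        self.visits[square] += 1
        return sorted(self.blocked & set(cell_ids))

    def approve(self, cell_id):
        """User says 'No, it's OK to connect' (e.g. a microcell at an event)."""
        self.blocked.discard(cell_id)
        self.known.add(cell_id)

# Constructed sample scans: (lat, lon, cell ids heard). Not real measurements.
SCANS = [
    (52.5210, 13.4010, {"cell-A", "cell-B"}),
    (52.5211, 13.4012, {"cell-A", "cell-B"}),
    (52.5209, 13.4009, {"cell-A"}),
    (52.5210, 13.4011, {"cell-A", "cell-B", "cell-X"}),  # cell-X appears late
]

def run(scans):
    """Replay scans through a fresh map and collect the blocked cells per scan."""
    tower_map = TowerMap()
    return [tower_map.observe(lat, lon, ids) for lat, lon, ids in scans]

if __name__ == "__main__":
    print(run(SCANS))
```

A cell that is already transmitting while an area is first being mapped is learned as known, so the baseline is only as trustworthy as the period in which it was built.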

  8. Re:requires root access and will only run on Qualc by wierd_w · · Score: 2

    One still needs a way to prevent the cellular device from being pushed to the "New" tower.

    Sadly, handset makers and mobile OS makers have not been able to give a "Blacklist tower" feature, or have not been willing to give such a feature. The towers MUST be uniquely identifiable for the tower mesh network to communicate reliably-- so, a means of uniquely identifying and refusing to play ball with a specific "Tower" should absolutely be possible.

    Google and Apple should step up to the plate on that.

  9. Re:Why is this allowed in the first place? by wierd_w · · Score: 2

    I know. The problem is that it is impossible to tell a legit microcell from a totally not legit stingray.

    The default should be "suspicious: do not use", with an option to manually enable.

    The user will know if they are at a major civic event or not, and hopefully will know when they are under a major emergency situation.

  10. Re:requires root access and will only run on Qualc by anagama · · Score: 2

    I just looked at one of the apps using opencellid -- and I'm not sure how clean the data will be. The default is to upload the position of any cell tower it sees, which means it would be uploading the position of Stingrays too. Then when a user connects to a Stingray listed in the database of towers, well, they've been given a false sense of security.

    --
    What changed under Obama? Nothing Good
  11. Re:FCC? by wierd_w · · Score: 3, Informative

    You haven't been following the stories on stingray use, have you?

    Law enforcement agencies use them to eavesdrop on multiple cellular devices in the espionage radius, hoping to catch their perps. The data of innocent civilians driving past also gets logged. This has been reported on. It is not handset specific.

    The illegality of the practice does not seem to matter much except when the trial judge demands to know the source of the evidence. Even then, law enforcement frequently LIES about using stingrays.

    A community method of tracking and recording stingray deployments in large urban centers that is public domain would open the doors to some serious FOIA request hilarity.

    "Hello, NYPD? Yes, according to OpenTowerMap.Org, it appears that a new cell tower with unique ID XXXXXXXX went into operation in the area near to where your investigation into Nicky the Nose was going on, suspiciously consistent with the length of your investigation. Since your investigation against Mr Nose has concluded, there should be no reason whatsoever to deny my request for any information you have on the use of a cellular monitoring device during that period at that location. Specifically, we want to know how many non-suspects accessed the device, and what the current status of their records is, and also what degree or level of transparency your agency has taken to inform those innocent citizens that their data was collected as part of your investigation."

    etc.

  12. IMSI Catchers are Wiretaps, usually illegal by billstewart · · Score: 2

    No, the 4th Amendment bans "unreasonable" searches and seizures. The warrant kicks in when a court thinks a search or seizure *would* be reasonable, and has a lot of limitations like particularly describing what's being searched for, and the court's supposed to kick the prosecutors out if the search wouldn't be reasonable. (Yeah, right, don't hold your breath too long.)

    Wiretapping a phone requires a warrant, and it's not clear whether broad general wiretaps like IMSI catchers violate the 4th Amendment even if they can get a court to rubber-stamp them. (It's clear to me that they're not, but I'm not in charge of policy, and with Roberts in charge of the Supreme Court, he's presumably just fine with them.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks