Slashdot Mirror

← Back to Stories (view on slashdot.org)

NYPD Says Talking About Its IMSI Catchers Would Make Them Vulnerable To Hacking (vice.com)

Posted by BeauHD on from the breach-of-security dept.

An anonymous reader quotes a report from Motherboard: Typically, cops don't like talking about IMSI catchers, the powerful surveillance technology used to monitor mobile phones en masse. In a recent case, the New York Police Department (NYPD) introduced a novel argument for keeping mum on the subject: Asked about the tools it uses, it argued that revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking. The New York Civil Liberties Union (NYCLU), an affiliate of the ACLU, has been trying to get access to information about the NYPD's IMSI catchers under the Freedom of Information Law. These devices are also commonly referred to as "stingrays," after a particularly popular model from Harris Corporation. Indeed, the NYCLU wants to know which models of IMSI catchers made by Harris the police department has. "Public disclosure of this information, and the amount of taxpayer funds spent to buy the devices, directly advances the Freedom of Information Law's purpose of informing a robust public debate about government actions," the NYCLU writes in a court filing. The group has requested documents that show how much money has been spent on the technology. After the NYPD withheld the records, the FOI request was escalated to a lawsuit, which is where the NYPD's strange argument comes in (among others). "Public disclosure of the specifications of the CSS [cell site simulator] technologies in NYPD's possession from the Withheld Records would make the software vulnerable to hacking and would jeopardize NYPD's ability to keep the technologies secure," an affidavit from NYPD Inspector Gregory Antonsen, dated August 17, reads. Antonsen then imagines a scenario where a "highly sophisticated hacker" could use their knowledge of the NYPD's Stingrays to lure officers into a trap and ambush them.

28 of 53 comments (clear)

  1. because it hurts the feelings by turkeydance · · Score: 1

    of the elephant in the room if you talk about it

  2. We used to say this about wiretaps too by WillAffleckUW · · Score: 3, Insightful

    That was unconstitutional and illegal as well.

    Admit the crime and stop covering it up.

    --
    -- Tigger warning: This post may contain tiggers! --
  3. Can't be that great a tool by Opportunist · · Score: 4, Informative

    If your security is dependent on you not talking about the technology altogether, it is a pretty insecure and unreliable system altogether and should not be used, especially not in a situation where gathering evidence is critical. How easily could said evidence be thrown out if the tool you use to gather it is so insecure, unreliable and in a generally sorry state that you cannot even TALK about it lest it breaks?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Can't be that great a tool by somenickname · · Score: 4, Interesting

      My thoughts as well. How can this be admissible in court if you can't publicly defend how/what/why you did what you did. If the technology is so vulnerable to hacking, that seems like it has "reasonable doubt" written all over it.

    2. Re:Can't be that great a tool by fred911 · · Score: 2

      Because the law enforcement advises it's agents to use parallel construction when they've got tainted evidence as the basis for a prosecution.

      https://en.wikipedia.org/wiki/...

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    3. Re:Can't be that great a tool by somenickname · · Score: 2

      Sure, I understand that. And, presumably, what law enforcement is worried about is IMSI catcher catchers. Basically, a device that can detect when a spoofed cell phone tower is in play. If such a device were reliable enough that it could be presented as evidence, it could potentially stop stingray based parallel construction in its tracks.

    4. Re:Can't be that great a tool by Fjandr · · Score: 2

      A distributed app collecting signal strength and cell site hardware data could rapidly expose any portable IMSI device. Just needs to be built and publicized by someone with the time, interest, and skill.

    5. Re:Can't be that great a tool by wbr1 · · Score: 1
      It may not be admissible in court. But you can bet the parallel construction story given to defense during discovery and at trial is.

      I solemnly testify that I Officer Green saw the defendant driving with a failed indicator lamp. That i when I discovered 20 kilograms of cocaine.

      --
      Silence is a state of mime.
    6. Re:Can't be that great a tool by meerling · · Score: 1

      What they said is BS, they've been watching too many hollywood movies and tv shows, and are hoping the judge is too stupid to understand the difference between that and reality.

    7. Re:Can't be that great a tool by AmiMoJo · · Score: 1

      It's only used for parallel construction. No need to test it in court.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Can't be that great a tool by BlueStrat · · Score: 3, Insightful

      A distributed app collecting signal strength and cell site hardware data could rapidly expose any portable IMSI device. Just needs to be built and publicized by someone with the time, interest, and skill.

      I'm an R.F. engineering tech. I even worked for Harris (the manufacturer) back in the early '80s.

      I'll bet just comparing phase to obtain directional data and comparing locational data to actual cell site locations should be enough to alert to shenanigans.

      With a bit more sophistication the location could be narrowed to within ~10-15ft. Program a consumer hobby drone with the location, attach about a pound of HE to that drone, and IMSI goes bye-bye.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  4. Novel excuse by JustNiz · · Score: 1

    Hacking? Wow thats a new one. They normally find a way to justify whatever removal of freedoms they are currently inflicting with the good old standby of somehow making it about child porn or child abuse.

  5. First rule of IMSI club by rsilvergun · · Score: 3, Funny

    Do not talk about IMSI club. Second rule: it this is your first night you have to violate someone's rights.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  6. Not to mention by fred911 · · Score: 4, Informative

    The acknowledgement would also at a minimum be an admission of multiple violations of section 301 of the Communications Act.

    https://www.law.cornell.edu/us...

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  7. I can also imagine scenarios... by caladine · · Score: 3, Insightful

    ... where the police having this technology use it on a whim, without a warrant, and with absolutely no oversight.
    Oh, wait. That's already happening and doesn't require a "sophisticated hacker".

  8. Comprehensive defense testing by Fjandr · · Score: 2

    Taking a page from the State actors comprehensively exposing the defensive capabilities of the Internet core, there needs to be a distributed network setup to calculate and correlate all physical cell site information. When shared between a large number of users, it would be trivial to map all permanent physical infrastructure such that any IMSI catcher would light up like a bullseye the second it was turned on. Then that hardware could be targeted for comprehensive testing and exploitation. It wouldn't surprise me to see a future cellular botnet set up to do something just like that if it's not done for more above-board accountability reasons first.

    1. Re:Comprehensive defense testing by Xochil · · Score: 3, Informative

      AIMSICD has been working well for me in this regard.

      https://github.com/CellularPri...

    2. Re:Comprehensive defense testing by AHuxley · · Score: 1

      The next gen will not drop the telco generation or need to swamp an area with different power settings to be the new cell tower.
      Its getting hard to map out. Unless all telco towers are visible/distant and a van/truck/car is also a very powerful new telco tower.
      Gov and mil sites usually mask it with their very own "real" big normal looking cell tower or some very normal looking telco extender or standard contractor decorative private sector cell network.
      The Greek wiretapping case https://en.wikipedia.org/wiki/...–05 showed at the mil and gov level its all done via any telco network :)
      also (Sep. 29 2015) https://theintercept.com/2015/...
      SISMI-Telecom scandal https://en.wikipedia.org/wiki/...
      From the UK (09 June 2015) http://news.sky.com/story/fake...

      --
      Domestic spying is now "Benign Information Gathering"
  9. How about you audit and secure your code? by sandbagger · · Score: 2

    I'm very sorry you did not take security into account to the degree that you should have, and probably did no QA, but the facts are you have to in order to establish the credibility of your system and its data. Everyone else has to.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
  10. Astoundingly stupid... by laird · · Score: 2

    Revealing which models of devices they bought doesn't reduce their security, unless they're using units with widely known security flaws that they leave open.

    Either they're really, really stupid or they think we are. Perhaps both?

    --
    Enable 3D printed prosthetics!
    1. Re:Astoundingly stupid... by currently_awake · · Score: 1

      Tapping phones requires a judicial warrant. If we know the model of IMSI catcher then we'd know if they have the ability to tap our phones without a warrant. Providing that information to a judge might result in a judicial order requiring a judges warrant to use it.

  11. A completely neophyte non-hacker... by KitFox · · Score: 1

    ...could also get their completely non-hacked, normal phone implicated in a crime, knowing that stingrays will be deployed to track it, and then lead them into an ambush.

    --

    @Whee

    1. Re:A completely neophyte non-hacker... by sir-gold · · Score: 2

      Its easier than that.

      Just grab a phone out of one of those recycling bins they have at some electrics stores, and call 911 (all phones can call 911, even if not activated). You don't even have to talk, just make muffled sounds, and the police will eventually show up.

      The police don't even need to have a stingray, they already know where the phone is though e-911

  12. Re:New legal defense? by meerling · · Score: 1

    I have some pretty good ideas on a few ways to figure that out, and I'm not even a phreak!

  13. Re: New legal defense? by meerling · · Score: 1

    Actually they have, but when it's provenance has been questioned, they've withdrawn it so they don't have to admit they used a stingray to get the info in an illegal and unconstitutional invasion of privacy.

  14. translation by Tom · · Score: 2

    revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking.

    In other words: There is at least one audit report giving them very bad marks on security and they don't have the time, budget or expertise to fix the problem. Basically, they should be treated as if they are already hacked by an unknown party or two.

    You are not afraid of disclosing basic information unless you cover up known vulnerabilities.

    --
    Assorted stuff I do sometimes: Lemuria.org
  15. Re: New legal defense? by sir-gold · · Score: 2

    Or they just drop the charges entirely and walk away.

    http://arstechnica.com/tech-po...

  16. Re:RDF by plover · · Score: 1

    Only as long as you know which transmitter to measure. In a cell system, the subscribers aren't transmitting the phone's IMEI or the SIM card's IMSI, nor are they sending out the owner's name and number. They just send a temporary mobile ID, which is a randomly generated number that changes frequently. So which signal do you lock on to? Since 90+% of the population is carrying a cell phone, your $40 directional finder would point at everyone. Even a $40,000 direction finder would point at everyone if it can't tel them apart.

    No, you need to know exactly which signal belongs to the subscriber you're tracking. How? The StingRay works by transmitting like a cell tower so it can trick the suspect's phone into giving up its true identity. Once you can identify a response as coming from the subscriber you're following, those responses can then be measured using a traditional DF. (The StingRay says "ping", and the subscriber's phone replies "pong".) Harris sells the 'AmberJack' DF antenna accessory for use with the StingRay line. It pings the phone for a while, as it rotates the DF antenna. It then shows the average bearing to the strongest received signal, and the approximate distance in meters.

    --
    John