My guess would be that the situation isn't that they can't find the stingrays but that they can't distinguish between "hostile" and "friendly" stingrays. After all, each agency deploying such devices does so as secretly as possible, naturally not alerting other agencies, and so there's no list of friendly stingrays.
It's all very Kim Stanley Robinsonesque in his climate-change trilogy where there are so many US Shadow agencies that they are constantly getting in each other's way.
I'm more under the impression that there are several people who tweet using that account (you'll remember one of his lawyers claiming they did one time he really screwed up) using different platforms.
I can't find the link on mobile right now, but there was an article I read a while back (on HN, actually, I think) where someone did statistical analysis on the speech patterns of Trump's tweets and correlated those with times he was known to have been using his phone (or something like that) and deduced that there were two primary parties responsible for his Twitter account: Trump himself and a PR person/team. Any politically-minded (in the classical sense) or campaign tweet was almost always by the PR team, and every inflammatory, grammatically incorrect, etc. tweet was by him (presumably).
I was thinking of the same article, and found it, I think [1]? There was a higher-rated link also posted around the same time with the same post content [2]. I also found a follow up post [3] while looking for [1].
Hmm, then you need a super-mega-amplifier tacked on to boost the signal over the cable (AFAIK, the frequencies used really like short antenna runs).
So that then means a super-thick faraday cage around the actual device, and probably somewhat noteworthy power consumption (a battery certainly wouldn't be enough).
Probably meant transmitter (antennae + encoder/decoder) separated from actual BTS hardware & operatives.
So after the counter-side finds your camouflaged BTS, it is only a disposable and relatively cheap part and doesn't lead to uncovering the whole operation.
That probe part would then connect to Starbucks Wi-Fi and interact with BTS software somewhere far from the physical location, so you can't quickly trace the channel between the probe and the spy team.
This is old news to anyone living here and paying attention. I've been tracking suspicious cell sites for the past three years in my DC metro neighborhood with an old Android phone and some prosumer software.
Some of the sites are mobile, but most of the ones I found were stationary, and could be easily identified once you know what to look for. I'm pretty sure some of them are seriously degrading cell data/voice quality.
I stopped once I realized there was nothing you could do once you found them. There are only a couple of options for who is deploying them, none of which I want to screw with.
Honestly, I don't want to be on the radar of any entity that is deploying this type of gear in the DC metro area.
I am under no illusion that I can protect myself if targeted by a state based actor. Better to be lost in the crowd.
Best case scenario is it's a legitimate LEO operation.
Worse, it's a federal national security operation.
Worse still, it's a criminal, or foreign national security operation.
Only in the first scenario would the FCC even remotely have the chance to do anything. Even then it might be a legitimate operation, and they do nothing.
It was the responsibility of the FCC to have never allowed these devices to be manufactured, but as is typical they fell for the police exemption excuse. Now they'll be abused more and more.
The protocol should have required enough authentication to make it impossible to manufacture these devices without also having a blessed, revocable key from the carrier you're snooping on.
The FCC could have easily had their police exemption without also providing access to your average HAM, any reasonably competent hobbyist, and the security services of every other nation on the planet.
Security on cellular networks is even more of a joke than on consumer-grade wifi... it's basically a pinky promise not to look at stuff you're not supposed to look at. No fucking wonder there's a mountain of stingray clones in DC. Are they planning to fix this on 5G networks? Because there's no reason to be so concerned over backdoors in Chinese cellular modems as long as we're happily letting them in through the front door.
Does that mean network quality will significantly go down if we shut down the stingrays? I mean when you have 5 nation states deploying a network of stingrays in DC, all trying to compete on being the relay nodes, that does add quite a lot of bandwidth.
Even repeater is not really accurate. Like you say, in normal operation these systems are not working in collaboration with a wireless provider for the data passthrough/handoff. In my experience running these, it's more like the user briefly connects with a service with no connectivity and IMSI/IMEI connection logging only.
So in practice it would look like briefly, usually imperceptibly, losing cell service.
Control of 'manufacturing' was never going to happen. They would literally have to prohibit the sale of high-speed DACs and ADCs to civilians. If you think the War on Drugs was an expensive boondoggle, try keeping LTC2216s out of my hands. :-P
However, it is the responsibility of the FCC to not throw up their hands and say "Duh, we don't know how to find 'em." They have one job -- regulating the use of the RF spectrum -- and that's it.
Or have private-key encoding. That’s the case for HDMI: No-one can manufacture devices that aren’t approved.
Of course the funny part is, it's designed so pirates can only send HDMI output to approved screens (=not recording devices), but for backwards compatibility, they had to allow HDMI-to-SVGA adapters with decoding, so the breach is wide open. But you get the intent: HDMI was supposed to be a fully-encrypted standard with only preapproved devices.
> SnoopSnitch offers tests to assess whether a device is exposed to attacks or surveillance from the mobile network. Here, the primary goal is to help mobile users detect network originated attacks, such as via SS7, SMS, or IMSI catchers. Our secondary goal is to provide a fact-based incentive to Mobile Network Operators to better improve the security of their networks.
> GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
Bah, looks like SnoopSnitch requires root access (and a Qualcomm chipset in the phone) for most/all of the interesting mobile network tests, which is a shame.
Heh. You know what I found most hilarious about this article? I went to it with my iPhone in safari and got asked to share my location. Who needs potential spy devices when all you need to do is compromise your local news site!
I don't understand the assertion that the US Gov't can't do anything to prevent the foreign governments from doing this... The FCC has broad powers to regulate the public airwaves. This technology clearly disturbs authorized and licensed utilization of the airwaves OUTSIDE of the bounds of the Embassies. FCC should have the power to prevent this.
The situation discussed in the article was with regard to Stingray-type devices placed at foreign embassies which are considered foreign soil. The FCC doesn't regulate embassies any more than it regulates Beijing or Moscow.
The Stingrays found on K Street (far from Embassy Row) and some bridges were more likely US government operations.
So the question comes back to are there non-embassy, non-US government Stingrays deployed and how to find them.
Embassies are not "foreign soil". The Russian Embassy in London, for example, is not a Russian place, it's a British place that just happens to have a Russian Embassy building on it. Russians there are not magically exempt from British law.
However, in practice diplomacy is impossible without affording Ambassadors, their staff, the places where they live and work and so on, broad immunity to normal civil law enforcement. Eventually this was formalised as the Vienna Convention, and the current iteration of that convention is the state of the art as far as relations between most countries are concerned.
As a result Convention signatories do NOT on the whole search embassies of other signatories in their country. But it's not because the embassy in any sense isn't in their country.
For example the US government absolutely could tell the Russian mission to all shove off back home, they would be entitled to a "reasonable" amount of time to leave, and then the Ambassador (if he has foolishly remained) is just a Russian citizen in the US without immigration papers, the same for all staff and families. The embassy, the homes, and other facilities are all just ordinary buildings able to be searched by police, parcels sent to the embassy become just ordinary parcels which may be opened, examined, redirected or destroyed as appropriate by the USPS. The Americans would never choose to do this, because diplomatic contact with Russia remains essential, in anything short of total war, but legally they absolutely could.
> diplomacy is impossible without affording Ambassadors, their staff, the places where they live and work and so on, broad immunity to normal civil law enforcement.
Because not every place is a shining example of liberal democracy like the United States.
Diplomacy requires representing your country, which sometimes requires advocating against the preferred policies of your negotiating partners. In some places, if you were subject to their laws, that would get you killed.
To track who (or at least what devices) are in the immediate vicinity of the embassy and when. Patterns in that could easily be useful for catching physical surveillance at the least, as well as catching placed/planted devices that check in that way.
Edit:
To expand on that, some examples:
If a new device shows up and is always present, particularly if it always has about the same signal strength or doesn't appear to move, that indicates a connected IoT device of some sort, and if you're concerned about espionage you may want to take steps to identify it.
If a particular device shows up for 8-12 hour shifts at varying times, but there are no businesses, etc. that would have that kind of attendance pattern, who's carrying that device? An investigator on-site who's also brought a personal device along?
Heck, if you're in an OnStar-equipped vehicle even if you don't have service, your vehicle may show up as always on, or at least may ping regularly.
I'm sure appropriate data mining techniques could pull a surprising amount of information out of the kind of info gathered from these devices.
The loud music would draw a political rebuke / protest response, and then after if it didn't cease, it would plausibly draw some kind of tit for tat response in the other nation. The US can expel diplomats and isolate an embassy (eg cut power, water, etc), essentially making it non-maintainable (inhospitable) as a position. It could also surround it literally, effectively sealing it off to access, preventing the ability to leave (with predictable consequences).
The strong microwaves would be treated as an act of war: an attack on Americans, on American soil, by a foreign power. If it didn't immediately stop, the US would invade that foreign soil and do whatever it decided was required.
> I don't understand the assertion that the US Gov't can't do anything to prevent the foreign governments from doing this...
There has been zero evidence presented so far that it is in fact foreign governments doing any of this. More likely it's the vast cabal of Federal agencies in the greater DC area all disregarding the law because nobody in the US Congress has the will to rein them in. And of course for all we know, the espionage may be entirely legal courtesy of some clandestine national security FISA sign-off.
The US Government system is made up of dozens of extremely powerful agencies, and they are at war with each other at all times for power, information and budget. Sometimes that war is cold, sometimes it's warm.
Simply put, they're all spying on each other and all aspects of the system that is meant to control them (while they attempt to control the system instead).
I wouldn't go so far as to say that there are no federal agencies in the DC Stingray soup, but how can you say it's more likely to be federal agencies in DC of all places?
If there was a single city in the US that foreign agencies would target, it would undoubtedly be DC. The abundance of embassies in the city makes it a very easy target.
True, but at least they have to ask in order to get your location. Rather than just getting the information 24/7 without asking you. Slight difference there.
When I was living in DC, I would frequently find that my phone would have a signal but not functioning service, and I'd have to restart it to get service back. I always suspected Stingray devices.
I know journalism is severely challenged these days, but I wonder if anyone has done or is doing investigations in other cities outside of that region? It would be a surprise if it was limited to just that (admittedly interesting, and yes we already know why) geographic area.
This is likely the tip of the iceberg: devices with active transmission that are easy to find with some effort. I bet there are a lot of passive listeners (cheap SDR is probably all you need) sprinkled around as well that would be very hard to find.
> Turner said cell carriers can't completely secure our phones because they have to allow for law enforcement access.
The key sentence in the article. The reason there isn’t a fix is that our (U.S.) government prefers spying on its citizens over being protected from other powers’ spying.
When an encryption algorithm is no longer secure, it gets phased out and any protocol that uses that algorithm eventually gets denied.
Can someone explain why older protocols like 2g with inadequate encryption can't be phased out? Or why there isn't even an effort or attempt or option to disable it?
It’s not just the ciphers that were weak to begin with. It’s also the lack of mutual authentication: the network checks if the phone is entitled to service but the phone never checks if it’s a legitimate base station.
Telcos do not care about technical means of security. As long as the average person can’t eavesdrop it’s good enough. When it comes to protecting their economic interest (preventing free calls) they use smart cards and strong encryption. 800MHz scanners have been illegal for decades.
Legacy support and reliability are very important (in the context of cellular service which still is inferior to fixed telecommunications). Customers will get angry if you tell them their phone is obsolete. Or encryption incompatibility causes failed calls. The FCC takes a dim view on 911 failures, so phones must have a fallback no enciphering mode to maximize 911 call success. Compatibility with roaming host networks must be maintained.
AT&T shut down their GSM network Jan 1 2017 but UMTS has plenty of vulnerabilities too. The SS7 protocol underpinning the PSTN lacks authentication.
They can't listen to your calls without cracking the keys shared between the phone company and your phone...though I do remember reading a while back that "someone" managed to steal the list from sim card manufacturers on more than one occasion.
That is not true. Stingrays are cell towers and phones trust them. The device just downgrades to A5/2 (export grade) encryption, or broadcasts that it does not support encryption at all.
Seems like a huge oversight to not let SIM cards disable certain types of encryption (that it knows the home network will never use). IIRC this is how downgrade attacks are prevented in EMV - the chip card will reject known-broken auth methods.
The FCC takes a dim view on 911 call failures. All phones must support disabling GSM encryption as a fail safe. Never disabling encryption would be “fail secure” (like door locks that remain locked during a power outage).
Emergency calls already have a bunch of exceptions that don't apply to regular traffic (e.g. you can use any network, heck you don't even need a SIM card), so allowing only those to be unencrypted shouldn't be too much of a stretch.
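The downgrade behaviour described in the comments above (a rogue cell commanding A5/2 or no encryption, with the emergency-call exception) and the earlier remark that stationary suspicious cell sites can be picked out once you know what to look for both lend themselves to a small phone-side heuristic. The following is an added example, not code from any commenter, from SnoopSnitch, or from the article; the event records, cell identifiers and baseline survey are constructed, and the field names are assumptions.

```python
"""Toy IMSI-catcher heuristics over constructed GSM event records (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A5/0 means no encryption; A5/2 is the broken export-grade cipher mentioned
# above. A network that commands either on a normal session is a downgrade.
WEAK_CIPHERS = {"A5/0", "A5/2"}


@dataclass(frozen=True)
class CellEvent:
    t: int                    # seconds into the capture (constructed)
    lac: int                  # location area code advertised by the serving cell
    cell_id: int              # cell identity advertised by the serving cell
    cipher: Optional[str]     # cipher commanded at session setup, None when idle
    emergency: bool = False   # 911-type call, the one case the thread would allow unencrypted


def downgrade_alerts(events):
    """Weak or absent cipher commanded on a non-emergency session -> alert."""
    return [e for e in events if e.cipher in WEAK_CIPHERS and not e.emergency]


def unknown_cell_alerts(events, baseline, min_sightings=3):
    """Cells absent from a baseline survey of this fixed spot that keep appearing.

    A one-off sighting may be a neighbour cell or a handover; a cell that
    is never in the baseline yet persists is the 'stationary site' case."""
    seen = Counter((e.lac, e.cell_id) for e in events)
    return sorted(c for c, n in seen.items() if c not in baseline and n >= min_sightings)


# Constructed baseline: the (LAC, cell id) pairs normally serving one location.
BASELINE = {(4100, 20011), (4100, 20012), (4100, 20013)}

# Constructed capture: a normal day with one extra cell showing up mid-capture.
SAMPLE = [
    CellEvent(0,   4100, 20011, "A5/1"),
    CellEvent(60,  4100, 20012, None),
    CellEvent(120, 4100, 20011, "A5/1"),
    CellEvent(180, 4100, 20011, "A5/0", emergency=True),  # 911 fallback: allowed
    CellEvent(240, 4100, 20011, None),
    CellEvent(300, 4101, 60001, "A5/2"),   # unknown cell, export-grade cipher
    CellEvent(360, 4101, 60001, "A5/0"),   # unknown cell, no encryption at all
    CellEvent(420, 4101, 60001, None),
    CellEvent(480, 4100, 20013, "A5/1"),
]


def run(events=SAMPLE, baseline=BASELINE):
    """Return both alert lists for a capture; the 911 event is not flagged."""
    return {"downgrades": downgrade_alerts(events),
            "unknown_cells": unknown_cell_alerts(events, baseline)}


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, alerts)
```

On the constructed capture both checks point at the same cell (LAC 4101, cell 60001), which is the kind of correlation a survey like the one described in the thread would look for.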
> though I do remember reading a while back that "someone" managed to steal the list from sim card manufacturers on more than one occasion.
To avoid getting folks too worried about it being a widespread issue, this occurred for specifically targeted MENA-based cellular carriers, as I recall.
I know almost nothing about the systems and protocols involved here, but aren't these cell systems hackable? Why has no one tried to connect to one and then compromise it to learn more about what (and who) makes them tick?
Encryption protocols are hard. Two stories, one public and one from my current job:
HTTPS is secured using SSL/TLS. SSLv1 is so bad it didn't survive the laugh test when it was explained to actual cryptographers; I can't find any records of what it did. SSLv2 is also pretty bad. SSLv3 is at last good enough that actual cryptographers spent time finding holes in it, and today it's considered so broken as to be useless.
TLSv1.0 went to the IETF. More eyeballs will fix it, right? Not if they're all engineers. Finally in TLSv1.2 the cryptographers were called in, but only after it was finished. "Hey, is this finished thing secure? Yes or No answers only."
Only in TLS 1.3 which is finished but yet to be official, did they _start_ with cryptographers and do the engineering problems later after the cryptographers had baked in the security.
At work, after a system being in use for several years, I was told we couldn't put more key-value pairs into the session information, it was "full". So I went to see how this could possibly be true. All the session information is turned into a JSON blob, which is turned into a few hundred bytes, and then those bytes are encrypted with RSA with the results stored in a Cookie. RSA is only designed to encrypt small quantities of data, which isn't a problem because it's supposed to be used to move a symmetric key. But far, far more importantly - even if this particular _method_ of doing so is crazy why are we encrypting all this data and hiding it in a Cookie at all? That's crazy.
I agree encryption is hard, but phone encryption protocols are intentionally weak for the wrong reasons. In the past the parameters have been picked low enough that domestic intelligence agencies can purposely hack them, while exporting even worse versions so that foreign adversaries are dead simple to hack. The protocols have changed over time, but this hasn't.
Also, in the examples you cite it's not clear if those standards bodies were infiltrated by the same agencies implicated above. They very much do run covert operations and "plant" people or acquire companies that allow them to weaken these protocols or standards.
[0]: https://arstechnica.com/tech-policy/2018/04/dhs-to-senator-m...
[1]: https://news.ycombinator.com/item?id=16748971