Americans’ Cellphones Targeted in Secret U.S. Spy Program (wsj.com)
252 points by dshibarshin on Nov 13, 2014 | hide | past | favorite | 67 comments



The US Marshals are not the only federal law enforcement agency doing something like this. According to documents I obtained through a FOIA in 2012, ICE has purchased an airborne mounting kit and paid for airborne training for their Stingray II cell phone tracking gear. See: https://www.documentcloud.org/documents/479397-#document/p44

Anyone interested in learning more about IMSI catchers and their use by US law enforcement agencies might be interested in this law review article I wrote. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678


>The US Marshals are not the only

yep. The cell phone tracking has actively been used for tracking and targeting in Ukraine/Russia war on Donbass by both sides.


In all seriousness, when police circumvent the existing legal methods for gaining access to information, and when they spy on people without warrants, why should the "normal channels" be left open?

Isn't it about time to repeal things like CALEA, or to accept that the cost of having a system like this is that it should be the only system?

"But we're afraid bad guys would act like they live in a surveillance state if they actually knew they lived in a surveillance state!" I... I just don't know how to understand that mindset.

I know there are evil criminals in the world, and I'll bet that having power and dominion over everyone is a fun trip, but it's also corrosive to what the US has always pretended to be.


There are also IMSI Catchers intercepting GSM all over the USA, for example this twitter feed reported one at SFO airport recently:

https://twitter.com/cellhacking/status/524562944928264192

And all over Washington DC:

https://twitter.com/esdamerica/status/512293117052334080


There are now a few Android apps in development to keep track of the towers your devices use day to day to hopefully detect rogue IMSI catchers.

This one is the most promising: http://signup.spideyapp.com/



Whenever I warn friends about this, I get called a conspiracy theorist :-/

We have a long way to go in educating the general public about technology, its benefits, and its pitfalls.


Thinking aloud in terms of a "solution" - is it possible to build crowdsourced blocklists that can be subscribed to by users, and will refuse to let their phones connect to "fake" celltowers?

P.S. I'm not a wireless guy, so I don't know if there's any kind of a digital giveaway that can distinguish a fake cell tower versus the real one it is spoofing. If there isn't, then perhaps the fault lies with existing wireless comm. standards.


Not until the baseband processor is proprietary. And even then nothing prevents feds from just giving the towers new ids or just manipulating the blacklists.


The solution is to make it illegal and/or enforce it as such.


Here are some excerpts from the WSJ paywalled article:

Cellphones are programmed to connect automatically to the strongest cell tower signal. The device being used by the U.S. Marshals Service identifies itself as having the closest, strongest signal, even though it doesn’t, and forces all the phones that can detect its signal to send in their unique registration information. Even having encryption on one’s phone, such as Apple Co.’s iPhone 6 now includes, doesn’t prevent this process...

The program cuts out phone companies as an intermediary in searching for suspects. Rather than asking a company for cell-tower information to help locate a suspect, which law enforcement has criticized as slow and inaccurate, the government can now get that information itself. People familiar with the program say they do get court orders to search for phones, but it isn’t clear if those orders describe the methods used because the orders are sealed.

Also unknown are the steps taken to ensure data collected on innocent people isn’t kept for future examination by investigators. A federal appeals court ruled earlier this year that over-collection of data by investigators, and stockpiling of such data, was a violation of the Constitution.

This isn't exactly new. Harris' Stingray price list has AIRBRN-KIT-CONUS for sale for $9,000, dating back to 2008: https://info.publicintelligence.net/Harris-SurveillancePrice...

Here's a 2013 post on the so-called DRTBOX: http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-sur...

And another blog post from 2013 saying "Immigration and Customs Enforcement (ICE) purchased $3 million worth of Stingrays over several years, and are purchasing airborne mounting kits for both drones and manned aircraft": http://gritsforbreakfast.blogspot.com/2013/03/bypassing-tele...

An earlier FOIA response from 2012: http://s3.documentcloud.org/documents/479397/stingrayfoia.tx... "The training will cover all of Harris Stringray ll operations from an airborne platform.-Specifically, four students are to attend this special training on three different software packages GSM, and CDM mobile handsets) for the Program... The schedule is more unpredictable due to a large portion of the training taking place in an aircraft."

To summarize: if you live in the U.S.[1], your cell phone info (IMSI etc.) has been slurped up by flying FedGov "dirtboxes" without your knowledge, stored in perpetuity, without any law passed by Congress explicitly authorizing this, in violation of the Constitution's Fourth Amendment, and at best authorized by a secret court order from a secret court. Sigh.

[1] I presume most of the HN US readers live in or near metro areas, and the WSJ article says the program covers "most of the U.S. population." Obviously if you're in Idaho or Alaska, you're less likely to be caught in this particular data vacuum cleaner.


In addition to the egregious complaints citizens could make, wouldn't telecoms and cellphone manufacturers have grounds to sue over this? It sounds like these boxes are actively disrupting or reducing cell-phone service reliability by tricking devices to connect to them, despite not being a good tower.


Ultimately, it's the government that mediates the dispute. They're the government's airwaves and you (the cell phone provider) receive a license to use them. I haven't read the relevant FCC regulations, but they can easily say "cell phone service is secondary; law enforcement is primary".

There is precedent: amateur radio operators can use any means available to them to transmit life-critical messages when licensed methods/frequencies don't work. If that was to set up a fake cell phone tower and get phones to connect, then one could argue that one was using the frequencies legally. (IANAL; don't do this and say I said it was OK. The usual case is something like using your amateur radio to contact the coast guard if your ship is sinking.)


IIRC, most phones will talk to multiple towers at the same time. They mention attempting to keep disruption to a minimum. One would assume they care about not tipping someone off if their phone was acting funny.


While these active MitM attacks are important (the methods seem to be similar to ARP poisoning), we shouldn't leave out the passive capabilities. These may not even be listed as a feature, if it is a different tool that parses the already-captured traffic as a deferred job.

As we see mentioned here on HN all the time, there is a massive amount of interesting data that can be pulled out of large datasets. The original WP publication[1] about COTRAVELER gives a very nice example of the power in just knowing very-inaccurate (cell-sized) location data. You probably don't even need any particular cell-network identifying number, given how easy it is to correlate this kind of data to other identifiers.

[1] http://apps.washingtonpost.com/g/page/world/how-the-nsa-is-t...


And I assume the "USA Freedom Act", which has been drastically watered down already and Democrats are now pretending to want to revive it (after losing Senate...) so they look good at the next elections, doesn't even cover this sort of surveillance.


There are two ways in which the "USA Freedom Act" could cover flying dirtboxes: regulation and reporting. I've been working on http://recent.io/ rather than following this closely but I'm not aware of any effect the bill would have on dirtboxes (love that term!).


Resistance is futile, you have been assimilated.


At a certain point, everyone will realize this has to stop. I've started to wonder though, if the way to beat the government at this is not to try and stop them, but to encrypt things in such a way that they can no longer use technology like this.

Personally, one thing I like about open source software is that I can host pretty much whatever I want, whenever I want. If this development path continues, I'd imagine that eventually there might be some entrepreneurial cell company[0] that would simply encrypt it all anonymously.

Obviously, this would mean a few changes to the way we do things. For example, maybe instead of triangulating your cellular position in an emergency, iOS and Android could create a 'distress' api that would allow for emergency services to access your location, and then alert you with the status. To be honest, it would end up working in a similar way as Emergency and Amber alerts on your device[1].

Realistically, it probably won't happen like this, but if privacy won't be given to us, we need to take it.

[0] http://www.artemis.com/ [1] http://support.apple.com/en-us/HT5795


It's already fixed (I think) from UMTS upwards. In GSM (2G) the tower authenticated the handset but not vice versa. In UMTS+ the authentication is mutual. To impersonate a cell tower you would therefore need to be able to sign with the carrier's signing keys.

One of the most interesting and unreported aspects of these Stingray boxes is how they handle the 2G/3G divergence here. In the USA there's also CDMA to think about and I don't know how that handles authentication, if at all. I suspect such IMSI catchers emulate a GSM base station and possibly jam 3G frequencies to try and force phones to downgrade. I don't think there's any way to tell phones to never use GSM even if it's the only option, but if there was, I suspect that'd "fix" things (except most people wouldn't know about or use them). Ultimately the only thing that can stop this is a phasing out of 2G entirely but that won't happen any time soon, and even once it's done, by that point law enforcement will have got used to the ability to just follow everyone around all the time and would insist that they MUST be able to use these devices otherwise chaos and anarchy would follow, so they'd probably mount a vigorous lobbying campaign to get the signing keys.
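To make the "mutual authentication" point above concrete, here is an added toy model (not code from the thread, and not a real 3GPP implementation): a GSM SIM answers any RAND it is given, while a USIM first checks the MAC and sequence number inside AUTN and refuses a challenge that was not built with the subscriber key K. The f1/f2/f5 functions are HMAC-SHA256 stand-ins for the operator's MILENAGE-style algorithm set, and the key, the AMF value and the class names are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed subscriber key shared by the (U)SIM and the home network.
K = bytes.fromhex("00112233445566778899aabbccddeeff")


def _prf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the 3GPP f1/f2/f5 functions (assumption:
    real networks use MILENAGE or another operator-chosen algorithm set)."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf):   # MAC-A: proves the challenge came from a holder of K
    return _prf(k, b"f1", rand, sqn, amf)[:8]


def f2(k, rand):             # RES / SRES: the handset's answer to the challenge
    return _prf(k, b"f2", rand)[:8]


def f5(k, rand):             # AK: anonymity key that hides SQN inside AUTN
    return _prf(k, b"f5", rand)[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UMTSNetwork:
    """Genuine network: holds K, so it can build AUTN = (SQN xor AK) || AMF || MAC."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def challenge(self):
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        amf = b"\x80\x00"
        autn = _xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        return rand, autn, f2(self.k, rand)          # XRES stays network-side


class RogueUMTSCell:
    """IMSI catcher without K: it can send a RAND, but cannot forge a valid MAC."""

    def challenge(self):
        rand = os.urandom(16)
        autn = os.urandom(6) + b"\x80\x00" + os.urandom(8)
        return rand, autn, None


class USIM:
    """UMTS handset side: verifies MAC and SQN before answering at all."""

    def __init__(self, k: bytes):
        self.k, self.sqn_max = k, -1

    def respond(self, rand: bytes, autn: bytes):
        sqn, amf, mac = _xor(autn[:6], f5(self.k, rand)), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return None                                # MAC failure: not our network
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_max:
            return None                                # replayed challenge
        self.sqn_max = n
        return f2(self.k, rand)


class GSMSIM:
    """GSM handset side: RAND in, SRES out, nothing to verify about the sender."""

    def __init__(self, k: bytes):
        self.k = k

    def respond(self, rand: bytes) -> bytes:
        return f2(self.k, rand)


def umts_attach(network, usim) -> str:
    """Outcome of one UMTS AKA run between a network (real or rogue) and a USIM."""
    rand, autn, xres = network.challenge()
    res = usim.respond(rand, autn)
    if res is None:
        return "rejected_by_handset"
    if xres is not None and hmac.compare_digest(res, xres):
        return "attached"
    return "rejected_by_network"


def umts_replay(network, usim) -> str:
    """A captured genuine challenge replayed a second time fails the SQN check."""
    rand, autn, _ = network.challenge()
    usim.respond(rand, autn)
    return "rejected_by_handset" if usim.respond(rand, autn) is None else "attached"


def gsm_rogue_attach(sim) -> bool:
    """A rogue GSM cell sends any RAND; the SIM answers and the rogue accepts."""
    return sim.respond(os.urandom(16)) is not None
```

Two caveats the model makes visible: the USIM only rejects the rogue because the rogue lacks K, which is exactly why the comment above worries about signing keys being handed over; and AKA runs after the identity exchange, so a cell that merely wants the IMSI can still send an Identity Request before authentication and get an answer. What it cannot do without K is keep the phone attached or derive the session keys.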


The ars technica article I link here:

https://news.ycombinator.com/item?id=8607062

discusses police departments purchasing equipment that will work with phones that can't be forced to 2G (partly in anticipation of carriers switching 2G off).


Yeah, well .. here is the thing:

We, the free people, can build drones and we can also put wifi repeaters on them and we can - instead of sniffing things - actively participate in the construction and maintenance of wide open communication systems, for all to use. Everyone.

That is the other end of the scale of all this secrecy and control - there is another end of the NSA conundrum, and it's all about open source. So, you know: getting your own local network started, and stopping just 'consuming it' from the powers that be, is sort of a priority, folks. If you don't want to have a secret oppressor, push to have fewer secrets kept in the world. It's a fact that the corruption of all governments begins with their secrets.

So .. as someone who has a fleet of small drones above his head right now, albeit sleeping while the LiPos charge, here is a technology I think should be pointed out that is a little less prone to snooping, and with the right kind of neighborhood, gives us all a great amount of freedom to communicate, nevertheless:

http://ronja.twibright.com/

Snoop on that, Feds!


My new kickstarter, a cell tower locator and a high power green laser pointer. Whenever the device detects a cell tower above 500' AGL it activates the green laser pointer and directs it at the detected tower signal. :-)


> A Justice Department official would neither confirm nor deny the existence of such a program. The official said discussion of such matters would allow criminal suspects or foreign powers to determine U.S. surveillance capabilities.

This is the go-to defense for surveillance secrecy. However, not discussing such matters allows criminal officials to abuse these powers without repercussion.


>The official said discussion of such matters would allow criminal suspects or foreign powers to determine U.S. surveillance capabilities.

Not to mention U.S. citizens!

I mean, if they want to use that argument, then they should actually limit their surveillance to "criminal suspects" and "foreign powers".

>This is the go-to defense for surveillance secrecy.

Indeed. And note how it used to be terrorism that provided the tidy justification for sweeping up large numbers of random U.S. citizens in these operations. Now, just plain ol' criminal suspects and foreign powers provide enough justification for domestic spying.

The goalposts are moving. We will all be accustomed to the surveillance state soon enough. Nothing to see here.


Isn't it illegal to transmit on frequencies one is not licensed to use?


At $9,000 per machine. Is it possible for a civilian to purchase it?

Knowing this is unconstitutional and if there are no government laws (shouldn't be right?) forbidding you from purchasing it, can I sue them if they refuse to sell me one?

Correct me if I'm wrong but putting this machine around Wall Street (given you know how to sell and buy stocks) would probably get you $9k back in less than a day, hm?

I still wonder though, if cellphone technology is secure and traffic encrypted, then how come they can listen to it? Wouldn't it be that Verizon or Apple had to give them some sort of keys to open the traffic and read it? (serious question)


That's incorrect.

It's illegal for you to do something like this. Very illegal. They would likely arrest you for attempting to purchase one, even if you had done nothing wrong. You could try to sue them, but then you can do that at any time; trying is never the problem, the consequences are.

It's not a situation where they were granted permission to do it, in a Constitutionally friendly sort of way.

These are extra-legal programs, where nobody will get in trouble regardless of the context, and they're simply saying: just try to stop us.


Why is receiving data openly transmitted on the airwaves illegal?


These aren't passive devices. They have to "stomp" on AT&T's signal to get your phone to associate with them, then spoof as the carrier.

There is a loophole though - if you target a phone with the correct bands, one of the european bands is a ham radio band in the US, so licensed operators can play around that way.

Also, the DIY version is about $1000.


Ask Google about their Street View wardriving project... an appeals court ruled that it violated the Wiretap Act.

http://www.wired.com/2014/04/threatlevel_0401_streetview/


That was quite different though, because Google was (inadvertently) recording packet data as well as SSIDs. It's right there in the 3rd paragraph.


> can I sue them if they refuse to sell me one?

No, and you can't sue any company for refusing to sell you their product. In some cases you can sue if they refuse to serve you based on discrimination (i.e. a restaurant or hotel) under the Federal Civil Rights Act, or even a state-level civil rights act or charter, but that's a different set of circumstances. There are all manner of businesses who refuse to sell their goods directly to the consumer and sell to distributors only, and they aren't getting sued over it.

There's also the issue that using the device, period, is against Federal law, yet our Federal government is doing it anyway. They get away with it because they can[1], but you would likely end up in prison, possibly without a public trial.

[1]I think what they are doing is wrong and illegal, but until a judge puts a stop to it they will continue to get away with it.


Let's say they're flying a Cessna 1,500 feet over a metro area, that could easily be millions of cellphone connections. A regular cell tower can't handle that many. I'm wondering how this could work.


You don't have to transmit voice or data, just capture and release IMSI IDs. The capacity is there.


Seems like you would get an excellent picture of everyone's location habits with a small number of flights per city per month.

If this is legal, why can't they just subpoena carriers for the tower census data?


They could try, but they might not get it, and the carriers wouldn't like it - better to ask forgiveness than permission, right? I think it says this in the article.


Not as reliable.


Last year a Cessna (a Skylane or Stationair) orbited around central SF for several hours over 3 or 4 days. The edge of the track was right over my block. It would drone by every few minutes. It did not have a removed door or anything that would indicate a camera platform. The constant orbit wouldn't make sense for a photographic mapping platform.

It was not on flighttrack, no ADS-B info, and too high to see the N number.


Isn't it time Google and Apple build some protections inside Android and iOS against this?

Maybe do something like what these guys did, but I'm sure they can come up with even more comprehensive protections:

http://www.wired.com/2014/09/cryptophone-firewall-identifies...


The application OS is basically irrelevant when talking about cell communications. They'd have to design their own boards to even have a chance at isolating the "baseband" processor - to say nothing of controlling its behavior, especially as carriers want to keep its workings secret for "security"

Most phones (anything CDMA, or most everything LTE) use a Qualcomm SoC, with both the baseband and application processor sharing the same memory space. This is a recipe for anything on the application processor being pwned beyond recognition.

The last time I played with Qualcomm/CDMA (around 2007), I used proprietary software (QPST) to do undocumented incantations to clone an ESN from one phone to another. When I called the number, both rang. Picking both up led to hearing the conversation in both. This tells you precisely how good their idea of "encryption" is.

The entire Qualcomm ecosystem is a black box, and is there even a remote chance they don't have a partnership with the NSA? I'm sure San Diego is seen as a key national security interest - if it weren't "secured" by the NSA, then China/Russia intelligence would do so (or an uppity colony looking for a leg up).

I'll happily eat these words when there's an open source GSM or CDMA stack, portable hardware to run it, and the ability to pay for network access anonymously. But for now, I see Wifi/Mifi as the only plausible way forward.


Can you provide some technical documentation that supports your assertion that the baseband and the application processor are sharing memory space? I thought they use different processors that are supporting essentially independent operating systems.


They're independent operating environments, but that doesn't mean their memories are isolated.

It's commonly accepted that most mobile SoCs operate this way. See the diagram/text on page 2 of https://www.usenix.org/system/files/conference/woot12/woot12... . To the extent that a specific Qualcomm processor might avoid such a design, it's impossible to know due to their longstanding culture of security through obscurity.

AFAIK, the Raspberry Pi is set up the same way, with the black box GPU being the master of the CPU that is commonly used to run Linux. This setup is only less problematic because the GPU lacks an unobservable network link.

Even the i9100, with an independent modem, was found to be set up with shared memory for communication - http://redmine.replicant.us/projects/replicant/wiki/GalaxySI...

Models like the Samsung i9300 have the modem chipset as an independent unit, although I've seen a block diagram indicating that the eMMC flash and modem RAM are in the same package, which is worrying.


Your information is out of date.

Modern Qualcomm basebands are restricted by an MMU and isolated from the main OS. Carriers wanted this because baseband exploits were such a common way for phones to get rooted. Additionally they have been hardened considerably in recent times, apparently modern Qualcomm basebands are much, much harder to hack than they once were. And they run now on a proprietary CPU design called, I think, Hexagon, which makes even just disassembling the thing a bit tricky.


I can believe this, because they do have an interest in preventing any random party from taking over a phone. Unfortunately, there is a large gap between being resistant to exploits, and convincing the world that you're resistant to exploits through open review.

BTW do you mean "rooting" in the longstanding sense of general exploitation, or in the recent narrow sense of the owner of a device obtaining control of it? There's of course an overlap between these two, but insight into the specific business motivation would be interesting.


Being from San Diego, I can state that SAIC is right physically down the street from any number of Qualcomm campus buildings. Also note that, while I am not a conspiracy guy, the security community there has always been fairly tight; a lot of the top feeders know each other, and there are a lot of interworking groups, guilds, clubs, that would easily lend themselves to partnerships, cooperations, things like that. I am just saying not to rule it out.


Given the nature of the sniffing, the best offering would probably be "turn off cell antenna, use wifi."

Given the above, I wonder if the airplanes are also listening to other stuff past cellular.


With T-Mobile and iOS, I have wifi calling. I would not be opposed if it turned off the cell antenna whenever I could instead make and receive calls over wifi.


If you have a Samsung s3 International version you can use this to identify when your GSM connection has no encryption https://github.com/darshakframework/darshak

Works on Intel xgold basebands by giving access to the event log


I understand that you can sniff IMSI without being a recognized carrier. But to actually get a cell phone to join your tower – don't you need the carrier's keys to be able to authenticate during the tower handshake? (iOS 5+ warns about unencrypted tower connections, so presumably these have to be authenticated UMTS?)

If so, should we expect that the carriers surrendered their keys to law enforcement to allow them to run fake cell towers that authentically emulate their networks?


That's how IMSI catchers work, your phone joins their network. The network determines the level of encryption, if any. And last I remember there were basically no handsets out there that would even report missing encryption, so I'm not too sure on the iOS 5+ part, but unless you are staring at your screen all the time you would probably miss any such warning anyway.

(Not to mention that A5/1 is broken, but since Stingrays have been around forever and companies don't like investing into something that's not broken, I don't think they even do that. Certainly not at 9k bucks.)


These are all still using GSM, which doesn't authenticate the network right? I really wish I could disable GSM on the iPhone like I could on my Android - none of the networks I regularly use have usable GSM networks. It's a waste of battery and a wide open security hole. Plain old classic GSM needs to die. Bring on the UMTS/LTE future.


There are a smattering of media reports saying that they can attack LTE (the new system or upgrade is called "Hailstorm").

They are pretty thin though:

http://arstechnica.com/tech-policy/2014/09/cities-scramble-t...


This makes me wonder if the government has or is working on drones that home in on a specific cellphone signal with a specific id after being trained.

Not just for tracking but an "icbm" kind of drone. First for military use, then for domestic use like how the police always get military weapon, iris scanners, etc.


I believe this has already been done in Yemen, as part of the programme of murdering foreign nationals in countries the US is not at war with.


The US is "at war" with the entire world, even their so-called friends. You don't spy on your friends, you spy on your enemies. You don't do secret raids and secret bombings on third parties, you do that to your enemies. We've always been at war with <fill in the blank>.


[deleted]


[deleted]


My bad. I read the article this morning, then posted the link now. I didn't see the correction before, and now reading it, you're right. Deleting the parent.



It's tragic to see the self-inflicted damage that out-of-control surveillance has caused to the international reputation of the US and its tech industry. Sad.


At this point, why would a terrorist even use a cellphone?


Not owning a cell phone might be a red flag by itself, maybe? (plus moving it around once in a while)

Hm, I see black market business potential here.


I think cell antennas have unique identifiers. If true, can you detect when you connect to a tower that isn't your usual tower in your usual geographic location (assuming you're being targeted at home, for example).

And if there is indeed a unique id, can the fake cell take the id of a real cell and still work with the cellphone company, or would it need the cooperation of the cellphone company? (for example, the cell company would look at hops?)

I guess it's too much to hope that the cellphone companies would try to protect our privacy.

Maybe someday we'll have police running things similar to license scanners but for cellphone conversations. They'll drive around the city recording conversations to detect keywords for illegal activity (herb, drug, murder of crows, etc)

EDIT: actually, I don't think they need to hijack cellphone connections. They can just listen in - at least they used to be able to. We determined the identities of the bombers of our embassies in Africa in the late-90s through cellphone conversations through RC-135s flying along the Africa coast from Diego Garcia, and an intelligence gathering satellite that drags an antenna behind it.


GSM contains a half-baked kludge to make passive tracking of phones impractical. The phone transmits its IMSI only when the network asks it to (e.g. when connecting to the network) and then uses a random session identifier ("TMSI") for normal traffic. So if you want to reliably identify and track a particular phone or subscriber without assistance from the network, you have to actively MitM the network.
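Several comments in this thread ask the same question from different angles: whether a tower-tracking app, a crowdsourced baseline of known cell ids, or a "no encryption" indicator can give away a rogue cell, and what to do when the rogue simply clones a real cell's id. The following added example (not from the thread and not the code of any app mentioned in it) runs a handful of such heuristics over a constructed observation log: an unknown cell id, GSM with A5/0, a downgrade from LTE to GSM coinciding with a jump in signal strength, a LAC change that forces a location update, and an Identity Request for the IMSI after the phone already holds a TMSI, which is exactly the active step the comment above describes. The record fields are assumptions about what a baseband exposes, and the baseline set, PLMN, cell ids and signal values are all made up.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}   # higher is newer


@dataclass
class Obs:
    """One cell observation as a handset could log it (field set is an
    assumption about what the modem exposes to an app)."""
    t: int                        # seconds since start of log
    rat: str                      # "GSM", "UMTS" or "LTE"
    plmn: str                     # MCC+MNC
    lac: int                      # location / tracking area code
    cell_id: int
    rssi: int                     # dBm
    cipher: str                   # e.g. "A5/0" (GSM, none), "A5/1", "EEA2"
    identity_req: Optional[str]   # identity type the network asked for, if any


CellKey = Tuple[str, int, int]


def analyse(obs: List[Obs], known: Set[CellKey]) -> List[Tuple[int, str, CellKey]]:
    """Return (time, alert_kind, cell) triples. 'known' is the baseline of
    cells previously seen at this location (crowdsourced or learned on-device)."""
    alerts = []
    prev = None
    for o in obs:
        key = (o.plmn, o.lac, o.cell_id)
        if key not in known:
            alerts.append((o.t, "unknown_cell", key))
        if o.rat == "GSM" and o.cipher == "A5/0":
            alerts.append((o.t, "no_encryption", key))
        if o.identity_req == "IMSI" and prev is not None:
            # After attach the phone is addressed by TMSI; a fresh request for
            # the IMSI is what a catcher needs and a real network seldom sends.
            alerts.append((o.t, "imsi_request_after_attach", key))
        if prev is not None:
            if RAT_RANK[o.rat] < RAT_RANK[prev.rat] and o.rssi >= prev.rssi + 10:
                alerts.append((o.t, "downgrade_with_stronger_signal", key))
            if o.lac != prev.lac and key not in known:
                # A new LAC forces a location update, i.e. a transmission to
                # the new cell; suspicious only when the cell is also unknown.
                alerts.append((o.t, "lac_change_to_unknown_cell", key))
        prev = o
    return alerts


def verdict(alerts, threshold: int = 2) -> str:
    """Combine distinct alert kinds so that a cloned cell id (which passes the
    baseline check) still trips on the remaining signals."""
    kinds = {kind for _, kind, _ in alerts}
    return "suspicious" if len(kinds) >= threshold else "clean"


# Constructed baseline and log: two normal LTE cells, then a strong,
# unencrypted GSM cell with an unknown id and LAC that asks for the IMSI.
KNOWN_CELLS: Set[CellKey] = {("310260", 4100, 11001), ("310260", 4100, 11002)}
SAMPLE_LOG = [
    Obs(0,   "LTE", "310260", 4100, 11001, -85, "EEA2", None),
    Obs(60,  "LTE", "310260", 4100, 11002, -88, "EEA2", None),
    Obs(120, "GSM", "310260", 9999, 31337, -60, "A5/0", "IMSI"),
    Obs(180, "LTE", "310260", 4100, 11001, -86, "EEA2", None),
]

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG, KNOWN_CELLS)
    for t, kind, cell in found:
        print(f"t={t:4d} {kind:32s} {cell}")
    print(verdict(found))
```

The baseline check alone is the weak link: as one reply above notes, nothing stops the operator of the box from advertising a real cell's id. That is why the verdict counts distinct kinds rather than trusting any single one; a cloned id still shows up as a downgrade, a cipher of A5/0, and an out-of-place IMSI request.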


I wonder how much drag that antenna has.


wouldn't have to relay calls, collecting numbers shouldn't take that long


We changed the url to one that seems to work, via https://news.ycombinator.com/item?id=8604931.


Wait, and this is news why?



