
New App Detects Government Stingray Cell Phone Trackers

HughPickens.com writes IMSI catchers, otherwise known as stingrays, are those surveillance tools that masquerade as cell towers and trick mobile phones into connecting, spewing private data in the process. Law-enforcement agencies have been using them for almost two decades, but there's never been a good way for individuals to detect them. Now Lily Hay Newman reports that SnoopSnitch scans for radio signals that indicate a transition to a stingray from a legitimate cell tower. "SnoopSnitch collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates." say German security researchers Alex Senier, Karsten Nohl, and Tobias Engel, creators of the app which is available now only for Android. The app can't protect people's phones from connecting to stingrays in the first place, but it can at least let them know that there is surveillance happening in a given area. "There's no one set of information, taken by itself, that allows you to detect an IMSI catcher," says Nohl. "But we do stream analysis of everything that happens on your phone, and can come out with a warning if it crosses a certain threshold."

Stingrays have garnered attention since a 2011 Arizona court case in which one agent admitted in an affidavit that the tool collaterally swept up data on "innocent, non-target devices" (U.S. v. Rigmaiden). The government eventually conceded in this case that the "tracking operation was a Fourth Amendment search and seizure," meaning it required a warrant. But given that the Justice Department has continued to claim that cellphone users have no reasonable expectation of privacy over their location data, it may take a Supreme Court judgement to settle the Stingray issue countrywide.

  • Lots of 4A searches do not require warrants -- searches incident to arrest, custodial searches, searches with consent, and probably more. The warrant requirement only kicks in when a warrantless search would be "unreasonable" (violate a reasonable expectation of privacy, and such expectation is narrower than most non-lawyers would believe).

    • No, the 4th Amendment bans "unreasonable" searches and seizures. The warrant kicks in when a court thinks a search or seizure *would* be reasonable, and has a lot of limitations like particularly describing what's being searched for, and the court's supposed to kick the prosecutors out if the search wouldn't be reasonable. (Yeah, right, don't hold your breath too long.)

      Wiretapping a phone requires a warrant, and it's not clear whether broad general wiretaps like IMSI catchers violate the 4th Amendment ev

      • by Entrope ( 68843 )

        You are just addressing a different part of the 4A's limits than I am. Some things are not 4A searches. The government theory here is probably that Smith v. Maryland (1979) makes an IMSI catcher not a 4A search. Some things are 4A searches, but do not require a warrant to be reasonable -- if the police say "mind if I search your car?" and you say that's okay with you, they don't need a warrant. Other things are 4A searches, but require a warrant to be reasonable -- non-consensual searches of a home, abs

  • by Anonymous Coward

    That's one thing. But these are ILLEGAL devices being used without even so much as warrants.

    • How are the devices illegal? The FCC has approved their use. The devices are legal. It's the use that can be illegal. There has never really been a reasonable assumption of privacy with cell phone communications, hasn't been since people were picking up phone calls with baby monitors. And it's been long known that the encryption used in signal encryption is weak. If you have a “reasonable assumption of privacy” while using a cell phone then I suggest you do some research and reconsider your assu
    • by xeoron ( 639412 )
      And to detect it, you are going to need a root for Snoopsnitch to run.
  • by kipple ( 244681 ) on Thursday January 01, 2015 @02:03PM (#48712167) Journal

    "This app requires root access and will only run on devices with Qualcomm chipset."

    That's not "for android". That's playing a Qualcomm trick with the baseband.

    I also wonder if a better way might be (but I'm speculating here) to use the measured distance from the nearest cell tower (called Timing Advance), as in http://stackoverflow.com/a/137... [stackoverflow.com] - and couple it with a public database of known cell tower locations to spot recent "additions".

    • It's still better than having nothing at hand.
    • One still needs a way to prevent the cellular device from being pushed to the "New" tower.

      Sadly, handset makers and mobile OS makers have not been able to give a "Blacklist tower" feature, or have not been willing to give such a feature. The towers MUST be uniquely identifiable for the tower mesh network to communicate reliably-- so, a means of uniquely identifying and refusing to play ball with a specific "Tower" should absolutely be possible.

      Google and Apple should step up to the plate on that.

      • Isn't the tower handoff stuff all handled in the baseband firmware, though? I'd think that there would be memory limitations in current designs to prohibit that being feasible. And I'd also think that adding more memory wouldn't be feasible because handset manufacturers want tiny, low power components, and more memory and more complicated firmware logic might "blow their budget" so to speak.
        • All you need is a few kilobytes of storage. Most phones have this already in the underlying hardware for use with things like the region ID and the like.

          Seriously, each entry in the blacklist needs only the UUID of the blacklisted tower. That's it. Hell, this could live in the damned SIM card.

          Everything else can live in the app.

          • by jonwil ( 467024 )

            Even without baseband support, if your OS/platform of choice exposes the cell tower ID to the main processor and gives you APIs to trigger it you could have an app that looks for the towers you don't like and when it finds one, switches the phone to airplane mode and gives you a warning. Apple does not provide the relevant APIs (although anyone concerned enough about privacy that they are worried about rogue cell towers shouldn't be using a crApple phone anyway)

            Android appears to provide APIs for getting the

            • I recently purchased and started playing with the one plus one. It's easily rooted (this is my first non-apple mobile phone) and I already have many apps that track tower ID's, but...

              For someone like myself who doesn't travel all that often, I look at these apps every now and then to remember where my towers are. This is so that when I do need to do something I want private, I can simply recall if the tower I'm connected to is what I remember.

              Not hard to do

        • I looked at GSM modules on Ebay. They are small enough to fit in a watch and they have all the needed features in their only firmware. They only need a battery, mike, speaker and something that would give them AT-commands to connect. And they are cheap enough.

    • by wbr1 ( 2538558 )
      Instead of just spotting recent additions, also looking for timing advance shifts over a certain margin while the tower/antenna ID remain the same. I am not a cellular engineer, but it would seem that would be a possible indicator of a spoofed tower.
      • by plover ( 150551 )

        Unfortunately, that will primarily give false positives. Cell companies bring in COWs to serve in temporary situations, such as county fairs, sporting events, concerts, and disasters. A COW is indistinguishable from a StingRay.

        • by wbr1 ( 2538558 )
          You seem to know more than I do, however, the COW, being a device inserted into the carriers network by said carrier, I would think would have a different ID for whatever loadbalancing/handoff protocols occur on that network. This may not be true, as it may be easier to just copy an existing base station ID than provision all the backend hoo haw for a temporary device. But if it is true, my scheme should not produce as many false positives as thought.
          By their nature (unless willingly installed by the carr
  • Can't we add support to Android so that e.g. I can load a carrier cert into a special store used only for the cell radio operations and then have an option to authenticate towers before connecting to them? Is there any way for a carrier to publish a whitelist of tower info that can't be easily cloned? How do we have this infrastructure where anyone can start broadcasting and sweep up everyone's traffic and very little is being done about it?

    • by Xicor ( 2738029 )

      you are talking about the government here... all they would have to do is strong-arm the carrier to add their towers to the list.

      • Yes, and then we'd have proof, somewhere, of how many there are and could track where they have been used and who was actually affected.

        • by wierd_w ( 1375923 ) on Thursday January 01, 2015 @02:30PM (#48712289)

          A better approach would be to keep a triangulation map of available towers over time.

          The point of stingrays is that they are mobile. Cell towers are NOT.
          Similar to older war-driving apps, the app looks for tower broadcast signals, even when it does not intend to hop. It keeps a record of the GPS coordinates of the handset (Seriously, a smartphone without a gps these days?) and the detected signal levels of all towers it sees.

          It then builds a virtual geographical map of cellular towers based on its own radio data over time. The sudden, mysterious appearance of a new tower where there previously was not one, (and also where there does not seem to be capacity reason for one to be added, or one with a suspiciously small radius of service) would get flagged, and should get blacklisted by the phone until the user specifically says "No, it's OK to connect" (It may be a microcell at a crowded event or something)

          That should allow creation of a stable whitelist over time.
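The tower map described in the comment above, combined with the timing-advance check wbr1 suggests earlier in the thread, as an added example; it is not part of any comment and is not SnoopSnitch's code. The class and function names, the thresholds, and the sightings are all constructed for illustration, and a real app would take its sightings from the platform's cell-info API.

```python
from collections import defaultdict
from statistics import median

GRID = 0.01       # degrees per location bucket, roughly 1 km (assumed)
LEARN_DAYS = 14   # bucket history needed before new IDs are flagged (assumed)
TA_MARGIN = 3     # tolerated drift in GSM timing-advance steps, ~550 m each (assumed)


class TowerBaseline:
    """Per-location record of cell IDs and their timing-advance history."""

    def __init__(self):
        self.first_day = {}             # bucket -> first day anything was logged there
        self.seen = defaultdict(set)    # bucket -> cell IDs accepted into the baseline
        self.ta = defaultdict(list)     # (bucket, cell_id) -> normal TA readings
        self.approved = set()           # IDs the user accepted by hand (event microcell, COW)

    def observe(self, day, cell_id, lat, lon, ta):
        """Record one sighting; return a list of alerts (empty when normal)."""
        bucket = (round(lat / GRID), round(lon / GRID))
        start = self.first_day.setdefault(bucket, day)
        if cell_id not in self.seen[bucket]:
            if day - start >= LEARN_DAYS and cell_id not in self.approved:
                return ["new-tower"]    # stays flagged until the user approves it
            self.seen[bucket].add(cell_id)
        history = self.ta[(bucket, cell_id)]
        if len(history) >= 5 and abs(ta - median(history)) > TA_MARGIN:
            return ["ta-shift"]         # same ID, very different distance
        history.append(ta)              # only normal readings extend the baseline
        return []


def run_sample():
    """Replay constructed sightings: (day, cell_id, lat, lon, timing_advance)."""
    here = (40.7128, -74.0060)
    log = []
    for day in range(20):               # 20 days of the usual two towers
        log.append((day, "A1", *here, 2))
        log.append((day, "B7", *here, 5))
    log.append((20, "Z9", *here, 0))    # ID never seen at this location
    log.append((20, "B7", *here, 0))    # known ID, suddenly much closer
    log.append((21, "A1", *here, 2))    # normal sighting
    base = TowerBaseline()
    flagged = []
    for day, cell_id, lat, lon, ta in log:
        alerts = base.observe(day, cell_id, lat, lon, ta)
        if alerts:
            flagged.append((day, cell_id, alerts))
    return flagged


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Adding an ID to `approved` is the manual "it's OK to connect" step; a legitimate temporary cell raises the same alert as a rogue one, so the alert is a prompt for review, not proof.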

          • by hidden ( 135234 )
            Actually mobile cell towers (legit ones) are a thing. They're widely used to expand tower capacity near large events, as well as in emergency response.
            • I know. the problem is that it is impossible to tell a legit microcell from a totally not legit stingray.

              the default should be "suspicious: do not use", with an option to manually enable.

              the user will know if they are at a major civic event or not, and hopefully will know when they are under a major emergency situation.

            • The point of Stingrays is that they're controlled by the cops, not the phone company, and they can hijack cellphones whenever an "authorized" user wants, without the inconvenience of actually having to present documentation to somebody at the phone company claiming to have a warrant or equivalently warrant-like document.

              By contrast, the point of COWs is to be mobile so you can deploy large additional cell capacity at locations that don't normally need it, and the point of femtocells is to be able to get pho

          • I've been using a beta version of Spidey - it does triangulation. https://github.com/jtwarren/sp... [github.com]
          • Who cares if the towers are compromised. Never trust the carrier. Encrypted ip calls and messages.
            • by plover ( 150551 )

              The point is not that the messages are being intercepted by the stingrays, the point is that the individual phones are being identified. If they have a stingray in downtown Ferguson when the protesters are marching, they can add you to that list of "troublemakers".

          • Triangulation device with good resolution is by necessity much bigger than the wavelength since it uses directional antennas. And it requires you to rotate it (See the "Fox Hunt"). The trilateration device would be nicer but it works in well synchronized packs only and doesn't seem to be produced easily. And you need a stationary system that stores the history in order to suspect a new base.

            http://en.wikipedia.org/wiki/T... [wikipedia.org]

      • by green1 ( 322787 )

        That's unlikely, if they were willing to simply strongarm the carriers, they wouldn't need the stingray in the first place as it can only gather the same information the cell tower already has available. The only reason to ever use a stingray is to bypass the (trivial) step of involving a carrier who might insist on something like a (rubber stamp) warrant.

  • What is the frequency range of an IMEI snatcher...could the RTL-SDR (software defined radio) dongle with the correct firmware and antenna pinpoint these as well?

    http://en.wikipedia.org/wiki/S... [wikipedia.org]

    • I'd say that depends on the cellular technology in question.

      Most likely the signals will be in the 700-850 MHz band, or the 1700-2100 MHz band, depending on the technology and carrier.

      I do think that this is technically inside the RTL-SDR dongle's reception capabilities.

    • by fisted ( 2295862 )
      What is the frequency range of your cell phone?
    • What is the frequency range of an IMEI snatcher

      I would assume they operate in the same frequencies as any given carrier, so potentially any of these frequencies [wikipedia.org] depending on the carrier you're targeting.

      could the RTL-SDR (software defined radio) dongle with the correct firmware and antenna pinpoint these as well?

      I don't think so. If I understand it right, the way this detector works is by spotting discrepancies in the handoff between your carrier's tower and the IMSI catcher. Since your SDR isn't connec

    • RTLSDR has pisspoor dynamic range (8 bit ADC), sure you can do some triangulation, but it will be very inaccurate & unreliable. Also current generation technology has a bandwidth of ~10MHz, RTLSDR can only do about ~3MHz max. (example of triangulating a VHF signal here : http://www.rtl-sdr.com/triangu... [rtl-sdr.com]) There's plenty of cheap SDR projects out there nowadays, much, much better than the RTLSDR. And if you're serious, really advanced hardware will only set you back a few thousand $$$. (http://www.ettus.
    • There are some interesting chips, I mean Silicon Laboratories EzRadioPro Si4464 and the similar ones. They receive a GMSK and I think it's possible to tune them to 900-MHz GSM band. Unfortunately I have no idea about 1800 MHz bands. The specialized GSM modules look more interesting and require less work.

  • Are these towers allowed by the FCC? I would think hijacking signals would be extremely illegal. Also, how do they make sure these stingers only allow connections from the person that they are tracking? If they are not narrowing it down to a single person and non-targeted persons are able to connect with it and are not covered by a warrant, then that would be extremely illegal.
    • Re:FCC? (Score:4, Informative)

      by wierd_w ( 1375923 ) on Thursday January 01, 2015 @03:17PM (#48712501)

      You haven't been following the stories on stingray use, have you?

      Law enforcement agencies use them to eavesdrop on multiple cellular devices in the espionage radius, hoping to catch their perps. the data of innocent civilians driving past also gets logged. this has been reported on. it is not handset specific.

      the illegality of the practice does not seem to matter much except when the trial judge demands to know the source of the evidence. Even then, law enforcement frequently LIES about using stingrays.

      a community method of tracking and recording stingray deployments in large urban centers that is public domain would open the doors to some serious FOIA request hilarity.

      "hello, NYPD? yes, according to OpenTowerMap.Org, it appears that a new cell tower with unique ID XXXXXXXX went into operation in the area near to where your investigation into Nicky the Nose was going on, suspiciously consistent with the length of your investigation. Since your investigation against Mr Nose has concluded, there should be no reason whatsoever to deny my request for any information you have on the use of a cellular monitoring device during that period at that location. Specifically, we want to know how many non-suspects accessed the device, and what the current status of their records is, and also what degree or level of transparency your agency has taken to inform those innocent citizens that their data was collected as part of your investigation."

      etc.

  • The primary methods of detecting IMSI-Catchers and Fake BTS's are described here [sba-research.org] (pdf), and due to the variety of manufacturers' baseband interfaces, there wasn't an easy way to uniformly detect these devices.

    IMSI-Catcher doesn't seem to work on my old, non-GSM Android, but I've also found OsmocomBB [osmocom.org] to be interesting; it's an open source GSM broadband implementation that seems to work on some older, cheap phones, like some Motorola candy bars; check out Catcher Catcher [srlabs.de] for more info.

    In terms of the IMSI Catc

  • Some time ago I have worked with a cellular modem. The cellular modem has lots of AT commands including the ones that show the actual frequency, base IDs, power and all this stuff. I also have looked at cellular modules for Arduino, and they have such commands too. I've seen no cellphones that have such functions (I don't count smartphones since nobody knows what kind of malware are there).

    In every location there is a fixed set of visible bases. There may be some bases visible intermittently but such bases

  • Say you're an ordinary person, and you got ahold of one of these Stingrays, and started gathering data? Would you be breaking any laws?

    What if you were interested in blackmailing the people you snooped on? Would you have to actually threaten to reveal the information you had gathered to get arrested, or is possession of the device and the gathered information enough?

    Not sure what good those answers would be, if I had them. The police are above the law, more often than not. What is a crime for someone
