103 comments

[ 0.36 ms ] story [ 178 ms ] thread
It doesn't really comes as a surprise, but it's good to see the news coming out. Now we need a legal framework to ensure this form of power isn't abused.
We need a legal framework to ensure this form of power doesn't exist.
We the west, or America?
We humans?

edit: aside from that utopic reply, what I mean is "any country that has cellphones and want to protect their citizen should implement a legal framework to prevent abuse"

Richard from Privacy International pointed me at these: http://www.amazon.co.uk/dp/B00RRL4XLW It's a faraday cage for you phone. Pop it in and you disappear instantly.
I'd have thought simply switching the phone off would be easier? Much better on your battery life too, if the phone turns the transmit power up to try and reach a base station.
I wouldn't feel safe until the battery is removed (which unfortunately isn't possible on most phones anymore)

The baseband still has access to your battery when your phone is off.

> The baseband still has access to your battery when your phone is off.

Citation needed?

Because the definition of off, for most phones, is exactly that.

Snowden didn't want to be in a room with a phone, no matter the state of the phone.
Good point, asking for a citation. It's an extraordinary claim and so requires something to back it up. A quick search turns up this quote from a 2013 Washington Post story "By September 2004, a new NSA technique enabled the agency to find cellphones even when they were turned off. JSOC troops called this “The Find,” and it gave them thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq, according to members of the unit." Source: https://www.washingtonpost.com/world/national-security/nsa-g...
That WaPo news has been debunked:

http://blog.erratasec.com/2013/07/no-nsa-cant-track-phones-e...

There is NSA method called 'implant', but it requires installation of software (possibly in the firmware). It's not so easy and it can't be used in large scale.

Reading the blog post, it definitely does not 'debunk' the Washington Post report. All it does is take issue with Snowden's blanket claim that all mobiles are vulnerable (which is a good point and is one I'm inclined to agree with).
Let's not confuse mass surveillance and targeted surveillance of small number of people. They are two different things.

Snowden is right when he says that every phone is vulnerable for targeted surveillance. For people like him, every phone is dangerous even when they are closed.

Mass surveillance is different. NSA can't just pick random person and remotely track their phone when it's turned off.

(comment deleted)
This was one of the things revealed by the Snowden leaks.

'Dreamy Smurf handles power management, which according to The Guardian includes "an ability to stealthily activate a phone that is apparently turned off"'

https://en.wikipedia.org/wiki/WARRIOR_PRIDE

This capability has been known for many years. From 2006:

>"The FBI can access cell phones and modify them remotely without ever having to physically handle them," James Atkinson, a counterintelligence security consultant, told ABC News. "Any recently manufactured cell phone has a built-in tracking device, which can allow eavesdroppers to pinpoint someone's location to within just a few feet," he added.

Source: http://blogs.abcnews.com/theblotter/2006/12/can_you_hear_me....

I believe (but cannot cite) that this capability became mainstream when E911 & GPS was mandated.

This stuff is a big reason why BlackBerry was so critical to regulated industries and public company execs. PIN messaging on legacy BlackBerry was secure between devices on the same BES, and there wasn't a direct linkage to the user's identity, which made it easy to lower the value of metadata collection.

The fact that BlackBerry designed around this early on leads me to suspect (as an outside observer with an imagination) that mass metadata collection was known by folks in industry back in the 90s.

> The fact that BlackBerry designed around this early on leads me to suspect (as an outside observer with an imagination) that mass metadata collection was known by folks in industry back in the 90s.

Wouldn't a simpler explanation be that it was just over-designed for 90s-era threats in a way that hardened it to some more recent threats?

It is definitely a simpler explanation.

Consider however that none of their US based competitors managed to do address those threats in a meaningful way.

If your phone is lying to you about being switched off, then it's already compromised (and you're probably under some highly targeted surveillance already). If I had any evidence this had happened to me, I'd get rid of the phone instead of trusting it under any circumstances.

For the example of a protest march, if you're a participant or even a bystander walking home wanting to avoid being caught up in a surveillance dragnet, turning your phone off should be sufficient. You'd probably want to take stronger measures if you were involved in organising the protest, though.

Any number of phones over the years have/had functionality separate from the main OS (and in some cases backed with a small secondary battery) to trigger the phone to wake up to play alarms etc.. Given that the baseband code is totally closed and has total control over the phone, if the physical capability is there all it takes is a suitable vulnerability.

I would not trust that any modern smartphone is fully off without yanking the battery.

>without yanking the battery //

Are you sure they don't have a backup battery or similar that can continue broadcasting your location after you pull the battery. That would be an ideal countermeasure as pulling the battery would be a great indication you may be about to do something "naughty" and you'd likely do such things shortly after too ...

> stronger measures if you were involved in organising the protest, though.

Burner phones bought in cash from one of the little independent shops we have all over (here in the UK anyway) with pre-paid sims - not a new idea I saw it cropping up in fiction 20 or more years ago but still effective, used for a day or two and then dumped.

Isn't it tragic that the way you have to protect yourself from the state when organising a legal protest is pretty much the same way you would do it if you where a drug dealer or a terrorist (at least a reasonably smart one).

If your phone doesn't have a removable battery, how do you know if it's really off?
Not entirely relevant but note that if a power switch does not have a mechanical difference between the off and on state then there must be an active component that at the very least must monitor the power button to detect presses. I don't really know, but it seems likely that in a smart phone the SOC is used to monitor the power button and it is therefore only ever in a very low power state (sans battery removal). That doesn't of course mean that any radio components are receiving power.
I think you could do that in a passive way as well, where the act of pressing the button powers up a circuit that holds the power on.
low power devices now exist that can live of small traces of power. Even with the battery removed, how can you be sure it's still not listening?...
This is why you should never take phones into any kind of sensitive meeting or at least put it into a faraday bag.
Government officials have data mining algorithms that detect patterns in cellphone disappearances.

Big city with millions of people. Two or more cellphones disappear when they approach the same part of the city. When this happens few times, you might get flagged.

Good luck separating the signal from the noise of people disappearing into the Tube / buildings / running out of battery.
(comment deleted)
wouldn't that make your phone get hot and then blaze through the battery as it desperately boosts power in order to reach a base station?
> Richard from Privacy International pointed me at these: http://www.amazon.co.uk/dp/B00RRL4XLW It's a faraday cage for you phone. Pop it in and you disappear instantly.

That's not a great solution if I want people to be able to call me.

Interestingly enough, during last trip to London, my phone (Nexus 5 running Cyanogenmod 12.1) was able to somehow detect something fishy and warned me several times "Network may be monitored by an unknown 3rd party". Among others, I've seen this warning two times out of two when passing by Cheapside/St Martin's corner - next to the St Paul's Cathedral.

At the time I just dismissed this as some tinfoil hat developer adding some nonsensical warnings to the firmware, but in retrospect, after reading this article - this matches perfectly, chances are - phone was indeed detecting Stingrays. Still no idea how it managed to do it.

EDIT: I had no data/IP connection of any kind at and around the time of seeing this, so this is clearly unrelated to TLS interception.

I'm not getting these warning on my Nexus 4 running the default Android build. The only time I see them is when I use my own VPN connection.

Do you think it might get triggered on your phone by the presence of the anti-porn filter that UK mobile provider have? For instance, when trying to access "adult" website (I use quotes as sometimes, even non porno website gets filtered out) you end up on your mobile provider page blocking you from the actual website your looking for.

(comment deleted)
This is not the message I've seen. There was nothing about TLS, trusted CA installation, emails, apps, or websites.

I wish I've taken a screenshot of it!

In the US, most mobile traffic is proxied, and filtering/rate limiting is implemented there.

No exotic measures are required to do this.

Could this be caused by the phone surveillance that's set up in One New Change? There are (small) notices at the entrances to One New Change that inform you of phone tracking equipment there.
Check your certificates. I saw this when I installed a Fiddler root certificate.
(comment deleted)
There's apps that can read Qualcomm debugging to detect GSM encryption has changed like SnoopSnitch maybe CM has their own built in version but last I heard their kernel removed many proprietary drivers needed for the Nexus 5 to access Qualcomm DIAG.
Is it completely legal to warn users of suspicious network activity like this? If for example Apple built detection into iOS and gave all users a warning that could do a lot for raising awareness and maybe some support for change. "The network you are using is likely being surveilled. Your identity, online activity, and phone calls may be monitored by government or criminal equipment"
Can you stifle free speech when it's informed by public information and not knowledge of secret activities? That is, if all it's doing is flagging signals it's antenna receives, is it even possible for that to be illegal?

Also, how do laws treat waves in public (radio, light) - do they get the same "privacy" treatment as people (that is, no expectation of if in public)?

Edit: actually since joining/browsing an open WIFI network can be considered criminal...

> Also, how do laws treat waves in public (radio, light) - do they get the same "privacy" treatment as people (that is, no expectation of if in public)?

I believe this area is legally fuzzy but courts have determined that police cannot drive around with say, a thermal imager and observe en-mass people in their homes. One could argue that it's just thermal radiation you are viewing from public space.

Frequently on my town's facebook page, somebody will post "speed trap near the elementary school, better slow down there", and people jump all over the poster about helping people get away with speeding.

It seems to me that if you really want people to slow down near the elementary school (as opposed to just issuing tickets and collecting fines), this is EXACTLY what you want to have happen. If you put a cop there, and people warn others of it so they all slow down... mission accomplished!

By analogy, if you've got a target very valuable to the enemy (maybe a stadium for a high-profile sporting event), having phones alert users that they're being monitored might help to ensure that nobody tries anything during the event.

With that in mind, maybe the government should seek to warn us that we're being monitored, even if/when we aren't in reality. Just to keep us on our toes.

To be really effective, it would be seem specific and personal: text messages that say things like "We can see you. We know what you're up to." Stuff like that.

Check certificates, some app added its own certificate.

I installed my own certificate on Android and it warns me about it each time after it boots. It's quite annoying, because there doesn't seem to be a way to disable it (without modifying /system) and I trust my own certificate much more than any other the phone comes with.

Watched the documentary last night.

Given that these things are cheap, would any fellow Brits be interested in clubbing together and acquiring one and installing it in or around parliament? I'm sure there would be plenty of buyers for the call records of MPS.

Isn't it illegal to have one and run one in the UK if not licensed?
Well, as they're officially not used at all in the UK, there's been no need to create any legislation around them, so while this could be an offence under the communications act, you could argue (probably unsuccessfully) that you're actually providing a service to customers by taking their data to protect them from themselves, as they may be terrorists and not yet know it.
I am sure that is how the courts will look at it :)
Do IMSI catchers have any way of verifying the intercepted IMSIs are legitimate? If not, would it be possible to build a device to flood them with fake/spoofed IMSIs?
"IMSI catcher" is a device:

https://en.wikipedia.org/wiki/IMSI-catcher

It doesn't have to "verify" what it collects.

Yes, but the value of the collected data is much reduced if you can't distinguish between legitimate IMSIs and spoofed IMSIs of devices that were never actually there.
If you attach to a network successfully, it means the its secret key stored in the SIM card matches that of the network.

Since your IMSI catcher is basically just a proxy between the mobile phone and the real network, you can therefore easily detect that the IMSI is who it says it is.

No, because he who collects isn't interested in random mobile phones, and whoever tries to spoof "other" phones doesn't know the phones of interest of the collector. And the collector is interested not in knowing the presence but in the whole traffic, so the spoofing is even more obvious.
>If not, would it be possible to build a device to flood them with fake/spoofed IMSIs?

Technical ability wise, yes.

Legally, no. The Mobile Telephones (Re-Programming) Act 2002 [0] makes spoofing IMSI, even that of your own, illegal in the UK.

[0] https://www.staffordshire.police.uk/info_advice/crime_preven...

Disclaimer: I am not a lawyer.

I fail to see how re-programming is related to spoofing?
> (1) A person commits an offence if:

> he changes a unique device identifier,

Technically, IMSI is not a device identifier. MT has IMEI and SIM (or more precisely ICC) has ICCID (which is normally never transmitted over the network). And the legislation probably specifically targets spoofing the IMEI, as spoofing IMSI does not gain you anything other than absence of service (on normal GSM/3GPP network).
The fact the Government is using it as an identifier likely means they can argue legally you are attempting to change the identifier.

Technically correct for technical discussions is not the same as contextually correct in a court room.

IMSI is not a mobile phone identifier, it literally means International Mobile Subscriber Identity and is provisioned in the SIM card.

You will change your IMSI by simply changing the SIM card.

And to be somewhat more pedantic, it even is not "unique device identifier" of the SIM, as SIM is not an device, but software application (typically one of applications) running on some hardware platform (usually an ICC, which is what is colloquially called "SIM card")
No you won't, IMSI provisioning is mostly done today remotely. The SIM card will have an empty IMSI partition and once you've "activate" it with the parent network the network will provision an IMSI on that card. If you have an account with a cell provider you'll carry the same IMSI number when you switch devices and SIM cards.

If you use pre-paid sim cards then those usually have thin provisioning of IMSI numbers they network buys a certain amount and activates them when the SIM card is activated and deactivates them once the SIM card has been inactive or not been topped off for a certain period of time (usually around 90 days).

When some one has your IMSI they can tie it directly to your personal details, phone number and various other details if they have sufficient access to the global cell system they can also get your location and what tower you are connected to. Historical log data will give them any tower you've been connected too from the first tower during the initial activation and provisioning to the last tower you've been connected too. Depending on the network and device most phones also send out nice diagnostic information about other towers and networks they see all the time regardless of what tower they are connected too at the time that with a given IMSI number will allow some one to triangulate the position of the device to under 10M in most urban areas if some one knows your IMSI they can pretty much pin point what room you are in at your house (give your house have several rooms pointing at different directions ;)).

That's why I prefixed that with "technically". :)

From legal standpoint, device that spams IMSI catcher with registrations with random IMSIs is mostly same thing as the IMSI catcher itself, ie. device that requires it's own broadcast license to operate, as such device certainly does not meet legal (and technical) requirements for it to be an cellular phone.

On the other hand, generating random IMSI, burning that into ICC and thus producing unusable SIM is probably perfectly legal even when you put that inside normal GSM phone (from network standpoint it will behave mostly same as phone without any SIM). In practice SIMs with completely made-up IMSIs are even commercially available (idea there is that some phones will not fully boot without SIM).

and the guys with the IMSI catchers, would complain about the fake IMSI's, right?... RIGHT?...
So we can safely say that IMSI catchers have been used as a matter of routine since 2002.
Like anything, it is technically possible to do this. As a defensive mechanism, I think it would make sense to perhaps hang out at city call and collects a bunch of IMSI's worth spoofing, and then rebroadcast those while you were being subject to surveillance, the goal being to force the adversary to follow down a bunch of leads which are bogus.

That said, this is completely illegal (unlike the actual surveillance which has been made legal by a series of unfortunate events). So I would not advise anyone to do this. Not to mention that unless you design your own cellular baseband radio circuit (so that you have access to all the docs) building something like this with "off the shelf" parts is quite expensive.

SDRs are no longer that expensive - even an Ettus or BladeRF device is within the range of the average middle-class engineer - and can be programmed completely in software to act as a cellular baseband device.
Same thing found in Oslo about a year ago. Police Security Service denied they existed though. If I remember correctly these were mostly located around parliament and other government institutions as well as in the embassy area.

Report in english: http://www.aftenposten.no/nyheter/iriks/New-report-Clear-sig...

They denied they existed while showing no apparent concern before having had time to verify anything == they knew exactly who were doing what.

Given that Police Security Service has a decades long history of illegal political surveillance what shocked me is how muted the political reaction was.

Hopefully there will be some action on this in Norway. Unless they want to ignore unconstitutional police and agency activity, just like in .. so many other major countries.
It took 40+ years of illegal surveillance of left-wing politicians before they finally took the allegations seriously and investigated it, and the result of extensive evidence of breaking the law was renaming the agency and some slaps on the wrist, so I have no reason to believe they've improved.
> A VICE News investigation has found evidence that sophisticated surveillance equipment that spies on people's phones is being used across London

That the Met (and other police forces) regularly use IMSI catchers is not new information - here's a ~5 year old Guardian article on the subject:

http://www.theguardian.com/uk/2011/oct/30/metropolitan-polic...

I seem to recall a recent discussion where these devices are very hard to identify compared to a number of legit mobile phone amplification devises that many large buildings have for their employees in cities.

Is this the same technology?

I stayed in The City during the holidays and at one point walked close by the Police hq. After continuing on I enabled gps for a moment and even though I was half a mile a way my gps was showing me smack dab in the center of the police hq for about 15 minutes... I realized then what was happening and that I should have known better, but I had forgotten to ask a friend to take his faraday cage laptop bag and phone bag... I knew better and am still kicking myself for it.

The UK's level of surveillance is extremely unsetteling to me, and quite frankly I think a lot of Americans have forgotten all the reasons why the UK might not be as good of an ally as everyone thinks since the 47 USUK agreement. Thr point being that I really hope our politicians dont start adopting That level of surveillance just because they do it to.

It seems we have quietly been in a surveillance arms race, which isnt good for the population at all.

City is "special". While there are reasons to be concerned about surveillance elsewhere in the UK too, City has its own police force, and surveillance levels that makes even the rest of London seem like total anarchy.

In the rest of London there are certainly other buildings that are covered by extensive government surveillance, but most of the surveillance in London - and the rest of the UK - is privately owned, and rarely more than passively recording. The level of street level monitoring in the UK is often vastly exaggerated - police often can't be bothered even trying to check CCTV because getting hold of footage is a lot of effort and rarely is of much help.

GCHQ surveillance of networks is another matter.

It's not clear if the OP meant the City of London police HQ (Wood Street), or the Met HQ (Scotland Yard, not in the City)
Sorry if I'm being a bit slow here, but what was happening? Why was your gps showing you in the middle of the police hq?
A bug in the imsi catcher not properly relaying the info, so I was seeing the imsi catcher's location data temporarily instead of my own.
Isn't the phone just displaying its location based on the GPS signal? I don't get how intercepting your phone's transmissions would cause it to report an incorrect location.
If a technology exists, and can feasibly be leveraged by a party to its advantage, then you should assume that it is happening.
Are prices so high in order to prevent private use or are they really that expensive? What keeps anyone from building their own?
The UK is a perfect example of a surveillance state. V for Vendetta had it right. The future is now and we're all slaves to the security state.
I've read in the past that phone tapping produces an audible echo, is this the case with imsi-catchers as well or has the technology advanced far enough it's not possible to detect being tapped?