58 comments

[ 3.4 ms ] story [ 73.5 ms ] thread
This is cool!

Of course, it will only be a matter of time before the stingray-users figure out how to fool them...

Maybe we get enough time to finally make it illegal to use one. If this isn't mass surveillance then what is?
"a matter of national security" - there are endless interfaces into the network (by law) for lawful interception and some of them are designed in such a way that Interceptor E1 cannot see what Interceptor E2 is trying to read.

Still, some 'other' interested parties that have reasons not to use the standardised interfaces.

For 5G at lot of additional security measures CAN be enabled, but you can guess who started to complain about that.

I fear the same. This research will drive stingray to be more stealth.
Right, that is highly probable and the fact that it's likely to happen will drive nefarious operators to illegally change IMSI numbers,etc., that is, if it's not already happening on a grand scale. This could lead to a technology war between law enforcement and crooks where the main victims will be innocent people.

The bigger and more important issues are that (a) our police forces are becoming more militaristic and are acting more like invading armies without themselves conforming to the law not to mention the fact that they are also acting underhandedly and by stealth (which leads the citizenry to distrust them), and (b) the issue of citizens' right to privacy has not been properly or adequately addressed by legislators.

The fact that our governments have precious little oversight of and exercise even less control over their various agencies is also of great concern.

Seems like that would maybe be a game of cat-and-mouse, but fundamentally these IMSI catchers have to have an identifiable signature. That is, in order to work they need to mimic an existing cell tower as much as possible, but it is exactly because of that mimicry that they can be detected over time (e.g. because the signal is coming from a different location).
Using more than one antenna will expose a phase difference and drifting in time can't be avoided either unless they waste millions of tax money on ultra expensive TCXO's. Herefore I suspect that they'll passively identify a signal and order the service provider to decrypt it at their backbone. If France/the GSM foundation could pull of that encryption is to be downgraded in strategic countries; surely some other powerhungry nationstate will beat that record.
Partnering with rideshare drivers to maximize coverage of the mobile units is quite clever.

Glad things like these are being done

Paying rideshare drivers to carry bruner android phones for wigle.net data collection is also a common tactic amongst the high ranking participants.
Is this open source? Would love to run it in DC. Would imagine quite a few hits.
> Would love to run it in DC.

You will probably find a lot, but mostly from SMS spammers

https://m.alibaba.com/product/1600220614935/detail.html

IMSI catchers are pretty much freely available for everybody to use, and now closing on becoming tiny, and portable: https://m.alibaba.com/product/1600226966011/detail.html

P.S. The company has quite an interesting list of buyers: https://www.exporthub.com/shenzhen-thinkwell-digital-co-ltd-... . Including one "eternal friend" of US who has recently been caught red handed stingraying the state department, and the whitehouse.

What... is the price of these again ? Im on mobile and the price in my currency shows this specific one in upwards of us $ 18k+? Is it that expensive or is alibaba somehow showing me wrong price
Not a wrong price, $18k USD is downright cheap for what it does for the intended customer base.
There used to be a very handy Android app, now booted off the Google Market, called "GSM Spy Finder" which worked on MediaTek SoCs.

https://apkplz.net/app/kz.galan.antispy

You can also use SnoopSnitch from F-droid for this.

https://f-droid.org/packages/de.srlabs.snoopsnitch

since some years already any app based solutions are useless in practice since they yield a huge amount of false positives or no results at all. The talk on crocodile hunter (an EFF software) goes into why that is so: https://www.pcmag.com/news/police-spying-on-your-phone-ask-c...

edit: if you've ever spent some time sitting on a plane (non domestic) and your phone was on during the time-window when boarding is ongoing and just before the aircraft taxis to the runway, then there is a very good chance that you've connected to one of these before. It's a way to match known cell numbers of individuals where an arrest warrant has been issued (or otherwise individuals that are monitored) against actual passengers phones (who might be traveling with a fake ID). If somebody on your flight was ever lifted off the plane by LEA (but obviously has made it through security into the plane) they are very likely the target of such a dirtbox intercept.

>If somebody on your flight was ever lifted off the plane by LEA (but obviously has made it through security into the plane) they are very likely the target of such a dirtbox intercept.

You'd think fugatives won't bring their phones with them, turn them off unless absolutely necessary, or use burners.

yeah one would think so!

in reality huge number of arrests are made due to incredibly dumb mistakes (and not because LEO's used some super newsworthy hack).

Most criminals aren't particularly forward-thinking. Those that are, usually don't get caught as often, so the ones you see are those that aren't. I used to break a lot of drug laws when I was an addict (I'll leave which ones up to your imagination, for obvious reasons) -- I used to be called paranoid by those I associated with as I refused to travel with phones, changed number and phone once a month, among other things.

Unlike them, I was never caught and have no record. A lot of that is down to lucky, obviously, but the ones I know of who are still active and not in prison do similar things (burners, never have a device on them if possible, rotate burner SIMs constantly, use encrypted messaging, etc.).

Anyway, its been years, but it's a lot less stressful to be sober and law abiding!

There was another one in f-droid (or at least it was named differently at the time) that I had installed and running by curiosity a few years ago. I more or less forgot it until one day while I was driving on the highway and got forcibly directed out because of a blockade set by protesters (nation-wide protests by farmers occurring at that time). Once in the vicinity of said blockade I got notified unequivocally that something weird was happening to the cellular network. I guess law enforcement people were using IMSI catchers to monitor protesters.

Just anecdotal evidence, however, while I almost never got false positive alerts from this app (once at the arrival of an international flight), the one time it triggered a notification, it was in a highly probable situation.

Communication between our devices and these base stations being so opaque (closed-source baseband processors/OS not helping there) and sensible, I'm glad these projects exist and I just installed this one, blaming myself for not doing so earlier.

I had used "Tower Collector". Def going to try this one.
I cannot find anything on it - does anyone know the reason it was booted out by Google?
Google will boot things that use APIs that they don't want app developers using, or apps that "abuse" the APIs they are allowed to use.
(comment deleted)
Now we just need a few of these on coordinating drones to triangulate in real-time and snap some pictures of the transmission source.
You could do it with a couple of KerberosSDR units.
Is it just me that looks at the equipment photo, and thinks - you're using an inverter to convert 12VDC to 120VAC, then a couple of wall plug transformers to convert that back down to low-voltage DC - why don't you just use a DC regulator?
Car 12v systems can be really noisy. The inverter and power bricks are pretty much guaranteed to filter all that out.

Besides that, this way doesn't need any soldering, which is nice.

Inverters and power bricks are noisy too.
> Car 12v systems can be really noisy.

A 12 V lead acid battery ranges from around 12.7 volts when fully charged down to around 12.2 at 50% (the minimum recommended charge level for typical car batteries). When starting the car, the voltage will drop below that. When the alternator is running to charge the battery it is around 14 V.

Is there any regulation or filtering on the 12 V ports on cars, or do devices plugged into them see it all--the alternator voltage when it is running, a big drop when starting, and 12.7-12.7 at other times?

No filtering, it goes directly to the general power rails in the car, with all the noise included. Devices are responsible for filtering/protection as needed.
Not necessarily, and there is way worse stuff on that power source than that. For example, you have to guard against things like “load dump” where voltage can spike up to rather high voltages momentarily (80V or so, don’t know the actual spec right now).

Chances are that a modern car has more regulation and protection between battery/alternator and the 12V plug, but you don’t usually know what, and the spec doesn’t (or at least didn’t when i looked into it) require it.

There's no standardized regulation or filtering; devices typically see it all. And it's much more than the alternator voltage; a device might see transient 24V or more, and as little as 9V.

See https://en.wikipedia.org/wiki/Automobile_auxiliary_power_out... for more.

Modern chargers tend to be really forgiving, and they're often powering a device that has its own battery, so there are multiple levels of regulation between the car and the device.

On the other hand, I've used automotive adapters that do a simple DC-DC conversion with no regulation, and pass through to a barrel connector to a device that would otherwise be powered by standard alkaline disposable batteries. Those aren't nearly as robust, and I've seen devices fail or power-cycle due to undervolting.

Everything is off-the-shelf: you can find 12DC to 120AC at Walmart, but a DC/DC regulator is harder to find and more difficult to configure and setup correctly.
BOM from the paper:

Telit GT-864 QUAD/PY GSM modem $65

External antenna $25

Raspberry Pi 2B+2 $35

GPS (GlobalSat BU-353) $30

Bait Phone (Motorola Moto-G 4G LTE) $95

4G Hotspot (ZTE Z917) + 3 month plan $100

DC/AC inverter $26

Powered USB Hub $17

Pi accessories $15

SD Card (32 GB) $17

Modem accessories $30

Cables $35

Box $12

Total $502

https://seaglass-web.s3.amazonaws.com/SeaGlass___PETS_2017.p...

While the project has largely languished lately, I reimplemented a sensor with similar capabilities to Project Seaglass with the goal of a lower BOM cost and easier purchase - the particular Telit module they used is discontinued and hard to obtain. My BOM is around $160 and could be lowered. See here: https://github.com/jcrawfordor/cellscan
In case anyone else is wondering what an IMSI-Catcher is, let me save you a google:

"An international mobile subscriber identity-catcher, or IMSI-catcher, is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users."

1 - https://en.wikipedia.org/wiki/IMSI-catcher

The Stingray is a commercially available model that you may have heard of.
They're also cheap, easy to use and deployed all over the country by local law enforcement. It isn't just three letter agencies using them, it's your local police department, too. No warrants needed, either.
No warrants? Because they intercept only the phone's identity (and therefore your location?) and not voice/text traffic, presumably.

Not that it's not still egregious but it's described in this thread as an "eavesdropping" device so it would be helpful if we could be explicit.

If my supposition above is accurate then the rationale is likely the fact that you are traveling in public is not considered protected against unreasonable search.

It's because they use the devices for eavesdropping. If they want to use data they collected from eavesdropping in court, then they need a warrant.

For example, if they're spying on a drug dealer, they can determine the right time to pull them over for a traffic violation and also catch them in the act of transporting drugs. If law enforcement doesn't submit evidence obtained from spying, it looks like whoever pulled them over was just in the right place at the right time[1].

[1] https://en.wikipedia.org/wiki/Parallel_construction

I see. Do newer 3gpp/ETSI standards take this kind of surveillance into account? Surely this must not work for intercepting VoLTE or 5g voice calls?
Can’t they see the content of text messages. If so that blows my mind that they can be used without a warrant.
Ooh. New project for today. Deploy this locally and figure out how to make this a public service where people can run their devices and the data is uploaded to a central database in real-ish time so people can see suspect changes.

EDIT: This should have a 2017 tag, as the code is 4 years old and I assume the same is true for the website.

http://wigle.net/ app collects cell tower locations, I bet with some clever searching of their dataset you could find these. Likely not in as real of time though.
(comment deleted)
The German government has just published a paper on the requirement for telecom operators to ensure LEA continue to be able to _covertly_ intercept traffic in 5G: "Ensuring Undetected use of the IMSI Catcher", the paper which is in German (https://posteo.de/FormulierungshilfeBMI.pdf) reads:

" > Mobile network operators must ensure security authorities can use IMSI Catchers without the end user becoming aware of this. According to the TKG-E, mobile operators must continue to allow IMSI catchers in accordance with statutory investigative measures. Until now, it's unnecessary for operators to act so that members of the Security authorities can use IMSI-Catchers, as they "simply" pretend to be a base station. In new mobile networks, devices brought into the network must be actively "accepted" by the network and otherwise cannot be used. As a result, it will no longer be possible to insert IMSI catchers of "previous design" into the new networks. We acknowledge that in the future unauthorised persons, such as foreign intelligence services can no longer use them. At the same time, it will no longer be possible for German security authorities to use an IMSI catcher without the cooperation of the mobile operator. The necessary regulations for the participation of the mobile operator are already included in the draft TKG, but the necessary addition is missing that the introduction of an IMSI catcher by security authorities may not be known to the end user."

Most people will think this is a fringe scenario which will never affect them. But they are very common in international airports:

> At Trudeau airport, Radio-Canada detected the catcher's presence through the use of a CryptoPhone — a cellphone look-alike that emits red alerts when a fake antenna tries to catch its signal. Several red alerts were received, throughout the afternoon and early evening, in the section of the airport for U.S. departures.

https://www.cbc.ca/news/canada/montreal/trudeau-airport-spyi...

> For two months last year, researchers at the University of Washington paid drivers of an unidentified ridesharing service to keep custom-made sensors in the trunks of their cars, converting those vehicles into mobile cellular data collectors. They used the results to map out practically every cell tower in the cities of Seattle and Milwaukee—along with at least two anomalous transmitters they believe were likely stingrays, located at the Seattle office of the US Customs and Immigration Service, and the Seattle-Tacoma Airport.

https://www.wired.com/2017/06/researchers-use-rideshares-sni...

> The devices are operated out of at least five U.S. airports, "covering most of the U.S. population". It is unclear whether the U.S. Marshals Service requests court orders to use the devices.

source: https://en.wikipedia.org/wiki/Dirtbox_(cell_phone)

For a "modern" take on this subject (info relevant to 3G is outdated unless they do a downgrade attack on you first), see this article and the linked videos that go into the issues LEO face with 4G/5G and the "crocodile hunter" software that is an EFF project to identify them: https://www.pcmag.com/news/police-spying-on-your-phone-ask-c...

A descriptive title would be better.

SeaGlass: City-wide cell-tower-spoofing detection

It is much easier (and more often done) to implement a solution for a static position. Many embassies and other highly sensitive locations have these, commercially available, installations.

We used to build them for fun (no profit) many moons ago.

Basically what you do is place a couple of (1, 2 or whatever) sensors (we used to use these Motorola C123 with osmocom) and just keep taps on signal strength and antenna ID over time, and inspect changes.