26 comments

[ 27.5 ms ] story [ 261 ms ] thread
Additional context: https://san.com/cc/exclusive-evidence-of-cell-phone-surveill...

>At 8:58 a.m., just before the protest began, SAN began monitoring eight LTE bands present in the area and found no anomalous behavior. At 9:06 a.m., however, a burst of 57 IMSI-exposing commands was detected.

>Other bursts, present on four of the LTE frequency bands, appeared roughly every 10 minutes over the next hour, causing Marlin to issue numerous real-time alerts. A post-scan analysis confirmed the detection of 574 IMSI-exposing messages.

>It also flagged two “attach reject” messages, a type of cellular rejection sent when a cell phone tries to connect to a network. Attach rejects can occur for valid reasons, such as when a phone with an expired SIM card tries to connect to a network but such messages are rare on properly configured networks. IMSI catchers may use attach reject messages to block or downgrade connections and obtain an IMSI before it is encrypted. SAN observed the two suspicious messages at 9:55 a.m. and 10:04 a.m. at the height of the protest but did not encounter others before or after the demonstration ended.

>SAN conducted a follow-up scan during the same time period, the following day, when no protesters were present. Unlike the day prior, Marlin did not issue real-time alerts.

The article describes a search conducted with a warrant. Given the brazen criminality ICE agents are acting with, I’d like to see evidence of malpractice before risking diluting the message.
Could folks share more accessible methods for developing counter-Stingray type activities described in this paper, or rather, which ones they themselves have used with varying degrees of success?

https://www.cise.ufl.edu/~butler/pubs/ndss25-tucker-marlin.p...

Ideally, this is something I could hack together in the next few days since ICE is prepping to invade my city.

Wasn't this thought impossible with LTE, I thought older bands were only susceptible to this attack.
>In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G. [1]

>In its most basic functionality, the [LTE] IMSI catcher receives connection/attach request messages from all mobiledevices in its vicinity. These attach messages are forced to disclose the SIM’s IMSI, thus allowing the IMSI catcher to retreive the IMSI for all devices in its vicinity... a fully LTE-based IMSI catcher is possible, very simple and very cheap to implement without requiring to jam the LTE and 3G bands to downgrade the service to GSM. [2]

Exploits on 5G to retrieve the IMSI. [3]

[1] https://theintercept.com/2016/09/12/long-secret-stingray-man...

[2] https://arxiv.org/abs/1607.05171

[3] https://arxiv.org/abs/1809.06925

Every bus stop and billboard with a CBS logo on it is doing the same thing and has been for a long time. They map your movements by presenting as a cell tower and record the IMEIs of passers by. Forbes won't write a story about that though.
Lots of retail does this with Bluetooth™ beacons (whether just at entry/exits, or at high-trafficked areas).

Which is another reason I simply just stopped carrying a cell phone a few years ago. Absolute freedom.

----

I paid my vehicle off early just so I could disable the infotainment's cell-link. My city has OCR cameras on every 4-lane highway (so I'm still tracked) but it sure is wild how important locations are these days.

It would be amazing if an authoritarian government like that in Venezuela could just "facilitate" (such a funny word these days) getting a single convicted murderer into the US and then turn the US into the same kind of authoritarian government.

Whoops, I hope no other country in conflict with the US gets this idea, that pool has expanded significantly lately!

I recall reading about the people who slammed planes into the World Trade Center towers. They were not hell bent on destroying buildings, they were hell bent on destroying society of the US, destroying buildings was just a stepping stone. And, sure seems like they succeeded.

How would one go about detecting the IMSI commands? Would an advanced radio receiver be able to see these? I know pretty much nothing about SIGINT but been contemplating spending some time learning about it.
Just wanted to advertise that the EFF recently released an open source tool for detecting cell-site simulators. The hardware is like $20 and it's pretty easy to setup yourself. Worth having around to stay aware of what's out there, especially if you live in one of the places recently targeted by the administration.

https://github.com/EFForg/rayhunter/

I don’t know why your cellphone can’t do this. For example, It “knows” which towers are around your home. If all the sudden there’s a new one, pop up an alert.
[flagged]
> ICE used such a cell-site simulator in an attempt to track down an individual in Orem, Utah. The suspect had been ordered to leave the U.S. in 2023, but is believed to still be in the country. Investigators learned last month that before going to Utah, he’d escaped prison in Venezuela where he was serving a sentence for murder, according to the warrant. He’s also suspected of being linked to gang activity in the country, investigators said.

Sounds like a real cool guy.

Wiretaps have always been a tool in law enforcement's hands, and if it's subject to a warrant, which the article goes on to say it was, I am completely fine with this. If the ability to tap phone conversations 75 years ago didn't cause us to descend into fascism, I don't automatically think this is scary.

Am I wrong for suspecting that the policy that colors the current Administration’s tyranny has its roots in those prior (Bush II, Obama)? Were we not warned of the possible consequences when less sensational or consenting news broke back then?
the president's power has expanded far too much over the past 30 years. The supreme court and congress are really failing at their jobs.
(comment deleted)
This seems like it would be more useful as an Android app you can side load rather than a rust app.

If I am understanding correctly, I would need a mobile device?

Would this work using the phone as a hotspot? If so, then I guess my previous comment is moot.

If your cell phone is connected to cell towers, almost anyone can buy your location.

Only option is stay in airplane mode and use wifi.

The Forbes article says ICE acquired mobile cellular surveillance equipment and services under the Biden administration, and there have been IMSI catchers detected at demonstrations for a long time, for example at the Dakota Access Pipeline demonstrations in November, 2016[1]. It's not a new thing.

[1] https://www.justsecurity.org/34449/investigating-surveillanc...

isn’t this essentially a warrantless search of any bystander who happens to connect to the tower? basically random, digital stop-and-frisk?
"In a recently-unsealed search warrant reviewed by Forbes, ICE used such a cell-site simulator in an attempt to track down an individual in Orem, Utah. The suspect had been ordered to leave the U.S. in 2023, but is believed to still be in the country. Investigators learned last month that before going to Utah, he’d escaped prison in Venezuela where he was serving a sentence for murder, according to the warrant. He’s also suspected of being linked to gang activity in the country, investigators said."

slippery slope, I know...

Really wish Apple would allow us to lock our phones to 5g standalone so we can choose to make fake cell towers a thing of the past.

Update: I quickly searched this to see if it was available on the latest version of iOS and you can mostly use it on T-mobile USA with ios 17+. As they have enable support for 5g SA nationwide. if your SIM card has enabled 5G SA provisioning and if you set the iPhone to 5G On, it will not fall back in any area that has good T-mobile reception meaning they would have to turn off T-mobiles towers or you to be in a deadspot for the IMSI catcher to work. If you enter field test mode you can confirm that you are provisioned for NR SA in area that T-mobile has it’s own good towers with good reception. If it shows up you are provisioned. If not you can call t-mobile and ask that they provision it but many newer sims are provisioned with 5g SA by default and you can use 5G On setting instead of auto to only be vulnerable to downgrade attacks in weak signal areas and deadzones. I’m not an expert on this so if I’m wrong please comment.

What is the baseline spying by ALL agencies? For non experts this would be useful to know. Just heard something suggesting most comms are fully infiltrated anyway for certain foreign actors but have no idea how to validate those claims myself.