My bad. I read the article this morning, then posted the link now. I didn't see the correction before, and now reading it, you're right. Deleting the parent.
Here are some excerpts from the WSJ paywalled article:
Cellphones are programmed to connect automatically to the strongest cell tower signal. The device being used by the U.S. Marshals Service identifies itself as having the closest, strongest signal, even though it doesn’t, and forces all the phones that can detect its signal to send in their unique registration information. Even having encryption on one’s phone, such as Apple Co. ’s iPhone 6 now includes, doesn’t prevent this process...
The program cuts out phone companies as an intermediary in searching for suspects. Rather than asking a company for cell-tower information to help locate a suspect, which law enforcement has criticized as slow and inaccurate, the government can now get that information itself. People familiar with the program say they do get court orders to search for phones, but it isn’t clear if those orders describe the methods used because the orders are sealed.
Also unknown are the steps taken to ensure data collected on innocent people isn’t kept for future examination by investigators. A federal appeals court ruled earlier this year that over-collection of data by investigators, and stockpiling of such data, was a violation of the Constitution.
And another blog post from 2013 saying "Immigration and Customs Enforcement (ICE) purchased $3 million worth of Stingrays over several years, and are purchasing airborne mounting kits for both drones and manned aircraft":
http://gritsforbreakfast.blogspot.com/2013/03/bypassing-tele...
An earlier FOIA response from 2012:
http://s3.documentcloud.org/documents/479397/stingrayfoia.tx...
"The training will cover all of Harris Stringray ll operations from an airborne platform.-Specifically, four students are to attend this special training on three different software packages GSM, and CDM mobile handsets) for the Program... The schedule is more unpredictable due to a large portion of the training taking place in an aircraft."
To summarize: if you live in the U.S.[1], your cell phone info (IMSI etc.) has been slurped up by flying FedGov "dirtboxes" without your knowledge, stored in perpetuity, without any law passed by Congress explicitly authorizing this, in violation of the Constitution's Fourth Amendment, and at best authorized by a secret court order from a secret court. Sigh.
[1] I presume most of the HN US readers live in or near metro areas, and the WSJ article says the program covers "most of the U.S. population." Obviously if you're in Idaho or Alaska, you're less likely to be caught in this particular data vacuum cleaner.
And I assume the "USA Freedom Act", which has been drastically watered down already and Democrats are now pretending to want to revive it (after losing Senate...) so they look good at the next elections, doesn't even cover this sort of surveillance.
There are two ways in which the "USA Freedom Act" could cover flying dirtboxes: regulation and reporting. I've been working on http://recent.io/ rather than following this closely but I'm not aware of any effect the bill would have on dirtboxes (love that term!).
In addition to the egrigious complaints citizens could make, wouldn't telecoms and cellphone manufacturers have grounds to sue over this? It sounds like these boxes are actively disrupting or reducing cell-phone service reliability by tricking devices to connect to them, despite not being a good tower.
IIRC, most phones will talk to multiple towers at the same time. They mention attempting to keep disruption to a minimum. One would assume they care about not tipping someone off if their phone was acting funny.
Ultimately, it's the government that mediates the dispute. They're the government's airwaves and you (the cell phone provider) receive a license to use them. I haven't read the relevant FCC regulations, but they can easily say "cell phone service is secondary; law enforcement is primary".
There is precedent: amateur radio operators can use any means available to them to transmit life-critical messages when licensed methods/frequencies don't work. If that was to set up a fake cell phone tower and get phones to connect, then one could argue that one was using the frequencies legally. (IANAL; don't do this and say I said it was OK. The usual case is something like using your amateur radio to contact the coast guard if your ship is sinking.)
While these active MitM attacks are important (the methods seem to be similar to ARP-poisioning), we shouldn't leave out the passive capabilities. These may not even be listed as a feature, if it is a different tool that parses the already-captured traffic as a deferred job.
As we see mentioned here on HN all the time, there is a massive amount interesting data that can be pulled out of large datasets. The original WP publication[1] about COTRAVELER gives a very nice example of the power in just knowing very-inaccurate (cell-sized) location data. You probably don't even need any particular cell-network identifying number, given how easy it is to correlate this kind of data to other identifiers.
The US Marshals are not the only federal law enforcement agency doing something like this. According to documents I obtained through a FOIA in 2012, ICE has purchased an airbourne mounting kit and paid for airbourne training for their Stingray II cell phone tracking gear.
See: https://www.documentcloud.org/documents/479397-#document/p44
with T-mobile and iOS, I have wifi calling. I would not be opposed if it turned off the cell antenna whenever I could instead make and receive calls over wifi.
The application OS is basically irrelevant when talking about cell communications. They'd have to design their own boards to even have a chance at isolating the "baseband" processor - to say nothing of controlling its behavior, especially as carriers want to keep its workings secret for "security"
Most phones (anything CDMA, or most everything LTE) use a Qualcomm SOC, with both the baseband and application processor sharing the same memory space. This is a recipe for anything on the application processor being pwned beyond recognition.
The last time I played with Qualcomm/CDMA (around 2007), I used proprietary software (QPST) to do undocumented incantations to clone an ESN from one phone to another. When I called the number, both rang. Picking both up led to hearing the conversation in both. This tells you precisely how good their idea of "encryption" is.
The entire Qualcomm ecosystem is a black box, and is there even a remote chance they don't have a partnership with the NSA? I'm sure San Diego is seen as a key national security interest - if it weren't "secured" by the NSA, then China/Russia intelligence would do so (or an uppity colony looking for a leg up).
I'll happily eat these words when there's an open source GSM or CDMA stack, portable hardware to run it, and the ability to pay for network access anonymously. But fr now, I see Wifi/Mifi as the only plausible way forward.
Can you provide some technical documentation that supports your assertion that the baseband and the application processor are sharing memory space? I thought they use different processors that are supporting essentially independent operating systems.
They're independent operating environments, but that doesn't mean their memories are isolated.
It's commonly accepted that most mobile SoCs operate this way. See the diagram/text on page 2 of https://www.usenix.org/system/files/conference/woot12/woot12... . To the extent that a specific Qualcomm processor might avoid such a design, it's impossible to know due to their longstanding culture of security through obscurity.
AFAIK, the Raspberry Pi is setup the same way, with the black box GPU being the master of the CPU that is commonly used to run Linux. This setup is only less problematic because the GPU lacks an unobservable network link.
Models like the Samsung i9300 have the modem chipset as an independent unit, although I've seen a block diagram indicating that the eMMC flash and modem RAM are in the same package, which is worrying.
Modern Qualcomm basebands are restricted by an MMU and isolated from the main OS. Carriers wanted this because baseband exploits were such a common way for phones to get rooted. Additionally they have been hardened considerably in recent times, apparently modern Qualcomm basebands are much, much harder to hack than they once were. And they run now on a proprietary CPU design called, I think, Hexagon, which makes even just disassembling the thing a bit tricky.
I can believe this, because they do have an interest in preventing any random party from taking over a phone. Unfortunately, there is a large gap between being resistant to exploits, and convincing the world that you're resistant to exploits through open review.
BTW do you mean "rooting" in the longstanding sense of general exploitation, or in the recent narrow sense of the owner of a device obtaining control of it? There's of course an overlap between these two, but insight into the specific business motivation would be interesting.
being from San Diego, i can state that SAIC is right physically down the street from any number of qualcomm campus buildings. also note, that while i am not a conspiracy guy, the security community there has always been fairly tight, a lot of the top feeders know each other, and there are a lot of interworking groups, guilds, clubs, that would easily lend themselves to partnerships, cooperations, things like that. i am just saying not to rule it out.
I think cell antennas have unique identifiers. If true, can you detect when you connect to a tower that isn't your usual tower in your usual geographic location (assuming you're being targeted at home, for example).
And if there is indeed a unique id, can the fake cell take the id of a real cell and still work with the cellphone company, or would it need the cooperation of the cellphone company? (for example, the cell company would look at hops?)
I guess it's too much to hope that the cellphone companies would try to protect our privacy.
Maybe someday we'll have police running things similar to license scanners but for cellphone conversations. They'll drive around the city recording conversations to detect keywords for illegal activity (herb, drug, murder of crows, etc)
EDIT: actually, I don't think they need to hijack cellphone connections. They can just listen in - at least they used to be able to. We determined the identities of the bombers of our embassies in Africa in the late-90s through cellphone conversations through RC-135s flying along the Africa coast from Diego Garcia, and an intelligence gathering satellite that drags an antenna behind it.
GSM contains half-baked kludge to make passive tracking of phones impractical. Phone transmits it's IMSI only when network asks it to (eg. when connecting to network) and then uses random session identifier ("TMSI") for normal traffic. So if you want to reliably identify and track particular phone or subscriber without assistance from network, you have to actively MitM the network.
Let's say they're flying a Cesna 1,500 feet over a metro area, that could easily be millions of cellphone connections. A regular cell tower can't handle that many. I'm wondering how this could work.
A $9,000 per machine. Is it possible for a civilian to purchase it?
Knowing this is unconstitutional and if there are no government laws (shouldn't be right?) forbidding you from purchasing it, can I sue them if they refuse to sell me one?
Correct me if I'm wrong but putting this machine around Wall Street (given you know how to sell and buy stocks) would probably get you $9k back in less than a day, hm?
I still wonder though, if cellphones technology is secure and traffic encrypted, then how come can they listen to it? Wouldn't it be that Verizon or Apple had to give them some sort of keys to open the traffic and read it? (serious question)
It's illegal for you to do something like this. Very illegal. They would likely arrest you for attempting to purchase one, even if you had done nothing wrong. You could try to sue them, but then you can do that at any time; trying is never the problem, the consequences are.
It's not a situation where they were granted permission to do it, in a Constitutionally friendly sort of way.
These are extra-legal programs, where nobody will get in trouble regardless of the context, and they're simply saying: just try to stop us.
These aren't passive devices. They have to "stomp" on AT&T's signal to get your phone to associate with them, then spoof as the carrier.
There is a loophole though - if you target a phone with the correct bands, one of the european bands is a ham radio band in the US, so licensed operators can play around that way.
No, and you can't sue any company for refusing to sell you their product. In some cases you can sue if they refuse to serve you based on discrimination (i.e. a restaurant or hotel) under the Federal Civil Rights Act, or even a state-level civil rights act or charter, but that's a different set of circumstances. There are all manner of businesses who refuse to sell their goods directly to the consumer and sell to distributors only, and they aren't getting sued over it.
There's also the issue that using the device, period, is against Federal law, yet our Federal government is doing it anyway. They get away with it because they can[1], but you would likely end up in prison, possibly without a public trial.
[1]I think what they are doing is wrong and illegal, but until a judge puts a stop to it they will continue to get away with it.
In all seriousness, when police circumvent the existing legal methods for gaining access to information, and when they spy on people without warrants, why should the "normal channels" be left open?
Isn't it about time to repeal things like CALEA, or to accept that the cost of having a system like this is that it should be the only system?
"But we're afraid bad guys would act like they live in a surveillance state if they actually knew they lived in a surveillance state!" I... I just don't know how to understand that mindset.
I know there are evil criminals in the world, and I'll bet that having power and dominion over everyone is a fun trip, but it's also corrosive to what the US has always pretended to be.
They could try, but they might not get it, and the carriers wouldn't like it - better to ask forgiveness than permission, right? I think it says this in the article.
Thinking aloud in terms of a "solution" - is it possible to build crowdsourced blocklists that can be subscribed to by users, and will refuse to let their phones connect to "fake" celltowers?
P.S. I'm not a wireless guy, so I don't know if there's any kind of a digital giveaway that can distinguish a fake cell tower versus the real one it is spoofing. If there isn't, then perhaps the fault lies with existing wireless comm. standards.
Not until the baseband processor is proprietary. And even then nothing prevents feds from just giving the towers new ids or just manipulating the blacklists.
My new kickstarter, a cell tower locator and a high power green laser pointer. When ever the device detects a cell tower above 500' AGL it activates the green laser pointer and directs it at the detected tower signal. :-)
This makes me wonder if the government has or is working on drones that hone in on a specific cellphone signal with a specific id after being trained.
Not just for tracking but an "icbm" kind of drone. First for military use, then for domestic use like how the police always get military weapon, iris scanners, etc.
The US is "at war" with the entire world, even their so-called friends. You don't spy on your friends, you spy on your enemies. You don't do secret raids and secret bombings on third parties, you do that to your enemies. We've always been at war with <fill in the blank>.
I understand that you can sniff IMSI without being a recognized carrier. But to actually get a cell phone to join your tower – don't you need the carrier's keys to be able to authenticate during the tower handshake? (iOS 5+ warns about unencrypted tower connections, so presumably these have to be authenticated UMTS?)
If so, should we expect that the carriers surrendered their keys to law enforcement to allow them to run fake cell towers that authentically emulate their networks?
That's how IMSI catchers work, your phone joins their network. The network determines the level of encryption, if any. And last I remember there were basically no handsets out there that would even report missing encryption, so I'm not too sure on the iOS 5+ part, but unless you are staring at your screen all the time you would probably miss any such warning anyway.
(Not to mention that A5/1 is broken, but since Stingrays have been around forever and companies don't like investing into something thats not broken, I don't think they even do that. Certainly not at 9k bucks.)
Last year a Cessna (a Skylane or Stationair) orbited the around central SF for several hours over 3 or 4 days. The edge of the track was right over my block. It would drone by every few minutes. It did not have a removed door or anything that would indicate camera platform. The constant orbit wouldn't make sense as an photographic mapping platform.
It was not on flighttrack, no ADS-B info, and too high to see the N number.
72 comments
[ 6.8 ms ] story [ 207 ms ] threadhttp://thehill.com/policy/technology/224129-report-feds-usin...
http://www.foxnews.com/politics/2014/11/13/secret-us-spy-pro...
https://twitter.com/cellhacking/status/524562944928264192
And all over Washington DC:
https://twitter.com/esdamerica/status/512293117052334080
This one is the most promising: http://signup.spideyapp.com/
Cellphones are programmed to connect automatically to the strongest cell tower signal. The device being used by the U.S. Marshals Service identifies itself as having the closest, strongest signal, even though it doesn’t, and forces all the phones that can detect its signal to send in their unique registration information. Even having encryption on one’s phone, such as Apple Co. ’s iPhone 6 now includes, doesn’t prevent this process...
The program cuts out phone companies as an intermediary in searching for suspects. Rather than asking a company for cell-tower information to help locate a suspect, which law enforcement has criticized as slow and inaccurate, the government can now get that information itself. People familiar with the program say they do get court orders to search for phones, but it isn’t clear if those orders describe the methods used because the orders are sealed.
Also unknown are the steps taken to ensure data collected on innocent people isn’t kept for future examination by investigators. A federal appeals court ruled earlier this year that over-collection of data by investigators, and stockpiling of such data, was a violation of the Constitution.
This isn't exactly new. Harris' Stingray price list has AIRBRN-KIT-CONUS for sale for $9,000, dating back to 2008: https://info.publicintelligence.net/Harris-SurveillancePrice...
Here's a 2013 post on the so-called DRTBOX: http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-sur...
And another blog post from 2013 saying "Immigration and Customs Enforcement (ICE) purchased $3 million worth of Stingrays over several years, and are purchasing airborne mounting kits for both drones and manned aircraft": http://gritsforbreakfast.blogspot.com/2013/03/bypassing-tele...
An earlier FOIA response from 2012: http://s3.documentcloud.org/documents/479397/stingrayfoia.tx... "The training will cover all of Harris Stringray ll operations from an airborne platform.-Specifically, four students are to attend this special training on three different software packages GSM, and CDM mobile handsets) for the Program... The schedule is more unpredictable due to a large portion of the training taking place in an aircraft."
To summarize: if you live in the U.S.[1], your cell phone info (IMSI etc.) has been slurped up by flying FedGov "dirtboxes" without your knowledge, stored in perpetuity, without any law passed by Congress explicitly authorizing this, in violation of the Constitution's Fourth Amendment, and at best authorized by a secret court order from a secret court. Sigh.
[1] I presume most of the HN US readers live in or near metro areas, and the WSJ article says the program covers "most of the U.S. population." Obviously if you're in Idaho or Alaska, you're less likely to be caught in this particular data vacuum cleaner.
There is precedent: amateur radio operators can use any means available to them to transmit life-critical messages when licensed methods/frequencies don't work. If that was to set up a fake cell phone tower and get phones to connect, then one could argue that one was using the frequencies legally. (IANAL; don't do this and say I said it was OK. The usual case is something like using your amateur radio to contact the coast guard if your ship is sinking.)
As we see mentioned here on HN all the time, there is a massive amount interesting data that can be pulled out of large datasets. The original WP publication[1] about COTRAVELER gives a very nice example of the power in just knowing very-inaccurate (cell-sized) location data. You probably don't even need any particular cell-network identifying number, given how easy it is to correlate this kind of data to other identifiers.
[1] http://apps.washingtonpost.com/g/page/world/how-the-nsa-is-t...
Anyone interested in learning more about IMSI catchers and their use by US law enforcement agencies might be interested in this law review article I wrote. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678
yep. The cell phone tracking has actively been used for tracking and targeting in Ukraine/Russia war on Donbass by both sides.
Maybe do something like what these guys did, but I'm sure they can come up with even more comprehensive protections:
http://www.wired.com/2014/09/cryptophone-firewall-identifies...
Given the above, I wonder if the airplanes are also listening to other stuff past cellular.
Most phones (anything CDMA, or most everything LTE) use a Qualcomm SOC, with both the baseband and application processor sharing the same memory space. This is a recipe for anything on the application processor being pwned beyond recognition.
The last time I played with Qualcomm/CDMA (around 2007), I used proprietary software (QPST) to do undocumented incantations to clone an ESN from one phone to another. When I called the number, both rang. Picking both up led to hearing the conversation in both. This tells you precisely how good their idea of "encryption" is.
The entire Qualcomm ecosystem is a black box, and is there even a remote chance they don't have a partnership with the NSA? I'm sure San Diego is seen as a key national security interest - if it weren't "secured" by the NSA, then China/Russia intelligence would do so (or an uppity colony looking for a leg up).
I'll happily eat these words when there's an open source GSM or CDMA stack, portable hardware to run it, and the ability to pay for network access anonymously. But fr now, I see Wifi/Mifi as the only plausible way forward.
It's commonly accepted that most mobile SoCs operate this way. See the diagram/text on page 2 of https://www.usenix.org/system/files/conference/woot12/woot12... . To the extent that a specific Qualcomm processor might avoid such a design, it's impossible to know due to their longstanding culture of security through obscurity.
AFAIK, the Raspberry Pi is setup the same way, with the black box GPU being the master of the CPU that is commonly used to run Linux. This setup is only less problematic because the GPU lacks an unobservable network link.
Even the i9100, with an independent modem, was found to be setup with shared memory for communication - http://redmine.replicant.us/projects/replicant/wiki/GalaxySI...
Models like the Samsung i9300 have the modem chipset as an independent unit, although I've seen a block diagram indicating that the eMMC flash and modem RAM are in the same package, which is worrying.
Modern Qualcomm basebands are restricted by an MMU and isolated from the main OS. Carriers wanted this because baseband exploits were such a common way for phones to get rooted. Additionally they have been hardened considerably in recent times, apparently modern Qualcomm basebands are much, much harder to hack than they once were. And they run now on a proprietary CPU design called, I think, Hexagon, which makes even just disassembling the thing a bit tricky.
BTW do you mean "rooting" in the longstanding sense of general exploitation, or in the recent narrow sense of the owner of a device obtaining control of it? There's of course an overlap between these two, but insight into the specific business motivation would be interesting.
Works on Intel xgold basebands by giving access to the event log
We have a long way to go in educating the general public about technology, its benefits, and its pitfalls.
And if there is indeed a unique id, can the fake cell take the id of a real cell and still work with the cellphone company, or would it need the cooperation of the cellphone company? (for example, the cell company would look at hops?)
I guess it's too much to hope that the cellphone companies would try to protect our privacy.
Maybe someday we'll have police running things similar to license scanners but for cellphone conversations. They'll drive around the city recording conversations to detect keywords for illegal activity (herb, drug, murder of crows, etc)
EDIT: actually, I don't think they need to hijack cellphone connections. They can just listen in - at least they used to be able to. We determined the identities of the bombers of our embassies in Africa in the late-90s through cellphone conversations through RC-135s flying along the Africa coast from Diego Garcia, and an intelligence gathering satellite that drags an antenna behind it.
Knowing this is unconstitutional and if there are no government laws (shouldn't be right?) forbidding you from purchasing it, can I sue them if they refuse to sell me one?
Correct me if I'm wrong but putting this machine around Wall Street (given you know how to sell and buy stocks) would probably get you $9k back in less than a day, hm?
I still wonder though, if cellphones technology is secure and traffic encrypted, then how come can they listen to it? Wouldn't it be that Verizon or Apple had to give them some sort of keys to open the traffic and read it? (serious question)
It's illegal for you to do something like this. Very illegal. They would likely arrest you for attempting to purchase one, even if you had done nothing wrong. You could try to sue them, but then you can do that at any time; trying is never the problem, the consequences are.
It's not a situation where they were granted permission to do it, in a Constitutionally friendly sort of way.
These are extra-legal programs, where nobody will get in trouble regardless of the context, and they're simply saying: just try to stop us.
http://www.wired.com/2014/04/threatlevel_0401_streetview/
There is a loophole though - if you target a phone with the correct bands, one of the european bands is a ham radio band in the US, so licensed operators can play around that way.
Also, the DIY version is about $1000.
No, and you can't sue any company for refusing to sell you their product. In some cases you can sue if they refuse to serve you based on discrimination (i.e. a restaurant or hotel) under the Federal Civil Rights Act, or even a state-level civil rights act or charter, but that's a different set of circumstances. There are all manner of businesses who refuse to sell their goods directly to the consumer and sell to distributors only, and they aren't getting sued over it.
There's also the issue that using the device, period, is against Federal law, yet our Federal government is doing it anyway. They get away with it because they can[1], but you would likely end up in prison, possibly without a public trial.
[1]I think what they are doing is wrong and illegal, but until a judge puts a stop to it they will continue to get away with it.
Isn't it about time to repeal things like CALEA, or to accept that the cost of having a system like this is that it should be the only system?
"But we're afraid bad guys would act like they live in a surveillance state if they actually knew they lived in a surveillance state!" I... I just don't know how to understand that mindset.
I know there are evil criminals in the world, and I'll bet that having power and dominion over everyone is a fun trip, but it's also corrosive to what the US has always pretended to be.
If this is legal, why can't they just subpoena carriers for the tower census data?
Hm, I see black market business potential here.
P.S. I'm not a wireless guy, so I don't know if there's any kind of a digital giveaway that can distinguish a fake cell tower versus the real one it is spoofing. If there isn't, then perhaps the fault lies with existing wireless comm. standards.
Not just for tracking but an "icbm" kind of drone. First for military use, then for domestic use like how the police always get military weapon, iris scanners, etc.
If so, should we expect that the carriers surrendered their keys to law enforcement to allow them to run fake cell towers that authentically emulate their networks?
(Not to mention that A5/1 is broken, but since Stingrays have been around forever and companies don't like investing into something thats not broken, I don't think they even do that. Certainly not at 9k bucks.)
It was not on flighttrack, no ADS-B info, and too high to see the N number.