fyi https://techcrunch.com/2017/06/02/who-catches-the-imsi-catchers-researchers-... Who catches the IMSI catchers? Researchers demonstrate Stingray detection kit Posted Jun 2, 2017 by Devin Coldewey Next Story Storyzy is a quote verifier that wants to skewer fake news Who catches the IMSI catchers? Researchers demonstrate Stingray detection kit IMSI catchers, devices used to spoof cell towers and intercept communications, are one of the most resented open secrets of law enforcement. Strict non-disclosure agreements prevent them from being acknowledged as existing, let alone being used — but researchers think they’ve found a way to spot the shady signal-snatchers. The devices, colloquially called Stingrays after a common model, work by sending out signals much like cell towers do; cell phones connect, identify themselves and send information like texts and calls through the fake tower, creating a sort of mobile wiretap. Critics have argued that innocent people’s data is caught up in this dragnet, but law enforcement has been less than forthcoming owing to gag orders from the companies that provide the devices. What’s needed is an independent method of identifying IMSI catchers in the wild. That’s what University of Washington researchers Peter Ney and Ian Smith have attempted to create with SeaGlass. “Up until now the use of IMSI-catchers around the world has been shrouded in mystery, and this lack of concrete information is a barrier to informed public discussion,” explained Ney in a UW news release. “Having additional, independent and credible sources of information on cell-site simulators is critical to understanding how — and how responsibly — they are being used.” The team put together a sort of super-powered wardriving setup that uses a “bait phone,” GSM modem, GPS unit, Wi-Fi hotspot and other wireless doodads packed into a single box. These devices monitor and record the wireless signals they encounter. In order to cover as much area as possible, boxes were attached to 15 vehicles being used by rideshare drivers in Seattle and Milwaukee. The baseline map shown as it grew; red signals are stronger and more reliable Over a period of two months, the kits collected a baseline of wireless activity, including known towers, private signals and so on. But sifting through the data revealed some suspicious outlier signals. One signal source, for instance, changed six times over the two months the frequencies on which it transmitted — unlike 96 percent of sources detected. Five of those frequencies were only able to be detected within 1,500 feet of the building. One might write this off as a test or nanocell, except for the fact that this particular source happens to be located in or around an immigration services building run by Homeland Security. Could that be a Stingray, in position to target recent immigrants? The data is consistent with that hypothesis, but more data is needed to be sure. The building in question, indicated by a diamond, produced many normal signals (green), but suspicious ones at close range (other colors) “We want to be careful about our conclusions,” cautioned Smith. “We did find weird and interesting patterns at certain locations that match what we would expect to see from a cell-site simulator, but that’s as much as we can say from an initial pilot study.” At the very least it also provides advocates and journalists with something to work with. In attempting last year to discover whether Seattle police were using Stingrays, I found myself lacking in pointed questions to ask: although I received an unequivocal “no,” rather than a brush-off, it would have been nice to have something specific in mind, like a location or operation. I may just ask DHS about the suspicious signal mentioned above. Unfortunately, the team wasn’t able to get their hands on an actual IMSI catcher to ground-truth these findings — the devices are jealously guarded by their keepers and information about them is really only available through leaked documents and the occasional missed redaction. Smith told me in an email that they did, however, roll their own Stingray-esque device based on what they know of how the things work. Researchers Peter Ney (left) and Ian Smith The detection kits contained around $500 worth of parts, all of which are specified in the paper describing the work. Smith suggested the cost could come down with scale, though. “We’re eager to push this out into the community and find partners who can crowdsource more data collection and begin to connect the dots in meaningful ways,” he said. Transparency advocates would love to have a working system like this, certainly, though it must also be said that the criminal element would find it useful too. But that’s the case with any tool, including IMSI catchers. You can find out more about the tool or explore the data the team has collected at the SeaGlass site. On 11/17/2017 07:39 PM, John Newman wrote:
On 2017-11-17 12:35, juan wrote:
On Fri, 17 Nov 2017 08:47:13 -0500 John Newman <jnn@synfin.org> wrote:
On Thu, Nov 16, 2017 at 09:46:55PM +0000, jim bell wrote:
Judge rules NYPD needed a warrant before using cell-site simulator
https://www.yahoo.com/newsroom/vibes/news/v-dd323ebb-416a-3b40-b6ef-7e9c677f...
Speaking of stingrays, does anyone on the list have any good resources to point to on building a DIY "stingray-like" device using OpenBTS? For research only, of course!
Do those things still work by forcing the phone to use an outdated unencrypted mode, or is the Amazing Secure Protocol used by phones broken? Or maybe the cops simply have the keys?
I'm not sure, but a very brief look at the OpenBTS website showed that there is a branch of the code that does support 3G these days.
The wikipedia article on "Stingray Phone Tracker" is actually pretty interesting -
https://en.wikipedia.org/wiki/Stingray_phone_tracker
Relevant excerpt:
Interception of communications content[edit]
By way of software upgrades,[16][29] the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site. The StingRay does this by way of the following man-in-the-middle attack: (1) simulate a cell site and force a connection from the target device, (2) download the target device's IMSI and other identifying information, (3) conduct "GSM Active Key Extraction"[16] to obtain the target device's stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content.
The "GSM Active Key Extraction"[16] performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider.[30] While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device.[31] Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail.
GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1.[32] However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time.[30] While A5/1 and A5/2 use different cypher strengths, they each use the same underlying encryption key stored on the SIM card.[31] Therefore, the StingRay performs "GSM Active Key Extraction"[16] during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key.[33] Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.[33]
I don't know if modern phones are still vulnerable to the "GSM Active Key Extraction" - haven't had more than a few moments to look at it.
The last I recall, OpenBTS did not support 3G or above, and of course has some fairly specific hardware requirements.. but I think there are patches out there, maybe? I need to do some more current research I suppose..
-- GPG fingerprint: 17FD 615A D20D AFE8 B3E4 C9D2 E324 20BE D47A 78C7