http://arstechnica.com/tech-policy/2013/07/moscow-metro-says-new-tracking-sy... Moscow Metro says new tracking system is to find stolen phones; no one believes them Experts: Russians are probably using fake cell tower devices for surveillance. by Cyrus Farivar - July 29 2013, 11:10pm +0200 On Monday, a major Russian newspaper reported that Moscow’s metro system is planning what appears to be a mobile phone tracking device in its metro stations—ostensibly to search for stolen phones. According to Izvestia (Google Translate), Andrey Mokhov, the operations chief of the Moscow Metro system’s police department, said that the system will have a range of five meters (16 feet). “If the [SIM] card is wanted, the system automatically creates a route of its movement and passes that information to the station attendant,” Mokhov said. Many outside experts, both in and outside Russia, though, believe that what local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a device that can fool a phone and SIM into reading from a fake mobile phone tower. (IMSI, or an International Mobile Subscriber Identity number, is a 15-digit unique number that sits on every SIM card.) Such devices can be used as a simple way to see what phone numbers are being used in a given area or even to intercept the audio of voice calls. The Moscow Metro did not immediately respond to our request for comment. “Many surveillance technologies are created and deployed with legitimate aims in mind, however the deploying of IMSI catchers sniffing mobile phones en masse is neither proportionate nor necessary for the stated aims of identifying stolen phones,” Eric King of Privacy International told Ars. “Likewise the legal loophole they claim to be using to legitimize the practice—distinguishing between tracking a person from a SIM card—is nonsensical and unjustifiable. It's surprising it's being discussed so openly, given in many countries like the United Kingdom, they refuse to even acknowledge the existence of IMSI catchers, and any government use of the technology is strictly national security exempted.” These devices are in use, typically by law enforcement agencies worldwide, including some in the United States. Portable, commercial IMSI catchers are made by Swiss and British companies, among others, but in 2010, security researcher Chris Paget announced that he built his own IMSI catcher for only $1,500. Still, mobile security remains spy-versus-spy to some degree, each measure matched by a countermeasure. In December 2011, Karsten Nohl, another noted mobile security researcher, released "Catcher Catcher"—a piece of software that monitors network traffic and looks at the likelihood an IMSI catcher is in use. Keir Giles, of the Conflict Studies Research Centre, an Oxford-based Russian think tank, told Ars that Russian authorities are claiming a legal technicality. "They are claiming that although they are legally prohibited from indiscriminate surveillance of people, the fact that they are following SIM cards which are the property of the mobile phone operators rather than the individuals carrying those SIM cards makes the tracking plans perfectly legal," he said, adding that this reasoning is "weaselly and ridiculous." The Russian newspaper also quoted Alexander Ivanchenko, executive director of the Russian Security Industry Association, who pointed out that even to be effective, such a system would need these devices every 10 meters (32 feet). “It is obvious that the cost of the system is not commensurate with the value of all the stolen phones,” he said. “Also, effective anti-theft technology is already known: in the US, for example, the owner of the stolen phone knows enough to call the operator—and the stolen device stops working, even if another SIM-card is inserted.” Two major Russian mobile providers, Beeline and Megafon, have told Russian media (Google Translate) that they are unaware of this supposed anti-theft measure. On the other hand, BBC Russian reports (Google Translate) that the system is due to come online in late 2013 or early 2014.