Moscow Metro says new tracking system is to find stolen phones; no one believes them

Tue Jul 30 01:56:38 PDT 2013

http://arstechnica.com/tech-policy/2013/07/moscow-metro-says-new-tracking-system-is-to-find-stolen-phones-no-one-believes-them/

Moscow Metro says new tracking system is to find stolen phones; no one
believes them

Experts: Russians are probably using fake cell tower devices for
surveillance.

by Cyrus Farivar - July 29 2013, 11:10pm +0200

On Monday, a major Russian newspaper reported that Moscow’s metro system is
planning what appears to be a mobile phone tracking device in its metro
stations—ostensibly to search for stolen phones.

According to Izvestia (Google Translate), Andrey Mokhov, the operations chief
of the Moscow Metro system’s police department, said that the system will
have a range of five meters (16 feet). “If the [SIM] card is wanted, the
system automatically creates a route of its movement and passes that
information to the station attendant,” Mokhov said.

Many outside experts, both in and outside Russia, though, believe that what
local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a
device that can fool a phone and SIM into reading from a fake mobile phone
tower. (IMSI, or an International Mobile Subscriber Identity number, is a
15-digit unique number that sits on every SIM card.) Such devices can be used
as a simple way to see what phone numbers are being used in a given area or
even to intercept the audio of voice calls.

The Moscow Metro did not immediately respond to our request for comment.

“Many surveillance technologies are created and deployed with legitimate aims
in mind, however the deploying of IMSI catchers sniffing mobile phones en
masse is neither proportionate nor necessary for the stated aims of
identifying stolen phones,” Eric King of Privacy International told Ars.

“Likewise the legal loophole they claim to be using to legitimize the
practice—distinguishing between tracking a person from a SIM card—is
nonsensical and unjustifiable. It's surprising it's being discussed so
openly, given in many countries like the United Kingdom, they refuse to even
acknowledge the existence of IMSI catchers, and any government use of the
technology is strictly national security exempted.”

These devices are in use, typically by law enforcement agencies worldwide,
including some in the United States. Portable, commercial IMSI catchers are
made by Swiss and British companies, among others, but in 2010, security
researcher Chris Paget announced that he built his own IMSI catcher for only
$1,500. Still, mobile security remains spy-versus-spy to some degree, each
measure matched by a countermeasure. In December 2011, Karsten Nohl, another
noted mobile security researcher, released "Catcher Catcher"—a piece of
software that monitors network traffic and looks at the likelihood an IMSI
catcher is in use.

Keir Giles, of the Conflict Studies Research Centre, an Oxford-based Russian
think tank, told Ars that Russian authorities are claiming a legal
technicality.

"They are claiming that although they are legally prohibited from
indiscriminate surveillance of people, the fact that they are following SIM
cards which are the property of the mobile phone operators rather than the
individuals carrying those SIM cards makes the tracking plans perfectly
legal," he said, adding that this reasoning is "weaselly and ridiculous."

The Russian newspaper also quoted Alexander Ivanchenko, executive director of
the Russian Security Industry Association, who pointed out that even to be
effective, such a system would need these devices every 10 meters (32 feet).

“It is obvious that the cost of the system is not commensurate with the value
of all the stolen phones,” he said. “Also, effective anti-theft technology is
already known: in the US, for example, the owner of the stolen phone knows
enough to call the operator—and the stolen device stops working, even if
another SIM-card is inserted.”

Two major Russian mobile providers, Beeline and Megafon, have told Russian
media (Google Translate) that they are unaware of this supposed anti-theft
measure. On the other hand, BBC Russian reports (Google Translate) that the
system is due to come online in late 2013 or early 2014.