Stingray warrant

John Newman jnn at synfin.org
Sat Nov 18 06:31:44 PST 2017



On November 18, 2017 5:04:36 AM EST, No <nonomos at mail.com> wrote:
>fyi
>
>https://techcrunch.com/2017/06/02/who-catches-the-imsi-catchers-researchers-demonstrate-stingray-detection-kit/
>
>Who catches the IMSI catchers? Researchers demonstrate Stingray
>detection kit
>Posted Jun 2, 2017 by Devin Coldewey
>
>
>IMSI catchers, devices used to spoof cell towers and intercept
>communications, are one of the most resented open secrets of law
>enforcement. Strict non-disclosure agreements prevent them from being
>acknowledged as existing, let alone being used — but researchers think
>they’ve found a way to spot the shady signal-snatchers.
>
>The devices, colloquially called Stingrays after a common model, work by
>sending out signals much like cell towers do; cell phones connect,
>identify themselves and send information like texts and calls through
>the fake tower, creating a sort of mobile wiretap. Critics have argued
>that innocent people’s data is caught up in this dragnet, but law
>enforcement has been less than forthcoming owing to gag orders from the
>companies that provide the devices.
>
>What’s needed is an independent method of identifying IMSI catchers in
>the wild. That’s what University of Washington researchers Peter Ney and
>Ian Smith have attempted to create with SeaGlass.
>
>“Up until now the use of IMSI-catchers around the world has been
>shrouded in mystery, and this lack of concrete information is a barrier
>to informed public discussion,” explained Ney in a UW news release.
>“Having additional, independent and credible sources of information on
>cell-site simulators is critical to understanding how — and how
>responsibly — they are being used.”
>
>The team put together a sort of super-powered wardriving setup that uses
>a “bait phone,” GSM modem, GPS unit, Wi-Fi hotspot and other wireless
>doodads packed into a single box. These devices monitor and record the
>wireless signals they encounter. In order to cover as much area as
>possible, boxes were attached to 15 vehicles being used by rideshare
>drivers in Seattle and Milwaukee.
>
>The baseline map shown as it grew; red signals are stronger and more
>reliable
>
>Over a period of two months, the kits collected a baseline of wireless
>activity, including known towers, private signals and so on. But sifting
>through the data revealed some suspicious outlier signals.
>
>One signal source, for instance, changed the frequencies on which it
>transmitted six times over the two months — unlike 96 percent of sources
>detected. Five of those frequencies could only be detected within
>1,500 feet of the building.
>
>One might write this off as a test or nanocell, except for the fact that
>this particular source happens to be located in or around an immigration
>services building run by Homeland Security. Could that be a Stingray, in
>position to target recent immigrants? The data is consistent with that
>hypothesis, but more data is needed to be sure.
>
>The building in question, indicated by a diamond, produced many normal
>signals (green), but suspicious ones at close range (other colors)
>
>“We want to be careful about our conclusions,” cautioned Smith. “We did
>find weird and interesting patterns at certain locations that match what
>we would expect to see from a cell-site simulator, but that’s as much as
>we can say from an initial pilot study.”
>
>At the very least it also provides advocates and journalists with
>something to work with. In attempting last year to discover whether
>Seattle police were using Stingrays, I found myself lacking in pointed
>questions to ask: although I received an unequivocal “no,” rather than a
>brush-off, it would have been nice to have something specific in mind,
>like a location or operation. I may just ask DHS about the suspicious
>signal mentioned above.
>
>Unfortunately, the team wasn’t able to get their hands on an actual IMSI
>catcher to ground-truth these findings — the devices are jealously
>guarded by their keepers and information about them is really only
>available through leaked documents and the occasional missed redaction.
>Smith told me in an email that they did, however, roll their own
>Stingray-esque device based on what they know of how the things work.
>
>Researchers Peter Ney (left) and Ian Smith
>
>The detection kits contained around $500 worth of parts, all of which
>are specified in the paper describing the work. Smith suggested the cost
>could come down with scale, though.
>
>“We’re eager to push this out into the community and find partners who
>can crowdsource more data collection and begin to connect the dots in
>meaningful ways,” he said.
>
>Transparency advocates would love to have a working system like this,
>certainly, though it must also be said that the criminal element would
>find it useful too. But that’s the case with any tool, including IMSI
>catchers.
>
>You can find out more about the tool or explore the data the team has
>collected at the SeaGlass site.
>


That's interesting.

There are a bunch of stingray-catcher apps for Android phones, like
SnoopSnitch and Cell Spy Catcher and others... I'm not endorsing any of
these, not sure how well they work / if there are better alternatives.
It's an interesting area, something I mean to play with more when I can
find the time (particularly an OpenBTS or OpenBTS + Asterisk setup).


>On 11/17/2017 07:39 PM, John Newman wrote:
>> On 2017-11-17 12:35, juan wrote:
>>> On Fri, 17 Nov 2017 08:47:13 -0500
>>> John Newman <jnn at synfin.org> wrote:
>>>
>>>> On Thu, Nov 16, 2017 at 09:46:55PM +0000, jim bell wrote:
>>>> >
>>>> > Judge rules NYPD needed a warrant before using cell-site simulator
>>>> >
>>>>
>https://www.yahoo.com/newsroom/vibes/news/v-dd323ebb-416a-3b40-b6ef-7e9c677f40d2_c-645869bc-ed23-32cb-b67d-15f65e240573_a-645869bc-ed23-32cb-b67d-15f65e240573
>>>>
>>>> Speaking of stingrays, does anyone on the list have any good resources
>>>> to point to on building a DIY "stingray-like" device using OpenBTS?
>>>> For research only, of course!
>>>
>>>
>>>     Do those things still work by forcing the phone to use an
>>>     outdated unencrypted mode, or is the  Amazing Secure Protocol
>>>     used by phones broken? Or maybe the cops simply have the keys?
>>>
>>>
>>
>> I'm not sure, but a very brief look at the OpenBTS website showed that
>> there is a branch of the code that does support 3G these days.
>>
>> The wikipedia article on "Stingray Phone Tracker" is actually pretty
>> interesting -
>>
>> https://en.wikipedia.org/wiki/Stingray_phone_tracker
>>
>> Relevant excerpt:
>>
>>
>>
>> Interception of communications content
>>
>> By way of software upgrades,[16][29] the StingRay and similar Harris
>> products can be used to intercept GSM communications content
>> transmitted over-the-air between a target cellular device and a
>> legitimate service provider cell site. The StingRay does this by
>> way of the following man-in-the-middle attack: (1) simulate a cell
>> site and force a connection from the target device, (2) download
>> the target device's IMSI and other identifying information, (3)
>> conduct "GSM Active Key Extraction"[16] to obtain the target device's
>> stored encryption key, (4) use the downloaded identifying information
>> to simulate the target device over-the-air, (5) while simulating
>> the target device, establish a connection with a legitimate cell
>> site authorized to provide service to the target device, (6) use
>> the encryption key to authenticate the StingRay to the service
>> provider as being the target device, and (7) forward signals between
>> the target device and the legitimate cell site while decrypting and
>> recording communications content.
>>
>> The "GSM Active Key Extraction"[16] performed by the StingRay in
>> step three merits additional explanation. A GSM phone encrypts all
>> communications content using an encryption key stored on its SIM
>> card with a copy stored at the service provider.[30] While simulating
>> the target device during the above explained man-in-the-middle
>> attack, the service provider cell site will ask the StingRay (which
>> it believes to be the target device) to initiate encryption using
>> the key stored on the target device.[31] Therefore, the StingRay
>> needs a method to obtain the target device's stored encryption key
>> else the man-in-the-middle attack will fail.
>>
>> GSM primarily encrypts communications content using the A5/1 call
>> encryption cypher. In 2008 it was reported that a GSM phone's
>> encryption key can be obtained using $1,000 worth of computer
>> hardware and 30 minutes of cryptanalysis performed on signals
>> encrypted using A5/1.[32] However, GSM also supports an export
>> weakened variant of A5/1 called A5/2. This weaker encryption cypher
>> can be cracked in real-time.[30] While A5/1 and A5/2 use different
>> cypher strengths, they each use the same underlying encryption key
>> stored on the SIM card.[31] Therefore, the StingRay performs "GSM
>> Active Key Extraction"[16] during step three of the man-in-the-middle
>> attack as follows: (1) instruct target device to use the weaker
>> A5/2 encryption cypher, (2) collect A5/2 encrypted signals from
>> target device, and (3) perform cryptanalysis of the A5/2 signals
>> to quickly recover the underlying stored encryption key.[33] Once
>> the encryption key is obtained, the StingRay uses it to comply with
>> the encryption request made to it by the service provider during
>> the man-in-the-middle attack.[33]
>>
>>
>>
>>
>>
>> I don't know if modern phones are still vulnerable to the "GSM Active
>> Key Extraction" - haven't had more than a few moments to look at it.
>>
>>
>>
>>
>>>
>>>>
>>>> The last I recall, OpenBTS did not support 3G or above, and of course
>>>> has some fairly specific hardware requirements.. but I think there
>>>> are patches out there, maybe? I need to do some more current research
>>>> I suppose..
>>>>
>>
>> -- 
>> GPG fingerprint: 17FD 615A D20D AFE8 B3E4  C9D2 E324 20BE D47A 78C7
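The two outlier signals the quoted TechCrunch piece singles out (a cell that keeps re-tuning its transmit frequency, and frequencies only ever heard within a short radius of one building) can be written down as a concrete check. The block below is an added example, not SeaGlass's own code or data: the scan record fields, the thresholds, the cell identifiers and the Seattle-area coordinates are all constructed for illustration, and the real SeaGlass analysis is not claimed to work this way.

```python
"""Added example (not SeaGlass code): frequency-hopping and short-footprint
heuristics run over constructed bait-phone scan records."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Scan:
    """One sighting of a cell by a bait phone. Field names are assumptions."""
    ts: int       # seconds since epoch (constructed)
    cell: str     # cell identity as reported (MCC-MNC-LAC-CID), constructed
    arfcn: int    # GSM channel number the cell was heard on
    lat: float
    lon: float
    rssi: int     # dBm


def distance_m(a: Scan, b: Scan) -> float:
    """Great-circle (haversine) distance between two sightings, in metres."""
    p1, p2 = radians(a.lat), radians(b.lat)
    dphi, dlam = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))


def frequency_changes(scans):
    """Per cell: how many consecutive sightings (by time) were on a different ARFCN."""
    seq = defaultdict(list)
    for s in sorted(scans, key=lambda s: s.ts):
        seq[s.cell].append(s.arfcn)
    return {c: sum(a != b for a, b in zip(f, f[1:])) for c, f in seq.items()}


def footprint_m(scans):
    """Per (cell, ARFCN): the largest distance between any two of its sightings."""
    groups = defaultdict(list)
    for s in scans:
        groups[(s.cell, s.arfcn)].append(s)
    return {k: max((distance_m(a, b) for a, b in combinations(v, 2)), default=0.0)
            for k, v in groups.items()}


def flag_suspicious(scans, min_changes=3, max_radius_m=460, min_short_arfcns=2):
    """Flag cells that re-tuned at least min_changes times AND have at least
    min_short_arfcns channels never heard more than max_radius_m apart
    (1,500 ft is about 460 m). The change gate matters: a cell seen only once
    has a footprint of 0 m and would otherwise look 'short range'."""
    changes, fp = frequency_changes(scans), footprint_m(scans)
    flagged = []
    for cell, n in changes.items():
        short = sum(1 for (c, _), r in fp.items() if c == cell and r <= max_radius_m)
        if n >= min_changes and short >= min_short_arfcns:
            flagged.append(cell)
    return sorted(flagged)


# Constructed records: two ordinary macro cells heard across the city (one of
# them legitimately re-planned once), and one cell that hops channel six times
# and is only ever heard within ~200 m of a single spot.
CONSTRUCTED_SCANS = [
    Scan(1000, "310-260-4321-11001", 128, 47.600, -122.340, -85),
    Scan(2000, "310-260-4321-11001", 128, 47.620, -122.330, -80),
    Scan(3000, "310-260-4321-11001", 128, 47.650, -122.310, -90),
    Scan(4000, "310-260-4321-11001", 128, 47.610, -122.350, -88),
    Scan(1500, "310-260-4321-11002", 140, 47.605, -122.345, -87),
    Scan(2500, "310-260-4321-11002", 140, 47.625, -122.325, -82),
    Scan(3500, "310-260-4321-11002", 141, 47.640, -122.315, -91),
    Scan(1100, "310-260-9999-1", 60, 47.6150, -122.3300, -60),
    Scan(1200, "310-260-9999-1", 60, 47.6160, -122.3290, -65),
    Scan(2100, "310-260-9999-1", 75, 47.6140, -122.3310, -62),
    Scan(2200, "310-260-9999-1", 75, 47.6155, -122.3295, -61),
    Scan(3100, "310-260-9999-1", 82, 47.6150, -122.3300, -63),
    Scan(3200, "310-260-9999-1", 82, 47.6145, -122.3305, -64),
    Scan(4100, "310-260-9999-1", 60, 47.6152, -122.3298, -59),
    Scan(5100, "310-260-9999-1", 91, 47.6158, -122.3302, -66),
    Scan(6100, "310-260-9999-1", 75, 47.6148, -122.3299, -60),
    Scan(7100, "310-260-9999-1", 104, 47.6151, -122.3301, -62),
]

if __name__ == "__main__":
    print("ARFCN changes per cell:", frequency_changes(CONSTRUCTED_SCANS))
    print("flagged:", flag_suspicious(CONSTRUCTED_SCANS))
```

On the constructed data the hopping cell shows six ARFCN changes and five short-range channels, and is the only one flagged; the macro cell that re-planned once is not, because it fails the change gate. Real data needs a much larger baseline (the article's kits ran for two months) before a threshold like three changes means anything, and a nanocell or a test transmitter will trip the same rule, which is exactly the caveat the researchers give.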


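The seven-step man-in-the-middle and the "GSM Active Key Extraction" in the Wikipedia excerpt quoted above can be followed more easily as a message-level simulation. The block below is an added example, not code from the Wikipedia article, from the list posters, or from any real cell-site simulator. The SIM algorithms and the two ciphers are deliberate stand-ins (HMAC/SHA-256 keystreams and a 16-bit toy Kc, so that the "A5/2 cryptanalysis" is a brute force), not GSM's A3/A8/A5; the names Phone, Network, a3_a8, a5, crack_weak_leg and run_attack are all assumed. What it reproduces is the structural point of the excerpt: phone and network derive one Kc from Ki and the network's RAND, both A5/1 and A5/2 are keyed with that same Kc, so breaking the weak cipher on the phone leg hands the impostor the key the network expects on the strong leg. For the recovered key to be the one the network is waiting for, the impostor has to relay the real network's RAND to the phone, which is why the challenge is forwarded before the key is extracted.

```python
"""Added example (not from the excerpt or any real StingRay): toy simulation of
the A5/2-downgrade man-in-the-middle. Ciphers and SIM algorithms are stand-ins."""
import hashlib
import hmac
import os

KC_BYTES = 2  # toy key size so the weak-leg "cryptanalysis" is a brute force; real Kc is 64 bits
CIPHER_MODE_COMPLETE = b"CIPHER MODE COMPLETE"  # first ciphered uplink message has fixed content


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3/A8: SRES (4 bytes) and Kc from Ki and RAND."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:4 + KC_BYTES]


def a5(kc: bytes, variant: str, frame: int, data: bytes) -> bytes:
    """Stand-in for A5/1 and A5/2: XOR with a keystream of (Kc, variant, frame).
    The variant changes the keystream but not the key; that is the property that matters."""
    ks = b""
    for ctr in range((len(data) + 31) // 32):
        ks += hashlib.sha256(kc + variant.encode() + frame.to_bytes(4, "big") + bytes([ctr])).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


class Phone:
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc, self.variant = imsi, ki, None, None

    def identity_response(self):          # answers the fake cell's IDENTITY REQUEST
        return self.imsi

    def authenticate(self, rand):         # AUTHENTICATION REQUEST -> SRES; Kc kept on the "SIM"
        sres, self.kc = a3_a8(self.ki, rand)
        return sres

    def cipher_mode(self, variant):       # CIPHER MODE COMMAND -> already-ciphered CIPHER MODE COMPLETE
        self.variant = variant
        return a5(self.kc, variant, 0, CIPHER_MODE_COMPLETE)

    def send(self, frame, payload):
        return a5(self.kc, self.variant, frame, payload)


class Network:
    def __init__(self, subscribers):      # AuC: IMSI -> Ki
        self.subscribers, self.sessions = subscribers, {}

    def auth_request(self, imsi):
        rand = os.urandom(16)
        self.sessions[imsi] = a3_a8(self.subscribers[imsi], rand)  # (sres, kc)
        return rand

    def auth_response(self, imsi, sres):
        return hmac.compare_digest(sres, self.sessions[imsi][0])

    def cipher_mode_command(self):
        return "A5/1"                     # the real network asks for the stronger cipher

    def cipher_mode_complete(self, imsi, ciphertext):
        return a5(self.sessions[imsi][1], "A5/1", 0, ciphertext) == CIPHER_MODE_COMPLETE

    def receive(self, imsi, frame, ciphertext):
        return a5(self.sessions[imsi][1], "A5/1", frame, ciphertext)


def crack_weak_leg(ciphertext, known_plaintext, frame):
    """Excerpt step (3) stand-in. Real A5/2 falls to algebraic cryptanalysis with
    known plaintext; the toy cipher falls to brute force over its 2^16 keys."""
    for k in range(256 ** KC_BYTES):
        kc = k.to_bytes(KC_BYTES, "big")
        if a5(kc, "A5/2", frame, ciphertext) == known_plaintext:
            return kc
    raise ValueError("no key found")


def run_attack(secret_sms=b"SMS: meet at the usual place"):
    ki = os.urandom(16)
    phone = Phone("001010123456789", ki)          # test-range IMSI, constructed
    network = Network({phone.imsi: ki})
    imsi = phone.identity_response()              # steps (1)-(2): phone camps on the impostor
    rand = network.auth_request(imsi)             # steps (4)-(5): impostor connects as the phone
    sres = phone.authenticate(rand)               # ... and relays RAND/SRES between the two
    authenticated = network.auth_response(imsi, sres)
    net_wants = network.cipher_mode_command()     # network: A5/1
    first_ciphered = phone.cipher_mode("A5/2")    # impostor tells the phone: A5/2
    kc = crack_weak_leg(first_ciphered, CIPHER_MODE_COMPLETE, frame=0)   # step (3)
    accepted = network.cipher_mode_complete(imsi, a5(kc, "A5/1", 0, CIPHER_MODE_COMPLETE))  # (6)
    ct_from_phone = phone.send(1, secret_sms)     # step (7): decrypt one leg, re-encrypt the other
    intercepted = a5(kc, "A5/2", 1, ct_from_phone)
    delivered = network.receive(imsi, 1, a5(kc, "A5/1", 1, intercepted))
    return {"authenticated": authenticated, "network_cipher": net_wants,
            "cipher_mode_accepted": accepted, "key_recovered": kc == phone.kc,
            "intercepted": intercepted, "delivered": delivered}


if __name__ == "__main__":
    print(run_attack())
```

The brute force over 65,536 toy keys takes well under a second; it stands in for the real-time A5/2 break the excerpt cites and nothing more. Nothing in the simulation says anything about whether a given modern handset still accepts an A5/2 cipher mode command, which is the open question John raises in the quoted message.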

More information about the cypherpunks mailing list