Saturday, May 21, 2016
A better way to detect Stingray use: crowdsource transient cell tower appearances
Functioning as a so-called “cell-site simulator,” the Stingray is a sophisticated portable surveillance device. The equipment is designed to send out a powerful signal that covertly dupes phones within a specific area into hopping onto a fake network. The feds say they use them to target specific groups or individuals and help track the movements of suspects in real time, not to intercept communications. But by design Stingrays, sometimes called “IMSI catchers,” collaterally gather data from innocent bystanders’ phones and can interrupt phone users’ service—which critics say violates a federal communications law.—Slate Future Tense, 1/10/2013
by Larry Geller
I learned this morning about an app that has the potential to impact the controversial use of cell tower simulation devices used to spy on our communications.
The use of false mobile towers. a surveillance technology also known as “Stingray,” to capture cellphone traffic has become commonplace. If the police (or hackers!) are operating a device that tricks nearby cellphones into sending it their traffic, everyone’s data is swept up. The cellphone user is unaware that everything said or transmitted as data is being captured.
If the user accesses a bank account, for example, the user name, password and the answer to that secret challenge question designed to enhance security, is all captured. If you believe that browser encryption saves you, fine. I’m not confident that it does, and not all access information is encrypted. Phone calls are typically not encrypted. They’ll have that. And the metadata identifies where everyone is and who they are communicating with, encrypted or not.
The use of these devices creates a “man-in-the-middle” attack that the smartphone user can’t defend against, especially since there’s no indication shown that the cell connection has been compromised. The only countermeasure? Leave your cellphone at home, with the battery removed. Of course, that’s not at all practical.So far, the main approach to detecting the use of Stingrays and their ilk by government agencies has been to file Freedom of Information Act requests. For example, here is a snip from an ACLU web page:
Last year, the ACLU sent public records [requests] to three dozen police and sheriffs’ departments in Florida seeking information about their use of Stingrays. Stingrays, also known as “cell site simulators,” or “IMSI catchers,” are invasive cell phone surveillance devices that mimic cell phone towers and force phones in the area to broadcast information that can be used to identify and locate them. Even when used to track a particular suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby. Numerous law enforcement agencies across the country possess Stingrays, but it’s often difficult to tell how much and how often they are used.
[ACLU, Florida Stingray FOIA]
While I’m glad that the ACLU and others are aiming to increase transparency, that alone will not prevent the violation of innocent citizens’ privacy rights. It could be the beginning of something, but I’ve thought that the road is likely to be long, hard and uncertain.
Why not, I thought, crowdsource the detection of these devices? It ought to be simple. Smartphones can tell which towers they are communicating with. New cell towers are seldom erected, so if a new cell tower ID appears, watch out, it might be a Stingray (or a hacker parked outside your house trying to steal your bank account access data).
Apps like Llama use tower ID information to find your location even when the phone GPS is off or the user is indoors. So, for example, I might be reminded of shopping I need to do in the Manoa Longs when the app detects that I’m in Manoa. Back home, there are an entirely different set of towers seen by the app.
So why not create an app to detect a new tower in a place you’ve already been? In other words, the phone keeps a database of cell towers and notes (and reports) the sudden appearance of a new cell tower. Perhaps transmission via a newly-discovered cell tower could even be blocked somehow, or at least, the user could be warned.
I let that thought die and wither away, since I don’t know how to develop the kind of app it would take to detect a new tower.
Fortunately, great minds think alike. An app is under development that does this, and it appears it can upload and download cell tower data to a central database.
So ACLU Florida: please have a look at it.
Check Tower Information Consistency
Check LAC/Cell ID Consistency
Check Neighboring Cell Info
Prevent silent app installations
Monitor Signal Strength
Detect silent SMS
That first part, detecting cell tower consistency, is the bit I mused on. The rest, to be honest, I have no idea what they are talking about. There are links, so I could eventually learn what a FemtoCell is…
So although I’ve just discovered this app, I have a suggestion for the ACLU and other privacy organizations:
Keep up your FOIA efforts, but at the same time, consider working with this or other app developers to create a public database of Stingray use.
I think the transparency question might be resolved more quickly, and a robust, production-quality app could be used to possibly protect also against hackers and this kind of surveillance.
Still not convinced this is needed? If you live in a city where there is a peace demonstration or perhaps even a Bernie Sanders rally, and even if you are not a participant, you could end up in a police database.
Or, if the technology should spread unchecked, a vehicle parked outside your condo or office building could pick up all the access info for everyone inside. Instead of police, the vehicle could belong to a hacker.
So I hope this kind of app—one that crowdsources observed Stingray usage—might be supported and that a national database can be created. It could be the fastest route to transparency, at least as far as knowing where the surveillance is taking place. Then bring on the FOIA to find out who is doing it.
At the very least we’ll learn who is being watched and how many of us are being watched.