StingRay and the cellphone surveillance
In a previous post, I detailed the technologies used to track mobile devices, with a specific reference to the StingRay IMSI-catcher (International Mobile Subscriber Identity).
An IMSI-catcher is a surveillance solution used by law enforcement, military and intelligence agencies for telephony eavesdropping, it is the technology used for intercepting mobile phone traffic and tracking movements of mobile phone users.
An IMSI catcher runs a Man in the Middle (MITM) attack acting as a bogus mobile cell tower that sits between the target mobile phone and the service provider’s real towers.
The only way to prevent being tracked by an IMSI catcher is using specific products that secure communication on mobile devices. Modern Sting Ray implements a large number of functionalities, they allow attackers to intercept calls and Internet traffic, send fake texts, locate the devices and also inject malware, typically spyware and mobile RAT, that allows to gain full control over the victim’s device an exfiltrate the data.
The use of the IMSI-catcher is condemned by privacy advocates, the StingRay and other IMSI surveillance systems are invasive and the principal problem related to their usage is that they operate a dragnet surveillance spying not only the targeted mobile, but concurrently also all nearby cellular devices.
Figure 1 – StingRay
How does StingRay work?
Stingray equipment could operate in both active and passive modes, in the first case the device simulates the behavior of a wireless carrier cell tower, in the second case it actively interferes with cellular devices performing operations like data exfiltration.
The Stingray system is typically installed in a vehicle in a way that agents can move it into any neighborhood, it tricks all nearby cellular devices into connecting to it and allowing data access by law enforcement. Recently law enforcement and intelligence agencies installed Geo-Locating systems also on aircraft and drones.
Let us see in detail the two operative modes implemented by the StingRay technology.
The Passive mode
A StingRay that is operating in passive mode is able to receive and analyze signals being transmitted by mobile devices and wireless carrier cell stations.
The term “passive” indicates that the equipment doesn’t communicate directly with cellular devices and does not simulate a wireless carrier cell site.
By adopting a passive mode technique, the attacker can extract information related to the cell phone, including identification numbers, signal strength, and signal coverage areas. The Stingray operates as a mobile phone and collect signals sent by cell stations near the equipment.
The Active mode
A StingRay equipment operating in “active mode” will force each cellular device in a predetermined area to disconnect from its legitimate service provider cell site and establish a new connection with the attacker’s StingRay system. StingRay broadcasts a pilot signal that is stronger than the signals sent by legitimate cell sites operating in the same area, forcing connections from the cellular device in the area covered by the equipment. The principal operations made by the StingRay are:
- Data Extraction from cellular devices – The StingRay collects information that identifies a cellular device (i.e. IMSI, ESN) directly from it using radio waves.
- Run Man in The Middle attacks to eavesdrop Communications Content
- Writing Metadata to the cellular device
- Denial of Service, preventing the cellular device user to place a call or access data services.
- Forcing an Increase in Signal Transmission Power
- Forcing an Abundance of Signal Transmissions
- Tracking and Locating
Figure 2 – StingRay case study
Tracking cellular devices, a prolific market
A growing number of actors are interested in the StingRay technology, not only law enforcement, but also foreign intelligence agencies use these devices to spy on their targets.
In this paragraph we will analyze in detail the solutions available on the market, at least the most popular ones.
Recently the news agency The Intercept has leaked online a secret catalog of cellphone spying devices used by the US intelligence, and not only. The document is a precious source of information that has been given to the online publication by someone inside the intelligence community.
The person who passed the document to The Intercept declared to be concerned about the growing militarization of domestic law enforcement.
“The Intercept obtained the catalogue from a source within the intelligence community concerned about the militarization of domestic law enforcement. (The original is here.)” states the post published on the Intercept.
“A few of the devices can house a “target list” of as many as 10,000 unique phone identifiers. Most can be used to geolocate people, but the documents indicate that some have more advanced capabilities, like eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one can retrieve deleted text messages.”
There are some devices small enough to fit in a backpack such as the Blackfin that allows agents to eavesdrop nearby communications.
The document also includes many other cellphone spying devices that are less popular of the Stingray that could be used by law enforcement and intelligence agencies in various scenarios, including the deployment on drones and aircraft.
One of the spying devices is sold by the NSA, while another was designed for use by the CIA.
These systems are a long debated because they allow authorities to conduct dragnet surveillance, the cellphone spying devices have been used by local law enforcement agencies across the United States for a long time.
“The archetypical cell-site simulator, the Stingray, was trademarked by Harris Corp. in 2003 and initially used by the military, intelligence agencies, and federal law enforcement.” continues the post. “Another company, Digital Receiver Technology, now owned by Boeing, developed dirt boxes — more powerful cell-site simulators — which gained favor among the NSA, CIA, and U.S. military as good tools for hunting down suspected terrorists. The devices can reportedly track more than 200 phones over a wider range than the Stingray.”
The Intercept also reported the case of Marc Raimondi who was employed by the Harris company and that now is a Department of Justice spokesman who claims the agency’s use of Stingray cellphone spying devices is legal.
Jennifer Lynch, a senior staff attorney at the Electronic Frontier Foundation has repeatedly expressed its disappointment in the use of these devices in a domestic context.
“We’ve seen a trend in the years since 9/11 to bring sophisticated surveillance technologies that were originally designed for military use—like Stingrays or drones or biometrics—back home to the United States,” said Jennifer Lynch “But using these technologies for domestic law enforcement purposes raises a host of issues that are different from a military context.”
The Blackfin is a device produced by the Harris Corporation, the same that designed the StingRay. It has limited dimension that allow agents to worn it on the body, its main features are the eavesdropping capability (both voice and text) and possibility to use it to shut down nearby devices in a selective mode.
It costs $75,000, and implements a mobile controller via Bluetooth.
Figure 3 -Blackfin Device
DRT 1101B, aka dirt boxes
This surveillance device allows agents to monitor up to 10,000 mobile devices, making it ideal for monitoring during public events and political protests. It is able to target both analog and digital wireless devices, intercepting voice data.
Figure 4 – Dirty Box
These devices could be also mounted in an aircraft or a drone flying over the targeted people.
It is sold by Digital Receiver Technologies, a subsidiary of Boeing Integrated Defense Systems and costs $78,850.00.
The equipment belongs to a complete family of devices known as dirt boxes which includes DRT 1183, DRT 1201C, DRT 1301C, DRT1101B
The DRT 1301C and the DRT 4411B provide features similar to other tools of the family but they are characterized by a limited overall dimensions. They cost respectively $100,000 and $40,000.
Figure 5 – DRT 4411B DIRT Box
Typhon is a surveillance product designed by the experts of the TAO unit at the National Security Agency, it is able to capture data only from GSM mobile devices. It works only in the US, but won’t work on Sprint, Verizon, and U.S. Cellular phones in the United States. The device has an operative range of 30 kilometers in rural areas and 5 kilometers in urban ones. It cost $175,800.
Figure 6 – NSA Typhon
The Triggerfish is an eavesdropping equipment that allows law enforcement to intercept cellular conversations in real time. Its use extends the basic capabilities of StingRay, which are more oriented to device location monitoring and gathering metadata. The Triggerfish allows authorities to monitor up to 60,000 different phones at one time over the targeted area.
Figure 7 – Triggerfish
According a post published by the journalist Ryan Gallagher on Ars, its cost ranges between $90,000 and $102,000.
Cyberhawk is able to exfiltrate data off over 79 mobile devices, including SMS messages, phonebook, dialed numbers, and any other file stored in the phone. It is a privileged instrument for espionage and investigation, it can be used to track network of individuals analyzing the information on their mobile devices.
Figure 8 – Cyber Hawk
The Kingfish is a surveillance transceiver produced by the Harris Corporation that is used by law enforcement and intelligence agencies to track cellular devices and exfiltrate information from mobile devices over a targeted area. It could be concealed in a briefcase and allow to gather unique identity codes and show connections between phones and numbers being dialed. Its cost is slightly higher than $42433.
The device is able to locate a phone only when the phone is turned on and the owner isn’t involved in a conversation, it works with both GSM and CDMA phones.
Figure 9 – Kingfish
Stargrazer is a military device used to degrade or disrupt a targeted adversary’s command and control (C2) system on the satellite Thuraya Handsets (HS). The equipment is able to extract IMSI, IMEI and other metadata from the handset locating it, and jam the device when operates in “attack mode.”
Figure 10 – Stargrazer III
The Radiance is a fixed Wing Geo-Location system is able to capture, query and locate CDMA-2000 and IS-95 mobile devices.
Figure 11 -Radiance
Windjammer is a hand-held satellite simulator that can be used to geo-locate a handset or launch a denial of service attack on a given target. It tricks satellite terminals into thinking they are communicating with the legitimate network. It is manufactured by the SR Technologies Inc which offer it for sale at $192,000.00.
Figure 12 – Windjammer
The Amberjack is an important accessory for the surveillance systems like Stingray, Gossamer, and Kingfish. It is a direction-finding system antenna that is used for cellular device tracking. It costs nearly $35,015
The Harpoon is an “amplifier” (PDF) that can work in conjunction with both Stingray and Kingfish devices to track targets from a greater distance. Its cost ranges between $16,000 and $19,000.
Figure 13 – Harpoon
Hailstorm is a surveillance device that could be purchased as a standalone unit or as an upgrade to the Stingray or Kingfish. The system allows the tracking of cellular devices even if they are based on modern technology.
“Procurement documents (PDF) show that Harris Corp. Has, in at least one case, recommended that authorities use the Hailstorm in conjunction with software made by the Nebraska-based surveillance company Pen-Link. The Pen-Link software appears to enable authorities deploying the Hailstorm to directly communicate with cell phone carriers over an Internet connection, possibly to help coordinate the surveillance of targeted individuals.” states Ars in a blog post.
The cost of Hailstorm is $169,602 if it is sold as a standalone unit, and it could be cheaper if acquired as an upgrade of other surveillance devices.
Raven is one of the most powerful tools for surveillance of WCDMA, it is able to interrogate and geolocate target devices. It can operate from the air or from the ground. Among its limitations, it requires a separate network survey device and can cause Denial of Service (DOS) during operation of the UMTS network. It costs $800K.
Figure 14 – Raven
The Gossamer is a portable unit that is used to access data on cellular devices operating in a target area. Gossamer provides similar functionality of Stingray with the advantage of being a hand-held model. The Gossamer lets also law enforcement to run a DoS attack on a target blocking it from making or receiving calls, as explained in the marketing materials (PDF) published by a Brazilian reseller of the Harris equipment.
The Gossamer is sold for $19,696.
Figure 15 – The Gossamer
Garuda (g-box) and the Carman II
The G-Box a GSM airborne geo-location system that emulates a GSM network Base Station to trick victims’ devices to connect it. The device is able to spy only on those handsets whom IMSI (International Mobile Subscriber Identity) or IMEI (International Mobile Station Equipment Identity) is included in a target watch list.
When the targeted handset is registered to the box, a geo-location solution is calculated. Its cost is $185,000.00.
Figure 16 – Key-W G-Box
The same Key W company also produces the Carman II, aka C-Box II, which is a GSM BTS that operates in like the Garuda. It works in the 850/900/1800/1900 MHz GSM bands and cost $130,000.
Figure 17 – Carman II
Artemis and Artemis II
Artemis is a family of GSM Geo-location systems produced by the Martone Radio Technology (MRT) company that operate like the Carman and G-box devices. The principal limitation related to these equipment is that they cannot be mounted on an airplane and can be used exclusively as a ground system in coordination with Nemesis/Maximus.
Ethical Hacking Training – Resources (InfoSec)
The version Artemis “T” to be used for Thuraya in development. The cost for both Artemis and Artemis II devices is $83,333.00.
Figure 18 – Artemis
Maximus is a Ground GSM stimulation & geo-location device that simulates a BTS to STIM handset into RF TCH allowing for DF. The system incorporates the Artemis equipment to implement geo-location functionality.
It can operate from a ground distance ~1-4 Km, also in this case in order to capture the target the handset must be on and not engaged in a call. It is sold by the Martone Radio Technology, Inc. for $365,000.00
Figure 19 – Maximus
The DeepPark is a fixed Wing Geo Location manufactured by the Rincon IAW NRO and offered for sale at $250,000.
The surveillance equipment could target 450 sub-band A/C, 800, and 1900MHz CDMA-2000 & IS-95 mobile devices. It could be used to conduct both passive and active stimulation and geolocation of the. Differently from other similar devices, it cannot be used to launch a DOS attack on the system.
Figure 20 – DeepPark
The Nebula is another surveillance device developed by the experts at the NSA. Nebula is a geo-location system designed to monitor GSM (Multi-Band), CDMA, UMTS, and HSDPA. Currently can target HPCP, GSM, Inmarsat, Thuraya, CDMA-2000, HSDPA devices.
Nebula is able to lock and hold traffic from a distance of 12 miles and is able to GeoLocate a device within 200m. The catalogue disclosed by the Intercept revealed Nebula has high DC power requirements.
Figure 21 – Nebula
Spying from the Sky
In November 2014, the Wall Street Journal revealed a secret U.S. surveillance program leveraging on bogus cell phone towers installed in airplanes to scan Americans’ cell phones and syphon their data.
Figure 22 – WSJ about Dirtboxes on a Plane
“The boxes used by the program allow planes to pose as the nearest cell phone tower, which prompts cell phones under surveillance to disclose their location and identity information, even if a legitimate tower is closer than the plane overhead. The dirtboxes also have the ability to interrupt calls, though officials have reportedly tried to mitigate the harmful consequences of that function.” reported the Business Insider.
The technique was adopted by US law enforcement, the Justice Department used this method to collect huge amount of data to use in its investigations.
Security and privacy experts are contrary to this “insanely broad airplane data dragnet” because it affects people all over the country.
The program started in 2007 and U.S. Marshals used different aircrafts equipped with the spying technology, also referred as dirtboxes, to spy data from individuals on the entire US soil.
“The U.S. Marshals Service program, which became fully functional around 2007, operates Cessna aircraft from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.
Planes are equipped with devices—some known as “dirtboxes” to law-enforcement officials because of the initials of the Boeing Co. unit that produces them—which mimic cell towers of large telecommunications firms and trick cellphones into reporting their unique registration information.”
The technique allows law enforcement to spy on tens of thousands of cellphones in a single flight, collecting their identifying information, metadata and many other information.
The catalogue disclosed by the Intercept provided more information on the equipment that could be mounted on Aircraft and drones to spy on mobile.
Below the list of the surveillance equipment:
|Icarus – NVDF||AST (Raytheon)||$1,5 Mil||Geolocation System|
|Twister Firescout APG||Northrop Grumman||N/A||Base Station Router|
|Traveler (EW-FOS)||BAE Systems||$750K||Active/passive GSM geo-location System|
|Guava G-POD/STE LOS||Northrop Grumman IS ICW General Atomics||N/A||GSM airborne (UAV) geo-location system|
|Garwind – Blos POD||N/A||N/A||GSM airborne (UAV) geo-location system|
|Gilgamesh||Sierra Nevada Corporation ICW NSA OTRS/DAED and General Atomics||N/A||Geo-location system|
|Airhandler||Sierra Nevada Corporation ICW NSA OTRS/DAED and General Atomics||N/A||Geo-location system|
The information disclosed by the Intercept and contained in the catalogue provided by an anonymous source in the US intelligence are very precious to understand the methods of investigation of the US intelligence and law enforcement. The Stingray technology raises serious privacy concerns because it is used in dragnet surveillance activities.
Anyway, the massive surveillance is prohibited in the US by the Fourth Amendment, and organizations for the defense of Civil Liberties request government to provide warrants to use surveillance technologies like the StingRay.
Organizations such as the American Civil Liberties Union and Electronic Privacy Information Center (EPIC) highlighted in many cases the risks related to the use of such method of investigation.
Despite the heated debate on the surveillance technology, such kind of devices still represents a privileged solution for the secret surveillance operations conducted by governments worldwide.