Mobile Phones From Apple, Google And Samsung, etc. Send Your Private Information To “Fake” Cell Phone Towers
This is strange.
I called Apple today to find out what Apple was doing to prevent their (my smart phones) cellphones from communicating with “fake” cell phone towers as mentioned in this blog.
However, even though I took the advice of the person I spoke to today (1-14-2015 12:18pm) over the phone and went to “discussions.apple.com” and posted my concern about my phone’s security or lack thereof, I was told by one person “roaminggnome” (his reply was “so”), and another person “Lawrence Finch” replied, “This forum is for people seeking help and people providing help.
I’m not sure why you thought it necessary to post a story that has been in every newspaper in the US for the past few weeks and most news sources in the rest of the world.”
I guess “Lawrence Finch” figured that just because the matter had been published in newspapers, etc. already, that somehow meant the problem had been fixed or even addressed?
Silly me. I guess my hard-earned money spent on these devices means absolutely nothing in terms of me getting what I paid for!
It seems to me that Apple has instructed me to interact with people who seem to think my investment in my Apple phones, laptops, desktops, etc. is such a trivial issue that I should not be concerned about asking and being concerned about whether or not my phones are sending my supposedly “secure” data to “Dirtboxes” on a plane or planes.
Now I wonder what other critical flaws are allowed to be passed off as trivial matters?
Again, I followed the instructions of the phone rep. (and Apple can check the logs: (1-14-2015 12:18pm)) and this is what I get: condescension, belittling and complete ignorance from “fanboys” who have no clue of the severity of the issues I (and the Wall Street Journal) have raised!
And to add insult to injury, they (the people who manage the “discussion forums”) removed my posts and banned me from the discussion forums!!
Let this be a lesson to anyone willing to even allude to the prospect that the emperor might not have clothes on!
The bottom line is this. I was told (I read in the “Wall Street Journal”) that Apple, Google and Samsung were touting their latest smart phones for their NSA-proof encryption.
However, I’m not quite sure what good that is if anyone can fool the phones into sending and communicating with “fake” cell phone towers. Why should we feel any more comfortable with these new smart phones as compared to some of the oldest phones ever sold?
It appears that we (those who want actual security and privacy) will have to stick with third-party companies that have experience in this area and actually provide security and encryption (certificates) where the hardware and operating system is developed from the ground-up and not an after-thought.
I also (as instructed by the same phone rep.) went to “Apple.com/feedback” to let them know about this issue as well. I can’t wait to hear how they will choose to gloss-over this serious security matter.
Monty Henry, security expert and owner of:
Dirtboxes On A Plane
Fake Cellphone Towers on Planes Used to Target Criminals, but Also Sift Through Thousands of Other Phones.
WASHINGTON—The Justice Department is scooping up data from thousands of cellphones through fake communications towers deployed on airplanes, a high-tech hunt for criminal suspects that is snagging a large number of innocent Americans, according to people familiar with the operations.
The U.S. Marshals Service program, which became fully functional around 2007, operates Cessna aircraft from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.
Planes are equipped with devices—some known as “dirtboxes” to law-enforcement officials because of the initials of the Boeing Co. unit that produces them—which mimic cell towers of large telecommunications firms and trick cellphones into reporting their unique registration information.
The technology in the two-foot-square device enables investigators to scoop data from tens of thousands of cellphones in a single flight, collecting their identifying information and general location, these people said.
People with knowledge of the program wouldn’t discuss the frequency or duration of such flights, but said they take place on a regular basis.
A Justice Department official would neither confirm nor deny the existence of such a program. The official said discussion of such matters would allow criminal suspects or foreign powers to determine U.S. surveillance capabilities. Justice Department agencies comply with federal law, including by seeking court approval, the official said.
The program is the latest example of the extent to which the U.S. is training its surveillance lens inside the U.S. It is similar in approach to the National Security Agency’s program to collect millions of Americans’ phone records, in that it scoops up large volumes of data in order to find a single person or a handful of people.
The U.S. government justified the phone-records collection by arguing it is a minimally invasive way of searching for terrorists.
Christopher Soghoian, chief technologist at the American Civil Liberties Union, called it “a dragnet surveillance program. It’s inexcusable and it’s likely—to the extent judges are authorizing it—[that] they have no idea of the scale of it.”
Cellphones are programmed to connect automatically to the strongest cell tower signal. The device being used by the U.S. Marshals Service identifies itself as having the closest, strongest signal, even though it doesn’t, and forces all the phones that can detect its signal to send in their unique registration information.
Even having encryption on one’s phone, such as Apple Co.’s iPhone 6 now includes, doesn’t prevent this process.
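The pattern described above, a tower the phone has never used that presents the strongest signal and makes the phone register, can be looked for from the handset side. The Python below is an added example, not part of the article or of any vendor's software; the log format, the thresholds and the two heuristics (unfamiliar location area, signal far above the learned baseline) are assumptions, and the sample data is constructed.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample log of serving-cell readings (not real measurements).
# MCC 001 / MNC 01 is the test network code; LAC = location area code,
# CID = cell id, dbm = received signal strength.
SAMPLE_LOG = """\
time,mcc,mnc,lac,cid,dbm
09:00,001,01,5021,18001,-97
09:05,001,01,5021,18002,-93
09:10,001,01,5021,18001,-95
09:15,001,01,5021,18003,-99
09:20,001,01,5021,18002,-92
09:25,001,01,9999,40111,-58
09:30,001,01,5021,18001,-96
09:35,001,01,5021,18004,-94
"""


@dataclass(frozen=True)
class Observation:
    time: str
    mcc: str
    mnc: str
    lac: int
    cid: int
    dbm: int

    @property
    def cell(self):
        """Identity of the cell as the phone sees it."""
        return (self.mcc, self.mnc, self.lac, self.cid)

    @property
    def area(self):
        """Location area the cell claims to belong to."""
        return (self.mcc, self.mnc, self.lac)


def parse_log(text):
    """Parse the CSV log into Observation records, in file order."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Observation(r["time"], r["mcc"], r["mnc"],
                    int(r["lac"]), int(r["cid"]), int(r["dbm"]))
        for r in rows
    ]


def find_suspect_cells(observations, learn=5, margin_db=15):
    """Return [(observation, reasons)] for cells that look out of place.

    The first `learn` readings are treated as the normal environment.
    After that, a cell never seen before is flagged when
      - it announces a location area absent from the baseline (a phone
        performs a fresh registration when the location area changes), or
      - its signal exceeds the strongest baseline reading by `margin_db`.
    Both thresholds are assumptions chosen for this example.
    """
    baseline, rest = observations[:learn], observations[learn:]
    known_cells = {o.cell for o in baseline}
    known_areas = {o.area for o in baseline}
    strongest = max((o.dbm for o in baseline), default=None)

    suspects = []
    for obs in rest:
        if obs.cell in known_cells:
            continue  # a tower already seen in the normal environment
        reasons = []
        if obs.area not in known_areas:
            reasons.append("new location area")
        if strongest is not None and obs.dbm >= strongest + margin_db:
            reasons.append("signal outlier")
        if reasons:
            suspects.append((obs, reasons))
        else:
            # Unfamiliar cell, but same area and ordinary signal level:
            # treat it as a normal neighbouring tower from now on.
            known_cells.add(obs.cell)
    return suspects


if __name__ == "__main__":
    for obs, reasons in find_suspect_cells(parse_log(SAMPLE_LOG)):
        print(f"{obs.time} LAC {obs.lac} CID {obs.cid} {obs.dbm} dBm: "
              + ", ".join(reasons))
```

A hit from heuristics like these is a reason to look closer, not proof of a fake tower: a newly commissioned cell or a drive past a rooftop antenna can trigger the same conditions.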
The technology is aimed at locating cellphones linked to individuals under investigation by the government, including fugitives and drug dealers, but it collects information on cellphones belonging to people who aren’t criminal suspects, these people said.
They said the device determines which phones belong to suspects and “lets go” of the non-suspect phones.
The device can briefly interrupt calls on certain phones. Authorities have tried to minimize the potential for harm, including modifying the software to ensure the fake tower doesn’t interrupt anyone calling 911 for emergency help, one person familiar with the matter said.
The program cuts out phone companies as an intermediary in searching for suspects. Rather than asking a company for cell-tower information to help locate a suspect, which law enforcement has criticized as slow and inaccurate, the government can now get that information itself.
People familiar with the program say they do get court orders to search for phones, but it isn’t clear if those orders describe the methods used because the orders are sealed.
Also unknown are the steps taken to ensure data collected on innocent people isn’t kept for future examination by investigators. A federal appeals court ruled earlier this year that over-collection of data by investigators, and stockpiling of such data, was a violation of the Constitution.
The program is more sophisticated than anything previously understood about government use of such technology. Until now, the hunting of digital trails created by cellphones had been thought limited to devices carried in cars that scan the immediate area for signals.
Civil-liberties groups are suing for information about use of such lower-grade devices, some of them called Stingrays, by the Federal Bureau of Investigation.
New York Police Department officials sought to clarify the department’s use of specialized surveillance technology Thursday after a report detailed the degree to which the NYPD used so-called stingray devices to track cellphones.
The documents cited by the New York Civil Liberties Union showed that police deployed the technology more than 1,000 times since 2008 with no public debate and a lower legal standard than a warrant, which is typically required for searches.
Until Thursday, the NYPD hadn’t publicly acknowledged that it used stingrays.
The NYPD called the NYCLU report “misleading,” saying that it relied on a higher legal standard than the advocates claimed and restricted the information it collected through the technology.
Stingrays mimic a cellphone tower, tricking phones into making a connection. They enable officers to pinpoint the location of a subject and can intercept data like phone numbers, texts and emails. The technology also can pick up information from all cellphones in the area, not just the target.
The NYPD said it didn’t intercept contents of communication, including text messages or phone conversations.
“We get the number and that’s it,” said Chief Kerry Sweet, the commanding officer of the NYPD’s legal bureau. “We do not pick up information from other people standing by, innocent bystanders, passersby. This does not lock on their phone or pick any information from their phones.”
Chris Dunn, the NYCLU’s associate legal director, was skeptical. “To the extent they claim to limit use of their stingrays, that’s their claim,” Mr. Dunn said. “The documents they produced do not establish any limits on their use.”
Stingrays have proliferated in police departments across the U.S. in recent years, resulting in a patchwork of policies and raising new questions over whether technology is outpacing privacy laws written in an analog age.
In response to the scrutiny, the NYPD said it was writing down its policies for using the devices.
Privacy advocates called the absence of public discussion to date over these issues “striking and troubling.”
“We’re talking about powerful equipment that can locate people even inside their homes and sweep up information from innocent bystanders,” said Mariko Hirose, senior staff attorney at NYCLU. “The public needs to have a way to analyze or evaluate whether the benefits outweigh the costs.”
In many cases, police departments have hidden their use of the devices, signing nondisclosure agreements with the companies that build the surveillance equipment or even directly with the federal government.
The NYPD signed a nondisclosure form with Harris Corp. in 2011, according to the documents.
As a result, the public has frequently learned its police force is using stingrays only after lawsuits or public information requests, concerning privacy advocates.
Since the terrorist attacks of Sept. 11, 2001, police agencies increasingly have been “asking for forgiveness rather than permission,” said Neil Richards, law professor at Washington University in St. Louis, who specializes in privacy issues.
“What they’re doing is very aggressive and it has the potential to really fundamentally reshape the balance of civil liberties that we spent a long time fighting for.”
The Supreme Court hasn’t ruled on whether deploying stingrays without a warrant violates the Fourth Amendment, which protects against unreasonable search and seizure. Still, last year the federal government began requiring a warrant for its use in most federal cases, Mr. Richards said.
From the NYCLU’s perspective, the collection by stingrays of locations and other information amounts to a search and seizure, and therefore the use of stingrays should require a warrant.
Instead of a warrant, the NYPD has used the lower legal standard known as a “pen register order.”
Under New York state law, authorities only need to have a reasonable suspicion to apply for a court-ordered subpoena, but the NYPD requires investigators to have probable cause before it submits an application, said Lawrence Byrne, the head of the NYPD’s legal bureau.
“The judge has to decide if we have shown that there is probable cause,” Mr. Byrne said.
If the NYPD does have probable cause, “they should get a warrant, which is what’s required by the Fourth Amendment,” Ms. Hirose said.
The documents released Thursday show the NYPD used the technology primarily to make arrests for serious crimes including murder, rape, robbery and kidnapping.
The NYPD wouldn’t give examples of how it uses the technology, but did cite its use to save a woman who was trying to commit suicide last week when they located her in her car in upper Manhattan by tracking her cellphone.
By taking the program airborne, the government can sift through a greater volume of information and with greater precision, these people said. If a suspect’s cellphone is identified, the technology can pinpoint its location within about three meters, down to a specific room in a building.
Newer versions of the technology can be programmed to do more than suck in data: They can also jam signals and retrieve data from a target phone such as texts or photos. It isn’t clear if this domestic program has ever used those features.
Similar devices are used by U.S. military and intelligence officials operating in other countries, including in war zones, where they are sometimes used to locate terrorist suspects, according to people familiar with the work.
In the U.S., these people said, the technology has been effective in catching suspected drug dealers and killers. They wouldn’t say which suspects were caught through this method.
The scanning is done by the Technical Operations Group of the U.S. Marshals Service, which tracks fugitives, among other things. Sometimes it deploys the technology on targets requested by other parts of the Justice Department.
Within the Marshals Service, some have questioned the legality of such operations and the internal safeguards, these people said.
They say scooping up of large volumes of information, even for a short period, may not be properly understood by judges who approve requests for the government to locate a suspect’s phone.
Some within the agency also question whether people scanning cellphone signals are doing enough to minimize intrusions into the phone system of other citizens, and if there are effective procedures in place to safeguard the handling of that data.
It is unclear how closely the Justice Department oversees the program. “What is done on U.S. soil is completely legal,” said one person familiar with the program. “Whether it should be done is a separate question.”
Referring to the more limited range of Stingray devices, Mr. Soghoian of the ACLU said: “Maybe it’s worth violating privacy of hundreds of people to catch a suspect, but is it worth thousands or tens of thousands or hundreds of thousands of peoples’ privacy?”
The existence of the cellphone program could escalate tensions between Washington and technology companies, including the telecom firms whose devices are being redirected by the program.
If a suspect is believed to have a cellphone from Verizon Inc., for example, the device would emit a signal fooling Verizon phones and those roaming on Verizon’s network into thinking the plane is the nearest available Verizon cell tower.
Phones that are turned on, even if not in use, would “ping” the flying device and send their registration information. In a densely populated area, the dirtbox could pick up data of tens of thousands of cellphones.
The approach is similar to what computer hackers refer to as a “man in the middle” attack, in which a person’s electronic device is tricked into thinking it is relaying data to a legitimate or intended part of the communications system.
A Verizon spokesman said the company was unaware of the program. “The security of Verizon’s network and our customers’ privacy are top priorities,” the spokesman said. “However, to be clear, the equipment referenced in the article is not Verizon’s and is not part of our network.”
An AT&T Inc. spokeswoman declined to comment, as did a spokeswoman for Sprint Corp.
For cost reasons, the flights usually target a number of suspects at a time, rather than just a single fugitive. But they can be used for a single suspect if the need is great enough to merit the resources, these people said.
The dirtbox and Stingray are both types of what tech experts call “IMSI catchers,” named for the identification system used by networks to identify individual cellphones.
The name “dirtbox” came from the acronym of the company making the device, DRT, for Digital Recovery Technology Inc., people said. DRT is now a subsidiary of Boeing. A Boeing spokeswoman declined to comment.
“DRT has developed a device that emulates a cellular base station to attract cellphones for a registration process even when they are not in use,” according to a 2010 regulatory filing Boeing made with the U.S. Commerce Department, which touted the device’s success in finding contraband cellphones smuggled in to prison inmates.
A Justice Department official on Friday defended the legality of a program to scoop up data from thousands of mobile phones as the secret operation came under scrutiny from lawmakers and caught the federal agency that regulates the nation’s airwaves by surprise.
The Justice Department, without formally acknowledging the existence of the program, defended the legality of the operation by the U.S. Marshals Service, saying the agency doesn’t maintain a database of everyday Americans’ cellphones.
DPL-Surveillance-Equipment.com on Thursday revealed the program, in which Cessna aircraft are outfitted with devices—some known as “dirtboxes” to law-enforcement officials—that mimic cell towers of large telecommunications companies and trick cellphones into reporting identifying information in a hunt for criminal suspects.
The technology enables investigators to scoop data from tens of thousands of phones in a single flight, collecting the number and general location, according to people familiar with the program.
On Friday, the Federal Communications Commission, which regulates the nation’s airwaves, said it had no idea about the program.
“We were not aware of this activity,” said Kim Hart, a spokeswoman for the FCC, which licenses and regulates cell-service providers.
Democratic lawmakers also began looking for answers.
“Americans are rightfully disturbed by just how pervasive collection of mobile-phone information is, even of innocent individuals,” said Sen. Edward Markey (D., Mass.). “While this data can be an important tool for law enforcement to identify and capture criminals and terrorists, we must ensure the privacy rights of Americans are protected….
The collection of Americans’ personal information raises significant legal and privacy concerns, particularly for innocent consumers.”
Sen. Al Franken (D., Minn.), said he was “concerned by recent reports about the Justice Department’s collection of cellphone data from aircraft, and we need to find out more details about this program.” Mr. Franken said “while law-enforcement agents need to be able to track down and catch dangerous suspects, that should not come at the expense of innocent Americans’ privacy.”
A Justice Department official on Friday refused to confirm or deny the existence of such a program, because doing so would allow criminals to better evade law enforcement.
But the official said it would be “utterly false” to conflate the law-enforcement program with the collection of bulk telephone records by the National Security Agency, a controversial program already being challenged in the courts and by some members of Congress.
The official didn’t address the issue of how much data, if any, is held on the dirtboxes by law-enforcement officials but said the agency doesn’t maintain any databases of general public cellphone information and said any activity is legal and “subject to court approval.”
The Marshals’ investigative techniques are deployed “only in furtherance of ordinary law-enforcement operations, such as the apprehension of wanted individuals, and not to conduct domestic surveillance or intelligence gathering,” the official said.
The program’s defenders say it has been an effective way of catching fugitives, including drug suspects and suspected killers, but they declined to provide specific examples in which it was used.
Frederick Joyce, an attorney specializing in communications law, said the program raises legal questions beyond just the privacy issues that concern civil libertarians.
“In my experience, the only folks authorized to transmit on those channels are licensed carriers, period,” said Mr. Joyce. The phone companies, he said, “are adamant about protecting their customers against any kind of harmful interference, and this to me is harmful interference.”
People familiar with the program say it is designed to be minimally disruptive to cellular networks.
The program operates from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.
The name dirtbox came from the acronym of the company making the device, DRT, for Digital Recovery Technology Inc., people familiar with the matter said. DRT is now a wholly owned subsidiary of Boeing Co. A Boeing spokeswoman declined to comment.
The Central Intelligence Agency played a crucial role in helping the Justice Department develop technology that scans data from thousands of U.S. cellphones, part of a little-known high-tech alliance between the spy agency and domestic law enforcement, according to people familiar with the work.
Together, the CIA and the U.S. Marshals Service, an agency of the Justice Department, developed technology to locate specific cellphones in the U.S. through an airborne device that mimics a cellphone tower, these people said.
Today, the Justice Department program, whose existence was first reported by us last year, is used to hunt criminal suspects. The same technology is used to hunt terror suspects and intelligence targets overseas, the people said.
The Justice Department program operates specially equipped planes that fly from five U.S. cities, with a flying range covering most of the U.S. population.
Planes are equipped with devices—some past versions were dubbed as “dirtboxes” by law-enforcement officials—which trick cellphones into reporting their unique registration information.
In that way, the surveillance system briefly identifies large numbers of cellphones belonging to citizens unrelated to the search. The practice can also briefly interfere with the ability to make calls, these people said.
Some law-enforcement officials, however, are concerned the aerial surveillance of cellphone signals inappropriately mixes together traditional police work with the tactics and technology of overseas spy work that is constrained by fewer rules.
Civil liberties groups say the technique amounts to a digital dragnet of innocent Americans’ phones.
The CIA has a long-standing prohibition that bars it from conducting most types of domestic operations, and officials at both the CIA and the Justice Department said they didn’t violate those rules.
The cooperation between the CIA and the Justice Department on this technology began a decade ago, when the spy agency arranged for the Marshals Service to receive more than $1 million in gear to conduct such surveillance, said people familiar with the program.
In total, more than $100 million went into research and development of the devices.
For years, the U.S. Marshals’ Technical Operations Group worked with the CIA’s Office of Technical Collection to develop the technology. In the early days it was the CIA that provided the most resources, said the people familiar with the matter.
The CIA gave the Marshals Service the ability to conduct what officials called “silent stimulation” of cellphones. By using a device that mimics a cell tower, all phones in range of that tower send in their identifying information.
When the device finds the target phone it is seeking in that sea of information, the plane circles over the phone until the device can locate it to within about 3 yards.
Some versions of the technology can do more than just identify and locate the phone. They can also be used to intercept signals and conversations coming from the phone, these people said.
U.S. military and intelligence agencies have used the technology in Afghanistan, Iraq, and elsewhere to hunt terrorists, and map the use of cellphones in such places, according to people familiar with the work.
The cooperation between technical experts at the CIA and the Marshals Service, which law-enforcement officials have described as a “marriage,” represents one way criminal investigators are increasingly relying on U.S. intelligence agencies for operational support and technical assistance in the wake of the Sept. 11, 2001, terror attacks.
Within the Justice Department, many officials support the joint effort with the CIA as having made valuable contributions to both domestic and overseas operations.
A CIA spokesman declined to comment on whether the CIA or any other agency uses the devices. Some technologies developed by the agency “have been lawfully and responsibly shared with other U.S. government agencies,” the spokesman said.
“How those agencies use that technology is determined by the legal authorities that govern the operations of those individual organizations—not CIA.”
He also said the relationship between the Marshals Service and the CIA’s tech experts couldn’t be characterized as a marriage.
The Justice Department, which oversees the Marshals Service, would neither confirm nor deny the existence of such technology, saying that doing so would tip off criminals. A Justice Department spokesman said Marshals Service’s techniques are “carried out consistent with federal law, and are subject to court approval.”
The agency doesn’t conduct “domestic surveillance, intelligence gathering, or any type of bulk data collection,” the spokesman said, adding that the agency also doesn’t gather any intelligence on behalf of U.S. spy agencies.
To civil libertarians, the close involvement of America’s premier international spy agency with a domestic law-enforcement arm shows how military and espionage techniques are now being used on U.S. citizens.
“There’s a lot of privacy concerns in something this widespread, and those concerns only increase if we have an intelligence agency coordinating with them,” said Andrew Crocker of the Electronic Frontier Foundation, which has filed a lawsuit seeking more details about the program and its origins.
The Marshals Service program is now the subject of congressional inquiries. The top Republican and Democrat on the Senate Judiciary Committee have raised concerns about possible invasion of privacy and legal oversight of the operations.
The head of the Senate Judiciary Committee, Charles Grassley, (R., Iowa) said the Justice Department must provide answers about its use of the technology, “including the legal authority agencies obtain prior to deploying these tools, the specific information they are giving to judges when requesting to use them, and what policies are in place to ensure the civil liberties of innocent Americans are protected.”
Concerns about how the Marshals Service use the equipment grew among some officials last year after an incident in the Sinaloa area of Mexico.
In that operation, several U.S. Marshals personnel were dressed as Mexican marines and carrying Mexican weapons as a Marshals plane circled overhead, searching for a suspect’s cellphone signal, according to people familiar with the operation.
As the men on the ground moved toward their target, they were fired on by drug cartel suspects, and one of the Americans was badly wounded and airlifted to a hospital.
The incident underscored for some law-enforcement officials the risks of such operations—that their personnel could be killed or possibly imprisoned while doing something that could be viewed as a crime in a foreign country.
People familiar with the work say the agency conducts such operations roughly every few months, though each one is based on specific intelligence and needs.
According to people familiar with the early years of the technology cooperation, the CIA and Marshals Service began field-testing one version of the device in 2004.
That device worked on AT&T and T-Mobile phones, as well as most cellphones in foreign countries.
As part of the joint work with the CIA, the Marshals Service received more than one of the devices at no cost. At the time, each unit had a price tag of more than $300,000, these people said.
In 2005, the CIA gave the Marshals Service technology to conduct “silent stimulation” of those types of cellphones, both for identifying them and, with a court order, intercepting the communications, these people said.
The following year, the CIA and Marshals Service began field testing a way of cracking a different cellphone system used widely in the U.S., giving them the ability to identify phones on the Verizon and Sprint/Nextel networks.
A Sprint spokeswoman declined to comment while the other phone companies didn’t respond to requests for comment.
In 2008, the CIA arranged for the Marshals Service to receive without charge one of the new devices, which were priced at about half a million dollars each, these people said.
That same year, the CIA and Marshals Service began field testing a new version of the device that would work against the next generation of cellphones, according to people familiar with the work.
FBI Demands Apple, Samsung And Google Weaken The Security/Encryption On All Phones, iPads, etc.
James Comey warns privacy protections could aid terrorists
James Comey, director of the Federal Bureau of Investigation, said Monday the country needs to have a “robust debate” about the use of message encryption by technology firms, warning that Islamic State militants and other terrorist groups could use this method to recruit “troubled Americans to kill people.”
Mr. Comey’s warnings, made in a blog post he wrote for the national security and legal blog Lawfare, come two days before he testifies on the matter to the Senate Intelligence Committee amid concerns from technology firms that the government could interfere with its security processes.
In June, a large coalition that includes tech firms wrote to President Barack Obama to voice concern about any new policy that would allow the government to weaken the security of encrypted text messages or emails.
“We appreciate that, where appropriate, law enforcement has the legitimate need for certain information to combat crime and threats,” said the June 8 letter, which was signed by trade groups whose members include Apple Inc. and Google Inc.
“However, mandating the weakening of encryption or encryption ‘work-arounds’ is not the way to address this need.”
Mr. Comey said Monday he is “worried we are talking past each other with respect to ‘going dark,’ ” referring to the idea that communications could be orchestrated in a way that makes them completely inaccessible to law enforcement.
“Universal strong encryption will protect all of us—our innovation, our private thoughts, and so many other things of value—from thieves of all kinds,” he wrote. “We will all have lock-boxes in our lives that only we can open and in which we can store all that is valuable to us. There are lots of good things about this.”
But he added that “there are many costs to this.” He said, for example, that it could mean law enforcement would be unable to track the communications of terrorist recruiters.
“There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption,” he wrote.
Technology companies have made great strides in the transmission of encrypted information.
Google reported that 80% of messages from its Gmail program to non-Gmail addresses were encrypted in the past month, up from around 75% a year ago.
Apple, meanwhile, has said it uses “end-to-end” encryption on its iMessage and FaceTime communications that is so secure even the company can’t decrypt these messages. Only the sender and receiver can obtain the content.
The extent to which the government is able to “work around” new encryption tools at technology companies is a closely held secret.
Many technology firms felt burned by some of the revelations made by former National Security Agency contractor Edward Snowden in 2013 about a number of U.S. spying programs that included efforts to sweep up the digital records of millions of Americans.
They have strongly opposed Mr. Comey’s warnings about the use of encryption, saying they provide a service to their customers that protects civil liberties.
Mr. Comey said Monday that this trade-off must be discussed in public.
“It may be that, as a people, we decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context, or that public safety folks will be able to do their job well enough in the world of universal strong encryption,” he wrote in his Lawfare blog post.
“Those are decisions Americans should make, but I think part of my job is make sure the debate is informed by a reasonable understanding of the costs,” Mr. Comey wrote.
StingRay Device Intercepts Cell Phone Calls On Most Any Network
When Daniel Rigmaiden was a little boy, his grandfather, a veteran of World War II and Korea, used to drive him along the roads of Monterey, California, playing him tapes of Ronald Reagan speeches.
Something about the ideals of small government and personal freedom may have affected him more deeply than he realized.
By the time Rigmaiden became a disaffected, punk-rock-loving teenager, everything about living in America disappointed him, from the two-party system to taxes.
“At that age, everybody’s looking for something to rebel against,” he tells me over Mexican food in Phoenix—where, until recently, he was required to live under the conditions of his parole.
“I thought, ‘I either have to fight the rigged system, or I have to opt out completely.’ ”
Rigmaiden is 35 and slender, quiet with a sardonic smile and thick shock of jet-black hair. Speaking softly and rapidly, he tells the story of how he evolved from a bottom-feeding Internet outlaw to one of the nation’s most prescient technological privacy activists.
Rigmaiden left home in 1999 after graduating high school and spent almost a decade knocking around college towns in California, living under a series of assumed names. “I didn’t want to be constrained by all the rules of society,” he says.
“It just didn’t seem real to me.” He’d spend weeks living in the woods, scrounging for food and water, testing his limits; then he’d find a place to crash for a while and make a little money on the Internet—first selling fake IDs, then moving on to more serious crimes.
In 2006 he wrote software to mine information from databases on the Internet—names, birthdates, Social Security numbers, and the employer identification numbers of businesses.
Then he filed fake tax returns, hundreds of them, collecting a modest refund with each.
He bought gold coins with cash, built a nest egg of about $500,000, and planned to move to South America when the time was right.
Then, in 2008, an FBI, IRS, and U.S. Postal Service task force grabbed Rigmaiden at his apartment in San Jose and indicted him on enough wire fraud and identity theft charges to put him away for the rest of his life.
Only after he was caught did the authorities learn his real name.
The mystery, at least to Rigmaiden, was how they found him at all. He’d been living completely off the grid. The only thing connecting him to the world outside his apartment, he knew, was the wireless AirCard of his laptop.
To find him, he reasoned, the people who caught him would have had to pluck the signal from his particular AirCard out of a wilderness of other signals and pinpoint his location. To do that, they’d need a device that, as far as he knew, didn’t exist.
Rigmaiden made it his mission to find out what that device was. He was jailed but never tried; he slowed down the process by filing endless motions contesting his arrest, insisting he’d been essentially wiretapped without a warrant. In the prison library, he became a student of telecommunications.
Among the most important things he learned was that whenever a cell phone communicates with a cell tower, it transmits an International Mobile Subscriber Identity, or IMSI.
His AirCard, like a cell phone, had an IMSI. He reasoned that the government had to have a gadget that masqueraded as a cell tower, tricking his AirCard into handing over its IMSI, which was then matched up to the IMSI connected to all his online phony tax filings.
It was all inference, at first, but if it was true, that would be enough for him to make the case that what was done to his AirCard was an illegal search.
It took two years before Rigmaiden found the first real glimmer of proof. He was plowing through a stash of records the Electronic Frontier Foundation had unearthed in the files of the FBI’s Digital Collection System Network—the bureau’s technological communications monitoring program—and noticed a mention of a Wireless Intercept and Tracking Team, a unit set up specifically for targeting cell phones.
He connected what he found there to an agenda he’d found from a city council meeting in Florida in which a local police department was seeking permission to buy surveillance equipment. The attachment gave the equipment a name: StingRay, made by Harris Corp.
The StingRay is a suitcase-size device that tricks phones into giving up their serial numbers (and, often, their phone calls and texts) by pretending to be a cell phone tower.
The technical name for such a device is IMSI catcher or cell-site simulator.
It retails for about $400,000. Harris and competitors like Digital Receiver Technology, a subsidiary of Boeing, sell IMSI catchers to the military and intelligence communities, and, since 2007, to police departments in Los Angeles, New York, Chicago, and more than 50 other cities in 21 states.
The signals that phones send the devices can be used not just to locate any phone police are looking for (in some cases with an accuracy of just 2 meters) but to see who else is around as well.
IMSI catchers can scan Times Square, for instance, or an apartment building, or a political demonstration.
Rigmaiden built a file hundreds of pages thick about the StingRay and all its cousins and competitors—Triggerfish, KingFish, AmberJack, Harpoon. Once he was able to expose their secret use—the FBI required the police departments that used them to sign nondisclosure agreements—the privacy and civil-liberties world took notice.
In his own case, Rigmaiden filed hundreds of motions over almost six years until he finally was offered a plea deal—conspiracy, mail fraud, and two counts of wire fraud—in exchange for time served. He got out in April 2014, and his probation ended in January.
Now Rigmaiden is a free man, a Rip Van Winkle awakening in a world where cell phone surveillance and security is a battleground for everyone.
In the ongoing scrum over cell phone privacy, there are at least two major fields of play: phone-data encryption, in which, right now, Apple is doing its best not to share its methods with the government; and network security, in which the police and the military have been exploiting barn-door-size vulnerabilities for years.
And it’s not just the government that could be storming through. The same devices the police used to find one low-rent tax fraudster are now, several years later, cheaper and easier to make than ever.
“Anybody can make a StingRay with parts from the Internet,” Rigmaiden tells me, citing a long litany of experiments over the years in which researchers have done just that. “The service provider is never going to know. There’s never any disruption. It’s basically completely stealth.”
In the coming age of democratized surveillance, the person hacking into your cell phone might not be the police or the FBI. It could be your next-door neighbor.
In February, on a snowy morning in Annapolis, Md., a panel of three judges is hearing arguments in the first StingRay case to make it to an appeals court. It’s the case of Kerron Andrews, a 25-year-old man arrested two years ago in Baltimore for attempted murder.
His court-appointed lawyer did what a lot of court-appointed lawyers in Baltimore have been doing in recent years: Inspired by the Rigmaiden case, she contested his arrest on Fourth Amendment grounds, arguing that the technology used to apprehend the suspect was not specified in the court order allowing the police to search for him at a particular house.
At first, prosecutors said they could not confirm that any technology was used at all—those nondisclosure agreements have kept more than one police department quiet—but eventually they conceded that the police found Andrews with a Hailstorm, a next-generation version of the StingRay, also built by Harris.
When a judge tossed out most of the evidence in the case, the state appealed, making Maryland v. Andrews the first IMSI catcher case to potentially make sweeping case law at the appellate level.
During arguments, at least two of the three appellate judges on the panel appear skeptical of the state’s case. Judge Daniel Friedman seems exasperated that the police and prosecutors didn’t seem to understand the Hailstorm well enough to know if it was intruding on the privacy of suspects.
Judge Andrea Leahy suggests that this case fits tidily into the Supreme Court’s 2012 decision USA v. Jones, which ruled that the police could not install a GPS device on someone’s car without a warrant. “Wiretaps require warrants,” she says.
Then Daniel Kobrin, the appellate lawyer representing Andrews, argues, in a way that would make Tim Cook proud, that Hailstorm violates everyone’s reasonable expectation of privacy. Unlike, say, the garbage you’d leave outside your house, Kobrin says, there’s nothing about a phone that is thought of as fair game for the police.
“When I have my phone and I’m walking down the street, I’m not telling my phone to let Verizon or Sprint or T-Mobile know where I am,” the lawyer says. “Phones are not tracking devices.
Nobody buys them for that reason. Nobody uses them for that reason.” A few weeks later, the panel would affirm the lower court’s decision to suppress evidence seized as a result of the use of the Hailstorm.
Soon, Maryland may have to go the way of Washington state and require explicit language in its warrants about the use of any cell-site simulator to catch clients.
Watching the proceedings from the gallery is Christopher Soghoian, the principal technologist for the American Civil Liberties Union.
He, even more than Rigmaiden, may be the person most responsible for exposing the vulnerability of the telecommunications system to surveillance and goading the states, one by one, to regulate its use.
A bearded, long-haired Ph.D. from Indiana University, Soghoian has been raising the alarm about the StingRay for five years—ever since he got a message sent by Rigmaiden from prison saying he could prove the police hacked his phone.
“I remembered seeing it in The Wire,” Soghoian says, “but I thought that was fictional.”
(Phone-tracing gadgets are a television staple, also popping up in Homeland.) Soghoian’s colleagues educated dozens of public defenders in Maryland about the police’s favorite toy; in one case last summer, a detective testified that the Baltimore police have used a Hailstorm some 4,300 times.
“That’s why there are so many StingRay cases in Baltimore,” Soghoian tells me. “Because the defense lawyers were all told about it.”
Harris is a publicly traded Florida-based defense contractor with a $9.7 billion market cap and 22,000 employees. In the 1970s, Harris built the first secured hotline between the White House and the Kremlin; later it branched out into GPS, air traffic management, and military radios.
Harris’s first visible foray into cell-site simulation was in 1995, when the FBI used the Harris-made Triggerfish to track down the notorious hacker Kevin Mitnick, who, in his time, seized proprietary software from some of the nation’s largest telecom companies.
The StingRay arrived a few years later—an update of Triggerfish designed for the new digital cellular networks. The first clients were soldiers and spies.
The FBI loves IMSI catchers—“It’s how we find killers,” Director James Comey has said—even if last fall, under pressure after Rigmaiden’s case and others became public, the Justice Department announced that the FBI would, in most cases, need warrants before using them.
Most local police departments, though, still aren’t bound by that directive. Neither are foreign governments, which are widely suspected to be using IMSI catchers here (as we are no doubt doing elsewhere).
And so, amid the publicity over the StingRay, a marketplace has opened up for countermeasures. On the low end, there’s SnoopSnitch, an open source app for Android that scans mobile data for fake cell sites.
On the high end, there’s the CryptoPhone, a heavily tricked-out cell phone sold by ESD America, a boutique technology company out of Las Vegas.
The $3,500 CryptoPhone scans all cell-site signals it’s communicating with, flagging anything suspicious. Even though the CryptoPhone cannot definitively verify that the suspect cell is an IMSI catcher, “we sell out of every CryptoPhone we have each week,” says ESD’s 40-year-old chief executive officer, Les Goldsmith, who has marketed the phone for 11 years.
“There are literally hundreds of thousands of CryptoPhones globally.”
ESD’s dream clients are nations. Last year the company debuted a $7 million software suite called OverWatch, developed with the German firm GSMK. OverWatch, ESD says, can help authorities locate illegal IMSI catchers using triangulation from sensors placed around a city. “Right now, it’s going into 25 different countries,” Goldsmith says.
On a parallel track to the defense market, hobbyists and hackers have gone to work on the cell networks and found they can do a lot of what Harris can. In the early days of cell phones, when the signals were analog, like radio, DIY phone-hacking was a cinch.
Anyone could go to a RadioShack and buy a receiver to listen in on calls. Congress grew concerned about that and in the 1990s held hearings with the cellular industry.
It was an opportunity to shore up the networks. Instead, Congress chose to make it harder to buy the interception equipment.
The idea was that when digital mobile technology took hold, intercepting digital signals would be just too expensive for anyone to bother trying. That turned out to be more than a little shortsighted.
For as long as you’ve been using a phone on a 2G (also called GSM) network or any of its digital predecessors, your calls, texts, and locations have been vulnerable to an IMSI catcher.
In 2008 researcher Tobias Engel became the first to demonstrate a crude homemade IMSI catcher, listening to calls and reading texts on a pre-2G digital cell network.
Two years later, at a DEF CON hacking conference in Las Vegas, researcher Chris Paget monitored calls made on 2G with a gadget built for just $1,500.
What made it so cheap was “software-defined radio,” in which all the complicated telecommunications tasks aren’t pulled off by the hardware but by the software. If you couldn’t write the software yourself, someone on the Internet had probably already done it for you.
Phones now operate on more sophisticated 3G and 4G (also known as LTE) networks. In theory, IMSI catchers can pinpoint only the location of these phones, not listen to calls or read texts. But none of that matters if the IMSI catcher in question can just knock a phone call back down to 2G.
Enter Harris’s Hailstorm, the successor to StingRay. “It took us a while to stumble onto some documents from the DEA to see that the Hailstorm was a native LTE IMSI catcher,” the ACLU’s Soghoian says. “It was like, ‘Wait a second—I thought it’s not supposed to work on LTE. What’s going on?’ ”
They found a hint to the answer last fall, when a research team out of Berlin and Helsinki announced it had built an IMSI catcher that could make an LTE phone leak its location to within a 10- to 20-meter radius—and in some cases, even its GPS coordinates.
“Basically we downgraded to 2G or 3G,” says Ravishankar Borgaonkar, a 30-year-old Ph.D. who has since been hired at Oxford. “We wanted to see if the promises given by the 4G systems were correct or not.” They weren’t.
The price tag for this IMSI catcher: $1,400. As long as phones retain the option of 2G, calls made on them can be downgraded. And the phone carriers can’t get rid of 2G—not if they want every phone to work everywhere.
The more complex the system becomes, the more vulnerable it is.
“Phones, as little computers, are becoming more and more secure,” says Karsten Nohl, chief scientist at Security Research Labs in Berlin. “But the phone networks? They’re rather becoming less secure. Not because of any one action but because there’s more and more possibility for one of these technologies to be the weakest link.”
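The forced fallback to 2G described above is something a handset-side monitor can watch for. The following is an added example, not part of the original article and not the method used by SnoopSnitch or the CryptoPhone: a simplified heuristic over constructed serving-cell observations, in which the field names, thresholds and sample values are all assumptions.

```python
from dataclasses import dataclass

# Higher number = newer radio access technology (RAT).
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}


@dataclass(frozen=True)
class CellObs:
    """One serving-cell reading, as a baseband diagnostic log might expose it."""
    t: int         # seconds since start of capture
    rat: str       # "LTE", "UMTS" or "GSM"
    mcc: str       # mobile country code
    mnc: str       # mobile network code
    lac: int       # location / tracking area code
    cid: int       # cell identity
    rssi_dbm: int  # serving-cell signal strength

    @property
    def key(self):
        return (self.mcc, self.mnc, self.lac, self.cid)


def analyze(observations, known_cells, window_s=60, strong_dbm=-85):
    """Return (time, reason) findings for each change of serving cell.

    downgrade-to-2g:     the phone fell back to GSM within window_s seconds
                         although the newer-generation cell it left was still
                         strong, so ordinary coverage loss is unlikely.
    unknown-strong-cell: the new cell is absent from the baseline of cells
                         previously seen in this area, yet unusually strong.
    """
    findings = []
    prev = None
    for obs in observations:
        changed = prev is None or obs.key != prev.key
        if prev is not None and changed:
            fell_to_gsm = obs.rat == "GSM" and RAT_RANK[prev.rat] > RAT_RANK["GSM"]
            recent = obs.t - prev.t <= window_s
            if fell_to_gsm and recent and prev.rssi_dbm >= strong_dbm:
                findings.append((obs.t, "downgrade-to-2g"))
        if changed and obs.key not in known_cells and obs.rssi_dbm >= strong_dbm:
            findings.append((obs.t, "unknown-strong-cell"))
        prev = obs
    return findings


def high_confidence(findings):
    """Times at which both indicators fired together.

    Either indicator alone has benign causes (a newly installed tower, a
    genuine coverage hole), so only the combination is raised as an alert.
    """
    by_time = {}
    for t, reason in findings:
        by_time.setdefault(t, set()).add(reason)
    both = {"downgrade-to-2g", "unknown-strong-cell"}
    return sorted(t for t, reasons in by_time.items() if both <= reasons)


# Constructed baseline: cells this handset has previously seen at this location.
KNOWN_CELLS = {
    ("310", "260", 1201, 40011),
    ("310", "260", 1201, 40012),
    ("310", "260", 1201, 7001),   # legitimate 2G cell used for fallback
}

# Constructed sample log (not real captures).
SAMPLE = [
    CellObs(0,   "LTE", "310", "260", 1201, 40011, -80),
    CellObs(30,  "LTE", "310", "260", 1201, 40012, -78),
    # Sudden fall to an unseen, very strong 2G cell while LTE was healthy.
    CellObs(60,  "GSM", "310", "260", 9999, 123,   -55),
    CellObs(90,  "GSM", "310", "260", 9999, 123,   -54),
    CellObs(300, "LTE", "310", "260", 1201, 40011, -82),
    # Benign case: LTE had faded, and the phone fell back to a known 2G cell.
    CellObs(900, "LTE", "310", "260", 1201, 40012, -110),
    CellObs(930, "GSM", "310", "260", 1201, 7001,  -90),
]

if __name__ == "__main__":
    results = analyze(SAMPLE, KNOWN_CELLS)
    for t, reason in results:
        print(f"t={t}s {reason}")
    print("alerts at:", high_confidence(results))
```

As the article notes of the CryptoPhone, indicators like these flag a suspect cell without proving that it is an IMSI catcher.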
The device Borgaonkar’s team built is called a “passive receptor,” a sort of budget StingRay.
Instead of actively targeting a single cell phone to locate, downgrade to 2G, and monitor, a passive receptor sits back and collects the IMSI of every cell signal that happens by.
That’s ideal for some police departments, which, the Wall Street Journal reported last summer, have been buying passive devices in large numbers from KEYW, a Hanover, Md., cybersecurity company, for about $5,000 a pop.
One Florida law enforcement document described the devices as “more portable, more reliable and ‘covert’ in functionality.” If all you want to do is see who’s hanging out at a protest—or inside a house or church or drug den—these passive receptors could be just the thing.
A programmer I spoke with who has worked for Harris is of two minds about what the hobbyists are up to. “There’s a giant difference between do-it-yourself IMSI catchers and something like the Harris StingRay,” he says proudly. That said, he’s taken with how fast the amateurs are catching up.
“I’d say the most impressive leap is the advancement of LTE support on software-defined radio,” he says. “That came out of nowhere. From nothing to 2G took, like, 10 years, and from 2G to LTE took five years. We’re not there yet. But they’re coming. They’re definitely coming.”
You don’t have to look far to see what a world of cheap and plentiful IMSI catchers looks like. Two years ago, China shut down two dozen factories that were manufacturing illegal IMSI catchers.
The devices were being used to send text-message spam to lure people into phishing sites; instead of paying a cell phone company 5¢ per text message, companies would put up a fake cell tower and send texts for free to everyone in the area.
Then there’s India. Once the government started buying cell-site simulators, the calls of opposition-party politicians and their spouses were monitored. “We can track anyone we choose,” an intelligence official told one Indian newspaper.
The next targets were corporate; most of the late-night calls, apparently, were used to set up sexual liaisons.
By 2010 senior government officials publicly acknowledged that the whole cell network in India was compromised.
“India is a really sort of terrifying glimpse of what America will be like when this technology becomes widespread,” Soghoian says. “The American phone system is no more secure than the Indian phone system.”
In America, the applications are obvious. Locating a Kardashian (in those rare moments when she doesn’t want the media to locate her) is something any self-respecting TMZ intern would love to be able to do.
“What’s the next super Murdoch scandal when the paparazzi are using a StingRay instead of hacking into voicemail?” Soghoian says.
“What does it matter that you can build one for $500 if you can buy one for $1,500? Because at the end of the day, the next generation of paparazzi are not going to be hackers. They’re going to be reporters with expense accounts.”
Over coffee after court in Annapolis, Soghoian and I peruse the Alibaba.com marketplace on his smartphone. He types in “IMSI catcher,” and a list materializes. The prices are all over the place, as low as $1,800.
“This one’s from Nigeria. … This one’s $20,000. … This one’s from Bangladesh.” I note that the ones on sale here seem to work only on 2G, unlike the Hailstorm. “You can get a jammer for like 20 bucks,” Soghoian says. With that, you roll any call back to 2G. Pair the signal jammer with a cheap old IMSI catcher, and you’ve got a crude facsimile of a Hailstorm.
Every country knows it’s vulnerable, but no one wants to fix the problem—because they exploit that vulnerability, too. Two years ago, Representative Alan Grayson (D-Fla.) wrote a concerned letter to the Federal Communications Commission about cellular surveillance vulnerabilities.
Tom Wheeler, the former industry lobbyist who now runs the regulatory agency, convened a task force that so far has produced nothing.
“The commission’s internal team continues to examine the facts surrounding IMSI catchers, working with our federal partners, and will consider necessary steps based on its findings,” says FCC spokesman Neil Grace.
Soghoian isn’t optimistic. “The FCC is sort of caught between a rock and a hard place,” he says. “They don’t want to do anything to stop the devices that law enforcement is using from working. But if the law enforcement devices work, the criminals’ devices work, too.”
Unlike the battle between the FBI and Apple, the network-vulnerability struggle doesn’t pit public sector against private; it’s the public sector against itself.
From his apartment in central Phoenix, Rigmaiden consulted with the Washington state branch of the ACLU when it helped draft the state law requiring a warrant for the use of IMSI catchers.
He’s suing the FBI for more StingRay documents, and recently the court shook loose a few more. And now that his parole is over and he can travel, he’d like to lecture across the country about fighting surveillance.
“Everything that I thought was wrong back then is even worse today,” he says, chuckling softly. “The only thing that’s changed is now I’m going to do the other route—which is participate and do what I can to try to change it.”
As improbable a privacy standard bearer as Rigmaiden may be, his ability to draw inferences and connect dots proved useful once; maybe it will again. He has dug up the specs of some KEYW passive devices, and he sees no reason the big companies like Harris aren’t already miles beyond that now.
“Every beat cop, every police car on every police force is going to have one of these passive interceptors in the car or on their utility belt,” Rigmaiden says.
For surveillance to become truly democratized, he reasons, “it has to be as easy as installing an app on your phone. I think somebody somewhere would have to decide, I’m going to make this easy for people to do. And then they’d do it.”
He’s hardly alone in this view. “The next step for the technology is to go into the hands of the public, once it gets cheap enough,” says Jennifer Lynch, a staff attorney at the Electronic Frontier Foundation.
“Companies are always going to try to find new markets for their technologies. And there are lots of people who want to spy on their neighbors or their spouses or their girlfriends.”
Meanwhile, apart from IMSI catchers, a whole other vulnerability has been exposed: Companies such as Verint Systems and Defentek have produced devices that exploit a huge security hole in SS7 (short for Signaling System 7), the network that interconnects every cellular provider around the world.
Using SS7, researchers on laptops have been able to pinpoint the location of a particular cell phone anywhere in the world—and even intercept calls. The attacker does leave an IP address as a trace.
“But if that IP address leads somewhere like Russia or China,” says Tobias Engel, who cracked SS7 in a 2014 demonstration in Hamburg, “you really don’t know much more.” The industry lobbying group CTIA–The Wireless Association maintains that SS7 is more secure in America than in Europe.
“Outside the U.S., the networks are more fragmented, not as homogeneous,” says John Marinho, who runs the group’s cybersecurity working group.
One company, which has developed another multimillion-dollar software package, called Oversight, aimed at warding off SS7 attacks, disagrees. “That’s comical,” he says. “I can tell you we performed tests on U.S. carriers, and they’re just as vulnerable as anyone else.”
What fascinates Rigmaiden the most—and what sometimes makes him want to go live in the woods again—is how no matter what happens with Apple’s battle, the cell phone network problem may be with us for as long as there are networks.
“This isn’t something that can really be fixed,” he says. “It’s just built into the way communications work.
You can always zero into one signal among many signals, if you have enough data. You don’t need to hack anything—just analyze the signals in the air.”
The Latest Released Documents Concerning Cellphone Surveillance
Newly released documents show a group of federal agents using cellphone surveillance technology called some of their work “classified,” even though Justice Department officials have said that such methods are normal court-approved law enforcement, not spying or intelligence tactics.
The classified designation suggests a mingling of law enforcement with national-security and espionage work—two areas usually kept distinct in order to protect Americans’ privacy.
It also raises fears about the secrecy surrounding a form of digital surveillance that has drawn criticism from civil-liberties groups.
The documents were provided by the U.S. Marshals Service, an arm of the Justice Department, in response to a Freedom of Information Act request from the American Civil Liberties Union.
A Justice Department spokesman declined to comment. A Marshals spokesman didn’t respond to a request for comment.
The documents show the Marshals Service paid more than $10 million from 2009 to 2014 to buy machines known as cell-site simulators, also called Stingrays or “dirtboxes,” that scan surrounding cellphones to hunt for suspects.
The devices act as fake cellphone towers, pulling in the identifying information of cellphones within range as they search for a suspect’s phone.
The mechanism quickly disconnects from phones it isn’t seeking, but the process can briefly interrupt service for people whose phones are scanned, according to people familiar with the technology.
When the device does locate the suspect’s phone, the operator in the airplane can direct agents on the ground to a general area, where a similar, less-powerful device can more precisely track down the location of the cellphone.
The Wall Street Journal reported in 2014 that the Marshals use such devices mounted in small airplanes to scan large numbers of phones when they are searching for a fugitive.
The airborne devices, operated out of five airports in the U.S., can scan the technical identifying information of tens of thousands of phones per flight as they search for a suspect’s cellphone signal.
The Marshals have also conducted operations in Mexico using the airborne devices to catch high-value drug suspects. In one such operation in 2014, a Marshals inspector was shot in a gunfight with cartel suspects, according to people familiar with the matter.
The Journal has also reported that, according to people familiar with the work, the Marshals developed the surveillance technology with help from the Central Intelligence Agency.
Until 2015, federal law-enforcement officials refused to discuss details of the technology or its use. After the Journal and other media reported on the technology, Justice Department officials have defended its use as a legal method approved by judges and have said the Marshals aren’t engaged in spying or intelligence activity.
The new documents, however, show that within the Marshals’ Technical Operations Group, or TOG, some of the techniques are classified.
“Because much of the TOG’s capabilities, methods and resources are classified or are otherwise ‘law enforcement sensitive,’ this section sets forth only general guidelines, policies and procedures governing TOG’s function and role within the USMS,” according to an undated document titled, “Special Services and the Nature of Technical Operations.”
Classified information generally isn’t used in criminal trials, so it is notable that the Marshals, a law-enforcement organization, call some of their technology and techniques classified.
Nathan Freed Wessler, an ACLU lawyer, said the government should provide more information for the sake of transparency.
“The government has gone to great lengths to hide its surveillance activities from the public, thereby frustrating judicial oversight and democratic accountability,” he said.
“It should not be this difficult to uncover basic facts about surveillance programs that should have been voluntarily revealed to courts and subjected to public scrutiny.”
The House Oversight and Government Reform Committee has repeatedly complained the Justice Department is too secretive about its use of the technology.
It is possible that the document’s mention of classified capabilities is a reference to the agency’s work in Mexico and other countries, although the language refers to techniques, not operations.
“Law enforcement sensitive” is a legal term used to describe secret methods of police work that help gather evidence surreptitiously. Such secrecy is often used to protect the technology and methods by which agents use small listening devices, tap phone lines, or otherwise monitor suspects without being noticed.
Classified capabilities and resources are in a different category, referring to national-security secrets or espionage techniques, not police tactics.
A related document, titled “Security and Protection,” discusses the degree to which the Marshals want to protect their methods from becoming known to the public, and by extension, to suspects.
“The compromise of those techniques may later become necessary to the production of evidence and successful prosecution at trial,” the document states. “It is imperative that investigators understand that they must minimize, to the greatest extent legally possible, any testimony by TOG personnel or the disclosure of TOG techniques throughout the judicial process.”
Last year, the Justice Department said it was creating new legal safeguards on its use of the technology, including a requirement that agents get a search warrant when using the devices.
The policy has a number of exceptions, however, including that the new restrictions don’t apply to Justice Department operations outside the U.S.
Monty Henry, Owner