An introduction to STINGRAY. One of the crazy cop toys you may have heard about.

Over the past few years you may have heard about the secretive device used by the FBI, DEA and various state and local law enforcement agencies called "StingRay". StingRay is essentially a portable fake cell phone tower that can be deployed anywhere to track people and to intercept data, messages and phone calls. Law enforcement have a standing policy to keep all details on StingRay hidden from the public, at almost any cost.

StingRays can come in many sizes, designed for a car, or plane; for small mobile deployments or large scale towers. There are even cases of StingRays that can be worn or carried by hand to assist in the short-range location of suspects.

Perhaps one of the more worrying uses of the StingRay is the practice of using it on a large aircraft flying over an entire city or across the country by the FBI and other law enforcement agencies. When using a plane or other large size StingRays they can intercept cell phone signals for entire cities.

It works by simulating a cell tower. When a cell phone detects this tower it attempts to connect to it and the device forwards the calls/texts/etc to another separate but real tower. This is known as a "Man in the middle" attack or MITM for short.

Man in the middle attacks work by intercepting and possibly even tampering with messages and data going in between two points.

For example:

When you turn on your cell phone to make a call, your phone will search for a tower to connect to. It will attempt to connect to whatever tower is closest. It will find the StingRay device (simulating an AT&T/Verizon/T-Mobile/etc. tower) and will make contact. The StingRay will accept the connection and route it to the nearest real tower.

In the meantime, it gets to intercept all data going back and forth and potentially tamper with it if desired by the StingRay operator.

/-\             /-----\        ( ( (  ------- ) ) )
| |             |Sting|                  |
| |   ------>   | Ray |  ----->          |
\-/   <------   \-----/  <-----      Cell|Tower

Outgoing call: Cell phone ----> StingRay ----> Real Cell Tower
Incoming call: Cell phone <---- StingRay <---- Real Cell Tower

All incoming and outgoing calls/data/messages are intercepted by the StingRay.

Many cell phones incorporate encryption to prevent such attacks, but the encryption used is very weak. Also, most phones include a "rollback" feature which allows the cell phone to revert to its weakest form of encryption in order to function with old cell towers. This is the primary mechanism by which the StingRay operates. See this technical paper for additional information:

(Warning: Clearnet PDF) http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf

Once the encryption is broken, it's a trivial matter to intercept all calls and messages sent and received by the cell phone.

Another troubling way StingRay can be used is to identify members of a protest or group. Imagine being with a group of people protesting a new law, or protesting police brutality. Meanwhile, the identities of everyone in the crowd at the time are being recorded by StingRay and could be added to a "Watch List".

How can I protect myself?

At this time, there are no foolproof, easily deployable ways to deal with this. That being said, there are a few options...

  1. If you don't need to use your cell phone, turn it off. Leave it at home. Or turn it to Airplane mode. This will disconnect it completely from the cell phone networks and any StingRay devices.

  2. If you accept that you can be physically tracked while the phone is ON, but don't want someone to be able to listen in on your phone calls or text messages, use encrypted programs like:

     ChatSecure - https://chatsecure.org/
     RedPhone - https://whispersystems.org/

  3. Use experimental software like Android IMSI-Catcher Detector. This is highly experimental and may not work as you expect. But it's leading the way (at the time this article was written) in software detection of StingRay devices and other major security issues with modern smart phones. It's worth having a look, but understand it is not 100% and may not work.

Android IMSI-Catcher Detector: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
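
One way detection software could flag the forced "rollback" and the unfamiliar tower described above, as an added example that is not part of the original post and is not Android IMSI-Catcher Detector's own code. The record fields, the baseline of known cells and the sample log are constructed assumptions; how a phone obtains the serving-cell and cipher values is outside the example.

```python
# Added example: field names, baseline and sample records are constructed assumptions.
RAT_RANK = {"GSM": 0, "UMTS": 1, "LTE": 2}                  # higher = newer generation
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}  # A5/0 means no encryption

def flag_observations(observations, known_cells):
    """Return (timestamp, reason) alerts for time-ordered serving-cell records."""
    alerts, prev = [], None
    for obs in observations:
        ts, rat, cipher = obs["ts"], obs["rat"], obs["cipher"]
        # A serving cell that was never seen in the local baseline.
        if (obs["lac"], obs["cell_id"]) not in known_cells:
            alerts.append((ts, "unknown-cell"))
        # GSM session with encryption switched off entirely.
        if rat == "GSM" and cipher == "A5/0":
            alerts.append((ts, "unencrypted"))
        if prev is not None:
            # Phone pushed from a newer generation to an older one.
            if RAT_RANK[rat] < RAT_RANK[prev["rat"]]:
                alerts.append((ts, "rat-downgrade"))
            # Still on GSM, but the negotiated cipher got weaker.
            if (rat == "GSM" and prev["rat"] == "GSM"
                    and CIPHER_RANK[cipher] < CIPHER_RANK[prev["cipher"]]):
                alerts.append((ts, "cipher-downgrade"))
        prev = obs
    return alerts

KNOWN_CELLS = {(101, 5001), (101, 5002)}  # constructed baseline of (LAC, cell ID)

SAMPLE_LOG = [  # constructed records, oldest first
    {"ts": "10:00", "rat": "LTE", "lac": 101, "cell_id": 5001, "cipher": None},
    {"ts": "10:05", "rat": "LTE", "lac": 101, "cell_id": 5002, "cipher": None},
    {"ts": "10:06", "rat": "GSM", "lac": 999, "cell_id": 42, "cipher": "A5/1"},
    {"ts": "10:07", "rat": "GSM", "lac": 999, "cell_id": 42, "cipher": "A5/0"},
    {"ts": "10:20", "rat": "LTE", "lac": 101, "cell_id": 5001, "cipher": None},
]

if __name__ == "__main__":
    for ts, reason in flag_observations(SAMPLE_LOG, KNOWN_CELLS):
        print(ts, reason)
```

A drop to GSM on its own also happens in ordinary weak coverage, so the alerts mean more when several fire together on the same cell, as they do at 10:06 and 10:07 in the sample.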


Comments


[40 Points] Febbraio2468:

I heard one of these killed Steve Irwin.


[10 Points] meesohorny76532:

What's the point of this? I thought the telcos were logging everyone's texts, voicemails, pictures, contacts and locations anyways as part of their normal operation. Why couldn't LEO just request all of that from them?


[2 Points] heapofjelly:

The point is that you don't need a court order or permission from the telco to use a Stingray to gather full voice/text/data from cellphones, any local law enforcement agency can set them up and eavesdrop at their leisure. They aren't supposed to though, so even though they can easily stomp on our civil rights without us ever knowing about it, they never would. After all, LE are famously ethical, right? :)

Anyone can set up a small scale stingray type device using a cheap cell booster though, which means that someone could be watching the watchers too, just not on the same enormous scale.


[2 Points] jseanbrooks:

Someone's been reading Rainbow Six I see


[2 Points] None:

It's illegal for me to do this. Why is it OK for the cops??


[2 Points] hacksec:

Update on Stingrays:

Law enforcement and the NSA must NOW get a warrant.

http://arstechnica.com/tech-policy/2015/09/fbi-dea-and-others-will-now-have-to-get-a-warrant-to-use-stingrays/