Story 2014-07-27 3RY Meet the Stingray

by
in hardware on (#3RY)
Are you the proud owner of a snazzy, new smartphone? Thrilled with the convenience and utility of having this clever device in your pocket, connecting you to friends, colleagues, and information? Guess who else is excited about your purchase? Law enforcement. Meet the Stingray, essentially a honey pot, fake cell tower. Your phone connects to it, and you're done.
A stingray is a false cell phone tower that can force phones in a geographical area to connect to it. Once these devices connect, the stingray can be used to either hone in on the target’s location or, with some models, actually eavesdrop on conversations, text messages, and web browser activity. It’s not clear how much the police cooperate with the cell phone carriers on this — in at least some cases, the police have gone to carriers with requests for information, while in others they seem to have taken a brute-force approach, dumping the data of every single user on a given tower and then sorting it to find the parties they’re interested in tracking. Stingrays can be used to force the phone to give up its user details, making it fairly easy for the police to match devices and account holders.
[Ed. note: Time to give up your cellphone and go back to using public phone booths? Oh, wait …]
8 comments

NCIS LA (Score: 0)

by Anonymous Coward on 2014-07-28 06:21 (#2NY)

Inspired by a TV show... or demonstrated use of by the Bad Guys?

Higher level of user control reqd (Score: 2, Insightful)

by hyper@pipedot.org on 2014-07-28 06:24 (#2NZ)

Just another example of why users need root access to their device by default. Also a good case for inbuilt firewall and permissions denied by default.

Re: Higher level of user control reqd (Score: 3, Informative)

by kerrany@pipedot.org on 2014-07-28 20:29 (#2PB)

Last I looked (and I might be wrong, IANACellTowerEngineer), the software wouldn't matter. This is about the "nearest tower" being replaced with a virtually identical tower for a MITM attack. They're not only legal (for now), they're a hardware commodity. How do you think people get cell service inside a big metal office building? They put the hardware up at the location. It's even available as a rentable device - having a big event in the middle of nowhere and want cell access? Get a truck to come by and put up a mobile cell tower. The LEO version just happens to have an "oh, and also record everything that's going through this tower while you're transmitting" function, plus some software that lets them sort out the massive pile of unrelated data they've just sucked out of the air.

No, what we need is device-level end-to-end in-call encryption. Quite a few projects are working on this or have already implemented it; this is a known vulnerability that corporations and TLAs already attempt to address. (After all, if they can "sting" normal citizens, they need to make sure some foreign spy isn't doing it to them.) Encrypted phone calls are certainly possible, though expensive when I last looked into it, and were common years ago. Of course, that doesn't save you from the location triangulation problem - but then, better not to use cellphones at all if you're worried about being physically found.

Is this just now coming to people's attention somehow? Or have I missed something new about this story? This is a nice writeup, though, kudos for that. I guess it's good that the issue is getting more attention no matter what - this sort of thing needs to end.

Re: Higher level of user control reqd (Score: 1, Insightful)

by Anonymous Coward on 2014-07-29 01:15 (#2PG)

I'd even be happy if my phone had encrypted text communication out of the box. It's quite sad how far behind mobile is in security.

Re: Higher level of user control reqd (Score: 2, Insightful)

by zafiro17@pipedot.org on 2014-07-30 01:16 (#2PY)

I think the nature of the engineering is what's at fault - the design of the cell tower model lends itself too easily to this sort of thing, and though I'm not working in the industry, I suspect it would be nearly impossible to fix.

[Ed. note: Time to give up your cellphone and go back to using public phone booths? Oh, wait …] (Score: 2, Funny)

by stderr@pipedot.org on 2014-07-29 08:35 (#2PK)

... and people call me crazy for carrying around a carrier pigeon all the time.

I also got enough kindling wood to make a small fire in case I need to use smoke signals for some broad- or multicasting.

Wireless too? (Score: 1)

by reziac@pipedot.org on 2014-07-30 21:17 (#2QB)

When I use my cellphone, I usually check local wireless just to see what's around. Twice now I've encountered signals for open wireless named something like "FBI Surveillance Van". If it was seen at a given location all the time (as most are) I'd think it was someone being a smartass, but each time it was only in the neighborhood once.