Meet the Stingray

by
in hardware on (#3RY)
story imageAre you the proud owner of a snazzy, new smartphone? Thrilled with the convenience and utility of having this clever device in your pocket, connecting you to friends, colleagues, and information? Guess who else is excited about your purchase? Law enforcement. Meet the Stingray, essentially a honey pot, fake cell tower. Your phone connects to it, and you're done.
A stingray is a false cell phone tower that can force phones in a geographical area to connect to it. Once these devices connect, the stingray can be used to either hone in on the target's location or, with some models, actually eavesdrop on conversations, text messages, and web browser activity. It's not clear how much the police cooperate with the cell phone carriers on this - in at least some cases, the police have gone to carriers with requests for information, while in others they seem to have taken a brute-force approach, dumping the data of every single user on a given tower and then sorting it to find the parties they're interested in tracking. Stingrays can be used to force the phone to give up its user details, making it fairly easy for the police to match devices and account holders.
[Ed. note: Time to give up your cellphone and go back to using public phone booths? Oh, wait "]

Re: Higher level of user control reqd (Score: 3, Interesting)

by kerrany@pipedot.org on 2014-07-28 20:29 (#2PB)

Last I looked (and I might be wrong, IANACellTowerEngineer), the software wouldn't matter. This is about the "nearest tower" being replaced with a virtually identical tower for a MITM attack. They're not only legal (for now), they're a hardware commodity. How do you think people get cell service inside a big metal office building? They put the hardware up at the location. It's even available as a rentable device - having a big event in the middle of nowhere and want cell access? Get a truck to come by and put up a mobile cell tower. The LEO version just happens to have a "oh, and also record everything that's going through this tower while you're transmitting" function, plus some software that lets them sort out the massive pile of unrelated data they've just sucked out of the air.

No, what we need is device-level end-to-end in-call encryption. Quite a few projects are working on this or have already implemented it; this is a known vulnerability that corporations and TLAs already attempt to address. (After all, if they can "sting" normal citizens, they need to make sure some foreign spy isn't doing it to them.) Encrypted phone calls are certainly possible, though expensive when I last looked into it, and were common years ago. Of course, that doesn't save you from the location triangulation problem - but then, better not to use cellphones at all if you're worried about being physically found.

Is this just now coming to people's attention somehow? Or have I missed something new about this story? This is a nice writeup, though, kudos for that. I guess it's good that the issue is getting more attention no matter what - this sort of thing needs to end.
Post Comment
Subject
Comment
Captcha
What is Steven's name?