Something’s Fishy With Your Cellphone

image courtesy of Seattle Municipal Archives

In the United States, there are somewhere in the neighborhood of 325 million cellular devices in use (15), comprising phones, tablets, notebooks, hotspots, and, most recently, vehicles. We are generating a lot of data on these devices, and these devices are generating a lot of data—about us. At any given point in time and geography, there is a chance that that data generated by your devices is being captured and analyzed. How much of a chance? We don’t know.

THE BASICS

The process is made possible using a device most commonly called a StingRay, sold by Harris Corporation headquarted in Melbourne, Florida. (Some names of the company’s similar devices are AmberJack, KingFish, Harpoon, and RayFish; for simplicity, I’ll refer to all of them as StingRay, because the purpose of each device is the same: to capture data about mobile device and their users.) The StingRay is a mobile device that presents itself to cellular devices as a cell tower. Today most of these devices are used in a police surveillance vehicle, but that’s starting to change, as you’ll see later. The device inside the vehicle communicates with antennas on the police vehicle, which determine the distance and direction of the targeted device in relation to the StingRay and in relation to other cell towers. (1)

image courtesy of Pug50

You would expect that when a call is active on your phone, it would be constantly seeking out the nearest tower. However, in anticipation of activity, mobile devices are doing that constantly. Because the StingRay presents itself as a cell tower, your phone will connect to it when it is nearby, and certain data will be routed through the StingRay just as it would a cell tower. The device and its associated software collect data from all the cellular devices that connect to it. The data is then relayed to a connected computer, which displays the collected data and translates it for the operators of the device. At that point, the traffic is passed on to the cell tower, and the user of the phone never knows. (1)

image courtesy of miheco

When I spoke of the data collected, what exactly would that be? Specifically, your phone has an identifier, but I was not able to find out if that would be the phone’s serial number or its MAC address; both of those are unique identifiers. Whichever it is, it is collected, along with the telephone number for all connecting devices, and all telephone numbers dialed out to other devices, including those for text messages. The approximate location of the phone as determined using the antennas on the vehicle is also captured. At this time, law enforcement sources have said that the StingRay device as sold to law enforcement (police departments) is not configured to intercept the contents of calls and text messages.

THE TECHNOLOGY

At the Black Hat conference in 2011, Mike Tassey and Richard Perkins demonstrated their Wireless Areal Surveillance Platform (WASP). As far as we know, it was a proof-of-concept exercise that has not been mass-replicated. It was a prototype of a device that is capable of quite a bit of data mining. It is very significant that a device that cost no more to build than $6,200 was proven capable of wireless network sniffing and cracking, cell tower spoofing, cell phone tracking and call interception, data exfiltration (taking data out of its intended environment), and video surveillance. (10)

Harris’s StingRay costs considerably more than that, so it is reasonable to assume that the device build by Tassey and Perkins lacked some important capability or durability that exists in the StingRay. Some of Harris’s other devices can be used to conduct Denial-of-Service attacks on cell phones, monitor voice traffic, and amplify the range and power of the activity of the StingRays (7).

image courtesy of olympiacopwatch

Your cell phone will communicate with the tower using the latest and best protocol of which it is capable. Most current phones sold in the United States use at least 3G signals, and of course the newest ones use 4G. 3G and 4G communications are much more secure than the older 2G (EDGE network and networks that emerged around the same timeframe). When you are traveling and your phone can’t find a 3G or 4G network, if there is a 2G signal available, it will drop to the 2G network signal. On that signal, your handset or device will readily accept communication from some other device that is calling itself a cell tower (4). Carrier cell towers have certain names that your phone or other mobile devices recognize; rogue towers don’t have names in the range of recognizeability (14). The StingRay jams 3G and 4G signals, forcing nearby phones to use the less-secure 2G signal. Law enforcement agencies are beginning to get a little nervous because mobile carriers are planning shutdowns of the 2G network; AT&T is planning to shut its 2G network down in 2017 (4). I was unable to find out how exactly this will affect StingRay devices. Unless the phone receives some firmware update, it may still accept the 2G drop if the 3G and 4G signals are jammed, but as the agencies are scrambling to acquire updated hardware to replace the existing StingRay devices, there must be something that will stop working as these networks get shut down. Newer networks are still susceptible to location tracking, but not to the other forms of interception and data collection (4).

Harris isn’t the only company in this space. Other firms producing devices of this type include Verint, View Systems, Altron, Neo Soft, MMI, Ability, and Meganet (23). Meganet’s VME Dominator—available for sale only to government agencies—can capture calls and texts, can send text messages, and can even control the phone (14).

However, these companies’ offerings can only trace GSM/UMTS-based communications. The Harris devices can track CDMA2000, GSM, iDEN, and UMTS-based signals. Harris’s StingRay and KingFish can support up to three different signal types without requiring reconfiguration. (23)

If land-based collection isn’t getting the job done, Boeing’s Digital Receiver Technology (DRT for short) division is putting similar capability in the air. They’re called DiRTboxes, and they are very similar to the StingRay devices, mounted in Cessna planes. However, because planes move faster, the signal strength is greater and more data from untargeted phones as well as targeted phones can be collected. (24) A single flight might provide data and general location information on tens of thousands of phones. Unlike StingRays, DiRTboxes can interrupt calls, and the newer versions of the devices can even also jam signals and even scrape rich data like text messages and photos. (1)

All of these boxes work by exploiting the fundamental structure shared by all cell networks, and, most disturbing of all, no level of encryption is able to prevent collection at the 2G level. (1)

WHO USES THESE DEVICES?

There is no shortage of agencies interested in gaining this type of information. We know the FBI is using it, and sources suspect all of the three-letter federal-level investigative agencies are as well. Documentation confirms that at least 25 different local and state police departments from Florida to Alaska are using it. Many of these purchases have been made with federal grants from the Department of Homeland Security aimed at protecting cities from terror attacks, but we are finding that they are being used for far broader police work. (1)

The ACLU has produced a map showing which states have agencies using StingRay devices. Right-click on this link and select “Open in a new tab.” (18)

The city of Tacoma, Washington is seeking to upgrade its StingRay device to Harris’s newer and more capable HailStorm, which will be combined with data analysis software from various vendors. The HailStorm enables 4G LTE phone tracking (12). It also reportedly has the capability to capture cellphone conversations, but Harris says it does not include that functionality in the units it sells to local law enforcement agencies. Tacoma’s purchase and use seems to have had both positives and negatives. City Council members were not really aware of the technology they were approving. However, it does appear that the city is taking care to follow the rules of engagement when deploying the device. The police department was asked to produce documentation showing how the device has been used. Since 2009, they showed 168 cases where police sought judicial permission for surveillance using StingRays. In that same period of time, it was used 10 times under Emergency Orders, which do not require a court order or a search warrant. In those cases, StingRays were used to find people involved in the killing of four police officers, kidnappings, and people suspected of child prostitution (12).

Chesterfield, Virginia, has units that were purchased through grants to law enforcement agencies that were made possible by a multi-million-dollar settlement with Abbot Labs for Medicaid fraud. City officials say that their devices are only ever used with judicial oversight—that is, search warrants or court orders. They also state that they never record, keep, or share the information regarding non-targeted devices. The city was warned previously about possible repercussions for using license plate readers carelessly, so it appears they are following the letter of the law on this technology (6).

Baltimore, Maryland has used HailStorm devices 4,300 times since 2007. 4,300 times!! However, unlike Tacoma and Chesterfield, the Baltimore PD has been encouraged to dismiss charges rather than divulge details about the program. (5)

In Harris’s home state, the American Civil Liberties Union has suspected for a long while that Harris has been loaning its products to police departments for promotion and testing. Court documents in a 2008 case show that “the Tallahassee Police Department is not the owner of the equipment.”

Pontiac, Oakland County, Michigan has the only device in Michigan, and it was purchased with Homeland Security money (11).

The DRT planes are operated by the US Marshals Service, which often loans them out to local law enforcement and other agencies (19).

WHY IS IT BEING USED/HOW IS IT JUSTIFIED?

It’s not difficult to understand why law enforcement and other agencies would want these devices, and how they could be very useful in solving crimes, tracking fugitives or abducted children, and possibly foil terror attacks (the most common reason for DHS grants to local police agencies). (1) As reporter Joel Hruska described it, “Say a murder occurs on a particular street with an estimated time of death between 2 and 4 am. Local law enforcement would have an obvious interest in compelling cell phone companies to turn over the records of every cell phone that moved in and out of the area between those two time periods. [Author’s note: this is called a “cell tower dump, and it’s quite common, but requires a court order or a search warrant.] At rush hour, this kind of information would be useless – but if the cell phone network data shows a device in the same approximate area as the murder suddenly leaving the area at a high rate of speed, that cell phone owner is a potential suspect.” (7) I can see, certainly how that would be true; but in order for the device to be useful in this case, the StingRay would already need to be in place.

When Miami-Dade Police bought their StingRay, they told the City Council they needed it to monitor protestors at an upcoming World Trade conference (6), and that purpose is in itself problematic.

When Tacoma made its purchase, it was mostly funded with a Homeland Security grant. The police department indicated that the technology would be useful to its Explosive Ordinance detail. But the department’s records offer no indication as to how many explosive devices were disarmed, or even detected, using it. (3)

THE THORNS

If you’ve never heard of StingRays or HailStorms or KingFish, that’s by design. These devices were originally developed for use by the military and by spy agencies. Harris Corp. itself does not answer any questions about the devices, but refers reporters to police agencies. That is not very useful, as Harris requires its customers to sign a non-disclosure agreement. (1) Agreements of that type are not uncommon, but they are usually required when a product is placed for testing or during the development process.

You can read one example of this agreement by clicking on this link and selecting “Open link in new tab.”

Law enforcement agencies have fought hard to keep from talking about the devices, and it was almost by accident that word is starting to get out. In a case of sexual battery and petit theft, the victim’s purse was stolen. Her purse contained her cell phone. Using a StingRay, and without a warrant, investigators were able to track the phone to a particular apartment. They forced their way inside, searched, and found the purse—and the phone. The device was not mentioned during discovery, and when pressed by the defendant’s attorney during the trial, the investigators refused to disclose the method used to track the defendant to the apartment. The judge finally forced the disclosure of the surveillance technique, but only after the law enforcement agency insisted that the court be closed, and that the proceedings of the case be closed as well. The defendant appealed his conviction based on the legality of the surveillance and the search. The appellate case and the resulting opinion were not sealed, and that’s how we finally found out about StingRays. (22)

Freedom of Information Act requests on these devices and activities surrounding them has proved mostly fruitless. Much of the useful information gets redacted prior to release. The ACLU has been digging into a particular set of uses in Sarasota, Florida and found itself brickwalled by the US Marshalls Service. The ACLU had set up a meeting with the Sarasota Police Department to view its StingRay files, as is required by Florida law. An assistant city attorney sent an email to the ACLU cancelling the meeting. He stated that the USMS had deputized the local officer; therefore, the records generated by that officer were the property of the federal government, and the Sarasota PD had not the authority to release them (2).

At issue is not whether the devices should exist, or even whether they should be used, but under what conditions, and how they should be used. The largest question that needs addressed is one of Due Process. In a case in Arizona, the legality of a search was questioned because civil liberties advocates say that the government was not honest in its explanation to the judge regarding the StingRay’s true capabilities.(17) The Justice Department contends that the tracking warrant was nothing out of the ordinary (17), and that argument gets a lot of mileage. But that argument is based on a comparison of StingRay and similar devices to pen-register and trap-and-trace devices (23), and to see the differences, I’m going to quote directly from legal dictionaries for the definitions of those two technologies:

Pen register – a device that decodes or records electronic impulses, allowing outgoing numbers from a telephone to be identified.

Trap device – used to identify originating number from which the wire or electronic communications were transmitted.

Neither device enables recording or listening of actual communication. (13)

You’ve seen these technologies used in the movies, where they’re trying to find out who the mobster is calling, or when they’re tracing a kidnapper’s incoming call. Case law – Smith v. Maryland – holds that it is not unconstitutional to install a pen register without a warrant. However, federal law now requires a court order for it, based on an investigating offer’s declaration that the information is relevant to an ongoing investigation (13).

The FBI says a warrant is not required for the use of StingRay and similar devices, because they don’t collect the content of phone calls and text messages and operate like pen-registers and trap-and traces, collecting the equivalent of header information. Additionally, the US government and other law enforcement agency spokesmen have asserted that the use of StingRay devices does not violate Fourth Amendment rights, and Americans don’t have a legitimate expectation of privacy for data sent from their mobile phones and other wireless devices to a cell tower. (21) “We’re not infringing on their rights, “[Richland, SC Sheriff Leon] Lott said, “When they use that phone, they understand that information is going to a tower.” (1) What we understand, though, is that the information is going to a tower owned and operated by a carrier with whom we have a contract for service. That information is not going out onto public airwaves to be picked up by the general population. An appropriate comparison is an agency setting up a blue box with the Postal Service logo on it, and a lot of people drop their mail into it. By monitoring the box and its contents over time they can determine if their target is in the immediate area during a given point in time. The agency looks at all the senders and recipients on each piece of mail, hoping to find one sent by their target. The agency’s fake box is also collecting pieces of mail being sent by people other than their target, and the agency has the capability to record or note non-targets sending mail to other recipients. Senders are not tossing their mail up into the air or leaving it out in the open for anyone to look at, they are depositing it into a receptacle that is trusted and chartered to deliver mail, and we all understand that tampering with the mail is a punishable offense.

It seems, also, that the city officers in Tacoma do not see the need for oversight of the police department’s actions. City Manger TC Broadnax told reporters, “I’m not in law enforcement, but it’s my impression that it assists them in doing their job more effectively, and that’s to protect the public.” Mayor Marilyn Strickland said, “If our law enforcement needs access to information to prevent crime or keep us safe, that’s a legitimate use of the technology. We are more focused on preventing crime and keeping our community safe than getting in people’s business.” The problem with that position is that these devices do not have the capacity to prevent crime or keep the community safe. They can catch the bad guys after the fact, but only well-known, widespread, real-time surveillance would have the effect the Mayor is hoping for. It also appears full disclosure of the equipment purchase was not part of Tacoma’s purchasing process. As Councilman David Boe put it, “I’ve got to find out what I voted on before I comment.” (3)

In the wake of the Snowden/Prism revelations, those whom we trust to protect us from overzealous intrusion appear to be taking this pretty seriously. In 2012 a magistrate judge in Texas refused to grant the federal Drug Enforcement Agency permission to use a StingRay, partly because the agency did not explain what the government would do with the cell phone numbers of innocent people and other information recorded on the equipment (12). In an affidavit submitted to court, the FBI disclosed that its policy requires agents to purge all data stored in the surveillance tool at the conclusion of an operation, so that the FBI is not collecting information about individuals who are not the subject of criminal or national security investigations. Government is telling a court for the first time that spoofing a legitimate wireless tower in order to conduct surveillance could be considered a search under the Fourth Amendment in the Arizona case, and that its use was legal, thanks to a court order and warrant that investigators used to get similar location data from Verizon’s own towers. (21) The unsettling part of the FBI policy covering StingRay use is that in addition to regular carve outs—immediate danger or tracking a fugitive—agency policy does not require judicial oversight in cases in which the technology is used in public places or other locations at which the FBI deems that there is no reasonable expectation of privacy (16).

The State Supreme Courts of Florida and Massachusetts have ruled that warrants are necessary for real-time cell phone tracking, and laws for the same have been passed in Colorado, Illinois, Indiana, Maryland, Tennessee, Utah, Virginia, and Wisconsin (9). It’s a start.

HOW CAN I KNOW IF IT’S BEING USED AROUND ME?

How would you know if this is occurring in your vicinity? ESD America develops and produces a phone called CryptoPhone500. It’s a pricey device (the developer wouldn’t divulge the price, but a third party site indicated around $3,500) and it detects and alerts when the phone’s encryption has been turned off by someone other than the user. According to ESD’s Les Goldsmith, “If you’ve been intercepted, in some cases it might show at the top that you’ve been forced from 4G down to 2G.” As an alternative to his CryptoPhone, he suggests “burner phones” if you absolutely must not be tracked. (14)

image courtesy of Jeff Schuler

MY TAKEAWAY

Several times I have looked down at my phone and noticed that where the 4G LTE should have been, it indicated EDGE. This tells me that I can probably, if I’m diligent, know when my data is being passed to a phony tower. I’m not in the market for a very expensive phone. It is important to pay attention to judicial decisions regarding surveillance. The next generation of these devices is capable of not only capturing the phone’s identifying data, but the contents of those devices. The due process concept so carefully articulated in the Constitution of the United States is to protect us against fishing expeditions of the type made possible by these fish-named technologies. It’s up to us to make sure the people in decision-making capacities know what they’re deciding.

WORKS CITED

1. Campbell, Mikey. “DOJ reportedly spies on mobile phone owners using fake airplane-mounted cell towers.” Apple Insider. 23 November 2014. 9 June 2014.<http://appleinsider.com/articles/14/11/13/doj-reportedly-spies-on-mobile-phone-owners-using-fake-airplane-mounted-cell-towers>
2. Cushing, Tim. “US Marshals Step In to Keep Florida Police Department’s StingRay Documents Out of the Hands of the ACLU.” TechDirt. 4 June 2014. 4 June 2015. <https://www.techdirt.com/articles/20140604/08245927455/us-marshals-step-to-keep-florida-police-departments-stingray-documents-out-hands-aclu.shtml>
3. Cushing, Tim. “Washington Law Enforcement Hides StingRay Purchase and Use From Everyone, But It’s Okay Because They’re Fighting Crime.” Tech Dirt. 28 August 2014. 9 June 2014. <https://www.techdirt.com/articles/20140828/09564828349/washington-law-enforcement-hides-stingray-purchase-use-everyone-its-ok-because-theyre-fighting-crime.shtml>
4. Farivar, Cyrus. “Cities scramble to upgrade “StingRay” tracking as end of 2G network looms.” Ars technica. 1 Sept 2014. 4 June 2014. <http://arstechnica.com/tech-policy/2014/09/cities-scramble-to-upgrade-stingray-tracking-as-end-of-2g-network-looms/>
5. Gillum, Jack, and Linderman, Juliet. “Baltimore police often surveil cellphones amid US secrecy.” The Washington Times. 8 April 2015. 8 June 2015. <http://www.washingtontimes.com/news/2015/apr/8/baltimore-police-often-surveil-cellphones-amid-us-/?page=all#pagebreak>
6. Hinkle, A. Barton. “Cellphone Tracking Means They Can Hear You Now.” Reason.com. 18 August 2014. 4 June 2014. <http://reason.com/archives/2014/08/18/cellphone-tracking-means-they-can-hear-y>
7. Hruska, Josh. “Stingray, the fake cell phone tower cops and carriers use to track your every move.” Extreme Tech. 17 June 2014. 6 June 2015. <http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-tower-cops-and-providers-use-to-track-your-every-move>
8. Kelly, John. “Cellphone data spying: It’s not just the NSA.” USAToday.com 13 June 2014. 11 May 2015. <http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa-police/3902809/>
9. Kravets, David. “FBI says search warrants not needed to use ‘StingRays’ in public places.” Ars technica. 5 January 2015. 8 June 2015. <http://arstechnica.com/tech-policy/2015/01/fbi-says-search-warrants-not-needed-to-use-stringrays-in-public-places/>
10. Kumar, Sunny. “Wi-Fi, Phone Hacking Plane is Terrifying, Inspiring, and Wardriving Evolves Into Warflying.” H4XORIN’ T3H WORLD. 2011. 11 May 2015. <http://kingofdkingz99.blogspot.com/2011/08/wi-fi-phone-hacking-plane-is-terrifying.html>
11. Kurth, Joel. “Secret military device lets Oakland deputies track cell phones.” The Detroit News. 4 April 2014. 9 June 2015. <http://www.detroitnews.com/article/20140404/SPECIAL/304040043>
12. Martin, Kate. “Documents: Tacoma Police using surveillance device to sweep up cellphone data.” The News Tribune. 26 Aug 2014. 4 June 2014. <http://www.thenewstribune.com/2014/08/26/3347665_documents-tacoma-police-using.html?rh=1>
13. “Pen Register.” West’s Encyclopedia of American Law, edition 2. 2008. The Gale Group. 11 January 2005. 11 June 2015. <http://legal-dictionary.thefreedictionary.com/Pen+Register>
14. Rosenblum, Andrew. “Mysterious Phony Cell Towers Could be Intercepting Your Calls.” Popular Science. 27 August 2014. 6 June 2015. <http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-intercepting-your-calls>
15. Russia Today, youtube channel: https://www.youtube.com/watch?t=47&v=X84gRGgFBxk
16. Scola, Nancy. “Senators question FBI’s legal reasoning behind cell-tower spoofing.” The Washington Post. 2 Jan 2015. 8 June 2015. <http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/02/senators-question-fbis-legal-reasoning-behind-cell-tower-spoofing/>
17. Sledge, Matt. “Judge in StingRay Cell Tower Spoofing Case Puts Government on Notice.” Huffington Post, HuffPost Politics. 19 March 2013. 30 March 2015. <http://www.huffingtonpost.com/matt-sledge/judge-in-stingray-cell-to_b_2910635.html>
18. “Stingray Tracking Devices: Who’s Got Them?” American Civil Liberties Union. 9 June 2015. <https://www.aclu.org/map/stingray-tracking-devices-whos-got-them?redirect=maps/stingray-tracking-devices-whos-got-them>
19. Swanner, Nate. “US DOJ accused of stealing cellphone data via “dirtyboxes.” Slash Gear. 13 November 2014. 9 June 2015. <http://www.slashgear.com/us-doj-accused-of-stealing-cellphone-data-via-dirtyboxes-13355476/>
20. “Trap and Trace Device Law and Legal Definition.” US Legal.com. 11 June 2015. <http://definitions.uslegal.com/t/trap-and-trace-device/>
21. Zetter, Kim. “Feds’ Use of Fake Cell Tower – Did It Constitute a Search?” Wired. 30 March 2015. 3 June 2015. <http://www.wired.com/2011/11/feds-fake-cell-phone-tower/>
22. Zetter, Kim. “Florida Cops’ Secret Weapon: Warrantless Cellphone Tracking.” Wired. 3 March 2014. 8 June 2015. <http://www.wired.com/2014/03/stingray/>
23. Zetter, Kim. “Secrets of FBI Smart Phone Surveillance Tool Revealed in Court Fight.” Wired. 9 April 2013. 8 June 2015. <http://www.wired.com/2013/04/verizon-rigmaiden-aircard/all/>
24. Zetter, Kim. “The Feds are Now Using ‘StingRays’ in Planes to Spy on our Phone Calls.” Wired. 11 November 2014. 9 June 2015. <http://www.wired.com/2014/11/feds-motherfng-stingrays-motherfng-planes/>