July 31, 2020 | By Kim Zetter | The Intercept | Link
“How Cops Can Secretly Track Your Phone
“SINCE MAY, AS protesters around the country have marched against police brutality and in support of the Black Lives Matter movement, activists have spotted a recurring presence in the skies: mysterious planes and helicopters hovering overhead, apparently conducting surveillance on protesters. A press release from the Justice Department at the end of May revealed that the Drug Enforcement Agency and U.S. Marshals Service were asked by the Justice Department to provide unspecified support to law enforcement during protests. A few days later, a memo obtained by BuzzFeed News offered a little more insight on the matter; it revealed that shortly after protests began in various cities, the DEA had sought special authority from the Justice Department to covertly spy on Black Lives Matter protesters on behalf of law enforcement.
Although the press release and memo didn’t say what form the support and surveillance would take, it’s likely that the two agencies were being asked to assist police for a particular reason. Both the DEA and the Marshals possess airplanes outfitted with so-called stingrays or dirtboxes: powerful technologies capable of tracking mobile phones or, depending on how they’re configured, collecting data and communications from mobile phones in bulk.
Stingrays have been used on the ground and in the air by law enforcement for years but are highly controversial because they don’t just collect data from targeted phones; they collect data from any phone in the vicinity of a device. That data can be used to identify people — protesters, for example — and track their movements during and after demonstrations, as well as to identify others who associate with them. They also can inject spying software onto specific phones or direct the browser of a phone to a website where malware can be loaded onto it, though it’s not clear if any U.S. law enforcement agencies have used them for this purpose.
Although law enforcement has been using the technologies since the 1990s, the general public learned about them only in the last decade, and much about their capabilities remains unknown because law enforcement agencies and the companies that make the devices have gone to great lengths to keep details secret. Stingrays are routinely used to target suspects in drug and other criminal investigations, but activists also believe the devices were used during protests against the Dakota Access pipeline, and against Black Lives Matter protesters over the last three months. The Justice Department requires federal agents to obtain a probable cause warrant to use the technology in criminal cases, but there is a carve-out for national security. Given that President Donald Trump has referred to protesters as “terrorists,” and that paramilitary-style officers from the Department of Homeland Security have been deployed to the streets of Portland, Oregon, it’s conceivable that surveillance conducted at recent demonstrations has been deemed a national security matter — raising the possibility that the government may have used stingray technology to collect data on protesters without warrants.
To better understand the kind of surveillance that may be directed at protesters, here’s a breakdown of what we know and still don’t know about stingrays, and why their use is so controversial.
What is a stingray?
Stingray is the generic name for an electronic surveillance tool that simulates a cell phone tower in order to force mobile phones and other devices to connect to it instead of to a legitimate cell tower. In doing so, the phone or other device reveals information about itself and its user to the operator of the stingray. Other common names for the tool are “cell-site simulator” and “IMSI catcher.”
Why is it called a stingray?
The name stingray comes from the brand name of a specific commercial model of IMSI catcher made by the Florida-based Harris Corporation. That company’s StingRay is a briefcase-sized device that can be operated from a vehicle while plugged into the cigarette lighter. Harris also makes products like the Harpoon, a signal booster that makes the StingRay more powerful, and the KingFish, a smaller hand-held device that operates like a stingray and can be used by a law enforcement agent while walking around outside a vehicle. About a dozen other companies make variants of the stingray with different capabilities. The surveillance equipment is pricey and often sold as a package. For example, in documents obtained by Motherboard in 2016, Harris offered a KingFish package that cost $157,300 and a StingRay package that cost $148,000, not including training and maintenance. Documents obtained this year by the American Civil Liberties Union indicate that Harris has upgraded the StingRay to a newer device it calls a Crossbow, though not a lot of information is known about how it works. Separately, a classified catalog of surveillance tools leaked to The Intercept in 2015 describes other similar devices.
StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla.
Photo: U.S. Patent and Trademark Office via AP
How does the stingray work?
Phones periodically and automatically broadcast their presence to the cell tower that is nearest to them, so that the phone carrier’s network can provide them with service in that location. They do this even when the phone is not being used to make or receive a call. When a phone communicates with a cell tower, it reveals the unique ID or IMSI number (International Mobile Subscriber Identity) associated with the SIM card in the phone. The IMSI number identifies that phone and its owner as a paying customer of a cell carrier, and that number can be matched by the carrier to the owner’s name, address, and phone number.
A stingray masquerades as a cell tower in order to get phones to ping it instead of legitimate cell towers, and in doing so, reveal the phones’ IMSI numbers. In the past, it did this by emitting a signal that was stronger than the signal generated by legitimate cell towers around it. The switch to 4G networks was supposed to address this in part by adding an authentication step so that mobile phones could tell if a cell tower is legitimate. But a security researcher named Roger Piqueras Jover found that the authentication on 4G doesn’t occur until after the phone has already revealed its IMSI number, which means that stingrays can still grab this data before the phone determines it’s not communicating with an authentic cell tower and switches to one that is authenticated. That vulnerability still exists in the 5G protocol, says Jover. Though the 5G protocol offers a feature that encrypts the IMSI when it’s disclosed during pre-authentication communication, law enforcement would simply be able to ask phone carriers to decrypt it for them. And a group of researchers from Purdue University and the University of Iowa also found a way to guess an IMSI number without needing to get a carrier to decrypt it.
Because a stingray is not really a tower on the carrier’s network, calls and messages to and from a phone can’t go through while the phone is communicating with the stingray. So after the stingray captures the device’s IMSI number and location, the stingray “releases” the phone so that it can connect to a real cell tower. It can do this by broadcasting a message to that phone that effectively tells the phone to find a different tower.
What can law enforcement do with the IMSI number?
Law enforcement can use a stingray either to identify all of the phones in the vicinity of the stingray or a specific phone, even when the phones are not in use. Law enforcement can then, with a subpoena, ask a phone carrier to provide the customer name and address associated with that number or numbers. They can also obtain a historical log of all of the cell towers a phone has pinged in the recent past to track where it has been, or they can obtain the cell towers it’s pinging in real time to identify the user’s current location. By catching multiple IMSI numbers in the vicinity of a stingray, law enforcement can also potentially uncover associations between people by seeing which phones ping the same cell towers around the same time.
If law enforcement already knows the IMSI number of a specific phone and person they are trying to locate, they can program that IMSI number into the stingray and it will tell them if that phone is nearby. Law enforcement can also home in on the location of a specific phone and its user by moving the stingray around a geographical area and measuring the phone’s signal strength as it connects to the stingray. The Harris StingRay can be operated from a patrol vehicle as it drives around a neighborhood to narrow a suspect’s location to a specific cluster of homes or a building, at which point law enforcement can switch to the hand-held KingFish, which offers even more precision. For example, once law enforcement has narrowed the location of a phone and suspect to an office or apartment complex using the StingRay, they can walk through the complex and hallways using the KingFish to find the specific office or apartment where a mobile phone and its user are located.
Does the device only track mobile phones?
No. In 2008, authorities used a StingRay and a KingFish to locate a suspect who was using an air card: an internet-connectivity device that plugs into a computer and allows the user to get online through a wireless cellular network. The suspect, Daniel Rigmaiden, was an identity thief who was operating from an apartment in San Jose, California. Rigmaiden had used a stolen credit card number and a fake name and address to register his internet account with Verizon. With Verizon’s help, the FBI was able to identify him. They determined the general neighborhood in San Jose where Rigmaiden was using the air card so they could position their stingray in the area and move it around until they found the apartment building from which his signal was coming. They then walked around the apartment complex with a hand-held KingFish or similar device to pinpoint the precise apartment Rigmaiden was using.
What is a dirtbox?
A dirtbox is the common name for specific models of an IMSI catcher that are made by a Boeing subsidiary, Maryland-based Digital Receiver Technology — hence the name “DRT box.” They are reportedly used by the DEA and Marshals Service from airplanes to intercept data from mobile phones. A 2014 Wall Street Journal article revealed that the Marshals Service began using dirtboxes in Cessna airplanes in 2007. An airborne dirtbox has the ability to collect data on many more phones than a ground-based stingray; it can also move more easily and quickly over wide areas. According to the 2006 catalog of surveillance technologies leaked in 2015, models of dirtboxes described in that document can be configured to track up to 10,000 targeted IMSI numbers or phones.
Do stingrays and dirtboxes have other capabilities?
Stingrays and dirtboxes can be configured for use in either active or passive mode. In active mode, these technologies broadcast to devices and communicate with them. Passive mode involves grabbing whatever data and communication is occurring in real time across cellular networks without requiring the phone to communicate directly with the interception device. The data captured can include the IMSI number as well as text messages, email, and voice calls.
If that data or communication is encrypted, then it would be useless to anyone intercepting it if they don’t also have a way to decrypt it. Phones that are using 4G employ strong encryption. But stingrays can force phones to downgrade to 2G, a less secure protocol, and tell the phone to use either no encryption or use a weak encryption that can be cracked. They can do this because even though most people use 4G these days, there are some areas of the world where 2G networks are still common, and therefore all phones have to have the ability to communicate on those networks.
The versions of stingrays used by the military can intercept the contents of mobile communications — text messages, email, and voice calls — and decrypt some types of this mobile communication. The military also uses a jamming or denial-of-service feature that prevents adversaries from detonating bombs with a mobile phone.
In addition to collecting the IMSI number of a device and intercepting communications, military-grade IMSI catchers can also spoof text messages to a phone, according to David Burgess, a telecommunications engineer who used to work with U.S. defense contractors supporting overseas military operations. Burgess says that if the military knows the phone number and IMSI number of a target, it can use an IMSI catcher to send messages to other phones as if they are coming from the target’s phone. They can also use the IMSI catcher for a so-called man in the middle attack so that calls from one target pass through the IMSI catcher to the target phone. In this way, they can record the call in real time and potentially listen to the conversation if it is unencrypted, or if they are able to decrypt it. The military systems can also send a silent SMS message to a phone to alter its settings so that the phone will send text messages through a server the military controls instead of the mobile carrier’s server.
Can the devices be used to infect phones with malware?
Versions of the devices used by the military and intelligence agencies can potentially inject malware into targeted phones, depending on how secure the phone is. They can do this in two ways: They can either redirect the phone’s browser to a malicious web site where malware can be downloaded to the phone if the browser has a software vulnerability the attackers can exploit; or they can inject malware from the stingray directly into the baseband of the phone if the baseband software has a vulnerability. Malware injected into the baseband of a phone is harder to detect. Such malware can be used to turn the phone into a listening device to spy on conversations. Recently, Amnesty International reported on the cases of two Moroccan activists whose phones may have been targeted through such network injection attacks to install spyware made by an Israeli company.
U.S. law enforcement use of stingrays domestically is more curtailed, given that they, unlike the military, need to obtain warrants or court orders to use the devices in federal investigations. But there is little transparency or oversight around how the devices are used by federal agents and local police, so there is still a lot that is unknown: for example, whether they’ve ever been used to record the contents of mobile phone communications or to install malware on phones.
News stories suggest that some models of stingrays used by the Marshals Service can extract text messages, contacts, and photos from phones, though they don’t say how the devices do this. Documents obtained by the ACLU in 2015 also indicate such devices do have the ability to record the numbers of incoming and outgoing calls and the date, time, and duration of the calls, as well as to intercept the content of voice and text communications. But the Justice Department has long asserted publicly that the stingrays it uses domestically do not intercept the content of communications. The Justice Department has stated that the devices “may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III [wiretapping] order.”
As for jamming communications domestically, Dakota Access pipeline protesters at Standing Rock, North Dakota, in 2016 described planes and helicopters flying overhead that they believed were using technology to jam mobile phones. Protesters described having problems such as phones crashing, livestreams being interrupted, and issues uploading videos and other posts to social media.
Why are stingrays and dirtboxes so controversial?
The devices don’t just pick up data about targeted phones. Law enforcement may be tracking a specific phone of a known suspect, but any phone in the vicinity of the stingray that is using the same cellular network as the targeted phone or device will connect to the stingray. Documents in a 2011 criminal case in Canada showed that devices used by the Royal Canadian Mounted Police had a range of a third of a mile, and in just three minutes of use, one device had intercepted 136 different phones.
Law enforcement can also use a stingray in a less targeted way to sweep up information about all nearby phones. During the time a phone is connecting to or communicating with a stingray, service is disrupted for those phones until the stingray releases them. The connection should last only as long as it takes for the phone to reveal its IMSI number to the stingray, but it’s not clear what kind of testing and oversight the Justice Department has done to ensure that the devices release phones. Stingrays are supposed to allow 911 calls to pass through to a legitimate cell tower to avoid disrupting emergency services, but other emergency calls a user may try to make while their phone is connected to a stingray will not get through until the stingray releases their phone. It’s also not clear how effective the devices are at letting 911 calls go through. The FBI and DHS have indicated that they haven’t commissioned studies to measure this, but a study conducted by federal police in Canada found that the 911 bypass didn’t always work.
Depending on how many phones are in the vicinity of a stingray, hundreds could connect to the device and potentially have service disrupted.
How long has law enforcement been using stingrays?
The technology is believed to have originated in the military, though it’s not clear when it was first used in combat zones or domestically in the U.S. The earliest public mention of a stingray-like device being used by U.S. law enforcement occurred in 1994, when the FBI used a crude, jury-rigged version of the tool to track former hacker Kevin Mitnick; authorities referred to that device as a Triggerfish. In a case in Utah in 2009, an FBI agent revealed in a court document that cell-site simulators had been in use by law enforcement for more than a decade. He also said they weren’t just used by the FBI but also by the Marshals Service, the Secret Service, and other agencies. Recent documents obtained by the ACLU also indicate that between 2017 and 2019, the Department of Homeland Security’s Homeland Security Investigations unit has used stingrays at least 466 times in investigations. BuzzFeed News had previously obtained records showing that from 2013 to 2017, HSI had used the technology 1,885 times.
Aside from the potential for widespread surveillance, are there other problems with the technology?
The other controversy with stingrays involves secrecy and lack of transparency around their use. Law enforcement agencies and the companies that make the devices have prevented the public from obtaining information about their capabilities and from learning how often the technology is deployed in investigations. Agencies sign nondisclosure agreements with the companies, which they use as a shield whenever journalists or others file public records requests to obtain information about the technology. Law enforcement agencies claim criminals could craft anti-surveillance methods to undermine the technology if they knew how it worked. The companies themselves cite trade secrets and proprietary information to prevent the public from obtaining sales literature and manuals about the technology.
For years, law enforcement used the devices without obtaining a court order or warrant. Even when they did seek approval from a court, they often described the technology in misleading terms to make it seem less invasive. They would often refer to stingrays in court documents as a “pen register device,” passive devices that sit on a network and record the numbers dialed from a certain phone number. They withheld the fact that the devices force phones to connect to them, that they force other phones that aren’t the target device to connect to them, and that they can perform more functions than simply grabbing an IMSI number. Most significantly, they withheld the fact that the device emits signals that can track a user and their phone inside a private residence. After the FBI used a stingray to track Rigmaiden (the identity thief in San Jose) in his apartment, Rigmaiden’s lawyers got the Justice Department to acknowledge it qualified as a Fourth Amendment search that would require a warrant.
Law enforcement agents have not only deceived judges, however; they’ve also misled defense attorneys seeking information about how agents tracked their clients. In some court documents, law enforcement officials have indicated that they obtained location information about the defendant from a “confidential source,” when in truth they used a stingray to track them.
To address this deception, the Justice Department in 2015 implemented a new policy requiring all federal agents engaged in criminal investigations to obtain a probable cause search warrant before using a stingray. It also requires agents and prosecutors to tell judges when the warrant they are seeking is for a stingray; and it requires them to limit the use of the stingray’s capabilities to tracking the location of a phone and logging the phone numbers for calls received and made by the phone. They cannot collect the contents of communication, such as text messages and emails. And agents are required to purge the data they collect from non-targeted phones within 24 hours or 30 days, depending on the circumstances.
The problem, however, is that Justice Department policy is not law. And although the policy includes state and local law enforcement agencies when they are working on a case with federal agents and want to use the devices, it does not cover those agencies when they are working on cases alone. To address this loophole, lawmakers would need to pass a federal law banning the use of stingrays without a warrant, but efforts to do so have so far been unsuccessful.
One bigger issue with the Justice Department policy is that, as noted above, it only applies to criminal investigations, not national security ones, and it also includes a carve-out for “exigent circumstances” that are not clearly defined. Federal agents are not required to seek a warrant to use the technology in cases involving such circumstances. Whether the government has used the technology against Black Lives Matter protesters without a warrant is likely something that will remain a secret for some time.”