Monday, June 19, 2017

Searching For Stingrays With Ride-Sharing

That's the provocative idea behind an experiment documented in Wired on June 2nd. Stingrays, of course, are the boxes law enforcement (LE) uses to trick cellphones into connecting with them instead of the real, desired tower. Once connected, the LE agencies can intercept communications, track a suspect's location, and even inject malware onto a target phone.
For two months last year, researchers at the University of Washington paid drivers of an unidentified ridesharing service to keep custom-made sensors in the trunks of their cars, converting those vehicles into mobile cellular data collectors. They used the results to map out practically every cell tower in the cities of Seattle and Milwaukee—along with at least two anomalous transmitters they believe were likely stingrays, located at the Seattle office of the US Customs and Immigration Service, and the Seattle-Tacoma Airport.

Beyond identifying those two potential surveillance operations, the researchers say their ridesharing data-collection technique could represent a relatively cheap new way to shed more light on the use of stingrays in urban settings around the world. "We wondered, how can we scale this up to cover an entire city?" says Peter Ney, one of the University of Washington researchers who will present the study at the Privacy Enhancing Technology Symposium in July. He says they were inspired in part by the notion of "wardriving," the old hacker trick of driving around with a laptop to sniff out insecure Wi-Fi networks. "Actually, cars are a really good mechanism to distribute our sensors around and cast a wide net."
Police at all levels have been very reluctant to provide information on what they're doing with these devices or the devices called "IMSI Catchers", which use cellular phones' International Mobile Subscriber Identity (IMSI) as a way to identify a targeted phone.  They've even dropped charges against suspects rather than discuss what they do in open (non-classified) courtrooms.  Nevertheless, most states still don't require a search warrant to approve use of these tricks.
In the absence of publicly available stingray information, the University of Washington researchers tried a new technique to find out more. Starting in March of 2016, they paid $25 a week to 15 rideshare-service drivers to carry a suitcase-sized device they called SeaGlass. That sensor box contained about $500 worth of gear the team had assembled, including a GPS module, a GSM cellular modem, a Raspberry Pi minicomputer to assemble the data about which cell towers the modem connects to, a cellular hotspot to upload the resulting data to the group's server, and an Android phone running an older program called SnoopSnitch, designed by German researchers to serve as another source of cell-tower data collection. The sensor boxes ... were designed to boot up and start collecting data as soon as the car started.
The UW researchers then collected detailed data about every radio transmitter that connected to the SeaGlass modems and Android phones as they moved through the two cities for two months. This allowed them to identify and map out roughly 1,400 cell towers in Seattle, and 700 in Milwaukee. Then they combed that data for anomalies, like cell towers that seemed to change location, appeared and disappeared, sent localized weaker signals, appeared to impersonate other towers nearby, or broadcast on a wider range of radio frequencies than the typical cellular tower.  For instance:
Around the Seattle office of the US Customs and Immigration Service, the researchers pinpointed an apparent cell tower that frequently changed the channel on which it broadcast, cycling through six different kinds of signal. That's far more than any other tower they tested—96 percent of their data showed towers transmitting on just one channel—and represents a telltale sign of a stingray.
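As an added illustration (not code from the UW study or from Wired), here is one way to run two of the checks described above, a tower that hops channels and a tower identity heard in widely separated places, over a handful of constructed sightings. The record layout, the tower labels and both thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Sighting:
    cell: str     # tower identity as broadcast (hypothetical labels here)
    channel: int  # broadcast channel the modem heard it on
    lat: float    # sensor (car) position when the tower was heard
    lon: float


# Constructed sample data, not taken from the study.
SAMPLE = [
    Sighting("tower-A", 512, 47.610, -122.330),
    Sighting("tower-A", 512, 47.615, -122.335),
    Sighting("tower-B", 600, 47.620, -122.350),
    # One identity cycling through six channels at a single spot.
    *[Sighting("tower-C", ch, 47.600, -122.320) for ch in (700, 705, 710, 715, 720, 725)],
    # One identity heard from two positions roughly 40 km apart.
    Sighting("tower-D", 650, 47.610, -122.330),
    Sighting("tower-D", 650, 47.250, -122.440),
]


def group_by_cell(sightings):
    by_cell = defaultdict(list)
    for s in sightings:
        by_cell[s.cell].append(s)
    return by_cell


def km_between(a, b):
    """Great-circle (haversine) distance in km between two sensor positions."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def single_channel_share(sightings):
    """Fraction of tower identities seen on exactly one channel (the baseline)."""
    by_cell = group_by_cell(sightings)
    if not by_cell:
        return 0.0
    single = sum(1 for seen in by_cell.values() if len({s.channel for s in seen}) == 1)
    return single / len(by_cell)


def flag_anomalies(sightings, max_channels=2, max_spread_km=10.0):
    """Return {cell: [reasons]} for towers breaking either assumed threshold."""
    report = {}
    for cell, seen in group_by_cell(sightings).items():
        reasons = []
        channels = {s.channel for s in seen}
        if len(channels) > max_channels:
            reasons.append(f"{len(channels)} channels")
        spread = max(km_between(a, b) for a in seen for b in seen)
        if spread > max_spread_km:
            reasons.append(f"heard {spread:.0f} km apart")
        if reasons:
            report[cell] = reasons
    return report


if __name__ == "__main__":
    print(f"single-channel share: {single_channel_share(SAMPLE):.0%}")
    for cell, reasons in flag_anomalies(SAMPLE).items():
        print(cell, "->", ", ".join(reasons))
```

A flag here only marks a tower for a closer look; a legitimate tower that was reconfigured or relocated during the collection window would trip the same checks.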
Attempting to correlate their findings with police agencies so they could determine just how well their approach worked was just not gonna happen, and to be honest, limits the utility of this study.   
A Port of Seattle police spokesperson said the airport police "don't have one of those," and a Seattle Police Department spokesperson said "it’s not one of ours." The FBI didn't respond to requests for comment, but an ICE spokesperson wrote that ICE agents "use a broad range of lawful investigative techniques in the apprehension of criminal suspects. ...” A DEA spokesperson refused to confirm or deny any specific operations, but noted that stingrays are a "lawful investigative tool that can be utilized in the dismantlement of criminal organizations."
Despite this, for a relatively modest $500 investment in hardware, and about twice that per month, the researchers were able to get a fairly good map of operations in their areas.  That part is probably where savings can be had, by having students or team members drive their own cars themselves. 
The Stingray finder hardware box.  University of Washington photo.  The study paper at UW is rather interesting if you're into that geeky stuff.


  1. Usually, the only law enforcement that does this is the FBI - and on occasions, DEA. Obtaining Title 3 warrants is a simple thing in the federal judicial system, not so with the state judiciary. It can be done by State/County/Municipal police/sheriffs but it's not as common.

  2. I've got the earlier version of the Stingray, called the Triggerfish. The box has 10 of the RF modules in it, along with some support hardware, like the USB interface, power distribution, etc.

    I suppose one of these days I'll eBay it, as it has zero functionality without the software.....

  3. Should law enforcement act to either prevent crime or to actively search for criminals? Or should they just show up after the murder/rape/robbery and try to figure out who did it? IMHO it would have been awesome if our law enforcement had caught the 9-11 hijackers before they flew the planes into the twin towers. But... we live in a democracy so it is reasonable that we choose to hamstring or handcuff law enforcement and do everything after the fact with no intent to prevent crime or find law breakers. If some criminal happens to wander into the police station and identify themselves that's OK but to actively look for them that's off limits.

    The question I have is; is it illegal for you or me to look at the information in the cell phone airwaves??? Is it illegal for the police to look without a warrant???

    1. The last paragraph is a bit easier. I believe the answer is that it is illegal for you or me to listen to cell phone conversations or look at metadata, or basically anything we haven't been invited to share. That would be under the Electronic Communications Privacy Act of 1986 and amended. The ECPA is why radio scanners don't cover the old analog cellphone bands, called AMPS - if you've ever looked at scanners you'll find they block out roughly 824-849 and 869-894 MHz. It is unique to the US. Scanner hobbyists argued that those signals are not just on our property, they're going through our bodies, and since they're putting their conversations in our private space they had no expectation of privacy. The argument was that the solution wasn't law, it was encryption.

      As for whether it's illegal for the police to look without a warrant, I don't have an easy answer. I think it's illegal. It's supposedly easy to get warrants to do that, but I also keep hearing they don't.

      The principle that the privacy groups (EFF and such) advocate is that cellphone monitoring should be like any other law enforcement: it's different to monitor suspects than to just suck up all the data in all the conversations from all the phones/devices in the world and try to find suspects. To borrow your 9/11 analogy, there was airport security and screening on 9/11 and the hijackers went through it. Just because Law Enforcement can pick up all the cellphone traffic doesn't mean they'll do anything worthwhile with it. How many of these terrorist attacks in the last few months have come from "known wolves"? LE knew the person was probably a terrorist, they chose to do nothing.

    2. I have a radio and a scanner that covers cell phone frequencies. Bought them years ago when those crazy paranoid conspiracy theorists wildly claimed that the government would make it illegal.

      BUT my point was not to listen to the content of the call but simply to look at the metadata. You are aware I'm sure that the phone companies look at it and use it and every employee can access it and god knows how many other people can. So the question is can the police simply look at the metadata (which as I understand is the argument that the NSA makes that they don't listen in to conversation but merely collect data).

      As for 9/11 the airport security is more about scaring children, frisking little old ladies and preventing cancer victims from flying to their chemo treatments. But imagine smart people who put 2 + 2 together and figure out that those 19 hijackers were up to no good IF they had access to more information.

  4. " But... we live in a democracy so it is reasonable that we choose to hamstring or handcuff law enforcement"

    You are making a mistake in thought or in expression. We live in a free society so we set limits on what law enforcement can do. Has nothing to do with democracy.

    Starting with the Constitution of the United States (and the prior documents it is based on) we set limits on the power of the government. The Bill of Rights is the foundation for us in the US, but the Magna Carta worked fine in a NOT democracy...

    We don't allow a lot of things that would make the job of the police easier. We don't DNA type kids at birth and maintain a database of DNA. That would surely make solving some crimes easier. Or it would make framing someone for a crime easier. Stopping every person on a street and searching them down to their body cavities on any Friday night would certainly identify some crimes and "find law breakers." Stopping every car on the freeway and searching the car and occupants might "find law breakers." So would randomly entering peoples' homes and tossing their stuff out into the yard. There are plenty of examples from history, and unfortunately plenty from contemporary US policing too. Do you want to live in such a society? I don't.

    The end stage for this sort of thinking has the entire population either in an actual prison or in a virtual one, only allowed to do what 'law enforcement' and the government deign to allow.

    Our freedom from arbitrary search and seizure is one of the bedrock foundational concepts of our country, as are the other protections in the Constitution and the Bill of Rights, and especially the right not to be forced to provide testimony against yourself. Use of a Stingray device violates both of those provisions.

    If it were all reasonable and above board, instead of being of shaky and dubious legal authority, they wouldn't be working so hard to avoid having some light shone on their odious mess.


    1. IF what you say were true THEN we would not need to apply/beg for a concealed carry permit because the constitution is crystal clear that we all have the inalienable right to keep and bear arms. But yet 51% of voters can elect an openly anti-gun legislator/congressman and voila suddenly the constitutional rights mean nothing.
      So yes! we live in a democracy (a democratic republic) where 51% of the people can decide to do pretty much anything they want to.

      But I agree with your point, that the end stage of allowing the police to "look" for trouble will not end well. That was my point. Either we actively look for possible horrible crimes or criminals or we do not? I take it you would prefer that the police simply sit around eating doughnuts or issuing speeding tickets until something happens and then they write a report. So be it. We get the government we deserve.

  5. I'm surprised that the researchers didn't start with public information like that on to map FCC listed antennas and towers as a starting point for what should be present; it would also be a good way to use ground truth to check the hardware is working right with known targets before looking for unknown targets.

    1. They're probably not "radio guys" who would know to do that.

      I see this a lot. People who don't know much about radio, but know how to code, will get an idea, and code up something using a USB dongle receiver controlled by a Raspberry Pi, and then wonder why it doesn't work very well, if at all.

      I just spent several weeks tutoring some guys that were trying to get one of the ADSB applications working. The code ran fine, but the radio aspect of it just killed them until I took the time to explain why the radio part of it wasn't working.

  6. --cut into two parts--

    "But imagine smart people who put 2 + 2 together and figure out that those 19 hijackers were up to no good IF they had access to more information."

    It couldn't have been more clear. The plan was well known from a laptop captured in Yemen. They had 2 years to look out for and put the pieces together and failed. Lots of smart people saw pieces. They were intentionally siloed and kept apart. Several ordinary Americans REPORTED the murdering scumbags and despite all that, 'law enforcement' couldn't prevent the attacks. That failure led to the creation of Homeland Security and one overall org chart for the whole apparatus. This is why we now have "Fusion Centers." They still don't work to prevent terror attacks, as they are (typically) fighting the last war. Current attacks have not come from traditional networks of well financed international terror organizations-- the kind of thing you find when you sift meta-data doing traffic analysis. They come from self-radicalized people who are already in place, given a nudge or a lesson when needed. Doing all the traffic analysis in the world won't find the guy who meets a guy at the coffee shop or mosque and rents a truck. And in the meantime, you violate the hell out of innocent people's rights.

    " I take it you would prefer that the police simply sit around eating doughnuts or issuing speeding tickets until something happens and then they write a report. So be it. We get the government we deserve."

    And again, you are conflating things. The police are not the government. The police do not investigate or prevent terror unless it's happening right in front of them. The police mission is not the prevention of crime. The police have used 'anti-terror' as an excuse to get Stingray and pursue ordinary crimes with this extra-ordinary tool, because it's easier. Here's just one of dozens of articles about it:

    --end of part one--

    1. "The police do not investigate or prevent terror"

      That may be true. BUT they could!!
      Imagine (hum the John Lennon song) that we deported people who came here illegally and overstayed their Visas. Imagine that we didn't allow colleges to set immigration policy. (I have never understood why we let colleges that our tax payers pay for put 20% foreigners in slots that are denied to citizens, when will we smarten up). Imagine that they required all aliens to register every year just like they did 30 years ago and we actually knew who was in our country. Imagine that visitors to this country got their names put into a computer system and it was checked when they left so we would know if they left. Imagine that all of this could easily be accomplished by immigration police, border patrol and even city and state police. YES police could prevent terror.

  7. This comment has been removed by the author.

  8. --begin part two--

    I'd prefer the police investigate the ORDINARY CRIMES which occur every day in every jurisdiction. I don't want them rolled up and navel gazing, you can see the result of that in Chicago. There is no shortage of crime to investigate. They don't have to go looking for it. There are other agencies who take an active role, especially wrt terror, and you are unlikely to ever end up on their wrong side. This is not true of your local cops.

    Cops/police don't prevent crime except possibly by their presence. They investigate it after it happens. They LEGALLY can't act until a crime has been committed. Heck, the courts have ruled on this and decided that they DON'T have any kind of duty to even protect you. People wrongly believe that the cops prevent crime and protect people in some active way. They don't. They encourage crime prevention as it decreases their workload and is a general good.

    And finally you are confusing a democracy with a republic. Except possibly in local issues, and in places where there is a mechanism for it (like the proposition system, or a direct referendum), 51% of voters don't EVER vote on issues of law, they only ever vote to elect one of the people chosen to be presented to them. Even in those places with direct voting on props and referendums, they quickly discover that if they vote "wrong" the entrenched interests and special interest groups will engage in pretty much any kind of trick to avoid enacting the will of the people into law. And finally (finally) our founding fathers were rightly wary of and skeptical of direct democracy. I absolutely don't want the citizens (and voting non-citizens) of Chicago, NYC, and LA to determine every political question in the country. THAT'S what we'd get with a direct democracy.

    In a free society (even if it remains one in name only- and we're not quite there yet) there need to be limits on what the police can do. The rights of the people NEED to be respected, both by the people and by the 'authorities.' Where that fails, it is a FAILURE, and should not be accepted or held up as a good example. The pendulum will eventually swing back in the direction of rights and freedoms. I just don't know if I'll live long enough to see it.


    --end of file--

    1. You have never heard of stings? Prostitution, child porn, internet soliciting of contacts usually with under age girls. Cops do all of this presumably to prevent crime.

      I clearly stated that we are a Democratic Republic (not a Republic). True we don't vote on issues of law BUT the politician tells us what he is for and 51% of the voters vote based on the hope/belief that he will do exactly what he said and vote on issues of law (hence a democratic republic).

      Absolutely police should/must adhere to the constitution. BUT they ARE allowed to open their eyes and observe/see/hear what is there to be seen and heard. Imagine the LEO staying within their constitutional limitations AND finding criminals thus preventing more crime. Ask yourself why in NY City a policeman can no longer go into a mosque? I or you or any policeman could go into almost any church and listen and look around but not a mosque. Why? Because people have used exactly YOUR argument to convince left leaning judges to stop it. Should they be able to go into a mosque?

      You might think I don't agree with your point about the possibility/reality of abuse of power. But in fact I'm right there with you. But we (the civilized world) are in deep trouble and 'mostly' because of special interests who have pushed their agenda on civilized populations who have laws intended for civilized populations but which make us terribly vulnerable to these ruthless aggressors. We better get smarter sooner. Pretty soon this theoretical discussion won't even be allowed by the invading winners of this war. What then? You say, gee maybe we should have done more and enforced our laws!

  9. "Cops do all of this presumably to prevent crime."

    Cops do this in response to crime. They KNOW a crime is being committed, they are aware of people committing the crime, but they are having trouble developing evidence, or they want to get to MORE of the criminals than the one they came across. Otherwise, it's entrapment.

    1. Yes and when they do this and catch someone who is committing these crimes they prevent further crime, right???

  10. So would shooting the criminals when found, without benefit of a trial and conviction. We don't allow that because we know it will be abused.

    We have something called 'entrapment' which isn't allowed, because we know it will be abused.

    We have rules of evidence and all the rest of the restrictions because we know that the state and its agents will abuse the citizenry every chance they can.

    Again, we WANT limits on the power of the police and the .gov Yes, even if it makes their jobs harder.

    Strong limits.

    We used to profess to believe the quote “For the law holds, that it is better that ten guilty persons escape, than that one innocent suffer.”

    and we should.


    1. You failed to mention the major abuse today and that is monetary fines/confiscations. 40 miles from me is a tiny town on the interstate that supports 50% of their city government by catching speeders on the half mile of interstate in their jurisdiction. And of course we have all heard of the abuse by police/DA's of confiscating a persons money because, well because they had too much in their possession when the police stopped them. Arguably a lot of those caught in this trap are drug traffickers but just as true a lot are simply citizens with some cash.

      That quote "better that ten guilty persons escape, than that one innocent suffer.” makes perfect sense unless you are a victim of one of those ten set free by a technicality. How about we make all guilty suffer and no innocent suffer.

      But this all begs the question. Everyone who works for the phone company has access to the metadata of cell phones. That same data is available on the air waves if you want to look at it. It is likely that our foreign enemies access this data all the time. Should the police be able to look at this? Would you change your mind if it would have prevented 9/11 or the next 9/11?