For two months last year, researchers at the University of Washington paid drivers of an unidentified ridesharing service to keep custom-made sensors in the trunks of their cars, converting those vehicles into mobile cellular data collectors. They used the results to map out practically every cell tower in the cities of Seattle and Milwaukee—along with at least two anomalous transmitters they believe were likely stingrays, located at the Seattle office of the US Customs and Immigration Service, and the Seattle-Tacoma Airport.Police at all levels have been very reluctant to provide information on what they're doing with these devices or the devices called "IMSI Catchers", which use cellular phones' International Mobile Subscriber Identity (IMSI) as a way to identify a targeted phone. They've even dropped charges against suspects rather than discuss what they do in open (non-classified) courtrooms. Nevertheless, most states still don't require a search warrant to approve use of these tricks.
Beyond identifying those two potential surveillance operations, the researchers say their ridesharing data-collection technique could represent a relatively cheap new way to shed more light on the use of stingrays in urban settings around the world. "We wondered, how can we scale this up to cover an entire city?" says Peter Ney, one of the University of Washington researchers who will present the study at the Privacy Enhancing Technology Symposium in July. He says they were inspired in part by the notion of "wardriving," the old hacker trick of driving around with a laptop to sniff out insecure Wi-Fi networks. "Actually, cars are a really good mechanism to distribute our sensors around and cast a wide net."
In the absence of publicly available stingray information, the University of Washington researchers tried a new technique to find out more. Starting in March of 2016, they paid $25 a week to 15 rideshare-service drivers to carry a suitcase-sized device they called SeaGlass. That sensor box contained about $500 worth of gear the team had assembled, including a GPS module, a GSM cellular modem, a Raspberry Pi minicomputer to assemble the data about which cell towers the modem connects to, a cellular hotspot to upload the resulting data to the group's server, and an Android phone running an older program called SnoopSnitch, designed by German researchers to serve as another source of cell-tower data collection. The sensor boxes ... were designed to boot up and start collecting data as soon as the car started.The UW researchers then collected detailed data about every radio transmitter that connected to the SeaGlass modems and Android phones as they moved through the two cities for two months. This allowed them to identify and map out roughly 1,400 cell towers in Seattle, and 700 in Milwaukee. Then they combed that data for anomalies, like cell towers that seemed to change location, appeared and disappeared, sent localized weaker signals, appeared to impersonate other towers nearby, or broadcast on a wider range of radio frequencies than the typical cellular tower. For instance:
Around the Seattle office of the US Customs and Immigration Service, the researchers pinpointed an apparent cell tower that frequently changed the channel on which it broadcast, cycling through six different kinds of signal. That's far more than any other tower they tested—96 percent of their data showed towers transmitting on just one channel—and represents a telltale sign of a stingray.Attempting to correlate their findings with police agencies so they could determine just how well their approach worked was just not gonna happen, and to be honest, limits the utility of this study.
A Port of Seattle police spokesperson said the airport police "don't have one of those," and a Seattle Police Department spokesperson said "it’s not one of ours." The FBI didn't respond to requests for comment, but an ICE spokesperson wrote that ICE agents "use a broad range of lawful investigative techniques in the apprehension of criminal suspects. ...” A DEA spokesperson refused to confirm or deny any specific operations, but noted that stingrays are a "lawful investigative tool that can be utilized in the dismantlement of criminal organizations."Despite this, for a relatively modest $500 investment in hardware, and about twice that per month, the researchers were able to get a fairly good map of operations in their areas. That part is probably where savings can be had, by having students or team members drive their own cars themselves.
The study paper at UW is rather interesting if you're into that geeky stuff.