Stingrays are not the only problem out there. There are malicious cellular base stations called "IMSI catchers", which use cellular phones' International Mobile Subscriber Identity (IMSI) as a way to identify a targeted phone. Once targeted, the operators can execute a "man in the middle" attack against it, acting as an intermediary between the phone and a legitimate cell tower in order to intercept and record conversations. There are other sorts of rouge towers, big ones, not temporary setups by a signal monitoring van, that gather cellphone traffic. Just last summer ('14) there was a report by a crypto communications provider of finding "more than a dozen" rogue towers in the Washington DC area. One has to wonder with 15 rogue towers in the DC area if they're foreign intelligence services. One thing's for sure. It's not just the NSA. For example, if a company is trying to prevent personal cell phone usage within a facility through passive means, an employee might plug a femtocell base station in at their desk to make outbound calls that aren't through the company's call logging system. This also introduces the potential threat of cellular jamming by someone seeking to block service for malicious reasons.
Tonight we go back to ARS Technica, which reports:
At the RSA Conference in San Francisco today, the network penetration testing and monitoring tool company Pwnie Express will demonstrate its newest creation: a sensor that detects rogue cellular network transceivers, including "Stingray" devices and other hardware used by law enforcement to surreptitiously monitor and track cell phones and users.The thing is, it doesn't require a Stingray or "law enforcement-grade" hardware. Anyone with a HackRF or other software-defined radio kit and open-source software can turn a laptop computer into a cellular network transceiver—or even a cellular jammer.
Pwnie Express' technology isn't new; what's new is selling it to non-government groups.
"It's actually real easy to make something that can do this but can only be used by government or law enforcement," said Farina. "But so many people have these problems and no way to solve them. If you've got a good sized company, you're absolutely a target for somebody setting up a small base station and grabbing your data, pretty cheaply."There are already some alternatives out there to detect IMSI catchers such as SnoopSnitch, an Android application that can warn a phone user of suspicious cell tower signals that might indicate an IMSI catcher or rogue base station. While it appears that Pwnie's Pulse with these features added won't be available real soon, it pays the technically inclined to dig into the ways this works. It sounds like detecting Stingray and other malicious devices is not out of the realm of the determined home hobbyist.
Pwnie's cellular threat detection capability is based on FCC-certified cellular transceiver hardware, and it will be integrated into the company's Pwn Pro network sensor line (the corporate version of the Pwn Plug). A 4G cellular transceiver is integrated directly into the device.
"What we're focusing on is the malicious use of cellular—a handful of specific things we can detect passively now," said Porcello. "And there will be a lot more by the time we ship." He added that the rule sets used for identifying some of the potentially malicious behaviors "are pretty rudimentary at this point," and additional work will be required to tune out false positive alerts.