Tuesday, April 21, 2015

Techy Tuesday - Catching Stingrays - The Cell Phone Monitor Kind

By now, the Stingray cellphone monitoring devices have been pretty well documented online.  Supposedly so secret that the FBI would prefer prosecutors drop a case rather than provide details on their Stingray operations, they are nonetheless well known to the people who are targeted by them, or who are concerned about being targeted by them.

Stingrays are not the only problem out there.  There are malicious cellular base stations called "IMSI catchers", which use a cellular phone's International Mobile Subscriber Identity (IMSI) as a way to identify a targeted phone.  Once a phone is targeted, the operators can execute a "man in the middle" attack against it, acting as an intermediary between the phone and a legitimate cell tower in order to intercept and record conversations.  There are other sorts of rogue towers, too: big ones, not temporary setups in a signal monitoring van, that gather cellphone traffic.   Just last summer ('14) there was a report by a crypto communications provider of finding "more than a dozen" rogue towers in the Washington DC area.  One has to wonder, with 15 rogue towers in the DC area, whether they belong to foreign intelligence services.  One thing's for sure: it's not just the NSA.  For example, if a company is trying to prevent personal cell phone usage within a facility through passive means, an employee might plug a femtocell base station in at their desk to make outbound calls that don't go through the company's call logging system.  This also introduces the potential threat of cellular jamming by someone seeking to block service for malicious reasons.

Tonight we go back to ARS Technica, which reports:
At the RSA Conference in San Francisco today, the network penetration testing and monitoring tool company Pwnie Express will demonstrate its newest creation: a sensor that detects rogue cellular network transceivers, including "Stingray" devices and other hardware used by law enforcement to surreptitiously monitor and track cell phones and users.
The thing is, it doesn't require a Stingray or "law enforcement-grade" hardware.  Anyone with a HackRF or other software-defined radio kit and open-source software can turn a laptop computer into a cellular network transceiver—or even a cellular jammer.

Pwnie Express' technology isn't new; what's new is selling it to non-government groups.
"It's actually real easy to make something that can do this but can only be used by government or law enforcement," said Farina. "But so many people have these problems and no way to solve them. If you've got a good sized company, you're absolutely a target for somebody setting up a small base station and grabbing your data, pretty cheaply."

Pwnie's cellular threat detection capability is based on FCC-certified cellular transceiver hardware, and it will be integrated into the company's Pwn Pro network sensor line (the corporate version of the Pwn Plug). A 4G cellular transceiver is integrated directly into the device.

"What we're focusing on is the malicious use of cellular—a handful of specific things we can detect passively now," said Porcello. "And there will be a lot more by the time we ship." He added that the rule sets used for identifying some of the potentially malicious behaviors "are pretty rudimentary at this point," and additional work will be required to tune out false positive alerts.
There are already some alternatives out there to detect IMSI catchers, such as SnoopSnitch, an Android application that can warn a phone user of suspicious cell tower signals that might indicate an IMSI catcher or rogue base station.   While it appears that Pwnie's Pulse with these features added won't be available very soon, it pays the technically inclined to dig into how this kind of detection works.  It sounds like detecting Stingray and other malicious devices is not out of the realm of the determined home hobbyist.
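To show what the "rule sets" and "suspicious cell tower signals" mentioned above amount to in practice, here is an added example (not code from this blog, from Pwnie Express, or from SnoopSnitch). It runs a few generic, passive heuristics over a constructed log of cell observations: a cell identity that was never seen during a baseline survey yet arrives with an unusually strong signal, an unexplained fall-back from LTE/UMTS to 2G, a 2G cell reporting no encryption (A5/0), and a location-area change onto an unknown cell. The PLMN codes, cell IDs, signal levels and the -60 dBm threshold are all constructed values for the illustration, not measurements from any real network.

```python
"""Passive rogue base station heuristics over constructed cell observations.

Added illustration; the heuristics are generic and the data is made up.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

CellKey = Tuple[str, str, int, int]  # (MCC, MNC, LAC/TAC, cell identity)

# Assumption for the example: an unknown cell heard above this level is
# suspicious because legitimate macro cells are rarely this loud indoors.
STRONG_SIGNAL_DBM = -60


@dataclass(frozen=True)
class CellObservation:
    ts: int          # seconds since start of capture
    mcc: str         # mobile country code
    mnc: str         # mobile network code
    lac: int         # location area code (tracking area code on LTE)
    cid: int         # cell identity
    rssi_dbm: int    # received signal strength
    rat: str         # radio access technology: "LTE", "UMTS" or "GSM"
    cipher: str      # reported cipher: "A5/3", "A5/1", "A5/0" (none) or "n/a"

    def key(self) -> CellKey:
        return (self.mcc, self.mnc, self.lac, self.cid)


def build_baseline(survey: Iterable[CellObservation]) -> Set[CellKey]:
    """Learn the set of cells normally heard at a site from a survey period."""
    return {obs.key() for obs in survey}


def evaluate(obs: CellObservation, baseline: Set[CellKey],
             prev: Optional[CellObservation] = None) -> List[str]:
    """Return the list of rule names the observation trips (empty if benign)."""
    alerts: List[str] = []
    known = obs.key() in baseline
    if not known and obs.rssi_dbm >= STRONG_SIGNAL_DBM:
        alerts.append("unknown-cell-strong-signal")
    if prev is not None and prev.rat in ("LTE", "UMTS") and obs.rat == "GSM":
        alerts.append("downgrade-to-2g")
    if obs.rat == "GSM" and obs.cipher == "A5/0":
        alerts.append("encryption-disabled")
    if prev is not None and prev.lac != obs.lac and not known:
        alerts.append("lac-change-to-unknown-cell")
    return alerts


def scan(observations: Iterable[CellObservation],
         baseline: Set[CellKey]) -> List[Tuple[int, CellKey, List[str]]]:
    """Run the rules over a time-ordered log, keeping the previous observation
    so that downgrade and LAC-change rules can compare consecutive samples."""
    findings = []
    prev = None
    for obs in observations:
        alerts = evaluate(obs, baseline, prev)
        if alerts:
            findings.append((obs.ts, obs.key(), alerts))
        prev = obs
    return findings


# Constructed survey of the site's normal cells (test PLMN 001/01, made-up IDs).
SURVEY = [
    CellObservation(0, "001", "01", 4101, 700123, -85, "LTE", "n/a"),
    CellObservation(60, "001", "01", 4101, 700124, -92, "LTE", "n/a"),
    CellObservation(120, "001", "01", 4101, 700123, -83, "LTE", "n/a"),
]

# Constructed live capture: two normal samples, then a loud, unknown 2G cell
# with ciphering off appears in a different location area.
LIVE = [
    CellObservation(1000, "001", "01", 4101, 700123, -84, "LTE", "n/a"),
    CellObservation(1060, "001", "01", 4101, 700124, -90, "LTE", "n/a"),
    CellObservation(1120, "001", "01", 9999, 65001, -48, "GSM", "A5/0"),
    CellObservation(1180, "001", "01", 9999, 65001, -47, "GSM", "A5/0"),
]

if __name__ == "__main__":
    for ts, key, alerts in scan(LIVE, build_baseline(SURVEY)):
        print(f"t={ts}s cell={key}: {', '.join(alerts)}")
```

Each rule on its own is a weak signal (a new macro cell comes on air, a carrier legitimately serves a 2G-only area), which is exactly the false-positive tuning problem the article quotes Porcello on; it is the combination of several rules firing on the same unknown cell within a short window that is worth escalating.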


  1. I've been considering buying a HackRF for some time now.

    This might just push me over the edge.

    Years ago, somebody "gifted" me a Harris Triggerfish unit, the precursor to the Stingray.

    It's completely useless without the software to run it, but had a lot of usable components I stripped out of it.

  2. Just ordered a HackRF.

    I'll probably do some posts on it after I've played with it a while.....

  3. Where did you get it? I've been looking through the vendors on that list and never seen it in stock.

    Guess it's been a while since I clicked on every one...

  4. Nooelec has them for $299 plus shipping.

    I've bought things from him on eBay, and they ship fast, and sell decent things.

    I bought a "Bag 'O Dongles" for my radio club to give out as door prizes.

  5. DrJIM, If someone "gifts you" a GOSSAMER let me know, I'm interested :)


  6. Sold the HackRF.

    Unless you really want to use LinRad or GNURadio, you're stuck with whatever canned software that's out there, which basically gives it the same functionality as a $10 dongle.

    It also only does 8-bit conversion, so the dynamic range isn't any better than a dongle.

    And while it's capable of transmitting (half-duplex only), you'll have to write your own software to do it.

    Just wasn't worth having $300 tied up in it.....