How the Police Intercept, Locate, Listen To, and even Jam Cell Phone Communication

Formaldehyde

Both Fair And Balanced
Joined
Jan 29, 2003
Messages
33,999
Location
USA #1
What is a "stingray" other than a creature you have to be careful not to step on while in Florida?

Stingray phone tracker

The StingRay is an IMSI-catcher (International Mobile Subscriber Identity), a controversial cellular phone surveillance device, manufactured by the Harris Corporation.[1] Initially developed for the military and intelligence community, the StingRay and similar Harris devices are in widespread use by local and state law enforcement agencies across the United States and possibly covertly in the United Kingdom. Stingray has also become a generic name to describe these kinds of devices.[2]

Technology

The StingRay is an IMSI-catcher with both passive (digital analyzer) and active (cell site simulator) capabilities. When operating in active mode, the device mimics a wireless carrier cell tower in order to force all nearby mobile phones and other cellular data devices to connect to it.[3][4][5]

The StingRay family of devices can be mounted in vehicles,[4] on airplanes, helicopters and unmanned aerial vehicles.[6] Hand-carried versions are referred to under the trade name KingFish.[7]

Active mode operations

Extracting stored data such as International Mobile Subscriber Identity ("IMSI") numbers and Electronic Serial Number ("ESN"),[8]

Writing cellular protocol metadata to internal storage

Forcing an increase in signal transmission power,[9]

Forcing an abundance of radio signals to be transmitted

Interception of communications content

Tracking and locating the cellular device user,[3]

Conducting a denial of service attack

Encryption key extraction.[10]

radio jamming for either general denial of service purposes[11] or to aid in active mode protocol rollback attacks

Passive mode operations

conducting base station surveys, which is the process of using over-the-air signals to identify legitimate cell sites and precisely map their coverage areas

Active (cell site simulator) capabilities

In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (i.e., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay.[12] In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area.[13] A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area.

Extracting data from internal storage

During the process of forcing connections from all compatible cellular devices in a given area, the StingRay operator needs to determine which device is a desired surveillance target. This is accomplished by downloading the IMSI, ESN, or other identifying data from each of the devices connected to the StingRay.[8] In this context, the IMSI or equivalent identifier is not obtained from the cellular service provider or from any other third-party. The StingRay downloads this data directly from the device using radio waves.

In some cases, the IMSI or equivalent identifier of a target device is known to the StingRay operator beforehand. When this is the case, the operator will download the IMSI or equivalent identifier from each device as it connects to the StingRay.[14] When the downloaded IMSI matches the known IMSI of the desired target, the dragnet will end and the operator will proceed to conduct specific surveillance operations on just the target device.[15]

In other cases, the IMSI or equivalent identifier of a target is not known to the StingRay operator and the goal of the surveillance operation is to identify one or more cellular devices being used in a known area.[16] For example, if visual surveillance is being conducted on a group of protestors,[17] a StingRay can be used to download the IMSI or equivalent identifier from each phone within the protest area. After identifying the phones, locating and tracking operations can be conducted, and service providers can be forced to turn over account information identifying the phone users.

Just as a person shouting drowns out someone whispering, the boost in RF watts of power into the cell telephone system can overtake and control that system—in total or only a few, or even only one, conversation. This strategy only requires more RF watts of power, and thus it is more simple than other types of clandestine controls. Power boosting equipment can be installed anywhere there can be an antenna, including in a vehicle, perhaps even in a vehicle on the move. Once a clandestine boosted system takes control, any manipulation is possible from simple recording of the voice or data to total blocking of all cell phones in the geographic area.

Usage by law enforcement

In the United States

The use of the devices has been frequently funded by grants from the Department of Homeland Security.[25] The Los Angeles Police Department used a Department of Homeland Security grant in 2006 to buy a stingray for "regional terrorism investigations". However, according to the Electronic Frontier Foundation, the "LAPD has been using it for just about any investigation imaginable."[26]

In addition to federal law enforcement, military and intelligence agencies, StingRays have in recent years been purchased by local and state law enforcement agencies. According to the American Civil Liberties Union, 42 law enforcement agencies in 17 states own StingRay technology. In November 2014, Slate reported that at least 46 state and local police departments, from Sunrise, Florida, to Hennepin County, Minnesota, use cell-site simulators, with a price-tag of US$16,000 to more than US$125,000 for each unit.[27] In 2015, it was reported that the Baltimore Police Department's frequency in using the device was "inexplicably high".[28] In some states, the devices are made available to local police departments by state surveillance units. The federal government funds most of the purchases with anti-terror grants.

In 2006, Harris employees directly conducted wireless surveillance using StingRay units on behalf the Palm Bay Police Department — where Harris has a campus[29] — in response to a bomb threat against a middle school. The search was conducted without a warrant or Judicial oversight.[30][31][32][33]

Criticism

In recent years, legal scholars, public interest advocates, legislators and several members of the judiciary have strongly criticized the use of this technology by law enforcement agencies. Critics have called the use of the devices by government agencies warrantless cell phone tracking, as they have frequently been used without informing the court system or obtaining a warrant.[1] The Electronic Frontier Foundation has called the devices “an unconstitutional, all-you-can-eat data buffet.”[45]

Scientific American: What Is the Big Secret Surrounding Stingray Surveillance?

State and local law enforcement agencies across the U.S. are setting up fake cell towers to gather mobile data, but few will admit it

By Larry Greenemeier | June 25, 2015

Given the amount of mobile phone traffic that cell phone towers transmit, it is no wonder law enforcement agencies target these devices as a rich source of data to aid their investigations. Standard procedure involves getting a court order to obtain phone records from a wireless carrier. When authorities cannot or do not want to go that route, they can set up a simulated cell phone tower—often called a stingray—that surreptitiously gathers information from the suspects in question as well as any other mobile device in the area.

These simulated cell sites—which collect international mobile subscriber identity (IMSI), location and other data from mobile phones connecting to them—have become a source of controversy for a number of reasons. National and local law enforcement agencies closely guard details about the technology’s use, with much of what is known about stingrays revealed through court documents and other paperwork made public via Freedom of Information Act (FOIA) requests.

One such document recently revealed that the Baltimore Police Department has used a cell site simulator 4,300 times since 2007 and signed a nondisclosure agreement with the FBI that instructed prosecutors to drop cases rather than reveal the department’s use of the stingray. Other records indicate law enforcement agencies have used the technology hundreds of times without a search warrant, instead relying on a much more generic court order known as a pen register and trap and trace order. Last year Harris Corp., the Melbourne, Fla., company that makes the majority of cell site simulators, went so far as to petition the Federal Communications Commission to block a FOIA request for user manuals for some of the company’s products.

The secretive nature of stingray use has begun to backfire on law enforcement, however, with states beginning to pass laws that require police to obtain a warrant before they can set up a fake cell phone tower for surveillance. Virginia, Minnesota, Utah and Washington State now have laws regulating stingray use, with California and Texas considering similar measures. Proposed federal legislation to prevent the government from tracking people’s cell phone or GPS location without a warrant could also include stingray technology.

Scientific American recently spoke with Brian Owsley, an assistant professor of law at the University of North Texas Dallas College of Law, about the legal issues and privacy implications surrounding the use of a stingray to indiscriminately collect mobile phone data. Given the invasive nature of the technology and scarcity of laws governing its use, Owsley, a former U.S. magistrate judge in Texas, says the lack of reliable information documenting the technology’s use is particularly troubling.

[An edited transcript of the interview follows.]

When and why did law enforcement agencies begin using international cell site simulators to intercept mobile phone traffic and track movement of mobile phone users?

Initially, intelligence agencies—CIA and the like—couldn’t get local or national telecommunications companies in other countries to cooperate with U.S. surveillance operations against nationals in those countries. To fill that void companies like the Harris Corp. started creating cell site simulators for these agencies to use. Once Harris saturated the intelligence and military markets [with] their products, they turned to federal agencies operating in the U.S. So the [Drug Enforcement Administration], Homeland Security, FBI and others started having their own simulated cell sites to use for surveillance. Eventually this trickled down further to yet another untapped market: state and local law enforcement. That’s where we are today in terms of the proliferation of this technology.

Under what circumstances do U.S. law enforcement agencies use cell site simulators and related technology?

There are three examples of how law enforcement typically use stingrays for surveillance: First, law enforcement officials may use the cell site simulator with the known cell phone number of a targeted individual in order to determine that individual's location. For example, officials are searching for a fugitive and have a cell phone number that they believe the individual is using. They may operate a stingray near areas where they believe that the individual may be, such as a relative's home.

Second, law enforcement officials may use the stingray to target a specific individual who is using a cell phone, but these officials do not know the cell phone number. They follow the targeted individual from a site to various other locations over a certain time period. At each new location, they activate the stingray and capture the cell phone data for all of the nearby cell phones. After they have captured the data at a number of sites they can analyze the data to determine the cell phone or cell phones used by the targeted individual. This approach captures the data of all nearby cell phones, including countless cell phones of individuals unrelated to the criminal investigation.

Third, law enforcement officials have been known to operate stingray at political rallies and protests. Using the stingray at these types of events captures the cell phone data of everyone in attendance.

How does law enforcement get permission to perform this type of surveillance?

Federal law enforcement agencies typically get courts to approve use of something like stingray through a pen register application [a pen register is a device that records the numbers called from a particular phone line]. With that type of application, essentially the government says, we want this information. We think it’s going to be relevant to an ongoing criminal investigation. As you can imagine, that’s a pretty low bar for them to satisfy in the eyes of the court. Just about anything could fit into that description. You don’t even have to show that such an investigation would lead to an arrest or prosecution. Law enforcement is telling the court, look, we’re in the middle of this investigation. If we get this information, we think it might lead to some other important information.

Different court orders have different standards for approval. The highest standard would be for a wiretap. A search warrant likewise has a much higher standard than a pen register, requiring law enforcement to prove probable cause before a judge will grant permission to use additional means of investigation. The problem that I have with a pen register to justify use of something like a stingray is that the standard for a pen register is much too low, given the invasive nature of a pen register. Instead, I think the use of a stingray should be consistent with the Fourth Amendment of the Constitution and pursuant to a search warrant.

Why not explicitly state the type of technology being used and its specific purpose when filing for a court order?

[When] law enforcement agencies seek to obtain judicial authorization through a pen register, they do not directly indicate that they are applying for authorization to use a stingray. Doing so might cause some courts to question whether the pen register statute [as opposed to some higher standard] is the appropriate basis for authorizing a stingray. In addition, law enforcement agencies typically have to sign nondisclosure agreements with Harris Corp. in order to receive the federal Homeland Security funding needed to purchase the technology. So there’s this concern, at least at the local law enforcement level, about revealing any information about it because that would violate the agreement with Harris and maybe subject them to losing the equipment or some other consequences.

Why would law enforcement agencies sign a nondisclosure agreement with a technology company?

I’m not sure whether the agreements are being driven by the FBI or by Harris, but these agreements seem to be getting less relevant insofar as [there is less] need to keep the public unaware of the existence of this technology. In the last three or so years there’s been a lot more awareness about the technology and its use. When agencies were first signing these agreements years ago, use of this technology wasn’t widely known. Now you are getting situations where criminal defense attorneys learn about stingray and similar technologies and the role they may be playing in the arrests of some of their clients. Defense teams are starting to ask questions and require the government to produce documentation such as court orders, and that’s creating the confrontation you’re now seeing.

Why have law enforcement agencies kept their use of cell site simulators so secretive?

Some of it is the cloudy legal issues surrounding the legitimate uses of this technology. Law enforcement agencies will also argue that the more information that’s available about this technology, the harder it is for them to use these devices to fight crime. Yet there’s a growing knowledge of this technology, and a serious criminal enterprise is already aware of it. People are already using prepaid disposable phones [sometimes referred to as “burner phones”] to some extent to defeat this technology. Sophisticated criminals are aware that there’s electronic surveillance out there in myriad ways, and so they’re going to take precautions. From a technology perspective, it’s sort of a cat-and-mouse game. There’s also a device that locates cell site simulators, something referred to as an IMSI catcher. There’s an arms race back and forth to get the best technology and to get the edge.

What does it say to you about the whole process that a prosecutor or a law enforcement agency is willing to sacrifice a conviction in order to keep their methods a secret?

I think it’s a very odd approach. You are throwing away some convictions or potential convictions for the sake of secrecy. But it’s even harder to understand now that knowledge of the technology is becoming so common. There have been documented cases in Baltimore and Saint Louis where stingray has supposedly been used. The use of stingray and related technologies is a roll of the dice in the sense that law enforcement is hoping that either the defense attorneys don’t have enough savvy or wherewithal to find out about the technology and ask the right questions or, even if that does happen, they’re hoping that the judge that they have is favorable to their approach and not going to order them to reveal information about its use. In the rare occasions when things go against them, they just dismiss it.

You yourself denied a law enforcement application three years ago to use a stingray. Under what circumstances would you approve its use?

I want to make clear: I don’t have a problem with stingray itself—I understand that this can be a valuable tool in law enforcement’s arsenal. My problem is that I want it to be used pursuant to a high standard of proof that it’s needed, and that I want the approval process to be more transparent. One of the reasons I’d like to see some more documentation of stingray applications and orders is because I have this suspicion—but there’s no way of confirming it one way or another—that some judges are signing approvals to use this technology thinking that they’re just signing a pen register. If a judge thinks it’s [just] another pen register application, they’re just going to sign it without giving it much pause.

Now that the use of this stingrays and related technologies has been made public, where will this issue be a year or a few years from now?

A year from now I think we’re in the same position. You’re dealing with outdated statutes concerning new and very different technology. It’s possible in five years maybe that Congress will step in and do something. More likely, state legislatures will take most of the action to monitor this type of surveillance. Washington State, California [and others] have already acted, and Texas is evaluating the standards for approving stingray use.

ACLU: Stingray Tracking Devices: Who's Got Them?

What do you think?

Do you think the US and state governments will eventually respond to this gross invasion of privacy?

Is it safe to even walk around with your cell phone given that the police may decide you are a suspect in a crime for merely being in the vicinity of where a Stingray is being used?

Do you think it is being used to determine the names and addresses of many protesters by the police in a number of states already? Do you think it is a coincidence that many such individuals involved in peaceful protest have already reported that their cell phone batteries were mysteriously low? That their cell phones were not usable for some odd reason while they were at the protest?
 
I think there's a reason that I don't carry a cell phone.
 
It's not good, but cell networks have never been secure, this simply lowers the bar required to eavesdrop from "warrant" to "nothing".

Do you think it is a coincidence that many such individuals involved in peaceful protest have already reported that their cell phone batteries were mysteriously low?

Probably, I can't think of any likely mechanism by which a stingray would do that. If they're overpowering real cell towers and providing better signal, you'd typically increase battery lives of phones.
 
That isn't going to do a thing to stop it. It just means they can command your cell phone to produce a strong signal for a greater period of time.

Cell phone conversations are supposed to be secure, unlike other types of radio transmission. That is why the conversation is encrypted. But the methodology the cell phone providers decided to use was apparently designed so it could easily be circumvented by the authorities.

Also, who knows how many Stingrays Harris Corp has decided to sell to corporations and private individuals.
 
That isn't going to do a thing to stop it. It just means they can command your cell phone to produce a strong signal for a greater period of time.

I can't tell what you're saying.

You can't remotely control cell phone signal strength, it's automatic based on signal strength the phone gets from the tower. Stronger tower signal = longer battery life.
 
It is from part of the wiki entry I didn't post:

Cellular telephones are radio transmitters and receivers much like a walkie-talkie. However, the cell phone only communicates with a "repeater" inside a nearby cell tower installation. At that installation, the devices take in all cell calls in its geographic area and repeat them out to other cell installations which repeat the signals onward to their destination telephone (either by radio or land-line wires). Radio is used also to transmit a caller's voice/data back to the receiver's cell telephone. The two-way duplex phone conversation then exists via these interconnections.

To make all that work correctly, the system allows automatic increases and decreases in transmitter power (for the individual cell phone and for the tower repeater, too) so that only the minimum transmit power is used to complete and hold the call active, "on," and allows the users to hear and be heard continuously during the conversation. The goal is to hold the call active but use the least amount of transmit power, mainly to conserve batteries and be efficient. The tower system will sense when a cell phone is not coming in clearly, and will order the cell phone to boost transmit power. The user has no control over this boosting; it may occur for a split second or for the whole conversation. If the user is in a remote location, the power boost may be continuous. In addition to carrying voice or data, the cell phone also transmits data about itself automatically, and that is boosted or not as the system detects need.

Coding of all transmissions allows two nearby cell user users no cross talk or interference between the two (this coding is not encryption, which is another, different coding). The boosting of power, however, is limited by the design of the devices to a maximum setting. The standard systems are not "high power" and thus can be overpowered by clandestine systems using much more boosted power that can then take over a user's cell phone. If overpowered that way, a cell phone will not indicate the change due to the clandestine radio being programmed to hide itself from normal detection. The ordinary user can not know if their cell phone is captured via overpower boosts or not. (There are other ways of clandestine capture that need not overpower, too.)
This is supposedly why cell phone users at protests have found their batteries depleted. The Stingray is increasing the transmit power from the cell phones so it can better capture the user data and the conversations despite not having a large antenna like a cell phone tower has.
 
I can't tell what you're saying.

You can't remotely control cell phone signal strength, it's automatic based on signal strength the phone gets from the tower. Stronger tower signal = longer battery life.

I think the concept you are being presented with is off the tracks, but the results do fit the concern. I think the entire "upping the signal" part is urban legend.

An idle cell phone pings the nearest tower intermittently. If that idle cell phone is made active by someone with this device so that it can be used as an eavesdropping unit it isn't just pinging, it is in continuous use. So if you are somewhere for two or three hours and not making any calls, but your phone charge looks like you were on a two hour phone call (ie, it is dead), that would make sense in this context, yes?
 
What is a "stingray" other than a creature you have to be careful not to step on while in Florida?

Stingray phone tracker









Scientific American: What Is the Big Secret Surrounding Stingray Surveillance?



ACLU: Stingray Tracking Devices: Who's Got Them?

What do you think?

Do you think the US and state governments will eventually respond to this gross invasion of privacy?

Is it safe to even walk around with your cell phone given that the police may decide you are a suspect in a crime for merely being in the vicinity of where a Stingray is being used?

Do you think it is being used to determine the names and addresses of many protesters by the police in a number of states already? Do you think it is a coincidence that many such individuals involved in peaceful protest have already reported that their cell phone batteries were mysteriously low? That their cell phones were not usable for some odd reason while they were at the protest?

I think they should be required to get a warrant and need to specifically target people or things covered by the aforementioned warrant.
 
I think the concept you are being presented with is off the tracks, but the results do fit the concern. I think the entire "upping the signal" part is urban legend.

An idle cell phone pings the nearest tower intermittently. If that idle cell phone is made active by someone with this device so that it can be used as an eavesdropping unit it isn't just pinging, it is in continuous use. So if you are somewhere for two or three hours and not making any calls, but your phone charge looks like you were on a two hour phone call (ie, it is dead), that would make sense in this context, yes?

My thought to burn battery was the stingray getting the phone registered on its cell network, and then deliberately knocking it off, then registering it again, then knocking it off, over and over again.
 
Top Bottom