Smartphones carried by most people depend on cell sites, or cell towers, for their operation. A cell site or cell tower is a cellular telephone site where antennae and electronic communications equipment are placed — typically on a radio mast, tower, or other raised structure — to create a cell (or adjacent cells) in a cellular network.
Smartphones are constantly sending signals to nearby cell towers, even when they are not being used, and wireless carriers store data about your device, from where it has been to whom you have called and texted, some of it for years. Police have been using this data, obtained in bulk as a "tower dump" that casts a vast data net, as a cutting-edge crime-fighting tool. Police maintain that cellphone data can help solve crimes, track fugitives or abducted children, or even foil a terror attack.
Police departments in many US states have been quietly using a highly secretive technology, developed for the military, that can obtain the equivalent of a tower dump while bypassing the real cell towers. The StingRay is an IMSI-catcher, a controversial cellular phone surveillance device, manufactured by Harris Corporation. These devices are cell site simulators that mimic cell towers and intercept data from all phones within a mile, or farther, depending on terrain and antennas. Police can determine the location of a phone without the user even making a call or sending a text. Some versions of the technology can even intercept texts and calls, or pull information stored on the phones.
Initially developed for the military and intelligence community, the StingRay and similar Harris devices are in widespread use by local and state law enforcement agencies across Canada, the United States, and the United Kingdom. Stingray has also become a generic name for these kinds of devices.
With the mobile Stingray, police can get a court order to grab some of the same data available via a tower dump with two added benefits. The Stingray can grab some data from cellphones in real time and without going through the wireless service providers involved. Neither tactic — tower dumps or the Stingray devices — captures the content of calls or other communication, according to police.
Civil liberties and privacy groups are increasingly raising objections to these suitcase-size devices. Part of the problem, privacy experts say, is the devices can also collect data from anyone within a small radius of the person being tracked. “The use of a cell site simulator intrudes upon an individual’s reasonable expectation of privacy, acting as an instrument of eavesdropping and requires a separate warrant supported by probable cause,” wrote state Supreme Court Judge Martin Murphy.
Stingrays go by a number of different names, including cell-site simulator, triggerfish, IMSI-catcher, Wolfpack, Gossamer, and swamp box, according to the documents. They can be used to determine the location of phones, computers using open wireless networks, and PC wireless data cards, also known as air cards. The cell-tracking systems cost as much as $400,000, depending on when they were bought and what add-ons they have. The latest upgrade, code-named “Hailstorm,” is spurring a wave of upgrade requests.
Initially developed for military and spy agencies, the Stingrays remain a guarded secret by law enforcement and the manufacturer, Harris Corp. of Melbourne, Fla. The company would not answer questions about the systems, referring reporters to police agencies. Most police aren’t talking, either, partly because Harris requires buyers to sign a non-disclosure agreement.
In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (e.g., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay. In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area.
A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area. Once a mobile device connects, the phone reveals its unique device ID, after which the stingray releases the device so that it can connect to a legitimate cell tower, allowing data and voice calls to go through.
During the process of forcing connections from all compatible cellular devices in a given area, the StingRay operator needs to determine which device is the desired surveillance target. This is accomplished by downloading the IMSI, ESN, or other identifying data from each of the devices connected to the StingRay. In this context, the IMSI or equivalent identifier is not obtained from the cellular service provider or from any other third party. The StingRay downloads this data directly from the device using radio waves.
Assistance from a cell phone carrier isn’t required to use the technology, unless law enforcement doesn’t know the general location of a suspect and needs to pinpoint a geographical area in which to deploy the stingray.
Once a phone’s general location is determined, investigators can use a handheld device that provides more pinpoint precision in the location of a phone or mobile device—this includes being able to pinpoint an exact office or apartment where the device is being used.
In addition to the device ID, the devices can collect additional information. “If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site simulator/triggerfish would include the cellular telephone number (MIN), the call’s incoming or outgoing status, the telephone number dialed, the cellular telephone’s ESN, the date, time, and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected),” the documents note.
In order for the kind of stingray used by law enforcement to work for this purpose, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.
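The authentication asymmetry described above is the whole reason the 2G downgrade matters, so here is a small simulation of it. This is an added example, not code from the page or from any vendor: the GSM A3/A8 and 3GPP f1/f2 functions are replaced by HMAC-SHA256 stand-ins, the subscriber key Ki is random, and the 3G AUTN token is simplified to SQN followed by MAC (the real token also carries AMF and masks SQN). The point it demonstrates is that a 2G phone answers any challenge, so a cell that does not hold Ki is still accepted, while 3G AKA makes the phone verify a network-authentication MAC under Ki before it responds, so a rogue cell (and a replayed legitimate challenge) is rejected.

```python
import hmac
import hashlib
import os
import secrets

# Constructed example: Ki is the long-term secret shared by the SIM and the home
# network's authentication centre. Here it is random; in practice it never leaves
# the SIM or the operator.
KI = secrets.token_bytes(16)


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for GSM A3 (produces SRES) and 3G f2 (produces RES).
    HMAC-SHA256 is an illustrative assumption, not the real algorithm."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def f1_mac(ki: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the 3GPP f1 function that binds RAND and SQN to Ki so the
    phone can check that the challenge came from someone holding the key."""
    return hmac.new(ki, b"f1" + rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class Sim:
    """The subscriber side: knows Ki and the last accepted sequence number."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn = 0

    def gsm_auth(self, rand: bytes) -> bytes:
        # 2G: the phone answers whatever challenge the serving cell sends.
        # Nothing in the exchange lets it tell a real cell from a simulator.
        return a3_sres(self.ki, rand)

    def umts_auth(self, rand: bytes, autn: bytes) -> bytes:
        # 3G AKA (simplified AUTN = SQN || MAC): verify the network first.
        sqn = int.from_bytes(autn[:6], "big")
        mac = autn[6:]
        if not hmac.compare_digest(mac, f1_mac(self.ki, rand, sqn)):
            raise ValueError("MAC failure: network not authenticated")
        if sqn <= self.sqn:
            raise ValueError("synchronisation failure: challenge replayed")
        self.sqn = sqn
        return a3_sres(self.ki, rand)


class HomeNetwork:
    """The legitimate operator: also holds Ki, so it can produce a valid AUTN."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn = 0

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def umts_challenge(self) -> tuple:
        self.sqn += 1
        rand = os.urandom(16)
        return rand, self.sqn.to_bytes(6, "big") + f1_mac(self.ki, rand, self.sqn)


class CellSiteSimulator:
    """A rogue cell that does not hold Ki. It can only send arbitrary challenges."""

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def umts_challenge(self) -> tuple:
        # Without Ki the MAC cannot be computed; any guess is rejected by the SIM.
        return os.urandom(16), (1).to_bytes(6, "big") + os.urandom(8)


def phone_accepts_2g(sim: Sim, station) -> bool:
    """2G outcome: True when the phone completes the challenge with this station."""
    sim.gsm_auth(station.gsm_challenge())
    return True


def phone_accepts_3g(sim: Sim, station) -> bool:
    """3G outcome: True only if the station's AUTN verifies under Ki."""
    try:
        rand, autn = station.umts_challenge()
        sim.umts_auth(rand, autn)
        return True
    except ValueError:
        return False


def replay_rejected(sim: Sim, network: HomeNetwork) -> bool:
    """A captured legitimate (RAND, AUTN) pair cannot be reused later."""
    rand, autn = network.umts_challenge()
    sim.umts_auth(rand, autn)      # first use succeeds
    try:
        sim.umts_auth(rand, autn)  # second use trips the SQN check
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sim, net, rogue = Sim(KI), HomeNetwork(KI), CellSiteSimulator()
    print("2G real cell accepted:", phone_accepts_2g(sim, net))
    print("2G simulator accepted:", phone_accepts_2g(sim, rogue))
    print("3G real cell accepted:", phone_accepts_3g(sim, net))
    print("3G simulator accepted:", phone_accepts_3g(sim, rogue))
    print("3G replay rejected:   ", replay_rejected(sim, net))
```

Run it and the 2G lines both print True while the 3G simulator line prints False: the SIM's MAC check is what the 2G protocol lacks. The same check is why forcing a handset down to 2G is a prerequisite rather than an optional step, and why keeping 2G disabled on a handset (where the platform allows it) removes the path entirely.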
Disruption can also occur from the way stingrays force-downgrade mobile devices from 3G and 4G connectivity to 2G when they are being used to intercept the content of communications. It is not known how quickly stingrays release devices that connect to them, allowing them to then connect to a legitimate cell tower. During the period that devices are connected to a stingray, disruption can occur for anyone in the vicinity of the technology.
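The behaviours described in this section and in the earlier paragraphs on forced connections (a cell that is suddenly much stronger than anything around it, a cell identity never seen before, a handset abandoning a healthy 3G/4G cell for 2G, 2G traffic with no cipher, and a short connection followed by release) are exactly the indicators a defender can look for. The following detection pass over a constructed trace of serving-cell observations is an added example, not code from the page: the field set assumes a baseband or diagnostic feed that exposes cell identity, signal strength and cipher (stock phone apps usually cannot see these), and the thresholds are illustrative assumptions. The trace and the "baseline then monitor" structure show how several weak signals become a strong one when they coincide.

```python
from dataclasses import dataclass


@dataclass
class CellObs:
    """One serving-cell observation (constructed; fields a baseband diagnostic
    feed could expose, not something a stock phone app normally sees)."""
    t: int        # seconds since start of the trace
    rat: str      # radio technology: "LTE", "UMTS" or "GSM"
    cell_id: int  # cell identity announced by the serving cell
    lac: int      # location/tracking area code
    rssi: int     # received signal strength in dBm (closer to 0 is stronger)
    cipher: str   # cipher in use; "A5/0" means GSM traffic is unencrypted


# Constructed trace: a phone camped on LTE, briefly pulled onto a strong unknown
# 2G cell with no encryption, then released back to its normal cell.
OBSERVATIONS = [
    CellObs(0,   "LTE", 1001,  7,   -85, "EEA2"),
    CellObs(30,  "LTE", 1001,  7,   -84, "EEA2"),
    CellObs(60,  "LTE", 1002,  7,   -90, "EEA2"),   # normal neighbour handover
    CellObs(90,  "LTE", 1001,  7,   -86, "EEA2"),
    CellObs(120, "GSM", 65001, 999, -55, "A5/0"),   # sudden downgrade, no cipher
    CellObs(130, "GSM", 65001, 999, -56, "A5/0"),
    CellObs(150, "LTE", 1001,  7,   -85, "EEA2"),   # released back to real cell
]

# Illustrative thresholds (assumptions, tune per deployment).
SIGNAL_JUMP_DB = 15      # unknown cell this much louder than anything known
USABLE_RSSI_DBM = -100   # a 3G/4G cell above this should not be abandoned for 2G
RECENT_S = 60            # how recent the last good 3G/4G observation must be


def analyze(observations, learn_until=100):
    """Return (t, indicator, detail) findings. Observations before `learn_until`
    build the baseline of known cells and the strongest normal signal."""
    baseline = [o for o in observations if o.t < learn_until]
    known = {(o.rat, o.cell_id, o.lac) for o in baseline}
    best_known_rssi = max(o.rssi for o in baseline)
    findings = []
    prev = None
    for o in observations:
        if o.t < learn_until:
            prev = o
            continue
        key = (o.rat, o.cell_id, o.lac)
        if key not in known:
            findings.append((o.t, "unknown_cell",
                             f"{o.rat} cell {o.cell_id}/LAC {o.lac} never seen before"))
            # A brand-new cell that is also far louder than every known cell is
            # the "stronger pilot signal" pattern rather than a normal new site.
            if o.rssi - best_known_rssi >= SIGNAL_JUMP_DB:
                findings.append((o.t, "signal_jump",
                                 f"{o.rssi} dBm vs best known {best_known_rssi} dBm"))
        # Dropping from a usable 3G/4G cell straight to GSM is the downgrade pattern.
        if (o.rat == "GSM" and prev is not None and prev.rat != "GSM"
                and prev.rssi > USABLE_RSSI_DBM and o.t - prev.t <= RECENT_S):
            findings.append((o.t, "rat_downgrade",
                             f"left {prev.rat} cell {prev.cell_id} at {prev.rssi} dBm for GSM"))
        if o.rat == "GSM" and o.cipher == "A5/0":
            findings.append((o.t, "no_encryption", "GSM traffic in the clear"))
        prev = o
    return findings


if __name__ == "__main__":
    for t, kind, detail in analyze(OBSERVATIONS):
        print(f"t={t:4d}s  {kind:14s} {detail}")
```

Each indicator on its own has benign explanations (a carrier adding a small cell trips `unknown_cell`; walking into a basement trips `rat_downgrade`), which is why the output is a list of findings rather than a verdict: the trace above yields all four kinds within ten seconds on the same cell, and it is that coincidence, not any one line, that deserves attention.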
By way of software upgrades, the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site.
The StingRay does this by way of the following man-in-the-middle attack: (1) simulate a cell site and force a connection from the target device, (2) download the target device’s IMSI and other identifying information, (3) conduct “GSM Active Key Extraction” to obtain the target device’s stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content.