“Typically constructed with a laptop, hard drive (to handle encryption tables), and a cell phone or commercial cell radio with external antenna.”

Your phone may not be safe at protests / 07/05/2012

“Ever wondered why your cell phone reception suddenly becomes terrible at protests? Ever worried that police could use electronic spoofing devices to suck up your mobile data because you are in the streets exercising your rights? You might have been onto something. Mobile “IMSI catchers”, currently on the market and being pushed to police and intelligence agencies worldwide, enable these creepy, stealth spying tactics. And if they build it and hawk it, history tells us police will buy it and deploy it.

On Tuesday, July 3, 2012, electronic privacy advocate and technology researcher Chris Soghoian tweeted a link to a photograph of a talk he gave at TED in Scotland in late June. Behind him in the photograph is another image, this one taken by privacy researcher Eric King at a surveillance trade show. (King’s Twitter bio contains a quote from a representative of the notorious ISS World — a global surveillance trade firm that often hosts such trade shows: the rep called him an “Anti-lawful interception zealot blogger.” High praise.)  Look at the slide behind Soghoian; that’s the photo in question. It shows an IMSI catcher strapped onto a model, under the model’s shirt.

IMSI stands for “International Mobile Subscriber Identity”. The technology is essentially a mobile phone tower with “a malicious operator”. It mimics the behavior of a cell tower and tricks mobile phones into sending data to it, instead of to the tower.

As such it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device used for interception and tracking of cellular phones and usually is undetectable for the users of mobile phones.

Once it has made a connection with the phone and tricked it into thinking it is a mobile tower, the IMSI catcher forces the phone to drop its encryption, enabling easy access to the contents of the device. The tool then lets the attacker listen in on mobile conversations and intercept all data sent from a mobile phone, remaining undetected. In some cases the tool also allows the operator to manipulate messages.

Here’s a creepy video that a purveyor of IMSI catchers made to advertise its product:

Police in the United States claim they do not need a warrant to use an IMSI catcher or other spoofing device to track your location. A case to determine whether or not the courts agree is working itself through the system. Privacy International’s Eric King took the photo on the slide behind Soghoian at a surveillance trade show, where he says the tool was “pitched to me as being perfect for covert operations in public order situations.” In other words, at protests. 

The FBI uses IMSI catchers and claims it does so legally, even though it says it doesn’t need a warrant to deploy them. The Electronic Privacy Information Center is currently pursuing FOIA litigation to find out exactly how the bureau uses the “Stingray” (a brand name IMSI catcher); unsurprisingly, the FBI wasn’t forthcoming with documents to reveal its legal standard or other information about how it uses the tool. Stay tuned for more information as that case makes its way through the courts.

Meanwhile, how can you protect yourself against IMSI catchers? Unfortunately, you probably can’t. And the threats are not just from government. As Soghoian and others warned in a friend of the court brief,

Finally, the communications privacy of millions of law-abiding Americans is already threatened by the use of this and similar interception technologies by non-US government entities, such as stalkers, criminals, and foreign governments engaged in espionage. As such, the public interest is best served by greater public discussion regarding these tracking technologies and the security flaws in the mobile phone networks that they exploit, not less.

Yet again, we are faced with a situation in which our technology has outpaced our law reform. It’s time for Congress to change that.

To get a more detailed sense of how the technology actually works, watch this excellent talk from DefCon 2011, with Chris Paget: “Practical Cellphone Spying”. He spoofs the phones of the people in the audience during the talk; it’s well worth watching if you have some time.

For more on IMSI catchers and the state of the law, click here.

Christopher Soghoian

by Christopher Parsons  /  February 4, 2012

Security, surveillance, and privacy researchers alike have been watching how authorities exploit cellular communications devices – often in secret, or absent sufficient oversight – for years. Research to-date has been performed by security researchers and hackers, social scientists, advocates, activists, and the curious, with contributions spanning hundreds of discreet investigations into technical capabilities and their social implications. Of late, a considerable amount of attention has been devoted to IMSI Catchers, which are devices that establish false mobile phone towers for the purpose of monitoring and tracking mobile phones without their users’ awareness.

Given the use of IMSI catchers by American authorities, a group of researchers and academics submitted an Amici Curiae (in their individual capacities) January 17, 2012 concerning the catchers. Specifically, the brief is in support of a defendant’s motion for disclosure of all relevant and helpful evidence withheld by the government based on a claim of privilege. The government, in this particular case, has admitted that the surveillance technologies used simulated a cell site but have refused to provide specific details of how this surveillance was conducted. We argue that a substantial amount of information surrounding IMSI catchers is already public and that, as a result, the secrets that the government is attempting to protect are already in the public domain. Moreover, the public interest is best served by “greater public discussion regarding these tracking technologies and the security flaws in the mobile phone networks that they exploit, not less.”

I want to thank the primary draftees of the brief for their (as always) excellent work and for the opportunity to sign on to it. Bringing transparency to government surveillance systems – especially when the government tries to limit public attention after information about these systems is publicly available – is critical if we are to foster serious and critical discussions about authorities’ capacity, and potential, to monitor and track citizens. Democratic systems work best when all branches of government – including law enforcement – cannot inappropriately hide their actions from the public. With an awareness of their government’s actions, the public can drive how their government functions as opposed to things happening the other way around.

I would note that IMSI catchers are of particular importance to Canadians. If forthcoming lawful access legislation is passed, in a format similar or identical to its last drafting, then Canadian police, intelligence, and security officers would be permitted to collect IMSI numbers, using catchers, and subsequently compel subscriber information from Canadian mobile phone providers. All of this would happen without a warrant. It cannot be stated enough that legalizing this level of unsupervised surveillance would have significant chilling speech and association implications. Moreover, it would significantly expand what constitutes ‘legitimate’ government surveillance while simultaneously undermining key privacy rights and expectations. Thus, while this particular Amici Curiae was sent to an American court, citizens in the Canada and UK would all be well served if our respective governments were transparent about their (stated and intended) usage of surveillance equipment, such as IMSI catchers, to surreptitiously monitor citizens.

To download the Amici Curiae, click here.

“A directional antenna is set up for a demonstration by security researcher Chris Paget, center. (Photo: Dave Bullock)”

Hacker Spoofs Cell Phone Tower to Intercept Calls
by Kim Zetter / July 31, 2010

“A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear. The device tricks the phones into disabling encryption and records call details and content before they’re routed on their proper way through voice-over-IP. The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area. “If you have the ability to deliver a reasonably strong signal, then those around are owned,” Paget said. Paget’s system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system. Doing this kind of interception “used to be a million dollars, now you can do it with a thousand times less cost,” Paget said during a press conference after his attack. “If it’s $1,500, it’s just beyond the range that people can start buying them for themselves and listening in on their neighbors.” Paget’s device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget’s aim was to highlight vulnerabilities in the GSM standard that allows a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.

Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. “Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers,” Paget said. The system captures only outbound calls. Inbound calls would go directly to voicemail during the period that someone’s phone is connected to Paget’s tower. The device could be used by corporate spies, criminals, or private investigators to intercept private calls of targets. “Any information that goes across a cell phone you can now intercept,” he said, except data. Professional grade IMSI catchers do capture data transfers, but Paget’s system doesn’t currently do this. His setup included two RF directional antennas about three feet long to amplify his signal in the large conference room, a laptop and open source software. The system emitted only 25 milliwatts, “a hundred times less than your average cell phone,” he said.

Paget received a call from FCC officials on Friday who raised a list of possible regulations his demonstration might violate. To get around legal concerns, he broadcast on a GSM spectrum for HAM radios, 900Mhz, which is the same frequency used by GSM phones and towers in Europe, thus avoiding possible violations of U.S. regulations. Just turning on the antennas caused two dozen phones in the room to connect to Paget’s tower. He then set it to spoof an AT&T tower to capture calls from customers of that carrier. “As far as your cell phones are concerned, I am now indistinguishable from AT&T,” he said. “Every AT&T cell phone in the room will gradually start handing over to my network.” During the demonstration, only about 30 phones were actually connecting to his tower. Paget says it can take time for phones to find the signal and hand off to the tower, but there are methods for speeding up that process.

To address privacy concerns, he set up the system to deliver a recorded message to anyone who tried to make a call from the room while connected to his tower. The message disclosed that their calls were being recorded. All of the data Paget recorded was saved to a USB stick, which he destroyed after the talk. Customers of carriers that use GSM could try to protect their calls from being intercepted in this manner by switching their phones to 3G mode if it’s an option. But Paget said he could also capture phones using 3G by sending out jamming noise to block 3G. Phones would then switch to 2G and hook up with his rogue tower. Paget had his jammer and an amplifier on stage but declined to turn them on saying they would “probably knock out all Las Vegas cell phone systems.”


Leave a Reply