Stung by the Stingray?

This is an old draft I had sitting around and is probably relevant only to cellular technology mostly extinct in the wild, but some may remain applicable.

The tools I used to view the site locations included AIMSICD which may not be in active development anymore.

Part two of Urban Police State Week!

Note: This is very CDMA-centric. CDMA is used by Verizon and Sprint. Only reason for this? I don’t have a GSM phone. Sorry!

Welcome to the creepy, mysterious, bizarre world of covert wireless phone surveillance.

Stingray 1 and 2 - from Ars Technica

Please note that even though I’m using the name “Stingray” here, there are a lot of different devices, apparently — some obsolete, some completely mysterious… What’s common to all of them is that little to no documentation on them has been made public. For quite a while the FBI wanted these entirely secret, but now they’re starting to waffle on their policies since evidence of illegal warrantless surveillance by local law enforcement agencies has leaked.

Here’s a late 2013 article on the devices – this predates widespread LTE rollout on Sprint, so there may be new stuff in place (as I may have personally observed, if I can make sense of these damn tcpdump captures).

Anyway… “Stingray” is kind of vague. It appears to be software upgradeable to gain different capabilities. Its most basic functionality is as an IMSI catcher – it mimics a valid cell site momentarily with a good strong signal, and it causes phones to try to register with it. When they do, it logs their IMSI number, which is a unique hardware ID. It appears that there’s another component or two of the system that can perform radio direction finding to track down a single user, likely in conjunction with traffic being used to fake the handset into transmitting a lot.

So here are my personal observations of devices that have been used around here in South Florida. Since I do not, and probably never will, know what actual devices or software versions are in use I’m gonna make up my own stupid classification system! Bear with me now, my writing style is unique and silly.

The Miami Heat Special – Primitive, Clear As Mud!! (2008 – 2013)

This one first showed up intermittently during Miami Heat games leading up to the NBA playoffs before finally just coming online during almost any major event at the American Airlines Arena in downtown Miami.
Range: Short. Only covers a block or two around the west side of the AA Arena. Exact deployment location unknown, but unscientifically narrowed down to Marina Blue, possibly in a nearby vehicle.

Noticeable behavior on user handset: Almost nothing works! Phone calls will drop whenever the IMSI catcher wakes up, every minute or so. Mobile data connections drop out (“Data Call Failed” messages possible). Outgoing SMS tends to get lost without a trace. Symptoms seem almost identical to severe network overload – HOWEVER, if you look at the SID, it will be an oddball one that never appears otherwise. It seems like a random SID got picked out of a hat each time this one is deployed. Unit reports no location or bad location (0, 0 in East Atlantic Ocean).

No Data For You! Smart Yet Dumb And Dumber. (2009-present)

This variant shows up at random and I’m not entirely sure just what it is. It does appear, however, to be the first variant I’d seen that was actually smart enough to properly fake the SID and coordinates of the host site. However, one thing it seems to noticeably do wrong is that it will not relay a site’s wildly incorrect position!! If it’s put up near a host site that would otherwise report 0,0 or something equally dumb, IT WILL ACTUALLY TRANSMIT ITS OWN LOCATION OVER THE AIR!!! Usually, it neatly reveals itself as being run out of a parked van. Its behavior if deployed out of range of host networks is unknown to me.

Noticeable symptoms: On some handsets, CONSTANT “Data Call Failed…” messages. Others suppress these messages as they’re like the worst game of whac-a-mole. Mobile data connections may work momentarily, but will usually cut off before you can do anything useful. Text and voice still work. Presumably, this is also the first IMSI catcher that does not break 911/emergency calls AND tries its damn best to provide valid geographical info for E911/GPS assist — it’s… the kinder, gentler IMSI catcher.

Monkey In The Middle – Nice try, log it on off. (2010-present)

This one is actually smart enough, so it seems, to pass through some mobile data with manipulation. However, the data it sends is completely corrupted bunk and causes applications to log out and crash. As this happens, the flow of useful information and traffic from the device slows to a crawl or stops entirely. This one seems to destroy SSL sessions in most cases but doesn’t affect unencrypted connections (may sniff traffic?).

Noticeable symptoms: Applications fail. No “data call failed” message, traffic flows okay, but nothing can usefully communicate or log in. Voice tends to suffer dropouts. SMS ok. Location of host tower is relayed including invalid tower locations. Randomized bunk SID.

The Blip (2006-present) – Blink and you miss it

This one is really, REALLY hard to figure out. See, with Sprint, so much is utterly and completely broken that it’s hard to tell if you’re looking at manipulation or just the network’s inherent brokenness.

Noticeable symptoms: Very brief dropout/stall in voice or data calls. Infrequent. Weird SID seen in logging tools.
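As an added example (not the post’s code and not AIMSICD), here is a small Python check that runs the three observable tells from the variants above over a constructed CDMA site log: an SID outside the usual set, a site reporting 0,0, and a cloned SID/BID broadcasting a position that doesn’t match the real host. The log layout, the baseline sites and every coordinate are made up.

```python
import math

# Constructed baseline of (SID, BID) -> advertised position; (4120, 22) is a host site
# that normally broadcasts the bogus 0,0 position mentioned in the post.
KNOWN_SITES = {(4120, 17): (25.7814, -80.1870), (4120, 22): (0.0, 0.0)}
KNOWN_SIDS = {sid for sid, _ in KNOWN_SITES}

def parse_line(line):
    """Parse 'ts,sid,nid,bid,lat,lon' (assumed layout) into a dict."""
    ts, sid, nid, bid, lat, lon = line.strip().split(",")
    return {"ts": ts, "sid": int(sid), "nid": int(nid), "bid": int(bid),
            "lat": float(lat), "lon": float(lon)}

def approx_km(a, b):
    """Equirectangular distance in km; good enough for few-km drift checks."""
    dlat = math.radians(b[0] - a[0])
    dlon = math.radians(b[1] - a[1]) * math.cos(math.radians((a[0] + b[0]) / 2))
    return 6371.0 * math.hypot(dlat, dlon)

def check_reading(r, max_drift_km=2.0):
    """Return the symptom names one reading trips (empty list if it looks normal)."""
    alerts = []
    known = KNOWN_SITES.get((r["sid"], r["bid"]))
    pos = (r["lat"], r["lon"])
    if r["sid"] not in KNOWN_SIDS:
        alerts.append("oddball SID")              # Heat Special, Monkey In The Middle
    if pos == (0.0, 0.0) and known != (0.0, 0.0):
        alerts.append("null location 0,0")        # Heat Special
    if known == (0.0, 0.0) and pos != (0.0, 0.0):
        alerts.append("real position from 0,0 host")  # No Data For You
    elif known and approx_km(known, pos) > max_drift_km:
        alerts.append("site position moved")      # cloned SID/BID at a different place
    return alerts

def scan_log(lines):
    """Map each timestamp that trips a check to its alerts; clean readings are omitted."""
    flagged = {}
    for line in lines:
        r = parse_line(line)
        alerts = check_reading(r)
        if alerts:
            flagged[r["ts"]] = alerts
    return flagged

SAMPLE_LOG = [  # constructed, not a real capture
    "12:00:01,4120,1,17,25.7814,-80.1870",  # normal host site
    "12:01:10,31337,1,5,0.0,0.0",           # random SID, no location
    "12:02:30,4120,1,22,25.7900,-80.2100",  # 0,0 host now broadcasting a real spot
    "12:03:45,4120,1,17,25.8300,-80.1900",  # same SID/BID, several km off
]
```

A real baseline would be built from days of quiet readings on your own handset; the point is that a single reading gets compared against what that SID/BID has advertised before, not just against a list of “good” SIDs.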