Stung by the Stingray?

This is an old draft I had sitting around and is probably relevant only to cellular technology mostly extinct in the wild, but some may remain applicable.

The tools I used to view the site locations included AIMSICD which may not be in active development anymore.

Part two of Urban Police State Week!

Note: This is very CDMA-centric. CDMA is used by Verizon and Sprint. Only reason for this? I don’t have a GSM phone. Sorry!

Welcome to the creepy, mysterious, bizarre world of covert wireless phone surveillance.

Stingray 1 and 2 - from Ars Technica
Stingray 1 and 2 – from Ars Technica

Please note that even though I’m using the name “Stingray” here, there are a lot of different devices, apparently — some obsolete, some completely mysterious… What’s common to all of them is that little to no documentation on them has been made public. For quite a while the FBI wanted these entirely secret, but now they’re starting to waffle on their policies since evidence of illegal warrantless surveillance by local law enforcement agencies has leaked.

Here’s a late 2013 article on the devices – this predates widespread LTE rollout on Sprint, so there may be new stuff in place (as I may have personally observed, if I can make sense of these damn tcpdump captures).

Anyway… “Stingray” is kind of vague. It appears to be software upgradeable to gain different capabilities. Its most basic functionality is as an IMSI catcher – it mimics a valid cell site momentarily with a good strong signal, and it causes phones to try to register with it. When the do, it logs their IMSI number, which is a unique hardware ID. It appears that there’s another component or two of the system that can perform radio direction finding to track down a single user, likely in conjunction with traffic being used to fake the handset into transmitting a lot.

So here are my personal observations of devices that have been used around here in South Florida. Since I do not, and probably never will, know what actual devices or software versions are in use I’m gonna make up my own stupid classification system! Bear with me now, my writing style is unique and silly.

The Miami Heat Special – Primitive, Clear As Mud!! (2008 – 2013)

This one first showed up intermittently during Miami Heat games leading up to the NBA playoffs before finally just coming online during almost any major event at the American Airlines Arena in downtown Miami.
Range: Short. Only covers a block or two around the west side of the AA Arena. Exact deployment location unknown, but unscientifically narrowed down to Marina Blue, possibly in a nearby vehicle.

Noticeable behavior on user handset: Almost nothing works! Phone calls will drop whenever the IMSI catcher wakes up, every minute or so. Mobile data connections drop out (“Data Call Failed” messages possible). Outgoing SMS tends to get lost without a trace. Symptoms seem almost identical to severe network overload – HOWEVER, if you look at the SID, it will be an oddball one that never appears otherwise. It seems like a random SID got picked out of a hat each time this one is deployed. Unit reports no location or bad location (0, 0 in East Atlantic Ocean).

No Data For You! Smart Yet Dumb And Dumber. (2009-present)

This variant shows up at random and I’m not entirely sure just what it is. It does appear, however, to be the first variant I’d seen that was actually smart enough to properly fake the SID and coordinates of the host site. However, one thing it seems to noticeably do wrong is that it will not relay a site’s wildly incorrect position!! If it’s put up near a host site that would otherwise report 0,0 or something equally dumb, IT WILL ACTUALLY TRANSMIT ITS OWN LOCATION OVER THE AIR!!! Usually, it neatly reveals itself as being run out of a parked van. Its behavior if deployed out of range of host networks is unknown to me.

Noticeable symptoms: On some handsets, CONSTANT “Data Call Failed…” messages. Others suppress these messages as they’re like the worst game of whac-a-mole. Mobile data connections may work momentarily, but will usually cut off before you can do anything useful. Text and voice still work. Presumably, this is also the first IMSI catcher that does not break 911/emergency calls AND tries its damn best to provide valid geographical info for E911/GPS assist — it’s… the kinder, gentler IMSI catcher.

Monkey In The Middle – Nice try, log it on off. (2010-present)

This one is actually smart enough, so it seems, to pass through some mobile data with manipulation. However, the data it sends is complete corrupted bunk and causes applications to logout and crash. As this happens, the flow of useful information and traffic from the device slows to a crawl or stops entirely. This one seems to destroy SSL sessions in most cases but doesn’t affect unencrypted connections (may sniff traffic?).

Noticaeble symptoms: Applications fail. No “data call failed” message, traffic flows okay, but nothing can usefully communicate or login. Voice tends to suffer dropouts. SMS ok. Location of host tower is relayed including invalid tower locations. Randomized bunk SID.

The Blip (2006-present) – Blink and you miss it

This one is really, REALLY hard to figure out. See, with Sprint, so much is utterly and completely broken that it’s hard to tell if you’re looking at manipulation or just the network’s inherent brokenness.

Noticeable symptoms: Very brief dropout/stall in voice or data calls. Infrequent. Weird SID seen in logging tools.

OH NO NOT THE BLOCK EDITOR

everything’s all updated and happy and fresh on the server now but oh no i got the wordpress block editor because i forgot to re-enable the classic editor plugin thanks i hate it

also I apparently get enough traffic or something that if I turn off akismet I get big flowery comment spam at a rate of about 0.2 hz, WOW!!! they like me! they really really like me—- or something

Coming up next, Error. Error error pungent burning smell fnord

Sometimes things just hit the wall behind the scenes but the show must go on. In this post… Teleprompter Troubles!

At some point an executive decision was made that we need to not have a prompter operator and instead the people on set should control the prompter’s scrolling. These dumb “gas pedal” controllers were installed at great effort (like, long runs of Ethernet and USB Ethernet extenders had to be installed) and it worked for, oh, about a day.

Then it started just running away

I found the problem. Springs. Why did it have to be springs?

Why I wish I never had to— oh no wait no I’d better not do that!

Noooooo springs! Heh heh heh

The coil spring around the pot shaft that returns it to zero when you let go of the pedal, which has two springs to pop itself back up, was binding up and causing the pot not to return. I coated the pot spring with grease to fix it, and coated the pedal springs as well to eliminate loud crunching sounds that’d get into Tina’s mic because she prefers to leave the pedal on the desk and press it with her hands. This worked fine and left Tina to concentrate on things like presenting the news and making adorable snack handbags for hamsters. You think I’m kidding?

Please stand by, your engineer is trying to avoid death by laughter

A few days after I’d gotten rid of the pedal problems, the system just seemed to be hitting the wall completely with increasing frequency and vigor. First it started occasionally losing the pedals; the USB com port devices would vanish and that pedal would lose control. If it had been pressed when it happened the scroll would run away unrecoverably and you’d just have to exit and restart. On one of its more spectacular crashes it pissed off the QBox, which crashed. I power cycled it and it didn’t come back with video. Show-stopping oopsie…

This particular system from Autocue uses two parts. A Windows based PC reads the stories out of Avstar/INews or a text file and provides the user interface, and the QBox generates the actual video for the monitors.

The QBox is a Mini-ITX computer in a solid little metal box with a handle on it. It boots Linux out of a weird solid state disk module in the ATA socket and there’s a strange little three port video distribution amp bodged onto the composite video out connector from behind. I added a fan, it originally didn’t have one.

I got very anxious seeing one popped capacitor right away but that didn’t seem to be holding it back.

The issue was just a dead CMOS battery and lost settings.

Press F1 on *what exactly*?

After the machine going to fsck itself a minute, it came right back.

Been a hot minute since they’ve called it /dev/hda. I was there, man… I saw things… I even ran 2.4.15-greased-turkey on Thanksgiving day…

Then it just started crashing entirely, which was new and awful. On Friday it decided it was done for good and would not last through an entire show, so I started trying to get a backup image of the system to run on a newer computer. Cue four hours of massaging the drivers into Windows including loss of the USB controller entirely and having to dig up PS2 input devices….

So why did this thing put us through such acrobatics?

I opened up the PC in the control room and was greeted by this.

The SMSC chip is a “Super I/O” that lives on the pci bus and priovides serial, parallel, SMbus, GPIO, and a lot of other interface functions. Adjacent to it is an Intel chipset debug/jtag port with no connector soldered to it, just lots of corrosion. I don’t know what the substance is. I don’t want to know. It didn’t smell like anything and was pretty much solid like cement. Ew.

The other contestant earlier in the week was the WSI Max weather workstation. It’d been getting flakier and flakier for months and is due for replacement, just not soon enough.

did that buttmunch just lose one of its

Long story short, the video card was rotting out. I suspect the capacitors in the buck converter at the end of the card are failing as it basically ran just fine until you made the system render graphics at which point it’d just start melting down with weird memory looking issues.

This is a 12 gig Quadro card that originally cost over $4000

In the end this was one of those “this system is discontinued, out of support, out of warranty, go source your own parts and pound sand” cases so I put an old Quadro 5600 card we had as a spare from an older generation of WSI system into the traffic computer that only renders things in 2D and liberated its monster card too revive the weather machine that does 3d…..

… just in time for us to get an ugly new graphics package company-wide with terrain that looks like dirty crumpled paper. Ewwwww!!

At least engineering can go home.

The hell was THAT?

At 06:15:06Z the MySQL server on this host shut down. When it came back up, it didn’t recognize the password for my database user.

 

Going back in there and resetting the password restored everything.

 

There are… pretty much no clues as to what happened in there. I’m not seeing any signs of intrusion or anything (for once!)… I’m thinking…. gremlins.

 

Carry on then.

Y A W W W W N N N N