Catching the catchers

October 13th, 2014

This article was authored by Stefan Hammond, and was originally posted on

We expect seamless connectivity with our portable mobile devices. We rarely give it a thought…unless the cute little icon on our smartphones’ menu bar drops from 4G to 3G, then we furrow our collective brow until it switches back.

We switch from one mobile access point to another as we move about. But what if your phone latches onto an IMSI-catcher: a bogus access point that intercepts transmissions from a handset? Could that happen?

“Essentially a ‘fake’ mobile tower acting between the target mobile phone(s) and the service provider’s real towers, it is considered a Man In the Middle (MITM) attack, and is usually undetectable for the users of mobile phones,” says Wikipedia. “IMSI-catchers are used in some countries by law enforcement and intelligence agencies, but based upon civil liberty and privacy concerns, their use is illegal in others.”

Ukrainian phonejacking
Sounds paranoid? It’s already happened. In January, an article from Ars Technica reported that Ukrainians protesting Ukrainian President Viktor Yanukovych saw the following text message appear on their smartphones: “Dear subscriber, you are registered as a participant in a mass disturbance.”

This sounds like the work of individuals who’d set up an IMSI-catcher, and it was (such devices are often called “stingrays” – more about that later). But according to the New York Times, a Ukrainian court formally ordered a telephone company to hand over location data from cellphones near the demonstration to pinpoint people for political profiling. Sometimes, the difference between hacker-activity and government-activity is a fine line.

Privacy groups have been fighting stingray surveillance for years. But why are IMSI-catchers often known by the generic term “stingray”?

According to a 2012 article by the Electronic Frontier Foundation, Stingray is the brand name of an IMSI-catcher made by US-based Harris Corporation which is targeted and sold to law enforcement. A Stingray (the Harris-made unit) works by masquerading as a cell phone tower – to which your mobile phone sends signals every 7 to 15 seconds whether you are on a call or not – and tricks your phone into connecting to it, said the EFF.

According to Wired magazine, Harris builds Stingray and Stingray II units that are designed to emit a signal stronger than nearby cell phone towers in order to force phones in the vicinity to connect to them.

Some stingrays have the ability to collect content as well, although what precisely is being collected (and by whom) is a mystery. Wired wrote: “A non-disclosure agreement [between US] police departments [and] the maker of a cell-phone spy tool explicitly prohibits the law enforcement agencies from telling anyone, including other government bodies, about their use of the secretive equipment, according to one of the agreements obtained by an Arizona journalist.”

This is likely a violation of the USA’s Fourth Amendment unreasonable search and seizure laws, but in these post-Snowden times, is that unexpected?

War-driving in Washington
In a September article, the Washington Post reported on a drive around the US capital intended to sniff out IMSI-catchers. Aaron Turner, chief executive of mobile security firm Integricell, used a modified Samsung Galaxy SIII to search for stingrays – the handset is made by Berlin-based GSMK and marketed Stateside by ESD America as the GSMK CryptoPhone 500.

According to GSMK’s Web site: “All GSMK CryptoPhone secure mobile phones are based on a ‘hardened’ operating system with granular security management and streamlined, security-optimized components and communication stacks.” ESD America’s product brochure adds that the OS is customized Android, with baseband firewall, configurable OS security profiles, and an encrypted storage system as standard features in their US$3,500 handset.

“Interceptor use in the US is much higher than people had anticipated,” said ESD America CEO Les Goldsmith in a Computerworld article. Goldsmith conducted testing on his company’s “baseband firewall” while driving by an unnamed government facility in the Nevada desert that runs an interceptor. “As we drove by, the iPhone showed no difference whatsoever,” he said. “The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree.”

“What we find suspicious is that a lot of these interceptors are right on top of US military bases,” said Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”

Known unknowns
Devices like the Stingray sport macho titles as they’re pitched to US government agencies and law enforcement. The VME Dominator (“a real time GSM A5.1 cell phone interceptor”) from US-based Meganet Corporation ratchets up the stakes. According to the firm’s Web site, the device “can fit inside a small suitcase” and uses “a proprietary technology allowing you to intercept, block, follow, track, record and listen to communications.”

“It cannot be detected,” says the Meganet site. “It allows interception of voice and text. It also allows voice manipulation, up or down channel blocking, text intercept and modification [and] calling & sending text on behalf of the user.”

However, “pursuant to Federal law at 47 U.S.C. 302a, this product is available only for use by the Government of the United States or any agency thereof.” But if Snowden’s taught us anything, it’s that these agencies thereof are not always as scrupulous as perhaps they ought to be.

Drones and catcher-catchers
Various governments may have their reasons for sniffing data from handsets, but as is often the case, technology developed for government use finds its way into the hands of citizens.

Just look at drones: a technology pioneered for military use but now used to make unique videos—like this one depicting Hong Kong’s nightscape during recent events.

Drones can document scenery, but can also be used to snoop. Unauthorized base stations, whether government-sponsored or not, seem exclusively aimed at the latter. While equipment like the CryptoPhone (IMSI-catcher catchers) is available, some question whether a modified handset is an adequate tool against such technologies.

For example, “I would bet money that there are governments that are spying in [Washington] DC,” said Christopher Soghoian, principal technologist for the ACLU, who has written extensively on the use and abuse of IMSI-catchers. “Whether you can detect that with a $3,000 device, I don’t know,” says Soghoian in the Washington Post article.

I don’t know either. But I do know this: the densely populated and highly smartphone-penetrated cityscapes of Asia are ripe for exploitation by IMSI-catchers.

Years ago, “war-driving” through the streets of Hong Kong revealed unsecured wi-fi networks. And today, an Android app is in the works. The app seems to be designed to act like a CryptoPhone and sniff out IMSI-catchers.

Perhaps it’s time for some of Asia’s switched-on tech guys to head out with some detection equipment and see what is, or is not, out there.
