Are you being pursued by a stingray?

Are you being pursued by a stingray?

This time, you might be safe only while swimming in deep waters

Stingrays are being sighted in a number of notable locations – London, Washington DC, Hamburg Germany as just three examples – and it is not clear who is doing the snooping on people’s online activities.

Stingrays are fake telecommunication towers. They jump in the middle of an online exchange; fool the phone into routing the message through them, and only then pass the message on to a nearby official telecommunication tower. And as they reroute this communication, they can identify the individual phone, its location, read text messages, and eavesdrop on the entire conversation.

If this activity was done by cybercriminals, we would call it a man-in-the-middle attack. But since these devices are usually operated by government security agencies – and their operation is usually – but not always — legal and approved by the courts, we won’t.

How intrusive do you want your IMSI catcher?

The devices are commonly called Stingrays as that’s the name of one of the most common brands on the market. Otherwise they are known as cell-site simulators (CSS) or IMSI catchers. IMSI – pronounced something like MC Hammer – stands for International Mobile Subscriber Identity. This unique number is located on the SIM card of your device and is used by the telecommunication network to identify your device as it routes your call to the nearest communication towers and on to its final location.

Are you being pursued by a stingray? - in-post
Stingray device ready to go mobile

IMSI catchers come in two basic flavors – passive and active. Passive means that the device primarily records the traffic going by and does not try to unencrypt or alter the contents. Active devices can do much, much more including blocking selected numbers, altering message contents, and bumping telephone traffic to a lower-level unencrypted network where conversations can be easily listened to.

Yes, they probably have your number

IMSI catchers are used throughout the US, in Britain, Ireland, and even privacy-conscious Germany. Chances are, if you have ever been near a protest or walked in the center of Washington DC, your presence has been recorded by a IMSI catcher. In the first half of 2017, as one example, German authorities used IMSI catchers over 50 times including at the G20 Summit in Hamburg.

Your privacy rights have just been vacuumed up by a Stingray

The big issue with IMSI catchers isn’t their targeted use against the bad guys, it’s the near indiscriminate sucking up of data on everyone in their path. This is especially a civil liberties issue in the US where the 4th amendment to the Constitution includes right of the people to be secure against unreasonable searches. If the police want to search your home or wallet, for example, they need to first convince the judge that there is probable cause so he can issue a warrant. But with IMSI catchers, the process seems to be reversed by the authorities first collecting the data, and then getting justification for a more detailed continued search. As a general rule, government agencies – at least in the US and the UK – conceal their use of IMSI catchers. Their unwillingness to identify the sources of information on a suspect’s activities or location has led to some cases being thrown out by the court.

In Europe, the quiet over IMSI catchers is deafening – especially after the fuss over GDPR and private data. As shown by their use in Germany, they can record precisely who is at a protest and where they are. While companies may be restricted in their ability to collect data on private individuals, the government seems to be in a different position.

Everybody (on the security forces) has one

Given this opportunity to find the bad guys, their friends, and their precise location; IMSI catcher technology is quite popular with security forces around the globe – including some connected with oppressive regimes. As the technology has gotten more advanced, it’s gotten smaller and more portable. What used to take a van with a huge antenna on top can now be carried around in a briefcase. The technology has also gone airborne with authorities in the United States placing IMSI catchers in airplanes or drones and collecting data over urban areas.

While the use of IMSI catchers is believed to be ubiquitous – but almost no one is talking about specifics. Thanks to the aggressive use of non-disclosure agreements between Harris – makers of the ever-popular Stingray devices – and their clients, it is impossible to get an accurate estimate of the countries where Harris markets these devices, the number of devices in use, or the names of the individual agencies using them.

Surveillance is getting more affordable for the good and the bad guys?

Both the good and the bad guys can buy their way into the latest IMSI technologies – and the costs are falling. From the official side, a fully-loaded professionally-manufactured device can cost upwards of 100,000 Euro. For the DIY market, the estimated costs to build a basic device is just 1,200 Euro. Directions for building some devices are even posted on Github. In addition, there are YouTube videos explain how to make your own passive IMSI collection device for less than 10 Euro.

Operating the device is a separate legal issue. In general, using a full-fledged device would require permission from the authorities as it is potentially interfering with phone transmission networks. And is it legal to passively collect and retain IMSI numbers? But then, how many hackers bother asking for permission?

No IMSI hammer for now

Uncovering an IMSI catcher use is difficult – but possible. Most detection technologies attempt to identify anomalies or communication towers frequently switching networks. Yes, there are even DIY detectors you can build and apps to install on your android phone – but they are a work in progress. So in the meantime, if you think you are having a nice, private conversation on the phone – forget about it.

This post is also available in: GermanFrenchItalian

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.