In 2012, the Wall Street Journal first reported on a mysterious cellphone surveillance tool being used by law-enforcement; years later, we learned that the origin of this report was an obsessive jailhouse lawyer who didn't believe that the cops had caught him the way they said they had.



It turned out that law enforcement across America had been secretly buying and using a location-tracking cellphone surveillance tool from the Harris Corporation, which called the device a "Stingray." The Stingray — shrouded in secrecy — was the first know "cell site simulator": a fake cellphone tower that tricked nearby phones into connecting to it briefly in order to capture their unique identifiers.





As the years went by, we learned more about this form of surveillance, including disclosures about the existence of more powerful CSSes with wider features — including Drtboxes, which are affixed to the underside of planes or drones and used to capture citywide location/identity data from millions of phones.





CSSes remain shrouded in mystery. None of the police agencies that use them will describe their capabilities — they seem to have been bound by nondisclosure agreements — and the companies jealously guard the details of how they work. Thanks to leaks and diligent work by independent researchers, we have a fragmentary record of what these devices do, which defects in mobile phone standards they exploit, and what avenues we might pursue in order to avoid being caught by them (at least 40 CSSes of unknown origin were discovered to be in operation in DC in 2018; many presume that they are being operated by hostile foreign powers).





Now, the Electronic Frontier Foundation's Threat Lab has published

Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks, a plain-language, soup-to-nuts guide to CSSes that organizes and explains everything that is in the public record about CSSes (including the fact that we don't have any effective way to reliably detect them or prevent our phones from connecting to them).





It's not a pretty picture, but it is an accurate one. The fact that our phones are so insecure should be alarming to everyone, because the capabilities that the police are exploiting today aren't always used wisely or proportionately, and because these same tactics will be used by totalitarian governments, hostile foreign powers, organized crime, and, eventually, petty criminals and stalkers. EFF's guide is a wakeup call to governments, the security community, law enforcement, and technologists — to say nothing of the billions of people who use insecure mobile phones every day.

The intersection of cell networks, security, and user privacy has historically not been an accessible field, but that's slowly changing. Each year there is more research in this field being published and open source projects (such as srsLTE) that enable this research are improving dramatically—and more people are starting to question why more work isn't being done to fix these issues. Cell network security is broken in some pretty fundamental ways. It's up to all of us over the next few years to demand lawmakers pay closer attention to the issue, and to put pressure on standards groups, carriers, network operators, and vendors to make necessary improvements. Together, we can protect and defend users' privacy.



Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks

[Threat Lab/EFF]