Government's Use of Spoofed Cell Towers Under Fire As is Verizon Wireless's Aid Of Such Practices The ACLU recently uncovered heavy government use of devices known as "stingrays," which allow law enforcement to trick a user's cell phone to connect to a spoofed device instead of a tower for the purposes of data collection. As Wired explores, the Department of Justice is under fire for using these devices without informing Judges about either the devices, or the fact they could collect data from uninvolved third parties.

quote: At issue is whether law enforcement agents invaded Daniel David Rigmaiden’s privacy in 2008 when they used a so-called stingray to track his location through a Verizon Wireless air card that he used to connect his computer to the internet. Also at issue is whether a warrant the government obtained from a judge covered the use of the stingray and whether the government made it sufficiently clear to the judge how the technology it planned to use worked. Over the course of a three-hour hearing in the U.S. District Court in Arizona, Rigmaiden, 31, asserted that the warrant the government obtained only authorized Verizon Wireless to provide agents with data about the air card but did not authorize agents to use the invasive stingray device. He also asserted that Verizon Wireless “reprogrammed” his air card to make it interact with the FBI’s stingray, something that he says was outside the bounds of the judge’s order. This of course wouldn't be the first time that carriers went well above and beyond normal legal process (sometimes to the point of It's a classic man in the middle attack with the government as the man in the middle, and it requires carrier help to pull off. As such, Verizon Wireless is also accused of going above and beyond normal subpoenas to actually modify user gear so they connect to these spoofed towers:This of course wouldn't be the first time that carriers went well above and beyond normal legal process (sometimes to the point of breaking the law ) to win favor with law enforcement -- and in turn regulators and politicians. In most of these instances government adherence of the law is a distant afterthought, your privacy is the primary casualty, and the details of legal abuse only come to light years after the fact.







News Jump Europe's Top Court: Net Neutrality Rules Bar Zero Rating; ViacomCBS To Rebrand CBS All Access As Paramount+; + more news Verizon To Buy Reseller TracFone For $7B; 5G Not The Competitive Threat To Cable Many Thought It Would Be; + more news MS.Wants Records From AT&T On $300M Project; Google Fiber Outages In Austin, Houston, Other Texan Cities; + more news States With The Biggest Decreases In Speed; AT&T Hopes You'll Forget Its Fight Against Accurate Maps; + more news AT&T's CEO Has A Familiar $olution To US Broadband Woes; EarthLink Files Suit Against Charter; + more news 5G Doesn't Live Up To Hype, AT&T's 5G Slower Than Its 4G; Cord-Cutting Now In 37% of Broadband Households; + more news FCC Cited False Broadband Data Despite Warnings; ZTE, Huawei Replacement Cost Is $1.87B, But Only $1B Allocated; + more Cogeco Rejects Altice USA's Atlantic Broadband Bid; AT&T Is Astroturfing The FCC In Support Of Trump Attack; + more news Big CBRS Auction Winners: Verizon, Windstream, Dish, Cablecos; Altice USA makes play for Atlantic Broadband; + more news Verizon, SpaceX, CenturyLink, Charter Among RDOF Bidders; Streaming 1st Choice For 50% Of Viewers: What Now? + more news ---------------------- this week last week most discussed view:

topics flat nest

S_engineer

Premium Member

join:2007-05-16

Chicago, IL S_engineer Premium Member Geez... Verizon should use this in one of their ads......

"Can you bust me now?" Crookshanks

join:2008-02-04

Binghamton, NY Crookshanks Member Mr. Rigmaiden needs better expert witnesses.... quote: Rigmaiden maintains that in order for the stingray to be able to collect location data from his air card, Verizon Wireless had to write data to the air card consisting of identifying information for the FBIs emulated cell sites as well as make configuration changes that would cause the air card to recognize the FBIs emulated cell tower as an authorized tower for providing service and cause the air card to attempt connections to the emulated tower prior to attempting connections with actual Verizon Wireless towers. Verizon's cooperation would not be required in this instance. So long as the "stingray" is broadcasting the appropriate SID any nearby Verizon Wireless device is going to prefer it over more distant cell sites with weaker signal. quote: The FBI technical agents needed Verizon Wireless to write data to the aircard in this manner because the aircards properly configured Preferred Roaming List prevented it from accessing rogue, unauthorized cell sites Not if the "unauthorized" cell site is masquerading as a legitimate one. The PRL doesn't list towers, it lists system/network IDs, and priority frequencies to scan for service when the phone is cold booted. The "stingray" likely behaves just as a femtocell does, broadcasting on the exact same frequencies as the macro cellular network. No PRL modification would be necessary. Hell, a system that depended on PRL modifications would be useless for 3G devices, since the user controlled (via *228) when they would pull such an update, and most aren't proactive enough to bother. Verizon's cooperation would not be required in this instance. So long as the "stingray" is broadcasting the appropriate SID any nearby Verizon Wireless device is going to prefer it over more distant cell sites with weaker signal.Not if the "unauthorized" cell site is masquerading as a legitimate one. The PRL doesn't list towers, it lists system/network IDs, and priority frequencies to scan for service when the phone is cold booted. The "stingray" likely behaves just as a femtocell does, broadcasting on the exact same frequencies as the macro cellular network. No PRL modification would be necessary. Hell, a system that depended on PRL modifications would be useless for 3G devices, since the user controlled (via *228) when they would pull such an update, and most aren't proactive enough to bother. CXM_Splicer

Looking at the bigger picture

Premium Member

join:2011-08-11

NYC 1 edit CXM_Splicer Premium Member Re: Mr. Rigmaiden needs better expert witnesses....



The biggest problem with a MITM attack on cellphones is when the target phone is connected to the rogue cell site, they cannot get any incoming calls. Outgoing calls can be routed through an alternate path but, unless Verizon gives you a connection to their switch, incoming voice, email, text will not be intercepted.



EDIT:Rogue not Rouge! Sometimes even with spell check these things happen. This is true but would would have ALL Verizon cellphones in range connecting to the Stingray. Obviously a warrant wouldn't allow that. The PRL modification would set the target's phone to look for the Stingray (on a separate network) first and a Verizon network second. That would prevent any other Verizon user in the area of the Stingray from connecting to it. What you talk about is possible though and is done by hackers every now and againThe biggest problem with a MITM attack on cellphones is when the target phone is connected to the rogue cell site, they cannot get any incoming calls. Outgoing calls can be routed through an alternate path but, unless Verizon gives you a connection to their switch, incoming voice, email, text will not be intercepted. Crookshanks

join:2008-02-04

Binghamton, NY Crookshanks Member Re: Mr. Rigmaiden needs better expert witnesses.... said by CXM_Splicer: This is true but would would have ALL Verizon cellphones in range connecting to the Stingray. Obviously a warrant wouldn't allow that.

And? As long as they are just passing the traffic there really isn't an issue here. Internet wiretaps are going to "see" every packet passing the wire, they just use filters to limit the ones they actually capture. No difference here. CXM_Splicer

Looking at the bigger picture

Premium Member

join:2011-08-11

NYC CXM_Splicer Premium Member Re: Mr. Rigmaiden needs better expert witnesses.... Well the analogy is actually more like spoofing the Internet, it is not a traditional MITM attack or a simple eavesdropping; the traffic is only one way. I highly doubt (technical impossibility aside) that the FBI would spoof the Internet for a 1-2 block radius so that everyone in that radius is actually sending data to the FBI instead of the Internet. It is much easier to redirect only the target's DNS address to the FBI so that they are spoofed but no one else is.



I honestly don't know how they are operating and I wouldn't say they are beyond what your are describing but the way the article is describing it is more 'efficient' and less intrusive. If they have Verizon's cooperation in reprogramming the phone i don't see why it wouldn't happen that way. Crookshanks

join:2008-02-04

Binghamton, NY Crookshanks Member Re: Mr. Rigmaiden needs better expert witnesses.... To the best of my knowledge a PRL update can't be forced with a 3G phone. It can only be requested by the phone itself during initial provisioning and/or PRL updating (via *228 on VZW, other codes on different carriers). 4G devices work differently of course.



Anyway, they aren't using this for wiretapping, they could just as easily do that using the lawful intercept technology built into the telco switch. They're using this to triangulate the location of a mobile device faster than they otherwise could. It's not really a MITM attack as they are classically understood and aren't any real any privacy concerns if an "innocent" phone connects to their base station.



Also, they don't "spoof" the internet to wiretap someones internet connection, but they do monitor at the network edge, and by definition that means innocent packets will also be passing through the dragnet. So long as they don't monitor/record those packets there isn't a problem

PhoneBoy

Google "No Agenda"

join:2002-01-02

Gig Harbor, WA PhoneBoy Member Please tell me this is an April Foolks joke Sad thing is, I know it isn't. It's just par for the course.

n2jtx

join:2001-01-13

Glen Head, NY n2jtx Member Data Plan I guess if you do not have a data plan or do not use it (I don't use my Sprint data plan) then this particular option does not work. In that case, they need to set up spoofed public WiFi hotpots.

FifthE1ement

Tech Nut

join:2005-03-16

Fort Lauderdale, FL FifthE1ement Member Re: Data Plan said by n2jtx: I guess if you do not have a data plan or do not use it (I don't use my Sprint data plan) then this particular option does not work. In that case, they need to set up spoofed public WiFi hotpots.





5th Who cares why how they are doing it, the real question is why? And spoofing WiFi hotspots is even easier than the cellphones. I can create (spoof) a McDonald's, etc WiFi with my phone easily. And then all the data going through can be spied on. It shouldn't be but can and that is the whole point.5th

IowaCowboy

Supermarket Hero

Premium Member

join:2010-10-16

Springfield, MA ARRIS SB6183

Netgear R8000

IowaCowboy Premium Member Prepaid phones A lot of prepaid phones can be activated anonymously without providing a name or SSN.



I'm sure the drug dealers are using prepaid phones to transact their dirty work. Back in the old days they used pagers and the police departments asked the phone company to switch the pay phones in high crime neighborhoods to pulse tone dialing so the pager systems would not recognize the touch tones.



The only way this form of spying is going to work is to pass a law requiring telecom companies to record and verify the identities of individuals who open a line of service like banks do when you open an account.



The only ones who are going to get scrutinized are law abiding citizens like myself as I have a contract plan with VZW which requires me handing over my personal information to VZW.



The drug dealers are going to use prepaid phones that don't require handing over personal information to activate service.



I know all this stuff because I like to watch Cops. I also know a few active and retired law enforcement officers. Wilsdom

join:2009-08-06 Wilsdom Member Re: Prepaid phones Tower spoofing will grab the prepaid users' conversations too. Many countries do require prepaid phones to be registered, so the US will eventually follow their example since they are "more civilized" than us, but really we're at the point where signal tracking and voice identification can provide total surveillance.

OSUGoose

join:2007-12-27

Columbus, OH OSUGoose Member Re: Prepaid phones Funny the AT&T GoPhone and Boost Mobile I've bought BOTH required the same info as if a contract phone.

FifthE1ement

Tech Nut

join:2005-03-16

Fort Lauderdale, FL FifthE1ement to Wilsdom

Member to Wilsdom

said by Wilsdom: Tower spoofing will grab the prepaid users' conversations too. Many countries do require prepaid phones to be registered, so the US will eventually follow their example since they are "more civilized" than us, but really we're at the point where signal tracking and voice identification can provide total surveillance.





5th You said that to start a flame war, no? More civilized? Is rioting in the street and destroying property daily civilized (Greece), is taking 75% of a person's hard earned wage civilized (France), I can go on and on and on and on and on and on... ETC! There is a reason most of those "civilized" you call them would sell their first born to come to the United States! Maybe you could pack up and make room for them! Sound good?5th rradina

join:2000-08-08

Chesterfield, MO rradina to IowaCowboy

Member to IowaCowboy

Switching pay phones to pulse dialing -- did that actually work? The pager system will respond to the tones if you can generate them -- regardless of whether or not pay phone can generate them.

jjoshua

Premium Member

join:2001-06-01

Scotch Plains, NJ jjoshua Premium Member Unauthorized spectrum use Is anyone saying that it's ok for the government to use licensed spectrum without authorization?



Otherwise, Verizon would have to give authorization in any case and this would demonstrate their willingness to bend over backwards to help the government.

seamore

Premium Member

join:2009-11-02 seamore Premium Member nothing Like i said before, there's absolutely nothing that we can do about things like this. NOTHING! MaynardKrebs

We did it. We heaved Steve. Yipee.

Premium Member

join:2009-06-17 MaynardKrebs Premium Member Re: nothing www.silentcircle.com

morbo

Complete Your Transaction

join:2002-01-22

00000 morbo Member Re: nothing Interesting, but how is this any different from other companies that are required to build in back doors for easy government agency access? Just like the other companies, they cannot say that they have this back doors to the data, yet all the backdoors exist and the encrypted calls are all routed through Verizon and AT&T's backbone connection to the NSA.



Privacy is an illusion. Kearnstd

Space Elf

Premium Member

join:2002-01-22

Mullica Hill, NJ Kearnstd Premium Member Re: nothing seems like the reason other nation's governments are looking to migrate completely to Linux. They know the US government wants back doors and will not take that risk with their own government computers and MS Windows.

Anonymous_

Anonymous

Premium Member

join:2004-06-21

127.0.0.1 Anonymous_ Premium Member Re: nothing said by Kearnstd: seems like the reason other nation's governments are looking to migrate completely to Linux. They know the US government wants back doors and will not take that risk with their own government computers and MS Windows.

just like how much MS patches one hole they open another one?

FFH5

Premium Member

join:2002-03-03

Tavistock NJ FFH5 to seamore

Premium Member to seamore

said by seamore: Like i said before, there's absolutely nothing that we can do about things like this. NOTHING!

Especially when judges are more than willing to give official approval thru warrants issued to police. tired_runner

Premium Member

join:2000-08-25

New York 231.3 37.3

·callwithus

tired_runner Premium Member Coming to a cell site near you MPAA & RIAA spoofing cell sites to track pirates downloading content via prepaid cell phones with a data-enabled plan.



That would be funny to see them attempt prosecuting... Mike Larry downloaded 25 Justin Bieber songs.... Yeah... Mike Larry... That detective from Bad Boys

marigolds

Gainfully employed, finally

MVM

join:2002-05-13

Saint Louis, MO marigolds MVM Warrents One thing I think is not clear in this article or the Wired article...



Warrants were obtained for this deployment. The contention is that such a device should not be used even with a warrant because uninvolved third parties can connect to the sting ray. (Of course, that prompts the question of why the third parties can connect if the FBI is not rewriting configurations on those devices too.)

koolman2

Premium Member

join:2002-10-01

Anchorage, AK koolman2 Premium Member Re: Warrents Maybe that's why they required Verizon to modify the device. They probably set it up as an access point that any unmodified device would not connect to, so only this one guy would.

marigolds

Gainfully employed, finally

MVM

join:2002-05-13

Saint Louis, MO marigolds MVM Re: Warrents That would seem to make sense. If that is the case, though, then the privacy argument is much weaker. That would mean the device only collected the information that was expressly allowed by the warrant.

cableties

Premium Member

join:2005-01-27 cableties Premium Member lastweeks news...



Maybe Obama will just turn a blind eye (like he gave Monsata carte blanc on the GMO non-liability...like Chaney and CleanWater Act to fracking fluid non-liability to Haliburton).



"do you think the feds would allow ANY communication that can't be intercepted or monitored in the name of protecting the republic?" I reference Iridium. I read about this lastweek.Maybe Obama will just turn a blind eye (like he gave Monsata carte blanc on the GMO non-liability...like Chaney and CleanWater Act to fracking fluid non-liability to Haliburton)."do you think the feds would allow ANY communication that can't be intercepted or monitored in the name of protecting the republic?" I reference Iridium. rradina

join:2000-08-08

Chesterfield, MO ·Charter

rradina Member How Can This Be Stopped? Even if we pass air tight laws governing the use of the cell tower honey pots, how can this cannot be enforced? Even if all the equipment has an black box that records when and where it was used and the data that is collected, the tech is already "out there". This would be as fruitless as banning guns.



Regarding the info they collect, they might not be able to use the initial information they gather as evidence but once they smell something interesting, then they'll follow the rules and eventually legally obtain evidence.

badtrip

Premium Member

join:2004-03-20 badtrip Premium Member What's Verizon's angle? I just don't get Verizon's angle in this; there's not enough information given. What value is there in so blindly and recklessly complying with these requests to install snooping hardware and facilitate monitoring?



Does the US gov pay Verizon cash incentives? It can't be preferential regulatory treatment because if so there would be lawsuits flying this second by competitors that did not comply with govt requests (if there are any).



If it is a cash incentive, then I'd like to see how much is being paid and what portion of Verizon's profit these payment comprise.

OSUGoose

join:2007-12-27

Columbus, OH OSUGoose Member Re: What's Verizon's angle? GSA Contracts to be a provider to Fed Agencies. your comment..

