I’ve been reading in amazement lately about the use of mobile phone tracking by US law enforcement. I’m not amazed that it is happening, but I am amazed by the way that it is happening. Let me explain why.
Mobile phones, as they are currently engineered, are very susceptible to tracking. Many smartphones have GPS location capabilities built in that can log location information. Apps can be used to extract this from a phone, either with the consent of the user (finding lost phone services, parental tracking, business applications, etc.) or without (malware, abusive location-based services, etc.). Older versions of iPhone software even logged this information in an unprotected file that could be accessed by anyone holding the phone.
The mobile service provider also knows the location of mobile phones whenever the phone is turned on – this is just part of providing the service. The phone is always in touch with the nearest base station – the antennas you see on towers and tops of buildings are the visible parts of base stations. The service provider keeps a database of where a phone is located so that when a call comes in, the phone can be alerted.
When I have thought about law enforcement tracking mobile phones as part of an investigation, for example, I’ve imagined them going to the mobile service provider with an appropriate court order, and getting that information. Instead, it seems a different approach is being used – one that involves what we in the security industry would call an impersonation attack on the mobile phone network.
In my cybercrime mystery novel Counting from Zero, I talk about mobile phone base station impersonation attacks, and also talk about other aspects of mobile phone security. I’ve always imagined these attacks being launched by criminals or intelligence agencies, but never as a routine part of law enforcement, where the software used is known as “stingray”.
Basically, as described in a number of articles, including this one in the WSJ, the investigators use a piece of software that pretends to be a mobile service provider base station – hence the impersonation. Unfortunately, with today’s mobile phones, there is no authentication or validation of this – your mobile phone just assumes that any transmission it receives on the mobile phone frequencies (transmitting on which, by the way, requires a spectrum license from the FCC) comes from a valid base station and will communicate with it. A phone will pick the strongest one when there is a choice, so the attacker doesn’t need to jam or shut down the legitimate base station, just overpower it. When the mobile phone connects, the stingray software learns the serial number of the mobile phone (the IMSI for those technically inclined), which can be mapped to a telephone number. By noting the signal strength and by taking a few readings in a number of locations, the location of the mobile phone can be determined by triangulation.
Now, since this fraudulent base station doesn’t have access to subscriber data or the data network, they can’t actually get in the middle of actual calls and listen in – this would be a full Man-in-the-Middle attack, or MitM as it is known in the industry. However, the software is impersonating a mobile operator’s base station and transmitting on frequencies licensed to that mobile operator. Also, I don’t think this approach is so selective that it only impacts the target of the investigation. When a stingray is set up, it would trap all mobile phones in the vicinity into communicating with it. More than likely it can disconnect the mobile users who are not the subject of the attack, but I’m not sure.
Another very worrying thing about this is that it appears that law enforcement is being very tight-lipped about discussing the capabilities of their stingray devices: what they can do to the target and what they can do to other mobile phone users in the area. Even more strangely, it has been reported that evidence collected using these devices is also systematically being deleted, which seems very odd behavior for investigators.
There is most likely a lot more to tell about this story. As I said, I’m a bit amazed at the use of the stingray by law enforcement. Does this really seem like legitimate behavior? Fortunately, it seems that the issue is likely to get a full hearing in the courts soon, and we may find out the whole story.