The name stingray comes from the brand name of a specific commercial model of IMSI catcher made by the Florida-based Harris Corporation. That company’s StingRay is a briefcase-sized device that can be operated from a vehicle while plugged into the cigarette lighter. Harris also makes products like the Harpoon, a signal booster that makes the StingRay more powerful, and the KingFish, a smaller hand-held device that operates like a stingray and can be used by a law enforcement agent while walking around outside a vehicle. About a dozen other companies make variants of the stingray with different capabilities. The surveillance equipment is pricey and often sold as a package. For example, in documents obtained by Motherboard in 2016, Harris offered a KingFish package that cost $157,300 and a StingRay package that cost $148,000, not including training and maintenance. Documents obtained this year by the American Civil Liberties Union indicate that Harris has upgraded the StingRay to a newer device it calls a Crossbow , though not a lot of information is known about how it works. Separately, a classified catalog of surveillance tools leaked to The Intercept in 2015 describes other similar devices. Stingray is the generic name for an electronic surveillance tool that simulates a cell phone tower in order to force mobile phones and other devices to connect to it instead of to a legitimate cell tower. In doing so, the phone or other device reveals information about itself and its user to the operator of the stingray. Other common names for the tool are “cell-site simulator” and “IMSI catcher.”
To better understand the kind of surveillance that may be directed at protesters, here’s a breakdown of what we know and still don’t know about stingrays, and why their use is so controversial.Although law enforcement has been using the technologies since the 1990s, the general public learned about them only in the last decade, and much about their capabilities remains unknown because law enforcement agencies and the companies that make the devices have gone to great lengths to keep details secret. Stingrays are routinely used to target suspects in drug and other criminal investigations, but activists also believe the devices were used during protests against the Dakota Access pipeline , and against Black Lives Matter protesters over the last three months. The Justice Department requires federal agents to obtain a probable cause warrant to use the technology in criminal cases, but there is a carve-out for national security . Given that President Donald Trump has referred to protesters as “ terrorists ,” and that paramilitary-style officers from the Department of Homeland Security have been deployed to the streets of Portland , Oregon, it’s conceivable that surveillance conducted at recent demonstrations has been deemed a national security matter — raising the possibility that the government may have used stingray technology to collect data on protesters without warrants.
You could flip the Cellular Modem Hardware Kill Switch (HKS) on your Librem 5 and still call or text from your primary phone number while at that coffee-shop WiFi. This would offer you the ability to have a no-carrier phone–in either form–that now you only have when on WiFi–which means no triangulation-location tracking from cellular towers.
How does the stingray work?Phones periodically and automatically broadcast their presence to the cell tower that is nearest to them, so that the phone carrier’s network can provide them with service in that location. They do this even when the phone is not being used to make or receive a call. When a phone communicates with a cell tower, it reveals the unique ID or IMSI number (International Mobile Subscriber Identity) associated with the SIM card in the phone. The IMSI number identifies that phone and its owner as a paying customer of a cell carrier, and that number can be matched by the carrier to the owner’s name, address, and phone number. A stingray masquerades as a cell tower in order to get phones to ping it instead of legitimate cell towers, and in doing so, reveal the phones’ IMSI numbers. In the past, it did this by emitting a signal that was stronger than the signal generated by legitimate cell towers around it. The switch to 4G networks was supposed to address this in part by adding an authentication step so that mobile phones could tell if a cell tower is legitimate. But a security researcher named Roger Piqueras Jover found that the authentication on 4G doesn’t occur until after the phone has already revealed its IMSI number, which means that stingrays can still grab this data before the phone determines it’s not communicating with an authentic cell tower and switches to one that is authenticated. That vulnerability still exists in the 5G protocol, says Jover. Though the 5G protocol offers a feature that encrypts the IMSI when it’s disclosed during pre-authentication communication, law enforcement would simply be able to ask phone carriers to decrypt it for them. And a group of researchers from Purdue University and the University of Iowa also found a way to guess an IMSI number without needing to get a carrier to decrypt it. Because a stingray is not really a tower on the carrier’s network, calls and messages to and from a phone can’t go through while the phone is communicating with the stingray. So after the stingray captures the device’s IMSI number and location, the stingray “releases” the phone so that it can connect to a real cell tower. It can do this by broadcasting a message to that phone that effectively tells the phone to find a different tower.
What can law enforcement do with the IMSI number?
Law enforcement can use a stingray either to identify all of the phones in the vicinity of the stingray or a specific phone, even when the phones are not in use. Law enforcement can then, with a subpoena, ask a phone carrier to provide the customer name and address associated with that number or numbers. They can also obtain a historical log of all of the cell towers a phone has pinged in the recent past to track where it has been, or they can obtain the cell towers it’s pinging in real time to identify the user’s current location. By catching multiple IMSI numbers in the vicinity of a stingray, law enforcement can also potentially uncover associations between people by seeing which phones ping the same cell towers around the same time.
If law enforcement already knows the IMSI number of a specific phone and person they are trying to locate, they can program that IMSI number into the stingray and it will tell them if that phone is nearby. Law enforcement can also home in on the location of a specific phone and its user by moving the stingray around a geographical area and measuring the phone’s signal strength as it connects to the stingray. The Harris StingRay can be operated from a patrol vehicle as it drives around a neighborhood to narrow a suspect’s location to a specific cluster of homes or a building, at which point law enforcement can switch to the hand-held KingFish, which offers even more precision. For example, once law enforcement has narrowed the location of a phone and suspect to an office or apartment complex using the StingRay, they can walk through the complex and hallways using the KingFish to find the specific office or apartment where a mobile phone and its user are located.
Does the device only track mobile phones?No. In 2008, authorities used a StingRay and a KingFish to locate a suspect who was using an air card: an internet-connectivity device that plugs into a computer and allows the user to get online through a wireless cellular network. The suspect, Daniel Rigmaiden, was an identity thief who was operating from an apartment in San Jose, California. Rigmaiden had used a stolen credit card number and a fake name and address to register his internet account with Verizon. With Verizon’s help, the FBI was able to identify him. They determined the general neighborhood in San Jose where Rigmaiden was using the air card so they could position their stingray in the area and move it around until they found the apartment building from which his signal was coming. They then walked around the apartment complex with a hand-held KingFish or similar device to pinpoint the precise apartment Rigmaiden was using.
What is a dirtbox?A dirtbox is the common name for specific models of an IMSI catcher that are made by a Boeing subsidiary, Maryland-based Digital Receiver Technology — hence the name “DRT box.” They are reportedly used by the DEA and Marshals Service from airplanes to intercept data from mobile phones. A 2014 Wall Street Journal article revealed that the Marshals Service began using dirtboxes in Cessna airplanes in 2007. An airborne dirtbox has the ability to collect data on many more phones than a ground-based stingray; it can also move more easily and quickly over wide areas. According to the 2006 catalog of surveillance technologies leaked in 2015, models of dirtboxes described in that document can be configured to track up to 10,000 targeted IMSI numbers or phones.
Do stingrays and dirtboxes have other capabilities?
Stingrays and dirtboxes can be configured for use in either active or passive mode. In active mode, these technologies broadcast to devices and communicate with them. Passive mode involves grabbing whatever data and communication is occurring in real time across cellular networks without requiring the phone to communicate directly with the interception device. The data captured can include the IMSI number as well as text messages, email, and voice calls.
If that data or communication is encrypted, then it would be useless to anyone intercepting it if they don’t also have a way to decrypt it. Phones that are using 4G employ strong encryption. But stingrays can force phones to downgrade to 2G, a less secure protocol, and tell the phone to use either no encryption or use a weak encryption that can be cracked. They can do this because even though most people use 4G these days, there are some areas of the world where 2G networks are still common, and therefore all phones have to have the ability to communicate on those networks.
The versions of stingrays used by the military can intercept the contents of mobile communications — text messages, email, and voice calls — and decrypt some types of this mobile communication. The military also uses a jamming or denial-of-service feature that prevents adversaries from detonating bombs with a mobile phone.In addition to collecting the IMSI number of a device and intercepting communications, military-grade IMSI catchers can also spoof text messages to a phone, according to David Burgess, a telecommunications engineer who used to work with U.S. defense contractors supporting overseas military operations. Burgess says that if the military knows the phone number and IMSI number of a target, it can use an IMSI catcher to send messages to other phones as if they are coming from the target’s phone. They can also use the IMSI catcher for a so-called man in the middle attack so that calls from one target pass through the IMSI catcher to the target phone. In this way, they can record the call in real time and potentially listen to the conversation if it is unencrypted, or if they are able to decrypt it. The military systems can also send a silent SMS message to a phone to alter its settings so that the phone will send text messages through a server the military controls instead of the mobile carrier’s server.
Can the devices be used to infect phones with malware?Versions of the devices used by the military and intelligence agencies can potentially inject malware into targeted phones, depending on how secure the phone is. They can do this in two ways: They can either redirect the phone’s browser to a malicious web site where malware can be downloaded to the phone if the browser has a software vulnerability the attackers can exploit; or they can inject malware from the stingray directly into the baseband of the phone if the baseband software has a vulnerability. Malware injected into the baseband of a phone is harder to detect. Such malware can be used to turn the phone into a listening device to spy on conversations. Recently, Amnesty International reported on the cases of two Moroccan activists whose phones may have been targeted through such network injection attacks to install spyware made by an Israeli company. U.S. law enforcement use of stingrays domestically is more curtailed, given that they, unlike the military, need to obtain warrants or court orders to use the devices in federal investigations. But there is little transparency or oversight around how the devices are used by federal agents and local police, so there is still a lot that is unknown: for example, whether they’ve ever been used to record the contents of mobile phone communications or to install malware on phones.
News stories suggest that some models of stingrays used by the Marshals Service can extract text messages, contacts, and photos from phones, though they don’t say how the devices do this. Documents obtained by the ACLU in 2015 also indicate such devices do have the ability to record the numbers of incoming and outgoing calls and the date, time, and duration of the calls, as well as to intercept the content of voice and text communications. But the Justice Department has long asserted publicly that the stingrays it uses domestically do not intercept the content of communications. The Justice Department has stated that the devices “may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III [wiretapping] order.” As for jamming communications domestically, Dakota Access pipeline protesters at Standing Rock, North Dakota, in 2016 described planes and helicopters flying overhead that they believed were using technology to jam mobile phones. Protesters described having problems such as phones crashing, livestreams being interrupted, and issues uploading videos and other posts to social media.