The Stingray II

Bloomberg Businessweek (North America) - Focus On/Security

When Daniel Rigmaiden was a little boy, his grandfather, a veteran of World War II and Korea, used to drive him along the roads of Monterey, California, playing him tapes of Ronald Reagan speeches. Something about the ideals of small government and personal freedom may have affected him more deeply than he realized. By the time Rigmaiden became a disaffected, punk-rock-loving teenager, everything about living in America disappointed him, from the two-party system to taxes. “At that age, everybody’s looking for something to rebel against,” he tells me over Mexican food in Phoenix—where, until recently, he was required to live under the conditions of his parole. “I thought, ‘I either have to fight the rigged system, or I have to opt out completely.’ ”

Rigmaiden is 35 and slender, quiet with a sardonic smile and thick shock of jet-black hair. Speaking softly and rapidly, he tells the story of how he evolved from a bottom-feeding Internet outlaw to one of the nation’s most prescient technological privacy activists. Rigmaiden left home in 1999 after graduating high school and spent almost a decade knocking around college towns in California, living under a series of assumed names. “I didn’t want to be constrained by all the rules of society,” he says. “It just didn’t seem real to me.” He’d spend weeks living in the woods, scrounging for food and water, testing his limits; then he’d find a place to crash for a while and make a little money on the Internet—first selling fake IDs, then moving on to more serious crimes. In 2006 he wrote software to mine information from databases on the Internet—names, birthdates, Social Security numbers, and the employer identification numbers of businesses. Then he filed fake tax returns, hundreds of them, collecting a modest refund with each.

He bought gold coins with cash, built a nest egg of about $500,000, and planned to move to South America when the time was right. Then, in 2008, an FBI, IRS, and U.S. Postal Service task force grabbed Rigmaiden at his apartment in San Jose and indicted him on enough wire fraud and identity theft charges to put him away for the rest of his life. Only after he was caught did the authorities learn his real name.

The mystery, at least to Rigmaiden, was how they found him at all. He’d been living completely off the grid. The only thing connecting him to the world outside his apartment, he knew, was the wireless Aircard of his laptop. To find him, he reasoned, the people who caught him would have had to pluck the signal from his particular Aircard out of a wilderness of other signals and pinpoint his location. To do that, they’d need a device that, as far as he knew, didn’t exist.

Rigmaiden made it his mission to find out what that device was. He was jailed but never tried; he slowed down the process by filing endless motions contesting his arrest, insisting he’d been essentially wiretapped without a warrant. In the prison library, he became a student of telecommunications. Among the most important things he learned was that whenever a cell phone communicates with a cell tower, it transmits an International Mobile Subscriber Identity, or IMSI. His Aircard, like a cell phone, had an IMSI. He reasoned that the government had to have a gadget that masqueraded as a cell tower, tricking his Aircard into handing over its IMSI, which was then matched up to the IMSI connected to all his online phony tax filings. It was all inference, at first, but if it was true, that would be enough for him to make the case that what was done to his Aircard was an illegal search.

It took two years before Rigmaiden found the first real glimmer of proof. He was plowing through a stash of records the Electronic Frontier Foundation had unearthed in the files of the FBI’s Digital Collection System Network—the bureau’s technological communications monitoring program—and noticed a mention of a Wireless Intercept and Tracking Team, a unit set up specifically for targeting cell phones. He connected what he found there to an agenda he’d found from a city council meeting in Florida in which a local police department was seeking permission to buy surveillance equipment. The attachment gave the equipment a name: Stingray, made by Harris Corp.

The Stingray is a suitcase-size device that tricks phones into giving up their serial numbers (and, often, their phone calls and texts) by pretending to be a cell phone tower. The technical name for such a device is IMSI catcher or cell-site simulator. It retails for about $400,000. Harris and competitors like Digital Receiver Technology, a subsidiary of Boeing, sell IMSI catchers to the military and intelligence communities, and, since 2007, to police departments in Los Angeles, New York, Chicago, and more than 50 other cities in 21 states. The signals that phones send the devices can be used not just to locate any phone police are looking for (in some cases with an accuracy of just 2 meters) but to see who else is around as well. IMSI catchers can scan Times Square, for instance, or an apartment building, or a political demonstration.

Rigmaiden built a file hundreds of pages thick about the Stingray and all its cousins and competitors—Triggerfish, Kingfish, Amberjack, Harpoon. Once he was able to expose their secret use—the FBI required the police departments that used them to sign nondisclosure agreements—the privacy and civil-liberties world took notice. In his own case, Rigmaiden filed hundreds of motions over almost six years until he finally was offered a plea deal—conspiracy, mail fraud, and two counts of wire fraud—in exchange for time served. He got out in April 2014, and his probation ended in January. Now Rigmaiden is a free man, a Rip Van Winkle awakening in a world where cell phone surveillance and security is a battleground for everyone.

surveillance, the person hacking into your cell phone might not be the police or the FBI. It could be your next-door neighbor.

In February, on a snowy morning in Annapolis, Md., a panel of three judges is hearing arguments in the first Stingray case to make it to an appeals court. It’s the case of Kerron Andrews, a 25-year-old man arrested two years ago in Baltimore for attempted murder. His court-appointed lawyer did what a lot of court-appointed lawyers in Baltimore have been doing in recent years: Inspired by the Rigmaiden case, she contested his arrest on Fourth Amendment grounds, arguing that the technology used to apprehend the suspect was not specified in the court order allowing the police to search for him at a particular house. At first, prosecutors said they could not confirm that any technology was used at all—those nondisclosure agreements have kept more than one police department quiet—but eventually they conceded that the police found Andrews with a Hailstorm, a next-generation version of the Stingray, also built by Harris. When a judge tossed out most of the evidence in the case, the state appealed, making Maryland v. Andrews the first IMSI catcher case to potentially make sweeping case law at the appellate level.

During arguments, at least two of the three appellate judges on the panel appear skeptical of the state’s case. Judge Daniel Friedman seems exasperated that the police and prosecutors didn’t seem to understand the Hailstorm well enough to know if it was intruding on the privacy of suspects. Judge Andrea Leahy suggests that this case fits tidily into the Supreme Court’s 2012 decision USA v. Jones, which ruled that the police could not install a GPS device on someone’s car without a warrant. “Wiretaps require warrants,” she says.

Then Daniel Kobrin, the appellate lawyer representing Andrews, argues, in a way that would make Tim Cook proud, that Hailstorm violates everyone’s reasonable expectation of privacy. Unlike, say, the garbage you’d leave outside your house, Kobrin says, there’s nothing about a phone that is thought of as fair game for the police. “When I have my phone and I’m walking down the street, I’m not telling my phone to let Verizon or Sprint or T-Mobile know where I am,” the lawyer says. “Phones are not tracking devices. Nobody buys them for that reason. Nobody uses them for that reason.” A few weeks later, the panel would affirm the lower court’s decision to suppress evidence seized as a result of the use of the Hailstorm. Soon, Maryland may have to go the way of Washington state and require explicit language in its warrants about the use of any cell-site simulator to catch clients.

Watching the proceedings from the gallery is Christopher Soghoian, the principal technologist for the American Civil Liberties Union. He, even more than Rigmaiden, may be the person most responsible for exposing the vulnerability of the telecommunications system to surveillance and goading the states, one by one, to regulate its use. A bearded, longhaired Ph.D. from the University of Indiana, Soghoian has been raising the alarm about the Stingray for five years—ever since he got a message sent by Rigmaiden from prison saying he could prove the police hacked his phone. “I remembered seeing it in The Wire,” Soghoian says, “but I thought that was fictional.” (Phone-tracing gadgets are a television staple, also popping up in Homeland.) Soghoian’s colleagues educated dozens of public defenders in Maryland about the police’s favorite toy; in one case last summer, a detective testified that the Baltimore police have used a Hailstorm some 4,300 times. “That’s why there are so many Stingray cases in Baltimore,” Soghoian tells me. “Because the defense lawyers were all told about it.”

Harris is a publicly traded Florida-based defense contractor with a $9.7 billion market cap and 22,000 employees. In the 1970s, Harris built the first secured hotline between the White House and the Kremlin; later it branched out into GPS, air traffic management, and military radios. Harris’s first visible foray into cell-site simulation was in 1995, when the FBI used the Harris-made Triggerfish to track down the notorious hacker Kevin Mitnick, who, in his time, seized proprietary software from some of the nation’s largest telecom companies.

The Stingray arrived a few years later—an update of Triggerfish designed for the new digital cellular networks. The first clients were soldiers and spies. The FBI loves IMSI catchers—“it’s how we find killers,” Director James Comey has said—even if last fall, under pressure after Rigmaiden’s case and others became public, the Justice Department announced that the FBI would, in most cases, need warrants before using them.

Most local police departments, though, still aren’t bound by that directive. Neither are foreign governments, which are widely suspected to be using IMSI catchers here (as we are no doubt doing elsewhere). And so, amid the publicity over the Stingray, a marketplace has opened up for countermeasures. On the low end, there’s SnoopSnitch, an open source app for Android that scans mobile data for fake cell sites. On the high end, there’s the Cryptophone, a heavily tricked-out cell phone sold by ESD America, a boutique technology company out of Las Vegas. The $3,500 Cryptophone scans all cell-site signals it’s communicating with, flagging anything suspicious. Even though the Cryptophone cannot definitively verify that the suspect cell is an IMSI catcher, “we sell out of every Cryptophone we have each week,” says ESD’s 40-year-old chief executive officer, Les Goldsmith, who has marketed the phone for 11 years. “There are literally hundreds of thousands of Cryptophones globally.” ESD’s dream clients are nations. Last year the company debuted a $7 million software suite called Overwatch, developed with the German firm GSMK. Overwatch, ESD says, can help authorities locate illegal IMSI catchers using triangulation from sensors placed around a city. “Right now, it’s going into 25 different countries,” Goldsmith says.

On a parallel track to the defense market, hobbyists and hackers have gone to work on the cell networks and found they can do a lot of what Harris can. In the early days of cell phones, when the signals were analog, like radio, DIY phone-hacking was a cinch. Anyone could go to a RadioShack and buy a receiver to listen in on calls. Congress grew concerned about that and in the 1990s held hearings with the cellular industry. It was an opportunity to shore up the networks. Instead, Congress chose to make it harder to buy the interception equipment. The idea was that when digital mobile technology took hold, intercepting digital signals would be just too expensive for anyone to bother trying. That turned out to be more than a little shortsighted.

For as long as you’ve been using a phone on a 2G (also called GSM) network or any of its digital predecessors, your calls, texts, and locations have been vulnerable to an IMSI catcher. In 2008 researcher Tobias Engel became the first to demonstrate a crude homemade IMSI catcher, listening to calls and reading texts on a pre-2G digital cell network. Two years later, at a DEF CON hacking conference in Las Vegas, researcher Chris Paget monitored calls made on 2G with a gadget built for just $1,500. What made it so cheap was “software-defined radio,” in which all the complicated telecommunications tasks aren’t pulled off by the hardware but by the software. If you couldn’t write the software yourself, someone on the Internet had probably already done it for you.

Phones now operate on more sophisticated 3G and 4G (also known as LTE) networks. In theory, IMSI catchers can pinpoint only the location of these phones, not listen to calls or read texts. But none of that matters if the IMSI catcher in question can just knock a phone call back down to 2G. Enter Harris’s Hailstorm, the successor to Stingray. “It took us a while to stumble onto some documents from the DEA to see that the Hailstorm was a native LTE IMSI catcher,” the ACLU’s Soghoian says. “It was like, ‘Wait a second—I thought it’s not supposed to work on LTE. What’s going on?’ ”

They found a hint to the answer last fall, when a research team out of Berlin and Helsinki announced it had built an IMSI catcher that could make an LTE phone leak its location to within a 10- to 20-meter radius—and in some cases, even its GPS coordinates. “Basically we downgraded to 2G or 3G,” says Ravishankar Borgaonkar, a 30-year-old Ph.D. who has since been hired at Oxford. “We wanted to see if the promises given by the 4G systems were correct or not.” They weren’t. The price tag for this IMSI catcher: $1,400. As long as phones retain the option of 2G, calls made on them can be downgraded. And the phone carriers can’t get rid of 2G—not if they want every phone to work everywhere. The more complex the system becomes, the more vulnerable it is. “Phones, as little computers, are becoming more and more secure,” says Karsten Nohl, chief scientist at Security Research Labs in Berlin. “But the phone networks? They’re rather becoming less secure. Not because of any one action but because there’s more and more possibility for one of these technologies to be the weakest link.”

The device Borgaonkar’s team built is called a “passive receptor,” a sort of budget Stingray. Instead of actively targeting a single cell phone to locate, downgrade to 2G, and monitor, a passive receptor sits back and collects the IMSI of every cell signal that happens by. That’s ideal for some police departments, which, the Wall Street Journal reported last summer, have been buying passive devices in large numbers from KEYW, a Hanover, Md., cybersecurity company, for about $5,000 a pop. One Florida law enforcement document described the devices as “more portable, more reliable and ‘covert’ in functionality.” If all you want to do is see who’s hanging out at a protest—or inside a house or church or drug den—these passive receptors could be just the thing.

A programmer I spoke with who has worked for Harris is of two minds about what the hobbyists are up to. “There’s a giant difference between do-it-yourself IMSI catchers and something like the Harris Stingray,” he says proudly. That said, he’s taken with how fast the amateurs are catching up. “I’d say the most impressive leap is the advancement of LTE support on software-defined radio,” he says. “That came out of nowhere. From nothing to 2G took, like, 10 years, and from 2G to LTE took five years. We’re not there yet. But they’re coming. They’re definitely coming.”

You don’t have to look far to see what a world of cheap and plentiful IMSI catchers looks like. Two years ago, China shut down two dozen factories that were manufacturing illegal IMSI catchers. The devices were being used to send text-message spam to lure people into phishing sites; instead of paying a cell phone company 5¢ per text message, companies would put up a fake cell tower and send texts for free to everyone in the area.

Then there’s India. Once the government started buying cell-site simulators, the calls of opposition-party politicians and their spouses were monitored. “We can track anyone we choose,” an intelligence official told one Indian newspaper. The next targets were corporate; most of the late-night calls, apparently, were used to set up sexual liaisons. By 2010 senior government officials publicly acknowledged that the whole cell network in India was compromised. “India is a really sort of terrifying glimpse of what America will be like when this technology becomes widespread,” Soghoian says. “The American phone system is no more secure than the Indian phone system.”

In America, the applications are obvious. Locating a Kardashian (in those rare moments when she doesn’t want the media to locate her) is something any self-respecting TMZ intern would love to be able to do. “What’s the next super Murdoch scandal when the paparazzi are using a Stingray instead of hacking into voicemail?” Soghoian says. “What does it matter that you can build one for $500 if you can buy one for $1,500? Because at the end of the day, the next generation of paparazzi are not going to be hackers. They’re going to be reporters with expense accounts.”

Over coffee after court in Annapolis, Soghoian and I peruse the Alibaba.com marketplace on his smartphone. He types in “IMSI catcher,” and a list materializes. The prices are all over the place, as low as $1,800. “This one’s from Nigeria. ... This one’s $20,000. ... This one’s from Bangladesh.” I note that the ones on sale here seem to work only on 2G, unlike the Hailstorm. “You can get a jammer for like 20 bucks,” Soghoian says. With that, you roll any call back to 2G. Pair the signal jammer with a cheap old IMSI catcher, and you’ve got a crude facsimile of a Hailstorm.

Every country knows it’s vulnerable, but no one wants to fix the problem—because they exploit that vulnerability, too. Two years ago, Representative Alan Grayson (D-Fla.) wrote a concerned letter to the Federal Communications Commission about cellular surveillance vulnerabilities. Tom Wheeler, the former industry lobbyist who now runs the regulatory agency, convened a task force that so far has produced nothing. “The commission’s internal team continues to examine the facts surrounding IMSI catchers, working with our federal partners, and will consider necessary steps based on its findings,” says FCC spokesman Neil Grace.

Soghoian isn’t optimistic. “The FCC is sort of caught between a rock and a hard place,” he says. “They don’t want to do anything to stop the devices that law enforcement is using from working. But if the law enforcement devices work, the criminals’ devices work, too.” Unlike the battle between the FBI and Apple, the network-vulnerability struggle doesn’t pit public sector against private; it’s the public sector against itself.

From his apartment in central Phoenix, Rigmaiden consulted with the Washington state branch of the ACLU when it helped draft the state law requiring a warrant for the use of IMSI catchers. He’s suing the FBI for more Stingray documents, and recently the court shook loose a few more. And now that his parole is over and he can travel, he’d like to lecture across the country about fighting surveillance. “Everything that I thought was wrong back then is even worse today,” he says, chuckling softly. “The only thing that’s changed is now I’m going to do the other route—which is participate and do what I can to try to change it.”

As improbable a privacy standard bearer as Rigmaiden may be, his ability to draw inferences and connect dots proved useful once; maybe it will again. He has dug up the specs of some KEYW passive devices, and he sees no reason the big
