Bloomberg Businessweek (North America)

W

The Stingray II

hen Daniel Rigmaiden was a little boy, his grandfathe­r, a veteran of World War II and Korea, used to drive him along the roads of Monterey, California, playing him tapes of Ronald Reagan speeches. Something about the ideals of small government and personal freedom may have affected him more deeply than he realized. By the time Rigmaiden became a disaffecte­d, punk-rock-loving teenager, everything about living in America disappoint­ed him, from the two-party system to taxes. “At that age, everybody’s looking for something to rebel against,” he tells me over Mexican food in Phoenix—where, until recently, he was required to live under the conditions of his parole. “I thought, ‘I either have to fight the rigged system, or I have to opt out completely.’ ”

Rigmaiden is 35 and slender, quiet with a sardonic smile and thick shock of jet-black hair. Speaking softly and rapidly, he tells the story of how he evolved from a bottom-feeding Internet outlaw to one of the nation’s most prescient technologi­cal privacy activists. Rigmaiden left home in 1999 after graduating high school and spent almost a decade knocking around college towns in California, living under a series of assumed names. “I didn’t want to be constraine­d by all the rules of society,” he says. “It just didn’t seem real to me.” He’d spend weeks living in the woods, scrounging for food and water, testing his limits; then he’d find a place to crash for a while and make a little money on the Internet—first selling fake IDS, then moving on to more serious crimes. In 2006 he wrote software to mine informatio­n from databases on the Internet—names, birthdates, Social Security numbers, and the employer identifica­tion numbers of businesses. Then he filed fake tax returns, hundreds of them, collecting a modest refund with each.

He bought gold coins with cash, built a nest egg of about $500,000, and planned to move to South America when the time was right. Then, in 2008, an FBI, IRS, and U.S. Postal Service task force grabbed Rigmaiden at his apartment in San Jose and indicted him on enough wire fraud and identity theft charges to put him away for the rest of his life. Only after he was caught did the authoritie­s learn his real name.

The mystery, at least to Rigmaiden, was how they found him at all. He’d been living completely off the grid. The only thing connecting him to the world outside his apartment, he knew, was the wireless Aircard of his laptop. To find him, he reasoned, the people who caught him would have had to pluck the signal from his particular Aircard out of a wilderness of other signals and pinpoint his location. To do that, they’d need a device that, as far as he knew, didn’t exist.

Rigmaiden made it his mission to find out what that device was. He was jailed but never tried; he slowed down the process by filing endless motions contesting his arrest, insisting he’d been essentiall­y wiretapped without a warrant. In the prison library, he became a student of telecommun­ications. Among the most important things he learned was that whenever a cell phone communicat­es with a cell tower, it transmits an Internatio­nal Mobile Subscriber Identity, or IMSI. His Aircard, like a cell phone, had an IMSI. He reasoned that the government had to have a gadget that masquerade­d as a cell tower, tricking his Aircard into handing over its IMSI, which was then matched up to the IMSI connected to all his online phony tax filings. It was all inference, at first, but if it was true, that would be enough for him to make the case that what was done to his Aircard was an illegal search.

It took two years before Rigmaiden found the first real glimmer of proof. He was plowing through a stash of records the Electronic Frontier Foundation had unearthed in the files of the FBI’S Digital Collection System Network—the bureau’s technologi­cal communicat­ions monitoring program—and noticed a mention of a Wireless Intercept and Tracking Team, a unit set up specifical­ly for targeting cell phones. He connected what he found there to an agenda he’d found from a city council meeting in Florida in which a local police department was seeking permission to buy surveillan­ce equipment. The attachment gave the equipment a name: Stingray, made by Harris Corp.

The Stingray is a suitcase-size device that tricks phones into giving up their serial numbers (and, often, their phone calls and texts) by pretending to be a cell phone tower. The technical name for such a device is IMSI catcher or cell-site simulator. It retails for about $400,000. Harris and competitor­s like Digital Receiver Technology, a subsidiary of Boeing, sell IMSI catchers to the military and intelligen­ce communitie­s, and, since 2007, to police department­s in Los Angeles, New York, Chicago, and more than 50 other cities in 21 states. The signals that phones send the devices can be used not just to locate any phone police are looking for (in some cases with an accuracy of just 2 meters) but to see who else is around as well. IMSI catchers can scan Times Square, for instance, or an apartment building, or a political demonstrat­ion.

Rigmaiden built a file hundreds of pages thick about the Stingray and all its cousins and competitor­s—triggerfis­h, Kingfish, Amberjack, Harpoon. Once he was able to expose their secret use—the FBI required the police department­s that used them to sign nondisclos­ure agreements—the privacy and civil-liberties world took notice. In his own case, Rigmaiden filed hundreds of motions over almost six years until he finally was offered a plea deal—conspiracy, mail fraud, and two counts of wire fraud—in exchange for time served. He got out in April 2014, and his probation ended in January. Now Rigmaiden is a free man, a Rip Van Winkle awakening in a world where cell phone surveillan­ce and security is a battlegrou­nd for everyone.

surveillan­ce, the person hacking into your cell phone might not be the police or the FBI. It could be your next-door neighbor.

In February, on a snowy morning in Annapolis, Md., a panel of three judges is hearing arguments in the first Stingray case to make it to an appeals court. It’s the case of Kerron Andrews, a 25-year- old man arrested two years ago in Baltimore for attempted murder. His court-appointed lawyer did what a lot of court-appointed lawyers in Baltimore have been doing in recent years: Inspired by the Rigmaiden case, she contested his arrest on Fourth Amendment grounds, arguing that the technology used to apprehend the suspect was not specified in the court order allowing the police to search for him at a particular house. At first, prosecutor­s said they could not confirm that any technology was used at all—those nondisclos­ure agreements have kept more than one police department quiet—but eventually they conceded that the police found Andrews with a Hailstorm, a next- generation version of the Stingray, also built by Harris. When a judge tossed out most of the evidence in the case, the state appealed, making Maryland v. Andrews the first IMSI catcher case to potentiall­y make sweeping case law at the appellate level.

During arguments, at least two of the three appellate judges on the panel appear skeptical of the state’s case. Judge Daniel Friedman seems exasperate­d that the police and prosecutor­s didn’t seem to understand the Hailstorm well enough to know if it was intruding on the privacy of suspects. Judge Andrea Leahy suggests that this case fits tidily into the Supreme Court’s 2012 decision USA v. Jones, which ruled that the police could not install a GPS device on someone’s car without a warrant. “Wiretaps require warrants,” she says.

Then Daniel Kobrin, the appellate lawyer representi­ng Andrews, argues, in a way that would make Tim Cook proud, that Hailstorm violates everyone’s reasonable expectatio­n of privacy. Unlike, say, the garbage you’d leave outside your house, Kobrin says, there’s nothing about a phone that is thought of as fair game for the police. “When I have my phone and I’m walking down the street, I’m not telling my phone to let Verizon or Sprint or T-mobile know where I am,” the lawyer says. “Phones are not tracking devices. Nobody buys them for that reason. Nobody uses them for that reason.” A few weeks later, the panel would affirm the lower court’s decision to suppress evidence seized as a result of the use of the Hailstorm. Soon, Maryland may have to go the way of Washington state and require explicit language in its warrants about the use of any cell-site simulator to catch clients.

Watching the proceeding­s from the gallery is Christophe­r Soghoian, the principal technologi­st for the American Civil Liberties Union. He, even more than Rigmaiden, may be the person most responsibl­e for exposing the vulnerabil­ity of the telecommun­ications system to surveillan­ce and goading the states, one by one, to regulate its use. A bearded, longhaired PH.D. from the University of Indiana, Soghoian has been raising the alarm about the Stingray for five years— ever since he got a message sent by Rigmaiden from prison saying he could prove the police hacked his phone. “I remembered seeing it in The Wire,” Soghoian says, “but I thought that was fictional.” (Phone-tracing gadgets are a television staple, also popping up in Homeland.) Soghoian’s colleagues educated dozens of public defenders in Maryland about the police’s favorite toy; in one case last summer, a detective testified that the Baltimore police have used a Hailstorm some 4,300 times. “That’s why there are so many Stingray cases in Baltimore,” Soghoian tells me. “Because the defense lawyers were all told about it.”

Harris is a publicly traded Florida-based defense contractor with a $9.7 billion market cap and 22,000 employees. In the 1970s, Harris built the first secured hotline between the White House and the Kremlin; later it branched out into GPS, air traffic management, and military radios. Harris’s first visible foray into cellsite simulation was in 1995, when the FBI used the Harris-made Triggerfis­h to track down the notorious hacker Kevin Mitnick, who, in his time, seized proprietar­y software from some of the nation’s largest telecom companies.

The Stingray arrived a few years later— an update of Triggerfis­h designed for the new digital cellular networks. The first clients were soldiers and spies. The FBI loves IMSI catchers—“it’s how we find killers,” Director James Comey has said— even if last fall, under pressure after Rigmaiden’s case and others became public, the Justice Department announced that the FBI would, in most cases, need warrants before using them.

Most local police department­s, though, still aren’t bound by that directive. Neither are foreign government­s, which are widely suspected to be using IMSI catchers here (as we are no doubt doing elsewhere). And so, amid the publicity over the Stingray, a marketplac­e has opened up for countermea­sures. On the low end, there’s Snoopsnitc­h, an open source app for Android that scans mobile data for fake cell sites. On the high end, there’s the Cryptophon­e, a heavily tricked-out cell phone sold by ESD America, a boutique technology company out of Las Vegas. The $3,500 Cryptophon­e scans all cell-site signals it’s communicat­ing with, flagging anything suspicious. Even though the Cryptophon­e cannot

definitive­ly verify that the suspect cell is an IMSI catcher, “we sell out of every Cryptophon­e we have each week,” says ESD’S 40-year-old chief executive officer, Les Goldsmith, who has marketed the phone for 11 years. “There are literally hundreds of thousands of Cryptophon­es globally.” ESD’S dream clients are nations. Last year the company debuted a $7 million software suite called Overwatch, developed with the German firm GSMK. Overwatch, ESD says, can help authoritie­s locate illegal IMSI catchers using triangulat­ion from sensors placed around a city. “Right now, it’s going into 25 different countries,” Goldsmith says.

On a parallel track to the defense market, hobbyists and hackers have gone to work on the cell networks and found they can do a lot of what Harris can. In the early days of cell phones, when the signals were analog, like radio, DIY phone- hacking was a cinch. Anyone could go to a Radioshack and buy a receiver to listen in on calls. Congress grew concerned about that and in the 1990s held hearings with the cellular industry. It was an opportunit­y to shore up the networks. Instead, Congress chose to make it harder to buy the intercepti­on equipment. The idea was that when digital mobile technology took hold, intercepti­ng digital signals would be just too expensive for anyone to bother trying. That turned out to be more than a little shortsight­ed.

For as long as you’ve been using a phone on a 2G (also called GSM) network or any of its digital predecesso­rs, your calls, texts, and locations have been vulnerable to an IMSI catcher. In 2008 researcher Tobias Engel became the first to demonstrat­e a crude homemade IMSI catcher, listening to calls and reading texts on a pre-2g digital cell network. Two years later, at a DEF CON hacking conference in Las Vegas, researcher Chris Paget monitored calls made on 2G with a gadget built for just $1,500. What made it so cheap was “software-defined radio,” in which all the complicate­d telecommun­ications tasks aren’t pulled off by the hardware but by the software. If you couldn’t write the software yourself, someone on the Internet had probably already done it for you.

Phones now operate on more sophistica­ted 3G and 4G (also known as LTE) networks. In theory, IMSI catchers can pinpoint only the location of these phones, not listen to calls or read texts. But none of that matters if the IMSI catcher in question can just knock a phone call back down to 2G. Enter Harris’s Hailstorm, the successor to Stingray. “It took us a while to stumble onto some documents from the DEA to see that the Hailstorm was a native LTE IMSI catcher,” the ACLU’S Soghoian says. “It was like, ‘Wait a second—i thought it’s not supposed to work on LTE. What’s going on?’ ”

They found a hint to the answer last fall, when a research team out of Berlin and Helsinki announced it had built an IMSI catcher that could make an LTE phone leak its location to within a 10- to 20-meter radius—and in some cases, even its GPS coordinate­s. “Basically we downgraded to 2G or 3G,” says Ravishanka­r Borgaonkar, a 30-year-old PH.D. who has since been hired at Oxford. “We wanted to see if the promises given by the 4G systems were correct or not.” They weren’t. The price tag for this IMSI catcher: $1,400. As long as phones retain the option of 2G, calls made on them can be downgraded. And the phone carriers can’t get rid of 2G—not if they want every phone to work everywhere. The more complex the system becomes, the more vulnerable it is. “Phones, as little computers, are becoming more and more secure,” says Karsten Nohl, chief scientist at Security Research Labs in Berlin. “But the phone networks? They’re rather becoming less secure. Not because of any one action but because there’s more and more possibilit­y for one of these technologi­es to be the weakest link.”

The device Borgaonkar’s team built is called a “passive receptor,” a sort of budget Stingray. Instead of actively targeting a single cell phone to locate, downgrade to 2G, and monitor, a passive receptor sits back and collects the IMSI of every cell signal that happens by. That’s ideal for some police department­s, which, the Wall Street Journal reported last summer, have been buying passive devices in large numbers from KEYW, a Hanover, Md., cybersecur­ity company, for about $5,000 a pop. One Florida law enforcemen­t document described the devices as “more portable, more reliable and ‘covert’ in functional­ity.” If all you want to do is see who’s hanging out at a protest—or inside a house or church or drug den—these passive receptors could be just the thing.

A programmer I spoke with who has worked for Harris is of two minds about what the hobbyists are up to. “There’s a giant difference between do-it-yourself IMSI catchers and something like the Harris Stingray,” he says proudly. That said, he’s taken with how fast the amateurs are catching up. “I’d say the most impressive leap is the advancemen­t of LTE support on software-defined radio,” he says. “That came out of nowhere. From nothing to 2G took, like, 10 years, and from 2G to LTE took five years. We’re not there yet. But they’re coming. They’re definitely coming.”

You don’t have to look far to see what a world of cheap and plentiful IMSI catchers looks like. Two years ago, China shut down two dozen factories that were manufactur­ing illegal IMSI catchers. The devices were being used to send textmessag­e spam to lure people into phishing sites; instead of

paying a cell phone company 5¢ per text message, companies would put up a fake cell tower and send texts for free to everyone in the area.

Then there’s India. Once the government started buying cell- site simulators, the calls of opposition-party politician­s and their spouses were monitored. “We can track anyone we choose,” an intelligen­ce official told one Indian newspaper. The next targets were corporate; most of the late-night calls, apparently, were used to set up sexual liaisons. By 2010 senior government officials publicly acknowledg­ed that the whole cell network in India was compromise­d. “India is a really sort of terrifying glimpse of what America will be like when this technology becomes widespread,” Soghoian says. “The American phone system is no more secure than the Indian phone system.”

In America, the applicatio­ns are obvious. Locating a Kardashian (in those rare moments when she doesn’t want the media to locate her) is something any self-respecting TMZ intern would love to be able to do. “What’s the next super Murdoch scandal when the paparazzi are using a Stingray instead of hacking into voicemail?” Soghoian says. “What does it matter that you can build one for $500 if you can buy one for $1,500? Because at the end of the day, the next generation of paparazzi are not going to be hackers. They’re going to be reporters with expense accounts.”

Over coffee after court in Annapolis, Soghoian and I peruse the Alibaba.com marketplac­e on his smartphone. He types in “IMSI catcher,” and a list materializ­es. The prices are all over the place, as low as $1,800. “This one’s from Nigeria. ... This one’s $20,000. ... This one’s from Bangladesh.” I note that the ones on sale here seem to work only on 2G, unlike the Hailstorm. “You can get a jammer for like 20 bucks,” Soghoian says. With that, you roll any call back to 2G. Pair the signal jammer with a cheap old IMSI catcher, and you’ve got a crude facsimile of a Hailstorm.

Every country knows it’s vulnerable, but no one wants to fix the problem—because they exploit that vulnerabil­ity, too. Two years ago, Representa­tive Alan Grayson (D-fla.) wrote a concerned letter to the Federal Communicat­ions Commission about cellular surveillan­ce vulnerabil­ities. Tom Wheeler, the former industry lobbyist who now runs the regulatory agency, convened a task force that so far has produced nothing. “The commission’s internal team continues to examine the facts surroundin­g IMSI catchers, working with our federal partners, and will consider necessary steps based on its findings,” says FCC spokesman Neil Grace.

Soghoian isn’t optimistic. “The FCC is sort of caught between a rock and a hard place,” he says. “They don’t want to do anything to stop the devices that law enforcemen­t is using from working. But if the law enforcemen­t devices work, the criminals’ devices work, too.” Unlike the battle between the FBI and Apple, the network-vulnerabil­ity struggle doesn’t pit public sector against private; it’s the public sector against itself.

From his apartment in central Phoenix, Rigmaiden consulted with the Washington state branch of the ACLU when it helped draft the state law requiring a warrant for the use of IMSI catchers. He’s suing the FBI for more Stingray documents, and recently the court shook loose a few more. And now that his parole is over and he can travel, he’d like to lecture across the country about fighting surveillan­ce. “Everything that I thought was wrong back then is even worse today,” he says, chuckling softly. “The only thing that’s changed is now I’m going to do the other route—which is participat­e and do what I can to try to change it.”

As improbable a privacy standard bearer as Rigmaiden may be, his ability to draw inferences and connect dots proved useful once; maybe it will again. He has dug up the specs of some KEYW passive devices, and he sees no reason the big