New York City is steeped in signals—the constant chatter of people, the hum of traffic, the visual barrage from bright signs and towering buildings. In NYC, the senses are constantly bombarded with information from all directions. But even if we closed our eyes and somehow quieted the people and stopped the cars, the city is still inundated with signals. While imperceptible to us, we are immersed in the invisible radio frequency signals which bounce from antenna to antenna to connect millions of cellphones to one another.
These invisible signals are easy to forget. Most consumer gadgets hide the complicated underpinnings of how they function. A cellphone would never ask the user which cell tower it should connect to or which satellites the GPS should use. Instead, a sleek interface covers much of the engineering that creates a frictionless experience.
Much of the time, hiding these complicated tidbits makes the user’s experience better, but occasionally the lack of transparency creates security flaws that governments, law enforcement and criminals can use to their advantage. That is the case with your cellphone: some of the most basic protocols that underlie every call and text are vulnerable, and no one knows who is taking advantage of them or how often they are compromised.
Cellphones are easy to trick into giving up information. The devices that are capable of this deceit, cell site simulators, are used by governments and hackers alike to track their prey, but no one knows how many there are or where they might be located. But what if we could hunt the hunters?
“These vulnerabilities are inherent in how 2G, 3G, and 4G function,” said Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation, referencing three common cellular standards. “It doesn't matter what country you are in or what device you have. In short, IMSI catchers will work against any cell phone anywhere in the world.”
A cellphone is programmed to be greedy. When given the choice between two cell towers, one with a strong signal and one with a weak one, the phone will almost always connect to the stronger of the two, even in the middle of a call. An IMSI catcher can be disguised as a regular cell tower and, by adjusting some parameters, it can appear to be the best choice for your phone to connect to. Once that connection is made, any information the phone transmits through the fake tower is potentially exposed to its operator. When the operator relays that traffic onward so the phone keeps working, this is called a “man in the middle” attack.
Normally, when information is sent from a cell phone, the phone passes it to a nearby cell tower to be relayed.
The tower receives the information and sends it on to the intended recipient.
But during a man in the middle attack, the information is first passed to a third party before continuing along the normal route. When this happens, the service remains uninterrupted, but the man in the middle can monitor or even intercept the information before it gets to the recipient.
The phone calls, text messages and location of an ordinary cellphone user may not be that interesting to the man in the middle, but what about a banker, a CEO or the president? If President Trump uses a cellphone that relies on standard cellular technology, his information is at risk too.
In March 2018, for the first time, the Department of Homeland Security publicly acknowledged IMSI catchers may be in use around the capital region. The information was revealed in a letter to Oregon Senator Ron Wyden from Christopher Krebs, a senior official at the Department of Homeland Security.
“The Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region (NCR) that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers,” Krebs said in the letter.
Stingrays are expensive. (Stingray is the brand name of a cell site simulator sold by Harris Corporation; it has become shorthand for the whole category.) Manufacturers like Harris keep the price lists for their cell site simulators hidden behind non-disclosure agreements. This lack of transparency makes it difficult to know exactly how expensive they are, but FOIA requests have shown how much the NYPD has spent on these devices.
In a purchase order placed by the NYPD with Harris Corp on March 28, 2013, the department agreed to a $1.2 million purchase for “cellular tracking systems, upgrades and maintenance.” The NYPD extended this agreement after one year to include an additional $333,320 for “new items and maintenance.” The contract was renewed and extended again in April of 2016 for an additional $104,216 for eight items.
Because of their high price and the need for FBI approval to purchase, Stingrays were generally beyond the reach of your average person. But as the techniques used by the equipment became better understood, enterprising engineers discovered they could build a similar device on a budget.
In 2010, at a talk titled “Practical Cellphone Spying” at DEF CON 18, an annual conference in Las Vegas, a hacker demonstrated one of these homemade devices. Kristin Paget took the stage and, after a brief introduction, explained what was about to happen.
“Before we start, a couple of notes on privacy,” Paget said. “First off, cellular phone calls will be recorded during the talk.” She smiled while the crowd lightly laughed. After a brief pause, she added, “surprise,” and the audience’s laughter swelled.
She went on to show the device that would intercept the cellular traffic. It was an underwhelming, almost simple setup: only a laptop, antennas and a Universal Software Radio Peripheral, or USRP.
A USRP is a type of software defined radio. SDRs allow a user to cheaply mimic expensive radio equipment. Traditionally, many attributes of a radio signal, such as its frequency and modulation, are fixed by physical hardware; an SDR can change these properties in software. The ability to quickly, easily and precisely change a radio signal makes SDRs an agile and useful tool for anyone hacking radio frequencies.
Paget booted up her device, and before she had even configured it to resemble an AT&T cellphone tower, 30 phones automatically connected to the fake station.
Paget mentioned that her USRP cost around $1,500. In the ten years since Paget’s talk, the equipment has only become cheaper. Now, comparable SDRs are available online for a few hundred dollars.
“Basically you need to buy a software defined radio and download and configure some software,” said Quintin. “You could probably do it for about $600 and an old laptop.”
Those same SDRs that made building a Stingray at home more feasible also made researching them easier. This led researchers to create new tools to track and potentially trace Stingrays in the wild.
In 2017, researchers at the University of Washington set out to look for Stingrays. Peter Ney, then a PhD candidate, and his team—Ian Smith, Gabriel Cadamuro and Tadayoshi Kohno—developed a sensor system they called SeaGlass. Each device would connect to the nearest cellphone tower, ask for its credentials and store them in a database. They paid rideshare drivers in Seattle and Milwaukee to install the devices in their cars. While they drove around the city, the devices collected readings for eight weeks.
“One of our big motivations was to give solid, scientifically valid data that could be used to help inform journalists and the legal community about where and when IMSI-catcher may be used,” Ney said. “We felt that the only way to actually achieve this goal was to build and deploy a real system that could measure and detect when IMSI-catchers were being used.”
Ney’s team analyzed the data and looked for traces of IMSI catchers. By combing through the dataset for outliers, they were able to identify a few potential IMSI catchers: one at the Seattle-Tacoma International Airport and another at a United States Citizenship and Immigration Services building.
“The anomalies we look for come from how we know IMSI-catcher work and experimental tests we've done in controlled lab environments,” Ney said. “We call these settings and configurations that we expect from an IMSI-catcher ‘signatures’, and our goal is to see if any of the cell towers in our data set match these signatures.”
These anomalies include spoofed transmissions, unusual channel switching and unexpected broadcast properties. In the case of the USCIS building, the data showed a tower that transmitted on six different channels or frequencies. According to their data, most cell towers only broadcast from one channel and, very rarely, as many as three. Six channels from one antenna was a clear outlier.
At Seattle-Tacoma airport, the team was able to collect over 2000 readings. Most of these were perfectly normal, but one reading stood out.
Cell towers transmit information about their configurations and properties on something called a Broadcast Control Channel, or BCCH. The information sent on this channel, along with the signal strength, is the main factor a phone takes into account before choosing which tower to connect to. At the Seattle airport, the settings on the BCCH were consistent for all but one reading, in which four of the settings were outside the previously measured ranges.
Ney and his team were never able to completely confirm that either of these readings were IMSI catchers.
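The two signatures described above, a single cell identity heard on an unusual number of channels and a reading whose BCCH settings leave the ranges previously seen for that cell, can be expressed as a small scan over a table of tower readings. The block below is an added example written for this article; it is not SeaGlass code, and its field names, thresholds and sample readings are constructed assumptions chosen to mirror the anomalies the text describes (six channels from one cell, four BCCH settings out of range), not real measurements from the study.

```python
"""Toy IMSI-catcher signature scan over constructed cell-tower readings.

Added example, not SeaGlass code. Field names, thresholds and sample
values are assumptions chosen to mirror the two anomalies described in
the article: one cell identity on many channels, and a reading whose
broadcast (BCCH) settings fall outside ranges previously seen for that cell.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    site: str        # where the sensor was (constructed label)
    mcc: int         # mobile country code
    mnc: int         # mobile network code
    cell_id: int     # cell identity the tower advertises
    lac: int         # location area code (BCCH)
    arfcn: int       # channel number the broadcast was heard on
    rssi: int        # signal strength in dBm
    cro: int         # cell reselection offset (BCCH); high values lure phones
    t3212: int       # periodic location-update timer (BCCH), in deci-hours
    neighbors: int   # size of the advertised neighbour list (BCCH)

    def cell_key(self):
        # LAC is deliberately left out of the key so a spoofed LAC shows up
        # as a deviation of a known cell rather than as a brand-new cell.
        return (self.mcc, self.mnc, self.cell_id)


BCCH_PARAMS = ("lac", "cro", "t3212", "neighbors")


def multi_channel_cells(readings, max_channels=3):
    """Signature 1: a cell identity heard on more than max_channels channels.

    The article reports real towers on one, rarely up to three, channels;
    six from one identity was the USCIS outlier.
    """
    channels = defaultdict(set)
    for r in readings:
        channels[r.cell_key()].add(r.arfcn)
    return {k: sorted(v) for k, v in channels.items() if len(v) > max_channels}


def bcch_outliers(readings, min_baseline=5, min_deviations=2):
    """Signature 2: a reading whose BCCH settings leave the ranges seen so far.

    Readings are processed in collection order; the first min_baseline
    readings of each cell only build its baseline and are never flagged.
    Returns a list of (reading, [deviating parameter names]).
    """
    ranges = defaultdict(dict)   # cell_key -> param -> (low, high)
    seen = defaultdict(int)
    flagged = []
    for r in readings:
        key = r.cell_key()
        if seen[key] >= min_baseline:
            deviant = [p for p in BCCH_PARAMS
                       if not ranges[key][p][0] <= getattr(r, p) <= ranges[key][p][1]]
            if len(deviant) >= min_deviations:
                flagged.append((r, deviant))
        for p in BCCH_PARAMS:
            v = getattr(r, p)
            low, high = ranges[key].get(p, (v, v))
            ranges[key][p] = (min(low, v), max(high, v))
        seen[key] += 1
    return flagged


def sample_readings():
    """Constructed readings; not real measurements."""
    rows = []
    # A normal cell near an airport: stable BCCH settings, rssi wobbles.
    for rssi, nb in [(-71, 6), (-74, 6), (-69, 7), (-77, 5), (-72, 6), (-70, 6)]:
        rows.append(Reading("airport", 310, 410, 4711, 7001, 128, rssi, 0, 10, nb))
    # One reading from the same identity with a new LAC, a high reselection
    # offset, a very short location-update timer and no neighbours: four
    # settings outside the cell's history, as in the airport anomaly.
    rows.append(Reading("airport", 310, 410, 4711, 9999, 128, -55, 60, 1, 0))
    # A normal downtown cell on a single channel.
    for rssi in (-80, -82, -79):
        rows.append(Reading("downtown", 310, 260, 1501, 7010, 600, rssi, 0, 10, 8))
    # A cell identity heard on six different channels near a federal building.
    for arfcn in (512, 514, 516, 518, 520, 522):
        rows.append(Reading("uscis", 310, 260, 2200, 7010, arfcn, -68, 0, 10, 8))
    return rows


def scan(readings):
    """Run both signatures; returns (multi-channel cells, BCCH outliers)."""
    return multi_channel_cells(readings), bcch_outliers(readings)


if __name__ == "__main__":
    multi, outliers = scan(sample_readings())
    for key, chans in multi.items():
        print("multi-channel cell", key, "on channels", chans)
    for r, params in outliers:
        print("BCCH outlier at", r.site, "cell", r.cell_key(), "deviating:", params)
```

Two design choices matter in practice. The baseline is built per cell identity and in collection order, so a cell that has only just been seen cannot be flagged; this is why a single short sweep, as opposed to a longitudinal one, tends to come back clean. And the LAC is kept out of the cell key on purpose: a fake tower that clones a real cell but advertises a different location area forces phones to re-register, which is exactly the kind of deviation this scan should catch rather than silently treat as a new tower.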
Milwaukee and Seattle have an abundance of targets for someone wanting to intercept information from a cell phone, but they do not have anywhere near the density of targets of NYC. New York is the epicenter of business, media and politics in the U.S. IBM, Facebook and Google all have a home here. The New York Stock Exchange handles billions of dollars a day. The United Nations hosts diplomats, dignitaries and staff from countries around the world. The NSA, DHS, FBI and CIA all have a presence in New York, not to mention the NYPD, one of the largest police forces in the nation. If you wanted to find someone worth spying on, New York City is the place to do it.
Ney and his team didn’t stop working on SeaGlass after their first sweep. “We viewed it as a prototype to test our methodology and to start working with real data,” Ney said. Soon after they published the paper, Ney and his team began to develop more advanced equipment.
Before setting out to find Stingrays in NYC, I had to devise a strategy. I knew the types of locations that might be vulnerable to attack—the United Nations, Wall Street, IBM research centers. With a long list of candidates, I created a map of potential targets in Manhattan. Since the devices I would use to collect readings were still new, I only had access to two of them. After a few test sweeps, one malfunctioned, leaving just one device for our hunt. I cut the list of targets down to concentrate on the densest areas of the island.
To find a Stingray the devices would need to be in the right place at the right time. In other words, one of our sensors would need to be within range of a Stingray at the exact time it was powered on. There needed to be an overlap of time and place. After a few practice runs to test the devices and the readouts, and one incredibly long day on a Citi Bike, I had a basic lay of the land. Now it was time to start collection.
Over the course of four days and 105 miles, the sensor was driven around the city in the bag of a bike messenger, Sandro Luna. After responding to a Craigslist ad and with the promise of $50 a day, Luna carried my sensors while he delivered packages. All the while, he was passively collecting information about every cell tower he passed.
If these devices were in widespread use, there is a good chance Luna would have passed one. Over the course of four days, he traveled from the upper west side, to the tip of the island and almost everywhere in between. He passed the UN, embassies and consulates from many different countries, big banks, Wall Street and more than a few local and federal law enforcement and government buildings.
We delivered the data to Ney for analysis. His team is working to create algorithms that can automatically sense outliers in their data, but they were not ready for testing at the time. For now, he looks through the data row by row looking for anomalies. Ney spent a few days combing through what we delivered and called me over the weekend to tell me the results. The data Luna had collected was clean and painted a portrait of the “normal” RF landscape of New York, but there was nothing that looked like a Stingray.
“When I analyzed the data you gave me, I had two thoughts,” Ney said. “One, you collected a solid amount of data—enough to do some pretty good analysis, but nothing longitudinal. And two, it looked very normal.”
We did a thorough job of collecting this data and the result is a map of the 3G radio spectrum across lower Manhattan. Since identifying IMSI catchers requires an understanding of what the radio spectrum normally looks like, the data we collected can be used as the baseline to which new data are compared.
“This can make it easier to identify any future changes in the cellular network that could be indicative of an IMSI-catcher transmission,” Ney said.
The findings are inconclusive. While the data did not show any IMSI catchers being used in New York City, that does not mean they are not there. As Ney mentioned, there simply was not enough data to do the sort of prolonged or longitudinal study that makes Stingrays easier to identify. Since so little is known about the capabilities of newer models of Stingrays, it is also impossible to know whether whoever is operating IMSI catchers is using new tricks researchers like Ney have not discovered yet. Finally, the devices were only searching on the 3G network. This older standard has more exploitable flaws than the newer 4G. This is still relevant because IMSI catchers can force a target phone to fall back to the less secure network if it appears to offer better connectivity, a technique known as a downgrade attack.
Hunting Stingrays is a little like hunting anything else. It requires a wealth of patience, the right tools and a dose of good luck. The hidden signals are elusive even to the trained eye, and they are obscured by the noise of regular transmissions. But that does not mean IMSI catchers are undetectable; we just need more people watching for them.
Ney says he and his team will continue to develop their sensors and refine their algorithms. One day, they hope to release the tools to the world as open source software so more people can map the invisible RF spectrum.