Cellphone Surveillance & Cell-Site Simulator Detection & Decommissioning
This global organisation faced several eavesdropping and unauthorised surveillance challenges that differed from region to region. Specifically, the customer had become aware that it was the target of a concerted campaign by a state actor in one region, and was also dealing with an aggressive competitor in another region that spanned several nations.
The Customer Brief to CommsLock
The customer perceived, and had good reason to suspect, that they were exposed to a broad range of threats in both the physical and the cyber domain. They requested assistance specifically with respect to the attack vector of cellphone surveillance using cell-site simulators. The assignment for CommsLock was to determine the presence of these simulators, establish their location using triangulation methods, and, in some instances, decommission them.
The CommsLock team were tasked as follows:
1. Identify Rogue Access Points (RAPs), i.e. devices equipped with wireless cards that pose as legitimate infrastructure.
- Mobile devices with wireless cards will more often than not seek to connect automatically to the access point that emits the strongest signal. RAPs exploit this to auto-connect mobile devices in a defined vicinity: an attacker will normally determine the location of the nearest licensed cell tower and then place their wireless access point between the target and the legitimate service, giving the best chance of emitting the strongest signal and thus tricking the mobile device into auto-connecting to the attacker's infrastructure.
- All of the target's network traffic can then be manipulated by the attacker. What makes this attack strategy particularly dangerous is that the attacker does not even need to be on a trusted network to carry it out. The key to successful deployment and interception is achieving close enough physical proximity.
2. Detect dirtboxes (or DRT boxes): cell-site simulators that act as fake cell phone towers using IMSI (International Mobile Subscriber Identity) catcher technology. The terminology used in public discourse about these methods is confused, and you will variously hear them described as StingRay devices, StingRay clones, IMSI catchers, DirtBoxes, fake WiFi hotspots, and cell-site simulators. These terms refer to different hardware deployments, and some refer to the attack methods used to eavesdrop once a device has been tricked into connecting.
Defining the Types of Cellphone-Surveillance Solutions
“StingRay is an IMSI-catcher that was designed and commercialized by the Harris Corporation, but the name has since come to be used loosely to refer to several types of cellphone-surveillance solutions.
The StingRay cellular-surveillance system costs as much as $400,000 in the basic configuration, and its price varies with add-ons. The IMSI-catcher is a surveillance solution used by military and intelligence agencies for telephone eavesdropping. It allows for intercepting mobile phone traffic and tracking the movements of mobile phone users. An IMSI catcher operates as a bogus mobile cell tower that sits between the target mobile phone and the service provider’s real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that cannot be detected by users without specific products that secure communications on mobile devices.”
(Source: ZD Net)
When a device is tricked into connecting to a StingRay station, this allows law enforcement to:
- Perform data extraction from cellular devices
- Collect information that identifies a cellular device (e.g. IMSI, ESN) directly from it over the air
- Run Man In The Middle attacks to eavesdrop on communications content
- Write metadata to the cellular device
- Run Denial of Service, preventing the cellular device user from placing a call or accessing data services
- Acquire the personal information of the device user
- Intercept calls and intercept internet traffic
- Send fake texts and inject malware on the device at will
- Track the location of targets
- Force an increase in signal transmission power and force an abundance of signal transmissions
Law enforcement uses StingRay to mitigate the risk posed by cyber criminals and foreign state-sponsored hackers, but it is also deployed as a citizen-tracking tool. Law enforcement and intelligence agencies can target a specific individual, analysing incoming and outgoing calls and mapping the target's social network. The principal problem with the adoption of StingRay cellphone-surveillance technology is that, unlike other solutions, it targets all nearby cellular devices, allowing an attacker to get information from hundreds of devices concurrently.
As explained by Nathan Freed Wessler, an attorney with the ACLU’s Speech, Privacy & Technology Project:
“StingRay equipment sends intrusive electronic signals in the immediate vicinity, sinking into private buildings and siphoning data about the locations and identities of cellphones inside.”
“5G technology will be a game-changer, offering new possibilities for technical surveillance. With every 5G device always connected, it will make it much, much harder for counter-surveillance companies to detect 5G listening devices.”
(Source: The Latest Cyber Technical Surveillance Counter-Measures by Dr. Adrian Wong)
Active & Passive Modes
StingRay equipment operates in active and passive modes. The StingRay system is typically installed in a vehicle so that agents can move it into any neighbourhood. It tricks all nearby cellular devices into connecting to it, allowing law enforcement access to their data. In active mode the device simulates the behaviour of a wireless carrier cell tower: it forces each cellular device in a predetermined area to disconnect from its legitimate service provider cell site and establish a new connection with the attacker’s StingRay system. To do so, the StingRay broadcasts a pilot signal that is stronger than the signals sent by legitimate cell sites operating in the same area, forcing connections from every cellular device in the area covered by the equipment.
In passive mode, it actively interferes with cellular devices performing operations like data exfiltration. A StingRay operating in passive mode is able to receive and analyse signals transmitted by mobile devices and wireless carrier cell stations. The term “passive” indicates that the equipment does not communicate directly with cellular devices and does not simulate a wireless carrier cell site. Base station surveys in this mode allow extraction of information on cell sites, including identification numbers, signal strength, and signal coverage areas. In this mode the StingRay operates like a mobile phone, collecting the signals sent by cell stations near the equipment.
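The base-station survey described above is also the starting point for detection: compare the cells currently visible at a site against a baseline survey of the same site and flag anything that is new, anomalously strong (the "stronger pilot" behaviour of active mode) or inconsistent with what that cell identifier previously announced. The following is an added example written for this page, not CommsLock's tooling; the survey records, baseline values and the 15 dB margin are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed survey records (not from the page). Fields follow a
# typical base-station survey: cell identifier, location area code,
# operator codes (MCC/MNC) and received signal strength in dBm.
@dataclass(frozen=True)
class CellObservation:
    cell_id: int
    lac: int
    mcc: int
    mnc: int
    rssi_dbm: int

# Assumed baseline: cells recorded in an earlier survey at the same site.
BASELINE = {
    1001: CellObservation(1001, 300, 234, 15, -78),
    1002: CellObservation(1002, 300, 234, 15, -85),
    1003: CellObservation(1003, 300, 234, 15, -91),
}

# Constructed current survey: one cell never seen before with an
# abnormally strong pilot, and one known cell ID announcing a new LAC.
CURRENT_SURVEY = [
    CellObservation(1001, 300, 234, 15, -80),
    CellObservation(1002, 300, 234, 15, -84),
    CellObservation(7777, 999, 234, 15, -52),
    CellObservation(1003, 412, 234, 15, -90),
]

def flag_suspect_cells(survey, baseline, margin_db=15):
    """Return (cell_id, reason) pairs worth investigating.

    Heuristics (illustrative, not any vendor's logic):
    - cell identifier absent from the baseline
    - pilot at least margin_db stronger than the strongest baseline cell
    - known cell identifier whose LAC/MCC/MNC differ from the baseline
    """
    strongest_known = max(b.rssi_dbm for b in baseline.values())
    findings = []
    for obs in survey:
        known = baseline.get(obs.cell_id)
        if known is None:
            findings.append((obs.cell_id, "unknown cell identifier"))
        elif (known.lac, known.mcc, known.mnc) != (obs.lac, obs.mcc, obs.mnc):
            findings.append((obs.cell_id, "network parameters changed"))
        delta = obs.rssi_dbm - strongest_known
        if delta >= margin_db:
            findings.append((obs.cell_id, f"pilot {delta} dB above baseline"))
    return findings
```

A single flagged survey is a lead, not proof: legitimate carriers add cells and re-plan location areas, so a finding should be confirmed by repeat surveys and, as in the engagement described here, by triangulating the emitter.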
The Outcome of the CommsLock Review
Using our Adaptive Threat Defense Management tools, CommsLock detected several RAPs and cell-site simulators in the vicinity of the organisation's offices in nine geographically dispersed locations. These were localities of little or no interest to law enforcement, which suggested that they were not “legitimate” LE-deployed StingRay devices. When triangulation allowed CommsLock to locate several of these devices, it was clear that they did not fall into the “legitimate” category, and their locations clearly indicated that the “object of interest” was our customer.
We stated in our report to the customer:
“The resources required to install these “dirty boxes” are not excessive and are available for purchase online to the average citizen or activist group with tech-savvy members. If you as our client do not take responsibility for adopting the Cyber Technical Surveillance Counter Measures that CommsLock has recommended, then whoever is responsible will be able to exfiltrate data from anyone who inadvertently connects to the network or is not familiar with cybersec best practice. Also, if this hacking / surveillance method is deployed in the area, whoever is responsible is an active operator – this is not a passive tactic – and they will therefore more than likely have deployed other attack vectors. The number of threat surfaces in the buildings we surveyed, and our assessment of your employees' cyber-hygiene attitude, suggest that the threat your organisation faces is at the top end of the range. We would advise immediate remediation measures and the immediate implementation of the tools we have recommended, in parallel with extensive employee training. Without this, your organisation currently represents a target-rich environment.”