LAPD & Chicago bought "Stingrays on steroids" with asset-forfeiture & DHS money

[Read the post]

1 Like

I am shocked to find gambling in this casino.


Is there a way to detect if you’re connecting to a fake tower or intermediate? Can the cell companies tell they have a stowaway? Can anyone just go buy one of these with a couple bitcoins, are they legal to own and operate?


Paging @shaddack

Here I am.

Some apps out there.

The methods work only on certain cellphones due to specific hardware compatibility requirements (Qualcomm chipset for Snoopsnitch, for example).

The general way to detect an IMSI catcher is by correlating the surrounding cell information with a known-good database, monitoring the cell signal strength to check if something tries to overpower the signal locally, and so on.

The IMSI catcher can be implemented in a rough form on a software-defined radio with open software, so there are test platforms for the countermeasure systems which are under development. The AIMSICD is already in alpha and downloadable as source.


I should go read the source before axing questions… But wouldn’t that be quite false positive prone? Do you really need a DB of known towers?

It sure seems like a diffie Hellman between two handsets over the data layer between two third party apps, with certs is fundamentally better (but it isn’t easy!!!).

Perhaps, @shaddack, we should start up a non profit client cert authority in… Say… Cuba. Sun, beaches, cigars, and strong crypto? Eh? Eh???


The database of known-good ones is crucial, I’d say. Look around, and see what’s new in the “landscape”. The cell companies rarely put up new stuff, and it can be kept track of with relative ease. There are exceptions, like mobile cells used for mass gatherings, but these also can be taken in account.

A nice hack could be a way to locate the cell. Plot the signal strength of the suspicious one vs the position on the map, with omnidirectional antenna works well over short distances (or triangulation by signal strength vs directional antenna orientation, over longer distances). (The signal strength at short distance vs directional antenna at long distance approaches are general.)

That wouldn’t hide you from the catcher. Just conceal the encrypted part of your data. But you’d still be exposed against baseband attacks (see cellphone baseband processor hacking).

Sounds nice. The flaw is the centralized approach. Everything centralized is prone to being infiltrated or otherwise attacked.

It would not hide you from the catcher, and baseband attacks could still be an issue, but every transport layer should be assumed to be compromised. And even highly decentralized environments are vulnerable (bitcoin, tor, and bittorrent are poster children).

But virtual circuits with PFS are pretty good.

1 Like

warrant-proof, huh?

No. Reason #1: It’s jamming legally licensed spectrum. Whether or not calls go through, it’s overpowering the people who have a legal right to the spectrum.
Reason #2: It’s fraud. It’s falsely spoofing a network node in order to gain access to privileged information. This actually runs afoul of the 1987 CFAA as far as I understand it. So there’s that too. People have gotten tens to hundreds of thousands of dollar fines, and jailtime for violating the CFAA in less egregious ways.

What’s funny is that the CFAA technically only deals with “protected computers” which means computers designated solely for the use of government institutuions as well as those designated for the use of the financial industry. Cellphones are computers. A public health worker’s institutionally issued phone getting jammed is interference against a computer for the exclusive use of a government institution.

In other words, I think these stupid, traitors need to be given the Aaron Schwartz treatment. Send them all to prison and drag out their trials until they lose hope and kill themselves.


More to the point, is there any way that, once such a connection was detected, malware could be uploaded to the connected Intercept device, damaging / disabling / controlling it? Or, more probably, malware could be loaded to the intercepted phone, as an added spying method?

1 Like

This could be quite poetic. Would however require some quality time with such device, preferably in a lab. But I can imagine an enterprising hacker rushing to a nearby cafe when the distributed grid alerts to a bogey, and having the time of the day.

MITM, and baseband processor attacks[1]. So, yes.

[1] In quite many phones, the baseband and application processors aren’t properly separated and share memory. The baseband one usually has high level of privileges. Compromise it, and you pwn the whole memory address space and therefore the whole device.

I’m just waiting for the day when, if someone tries to hack my brain, this happens to them:

Attack barriers in GitS are pretty badass.

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.