A proposed method for triangulation of rogue IMSI catchers (a.k.a. “Stingray” devices) by @mitchellpkt



Mitchell P. Krawiec-Thayer, PhD


Stingrays are on the loose in Washington D.C.

It has been widely reported this week (AP, NPR, Washington Post, BBC) that Washington D.C. and other undisclosed cities are exhibiting anomalies that appear to be due to unauthorized and unknown IMSI catchers (such as the notorious “stingray” devices). These spying devices are often used by law enforcement to track individuals, intercept texts, and listen to calls. (The ACLU keeps an updated list of federal agencies known to employ IMSI catchers for domestic surveillance.)

The suspected existence of rogue IMSI catchers with unknown operators in American cities was disclosed in a letter (and its attachment) from the Department of Homeland Security to Oregon Senator Ron Wyden, dated 26 March 2018.

The letter acknowledges that the “use of IMSI catchers by foreign governments may threaten U.S. national and economic security,” and admits that the U.S. is unprepared for detecting such a threat:

“[The Department of Homeland Security does not currently have] the technical capability to detect IMSI catchers. To support such a capability, DHS would require funding to procure, deploy, operate and maintain the capability, which includes the costs of hardware, software, and labor.”

We need a net to catch these stingrays

In this article, I propose a simple “net” that legitimate federal agencies could cast over Washington D.C. (or any other area) to map the locations of unauthorized IMSI catchers. This undetectable counterattack is nonintrusive, inexpensive, and would require no new technology.

Honeypot devices that appear to be victims’ cell phones should be placed in a grid throughout the region of interest. A blacklist of the honeypots’ identification information (IMSI/ESN) would be provided to all authorized service providers in the area. At a predetermined coordinated time, the legitimate cell towers implement the blacklist and drop all connections to the honeypot devices.

Any honeypot cell phones that appear to stay connected to a “cell tower” are actually interacting with an IMSI catcher! Once all legitimate cell tower connections are denied, the honeypots that are still receiving service must be physically near unauthorized IMSI catchers that are unaware of the blacklist.

To better locate the source of the rogue signals, the net controller can slowly lower the signal broadcast power on the devices. The positions of the IMSI catchers can then be pinpointed from the honeypots that stay connected longest due to stingray proximity.
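The blackout and power-lowering steps above, carried through as a small simulation (an added example, not code from the article). It goes one step beyond the text by converting each honeypot's lowest working power into a range and trilaterating. The log-distance path-loss model, its constants, the grid layout and the simulated station position are all assumptions made for illustration.

```python
import math

# Assumed log-distance path-loss model and constants (not from the article):
# an uplink sent at tx_dbm is heard at d metres if tx_dbm - (PL0 + 10*N*log10 d) >= SENS.
PL0, N, SENS = 40.0, 3.0, -100.0  # loss at 1 m (dB), exponent, sensitivity (dBm)

def min_power_to_reach(d_m):
    """Lowest honeypot transmit power (dBm) still heard at distance d_m."""
    return SENS + PL0 + 10 * N * math.log10(max(d_m, 1.0))

def run_blackout(honeypots, catcher, max_dbm=23.0, step=1.0):
    """Legitimate towers refuse every honeypot, so only a rogue station can keep
    one attached. Returns {id: lowest power (dBm) at which it stayed attached}."""
    last = {}
    for hp_id, pos in honeypots.items():
        need = min_power_to_reach(math.dist(pos, catcher))
        if max_dbm < need:
            continue  # dropped at once: no rogue station in range
        p = max_dbm
        while p - step >= need:  # controller lowers power one step at a time
            p -= step
        last[hp_id] = p
    return last

def estimate_catcher(honeypots, last):
    """Turn each power into a range, then solve linearised least squares."""
    pts = [(honeypots[i], 10 ** ((p - SENS - PL0) / (10 * N))) for i, p in last.items()]
    if len(pts) < 3:
        raise ValueError("need at least three attached honeypots")
    (x0, y0), r0 = pts[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (x, y), r in pts[1:]:
        ax, ay = 2 * (x - x0), 2 * (y - y0)
        c = r0**2 - r**2 + x**2 - x0**2 + y**2 - y0**2
        a11 += ax * ax; a12 += ax * ay; a22 += ay * ay
        b1 += ax * c; b2 += ay * c
    det = a11 * a22 - a12 * a12  # zero if the honeypots are collinear
    if abs(det) < 1e-9:
        raise ValueError("attached honeypots are collinear")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

# Constructed scenario: 4x4 grid with 400 m spacing, one simulated rogue station.
HONEYPOTS = {f"hp-{i}-{j}": (400.0 * i, 400.0 * j) for i in range(4) for j in range(4)}
CATCHER = (250.0, 300.0)

if __name__ == "__main__":
    attached = run_blackout(HONEYPOTS, CATCHER)
    print("still attached during blackout:", sorted(attached))
    print("estimated position (m):", estimate_catcher(HONEYPOTS, attached))
```

The 1 dB power step quantizes each range estimate, so the position error shrinks as the controller lowers power in finer steps.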

Keeping it safe to swim

The net described above should be quickly implemented using extant inexpensive technology to definitively map the scale of the rogue stingray problem. A honeypot outside the fence of each embassy would quickly identify which foreign governments are scooping up data in this way.

Since updating and activating a device ID blacklist is not a burdensome task for authorized cell tower operators, this could be implemented as a routine procedure. In fact, cooperating law enforcement and telecommunications companies could easily crowdsource the net to any phone on a regional network! When a device is not actively in use, the service providers could momentarily add it to a blacklist and drop all legitimate connections for a few seconds. If the device found and connected to a “cell tower” during the blackout, then it must have been ensnared by a nearby rogue stingray. By routinely detecting nearby IMSI catchers with idle devices, this stingray net could be nondisruptively cast over an entire country.

Thanks @Dad for sending an article about rogue IMSI catchers, which caused me to ponder methods for addressing the current situation in D.C. and elsewhere.


Associated Press: US suspects cellphone spying devices in DC, Frank Bajak, 2018.04.04: https://apnews.com/d716aac4ad744b4cae3c6b13dce12d7e/APNewsBreak:-US-suspects-cellphone-spying-devices-in-DC

NPR: Feds Say They’ve Detected Apparent Rogue Spy Devices In D.C., Merrit Kennedy, 2018.04.04: https://www.npr.org/sections/thetwo-way/2018/04/04/599428495/feds-say-theyve-detected-apparent-rogue-spy-devices-in-d-c

Washington Post: DHS has detected possible cellphone surveillance in D.C. — and doesn’t know who’s doing it, Matt Zapotosky, 2018.04.03: https://www.washingtonpost.com/world/national-security/dhs-says-it-has-detected-possible-cellphone-surveillance-in-dc--and-doesnt-know-whos-doing-it/2018/04/03/f69fbe36-3785-11e8-acd5-35eac230e514_story.html

BBC: Mystery Stingray devices discovered in Washington, 2018.04.04: http://www.bbc.com/news/technology-43639709

MuckRock: Rochester police release unredacted list of Harris Corp StingRay and KingFish products, Curtis Waltman, 2016.12.02: https://www.muckrock.com/news/archives/2016/dec/07/rochester-police-release-unredacted-list-harris-co/

Electronic Frontier Foundation: One Pager on Cell Site Simulators, https://www.eff.org/document/eff-one-pager-cell-site-simulators

New York Times: New York Police are Using Covert Cellphone Trackers, Civil Liberties Group Says, Joseph Goldstein, 2016.02.11: https://www.nytimes.com/2016/02/12/nyregion/new-york-police-dept-cellphone-tracking-stingrays.html

American Civil Liberties Union: Stingray tracking devices: who’s got them? Updated March 2018: https://www.aclu.org/issues/privacy-technology/surveillance-technologies/stingray-tracking-devices-whos-got-them

DHS Letter Cover: https://www.documentcloud.org/documents/4429966-DHS-response-to-Wyden-3-26-18.html

DHS Letter Attachment: https://www.documentcloud.org/documents/4430049-DHS-attachment-in-response-to-Wyden-3-26-18.html

