Stingrays Can Do More Than You Ever Imagined: Law Enforcement, Cellphone Interceptions, and Countermeasures

Previously, we reported on the existence of stingrays, also known as `IMSI catchers’, which are used by law enforcement as mobile cellphone towers. Stingrays intercept location and other data from all cellphones in the area, redirecting the traffic from regular cellphone towers. They can be used to get cellphone data without having even to go through phone companies to get it.

Thanks to the case US v. Rigmaiden and terrific reporting from Kim Zetter on the Threat Level blog at Wired, we now have a much more comprehensive picture of how they work and what they can do. It turns out that Stingrays have been around for longer, can do much more and are much more widespread than we might have supposed, and that how much they are really used may well be unknown to the courts.

Use of Stingrays Could Destroy The Fourth Amendment

In the Rigmaiden case, which involves identity theft, the government is arguing that it can collect information on all cellphone users within a given area, and that provided it then discards the information of subscribers who are not Rigmaiden, the Fourth Amendment’s “particularity” requirement is not violated. We strongly disagree. An essential part of the Fourth Amendment is that it requires law enforcement to describe ahead of time the specific person or persons to be searched. If the courts adopt the government’s interpretation here, then the Fourth Amendment would be converted into a license for the government to search everyone’s information, provided that the government agent intended to discard the information of people who were not the target of the warrant. Let’s be realistic; if information were gathered from a bystander’s cellphone that disclosed an intent to commit a crime, does anyone believe that law enforcement would discard the information and not act upon it?

Law enforcement, without actual evidence to believe that someone is planning or engaging in criminal activity, is supposed to presume that they are innocent, and to leave them alone.

Stingrays Can Reprogram The Permissions on Your Devices

Mr. Rigmaiden’s air card, which he used to connect to the Internet from his phone, was set up so as not to connect to unrecognized networks. Verizon and law enforcement worked together to forcibly reprogram it so that it would accept incoming calls from the FBI that would disclose his exact location. So, if you set up your devices in a manner intended to make them secure not only from law enforcement but also from security threats from criminal actors, and then law enforcement wants access to them anyway, they will happily go ahead and do what for anybody else would be criminal hacking under the Computer Fraud and Abuse Act.

This is the irony of the current clamor for “cybersecurity.” Law enforcement does not want you to be able to take steps to make your devices secure, whether you are a private individual or a corporation. The FBI is, in fact, emphatic about the need for “back doors” that would allow law enforcement access to every device. However, doors don’t care who goes through them; opening a back door for law enforcement also inherently makes devices vulnerable to exactly the kind of of cybersecurity attacks that the government claims to be concerned about. The Stingray and the FBI’s proposed back doors damage the property of every digital device user.

Stingrays Have Become Much More Mobile and Portable

From being about 50cm high in the 1990s, modern stingrays have become much more portable, like any other device, and are now usually referred to as being “suitcase-sized.” The excellent Texas-based privacy blog Grits for Breakfast reported last month that the FBI has acknowledged using them very commonly for at least five years, and carrying them around in vans, but it also looks like law enforcement officers no longer need to use vans to conceal the equipment; they can simply walk through a crowd while carrying them. Slate reports that they have become portable enough for them to be used by private parties as part of extortion schemes. A British privacy group also appears to have developed an “IMSI catcher catcher” which will detect the use of IMSI catchers in the surrounding area.

UPDATE 2: And is anyone else seeing here a convergence between stingray and drone technology? Flying stingrays, baby. You heard it here first.

Judges Don’t Know What They’re Dealing With

One problem with stingrays is that the judges who approve “pen register” surveillance warrants are often not aware that such an intrusive tool is being used. The warrant will not typically name the technology, but will talk in general about intercepting “cellphone location” data. This means that judges have no occasion to find out about what technologies are being used or how intrusive they are, and also that the public has no way of knowing how many of the pen register warrants issued across the nation are really for the use of stingrays or comparable devices, rather than for more conventional requests to phone companies for cellphone location data.

UPDATE: The ACLU obtains the smoking gun corroborating that this is happening.

Conclusion

Technologies, once released, cannot easily be suppressed. Law enforcement has been using stingrays for many years. But we hope that the Rigmaiden case will lead to a definitive ruling on the merits that IMSI catchers violate the Fourth Amendment, because they cannot be used without violating its particularity requirements. Therefore, no warrant can be devised that would both meet the requirements of the Fourth Amendment and permit the use of stingrays by law enforcement. Meanwhile, I’m going to chase up on the “IMSI catcher catcher”, and see if I can get one!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.