Local Police May Be Hacking Your Phone: Piercing Secrecy Around Stingrays

Without your knowledge or permission, your smartphone’s calls could be being intercepted right now by your local police department, and your taxes are definitely being misused to pay for unconstitutional police snooping.


We have reported before on “stingrays”, which started being used by local police departments in around 2006. These devices impersonate a cellphone tower and intercept the calls that would otherwise flow to other actual nearby towers. Initially bulky, stingrays can now be laptop-sized or smaller, and the most advanced models are light enough to be carried by drones. Police departments conceal their use of this technology when applying for warrants to conduct surveillance, so judges can’t distinguish between applying for a “regular” interception on an individual phone and a stingray interception which gathers all traffic from nearby cellphone towers. The devices’ main manufacturer, Harris Corporation, even obliges police departments contractually to conceal their use of stingrays. The Obama administration is so keen to preserve the cloak of secrecy around stingrays that they sent in the US Marshals to prevent the ACLU from obtaining documents relating to stingray use by a north Florida police department. The courts are beginning to recognize the intrusive nature of cellphone tower dump data, but have not yet grappled with the fact that using stingrays, law enforcement don’t have to ask a cellphone company for the data; they can just suck it up without permission.

Now there is a new way to rip that cloak. Popular Science quotes the CEO of ESD America, which manufactures the $3,500 “CryptoPhone 500”, eagerly describing how his phones could detect when stingrays were being used in their vicinity. While testing the CryptoPhone 500 in August, users found 17 sites around the country where stingrays appeared to be being used on passersby. They could detect the use of stingrays because stingrays downgrade your connection from 4G to the less secure 2G and then turn off your phone’s encryption. Normal Android smartphones or IPhones are oblivious to this process.

Twitter users have been speculating whether these 17 sites map onto the sites of fusion centers around the country. Since we’re familiar with both stingrays and fusion centers, we can say conclusively that they don’t. Most sites seem to be in commercial areas, not around fusion center or military locations. ESD is not providing the precise site locations, and stingrays’ mobility further complicates the process of detecting them. We think that CryptoPhone users have captured what is likely to be only a small subset of stingray usage not by fusion centers, or by the NSA, but by regular local police departments around the nation. We’re supporting the efforts of researchers like Muckrock who want to get more transparency about stingray use by police departments, and to keep an eye out for proposals in your community to “upgrade” police department technology.

So, do we all have to go out and upgrade to the CryptoPhone 500 in order to feel safe in our communications? Well, no; there’s another, cheaper way to find out whether the government is using stingrays in your community.

In the next few years the major cellphone carriers are going to be turning off their insecure 2G, and it will no longer be possible to force phones down to 2G to intercept their calls or metadata. Harris Corporation, of course, has a solution: Government purchasers of stingray systems can buy their new, expensive “Hailstorm” upgrade, which can penetrate 4G. However, governments that do upgrade to Hailstorm will create a paper trail, and members of the public can find out about that. A simple FOIA request to your local jurisdiction asking for details of any documents including the words “IMSI catcher” (the technical term for stingrays), “Harris Corporation” or “Hailstorm” should work wonders, and will cost a lot less than a CryptoPhone 500.

When will these costs be added to the long list of the expenses of the mass surveillance state? Every time a security-conscious user feels that they have to buy a much more expensive smartphone, and every time a private vendor sells law enforcement on expensive technology upgrades deemed essential to maintain their unconstitutional surveillance of Americans’ communications without individualized probable cause, the costs of surveillance rise. They have us both going and coming: Your and my taxes will be used to upgrade law enforcement’s surveillance of us, and to insulate law enforcement’s own communications from surveillance by us (“ESD America’s Clients include Government, Intelligence, Police, Military, Narcotics Task Forces and Royalty.”)

But don’t forget, folks: If we don’t allow this to happen, The Terrorists Will Win. Or something. It’s the Islamic State this month, right? But can we at least note that police departments doing this are committing what would, for ordinary, non-uniformed citizens, be a felony?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.