Stringray device phone technology tricks your cellphone into connecting to the Stingray ‘phone tower’ (your phone doesn’t realize it’s connecting to a cell phone simulator interceptor rather than your provider’s tower – it’s the ultimate in cell phishing), and then sucks down all of your International Mobile Subscriber Identity (IMSI) information, including not only your call details, but even your text messages, email, and other private information. (This is also known as an IMSI catcher.) Now being deployed by local police and sheriff departments, these cell phone interception and eavesdropping devices are not only legal, but they require no warrant, and their use is jealously protected by the Feds.
How the Stingray Works (Infographic from USA Today):
In fact, the Justice Department says of using a Stingray without a warrant, “If a device is not capturing the contents of a particular dialogue call, the device does not require a warrant, but only a court order under the Pen Register Statute showing the material obtained is relevant to an ongoing investigation.”
However, there is no evidence that the agencies and actors using them are even getting a court order at all, and even if they have one, because these devices capture all cell phones keyed to the carrier that the Stingray tower is emulating, the private data of everybody whose phone is tricked by the Stringray can be captured.
In fact, last year, in just one month, 17 of these fake cell phone towers were discovered. Les Goldsmith, the CEO of ESD America, who makes phones that are hardened against being intercepted, said in an article in ComputerWorld that “Interceptor use in the U.S. is much higher than people had anticipated. One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one at South Point Casino in Las Vegas.” Goldmith also pointed out that “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases. Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
But we’re starting to learn who they are.
In Florida it turns out that the Tallahassee Police Department has used a Stingray at least 200 times in the past 5 years.
And just a few months ago, in California, the Sacramento County Sheriff’s department was sued by the ACLU for failure to provide records and information about their Stingray use that had been uncovered a few years previous. (You can read that Stingray IMSI lawsuit here.)
Of course, you may feel for the Sacramento sheriff’s department, as they were likely caught between a rock and a hard place – it is likely that they, like the Erie County sheriff’s department in Buffalo, NY, had to sign a non-disclosure agreement (NDA) with the FBI in order to legally deploy their Stringray.
You can read the full NDA here, but a few of the more interesting bits include:
Disclosing the existence of and the capabilities provided by such equipment/technology to the public would reveal sensitive technological capabilities possessed by the law enforcement community
If the Erie County Sheriff’s Office learns that a District Attorney, prosecutor, or a court is considering or intends to use or provide any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its technical/engineering description(s) and capabilities) beyond the evidentiary results obtained through the use of the equipment/technology in a manner that will cause law enforcement sensitive information relating to the technology to be made known to the public, the Erie County Sheriff’s Office will immediately notify the FBI in order to allow sufficient time for the FBI to intervene to protect the equipment/technology and information from disclosure and potential compromise.
In addition, the Erie County Sheriff’s Office will, at the request the FBI, seek dismissal of the case in lieu of using or providing, or allowing others to use or provide, any information concerning the Harris Corporation wireless collection equipment/technology.
And don’t think for a minute that you are safe if you aren’t in New York, Florida, or California. Because, according to the ACLU, Stingray or similar IMSI sucking cell tower simulators are deployed in at least 18 states.
List of States in which State or Local Agencies are Known to be Using Stingray or Cell Simulator Technology
This ACLU map includes a color-coded key as to what is known about who is using Stingray or other IMSI catching technology in each state:
Teal = local police
Maroon = state and local police
Tan = state police
Grey = unknown (to be clear, it doesn’t mean nobody is using it, it means it is not yet known)
So what, if anything, can you do to avoid having your data slurped up by Stingray or another IMSI catcher?
One of the best things you can do is install an app on your smartphone that will essentially wall off your conversation and text data (typically by encrypting it – so they will still slurp it, but they will have no idea what it says). There is a great article with links to both Android and iPhone apps that do this over at PrivacySOS.org.
There are also Android apps that will alert you to the presence of a Stingray or Stingray-like IMSI catcher tower. They are, in no particular order (and we have no direct experience with them), SnoopSnitch, HammerHead, and Android IMSI Catcher Detector.
So, are you taking measure to protect yourself against Stingray and other IMSI catchers? If so, what measures are you taking?
|Get notified of new Internet Patrol articles!