The Stingray Secret Is Coming Out Of The Closet

Sorry this post is so long, but we are beginning to see more information on how Stingrays work and are used.

As I said the other day in my last Stingray post, the cat is kind of out of the bag (see post), and it is only going to get more so.

Well, along those lines, Wired just wrote a long article (see article) talking about Stingrays.

The article turns up a warrant request from the FBI to use a Stingray against a bank robbery suspect.  So far, so good.  Most people would probably agree bank robbery is not good and we should try to capture robbers.  The warrant was sealed, but a defendant asked the court to suppress the evidence gained from using the Stingray, so the warrant got unsealed.

The FBI agent did not call the device a Stingray; he called it a mobile pen register or trap and trace equipment.  Since most of you are probably not familiar with wiretaps or Stingrays, let me very quickly explain why a Stingray is neither of those two things.  A pen register records the numbers dialed from a target's line and a trap and trace device records the numbers calling in to it; both sit on the line of one person (or maybe a few, depending on what the warrant allows) at the carrier and capture phone numbers, times and so on, not content.  A Stingray sitting in a downtown plaza in a major city might instead sweep up the identifiers (and potentially the calls) of a thousand users or more, and the FBI has a warrant for none of those people's traffic.  We are counting on the FBI to throw away the information that is not covered by the warrant.  That is kind of like counting on the NSA and GCHQ to throw away the disk drive firmware source code they got their hands on in that hard drive hacking story.  NOT going to happen.

The FBI did tell the judge that the mobile pen register could disrupt phone service – but he didn’t say how or for how long.

The way we think Stingrays work is that they send out a stronger signal than the local cell towers, so the phone locks onto the Stingray as if it were the best cell available.  After the Stingray gets the data it wants (the phone's identifiers), it tells the phone to go away, something like a "too busy" or rejection message, and the phone goes looking for a real cell tower.  Since the Stingray can't really handle the call, how disruptive it is depends on how many phones try to lock on to it and how quickly it can turn them away.  At least that is what we think.

The article has a number of links to other articles on Stingrays and the lengths the government has gone to keep the technology secret.  They say this is to stop the bad guys from figuring out a way around them and there is probably some truth to that concern.

There is also some question as to whether Harris, the maker of Stingrays, lied to the FCC when they got approval to sell them.  Apparently, Harris told the FCC that they would only be used in emergencies, but that is clearly not true – unless you have a really broad definition of an emergency.  However, we really don’t know what Harris told the FCC, because those documents are sealed.

The FCC said that if wireless customers experienced unexplained service disruptions they should report it to the FCC and they will investigate.  I could report service disruptions every day, but I doubt most of those are caused by Stingrays.

The article says that Stingrays take advantage of a weakness in the old 2G (GSM) network that was fixed in 3G and 4G: in GSM the phone has to prove who it is to the network, but the network never has to prove who it is to the phone, so any box that looks enough like a cell tower can make the phone cough up its identifiers.  3G and 4G added mutual authentication, so a fake tower that does not know the key on your SIM fails that check.  This means that the Stingray has to jam 3G and 4G signals in order to force the phone to fall back to a 2G connection.  Depending on how long the Stingray jams 3G and 4G and how much 2G capacity the carriers have in any given area, the Stingray might, effectively, disable your cell phone until they move or turn off the Stingray.  One caveat: even a 3G or 4G phone hands over its IMSI in response to an identity request before authentication happens, so staying off 2G limits what a fake tower can do but does not keep it from learning that identifier.
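To make the 2G versus 3G/4G difference concrete, here is an added toy model of the two exchanges. It is not code from the original post and not the real 3GPP algorithms: the message layout, the HMAC-based AUTN and the sample IMSI and key are all constructed for this example. It shows a phone handing over its IMSI before any authentication in both modes, a GSM-mode phone accepting a tower that has no SIM key at all, and an AKA-mode phone rejecting that same tower while still accepting a genuine one (and rejecting a replayed challenge).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Mode selects which authentication rules the phone follows.
type Mode int

const (
	GSM Mode = iota // 2G: the phone never checks who the tower is
	AKA             // 3G/4G-style: the tower must prove it knows the SIM key K
)

// Challenge is what a tower sends after it has learned the phone's identity.
// The MAC construction is a toy stand-in for the real f1 function (assumption
// of this example, not the 3GPP algorithm).
type Challenge struct {
	RAND []byte // random nonce
	SQN  uint64 // sequence number; AKA uses it for replay protection
	AUTN []byte // HMAC(K, RAND||SQN); a tower without K cannot produce a valid one
}

// Phone models a handset with its IMSI and the subscriber key K on the SIM.
type Phone struct {
	IMSI    string
	K       []byte
	Mode    Mode
	lastSQN uint64
}

func nonce(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func authToken(k, rnd []byte, sqn uint64) []byte {
	h := hmac.New(sha256.New, k)
	h.Write(rnd)
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], sqn)
	h.Write(s[:])
	return h.Sum(nil)
}

// GenuineChallenge comes from a tower backed by the home network, which has K.
func GenuineChallenge(k []byte, sqn uint64) Challenge {
	rnd := nonce(16)
	return Challenge{RAND: rnd, SQN: sqn, AUTN: authToken(k, rnd, sqn)}
}

// FakeChallenge is the best an IMSI catcher can do: it has no K, so AUTN is junk.
func FakeChallenge() Challenge {
	return Challenge{RAND: nonce(16), SQN: 1, AUTN: nonce(32)}
}

// IdentityResponse: in every generation the phone answers an Identity Request
// with its IMSI before authentication, so the catcher gets the identifier
// regardless of mode. Mutual authentication only limits what happens next.
func (p *Phone) IdentityResponse() string { return p.IMSI }

// Authenticate returns whether the phone accepts the tower and the RES it would
// send back. A GSM phone skips the AUTN check entirely, which is why a fake
// tower can keep it camped; an AKA phone refuses unless the MAC verifies under
// K and the sequence number is fresh.
func (p *Phone) Authenticate(c Challenge) (accepted bool, res []byte) {
	if p.Mode == AKA {
		if !hmac.Equal(c.AUTN, authToken(p.K, c.RAND, c.SQN)) || c.SQN <= p.lastSQN {
			return false, nil
		}
		p.lastSQN = c.SQN
	}
	h := hmac.New(sha256.New, p.K) // RES/SRES: the phone's proof that it knows K
	h.Write(c.RAND)
	return true, h.Sum(nil)[:8]
}

func main() {
	k := []byte("constructed-sim-key-0123456789ab") // constructed sample key
	for _, m := range []Mode{GSM, AKA} {
		p := &Phone{IMSI: "001010123456789", K: k, Mode: m} // constructed test IMSI
		fmt.Printf("mode=%d identity handed over: %s\n", m, p.IdentityResponse())
		ok, _ := p.Authenticate(FakeChallenge())
		fmt.Printf("mode=%d accepts fake tower: %v\n", m, ok)
		ok, _ = p.Authenticate(GenuineChallenge(k, 1))
		fmt.Printf("mode=%d accepts genuine tower: %v\n", m, ok)
	}
}
```

The point of the model is where the check sits: the identifier leaks in both modes because it is requested before any proof, and only the AKA branch gives the phone a reason to walk away from a tower that cannot compute AUTN.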

This is what the FBI doesn’t want people to know (probably among many other things).  Given the information above, if you can configure your phone to ONLY accept 4G connections, maybe you can defeat the Stingray.  I don’t know for sure, but maybe.

As I said, the cat is out of the bag.  Sen. Bill Nelson (D-FL) asked the FCC to spill the beans.  This is interesting because Harris, who makes the Stingray, is based in Florida.  One question he asked the FCC was what controls did you, the FCC, put in place to make sure that Harris wasn't lying when they told the FCC how it was going to be used (emergency only).  The answer, which I suspect Nelson already knows, is that they did not do anything.

Given that Harris was also Nelson's second biggest campaign donor and he effectively fired a heat-seeking missile at them, I would definitely say that this won't stay under wraps for much longer.  Before I said they could keep it under wraps for 3-5 years.  Now I think that timeline is much shorter.


Maybe it is time to thank Lenovo?

I just wouldn’t buy their computers.

I wrote the other day about the problem Lenovo is having.  They contracted with a company called Superfish and installed some crapware on your computer (if you bought a Lenovo consumer-grade computer) that shoved ads at you.

That wouldn't be that much of a problem – everyone from Facebook to GMail does it – except that it was then discovered that Superfish used a library from Komodia that breaks into your SSL-encrypted traffic, your banking sessions along with everything else, to figure out what ads to show you.

That would have been bad enough on its own, but the way they broke into your SSL (https) traffic also completely compromised the security of your computer: the software installs its own root certificate so your browser trusts the fake certificates it generates for every site you visit, and the private key for that root was the same on every affected machine, so anyone who pulled it out (which researchers did quickly) could impersonate any https site to every one of those computers.
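Here is an added example, written for this page rather than taken from Superfish, Komodia or the Ars Technica article, that shows exactly what a root certificate with a shared private key buys an attacker. It generates a throwaway "ad injection" root (the name, hosts and keys are all constructed for the example), mints a certificate for mail.google.com under it, and then checks the certificate the way a browser would: a machine that has the root installed accepts the forgery, a clean machine rejects it, and even on the victim machine the hostname check still has to match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RootCA stands in for an interception root like the one Superfish installed:
// a CA certificate in the machine's trust store plus the matching private key.
// Everything here is generated on the fly; no real Superfish material is used.
type RootCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRoot creates a self-signed CA. On an affected machine this is the part
// that sat in the Windows trust store with its key shipped alongside it.
func NewRoot(name string) (*RootCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &RootCA{Cert: cert, Key: key}, nil
}

// Forge mints a server certificate for any hostname. The ad proxy does this
// for every https site you visit; so can anyone else holding the root's key.
func (r *RootCA) Forge(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.Cert, &leafKey.PublicKey, r.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts does what a browser does on connect: chain the presented leaf
// to a root it trusts and check the hostname. An empty trusted list models a
// clean machine; the system roots are deliberately not consulted so the
// result depends only on what is passed in.
func ClientAccepts(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	adRoot, err := NewRoot("Ad Injection Root (constructed)")
	if err != nil {
		panic(err)
	}
	leaf, err := adRoot.Forge("mail.google.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("machine with the ad root installed accepts forged mail.google.com:",
		ClientAccepts(leaf, "mail.google.com", adRoot.Cert))
	fmt.Println("clean machine accepts it:", ClientAccepts(leaf, "mail.google.com"))
}
```

Nothing about the forged leaf is detectably wrong from the browser's point of view once the root is trusted; that is why the fix is to remove the root, not to look harder at the site certificates.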

Here is the part where we need to thank Lenovo.  They shined a bright light on some digital cockroaches and there is a lot of scurrying.

Microsoft and other vendors have now, correctly, classified the Komodia software as spyware and flag, quarantine and/or delete it, depending on your system's configuration.  What was discovered was that Komodia sold their software to lots of firms – not just Superfish – so that crap is all around you.  They said on their web site that they had over 100 development firms using their software.  They very blatantly said that hacking your clients' SSL traffic is hard to do, so let us do it for you.

Now, Ars Technica, a well respected geek site, is reporting that researchers have found evidence of Komodia-based attacks against users of GMail, Amazon, eBay and Twitter, among many other sites.

The details are very geeky, so I am not going to bore most people – click on the link above to read the Ars Technica article if you are interested.

Suffice it to say, Komodia is in a world of hurt, business-wise.  Their site was down for a while and no one in the tech world will touch them with a 10-foot pole for fear, rightfully, of guilt by association.

Sadly, what they were trying to do is probably not much worse than what a lot of advertising brokers do – it is just that they took a few “shortcuts” that have come back to bite them in the rear.

The moral of the story is that security MUST be a key component of the development process and an outside advisor (advertisement: like me!) is probably a requirement.  Otherwise, the fox (the developers) will be guarding the henhouse (the architecture and design) and that sometimes does not turn out well.

One last thought that requires that you put on your tin foil hat.  What if an unnamed three letter agency was interested in targeting your web traffic?  Getting you to install some Komodia based software under some guise would allow them to totally own your computer.  Note that I am not saying that Komodia is an NSA plot, but if they were smart, they would do something like this – and probably already have.

That means that you should not count on SSL (https) encryption alone for anything that you really want to be secure: it only protects you as long as nothing on your own machine has been added to the list of certificate authorities your browser trusts.  For that you need a completely different technique, encryption applied end to end that does not depend on the computer's certificate store.

p.s.  Now that people are looking, they have found another product – PrivDog, from the SSL certificate company Comodo – that has a similar problem.  That means that Comodo should be on your S**t list too.
