
L3Harris Stingray - Your phone is compromised


Source: ABC News

The Wikipedia explanation can be read here.


Stingray II Device

Stingray forces nearby cell phones to route through the Stingray, and only then relays the calls to a real cell tower, AFTER harvesting your data, tracking your location, injecting data into your phone, and more.
All cell phones within reach of the Stingray become a map of nodes.

If mounted to every cell tower, then Stingray can intercept all calls, from every cell in the tower's range.


Known modes (source: Wikipedia)


Active mode operations

  1. Extracting stored data such as International Mobile Subscriber Identity (IMSI) numbers and Electronic Serial Number (ESN),[14]

  2. Writing cellular protocol metadata to internal storage

  3. Forcing an increase in signal transmission power[15]

  4. Forcing an abundance of radio signals to be transmitted

  5. Forcing a downgrade to an older and less secure communications protocol if the older protocol is allowed by the target device, by making the Stingray pretend to be unable to communicate on an up-to-date protocol

  6. Interception of communications data or metadata

  7. Using received signal strength indicators to spatially locate the cellular device[9]

  8. Conducting a denial of service attack

  9. Radio jamming for either general denial of service purposes[16] or to aid in active mode protocol rollback attacks


Passive mode operations

  1. Conducting base station surveys, which is the process of using over-the-air signals to identify legitimate cell sites and precisely map their coverage areas


Active (cell site simulator) capabilities

In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (e.g., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay.[17] In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area.[18] A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area.


Extracting data from internal storage

During the process of forcing connections from all compatible cellular devices in a given area, the StingRay operator needs to determine which device is the desired surveillance target. This is accomplished by downloading the IMSI, ESN, or other identifying data from each of the devices connected to the StingRay.[14] In this context, the IMSI or equivalent identifier is not obtained from the cellular service provider or from any other third-party. The StingRay downloads this data directly from the device using radio waves.[19]


In some cases, the IMSI or equivalent identifier of a target device is known to the StingRay operator beforehand. When this is the case, the operator will download the IMSI or equivalent identifier from each device as it connects to the StingRay.[20] When the downloaded IMSI matches the known IMSI of the desired target, the dragnet will end and the operator will proceed to conduct specific surveillance operations on just the target device.[21]


In other cases, the IMSI or equivalent identifier of a target is not known to the StingRay operator and the goal of the surveillance operation is to identify one or more cellular devices being used in a known area.[22]  For example, if visual surveillance is being conducted on a group of protestors,[23] a StingRay can be used to download the IMSI or equivalent identifier from each phone within the protest area. After identifying the phones, locating and tracking operations can be conducted, and service providers can be forced to turn over account information identifying the phone users.


Cellular telephones are radio transmitters and receivers, much like a walkie-talkie. However, the cell phone communicates only with a repeater inside a nearby cell tower installation. At that installation, the device takes in all cell calls in its geographic area and repeats them out to other cell installations which repeat the signals onward to their destination telephone (either by radio or landline wires). Radio is used also to transmit a caller's voice/data back to the receiver's cellular telephone. The two-way duplex phone conversation then exists via these interconnections.


To make this work correctly, the system allows automatic increases and decreases in transmitter power (for the individual cell phone and for the tower repeater) so that only the minimum transmit power is used to complete and hold the call active ("on"), allowing the users to hear and be heard continuously during the conversation. The goal is to hold the call active but use the least amount of transmitting power, in order to conserve batteries and be efficient. The tower system will sense when a cell phone is not coming in clearly and will order the cell phone to boost transmit power. The user has no control over this boosting; it may occur for a split second or for the whole conversation. If the user is in a remote location, the power boost may be continuous. In addition to carrying voice or data, the cell phone also transmits data about itself automatically, and that is boosted or not as the system detects need.


Encoding of all transmissions ensures that no crosstalk or interference occurs between two nearby cell users. The boosting of power, however, is limited by the design of the devices to a maximum setting. The standard systems are not "high power" and thus can be overpowered by secret systems using much more boosted power that can then take over a user's cell phone. If overpowered that way, a cell phone will not indicate the change due to the secret radio being programmed to hide from normal detection. The ordinary user cannot know if their cell phone is captured via overpowering boosts or not. (There are other ways of secret capture that need not overpower, too.)


Just as a person shouting drowns out someone whispering, the boost in RF watts of power into the cell telephone system can overtake and control that system—in total or only a few, or even only one, conversation. This strategy requires only more RF power, and thus it is simpler than other types of secret control. Power boosting equipment can be installed anywhere there can be an antenna, including in a vehicle, perhaps even in a vehicle on the move. Once a secretly boosted system takes control, any manipulation is possible from simple recording of the voice or data to total blocking of all cell phones in the geographic area.[24]


Tracking and locating

A StingRay can be used to identify and track a phone or other compatible cellular data device even while the device is not engaged in a call or accessing data services.[25]


A StingRay closely resembles a portable cellphone tower. Typically, law enforcement officials place the StingRay in their vehicle along with compatible computer software. The StingRay acts as a cellular tower, sending out signals to get the specific device to connect to it. Cell phones are programmed to connect with the cellular tower offering the best signal. When the phone and StingRay connect, the computer system measures the strength of the signal and thus estimates the distance to the device. Then, the vehicle moves to another location and sends out signals until it connects with the phone again. Once the signal strength has been measured from enough locations, the computer system can narrow down the phone's position and find it.


Cell phones are programmed to constantly search for the strongest signal emitted from cell phone towers in the area. Over the course of the day, most cell phones connect and reconnect to multiple towers in an attempt to connect to the strongest, fastest, or closest signal. Because of the way they are designed, the signals that the StingRay emits are far stronger than those coming from surrounding towers. For this reason, all cell phones in the vicinity connect to the StingRay regardless of the cell phone owner's knowledge. From there, the StingRay is capable of locating the device, interfering with the device, and collecting personal data from the device.[26][27]


Denial of service

The FBI has claimed that when used to identify, locate, or track a cellular device, the StingRay does not collect communications content or forward it to the service provider.[28]  Instead, the device causes a disruption in service.[29] Under this scenario, any attempt by the cellular device user to place a call or access data services will fail while the StingRay is conducting its surveillance. On August 21, 2018, Senator Ron Wyden noted that Harris Corporation confirmed that Stingrays disrupt the targeted phone's communications. Additionally, he noted that "while the company claims its cell-site simulators include a feature that detects and permits the delivery of emergency calls to 9-1-1, its officials admitted to my office that this feature has not been independently tested as part of the Federal Communications Commission’s certification process, nor were they able to confirm this feature is capable of detecting and passing-through 9-1-1 emergency communications made by people who are deaf, hard of hearing, or speech disabled using Real-Time Text technology."[30]


Interception of communications content

By way of software upgrades,[31] the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site. The StingRay does this by way of the following man-in-the-middle attack: (1) simulate a cell site and force a connection from the target device, (2) download the target device's IMSI and other identifying information, (3) conduct "GSM Active Key Extraction"[31] to obtain the target device's stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content.


The "GSM Active Key Extraction"[31] performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider.[32] While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device.[33] Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail.

GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1.[34]  However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time.[32] While A5/1 and A5/2 use different cypher strengths, they each use the same underlying encryption key stored on the SIM card.[33] Therefore, the StingRay performs "GSM Active Key Extraction"[31] during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key.[35] Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.[35]


A rogue base station can force unencrypted links, if supported by the handset software. The rogue base station can send a 'Cipher Mode Settings' element (see GSM 04.08 Chapter 10.5.2.9) to the phone, with this element clearing the one bit that marks if encryption should be used. In such cases the phone display could indicate the use of an unsafe link—but the user interface software in most phones does not interrogate the handset's radio subsystem for use of this insecure mode nor display any warning indication.
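One way a handset could surface the warning the text says most user interfaces omit, as an added example written for this page (not code from Wikipedia or from any vendor): it decodes the Cipher Mode Setting element of a GSM 04.08 Ciphering Mode Command and flags a cleared ciphering bit or a downgrade to the export-weakened A5/2. The octet layout (SC bit plus a 3-bit algorithm identifier in octet 3) follows 3GPP TS 24.008 section 10.5.2.9; the sample messages are constructed, not captured traffic.

```python
# Added defender-side example: decode the Cipher Mode Setting IE of a GSM 04.08
# (3GPP TS 24.008) Ciphering Mode Command and report the two conditions the text
# describes: ciphering switched off, or a downgrade to A5/2.

RR_PROTOCOL_DISCRIMINATOR = 0x06  # Radio Resource management (low nibble of octet 1)
CIPHERING_MODE_COMMAND = 0x35     # RR message type (octet 2)

# Algorithm identifier values carried in bits 4-2 of the Cipher Mode Setting IE
A5_NAMES = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4", 4: "A5/5", 5: "A5/6", 6: "A5/7"}
DOWNGRADE_ALGORITHMS = {"A5/2"}   # crackable in real time per the text


def decode_cipher_mode_setting(msg: bytes) -> dict:
    """Decode octet 3 of a Ciphering Mode Command.

    Octet 3 holds Cipher Response in bits 8-5 and Cipher Mode Setting in bits
    4-1. Inside the Cipher Mode Setting half-octet, bit 1 is SC (start
    ciphering) and bits 4-2 are the algorithm identifier.
    """
    if len(msg) < 3:
        raise ValueError("truncated RR message")
    if (msg[0] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not a Ciphering Mode Command")
    setting = msg[2] & 0x0F
    start_ciphering = bool(setting & 0x01)
    algo_id = (setting >> 1) & 0x07
    algorithm = A5_NAMES.get(algo_id, "reserved") if start_ciphering else "none"
    return {"start_ciphering": start_ciphering, "algorithm": algorithm}


def assess_link(msg: bytes) -> str:
    """Return 'no-cipher', 'weak-cipher' or 'ok' for a Ciphering Mode Command."""
    info = decode_cipher_mode_setting(msg)
    if not info["start_ciphering"]:
        return "no-cipher"       # SC bit cleared: the rogue-base-station case above
    if info["algorithm"] in DOWNGRADE_ALGORITHMS:
        return "weak-cipher"     # forced onto the export-weakened cipher
    return "ok"


# Constructed sample messages: octet1 = PD 0x06, octet2 = type 0x35, octet3 = IE
CMD_A5_3 = bytes([0x06, 0x35, 0x05])       # SC=1, algorithm 010 -> A5/3
CMD_A5_2 = bytes([0x06, 0x35, 0x03])       # SC=1, algorithm 001 -> A5/2
CMD_NO_CIPHER = bytes([0x06, 0x35, 0x00])  # SC=0 -> no ciphering

if __name__ == "__main__":
    for label, cmd in (("A5/3", CMD_A5_3), ("A5/2", CMD_A5_2), ("none", CMD_NO_CIPHER)):
        print(f"{label}: {assess_link(cmd)}")
```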


Passive capabilities

In passive mode, the StingRay operates either as a digital analyzer, which receives and analyzes signals being transmitted by cellular devices and/or wireless carrier cell sites or as a radio jamming device, which transmits signals that block communications between cellular devices and wireless carrier cell sites. By "passive mode", it is meant that the StingRay does not mimic a wireless carrier cell site or communicate directly with cellular devices.
