StingRay: Controversial cellular phone surveillance device

Ever wonder how police, intelligence agencies, and various private agencies track or monitor your phone?


The inherent vulnerabilities of SS7, a protocol used by network operators around the globe, make this a reality. SS7 stands for Signaling System 7. It is a standard that dates back to the 1970s and manages the communication between the networks of different operators. Thanks to this system, you can still receive calls even when you are not near a cell tower of your own provider – when traveling, or abroad – because it lets your operator carry your communications over the networks of competitors or of other countries. The tricky part is that network operators have elevated access to user communications. Just by seeing which cell tower was used to deliver a particular message, your carrier can establish your location. In fact, SS7 makes this kind of information available to all operators worldwide, and the only requirement for accessing it was being an operator.

These exploits are possible mostly because regular calls and text messages travel over mobile networks virtually unencrypted. The GSM protocol encrypts calls only while they are in transit between the user's handset and the nearest cell tower. At the cell tower they are decrypted so that they can be forwarded to the next node in the network. For anyone who has already infiltrated the network (as is the case when using an IMSI-catcher or an SS7 exploit), this in-transit encryption is no obstacle.

Measures users can take:

  • Use strong end-to-end encryption. This is the type of encryption in which messages are scrambled on the sender's end and decrypted only once they reach the recipient's device. Even if someone takes hold of a network and intercepts such a message, they would not be able to read it without the encryption key – which only the two communicating parties share.

  • Detect and avoid IMSI-catchers. Location tracking is a bit trickier to defend against. To locate you via SS7, attackers must have your device's IMSI – a unique identifier for every cellular subscriber. To obtain this number, they must first operate a Stingray device near your phone. With the help of an IMSI-catcher detector app – such as the one featured on our Secure Phone device – you can, however, spot and avoid such attacks.

  • Use a multi-IMSI SIM. Steering clear of IMSI-catchers is not easy. If your device is compromised in such an attack, the IMSI associated with it can be used to track you from that moment on, unless you use a technology that lets you swap that identifier for another one. Secure Group's Secure SIM is one such offering – a SIM card that contains up to 16 IMSI numbers.

Two of the measures above concern IMSI catchers. So what exactly is an IMSI catcher, and how does it give its operator access to so much information about a phone?

An International Mobile Subscriber Identity (IMSI) catcher is an eavesdropping device used to track mobile users and intercept their communications. Essentially a "fake" mobile tower sitting between the target phone and the service provider's real towers, it is a form of man-in-the-middle (MITM) attack. The 3G wireless standard offers some risk mitigation because it requires mutual authentication between the handset and the network. However, sophisticated attacks may be able to downgrade 3G and Long Term Evolution (LTE) connections to older network services which do not require mutual authentication.
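To make the mutual-authentication point concrete, here is an added example (not code from the post) contrasting the one-way 2G challenge with a 3G AKA-style exchange. The message layout follows the 3GPP AKA structure (RAND, and AUTN = SQN xor AK || AMF || MAC), but the functions f1/f2/f5 are stand-ins built from HMAC-SHA256 rather than the Milenage algorithms real SIMs use.

```python
import hashlib
import hmac
import os


def _f(tag: bytes, k: bytes, *parts: bytes, n: int) -> bytes:
    """Toy stand-in for the AKA functions f1/f2/f5 (real networks use Milenage):
    a keyed HMAC-SHA256 truncated to n bytes, used here for illustration only."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def gsm_challenge(k: bytes, rand: bytes) -> bytes:
    """2G: the handset answers any RAND with SRES; it never authenticates the network,
    so a fake base station can run this exchange without holding any secret."""
    return _f(b"sres", k, rand, n=4)


def umts_network_vector(k: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """Network side: RAND plus AUTN = (SQN xor AK) || AMF || MAC, as in TS 33.102."""
    rand = os.urandom(16)
    ak = _f(b"f5", k, rand, n=6)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(b"f1", k, rand, sqn_b, amf, n=8)
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + amf + mac
    return rand, autn


def umts_handset_verify(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> bool:
    """Handset side: unmask SQN, recompute MAC with the shared key, reject forgeries
    (wrong MAC) and replays (SQN not fresh). A catcher without k cannot pass this."""
    ak = _f(b"f5", k, rand, n=6)
    sqn = int.from_bytes(bytes(a ^ b for a, b in zip(autn[:6], ak)), "big")
    amf, mac = autn[6:8], autn[8:16]
    expected = _f(b"f1", k, rand, sqn.to_bytes(6, "big"), amf, n=8)
    return hmac.compare_digest(mac, expected) and sqn > last_sqn


def demo():
    """Returns (gsm_answered, genuine_3g_ok, rogue_3g_ok, replayed_3g_ok)."""
    k_real = os.urandom(16)   # secret shared by the SIM and its home network
    k_rogue = os.urandom(16)  # a fake base station does not hold k_real
    gsm_answered = len(gsm_challenge(k_real, os.urandom(16))) == 4
    rand, autn = umts_network_vector(k_real, sqn=1)
    genuine_ok = umts_handset_verify(k_real, rand, autn, last_sqn=0)
    rand_r, autn_r = umts_network_vector(k_rogue, sqn=1)
    rogue_ok = umts_handset_verify(k_real, rand_r, autn_r, last_sqn=0)
    replay_ok = umts_handset_verify(k_real, rand, autn, last_sqn=1)
    return gsm_answered, genuine_ok, rogue_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The 2G handset answers whoever asks, while the 3G handset refuses both a vector built without the shared key and a replayed one; this is the gap a downgrade to 2G reopens.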

Deploying an IMSI catcher involves a number of difficulties:

  • It must be ensured that the observed person's phone is in standby mode and that its network operator has been identified; otherwise the mobile station has no reason to register with the simulated base station.

  • Depending on the signal strength of the IMSI-catcher, numerous IMSIs are captured, and the problem is to pick out the right one.

  • All mobile phones in the area covered by the catcher lose access to the network; incoming and outgoing calls cannot be put through for these subscribers. Only the observed person retains an indirect connection.

  • There are some tell-tale signs. In most cases the subscriber cannot recognize the operation immediately, but a few mobile phones show a small symbol on the display, e.g. an exclamation mark, if encryption is not in use. This "Ciphering Indication Feature" can, however, be suppressed by the network provider by setting the OFM bit in EF_AD on the SIM card. Since network access is handled with the SIM/USIM of the IMSI-catcher, the called party cannot see the number of the calling party. Of course, this also implies that the tapped calls are not listed on the itemized bill.

  • Deployment close to a legitimate base station can be difficult, due to the high signal level of the original base station.

  • As most mobile phones prefer the faster modes of communication such as 4G or 3G, forcing them down to 2G can require blocking the 4G and 3G frequency ranges.

An IMSI-catcher, sometimes referred to as a stingray after the brand name of a popular IMSI catcher sold by the Harris Corporation, can be used to impersonate a legitimate cell tower, giving the malicious operator access to local mobile device traffic. The StingRay itself is an IMSI-catcher, a controversial cellular phone surveillance device manufactured by Harris Corporation. Initially developed for the military and intelligence community, the StingRay and similar Harris devices are in widespread use by local and state law enforcement agencies across Canada, the United States, and the United Kingdom. "Stingray" has also become a generic name for these kinds of devices.

How StingRay works:

Cellular networks are divided into areas called cells, with one “cell-site” per cell area. As you drive to work and travel throughout a region, you move among various cell areas and your phone naturally connects to each respective cell-site. Your phone is programmed to connect to the strongest cell-site it finds. What a stingray device does is broadcast signals that are more powerful than any of the nearby cell-sites, essentially tricking your phone into connecting to it instead of the real thing. This can happen without you ever noticing anything at all. Once your phone connects, the stingray device can capture its IMSI — the specific set of numbers that identifies each cellular subscriber — and, depending on how sophisticated the stingray is, it can even get hold of metadata and text messages from your phone.

As discussed earlier, the main advantage of a StingRay, from its operator's point of view, is access to essentially all of the information passing through a phone. The device can be used by many agencies, legally or otherwise. It is said to be used to track criminals, but it is also used by criminals. There are many applications that claim to detect IMSI catchers. The ugly truth, however, is that almost all of them can be easily bypassed, allowing the stingray owner to eavesdrop on calls, intercept messages, and track the precise location of a phone.

On the plus side, all of the apps were able to detect some kind of surveillance, such as a cell connection being forcibly downgraded, or a "silent" text message being received to geolocate a phone.

But all of the apps could still be tricked, simply by switching to another attack method.
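As an added example (not code from the post or from any detector app), here are the kinds of heuristics a detector runs over serving-cell observations, covering the tell-tale signs the post lists: the forced downgrade to 2G, the missing ciphering indication, and the silent SMS. The record format and the sample trace are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class CellObservation:
    """One snapshot of the serving cell as a detector app might log it.
    The field set is constructed for this example, not taken from any real app."""
    ts: int           # seconds since the trace started
    rat: str          # radio access technology: "LTE", "UMTS" or "GSM"
    cell_id: str      # location area / cell identity of the serving cell
    rssi_dbm: int     # received signal strength
    ciphering: bool   # link encrypted? (what the GSM "ciphering indication" shows)
    silent_sms: bool  # a silent (Type 0) SMS arrived during this interval


RAT_RANK = {"LTE": 3, "UMTS": 2, "GSM": 1}


def detect_anomalies(trace: List[CellObservation], known_cells: Set[str]) -> List[str]:
    """Flag the behaviours the post describes: a forced downgrade to 2G, an unknown
    cell appearing with a much stronger signal, ciphering turned off, and a silent
    SMS. Each alert names the time and the serving cell involved."""
    alerts = []
    for prev, cur in zip(trace, trace[1:]):
        if cur.rat == "GSM" and RAT_RANK[prev.rat] > RAT_RANK["GSM"]:
            alerts.append(f"t={cur.ts}: downgrade {prev.rat}->GSM on cell {cur.cell_id}")
        if cur.cell_id not in known_cells and cur.rssi_dbm > prev.rssi_dbm + 20:
            alerts.append(f"t={cur.ts}: unknown cell {cur.cell_id} appeared at {cur.rssi_dbm} dBm")
        if prev.ciphering and not cur.ciphering:
            alerts.append(f"t={cur.ts}: ciphering disabled on cell {cur.cell_id}")
        if cur.silent_sms:
            alerts.append(f"t={cur.ts}: silent SMS received on cell {cur.cell_id}")
    return alerts


# Constructed trace: normal LTE service on known cells, then a sudden, very strong,
# previously unseen GSM cell that drops ciphering and delivers a silent SMS.
KNOWN_CELLS = {"5021-1001", "5021-1002", "5021-1003"}
SAMPLE_TRACE = [
    CellObservation(0, "LTE", "5021-1001", -95, True, False),
    CellObservation(30, "LTE", "5021-1002", -92, True, False),
    CellObservation(60, "GSM", "7777-9999", -60, True, False),
    CellObservation(90, "GSM", "7777-9999", -58, False, True),
]


if __name__ == "__main__":
    for line in detect_anomalies(SAMPLE_TRACE, KNOWN_CELLS):
        print(line)
```

Each rule keys on one observable side effect, which is exactly the limitation the post describes: a catcher that avoids producing these particular signals passes such checks unnoticed.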


We hope this feeds your curious mind.

Until our next post, stay tuned.




© 2020 by Bluefire Redteam LLP