Location Tracking with Stingrays & Universal Software Radios

The Wall Street Journal recently reported on the FBI’s cell phone tracking tools collectively referred to as “Stingrays” being the forefront of a new Fourth Amendment battle. The tools were used to track Daniel David Rigmaiden who was arrested for fraud, he has stated he is innocent and requested information regarding the tools used to track him, which the FBI are not keen to give up as they state it would provide criminals with knowledge to evade the tools which are being used without a warrant.

U.S. Patent and Trademark Office - Harris Stingray II

The Stingray devices are wireless surveillance tools that operate as multi-channel software defined radio which mimics a cellular base station and collects information from a phone even if the device is not in use. The tools are used to gather unique device IDs and subscriber IDs from target phones (MIN, IMSI, MEID, IMEI). In addition these devices can track location using a method similar to cell tower triangulation but a bit in reverse. Instead of getting location and signal strengths from the towers, a surveillance vehicle that is running the device will drive around a target location and gather the signal strength from the target device as it connects from different locations.  This allows the operator to get a fairly accurate location via triangulation of  the target phone.

The reason for using tools such as this is to circumvent the need to get information from carriers directly, which requires a subpoena, and a court order and possibly even a search warrant depending on the information requested. By intercepting the signals with these devices, law enforcement is able to essentially cut out the middle man. However as the case with Mr. Rigmaiden shows at special court order was still granted before the tool was used. The question for the courts is if the use of these tools require the same protections for monitoring citizens as other methods.

USRP1

Although the FBI and law enforcement do not want information being leaked regarding how these systems work, hackers and researchers alike have been building similar software defined radio peripherals that allow them to mimic cellular towers.  For around $3,500 you too can build your own cellular base station, using a Universal Software Radio Peripheral such as those provided by Ettus paired with OpenBTS and additional software.  Some researchers have even found ways to trick phones into disabling encryption so not only can they get device information and location, but also intercept calls through vulnerabilities in GSM.

Not only are these tools being used by law enforcement, but they could also potentially be used by criminals to gather information such as location, phone numbers you call and potentially intercept your phone calls, however the later is highly unlikely given the cost and effort required.