Cellphone Surveillance Explained - Stingray/IMSI Catchers

00:06

hey security researcher here once again

00:09

thanks for checking out my video today

00:12

we're going to talk about stingrays I'm

00:14

actually going to use the term cell

00:15

phone tower simulator it's a much safer

00:18

term for me to use we're going to

00:21

discuss what these devices are who uses

00:24

them how they function how they're

00:27

deployed what they can do once they are

00:30

deployed how you yourself can determine

00:32

if one is operating in your area as well

00:35

as what you can do to protect yourself

00:37

from them now

00:39

this is going to be a long video I'm

00:41

recording the audio here for god knows

00:43

how many times I'm going to try to

00:46

include as much information as I can

00:47

here I ask that you be patient and watch

00:51

this thing all the way through by the

00:53

time you're done hopefully not only do

00:55

you know more about this stuff than just

00:57

about anybody you know but you're pissed

00:59

and you're willing to start to talk to

01:02

others about this because this is a

01:04

problem that all being said the

01:07

information that I provide in these

01:08

videos is not intended for the

01:10

criminally minded this really truly is

01:12

about education you cannot make informed

01:15

decisions about things as complicated as

01:17

technology if you don't have even the

01:19

most basic understanding of what it is

01:21

that you're talking about so let me take

01:24

twenty years of research experience boil

01:26

it down into plain English so that we

01:28

can all better understand the risks that

01:30

we face on a daily basis now let's get

01:33

into this topic again cell phone tower

01:35

simulators and the first point is what

01:38

they are now I suppose the first thing

01:41

that we need to do here is give you a

01:44

visual reference of what it is that

01:45

we're talking about some of this

01:47

equipment is designed to be installed in

01:51

a vehicle like a surveillance van or an

01:54

SUV of some type maybe it's an airplane

01:56

or a drone a lot of the stuff can be

02:00

located in fixed positions so a building

02:03

with an antenna nearby basically what

02:06

the equipment needs is access to power

02:09

access to some sort of data whether it's

02:12

a high-speed data connection like the

02:15

one that you have coming into your house

02:16

or the ability to communicate wirelessly

02:20

with some sort of a data connection but

02:23

those things are required for it to

02:24

function depending on how its operating

02:27

it also needs some sort of a terminal

02:31

like a laptop computer and whatever

02:34

associated software to translate the

02:36

data that the equipment is bringing in

02:39

that said there's also smaller devices

02:42

so when the media refers to it as one

02:46

specific device that's big and bulky

02:48

what they're concealing through

02:50

obfuscation is things like this device

02:53

that fits in a backpack or this device

02:57

that's handheld so you could walk into

03:00

maybe a tea party gathering or some sort

03:04

of a labor protest or whatever and you

03:07

know gather information about the

03:09

devices that are present or this device

03:11

right here that allows the attacker to

03:14

attack up to sixty thousand phones at

03:17

one time

03:18

not exactly targeted surveillance in my

03:21

mind and when you keep in mind the fact

03:24

that these can be located in fixed

03:25

positions you could sprinkle these

03:27

around a community and monitor every

03:30

single phone in town we'll cover all of

03:34

this things that are at least publicly

03:36

known about this technology because I'm

03:38

really not interested in spending a lot

03:40

of time here or meeting people like

03:42

these guys so I'm going to try to only

03:46

discuss what is publicly known and put

03:49

it into context so that we can all

03:50

understand the threat so now that you

03:53

know what the things look like let's

03:54

talk about what they actually are and

03:56

how they function so what is a cell

03:59

phone tower simulator just as the name

04:02

implies it functions like a legitimate

04:04

cell phone tower it communicates back

04:07

and forth with your device on its normal

04:09

communication channels so as far as your

04:11

device is concerned it's on a legit cell

04:14

phone tower it works on all of these

04:17

smart and dumb phones that are out the

04:19

market today and no I don't care how

04:21

super cool or secure you think your

04:24

phone is it is susceptible to attack by

04:27

these types of devices I know that

04:32

everyone likes to talk about the legal

04:34

restrictions of the use of cell phone

04:36

tower simulators warrants writs court

04:39

orders trap-and-trace pen registers etc

04:41

but this technology is designed to work

04:44

without having to attain legal

04:46

authorization it can be deployed without

04:48

anyone knowing that it's being used

04:50

there's no paper trail that the system

04:52

is being deployed so there's no audit

04:55

that can occur to find out whether it

04:57

was used you have to realize that before

05:00

they used to have to go through the

05:01

cellular service providers to gather

05:03

information but it was really messy and

05:06

it left paper trails everywhere with the

05:09

release of this technology all the way

05:11

down to your local community now they

05:15

don't have to worry about that now this

05:17

would be a concern to you and I if we

05:18

had a system that was displaying a

05:20

disdain for traditional legal

05:21

limitations on power and authority if we

05:24

had organizations and agencies and

05:27

individuals operating and secret hiding

05:29

behind non-disclosure agreements lying

05:31

to Congress or just general corruption

05:34

running rampant throughout the system

05:35

but since we know we don't have that

05:38

happening here in the United States we

05:40

know that we don't have anything to

05:41

worry about right that is until you

05:44

realize that it's already been proven

05:46

that for as little as twelve hundred

05:49

dollars or less just about anybody can

05:52

build a device that has similar

05:54

capabilities to this technology the fact

05:56

that backdoors exist in any of our

05:59

technology means that not only can the

06:02

quote unquote good guys use it but

06:04

anybody who's aware that those backdoors

06:06

exist can also use them we are all

06:10

operating under a very flawed trust

06:12

model when it comes to technology we are

06:15

putting our faith and trust in

06:16

corporations and technology where it

06:19

should never have been placed to begin

06:21

with and it's been going on for so long

06:23

that we become apathetic to the risks

06:26

and it's really time to stop that so

06:29

let's go on and talk more about this

06:31

technology and I'll get off my soapbox

06:33

so let's talk about how these devices

06:36

function what's happening here is what

06:38

the InfoSec community calls a

06:40

man-in-the-middle attack just as the

06:42

name implies the attacker slips within

06:45

range of your device and the network

06:46

node that it's try

06:47

to communicate with in this case a

06:49

cellphone tower and depending on its

06:52

mode of operation can interact with the

06:55

data that's being sent to and from your

06:57

device it could be listening

06:59

it could be acting as a relay and

07:01

capturing all the information that's

07:03

supposedly being sent directly to the

07:05

cellular network you have to keep in

07:09

mind that your phones are slaves to the

07:10

tower so anytime your device is

07:13

connected to any cell phone tower

07:15

whether it's legitimate or simulated the

07:18

tower dictates to the phone what's going

07:20

to happen during that communication

07:22

session including shutting off session

07:24

encryption so now how are these devices

07:27

deployed so if you have an attacker that

07:30

has a cell phone tower simulator how is

07:33

it that they can set this thing up so

07:35

that your device will connect to it well

07:37

as we covered in cell phone tracking

07:39

explain in plain English part one your

07:42

phone checks in with the cell phone

07:43

network towers on a regular basis this

07:46

is somewhere around every three to seven

07:48

seconds your phone is always trying to

07:51

connect to numerous towers at the same

07:53

time to ensure you quality of service

07:55

when a phone initially connects to a

07:58

tower for the first time it gathers

07:59

information about the surrounding

08:01

network things like what carriers are

08:04

operating towers in the network what

08:06

channel's your phone can use to

08:08

communicate with the antennas on those

08:09

towers this information is temporarily

08:12

stored on your phone so if your device

08:15

moves loses signal etc it can quickly

08:18

switch channels in order to maintain

08:20

connectivity it's also why when you

08:22

travel your phone may tell you that

08:24

instead of using say AT&T your phone is

08:27

connected to metro pcs it all goes back

08:30

to billing for roaming and things like

08:32

that so while this information has its

08:35

legitimate uses this information is also

08:37

useful to an attacker who comes into an

08:39

area and wants to configure their cell

08:42

phone tower simulator to work more

08:44

efficiently they can query the towers

08:47

themselves and get information about

08:50

what cell phone towers are in the area

08:52

what frequencies or channels the

08:54

antennas on those towers are operating

08:56

on what carriers your phone might be

08:59

expecting to see in the area

09:02

and then using that information they can

09:04

configure their simulated cell phone

09:05

tower now since the phones are really

09:08

slave to the tower the towers send the

09:12

phones all the commands is related to

09:14

their operations so if you were running

09:17

a simulated cell phone tower you could

09:19

tell the phone that you're the strongest

09:21

cell phone tower in the area in order to

09:23

trick it to get it to attempt to connect

09:26

to your device you can also shut off

09:30

session encryptions so that what would

09:32

normally be protecting either shut it

09:35

off or downgrade it to make it easier to

09:37

crack so what would normally protect the

09:40

confidentiality of your communications

09:42

is basically negated so first we need to

09:45

understand that these devices operate in

09:47

one of two modes one is a passive mode

09:51

and the best way I can describe passive

09:53

to you is it's like the radio in your

09:56

car you can tune in to different

09:58

frequencies or channels and you can hear

10:00

information but you can't interact with

10:03

that information all you can do is

10:05

listen to it when it comes to cellular

10:08

technology or maybe encrypted

10:09

information you can listen to it record

10:12

it and then D encrypt it but you're

10:14

never really transmitting so you're not

10:18

giving away the fact that you're there

10:20

the other mode that these things operate

10:23

in is it is an active mode and an active

10:25

mode is where the device is now acting

10:28

as a relay so instead of your traffic

10:30

going directly to the cellular tower or

10:33

being broadcast to the cellular tower

10:35

where they could listen they've now

10:37

tricked your phone to directly

10:38

connecting to them and they're receiving

10:40

all the information coming directly from

10:42

your phone and then passing it on to

10:44

either a wireless network or a directly

10:47

connected high-speed Internet network so

10:50

that everything that's coming off of

10:52

your phone passes through their device

10:54

and they can capture and filter all of

10:56

the information that's coming off of it

10:58

now what is that information and what

11:01

are the commands that they can send back

11:03

to your phone when they're in active

11:05

mode what does that allow them to do

11:08

okay well without putting these in any

11:10

specific order some of the information

11:12

that can be captured on your device is

11:15

something called an IMEI number IMEI

11:17

stands for international mobile station

11:20

Equipment Identity it's also known as

11:23

the meid or mobile equipment identifier

11:25

now this is the unique serial number of

11:28

your specific phone and using it the

11:30

person that's doing the attack can

11:32

determine the make model and product

11:34

variant so maybe it's a samsung galaxy

11:37

s6 or an iphone 6 or an HTC One m9

11:41

whatever but you can also determine the

11:44

product variant which tells them things

11:46

like the device firmware that may be

11:49

operating because of the chips that are

11:50

installed on that specific phone it's

11:53

very specific down to your exact device

11:57

that's your phone's unique identifier on

12:00

the network you yourself can find this

12:02

number it's either going to be on a

12:04

white sticker under the battery or you

12:07

can find it by bringing up your phone's

12:08

keypad and hitting star pound zero six

12:12

pound or in modern vernacular star

12:16

hashtag zero six hash tag but yeah star

12:20

pound zero six pound will bring up your

12:22

phone's unique serial number now

12:25

something to keep in mind here is if

12:27

you're a special person maybe you work

12:29

for an agency or a department and you

12:32

have a special phone that you think is

12:34

secure if it has a unique IMEI number

12:37

that identifies it as a unique piece of

12:39

hardware that can actually help an

12:42

attacker determine whether or not your

12:44

device is worth looking at so some of

12:46

the same techniques and tools that you

12:48

use to determine whether certain people

12:50

are worth looking at can also be turned

12:52

around and used on you this technology

12:55

is a dual edged sword so you need to

12:57

keep that in mind so another piece of

12:59

information that can be gathered is

13:01

something called an IM SI or MC it's

13:05

where the term MC catcher comes from

13:07

IMSI is international mobile subscriber

13:10

identity this number is encoded on your

13:13

cell phone SIM card or on the phone

13:16

itself if it doesn't have a SIM card the

13:18

number is directly associated with the

13:20

person who's paying for the service so

13:23

not only can it be used to track it back

13:26

to whoever's paying the bill it can also

13:28

be you

13:29

used to associate to the person who uses

13:31

that SIM card for making phone calls so

13:34

even if you're switching phones on a

13:36

regular basis maybe you think you're

13:38

James Bond and that's going to like

13:40

somehow protect you that SIM card has a

13:43

unique identifier that's associated with

13:45

whoever's paying the bill and if

13:48

somebody is monitoring that SIM card

13:49

that MC number they can associate your

13:52

voice with that MC and then it doesn't

13:56

matter who's paying the bill as far as

13:57

they're concerned that MC is you when

14:00

one of these cell phone tower simulators

14:02

is in passive mode again listening like

14:05

your car radio any information that's

14:07

transmitted to or from your phone can be

14:10

captured and monitored that includes

14:12

live calls that includes text messages

14:15

as you send them that includes emails

14:17

any data traffic anything that you're

14:20

doing even if you're using one of these

14:21

applications that's super cool and it

14:24

encrypts my voice traffic and sends it

14:26

over the wireless and blah blah blah

14:28

you're still transmitting it and anybody

14:30

that can tune in to pick up that

14:32

transmission can capture that

14:34

transmission and even if it is encrypted

14:37

they now have the data and can D encrypt

14:41

it themselves so again we're operating

14:44

under a terribly flawed trust model when

14:46

it comes to technology and I really

14:48

don't care how smart you think you are

14:50

you're operating under a flawed trust

14:53

model believe me so that's just it in a

14:56

passive mode it really gets interesting

14:58

when these devices operate in an active

15:01

mode because now they can interact

15:03

directly with your phone they can mess

15:06

with power management so you may think

15:08

your phone shuts off the screen does

15:10

what it normally does and it makes the

15:12

noises that it normally does when it

15:14

shuts off but the phone isn't really off

15:16

so the microphone can still be used to

15:18

eavesdrop on what's going on in the room

15:20

the camera can still be activated the

15:22

GPS can still be tracked you have to

15:25

realize that you know anything that's

15:27

stored on the device at this point

15:29

because this device has connected on to

15:31

your phone so your banking history your

15:34

passwords your call logs your phone book

15:36

all of which can be used to create

15:38

additional target lists all of this

15:41

stuff is available whenever one of the

15:42

these devices in an active mode connects

15:45

up to your cell phone something else

15:47

that's important to pay attention to is

15:49

you know I'd mentioned that your camera

15:50

can be activated and a lot of people

15:53

will automatically think well whatever

15:55

my phone's in my pocket

15:56

well where's your phone when you're

15:58

reading in text and where is the camera

16:00

when you're looking at the screen on

16:03

your phone you've got a camera that's

16:05

pointed at you so I can identify that

16:07

you're reading that text but where's the

16:09

camera on the back of your phone pointed

16:11

you know these things can be used for

16:14

video surveillance they can be used for

16:16

audio surveillance even in your own home

16:18

even in your business now even if your

16:21

colleagues your friends and your family

16:23

members don't take this stuff seriously

16:24

it's up to you to do it you have to

16:27

educate them and they need to understand

16:29

it you're going to get a lot of flack

16:31

you're going to be told you're crazy and

16:33

you're paranoid but the fact of the

16:34

matter is is this stuff is happening I

16:37

just want to take a second to point out

16:38

something here we're only talking about

16:40

cell phones in this video but you need

16:42

to think about all the other devices

16:43

that you own that operate wirelessly if

16:46

they transmit and receive information

16:49

there can be subject to a

16:50

man-in-the-middle attack so we're not

16:52

just talking about your cell phone your

16:55

tablet your laptop maybe your PC if

16:58

you've connected it wirelessly but also

17:00

the wireless router itself all of these

17:02

devices can be attacked remotely through

17:04

a man-in-the-middle attack so it's

17:07

important that you realize we are

17:08

operating under a terribly flawed trust

17:11

model when it comes to technology now

17:13

let's get back on topic and talk about

17:15

man-in-the-middle attacks using cell

17:17

phone tower simulators against your cell

17:19

phone what are some of the symptoms that

17:21

this could be occurring against your

17:23

device so when it comes to symptoms it's

17:28

important that a state here that this

17:31

technology is always evolving so some of

17:33

the symptoms that I'm going to say now

17:34

might not be symptoms next week when the

17:37

new version comes out these are just

17:40

some of the things that I know of I'm

17:42

probably going to miss a few of them but

17:45

here's a list anyway your phone gets

17:48

warm you're not even on it and you pick

17:51

it up and it's warm which means it's

17:52

been transmitting and receiving the

17:54

battery drains quicker than usual

17:56

well you have no or seriously degraded

17:59

data service when there should be decent

18:01

data service you have no or seriously

18:04

degraded voice service maybe there's a

18:06

lot of people around and they're routing

18:09

all of the traffic through one of these

18:10

cell phone tower simulators so there

18:13

isn't as much bandwidth to go around and

18:15

the voice service now sucks this one is

18:18

usually a dead giveaway but I absolutely

18:20

do not recommend that you try it it is

18:22

illegal don't do this unless of course

18:26

it's a genuine emergency but if you try

18:30

to dial nine-one-one and you do not have

18:33

911 again don't do this but that's a

18:38

dead giveaway that your device is

18:40

connected to a cell phone tower

18:41

simulator um your friends might get a

18:45

text message from you but when that text

18:48

message comes up on their phone it

18:49

doesn't come up with your phone number

18:51

it comes up with something odd like some

18:53

sort of a four-digit combination of

18:56

numbers but not your actual phone number

18:59

okay so you've made it this far and

19:01

you're interested in figuring out what

19:03

the solution to all of this is if you

19:05

cheated and fast forward and got here

19:07

shame on you go back and listen to the

19:08

whole thing you're not as smart as you

19:10

think you are and there's stuff that you

19:12

need to know so if you got here

19:15

organically thank you for listening to

19:16

the whole thing and let's talk about

19:18

solutions the technology is constantly

19:20

evolving it's kind of like the weapons

19:22

and armor thing that is the weapons

19:24

improve the armor improves and as the

19:26

armor improves the weapons improve it's

19:29

just that we're talking about cyber

19:30

weapons

19:32

so what is the armor that we can use

19:34

against these cyber weapons how can we

19:36

protect ourselves and the solution at

19:40

least as I see it is really twofold one

19:43

is signal isolation which means

19:47

encapsulating your phone in a way that

19:50

you can prevent all the signals that

19:52

your phone can interact with from

19:54

getting tore from your phone if your

19:57

phone can receive any signals whatsoever

19:59

it can be used to compromise the

20:03

integrity of the device the microphone

20:05

all the things that we've discussed can

20:06

all be accessed if your phone can send

20:08

and receive signals so you have to find

20:11

a way to isolate it so that it can't

20:13

send and receive signals but that causes

20:16

a problem in your connectivity because

20:18

now since the phone can't send and

20:20

receive signals you're essentially

20:22

isolated I have a solution for that as

20:24

well so let's take this in two parts

20:27

let's talk about the isolation options

20:29

that are out in the market and let's

20:31

talk about the connectivity option so

20:34

let's start with the do-it-yourself

20:36

solutions and the do-it-yourself crowd

20:38

is really adamant that they have the

20:40

solution I have a question for you if

20:43

you believe that you have the solution

20:44

have you paid to have a lab test your

20:48

solution and keep in mind that the

20:50

solution that you send to the lab is

20:52

going to be different than the next one

20:54

you make because you're just slapping

20:56

these things together so the reason that

20:59

I say have you had it tested is you know

21:03

we're all familiar with you know gasses

21:05

air and a car tire liquids water in a

21:08

bucket I can hear the air leaking out of

21:11

my car tire I know that it's leaking

21:13

I can see moisture on the outside of my

21:16

bucket and wipe it off and it comes back

21:18

so I know that my buckets leaking I

21:20

can't hear the RF leaking out of my

21:23

enclosure

21:24

I can't wipe it off and see it reappear

21:27

again on the outside of my

21:28

do-it-yourself enclosure I have no idea

21:31

what frequencies are penetrating my

21:33

enclosure I have no idea

21:37

I don't know how effective it is until I

21:39

have it tested because nobody unless you

21:43

have about a hundred and fifty grand

21:44

worth of equipment can tell you what

21:47

frequencies are leaking out of your Do

21:49

It Yourself enclosure and the enclosure

21:51

that you make is going to be different

21:53

than the enclosure that the next guy

21:54

makes even if they're using the same

21:56

overall premise so there's just too many

21:59

variables in the do-it-yourself

22:00

community for me to endorse any

22:02

do-it-yourself solution that brings us

22:05

to the commercial products that are out

22:06

in the market and there's really two

22:08

families of products soft cases and hard

22:10

cases these soft cases that are out on

22:13

the market were analyzed by Purdue

22:15

University cyber forensics lab and they

22:17

found that of the ones that they tested

22:19

they had an overall failure rate of

22:21

about 53 percent

22:22

so more than half the time in a normal

22:25

network operating environment they

22:27

failed when you bring a cell tower

22:30

simulator in and you get the antenna

22:32

even closer and you up the power output

22:35

they're going to fail even more

22:36

frequently than fifty three percent soft

22:39

cases are not reliable products I

22:43

another thing to note about soft cases

22:45

is I don't know of any of the soft cases

22:47

that are out on the market that have

22:48

paid to have an independent nationally

22:50

recognized lab certify that their

22:53

product works what I typically see is

22:56

shielding effectiveness based on the

22:58

materials that they're then sewing

23:00

together to make their product the

23:03

shielding effectiveness of a material is

23:05

totally different than the shielding

23:08

effectiveness of the product that you

23:09

then make out of that material so

23:12

there's that - now that leaves you with

23:16

signal blocking hard cases that are

23:19

rigid in construction so I only know of

23:22

one out there that's manufacturing a

23:24

hard case that actually works and they

23:27

do have independent lab verification of

23:30

the effectiveness of their product I'm

23:32

not going to endorse anybody's products

23:34

today that's not what I'm here for this

23:36

is about information but if you're

23:38

looking for a signal blocking product

23:39

you're ultimately looking for something

23:41

with laboratory verification that proves

23:44

the highest level of signal attenuation

23:47

possible this is measured in something

23:50

called dB

23:51

or decibels of signal attenuation and

23:53

you want that number as high as possible

23:56

no matter what solution you're looking

23:57

for I would look at the signal blocking

24:00

hardcase that's out on the market and I

24:02

would stay away from the fabric now

24:04

you've blocked signals so you can't

24:06

receive phone calls and text messages on

24:08

your phone now what do you do to

24:11

maintain connectivity well this is going

24:14

to sound a little odd because it's a

24:16

little retro but if you get yourself a

24:18

one-way alphanumeric pager you can not

24:22

only receive numeric messages but you

24:24

can also get text messages and emails it

24:27

is an unencrypted connection but most of

24:30

the messages that you're going to get

24:32

honey pick up a gallon of milk on your

24:33

way home mr. Smith your paperwork's

24:36

ready swing by my office to pick it up

24:37

those messages don't need to be

24:39

encrypted so you don't really have to

24:43

worry about that aspect of it the big

24:45

benefit that you get is you get

24:46

connectivity without all the strings

24:48

attached you don't have a microphone

24:50

that can eavesdrop on your conversations

24:52

you don't have cameras that can see what

24:54

you're doing you don't have GPS tracking

24:56

the devices only listen they don't

24:58

broadcast so you can't be location

25:01

tracked you can regain some of your

25:04

privacy while still maintaining

25:05

connectivity and that's really what it's

25:07

all about I didn't create this problem

25:10

I'm just trying to provide you with a

25:12

navigation around it so get yourself a

25:15

signal blocking product that works and

25:17

get yourself a one-way alphanumeric

25:19

pager modify the outgoing message on

25:22

your voicemail so at the end of it you

25:23

say if this matter is really urgent

25:25

please send me a page or a text or

25:27

whatever at this you know insert number

25:30

here and there you go you've blocked

25:33

third party intrusion into your cell

25:36

phone you've maintained connectivity

25:38

with the outside world and is it perfect

25:41

no but again I didn't create the problem

25:43

I'm just trying to give you one path

25:45

around it if you found value in this

25:48

information please hit the subscribe

25:49

button share this video with your

25:51

friends and family stay tuned because

25:53

there is more fun to come I am security

25:56

researcher and if you just gave me the

25:58

last 26 minutes of your life I want you

26:00

to know that I really appreciate it

26:04

you