dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
211
Crookshanks
join:2008-02-04
Binghamton, NY

Crookshanks

Member

Mr. Rigmaiden needs better expert witnesses....

quote:
Rigmaiden maintains that in order for the stingray to be able to collect location data from his air card, Verizon Wireless had to write data to the air card consisting of “identifying information for the FBI’s emulated cell sites” as well as make configuration changes that would cause the air card to recognize the FBI’s emulated cell tower as an authorized tower for providing service and cause the air card to attempt connections to the emulated tower prior to attempting connections with actual Verizon Wireless towers.
Verizon's cooperation would not be required in this instance. So long as the "stingray" is broadcasting the appropriate SID any nearby Verizon Wireless device is going to prefer it over more distant cell sites with weaker signal.
quote:
“The FBI technical agents needed Verizon Wireless to write data to the aircard in this manner because the aircard’s properly configured Preferred Roaming List prevented it from accessing rogue, unauthorized cell sites
Not if the "unauthorized" cell site is masquerading as a legitimate one. The PRL doesn't list towers, it lists system/network IDs, and priority frequencies to scan for service when the phone is cold booted. The "stingray" likely behaves just as a femtocell does, broadcasting on the exact same frequencies as the macro cellular network. No PRL modification would be necessary. Hell, a system that depended on PRL modifications would be useless for 3G devices, since the user controlled (via *228) when they would pull such an update, and most aren't proactive enough to bother.
CXM_Splicer
Looking at the bigger picture
Premium Member
join:2011-08-11
NYC

1 edit

CXM_Splicer

Premium Member

This is true but would would have ALL Verizon cellphones in range connecting to the Stingray. Obviously a warrant wouldn't allow that. The PRL modification would set the target's phone to look for the Stingray (on a separate network) first and a Verizon network second. That would prevent any other Verizon user in the area of the Stingray from connecting to it. What you talk about is possible though and is done by hackers every now and again

The biggest problem with a MITM attack on cellphones is when the target phone is connected to the rogue cell site, they cannot get any incoming calls. Outgoing calls can be routed through an alternate path but, unless Verizon gives you a connection to their switch, incoming voice, email, text will not be intercepted.

EDIT:Rogue not Rouge! Sometimes even with spell check these things happen.
Crookshanks
join:2008-02-04
Binghamton, NY

Crookshanks

Member

said by CXM_Splicer:

This is true but would would have ALL Verizon cellphones in range connecting to the Stingray. Obviously a warrant wouldn't allow that.

And? As long as they are just passing the traffic there really isn't an issue here. Internet wiretaps are going to "see" every packet passing the wire, they just use filters to limit the ones they actually capture. No difference here.
CXM_Splicer
Looking at the bigger picture
Premium Member
join:2011-08-11
NYC

CXM_Splicer

Premium Member

Well the analogy is actually more like spoofing the Internet, it is not a traditional MITM attack or a simple eavesdropping; the traffic is only one way. I highly doubt (technical impossibility aside) that the FBI would spoof the Internet for a 1-2 block radius so that everyone in that radius is actually sending data to the FBI instead of the Internet. It is much easier to redirect only the target's DNS address to the FBI so that they are spoofed but no one else is.

I honestly don't know how they are operating and I wouldn't say they are beyond what your are describing but the way the article is describing it is more 'efficient' and less intrusive. If they have Verizon's cooperation in reprogramming the phone i don't see why it wouldn't happen that way.
Crookshanks
join:2008-02-04
Binghamton, NY

Crookshanks

Member

To the best of my knowledge a PRL update can't be forced with a 3G phone. It can only be requested by the phone itself during initial provisioning and/or PRL updating (via *228 on VZW, other codes on different carriers). 4G devices work differently of course.

Anyway, they aren't using this for wiretapping, they could just as easily do that using the lawful intercept technology built into the telco switch. They're using this to triangulate the location of a mobile device faster than they otherwise could. It's not really a MITM attack as they are classically understood and aren't any real any privacy concerns if an "innocent" phone connects to their base station.

Also, they don't "spoof" the internet to wiretap someones internet connection, but they do monitor at the network edge, and by definition that means innocent packets will also be passing through the dragnet. So long as they don't monitor/record those packets there isn't a problem