by digi_owl 3522 days ago
Best I can tell, Stingray is a passive device.

It just uses a directional antenna to listen for the "keepalive" exchange between cell tower and device, focusing on a specific IMSI.

Also, even if your device is currently using LTE or similar, the GSM (or whatever 2G radio it has) will still be on and talking to the relevant network (unless you specifically tell the device otherwise, and the OEM allowed you to). This is to provide a smoother handover should the LTE signal drop too low.

Hailstorm, on the other hand, is basically a jammer tuned to 3G and 4G frequencies, thus forcing any devices in range to drop down to 2G. For the general public a jammer would be a big no-no, but law enforcement is a different matter.


IMSI catchers (like Stingray) are not fully passive devices. They have an operation mode where they broadcast a signal that appears to come from a legitimate cell phone tower. This captures traffic from all devices within range, targeted or not. This is why they are often called "cell site simulators": that accurately describes how they are often used. For more information, check out this EFF page.

https://www.eff.org/sls/tech/cell-site-simulators

...but how? Comments above imply that 3G and 4G are protected with strong encryption/authentication. How is a Stingray capturing metadata from calls and SMS?

I was under the impression that Hailstorms either have valid cell tower certificates (dunno if wireless carriers are complicit) or they exploit the vast quantity of modem firmware bugs.

http://www.ee.columbia.edu/~roger/ShmooCon_talk_final_011620...

I thought Stingray was active because you can detect it if you have the right firmware.

http://www.slate.com/blogs/future_tense/2014/12/31/snoopsnit...

Also, I thought Hailstorm was LTE only (and doesn't degrade to 2G).

https://insidersurveillance.com/deciphering-harris-hailstorm...