by walrus01 2998 days ago
I work in wireless telecom: Really doubtful "we don't know how to find them". The FCC's enforcement bureau has a set of vans equipped to find unauthorized transmitters. IMSI catchers must transmit and remain on the air. It would be very risky to operate, even briefly, a portable IMSI catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours. The only other explanation I can think of is being operated from embassies with full diplomatic protections, but that runs the risk of the host country (USA) PNG'ing several staff with 24 hour notice as punishment.

Quick edit: Whole US federal agencies have their own TSCM (technical surveillance countermeasures) staff entirely separate from the FCC. It is a job position at the dept of state. Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

11 comments

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

how about quick switching between several [semi-stationary or briefcase carried] catchers (by analogy with an old Russia/USSR anti-aircraft tactic of quickly switching between several radars to avoid being detected and locked-in by an anti-radar missile :).

Theoretically possible. Using current off the shelf tech, several IMSI catchers could be networked together by normal LTE data networks with battle tested VPN crypto. Doable with any mifi type hotspot device or even just a modern phone and tethering. People with high end spectrum analyzers and directional antennas would struggle to locate a thing that only powers on for 1-2 minutes, and is then relocated to a random location. If I were trying to find such things I would need three separate DF (direction finding) teams, and try to establish a pattern of behavior or movement on the part of the operators to narrow down the target areas. Could take weeks.
I'm not a wireless expert, but then wouldn't it also be theoretically possible to have a network of direction finders? Isn't direction finding also a repeatable set of steps that can benefit from automation?
Yes, though DF can be much more efficient with directional (yagi, parabolic, horn) antennas. If fully automated by network, the antennas connected to the spectrum analyzers need to be on two-axis motorized platforms.
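The networked direction-finding idea in the two comments above boils down to one computation: each DF station reports a bearing to the rogue transmitter, and the fix is the point that best agrees with all the lines of bearing. The following is an added example, not code from anyone in the thread; it assumes a local flat x/y grid in metres and bearings in degrees clockwise from north, solves the least-squares intersection of the bearing lines, and reports each station's angular residual so a bad bearing (multipath, mis-aimed antenna) shows up.

```python
import math

def bearing_to(x, y, tx, ty):
    """Bearing (degrees, clockwise from north) from station (x, y) to point (tx, ty).
    Assumed convention for this example."""
    return math.degrees(math.atan2(tx - x, ty - y)) % 360

def bearing_to_normal(bearing_deg):
    # Unit normal to the line of bearing; a point p is on the line iff n . (p - s) == 0
    t = math.radians(bearing_deg)
    dx, dy = math.sin(t), math.cos(t)
    return (dy, -dx)

def fix_from_bearings(stations):
    """stations: list of (x, y, bearing_deg). Returns the least-squares fix (x, y).
    Minimises the sum of squared perpendicular distances from the fix to each bearing line
    by solving the 2x2 normal equations (sum n n^T) p = sum n (n . s)."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, brg in stations:
        nx, ny = bearing_to_normal(brg)
        c = nx * x + ny * y
        a11 += nx * nx; a12 += nx * ny; a22 += ny * ny
        b1 += nx * c; b2 += ny * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        # All bearings (near-)parallel: the lines never cross, so there is no fix
        raise ValueError("bearings are parallel; no unique fix")
    px = (a22 * b1 - a12 * b2) / det
    py = (a11 * b2 - a12 * b1) / det
    return px, py

def bearing_residuals(stations, fix):
    """Signed error (degrees, wrapped to -180..180) between each reported bearing and the
    bearing from that station to the fix. Large values flag an unreliable station."""
    px, py = fix
    out = []
    for x, y, brg in stations:
        predicted = bearing_to(x, y, px, py)
        out.append((brg - predicted + 180) % 360 - 180)
    return out

if __name__ == "__main__":
    # Constructed scenario: three stations, one of them 4 degrees off because of multipath
    target = (300.0, 400.0)
    sites = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    obs = [(x, y, bearing_to(x, y, *target)) for x, y in sites]
    obs[1] = (obs[1][0], obs[1][1], obs[1][2] + 4.0)
    fix = fix_from_bearings(obs)
    print("fix:", fix, "residuals:", bearing_residuals(obs, fix))
```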
It would be easier to, you know, secure wireless communications to begin with. It's not like the Feds couldn't arrange to have stingrays that are properly keyed. (And there's always CALEA.) Yes, I know, it would only be easier for new kit, but it will take a long time to get it deployed. But every year we delay this makes the pain worse.
"The best time to plant a tree was 20 years ago. The second best time is now."
Phased arrays of antennas can compute the incoming direction of a signal entirely through signal processing and do not require a motorized platform.
Purely Rx phased arrays, unless very large, do not have nearly the gain (in dBi) of a good parabolic or horn, and not nearly as much directional discrimination as a good sized (90cm) parabolic.

In a phased array that is also a Tx this can be partially compensated for with higher dBm output power from the radio itself, but that's not the usage scenario we're talking about here.

Can LTE carrier networks not act as an enormous observation system for unauthorized IMEI catchers?
> networked together

The manufacturer bears responsibility for misuse given the current state of the market; this is why markets exist, to trade information. If there is a genuine inability to communicate, then the market ceases to exist.

Open societies favor markets for a reason: communication, open lines of communication, and stable ones at that. There are all kinds of ways a computer virus can infect a system that is automatic; consider the possibility that a virus has infected an "autonomous" control system for a moving vehicle. A mechanical coupling usually makes this impossible, a steering wheel.

I'm sorry, but ... what?
The other explanation is very low power / short range e.g. femtocells. If a Stingray-like device is affecting a single building or the like, targeting a particular person, it likely won't be noticed by anyone.
Something strong enough to get a whole building full of phones to ping it most certainly can be found by a $70,000 spectrum analyzer and a trained RF engineer.
Hell - I bet you could find that with a $12 RTL-SDR and a home built antenna plugged into your laptop - if you were curious and suspected there was one nearby...
Never underestimate the amateur radio community. They hunt down radio pirates, emitters of interference, and hidden beacons for FUN! With the right antenna and a halfway decent receiver, it is not too difficult to hunt down the source of a transmission.

https://en.m.wikipedia.org/wiki/Transmitter_hunting

This doesn't sound like a technical problem. More like a government is being defunded, half the vans need repair, lack of senior management, no direction, other priorities, shortage of techs, hiring freeze, the remaining people only work from 9-5 and we don't pay overtime, type of problem.
While there is extensive infrastructure for detecting active transmitting devices like Stingrays, there's no discussion (or tooling) around passive IMSI grabbers. These devices are significantly more limited (no IMEI or MSISDN, GSM-only), but they remain pretty effective in areas/networks where GSM is still in place.
Depends on how much the devices cost to procure, and the budget of the party using them. Seems like these could be treated as "black-throws" given the right cost:budget ratio.
OpenBTS and Ettus USRP (software defined radios) have made it inexpensive enough for hobbyists to set up cellular base stations at Burningman.

The difference between an open source base station and a homebuilt stingray is negligible.

While a grand or two's worth of radio hardware and however many weekends/evenings spent getting it all set up and the software configured is _kind of_ expensive - it's effectively free at criminal org, corporate espionage, or state levels of action.

Try less than $200. LimeSDR Mini or a couple Motorola C123s running OsmocomBB with a filter swap...or a hacked femtocell
Not even that, if you want to use them as a MitM just broadcast the data you want and any arbitrary receiver will pick them up that can't be pinpointed.

That's assuming you don't mind losing the transmitting hardware.

I think we're saying the same thing.
I am not familiar with this term, “black-throw”, can you elaborate?
Blackthrow or svartkast is a term for a device left behind in potentially hostile territory to continue operating until it is discovered or fails.
For example an imsi catcher spliced into 120vac power and stuffed up into a ceiling tile in a busy shopping mall. I bet that with a stepladder, a clipboard and two guys in high visibility vests, a set of electrician tools, you could do this at nearly any mall in America.
Bonus points for installing a few near each other, configured to operate identically, but at different times.
How do you get the sniffed data, though? You're gonna need some form of high bandwidth uplink.
One option might be to have the sniffing device set up with a hidden wireless network (of some sort).

Then when you walk around, sit in the food court eating, or if the device is close to the outside, sit somewhere out of sight of the cameras with a strong wifi antenna and grab whatever data.

Unless they have some "free" wifi that the device could hop on to send it to some server somewhere.

Using that and / or 4g would make it easier to find the device and, of course, the person though.

"It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours."

Even more so in 2018 where an IMSI catcher is only relevant/useful if you downgrade the target to 2G operation, which requires some kind of additional interference/jamming.

Unless they are using "stingray" as some kind of generic term for "device you use to intercept mobile phones" and there are now 3G/LTE "stingrays".

This would all be so simple to deal with if phones just displayed an "unlocked" or "downgraded" warning when operating in 2G or unencrypted mode ...

>> Evolved from bug detection and removal in the analog days to now encompass just about everything that can leak data.

Relevant: http://www.cryptomuseum.com/covert/bugs/selectric/index.htm

I think it is reasonable to ask if the "feds" actually want to find those stingrays.

Disinformation is a powerful tool.

>It would be very risky to operate, even briefly, a portable imsi catcher in a briefcase and move it around WA DC, nevermind one that remained in fixed locations for hours.

I'd assume if it was run from an embassy it's not risky at all actually - they can just tell the FCC to pound sand.

I'm laughing because that's how this discussion will go when posted here: We'll detail a method to catch rogue sting-rays, then brainstorm how to operate them with less risk.
Well, yeah. That's standard operating procedure for Red/Blue team work.

By knowing how to hack, one knows how to defend. But knowing how to defend also imparts the knowledge to hack.

How do I get into TSCM from conventional appsec work? Is it EE guys and gals and smizmars?