It has been nearly a year since we reported on the ubiquitous device used by the government and local law enforcement called the Stingray. The findings and disclosures about cell phone tracking have since evolved to alarming proportions, to the point where individuals should take precautions in defense of these devices. An article appearing in Motherboard urges people to lobby their phone companies for information which might be crucial in combating this epidemic of cell tower mimicry, and to find which companies give police access to their services.
According to Ravishanka Borgaonkar, a senior researcher at the Intel Collaborative Research Institute for Secure Computing, all mobile devices are constantly revealing their locations to all, and thus are easy to track, and because stingray devices can be easily built at home for about $1500, you may be in danger from more than just law enforcement agencies.
Each phone has an International Mobile Subscriber Identity or IMSI, which can be snagged by commercially available IMSI Catchers or Stingrays. If someone has your IMSI, they know where you are.
“If you are doing an active attack, then you could follow the victim easily. This is the way cellular system has been designed and it is not possible to change with a minimal change.”
Motherboard explains further,
“Handsets readily share IMSIs because it facilitates roaming. Out of all the phones being used in the wild today, 2G GSM phones are the most vulnerable. GSM is, by far, the leading global standard for mobile. While most networks are switching to 3G and 4G, the older generation 2G networks remain in place as fallbacks, so when IMSI catchers want to listen in, they force mobiles to connect via 2G connections. Then, devices can be tracked, listened to or blocked without the device even verifying that tower it has connected to is legitimate (mutual authentication, in technical lingo). The encryption on it is so weak that users should assume any communication is in plain text.”
By sharing data among devices, a user could be warned that a new base station has appeared in an area that hasn’t been observed there before. If that base station had an extraordinarily strong signal, it would be cause for alarm and alert the phone user
The hitch is that this would require the cooperation of the makers of the mobile operating system (Google, Microsoft, Apple), and they have shown no enthusiasm for doing such. The improved encryption these makers have provided in newer phones make it difficult for the government and others to access data stored on them, but attacks via IMSI make phones still vulnerable not only to the government-run Stingrays, but home-made versions which can be built using over-the-counter hardware.
With access to the right info, security conscious mobile users could receive warnings that someone might be trying to track them or is listening in to their conversations, but the big techs aren’t cooperating, and nor are the major wireless carriers. It is therefore incumbent on consumers to continue to press for the information to be unlocked.
If you’re are like many people, you might be likely to say that since you’ve nothing to hide and you’re not a criminal, there is nothing to worry about. Just remember that in this world there are good guys and there are bad guys. If the good guys can track you, then so can the bad guys. Do you really want these folks able to identify where a well-heeled target, like maybe you, is located?