Here's how to set up ~$30 worth of gear to detect cell-site simulators, which are used by police and ICE to spy on phones in a physical location, using @eff's new tool Rayhunter https://micahflee.com/hunting-street-level-cell-phone-surveillance-with-rayhunter/
Hunting street-level cell phone surveillance with Rayhunter

Things are scary in the US right now. ICE is disappearing students for protesting genocide and kidnapping innocent people off the streets to enslave in El Salvador. All over the country, people are taking to the streets every week to protest oligarchy, and fascist counter-protesters are starting to show up

@micahflee great post, thank you! I don't suppose the technology is there to enable users to home in on the approximate location of the CSS is there? Just to like... get a good look?

@copiesofcopies @micahflee

It's not going to be that far away. Stingrays don't have the same elevation as real cell towers, and probably not as much power either if they have to be portable. That has to reduce their range. It might be worth just walking around and looking for suspicious vans.

@micahflee @eff I've made a few and they work well. Just remember that this is all still in development. Thanks for showing some love to the EFF!

@micahflee

Great writeup!

One outstanding mystery to me: since a cell phone without a SIM can still call 911, it's not clear (from the references I've seen so far) that even an inactive SIM is required to detect.

@tychotithonus yeah, I'm not clear about this either. And I don't have a spare cell-site simulator lying around to test if it works or not lol

@tychotithonus @micahflee The ability to call 911 even without a SIM is limited to phones. Many data-only cell radios skip powering up the analog circuitry entirely if they can’t detect a SIM, since the device designers know the radio can’t ever be used to call 911. I don’t know how much research has been done into this device. It could even use a variety of cell radios, some of which don’t need a SIM and some of which do.

Easy enough to just throw an inactive SIM into it.

@bob_zim

Hey, super informative and helpful - thank you!

@micahflee

@micahflee @eff oh it's like the Stingray we used to have to watch out for when selling dope. It's crazy that simple survival is going to be such a complex and sophisticated affair for people. It's so sad

@micahflee lemme guess: @eff just took a multi-network eSIM and multi-network WWAN modules to scan for "#deauth" / "#EvilTwin" attacks?

Cuz I remember @heiseonline or @golem actually suggest this as a method to detect #IMSIcatchers without requiring an expensive #SDR:

  • By precisely looking when which WWAN stick (for #3G back then) got disconnected and warning if they all got disconnected & reconnected at the same time...

AFAIK #GSMK uses that same technique for their #Baseband-#Firewall to automatically detect #Interception attempts and deploy countermeasures!

@kkarhan @micahflee @eff @heiseonline @golem Doesn’t need a SIM connected to an active account, so no need for the multi-network SIM. Not sure if the device itself can be used on multiple networks, but since Stingrays attack multiple networks at once, the device doesn’t need to connect to more than one.

Yes, it listens for control traffic and tries to detect suspicious patterns like deauths trying to force the modem to connect to a different tower.
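The detection heuristic described in this thread (all modems dropping and re-attaching to a different tower at the same moment, per the earlier heise/golem-style multi-stick idea and the control-traffic explanation above), as an added example that is not part of any post here and not Rayhunter's code. The log format, modem names and cell IDs are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample event log from two WWAN modems (hypothetical format,
# not real Rayhunter output): "<ISO timestamp> <modem> <attached|detached> cell=<id>".
SAMPLE_LOG = """\
2025-04-01T10:00:00 modem0 attached cell=0x1A2B
2025-04-01T10:00:00 modem1 attached cell=0x1A2B
2025-04-01T10:05:12 modem0 detached cell=0x1A2B
2025-04-01T10:05:13 modem1 detached cell=0x1A2B
2025-04-01T10:05:20 modem0 attached cell=0x0FFF
2025-04-01T10:05:21 modem1 attached cell=0x0FFF
2025-04-01T11:30:00 modem0 detached cell=0x0FFF
2025-04-01T11:30:45 modem0 attached cell=0x0FFF
"""

LINE_RE = re.compile(r"(\S+) (\S+) (attached|detached) cell=(\S+)")

def parse_events(text):
    """Return a list of (timestamp, modem, event, cell) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, modem, ev, cell = m.groups()
            events.append((datetime.fromisoformat(ts), modem, ev, cell))
    return sorted(events)

def find_correlated_drops(events, window=timedelta(seconds=30)):
    """Alert when every modem is detached and re-attached to a different
    cell within one window; a single modem dropping alone is ignored."""
    modems = {e[1] for e in events}
    alerts, last_cell = [], {}
    for ts, modem, ev, cell in events:
        if ev == "attached":
            last_cell[modem] = cell  # remember the cell each modem was on
            continue
        if alerts and ts - alerts[-1][0] <= window:
            continue  # this burst was already reported
        win = [e for e in events if ts <= e[0] <= ts + window]
        dropped = {e[1] for e in win if e[2] == "detached"}
        moved = {e[1] for e in win
                 if e[2] == "attached" and e[3] != last_cell.get(e[1])}
        if dropped == modems and moved == modems:
            new_cells = sorted({e[3] for e in win if e[2] == "attached"})
            alerts.append((ts, new_cells))
    return alerts
```

The 11:30 event in the sample is a lone reconnect to the same cell and produces no alert; only the simultaneous move of both modems at 10:05 is flagged.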

@bob_zim @micahflee @heiseonline @golem Makes sense.

  • After all, the whole #IMSIcatcher system can be detected by passive #SIGINT as it's an active attack on mobile networks.

I wonder if I can get a compatible device in #Germany as well...

  • Bonus points if that device has a freely reprogrammable #IMEI to allow hiding its identity.
@kkarhan The system the EFF published is just software you can put on a cell-to-WiFi device you source yourself. The hotspot is just a cheap, preassembled way to get cell radio to listen, a processor to look at the control traffic, and WiFi to let you pull data off of it.

@bob_zim yeah. Seen it in the writeup by @micahflee ...

I just hope to find any that ain't #NetLock'd / #SimLock'd to #Verizon and that these support more than #US-#LTE bands...

  • Not sure if it needs a valid #SIM or just an #ICCID + #Ki on a #SIM to get going (cuz in #Germany it's hard [imported #SIM] to illegal [domestic SIMs] to get an anonymous SIM since 07/2017).

I just wish @eff wouldn't expect everyone to use #centralized, #SingleVendor & #SingleProvider services like @signalapp in the age of #CloudAct, cuz neither I nor anyone I'd trust would submit #PII to them like a #PhoneNumber as a matter of principle!

@bob_zim @micahflee @eff

Sadly there's only 1 listing on eBay willing to ship to #Germany...

@micahflee @eff I love you #EFF, thank you for existing!
@micahflee @eff if no one in #PDX has built one of these I suppose I will.
@micahflee @eff Will this work in Europe, too, or is it limited to the USA?