
Stingray? Can I build one?


i8igmac


I have read a few articles about changes with law enforcement, which require search warrants in most situations to allow use and logging of information gathered from a stingray... cell phone calls, text, etc.

My lame term (cell phone tower MITM attack)

Can I build one of these? I would think the process is identical to Karma-like attacks...

Edited by i8igmac

As per Wikipedia (also here) there are 14 possible bands of which typically 3-4 are supported by your phone. According to this archived topic here the 900 MHz band is the public one in the US. You're allowed to transmit with up to 1 watt of power according to this but you might want to find a better source. Generally speaking, so long as you don't interfere with the regular service on public land you can do whatever the hell you want.


Probably highly illegal unless you live in Serbia.

I think with software defined radio and DECT it could be done. I hear cell phone encryption takes a lot of compute power to crack. I think the reason law enforcement or ABC company is able to monitor cell phone communications is because they can easily obtain the encryption keys from the cellular carriers. Most telephone traffic is encrypted these days. Also I'm pretty sure cell carriers just straight up monitor your transmissions these days anyhow.

An attacker would probably be more likely to succeed at exploiting the phone and recording transmissions that way.


It's not anywhere near illegal. One of the bands is specifically available to you to run your low-powered cell phone service on. There are rules to ensure you don't mess around with other people's service but as long as you abide by those rules there's nothing illegal going on here.

Telephone traffic between you and the tower is encrypted (well, it can be, to be precise) but from the tower on it may not be. There are 4 variants for cellphone encryption, of which 1 is "no encryption at all" and one has been thoroughly defeated already. The problem is the staggering inertia of the telecom companies that want to milk their hardware for all it's worth - they invested X in a tower whose associated hardware can only do those 2, making it nice and cheap. The fact that it's insecure doesn't prevent it from working, so they do nothing and keep making money, or they invest in securing the traffic, the net benefit of which is invisible to their customers, so it's tough to pass those costs on to them.

Monitoring takes place well beyond the cell tower. It's much, MUCH cheaper that way and also much, MUCH more reliable. Also really easy to hide from the targeted individual.


Um... You want to build your own cell phone tower that basically proxies on to the actual tower?

Yes, and Chekov would like to know where all the Nuclear Wessles are.

Probably highly illegal unless you live in Serbia.

I think with software defined radio and DECT it could be done. I hear cell phone encryption takes a lot of compute power to crack. I think the reason law enforcement or ABC company is able to monitor cell phone communications is because they can easily obtain the encryption keys from the cellular carriers. Most telephone traffic is encrypted these days. Also I'm pretty sure cell carriers just straight up monitor your transmissions these days anyhow.

An attacker would probably be more likely to succeed at exploiting the phone and recording transmissions that way.

Yes, highly illegal, even for the police to use! However, your assumption of how it works isn't correct - when a stingray is present it forces all phones that have "WCDMA preferred" set (and older phones) onto an unencrypted 2G network, and they capture the data in clear text for the most part.
How do I know? I live and work in DC/NoVA - Stingrays are frikking everywhere, man!
Once I figured out how to know when they're being used, it's easy to detect without anything special. I was messing with the IMSI catcher detector I got off the EFF website. After 6 months of zero notifications I finally got a RED hit after going out to buy beer, and contacted the developers for further info. After much back and forth with them I came to realize how the app worked. A stingray is detected when your cell phone is forced onto an unencrypted network, along with a few other events to verify that you are being spied on. For me, I happened to be at a 7-11 buying beer and my best guess is that an apartment building nearby was being monitored for drug related crime. Plus that area is a highway choke point, and one stingray strategically placed there would easily record the comings and goings of hundreds of thousands of commuters. The way the software worked to detect if an IMSI catcher was operational in your area is by referencing the access point name off an open source database, and if your phone was forced on to the pre-3G unencrypted network it would notify you.
I started noticing that I would go to some metro stations and have good signal one day, but on other days I would get forced on the EDGE network. Those were the days that I also got notifications from the IMSI catcher detector. Plus on those same days an excessive number of "Anti-terror" cops would be standing around the metro station in a gaggle.
As an example - my train pulls into Chinatown station; normally my phone would connect to the H+ (HSPAP) network and I'd have full signal, but on several occasions I would only get the EDGE network. At the same time that station would be crawling with cops. From talking with the developers of the IMSI catcher detector and screwing with the WiFi Pineapple I figured there was a rogue cell station with an aggressive broadcast setting. I found a way to force my phone on the H+ network by typing in a code and changing my phone from "WCDMA preferred" to "WCDMA only" - I noticed that if you are on the EDGE network, then make this change, you will all of a sudden get the high speed network. To me this confirms that there is a rogue cell tower or a stingray present. However, if you are in an area and the cell repeater is old tech then you will get zero bars. Plain and simple, no need for an IMSI catcher detector when you can just do this manually. Not all cell phones allow you to make this change, and not all cell phones will allow you to switch from the H+ to an unencrypted network.
My phone is a Nexus 4 - here is the code. Have fun hunting Stingrays.
*#*#4636#*#* -> SEND - Choose "phone information" - half way down the page you will see "WCDMA preferred"
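The detection heuristic described in the post above (alert on a forced drop to an unencrypted 2G cell, corroborated by a cell identity not found in an open cell database), as an added example that is not part of the original thread or of the EFF detector app. The log format, the cell identities and the "known cells" set are constructed stand-ins for what such an app would collect.

```python
"""Toy IMSI-catcher heuristic: flag 2G downgrades to unknown or unciphered cells."""
import re
from collections import namedtuple

# Constructed sample of per-event radio state, roughly what a detector app
# could log: time, radio access technology, cell identity (MCC-MNC-LAC-CID),
# and whether/which ciphering was negotiated.
SAMPLE_LOG = """\
08:01 rat=HSPAP cell=310-260-4101-22811 cipher=on
08:07 rat=HSPAP cell=310-260-4101-22815 cipher=on
08:12 rat=EDGE  cell=310-260-4101-22815 cipher=A5/1
08:13 rat=HSPAP cell=310-260-4101-22815 cipher=on
08:15 rat=EDGE  cell=310-260-9999-77001 cipher=A5/0
08:20 rat=HSPAP cell=310-260-4101-22811 cipher=on
"""

# Constructed stand-in for the open cell database the post refers to.
KNOWN_CELLS = {"310-260-4101-22811", "310-260-4101-22815"}

TWO_G = {"GSM", "GPRS", "EDGE"}          # pre-3G technologies
NO_CIPHER = {"A5/0", "none", "off"}      # A5/0 means no encryption at all

LINE_RE = re.compile(r"(\S+)\s+rat=(\S+)\s+cell=(\S+)\s+cipher=(\S+)")
Event = namedtuple("Event", "time rat cell cipher")

def parse_log(text):
    """Parse the constructed log format into Event tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(*m.groups()))
    return events

def find_suspicious(events, known_cells=KNOWN_CELLS):
    """Return (time, reasons) for events that look like a forced 2G downgrade."""
    alerts = []
    prev = None
    for ev in events:
        reasons = []
        if ev.rat in TWO_G and prev is not None and prev.rat not in TWO_G:
            reasons.append("downgrade %s->%s" % (prev.rat, ev.rat))
        if ev.rat in TWO_G and ev.cipher in NO_CIPHER:
            reasons.append("no ciphering on 2G")
        if ev.cell not in known_cells:
            reasons.append("cell %s not in database" % ev.cell)
        # A lone downgrade is normal on weak signal; require corroboration.
        if len(reasons) >= 2:
            alerts.append((ev.time, reasons))
        prev = ev
    return alerts
```

Run on the sample, the 08:12 drop to a known, ciphered EDGE cell is ignored as an ordinary fallback, while the 08:15 drop to an unknown, unciphered cell is reported.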
