What Your Phone Knows But Isn't Telling You

Researchers say your phone should inform you when a stealthy surveillance device is nearby.

Law enforcement agencies are increasingly using StingRays—devices that can track every mobile phone in a given area by pretending to be a regular cell tower—and similar devices to track suspects, a practice that has been harshly criticized by privacy advocates.

Now, some researchers are suggesting that companies should give customers access to data that could protect them from this type of surveillance, either by law enforcement or by malicious hackers.

Adrian Dabrowski, a PhD student at the University of Technology in Vienna, and four of his colleagues laid out a system to identify when there is a StingRay-like device in use nearby.

The system would work by logging data that phones already collect about towers from many users, effectively crowdsourcing the locations of suspicious signals that could mean the FBI, police, or scammers are logging people passing by.

By sharing data among devices, a user could be warned that a new base station had appeared in an area that hadn't been observed there before. If that base station has an unusually strong signal, that would be further cause for alarm. If it is initiating and then rejecting lots of handover requests, or commands to switch towers, that would be even more cause for alarm.

Data like this would be valuable for users who are privacy conscious, and would yield insights about the use of these surveillance devices over time.

However, this type of data gathering would require the cooperation of the makers behind mobile operating systems, including Google, Microsoft and Apple, which have shown little interest in the issue.

Dabrowski believes mobile devices should provide users access to data about the behaviors of cell towers they connect to, and advocates for sharing this data through an Application Programming Interface (API).

If mobile device makers allowed this information, which is typically inaccessible by most users without a technical background, to be shared through an API, developers could then build easy-to-use apps that would let users see if there are StingRay-esque signals in the area.

"By providing more technical insights into the radio layer (called 'baseband') through standard API, security enhancing applications could finally become available for a broad audience," Dabrowski wrote in an email. "The vast public deserves security and privacy, not only the minority of technically skilled people with the right hardware."

StingRays are the devices made by the Harris Corporation that can track everyone with a mobile phone in a given area. Although apparently widely used by law enforcement and the FBI, the devices can also be built at home. The hacker Kristin Paget built one for about $1,500 and presented it at the Def Con hacker convention in 2010. So it's probably not just law enforcement keeping tabs on people.

According to Ravishankar Borgaonkar, a senior researcher at the Intel Collaborative Research Institute for Secure Computing, all mobile devices are constantly telling the world where they are, and this is what makes them easy to track.

StingRays and other devices known as IMSI catchers grab handsets' International Mobile Subscriber Identity, or IMSI, the number a mobile network uses to identify who is allowed to use or roam on a given cell tower. If someone knows what your IMSI is, they can know where you are.

"If you're doing an active attack, then you could follow the victim easily," Borgaonkar wrote. "This is the way cellular system has been designed and [it is] not possible to change with a minimal change."

Handsets readily share IMSIs because it facilitates roaming. Out of all the phones being used in the wild today, 2G GSM phones are the most vulnerable. GSM is, by far, the leading global standard for mobile. While most networks are switching to 3G and 4G, the older generation 2G networks remain in place as fallbacks, so when IMSI catchers want to listen in, they force mobiles to connect via 2G. Then, devices can be tracked, listened to or blocked without the device even verifying that the tower it has connected to is legitimate (mutual authentication, in technical lingo). The encryption on 2G is so weak that users should assume any communication is in plain text.

The newer 3G and 4G connections are encrypted, meaning that government agencies can't listen in without active participation by carriers, but these phones will still give their IMSI to Stingrays, Borgaonkar explained, so that every mobile device is easily trackable today.

Dabrowski's colleagues tested two methods for spotting fake base stations, one using fixed devices and another using only hacked Android phones.

"Both of our IMSI Catcher Catchers were able to detect the attack reliably, even in identification mode where the phone is captured for less than two seconds," the collaborators wrote. "Our results indicate that the detection of this kind of attack became feasible with standard hardware."

In fact, a group called SnoopSnitch explains how to hack your Android phone to get access to this data and share it toward the same end—but you'll have to root, or hack, your own device to do it.

Stuart Ward, a former mobile security professional in Europe who served on standards bodies in earlier eras, confirmed the researchers' methodology.

"There have been a few operators doing studies of the effect on their networks of StingRay type devices," he wrote. "The upshot of these is that the network will see a huge spike in failed handover requests, phones that in a call near the Stingray will try and handover to the much stronger signal."
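The warning signs the article lays out, a base station that has never been seen in an area before, an unusually strong signal, and a burst of handover requests that the cell initiates and then rejects (the spike Ward describes), can be combined into a simple crowdsourced scorer. The following is an added example, not code from the article, from Dabrowski's group or from SnoopSnitch; it also folds in the forced fallback to 2G the article mentions as a fourth indicator. The observation fields, the grid areas, the cell names, the readings and the thresholds are all constructed for illustration.

```python
"""Heuristic IMSI-catcher indicator scoring over crowdsourced cell observations.

Added example: flags a serving cell when several of the article's warning
signs coincide. Every record and threshold below is constructed, and the
Observation fields are hypothetical rather than any real baseband API.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Observation:
    """One crowdsourced reading of the cell a phone was camped on."""
    area: str               # coarse location bucket, e.g. a map grid square
    cell_id: str            # cell identity as reported by the baseband
    rssi_dbm: int           # received signal strength in dBm
    rat: str                # radio access technology: "2G", "3G" or "4G"
    handover_attempts: int  # handovers the cell initiated while observed
    handover_rejects: int   # how many of those it then rejected


# Constructed baseline: readings gathered by many users on earlier days.
BASELINE = [
    Observation("grid-17", "cell-A", -85, "4G", 4, 0),
    Observation("grid-17", "cell-A", -82, "4G", 3, 0),
    Observation("grid-17", "cell-B", -90, "3G", 2, 0),
    Observation("grid-17", "cell-B", -88, "3G", 5, 1),
    Observation("grid-18", "cell-C", -79, "4G", 6, 0),
    Observation("grid-18", "cell-C", -81, "4G", 2, 0),
]

# Constructed readings from today: "cell-X" has just appeared in grid-17.
TODAY = [
    Observation("grid-17", "cell-A", -84, "4G", 3, 0),
    Observation("grid-17", "cell-X", -55, "2G", 12, 10),
    Observation("grid-18", "cell-C", -80, "4G", 4, 0),
]


def build_profile(baseline):
    """Summarise what is normal per area: known cells, mean RSSI, RATs seen."""
    cells, rssi, rats = defaultdict(set), defaultdict(list), defaultdict(set)
    for o in baseline:
        cells[o.area].add(o.cell_id)
        rssi[o.area].append(o.rssi_dbm)
        rats[o.area].add(o.rat)
    return {a: {"cells": cells[a], "rssi": mean(rssi[a]), "rats": rats[a]}
            for a in cells}


def indicators(obs, profile, strong_margin_db=20, reject_ratio=0.5,
               min_attempts=5):
    """Return the list of warning signs a single observation triggers."""
    p = profile.get(obs.area)
    if p is None:
        return ["no baseline for this area"]
    found = []
    if obs.cell_id not in p["cells"]:
        found.append("cell never observed in this area before")
    if obs.rssi_dbm >= p["rssi"] + strong_margin_db:
        found.append("signal far stronger than the area's usual cells")
    # min_attempts is checked first, so the division never sees zero
    if (obs.handover_attempts >= min_attempts
            and obs.handover_rejects / obs.handover_attempts >= reject_ratio):
        found.append("most handover requests it initiated were rejected")
    if obs.rat == "2G" and p["rats"] & {"3G", "4G"}:
        found.append("2G connection where 3G/4G is normally available")
    return found


def suspicious_cells(today, baseline, min_indicators=2):
    """Map (area, cell_id) to its indicators for cells tripping several heuristics."""
    profile = build_profile(baseline)
    flagged = {}
    for o in today:
        hits = indicators(o, profile)
        if len(hits) >= min_indicators:
            flagged[(o.area, o.cell_id)] = hits
    return flagged


if __name__ == "__main__":
    for (area, cell), why in suspicious_cells(TODAY, BASELINE).items():
        print(f"WARNING {area} {cell}: " + "; ".join(why))
```

Requiring at least two indicators before warning is the design choice that keeps a single legitimately new tower, or one strong reading near a real mast, from triggering alerts on its own; a real deployment would tune the margins from the crowdsourced history rather than from the constants used here.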

With access to the right info, security conscious mobile users could receive warnings that someone might be trying to track them or even listen to them. But operating systems from Google, Microsoft and Apple lock that data down. Microsoft and Google declined to comment for this story; Apple did not respond.

The major carriers appear to have no objection to withholding data that could help customers identify when they're being tracked.

The five largest wireless carriers in the United States are Verizon, AT&T, Sprint, T-Mobile and US Cellular. We asked all five networks about measures that they could undertake that would permit users to use "think-level security," that is, having information that enables them to make an informed decision on whether they want to leave their phones on or make a call.

We may not know for certain that someone is listening or logging, but it might be helpful to know if—say at a political rally—there is medium to high likelihood that a device in the area is hoovering up people's mobile IDs.

T-Mobile sent this statement: "T-Mobile is continuously implementing advanced security technologies in accordance with worldwide recognized and trusted standards. We continue plans to upgrade our 2G/EDGE network with 4G LTE, which we hope will be substantially complete by the middle of 2015."

A Verizon spokesperson said that because it uses a CDMA network, which is different from GSM, its phones only connect with legitimate towers, even on its 2G network. They did not address the ease with which Verizon phones share IMSI data.

AT&T, Sprint and US Cellular did not respond to multiple requests for comment.

If the justification for keeping the data locked down is that it could confuse users, maybe it would make sense to simply make the data accessible to developers who want to work with it. But it might turn out that the real confusion is how we've let our gadgets put us in a world where it's so easy for strangers to keep tabs on us.