FOIA Confirms Lawless Nature of FBI Sky Spies
From the post:
The Electronic Frontier Foundation (EFF) released documents received in response to a Freedom of Information Act lawsuit that confirm the use of cell-site simulators in surveillance aircraft and the shocking disregard for oversight or regulatory policy whatsoever. The federal government is flying spy-planes over US soil, as the EFF put it, “without any policies or legal guidance.” North Star Post has been reporting on these activities since our founding following the independent disclosure of FBI operated domestic aerial surveillance on May 26th, 2015.
The EFF reports: the FBI’s “first successful airborne geolocation mission involving cellular technology” apparently occurred sometime in 2009, yet even as late as April 2014 lawyers from the FBI’s Office of General Counsel were discussing the need to develop a “coordinated policy” and “determine any legal concerns.”
NSP most prominently reported on the FBI’s evasion of established policy with regard to warrants for cell-site simulator deployment in October of last year.
Aircraft have been identified as part of the FBI, DEA, DHS and other fleets, with many aircraft flying on a daily basis. The fleet is predominantly single-engine Cessna aircraft, with most flying 4-5 hours in looped patterns and circles with a radius of 2-2.5 miles. The 2+ mile figure is most likely the range of the DRT box although this has yet to be substantiated by government documents.
…
The full post has more details, including help with tracking these planes.
Security Syllogism:
All software/hardware have vulnerabilities.
DRT boxes are hardware and software.
Therefore, DRT boxes have vulnerabilities.
Yes? It’s been a while but I think that works.
While tracking airplanes and complaining about illegal law enforcement activity is useful, how much more useful would be vulnerabilities in DRT boxes?
DRT boxes promiscuously accept input, always a bad starting point for any hardware/software.
It could be as simple as building a directional “fake” cellphone that overloads the DRT box with noise.
Experts who have access to or who liberate DRT boxes can no doubt provide better advice than I can.
But on the whole, I’m not inclined to trust law breakers who, having been caught, plead that they can now be trusted to follow the rules, but without any oversight.
That just strikes me as wholly implausible if not idiotic. The best defense is a good offense.
North Star Post has started a series on aerial surveillance: Part 1.
If you don’t know North Star Post (I didn’t), you should check them out. Follow @NStarPost.
I have no connections with North Star Post but consider it a public service to recommend you follow useful accounts, even ones that aren’t mine.
PS: If you do run across hacking information for DRT boxes, please post and/or re-post prominently. It’s not so much a matter that I become aware of it but that the public at large is enabled to defend itself.
Hello – thank you for sharing our article! I’m the main technical person on the North Star Post team. My twitter handle is @jason_nstar
I agree with your comments and find them interesting. I think that a large amount of surveillance and offensive cracking technology is designed rather arrogantly. The developers assume that they’re attacking and ignore the potential for counterattacks. This seems to be the case in the Snowden files, Hacking Team, and Gamma / FinFisher.
I do not have access to a DRT box to explore for vulnerabilities, but it’s possible that there are exploits. As the computing power on these increases, remote exploitation could be really interesting. A cell phone running OsmocomBB or other code with the ability to create baseband messages could be used to send arbitrary messages to a DRT box / cell-site simulator. Perhaps a rooted Android w/ Qualcomm diagnostic access will work? If anybody has some technical details, they should reach out. We just started running a Tor onion service for leaks (address on my twitter and instructions at nstarpost.com).
One challenge that needs to be kept in mind: you probably want to avoid attacking legitimate cell towers, so detection is important. It is very difficult to confirm a cell-site is rogue above ~95% confidence without access to the carrier’s infrastructure and other information if the device is not doing really aggressive things like downgrade attacks on encryption and protocols, or hammering you with messages to target your location.
Detection is important because it lays the groundwork for more interesting ways to defend against these attacks. I hope that our and others’ reporting on the scale of these attacks might drive technical, business, and/or political decisions that limit the effectiveness and scope of this surveillance. Law enforcement seems to dislike their use of surveillance tech being made public, so better detection and disclosure might have a chilling effect on careless use. Carriers and device makers can improve the security of the network, devices, and/or include detection and warnings. Congress might do something… but probably not. A more informed public might pressure all of the parties involved.
I expect and hope the field of active counter-surveillance will emerge from ideas like yours.
I would just throw out one more idea / comment:
We recently published an article on Cellebrite, which is used for copying data off of cellphones. Cellebrite sells a version of their UFED software on a portable unit running Windows XP Embedded. How often do you think those get security updates? Seems like lower-hanging fruit than DRT boxes.
Link: http://nstarpost.com/17518/175572/a/cellebrite-what-you-need-to-know-about-cell-phone-forensics
Thanks again! I’d be interested to discuss this further, or any other thoughts you have on surveillance / counter-surveillance.
Comment by jason_nstar — March 11, 2016 @ 1:29 pm
Your comment triggered a thought of an easier means to defeat DRT boxes on a regular basis.
The majority of mobile users switch between the same cell towers day in and day out. Over a week you would have a list of all the towers they are likely to visit.
Change the phone software to ignore stronger towers that are not in the list of “remembered” towers. A refinement would ping the tower API at: http://developer.opensignal.com/ and if the tower ID cannot be verified, ignore the stronger but unregistered tower.
For security conscious users, a check-cell-tower feature that checks the remembered towers against that same API would be nice.
I suspect such cellphone software would defeat aerial DRT boxes without any effort on the part of users (an important feature of any security improvement).
Do you think this idea for defeating DRT boxes could be patented? 😉
Comment by Patrick Durusau — March 11, 2016 @ 3:23 pm
The AIMSICD project at https://secupwn.github.io/Android-IMSI-Catcher-Detector/ attempts to identify unrecognized towers, and I also saw a project that someone at MIT had started a few years ago but went nowhere. So there is some prior art that would probably get in the way of enforcing a patent. Cryptophones may also do this, but I’m not sure. I don’t know that either can force the device to ignore unknown towers, but this is possible in a custom OS. I’m keeping an eye on the Copperhead Android fork – it might support cell-site simulator detection and avoidance in the future.
Here’s a URL for Copperhead: https://copperhead.co/android/
Cell towers do change from time to time, so some level of flexibility or crowdsourced reputation would help improve security as a stopgap before newer protocols hopefully improve and older protocols are retired.
I think the surveillance tech will also improve and might start to take advantage of other properties of cell phones. Models, chipsets, and devices are probably somewhat identifiable based on characteristics about RF signal behavior, response times, and other pieces of metadata.
Comment by jason_nstar — March 11, 2016 @ 3:56 pm
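The remembered-towers idea from the two comments above (learn the towers a phone normally camps on, flag an unknown tower that shows up stronger than all of them, clear it through an external lookup, and tolerate legitimate tower changes with a crowdsourced or time-based reputation) as an added example in Python. This is not North Star Post, AIMSICD or Copperhead code. The cell identifiers, signal levels and the ASSUMED_TOWER_DB lookup are constructed stand-ins; the real OpenSignal API is not called, and the `verify` hook is an assumed interface for whatever database a deployment would use.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class CellId:
    """GSM/UMTS-style cell identity: country, network, location area, cell."""
    mcc: int
    mnc: int
    lac: int
    cid: int


@dataclass(frozen=True)
class Observation:
    """One scan result: which cell was seen and how strongly (dBm, less negative = stronger)."""
    cell: CellId
    rssi_dbm: int


@dataclass(frozen=True)
class Alert:
    day: int
    cell: CellId
    rssi_dbm: int
    strongest_known_dbm: Optional[int]
    reason: str


class TowerAllowList:
    """Remember the cells a handset normally uses; flag unknown cells that would win cell selection."""

    def __init__(self, verify: Optional[Callable[[CellId], bool]] = None,
                 promote_after_days: int = 3) -> None:
        self.known: Set[CellId] = set()
        # distinct days on which an unknown cell was seen WITHOUT outranking a remembered cell
        self.quiet_days: Dict[CellId, Set[int]] = {}
        self.verify = verify                      # assumed external lookup (e.g. a tower database)
        self.promote_after_days = promote_after_days

    def learn(self, observations: List[Observation]) -> None:
        """Baseline window: every cell seen while learning is trusted."""
        for obs in observations:
            self.known.add(obs.cell)

    def evaluate_day(self, day: int, observations: List[Observation]) -> List[Alert]:
        """Monitoring: one alert per unknown cell that is stronger than all remembered cells."""
        strongest: Dict[CellId, int] = {}
        for obs in observations:                  # collapse repeated scans to the strongest reading
            strongest[obs.cell] = max(strongest.get(obs.cell, obs.rssi_dbm), obs.rssi_dbm)
        known_levels = [lvl for c, lvl in strongest.items() if c in self.known]
        strongest_known = max(known_levels) if known_levels else None

        alerts: List[Alert] = []
        for cell, level in strongest.items():
            if cell in self.known:
                continue
            if self.verify is not None and self.verify(cell):
                self.known.add(cell)              # cleared by the external reputation source
                continue
            if strongest_known is not None and level <= strongest_known:
                # Unknown but not winning cell selection: harmless today. A cell that stays
                # harmless on enough distinct days is treated as a legitimate network change.
                quiet = self.quiet_days.setdefault(cell, set())
                quiet.add(day)
                if len(quiet) >= self.promote_after_days:
                    self.known.add(cell)
                continue
            reason = ("unknown cell outranks every remembered cell" if strongest_known is not None
                      else "no remembered cell in range")
            alerts.append(Alert(day, cell, level, strongest_known, reason))
        return alerts


# Constructed sample cells (fictional identifiers, not real towers).
HOME = CellId(310, 410, 1001, 42)
WORK = CellId(310, 410, 1001, 77)
ROAD = CellId(310, 410, 1002, 15)
NEW_TOWER = CellId(310, 410, 1001, 99)      # carrier adds a tower after the baseline week
SUSPECT = CellId(310, 410, 9999, 1)         # appears out of nowhere and overpowers HOME
LISTED = CellId(310, 410, 1003, 8)          # unknown locally but present in the assumed tower database

ASSUMED_TOWER_DB = {LISTED}                 # constructed stand-in for a crowdsourced tower lookup


def run_demo() -> Dict[int, List[Alert]]:
    """Seven baseline days of normal use, then six monitored days; returns alerts per day."""
    detector = TowerAllowList(verify=lambda c: c in ASSUMED_TOWER_DB, promote_after_days=3)
    baseline = [Observation(HOME, -75), Observation(WORK, -68), Observation(ROAD, -85)]
    for _ in range(7):
        detector.learn(baseline)

    days = {
        7: [Observation(HOME, -75), Observation(SUSPECT, -50)],                           # alert
        8: [Observation(HOME, -75), Observation(NEW_TOWER, -82), Observation(LISTED, -60)],  # LISTED cleared
        9: [Observation(HOME, -76), Observation(NEW_TOWER, -81)],
        10: [Observation(HOME, -74), Observation(NEW_TOWER, -80)],                        # NEW_TOWER promoted
        11: [Observation(HOME, -74), Observation(NEW_TOWER, -52)],                        # now trusted
        12: [Observation(SUSPECT, -48)],                                                  # alert, no known cell
    }
    return {day: detector.evaluate_day(day, obs) for day, obs in days.items()}


if __name__ == "__main__":
    for day, alerts in run_demo().items():
        for a in alerts:
            print(f"day {day}: {a.reason}: lac={a.cell.lac} cid={a.cell.cid} at {a.rssi_dbm} dBm")
```

The promotion rule only counts days on which the unknown cell did not outrank a remembered one, so a simulator that always overpowers the real towers keeps getting flagged while a genuinely new carrier tower that shows up at ordinary strength is accepted after a few days. A handset with no remembered cell in range at all (travel, or a simulator that has pushed every real cell out) is reported with a distinct reason rather than silently accepted, which is where the 95% confidence caveat in the comment above bites: the detector can tell you selection is being won by something unfamiliar, not that the winner is hostile.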
Thanks for the pointers!
I was just teasing about patents. If anything, the idea of detecting illegitimate towers is too obvious to be patentable, at least in my view. Of course, there are companies in the business of patenting the obvious these days.
I’ll be looking at Copperhead. You would think news of routine use of DRT boxes would create a demand for avoiding them, avoidance other than trusting the government to not err again.
Comment by Patrick Durusau — March 11, 2016 @ 4:18 pm