Stingrays—devices used by government agencies to intercept or disrupt mobile communications and track people through their phones—are more popular than ever with law enforcement and government agencies. Just yesterday, the US Internal Revenue Service (IRS) admitted it uses such equipment as part of its criminal investigations.
Stingrays usually work by abusing older mobile networks such as 3G, 2G, and GSM. But with an estimated 1.4 billion people using the more secure LTE by the end of 2015, these attacks could be getting a bit out of date. LTE, or Long Term Evolution, is the latest generation of mobile communications networks; it's a 4G technology.
"To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols," the researchers from Technische Universität Berlin, Telekom Innovation Laboratories, Aalto University, and the University of Helsinki write in their paper.
In short, Stingrays typically work by pretending to be a cell phone tower. When a passing phone connects, the Stingray is able to scoop up sensitive pieces of data, such as the phone's unique identification code (this is known as an International Mobile Subscriber Identity, or IMSI—Stingrays are officially called "IMSI catchers"). Depending on the Stingray model, an attacker might be able to track the location of a phone (and in turn its user), cut off service to the device, or intercept its calls and texts. The researchers' new Stingray works in a similar way, but utilizes the latest LTE network instead of the aging 3G and GSM ones.
According to the researchers, previous methods used to trigger attacks on users, such as phone calls or SMS, are not as effective anymore, as tools exist to detect them. But as long as the target has the appropriate apps installed, social media services can also be used to force the target device to communicate with the attacker's LTE Stingray, all without alerting the target.
For example, the researchers sent messages to a target's Facebook account, which, because the message was coming from someone who was not on the target's friends list, landed in their "Other" message folder and did not send the user a notification. They also used WhatsApp to initiate attacks, in which case it was necessary to know the target's phone number.
As for this latest Stingray, the researchers were able to find a device's location with much more accuracy than with a traditional GSM Stingray, and could shut off the device's network capability entirely.
The Stingray used in the research was cobbled together with a modest laptop running Ubuntu, a radio peripheral that costs around 1,000 euros, and some freely available open source software. Back in 2010, hacker Kristin Paget demonstrated another home-made Stingray at the Defcon hacking conference which cost around $1,500 to build, but that was for GSM networks.
Law enforcement agencies have already been trying to update their Stingrays before older networks become redundant. In the US, the News Tribune uncovered a purchase order from the Drug Enforcement Administration (DEA) for a "Hailstorm" upgrade, which "is necessary for the Stingray system to track 4G LTE phones."
Although little public information is available about their development for law enforcement, it's clear that LTE networks will not be immune to Stingray attacks.
Correction: A former version of this article incorrectly referred to Kristin Paget as Chris Paget. We apologise for the error.