02/05/2018
According to news reports from outlets including IDG's CSO, the US Department of Homeland Security said in early April of this year that there are unauthorized "stingrays" in the Washington, DC area and in "other cities." To be perfectly honest, I cannot find the term stingray in the documents I read, and "StingRay" is a trademark of Harris Corporation, but it appears to be commonly used in a generic sense.
What is a Stingray?
The devices to which the DHS referred are more accurately called "IMSI capture" or "cell site simulator" devices. That is, they capture the International Mobile Subscriber Identity numbers of mobile phones. The IMSI is just one of the numbers associated with a mobile device, and it identifies the subscriber and service provider. The devices capture other information, too, and the ones from Harris can do a lot more, including potentially eavesdropping on phone calls, SMS, and cell data, and preventing a phone from being used. I don't have space to go into GSM phone operation here, but tracking phone location by IMEI number and potentially being able to listen in on phone conversations are both serious. There are also portable devices called "Kingfish". One can reportedly build a passive IMSI catcher for about seven dollars.
The devices called "stingrays" act as cell site simulators, appearing to the phone as though they are legitimate cell sites. These various devices have been used by law enforcement to track and capture criminal suspects. That appears to be the intent of the devices, and that is a good thing. But with prices ranging from 25 thousand to 130 thousand US dollars, they are also in the price range of potential bad actors. A StingRay can also be used in passive mode to locate cell sites.
These devices could be used by law enforcement, criminals, foreign governments, or potentially other groups. In a November 27th, 2017 memo, the DHS declined to speculate on the uses or even the owners of the devices it knows of. The Electronic Frontier Foundation has written about cell site simulators and the potential for abuse, including compromises of privacy.
What all this means is that these "stingray" devices can compromise all three aspects of the CIA triad of confidentiality, integrity, and availability, along with authentication! That compromise can be by law enforcement or other groups. This reinforces the idea that anything you do or say online can be seen by others.
Countermeasures
The sheer number of mobile devices worldwide makes it unlikely that someone (or a group of people) is tracking all of them all the time. Actual countermeasures to stingrays are limited. There are apps to detect these StingRays, but they can be defeated, making them of limited use. And the US government is likely to regulate the use, at least to some extent. Even with that regulation, it is still likely that mobile devices can be tracked. The only way to ensure confidentiality is to use third-party encryption apps for all traffic.
To your safe computing,
John McDermott