Spidey: Android-based Stingray Detector Watch them watch you: an innovative way to detect cell-phone spying

Introduction

Team members Kade Crockford Project partner ACLU of Massachusetts kcrockford@aclum.org Nathan Freitas Project partner The Guardian Project nathan@guardianproject.info Jeffrey Warren MIT, Computer Science jtwarren@mit.edu

Feature Image

Featured image: SpideyApp user interface.

Images

Image 1: Industrial strength IMSI catcher from Harris Corporation called a “Stingray” device.

Image 2: Homemade IMSI catchers cost less than $1000 to make with range to listen on neighbors.

Image 3: Screenshot of our pre­launch page used to spark interest in Spidey.

Additional Information github.com/jtwarren/spidey http://signup.spideyapp.com/

Cited Resources The bill of rights http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html Amicus Brief https://www.aclu.org/files/assets/rigmaiden_amicus.pdf EFF on Stingrays https://www.eff.org/deeplinks/2012/10/stingrays­biggest­unknown­technological­threat­cell­phone­privacy The ACLU of Massachusetts https://aclum.org/about The Guardian Project http://en.wikipedia.org/wiki/The_Guardian_Project_(software) User testing methodologies http://courses.csail.mit.edu/6.831/2014/readings/L11­user­testing/

Nothing to hide http://en.wikipedia.org/wiki/Nothing_to_hide_argument

Location MIT Media Lab, Center for Civic Media 75 Amherst Street Wiesner Building (E15)

Timeframe February 2014 ­ May 2014

Abstract The goal of this project is to develop an easy, usable tool to help activists, security researchers, and others determine if there is a cell phone sniffer within range of their device. Cell phone sniffers­­technically called IMSI catchers­­are tools capable of locating and identifying wireless devices (cellular phones) in their vicinity, as well as capturing unencrypted cellular communication such as voice calls, emails, and SMS messages. Cell phone sniffers work by pretending to be normal cell towers, thereby tricking phones into connecting and sending identifying information to the surveillance device, instead of to the phone company. The Harris Corporation is one of the main manufacturers of IMSI catchers in the United States. Harris makes cell phone sniffers called Stingrays, which it sells to local, state, and federal law enforcement throughout the United States. Stingrays and other IMSI catchers pose unique privacy threats to people because the surveillance they conduct is by default a dragnet, not targeted at a specific subject. This is because the devices ensnare private information of people within a geographic region, not just information of persons specifically targeted by the government. For example, if police wanted to know who was at a protest, they could simply turn on an IMSI catcher and immediately collect a fairly reliable list of protest attendees. Documents released to the public strongly suggest the FBI does not obtain warrants to use IMSI catchers. However, it is not just law enforcement who utilizes these devices: hackers, criminals, and private security professionals can also use cell phone sniffers for identity theft and other kinds of harmful surveillance. The ACLU and like­minded organizations are working on legal and policy reforms to current surveillance law, in order to ensure that people do not get swept up in unconstitutional or unethical surveillance dragnets simply because they are in the wrong place at the wrong time. These efforts include educating the public and policymakers about the dangers posed by the powerful surveillance devices. The first step to fixing any problem is exposing it. To date, however, there is no finished app available to help everyday cell phone users detect or obstruct IMSI catchers, meaning that people whose information is compromised will likely never know about it and have no chance to stop it. Current attempts to address this problem involve specialized hardware or extremely outdated phones, both of which are impractical for a typical user. Our team­­composed of the ACLU of MA, The Guardian Project, and MIT students­­is operating from shared values including safety, privacy, and freedom. We hope the Spidey application both broadens awareness of surveillance technologies in general and focuses a national conversation on IMSI catchers specifically, towards the end of technological and policy reform. We are building an innovative Android­based Stingray detector based on cell tower scan differentials stored in a local database to detect anomalies. In the future, we hope to couple this with machine learning models at scale to increase confidence in IMSI catcher detection.

Project Narrative

Background An International Mobile Subscriber Identity (IMSI) is a number that is used to uniquely identify a cell phone user. An IMSI catcher is a device that is capable of detecting and recording IMSIs of cell phones within range without the knowledge or consent of the cell phone user. The “Stingray” (seen in Image 1 above) is a specific brand of high power IMSI catcher sold to government and law enforcement agencies and manufactured by Harris Corporation. IMSI catchers work by spoofing a cell tower and thereby tricking cell phones into connecting to them. Some particularly powerful IMSI catchers force phones into no call­encryption mode and can therefore eavesdrop on voice calls, emails, and SMS messages.

Figure 1: How stingrays work.

Cellular phones will send a signal to the “cell tower” roughly every 10 seconds whether they are trying to make a call or not. The device is able to record the precise location of every cell phone within range, record when and with whom cellular communications (calls, texts, etc) are made, and is sometimes even used to record the content of communication (text or voice).

The Issue Governments and law enforcement agencies are using stingray devices as a way to track and locate cellular phones without warrants . This kind of tracking violates the Fourth Amendment’s 1

prohibition against unreasonable searches, and threatens the privacy rights of thousands of people accused of no wrongdoing. Namely, the Fourth Amendment of the bill of rights states the following:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. 2

In 2013, the Massachusetts Supreme Judicial Court ruled that police are required to obtain a warrant in order to track someone’s cell phone. Various other courts have reached the same conclusion. The Supreme Court of the United States ruled in US v. Jones that the government is required to obtain a warrant before putting GPS trackers on our cars to map our movements. State legislatures have also updated their statutes in recent years to reflect the growing threat to privacy posed by electronic location tracking and surveillance. Maine and Montana now require warrants for all electronic location tracking, including the use of Stingray­style devices. Unfortunately, those state laws and court rulings do not apply to the FBI’s deployment of cell phone sniffers. Federal law currently allows agents of the federal government to use the technology without judicial oversight. In United States v. Rigmaiden, the FBI used a Stingray to locate Daniel Rigmaiden in his home. Rigmaiden was using a Verizon air­card to connect to the internet, and the FBI wanted to find him in order to search him, his computer, and his apartment, in connection with a tax fraud investigation. Rigmaiden’s lawyers asked a judge to disregard all evidence resulting from the use of the Stingray device, since the FBI did not obtain a warrant to deploy it. In May 2013, a US District Court judge denied Rigmaiden’s motion, allowing the fruit of the FBI’s warrantless surveillance to be used against him in court. As the Electronic Frontier Foundation wrote, warrantless Stingray surveillance “is the digital version of the pre­Revolutionary war practice of British soldiers going door­to­door, searching Americans’ homes without rationale or suspicion, let alone judicial approval”. While the Rigmaiden case was a loss for privacy advocates, other 3

courts will inevitably rule on the question. In other words, Rigmaiden isn’t the last legal word on warrantless Stingray spying. While these cases may seem nuanced and arcane, the legal authorities for Stingray use are incredibly important for the ordinary cell phone user who wants to remain private in the 21st

1 http://privacysos.org/node/1199 2 http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html 3 Fakhoury, Hanni, and Trevor Timm. "Stingrays: The Biggest Technological Threat to Cell Phone Privacy You Don't Know About." Electronic Frontier Foundation. N.p., 22 Oct. 2012.

century. If police can use these devices without a warrant, they can easily track and monitor thousands of political protesters, religious worshippers, and voters­­compromising not only our Fourth Amendment rights but also our First Amendment rights to freedom of speech and association.

The Project Partners

ACLU The American Civil Liberties Union (ACLU), is a non­profit community organization founded in 1920 with the stated mission to “Defend and preserve the individual rights and liberties that the Constitution and laws of the United States guarantee everyone in this country”. The ACLU uses 4

an integrated advocacy model, bringing together lobbyists, communications experts, attorneys, public advocates, and community organizers to expand civil rights and civil liberties in the United States, for all people. The organization receives no government funding, and relies on donations from supporters to underwrite its work. For years now the ACLU has been aggressively leading the charge nationally in litigation, lobbying, and public education on issues related to cell phone tracking and surveillance. In the case of US v. Rigmaiden, the ACLU filed an amicus brief arguing that the FBI should have told a judge that it intended to use a Stingray device to locate its suspect. “By failing to apprise the magistrate that it intended to use a stingray, what the device is, and how it works,” the attorneys wrote, “[the government] prevented the judge from exercising his constitutional function of ensuring that warrants are not overly intrusive and all aspects of the search are supported by probable cause”. Kade Crockford, the director of the ACLU of Massachusetts’ Technology for Liberty project, is working on the Spidey app. She has extensive knowledge of the national landscape pertaining to surveillance issues, and has helped identify and focus the issues, as well as provide research, writing, and advocacy assistance for this project.

The Guardian Project The Guardian Project was founded in 2009 by Nathan Freitas. The Guardian Project sets out to create open­source mobile applications that help people communicate more freely and protect themselves from intrusion and monitoring. The Guardian Project has an array of open­source applications for both iOS and Android with over two million downloads and hundreds of thousands of active users. Most popular is Orbot which provides a Tor proxy for Android 5

devices.

4 "About the ACLU." American Civil Liberties Union. 5 http://en.wikipedia.org/wiki/The_Guardian_Project_(software)

Nathan Freitas, founder of The Guardian Project, is a key contributor to the Android application that we’re building. Moreover, his knowledge of cellphones and the cellular network make him an invaluable team member.

The Project As a group we set out to research and hopefully solve the problem of identifying IMSI catchers from a technological standpoint. We hope to broaden awareness of surveillance technologies by making available an easy­to­use tool to help individuals protect themselves. Ideally, the app will eventually be able to notify users with 100% confidence that they are in the range of a Stingray device, and provide them with actionable information instructing them of their options. We had several goals in mind that guided our decision making and design process. First, we wanted to build an application for the “mainstream” market. We did not want people to have to purchase special equipment or hardware in order to use our application. Next, as IMSI catchers mainly affect users of mobile phones, we wanted to build something that could be installed on a mobile phone or something that is extremely portable. Finally, we wanted a product that is extremely user­friendly, since we are targeting such a large audience­­the entire cell phone using public. We decided to make an Android application after considering the above set of goals. Android has over 50% market share on the smartphone market . It does not require any additional hardware 6

as an Android smartphone is effectively a computer attached to a cellular radio. Finally, the Android market is already accustomed to installing applications and therefore the user base will have few learning hoops to jump through before successfully deploying our app.

Codesign Our team worked best during in­person meetings and teamwide hackathons. We started off the semester meeting remotely over google hangouts but this turned out to be pretty inefficient for several reasons. First, we struggled to use this time to collaborate and accomplished shared goals. Instead, the time would be used to sync up and decide on tasks for the next week. Additionally, working remotely did not allow us to leverage the shared knowledge within the group. This was especially a problem at the early stages of design and development. Realizing the inefficiencies of meeting remotely online, as a team we decided to meet in person at the MIT Media Lab. Specifically, Kade proposed the idea of meeting in person. Meeting times were decided over email and were generally easy to coordinate. We started this mid semester and have had several very successful and productive meetings. This gave us a larger amount of time to work together and bounce ideas and questions off of one another. We also started having work days which were longer (6+ hours) sessions dedicated to making progress on our project and related materials. For the same reasons, these have been very productive and successful.

6 http://www.geekwire.com/2014/android­70­sales/

Design Candidates A major consideration in coming up with designs is the constraints imposed by the Android platform and the cellular protocols in general. It is a hard problem to detect IMSI catchers and a task that is not straightforward. Therefore, our design candidates primarily centered around exploring different ways to detect IMSI catchers.

Train and Diff In this design candidate we imagined a user who might want to might want to check a particular location for an IMSI catcher. This could be someone at their home or possibly a legal observer at a protest. This user of the application would spend some time training their phone to detect all cell towers in range and store their information in a local database. Scanning again would allow them to compare the results and look for anomalies.

Figure 1: Simple train and diff design candidate.

Passive Alerts In this design candidate we imagined an application that constantly scans for cell tower information. New towers are checked against a central database and stored as legitimate or not. The user is alerted when a sketchy or new tower is found. This is very similar in concept to the first design candidate; however, it requires more implementation and depends on a centralized database of cell tower information.

Figure 2: Passive alert design candidate.

Stingray Sharer In this design candidate we imagined an application that allowed users to find and share information regarding stingray devices. For example, a user would see a device in use at a protest. The user would then take a picture and upload it to a centralized server. The server would then notify all users within range that there is a stingray nearby.

Figure 3: Stingray sharer design candidate.

Project Iterations The project iterations largely came in the form of paper prototypes which paralleled our actual development of the application. We found issues in some of our basic assumptions as we did user testing on our prototypes. This led us to change our designs as shown below.

User testing was conducted on individuals using a method called formative evaluation. In this 7

method of user testing, the user is given a set of tasks that is representative of actual use of the application. Then, the user is allowed to complete the tasks, speaking aloud as he or she attempts to complete the tasks without help. The following is a final list of the tasks that a user was given:

Open the Spidey application. Learn more about the application and what an IMSI catcher is. Find out which cell towers the phone is aware of. Find out if the cell phone is aware of any new cell towers. Compare the result set with a previous one to determine anomalies. Send anomalous tower information to team@spideyapp.com

Iteration 1 The first iteration of our application was very similar to the train and diff design candidate. The user would open the application and be presented with a screen allowing them to scan the surrounding cell towers. The user would be presented with the results of the scan after it finishes. This process could be repeated, allowing the user to take scans and look at the results.

Figure 4: First iteration of Spidey.

There were several problems with this approach, as indicated by the user feedback. The first and most important problem was that the users did not have the correct framing or context for what the application intended to do. This problem could be addressed by including obtaining background information in user testing but it seems that may be out of scope. Another problem users had with the application was that they would only be able to use it in one place at a time

7 http://courses.csail.mit.edu/6.831/2014/readings/L11­user­testing/

since moving to a new location would likely change all cell towers. This could possibly be resolved by separating scans based on location taken.

Iteration 2 The second iteration included an “about” section, intended to allow users to gain more information on the problem at hand and how this application is trying to solve it. The about section contained information such as “What is Spidey”, “What is an IMSI catcher”, “Who uses IMSI catchers”, etc. Additionally, to address the concern of only being able to use the application in a specified location, scans were able to receive tags such as “home” or “Boston Commons” and would be saved to the database with the location. One of the biggest problems found in this iteration is that users of the application did not have a geographical reference, nor did they realize the importance. For example, one user scanned and recorded results outside her dorm then subsequently crossed the field and scanned again, tagging with the same location.

Iteration 3 The final iteration, the one that is being implemented, attempts to resolve the issues found in the previous versions. The “about section” added in iteration 2 was found to be useful and remains in the design. Additionally, it was found to be important to be able to scan and save results and multiple locations. To really stress the importance of location (even sitting in a different room may affect results), we’ve added a map showing the users current location. We will perhaps overlay past scans or tagged locations to further stress location while scanning.

Figure 6: Locally aware project iteration.

Figure 7: User interface of SpideApp showing landing screen, scan comparison, and sharing options.

Conclusion The codesign process has given us the opportunity to explore the problem posed by IMSI catchers and Stingray devices and build something that can detect their presence. We really believe that our application will help spread awareness of the issue and inform people about an extremely prevalent surveillance technology that they probably did not know existed. While we have shown a strong prototype Android application, there is still a decent amount of work to do before launching publicly. We are currently in the process of seeking funding for this project from the Knight Foundation Prototype Fund. Additionally, we are gaining interest on on our website (spideyapp.com) with about 5 email signups per day. We will plan a big launch around this and think there will be a lot of press interested in writing about the problem and our application ­­ which in itself will be a step toward our objective of informing people about the problem. One of the biggest challenges that we’re facing and will likely continue to face as we roll out our application is caused by one of our basic assumptions: people care about this problem. While it is true that there are many people who care greatly about this problem, a large portion of people fall into those who feel they “have nothing to hide” . The biggest challenge here is overcoming 8

people's preconceived ideas about privacy, and educating them about the problem and why they should care. There are applications that check which towers a phone is connected to, but there aren’t any that act as a tool for the user in the way that we’ve designed Spidey. Spidey allows users to scan cell

8 http://en.wikipedia.org/wiki/Nothing_to_hide_argument

towers, store them in a local database, and compare them to other scans. The application will be further developed and attempt to use advanced methods such as machine learning to better understand the environment and strive to increase confidence in detecting anomalies. Going forward we want to turn this from more than just a tool into a real application that people will use and come to rely on. We want to implement features such as: user defined scan start and stop, automated tower scanning as a background service, improved tower detection using all available APIs. Spidey is an open­source project hosted on GitHub. After launch, we will use Github to track issues, progress, and milestones. We will leverage the communities that have grown around both the ACLU and The Guardian Project to adopt and continue work on Spidey. The ACLU of Massachusetts will invest its significant social media and communications capital in securing media coverage of the app, as well as promoting its use among members, donors, and supporters.

Which tower are you connected to? Find out which cell towers your phone can see and where they are located

Table of Contents Description Workshop Facilitators Guide

Description This hands­on workshops teaches people about their phone diagnostic modes and introduces them to IMSI­catchers, what they are, how they work, and why they pose a problem. The workshop uses the phones diagnostic information to gather information on the cell tower. The information is then plugged into an open source database (http://opencellid.org/) to find the location of the tower. This workshop offers a great opportunity to talk about the difference between IMEI and IMSI. The workshop can be used as a starting point to explain what an IMSI catcher is, how it can identify people, and why there is so much concern centered around the problem.

IMSI vs. IMEI Many people do not know what IMSI (International Mobile Subscriber Identity) or IMEI (International Mobile Station Equipment Identity) numbers are. An IMEI is a number that is used to uniquely identifies a mobile station, or cell phone in this context. It is important to note that the IMEI is only used for identifying the device and has no permanent or semi­permanent relation to the subscriber. Thus, it can be used to prevent stolen phones from accessing the network, even if cell phone’s subscriber identity module (SIM) is changed. An IMSI is a number that is used to uniquely identify the user of a cellular network. The IMSI is stored in the SIM and it therefore corresponds to the operator of the phone.

Workshop

Figure 1: Diagnostic screens of Android (left) and iOS (right)

Android The Android platform has a set of “secret” commands that allows the user to see more detailed information on the phone. This includes things such as the IMEI (international mobile equipment identity), the connected cell tower, the phones signal strength, etc. This can menu can be accessed on an Android device by typing *#*#4636#*#* from the dialer application. Note: the user will be automatically redirected after typing the last asterisk.

iOS iOS has a similar diagnostic mode to the Android operating system. On iOS it’s known as “field test” and is accessed by calling *3001#12345#*. Note: the user must press call for the phone to enter field mode. Another useful key code is *#06# which displays the IMEI without needing to press call.

OpenCellID OpenCellId (http://opencellid.org/) is an open database that provides cell tower information. Taking the information from the phone’s diagnostic menu, OpenCellId can be used to find the location of a cell tower. Each cell tower is identified by 4 numbers: the mcc (mobile country code), mnc (mobile network code), lac (location area code), and cid (cell id). The mcc and mnc together uniquely identify a mobile phone operator (for example, AT&T is mcc: 310, mnc: 410), and the cid uniquely identifies the cell tower.

Figure 2: OpenCellId cell tower location based on mcc, mnc, lac, and cid

Facilitators Guide

Time This workshop takes around 30 minutes to facilitate and can vary depending on number of people in the audience, level of interest in the problem, and general excitement to figure out new things.

Agenga 5 minutes: Talk about the how cell phones connect to the network and send/receive data,

what IMEI and IMSI are and how they can be used to identify a person. 5 minutes: Explain what an IMSI catcher is, how they are used, and the problems they

pose. 10 ­ 15 minutes: Tell people the code and let them explore the “secret” screens. 10+ minutes: look up cell towers in OpenCellID on different service providers and leave

time to talk and answer questions.

Materials The facilitator should have an iPhone and/or Android cellphone with service. It is okay to do without this as long as someone in the audience has a phone or one can be borrowed for the duration of the workshop.

Preparation Sufficient research on the cell network how IMSI catchers work should be done before the workshop.

Addendum What to do when you’re being watched

Sweet, everything appears the same! There are the same number of towers in this location as the last time you scanned, which means that everything appears to be normal! Check back again later to see if anything has changed. Uh­oh, something’s changed! First of all, don’t panic. Take these steps to help determine what’s going on, and what you can do.

1. Are you sure you're in the same place where you last scanned? Even standing on the other side of a building, or another room in your house, can change the number of towers in range. Make sure you're in the same spot you were the last time you scanned this location.

2. Still getting a different result? Go to OpenCellID and input the cell ID of the anomalous

tower(s). The anomalous towers are marked with red stop signs. (TODO: In the future we will automate the OpenCellID automatic checking)

3. Determine your threat and risk level, and act accordingly. If you are worried that police or

criminals may be trying to intercept your communications, turn your phone off or don't communicate anything sensitive while in range of the anomalous tower. If you want to take further action, see below.

4. You might want to call out the watchers. People conducting surveillance like to do it in

secret, and will often scatter if they are identified. That said, you must be very careful and use your own judgment before taking any action. Where you are, who you are, and what level of risk you're willing to take play large roles in determining what you should do with the information you have. Nothing here should be construed as legal advice, and the Spidey team cannot be held liable for any decisions you make based on this information. Assess your surroundings. Are you at home? Are you comfortable going outside to see if there is anything suspicious in your neighborhood? Bring a camera to take pictures of anything that looks out of the ordinary. Are you at a protest? You might want to alert your fellow demonstrators that something is amiss. If you feel comfortable doing so, you can find a journalist and tell them you think the police might be using an IMSI catcher to spy on dissidents. If you feel brave, you could even ask to speak with the most senior police officer present, and ask them if they are using an IMSI catcher at the protest. In most jurisdictions, it is perfectly legal to film the police; you might want to film your interaction to ensure that you have an accurate record of what happens. Be careful and don't put yourself at unnecessary risk. Alerting the police to the fact that you suspect them of

spying on you could make you a target of police repression. Be careful and use your best judgment.

5. Share your scan results with the Spidey team, composed of programmers, legal experts,

and community advocates. When you share your scan results, you agree that the team has the right to contact you to follow up. Submitting your scan results does not guarantee legal representation.