NYPD Says Talking About Its IMSI Catchers Would Make Them Vulnerable To Hacking

An anonymous reader quotes a report from Motherboard: Typically, cops don't like talking about IMSI catchers, the powerful surveillance technology used to monitor mobile phones en masse. In a recent case, the New York Police Department (NYPD) introduced a novel argument for keeping mum on the subject: Asked about the tools it uses, it argued that revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking. The New York Civil Liberties Union (NYCLU), an affiliate of the ACLU, has been trying to get access to information about the NYPD's IMSI catchers under the Freedom of Information Law. These devices are also commonly referred to as "stingrays," after a particularly popular model from Harris Corporation. Indeed, the NYCLU wants to know which models of IMSI catchers made by Harris the police department has. "Public disclosure of this information, and the amount of taxpayer funds spent to buy the devices, directly advances the Freedom of Information Law's purpose of informing a robust public debate about government actions," the NYCLU writes in a court filing. The group has requested documents that show how much money has been spent on the technology. After the NYPD withheld the records, the FOI request was escalated to a lawsuit, which is where the NYPD's strange argument comes in (among others). "Public disclosure of the specifications of the CSS [cell site simulator] technologies in NYPD's possession from the Withheld Records would make the software vulnerable to hacking and would jeopardize NYPD's ability to keep the technologies secure," an affidavit from NYPD Inspector Gregory Antonsen, dated August 17, reads. Antonsen then imagines a scenario where a "highly sophisticated hacker" could use their knowledge of the NYPD's Stingrays to lure officers into a trap and ambush them.

because it hurts the feelings

[turkeydance]

of the elephant in the room if you talk about it

We used to say this about wiretaps too

[WillAffleckUW]

That was unconstitutional and illegal as well.

Admit the crime and stop covering it up.

Can't be that great a tool

[Opportunist]

If your security is dependent on you not talking about the technology altogether, it is a pretty insecure and unreliable system altogether and should not be used, especially not in a situation where gathering evidence is critical. How easily could said evidence be thrown out if the tool you use to gather it is so insecure, unreliable and in a generally sorry state that you cannot even TALK about it lest it breaks?

Re:Can't be that great a tool

[somenickname]

My thoughts as well. How can this be admissible in court if you can't publicly defend how/what/why you did what you did. If the technology is so vulnerable to hacking, that seems like it has "reasonable doubt" written all over it.

Re:

[fred911]

Because the law enforcement advises it's agents to use parallel construction when they've got tainted evidence as the basis for a prosecution.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[somenickname]

Sure, I understand that. And, presumably, what law enforcement is worried about is IMSI catcher catchers. Basically, a device that can detect when a spoofed cell phone tower is in play. If such a device were reliable enough that it could be presented as evidence, it could potentially stop stingray based parallel construction in its tracks.

Re:

[Fjandr]

A distributed app collecting signal strength and cell site hardware data could rapidly expose any portable IMSI device. Just needs to be built and publicized by someone with the time, interest, and skill.

Re:Can't be that great a tool

[BlueStrat]

A distributed app collecting signal strength and cell site hardware data could rapidly expose any portable IMSI device. Just needs to be built and publicized by someone with the time, interest, and skill.

I'm an R.F. engineering tech. I even worked for Harris (the manufacturer) back in the early '80s.

I'll bet just comparing phase to obtain directional data and comparing locational data to actual cell site locations should be enough to alert to shenanigans.

With a bit more sophistication the location could be narrowed to within ~10-15ft. Program a consumer hobby drone with the location, attach about a pound of HE to that drone, and IMSI goes bye-bye.

Strat

Re:

[AmiMoJo]

It's only used for parallel construction. No need to test it in court.

Re:

[wbr1]

It may not be admissible in court. But you can bet the parallel construction story given to defense during discovery and at trial is.

I solemnly testify that I Officer Green saw the defendant driving with a failed indicator lamp. That i when I discovered 20 kilograms of cocaine.

Re:

[meerling]

What they said is BS, they've been watching too many hollywood movies and tv shows, and are hoping the judge is too stupid to understand the difference between that and reality.

Novel excuse

[JustNiz]

Hacking? Wow thats a new one. They normally find a way to justify whatever removal of freedoms they are currently inflicting with the good old standby of somehow making it about child porn or child abuse.

First rule of IMSI club

[rsilvergun]

Do not talk about IMSI club. Second rule: it this is your first night you have to violate someone's rights.

Not to mention

[fred911]

The acknowledgement would also at a minimum be an admission of multiple violations of section 301 of the Communications Act.

https://www.law.cornell.edu/us... [cornell.edu]

Re:

[meerling]

Actually they have, but when it's provenance has been questioned, they've withdrawn it so they don't have to admit they used a stingray to get the info in an illegal and unconstitutional invasion of privacy.

Re:

[sir-gold]

Or they just drop the charges entirely and walk away.

http://arstechnica.com/tech-po... [arstechnica.com]

Re:

[meerling]

I have some pretty good ideas on a few ways to figure that out, and I'm not even a phreak!

Re:

[plover]

Only as long as you know which transmitter to measure. In a cell system, the subscribers aren't transmitting the phone's IMEI or the SIM card's IMSI, nor are they sending out the owner's name and number. They just send a temporary mobile ID, which is a randomly generated number that changes frequently. So which signal do you lock on to? Since 90+% of the population is carrying a cell phone, your $40 directional finder would point at everyone. Even a $40,000 direction finder would point at everyone if i

I can also imagine scenarios...

[caladine]

... where the police having this technology use it on a whim, without a warrant, and with absolutely no oversight.
Oh, wait. That's already happening and doesn't require a "sophisticated hacker".

Comprehensive defense testing

[Fjandr]

Taking a page from the State actors comprehensively exposing the defensive capabilities of the Internet core, there needs to be a distributed network setup to calculate and correlate all physical cell site information. When shared between a large number of users, it would be trivial to map all permanent physical infrastructure such that any IMSI catcher would light up like a bullseye the second it was turned on. Then that hardware could be targeted for comprehensive testing and exploitation. It wouldn't surprise me to see a future cellular botnet set up to do something just like that if it's not done for more above-board accountability reasons first.

Re:

[Xochil]

AIMSICD has been working well for me in this regard.

https://github.com/CellularPri... [github.com]

Re:

[AHuxley]

The next gen will not drop the telco generation or need to swamp an area with different power settings to be the new cell tower.
Its getting hard to map out. Unless all telco towers are visible/distant and a van/truck/car is also a very powerful new telco tower.
Gov and mil sites usually mask it with their very own "real" big normal looking cell tower or some very normal looking telco extender or standard contractor decorative private sector cell network.
The Greek wiretapping case https://en.wikipedia.o [wikipedia.org]

How about you audit and secure your code?

[sandbagger]

I'm very sorry you did not take security into account to the degree that you should have, and probably did no QA, but the facts are you have to in order to establish the credibility of your system and its data. Everyone else has to.

Astoundingly stupid...

[laird]

Revealing which models of devices they bought doesn't reduce their security, unless they're using units with widely known security flaws that they leave open.

Either they're really, really stupid or they think we are. Perhaps both?

Re:

[currently_awake]

Tapping phones requires a judicial warrant. If we know the model of IMSI catcher then we'd know if they have the ability to tap our phones without a warrant. Providing that information to a judge might result in a judicial order requiring a judges warrant to use it.

A completely neophyte non-hacker...

[KitFox]

...could also get their completely non-hacked, normal phone implicated in a crime, knowing that stingrays will be deployed to track it, and then lead them into an ambush.

Re:

[sir-gold]

Its easier than that.

Just grab a phone out of one of those recycling bins they have at some electrics stores, and call 911 (all phones can call 911, even if not activated). You don't even have to talk, just make muffled sounds, and the police will eventually show up.

The police don't even need to have a stingray, they already know where the phone is though e-911

translation

[Tom]

revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking.

In other words: There is at least one audit report giving them very bad marks on security and they don't have the time, budget or expertise to fix the problem. Basically, they should be treated as if they are already hacked by an unknown party or two.

You are not afraid of disclosing basic information unless you cover up known vulnerabilities.