It's not hard to think of ways to outsmart Stingray-detector apps

A group of researchers from Oxford and TU Berlin will present their paper, White-Stingray: Evaluating IMSI Catchers Detection Applications at the Usenix Workshop on Offensive Technologies, demonstrating countermeasures that Stingray vendors could use to beat Stingrays and other "cell-site simulators" (AKA IMSI catchers).

Stingrays, Dirtboxes and other IMSI catchers are fake cellular towers that trick phones into connecting to them, enabling attackers to identify people, break into their phones, and steal their data.

Free apps like SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD detect common tactics used by IMSI catchers to alert users when their phones are being targeted.

The Oxford/TU Berlin team built an IMSI catcher from scratch that they called the "White Stingray," and used different — but equally effective — attacks on target phones that the apps couldn't detect.

One of the app creators says that the countermeasures are wholly theoretical and that his app will still reliably detect real-world cell-site simulators. Johns Hopkins security researcher Matt Green also points out that many cell-site simulators are operated by low-expertise local law enforcement, and that even if the companies behind the simulators update their products, the cops who use those products might not ever run the updates.

The team set up their makeshift stingray in a room-sized Faraday cage, to prevent it from accidentally intercepting the phone signals of anyone outside the room. Upon pitting each app against their surveillance tool, they found that each one looked for clues of only a few of the techniques a fake cell tower system might use to track or tap a phone. The apps could detect some hints that the phone was under stingray surveillance. They alerted the user, for instance, when White-Stingray downgraded the phone's connection to a 2G signal to exploit the older protocol's weaker security, as well as when it established an connection between the "cell tower" and the phone that lacked encryption. They could also tell when the stingray sent "silent" text messages, which ping the phone to determine its presence without displaying anything to the user, and that the fake tower didn't exist on previous cell tower maps.

But the researchers simply switched to other methods that only a subset—or in some cases none—of the apps could detect. The White-Stingray used a different command to downgrade the phone's connection to 2G, which neither triggered the detection apps nor appeared on phone's interface. Rather than send a silent text message, it would make a silent call that connected to the target phone, determine its IMSI, and hang up before the phone rang. It surveyed nearby cell towers, and then imitated their configurations to avoid looking 'new'. And it also deployed another trick that the apps didn't try to detect: It prompted the phone to transmit a list of all the other nearby towers, and the strength of each tower's signal, allowing a snoop to triangulate the phone's exact location. "They don't try to identify this method at all," Borgaonkar says of that last technique.

White-Stingray: Evaluating IMSI Catchers Detection Applications [Ravishankar Borgaonkar, Andrew Martin, Shinjo Park, Altaf Shaik, Jean-Pierre Seifert/Usenix Workshop on Offensive Technologies]


[Andy Greenberg/Wired]