# RCMP intercept cell phones with Stingray



## james4beach (Nov 15, 2012)

http://www.cbc.ca/news/technology/rcmp-blackberry-hack-montreal-mob-murder-pub-ban-lifted-1.3629222

US police agencies widely use the Stingray device to intercept cell phone communications -- this can capture location, data, text, and voice calls. It has not been known whether Canadian police are doing the same.

It appears they have been.

These are essentially "man-in-the-middle" attacks, meaning that police are hacking your cell phone. And it's done indiscriminately; it's not technically possible to target a single cell phone. Instead, it's done for an entire region at a time. All cell phones within that region are hacked simultaneously.

This means that if you are in one of the areas where police are hacking cell phones, your privacy has been compromised as well.


----------



## carverman (Nov 8, 2010)

james4beach said:


> http://www.cbc.ca/news/technology/rcmp-blackberry-hack-montreal-mob-murder-pub-ban-lifted-1.3629222
> 
> US police agencies widely use the Stingray device to intercept cell phone communications -- this can capture location, data, text, and voice calls. It has not been known whether Canadian police are doing the same.
> 
> ...


Nothing new.

In Canada, Ottawa at least, there is a secret gov't building establishment where CSIS and the RCMP can listen in on private telephone conversations.
This is the case with landlines and cellphones, which still have to go over the switched telephone network to get to the other party's cell phone.

Every cell phone has an area code + NNX (xxx-yyyy) and has to be routed over switched networks. Those lines or central office trunks (even if digital) can be monitored for any reason, such as quality of service etc.

If the suspected person has a cellphone, and can be identified by the police or security establishment as a threat or criminal, then the particular cell phone number assigned can be obtained from the cell phone provider for the security establishment. 


If the cellphone conversation is using Blackberries, then it requires some additional descrambling equipment to monitor the conversation, but the security forces have the means to do this.

If you are not into crime or a possible security issue to the country, then there is nothing to worry about.


----------



## andrewf (Mar 1, 2010)

james4beach said:


> http://www.cbc.ca/news/technology/rcmp-blackberry-hack-montreal-mob-murder-pub-ban-lifted-1.3629222
> 
> US police agencies widely use the Stingray device to intercept cell phone communications -- this can capture location, data, text, and voice calls. It has not been known whether Canadian police are doing the same.
> 
> ...


If you use a VPN service on your phone, then they cannot intercept your data traffic, at least.


----------



## james4beach (Nov 15, 2012)

carverman said:


> If you are not into crime or a possible security issue to the country, then there is nothing to worry about.


That's not true. When this man-in-the-middle attack is performed, it affects ALL cell customers within antenna range of the interceptor device (the Stingray). Even if you are not involved in any kind of crime, your cell phone is being hijacked and its normal functionality -- talking to a cell tower -- is being intercepted. *If police are after one guy under surveillance, but you're a doctor or lawyer driving through the region, then your phone is being tapped as you pass through the area.*

Here are a few reasons that's a major problem:

1. It disrupts the normal operation of the equipment and service you're paying for. The police are not professional mobile service operators, yet they are hijacking your phone. This can disrupt the service. At the very least, it drives the power usage up. At worst, it could disrupt other operations you are relying upon.

2. If you are the lawyer in my hypothetical example, the police are *now eavesdropping* on your communications *without court order, with no warrant, no justification*. These police have completely tapped your text messages, voice calls, etc.

3. There is no transparency from the police that requires a thorough audit of what information they have access to. Without transparency and oversight, these systems can be abused. In all those cases where police have tapped lawyer cell communications, we have no audit trail about what they did with that information.

4. Dishonourable police operators could take that information and use it for other means. A police operator with sexual curiosity could spy on women sending naked pictures. They could take privileged information a lawyer has access to. They could take insider information from a corporation and use it for illicit stock trades. There's so much info they have access to.

It's not far fetched to imagine that the police might capture naked pictures that a young girl is sending a boy at school. There is an IT operator with access to that, and he doesn't have any oversight process or audit process. What is that guy doing with that data?

And how many times are police effectively wire-tapping lawyers, or perhaps protest groups, and using the information they learn to their benefit? These are cases that require court orders, yet this kind of broad interception doesn't seek any permission.


----------



## james4beach (Nov 15, 2012)

By the way, this also means police are intercepting communications from judges and members of parliament. And we're not talking about police operators who have any kind of security clearance.

This is totally unacceptable! Our society decided long ago that police are not allowed to spy on lawyers and judges.


----------



## olivaw (Nov 21, 2010)

The world changed on 9/11. We became less bold - more frightened. We demanded that our security services prevent another 9/11 and we gave them sweeping powers of surveillance and enforcement. It is no surprise that the CSIS and the RCMP monitor us. It is what the majority of Canadians demand of them.


----------



## sags (May 15, 2010)

Capturing the information on cellphones or computers is one thing, but the ability to use the information in a court of law is quite another.

I remember two high profile criminal trials in a local city where the court wouldn't allow any evidence from a cellphone or laptop seized and opened without a specific search warrant to do so.

One instance was a young man who defaced the local cenotaph with graffiti and had taken pictures of the damage on his cellphone. The judge wouldn't allow the evidence and he was found not guilty, much to the dismay of the community.

The other was a much more serious case of the murder of a child. The perpetrator had a lot of damning evidence in his laptop, but the evidence was thrown out because of an illegal search. Fortunately he was convicted on other evidence.

As long as the courts keep a vigil on the use of the information and Canadians support the independence and gatekeeper role of the courts, they shouldn't have much to concern themselves with.

I think the key point is that there is lots of information about us held in different places. We can't do much to prevent that, but we can diligently preserve the concept of when and how the information can be used.

We can accomplish that by supporting the court's decisions on illegal searches, even if we have to hold our nose to do it.


----------



## andrewf (Mar 1, 2010)

carverman said:


> If you are not into crime or a possible security issue to the country, then there is nothing to worry about.


So you won't mind if the government starts intercepting your mail and reading it (along with potentially everyone else in the country)?


----------



## LBCfan (Jan 13, 2011)

james4beach said:


> http://www.cbc.ca/news/technology/rcmp-blackberry-hack-montreal-mob-murder-pub-ban-lifted-1.3629222
> 
> US police agencies widely use the Stingray device to intercept cell phone communications -- this can capture location, data, text, and voice calls. It has not been known whether Canadian police are doing the same.
> 
> ...


Cell phone transmissions have been 'in the clear' and interceptable from day 1. Everyone does or should know there is no expectation of privacy. Same goes for un-encrypted Internet and text. The only thing the Stingray has added is location.

This is far from a "man in the middle" attack. Read up on IT Security before freaking out.

It has been nearly ten years since I retired from an IT Security position with a major Canadian corporation, but I don't think things like HTTPS or BES have changed that much. If you want security, you just need encryption. Location data is another thing.


----------



## humble_pie (Jun 7, 2009)

andrewf said:


> So you won't mind if the government starts intercepting your mail and reading it (along with potentially everyone else in the country)?



google has been reading our e-mails for years


----------



## humble_pie (Jun 7, 2009)

yesterday i was talking to someone about data aggregation. Data mining. He calls it data analytics. Says he's going for a master's in data analytics at the U of T.

i confided a few recent examples where i believe the IP provider might have not only been studying where i surf & analyzing key words out of my e-mails, but also in recent months i've been wondering whether they now have software that can configure live phone conversations into the picture.

it's always hard to stay away from conspiracy theories but we must keep trying, he said.

always stay grounded, he added.

Leitrim, i said.


----------



## andrewf (Mar 1, 2010)

humble_pie said:


> google has been reading our e-mails for years


That is something you opted into. I don't recall opting in to monitoring my wireless communication by the RCMP.


----------



## humble_pie (Jun 7, 2009)

andrewf said:


> I don't recall opting in to monitoring my wireless communication by the RCMP.



leitrim - a DOD initiative that dates back to WW II - reportedly can monitor all phone conversations anywhere in canada, wireline or wireless. 

i have no idea how leitrim operatives decrypt, or whether they can decrypt everything.

leitrim is looking, of course, for the biggies. Terrorism, the money routing that can foreshadow trouble, child porn. But if their machines want to listen to you telling the SO you'll pick up 2 litres of milk at the dep when you stop for gas on the way home, they can.

lately there have been some slight signs that at least one of the national telcos has developed a similar phone analytic. To be married to internet data bases. Is, in fact, being married.


----------



## james4beach (Nov 15, 2012)

LBCfan said:


> This is far from a "man in the middle" attack. Read up on IT Security before freaking out.


I read this stuff daily as part of my job. I'm an expert and consultant in software & hardware security, including communication security.

It is _most definitely_ a man-in-the-middle attack. They place a new transmitter, boost the power and wash out the legitimate transmitter (the cell tower) to trick mobile phones into connecting to the new malicious tower. Then they relay the information to the legitimate cell tower. That's classic man-in-the-middle. This terminology is even used on the Wikipedia page.

This is the kind of procedure you do when you're a hacker and want to hack into someone's cell phone. (That reminds me, do we have audits on how the RCMP discards this hacking equipment they own? Where does it go?)



> google has been reading our e-mails for years


There's a difference. The google systems are automated. Information flows through and the data is crunched, with no human intervention. Plus these are Google's services. Of course the data flows through them (just as with a cell carrier, the data naturally flows through the cell carrier). They are the service provider!

The Stingray and RCMP's man-in-the-middle attack is different. They are using force (in this case, electromagnetic force ... washing out the real transmitter) to *intercept* a signal. The data from all the cell phones in the region are captured onto the device, meaning that the information now flows through a new path, through the police equipment when it normally would not have.

It's classic wire tapping. The legality is highly questionable. When the RCMP turns on their Stingray, it forcibly captures all cell transmissions in the area. For a suspect they have a warrant for, sure ... just like the police can set up a parabolic antenna and listen to a suspect's voice conversations through a window.

But police are not allowed to wiretap broad groups of people without a warrant. Yet that's what the RCMP is doing. The Stingray is indiscriminate. ALL cell phones within electromagnetic range are hacked by this process and redirected to the police.

You guys should be more fearful of where this is going. In the USA, many city police departments now routinely use Stingrays to intercept and capture cell transmissions. This is not just done by the FBI or security services, but by regular police.

In countries like Turkey and Russia, the same equipment is used to spy on people, get dirt on enemies of the state, and (because of corrupt police) also used for individual means. A crooked cop could easily use this to spy on his wife and see if she's cheating on him. Or spy on business owners and share business intelligence with an accomplice. Perhaps this doesn't happen in Canada, but this is what's done in other countries.

Regular police are not qualified to use this kind of equipment, in my opinion. They don't have security clearances. Nobody is permitted to intercept signals without warrants. The RCMP may have people with security clearances who are qualified to use this, but we don't have any audit trail or oversight that ensures this.

We don't know who is using this equipment, or how they are held to account. Without audit & oversight, and without secret-level security clearances, this equipment is ripe for abuse.


----------



## Eclectic12 (Oct 20, 2010)

james4beach said:


> ... There's a difference. The google systems are automated. Information flows through and the data is crunched, with no human intervention. Plus these are Google's services ...


In some cases ... in other cases, Google's streetview vans also grabbed SSID's, MAC addresses etc. while driving by.

http://www.zdnet.com/article/how-to-keep-your-wi-fi-location-out-of-google/
https://www.theguardian.com/technology/2010/may/21/google-street-view-uk-data
http://www.salon.com/2014/02/05/4_w...ing_privacy_and_collecting_your_data_partner/
http://www.huffingtonpost.com/nathan-newman/why-googles-spying-on-use_b_3530296.html


Cheers


----------



## LBCfan (Jan 13, 2011)

james4beach said:


> I read this stuff daily as part of my job. I'm an expert and consultant in software & hardware security, including communication security.
> 
> It is _most definitely_ a man-in-the-middle attack. They place a new transmitter, boost the power and wash out the legitimate transmitter (the cell tower) to trick mobile phones into connecting to the new malicious tower. Then they relay the information to the legitimate cell tower. That's classic man-in-the-middle. This terminology is even used on the Wikipedia page.
> 
> This is the kind of procedure you do when you're a hacker and want to hack into someone's cell phone.


I'm glad you are such an expert. In a former life, I used to head up IT security for a major Canadian Corp. If you consider listening in to open air-waves a MIM attack, your consultancy would not get many contracts at my megacorp.

Is it a man in the middle attack? No James, it is not. A classic man-in-the-middle attack tricks you into thinking you're connected to (as an example) your bank. Since such connections are encrypted the attacker must intercept and mimic several parties. That way they can avoid the encryption they can't break. If you are suggesting that police forces are doing this, then it could be a MIM attack. That means they are doing more than listening. Are you suggesting that?


----------



## andrewf (Mar 1, 2010)

LBCfan said:


> I'm glad you are such an expert. In a former life, I used to head up IT security for a major Canadian Corp. If you consider listening in to open air-waves a MIM attack, your consultancy would not get many contracts at my megacorp.
> 
> Is it a man in the middle attack? No James, it is not. A classic man-in-the-middle attack tricks you into thinking you're connected to (as an example) your bank. Since such connections are encrypted the attacker must intercept and mimic several parties. That way they can avoid the encryption they can't break. If you are suggesting that police forces are doing this, then it could be a MIM attack. That means they are doing more than listening. Are you suggesting that?


If you read up on how these devices work, it sure sounds like it is using a MITM attack to obtain this information. Contrary to what you say, cell phones do not transmit in unencrypted form to cellular network, otherwise anyone would be able to passively observe all conversations/communications.

https://en.wikipedia.org/wiki/Stingray_phone_tracker



> Interception of communications content[edit]
> By way of software upgrades,[11][21] the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site. The StingRay does this by way of the following *man-in-the-middle attack*: (1) simulate a cell site and force a connection from the target device, (2) download the target device's IMSI and other identifying information, (3) conduct "GSM Active Key Extraction"[11] to obtain the target device's stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content.
> 
> The "GSM Active Key Extraction"[11] performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider.[22] While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device.[23] Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail.
> ...

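The quoted steps describe the rogue cell site forcing a connection and negotiating around GSM ciphering. As an added example (not from this thread, Wikipedia or any vendor), here is the kind of heuristic that fake-base-station detection apps apply from the handset side: it scans a log of serving-cell observations for cells outside the operator's baseline, ciphering switched off (A5/0), and a newcomer overpowering every legitimate cell. The baseline, the log field layout and a stationary handset are all assumptions; the sample log is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObs:
    """One serving-cell observation, as a baseband diagnostic log might report it."""
    ts: int          # seconds since start of capture
    mcc: str         # mobile country code
    mnc: str         # mobile network code
    lac: int         # location area code announced by the cell
    cell_id: int     # cell identity announced by the cell
    cipher: str      # ciphering algorithm selected, e.g. "A5/1", "A5/3", or "A5/0" (none)
    rssi_dbm: int    # received signal strength

# Constructed operator baseline: cells known to serve this spot, keyed by
# (MCC, MNC, LAC). A real deployment would build this from a public cell
# database or the operator's own site list (assumption, not from the thread).
KNOWN_CELLS = {("302", "720", 4101): {12345, 12346, 12347}}

def analyze(observations, known=KNOWN_CELLS, power_margin_db=20):
    """Return [(ts, cell_id, [reasons])] for every observation that trips a check.

    Assumes the handset is stationary, so the set of legitimate cells should
    not change and no cell should appear far stronger than the baseline ones.
    """
    findings = []
    best_known_rssi = None      # strongest signal seen so far from a baseline cell
    for obs in observations:
        key = (obs.mcc, obs.mnc, obs.lac)
        in_baseline = key in known and obs.cell_id in known[key]
        reasons = []
        # 1. A cell (or a whole location area) the operator is not known to run.
        if key not in known:
            reasons.append("LAC not in operator baseline")
        elif not in_baseline:
            reasons.append("cell id not in operator baseline")
        # 2. Ciphering switched off: the network told the phone to use A5/0.
        if obs.cipher == "A5/0":
            reasons.append("ciphering disabled (A5/0)")
        # 3. An unknown cell that overpowers every legitimate cell observed so far.
        if (not in_baseline and best_known_rssi is not None
                and obs.rssi_dbm >= best_known_rssi + power_margin_db):
            reasons.append("far stronger than any baseline cell")
        if in_baseline:
            best_known_rssi = (obs.rssi_dbm if best_known_rssi is None
                               else max(best_known_rssi, obs.rssi_dbm))
        if reasons:
            findings.append((obs.ts, obs.cell_id, reasons))
    return findings

# Constructed sample log: two normal observations, one rogue cell that trips
# all three checks, a return to normal, then a baseline cell with ciphering off.
SAMPLE_LOG = [
    CellObs(0,   "302", "720", 4101, 12345, "A5/1", -85),
    CellObs(30,  "302", "720", 4101, 12346, "A5/1", -80),
    CellObs(60,  "302", "720", 9999, 60001, "A5/0", -50),
    CellObs(90,  "302", "720", 4101, 12345, "A5/1", -84),
    CellObs(120, "302", "720", 4101, 12347, "A5/0", -82),
]

if __name__ == "__main__":
    for ts, cell_id, reasons in analyze(SAMPLE_LOG):
        print(f"t={ts:>4}s cell {cell_id}: " + "; ".join(reasons))
```

None of these signals is proof on its own (operators do add cells and some legitimately run without ciphering in places), which is why the checks are reported as reasons to be weighed rather than a single verdict.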

----------



## james4beach (Nov 15, 2012)

LBCfan said:


> If you consider listening in to open air-waves a MIM attack, your consultancy would not get many contracts at my megacorp.


You are misinformed about what this device does.
https://en.wikipedia.org/wiki/Stingray_phone_tracker

The RCMP doesn't just listen to open airwaves. They turn on a transmitter that is more powerful than the legitimate transmitter, to trick the victim's phone into establishing a new connection with the fake cell tower (the Stingray). These are highly invasive devices which don't just listen to RF ... they put out new signals to disrupt normal cell phone operation. They also crack the encryption key to accomplish man-in-the-middle operation. As andrewf posted.


----------



## james4beach (Nov 15, 2012)

The Current (on CBC) ran a segment this morning about how Canadian authorities are using Stingray (the cell phone interceptor), and the expert says: this type of interception can't be limited to a single target. Rather, it is a *mass surveillance tool* because it intercepts all cell phones in the region.

You can find this interview within today's episode. Here's a link to the audio:
http://podcast.cbc.ca/mp3/podcasts/current_20170323_26016.mp3

Personally, I would like to see some disclosure from the government that indicates to what extent the Canadian government is routinely intercepting my communications, even if it's just collateral damage to a legitimate interception.

In the US, it's already well known that even smaller local police departments use cell phone mass surveillance. This should be of interest to business people as well, who could have their industrial secrets compromised by unethical local police officers. Incidents of corruption and criminality run quite high among smaller American police so I'd say this kind of wanton monitoring is of great concern.

And as I mentioned before, lawyers and judges should be concerned (both in US and Canada). Privileged information that lawyers & judges have can be intercepted by police.


----------



## james4beach (Nov 15, 2012)

Beware, media is reporting that someone is broadly intercepting cell phone signals in downtown Ottawa. December and January, downtown core. Interception has been detected in public office areas and near parliament.

http://www.cbc.ca/news/politics/imsi-cellphones-spying-ottawa-1.4050049

Hard to tell who's doing it.


----------



## agent99 (Sep 11, 2013)

carverman said:


> Nothing new.
> 
> In Canada, Ottawa at least, there is a secret gov't building establishment where CSIS and the RCMP can listen in on private telephone conversations.
> This is the case with landlines and cellphones which still have to go over the switched telephone network to get to the other parties cell phone.


This is true. I used to know a tech guy who worked there. He was more of a maintenance type and of course couldn't tell me exactly what he or they did. But I gathered that they had ability to listen and record phone conversations. I am sure US is doing the same for security reasons, so was not surprised that Trump could say his phones were "tapped" - so are everyone else's. You can be sure some foreign embassies are doing the same. Like it or not, it's the era we are living in.


----------



## james4beach (Nov 15, 2012)

We don't live in a totalitarian state or in a terrorist state -- we live in a country based on laws.

Someone is breaking the law by intercepting cell phones in the Ottawa downtown & parliament regions. It might be:

(1) Foreign spies ... which should be caught & put on trial for espionage
(2) Criminal gangs ... which should be prosecuted for the theft of information
(3) Canadian police ... breaking the law, should be caught & put on trial
(4) Canadian intelligence ... might be breaking the law, depending on the agency

Either way it's a problem. Some agencies have the capability of doing these things but are not permitted to under the law. If it turns out that Canadian police or CSEC are doing this on home soil, they are breaking the law and the people must be charged for it, and put on trial, and convicted if they're guilty.


----------



## james4beach (Nov 15, 2012)

Breaking news today, CBC informs us that local police are also using Stingray-like devices to intercept cell phone calls! Just like in the USA.

http://www.cbc.ca/news/technology/c...-police-canada-imsi-catcher-privacy-1.4066527

At least six city police departments, probably more, are intercepting cell phone signals. The implications of this are huge. As I described earlier, the interception affects everyone in the area of the fake cell tower -- it is inherently a "mass surveillance" activity. *This means that police are tapping your cell phone, without your knowledge, in your city*.

Implications are huge for certain professionals such as lawyers, who have a duty to protect their clients. Lawyers should avoid cell phones or texts with sensitive client information, because the police are able to intercept this information.

The other implication is that if you experience sub-par cell service, it could be because police are interfering with the signals. This means that Bell, Rogers, Telus are suffering service degradation based on police activity (depending on how widespread the use of Stingray devices is).


----------

