Researchers from Oxford University and the Technical University of Berlin today plan to present the results of a study of five stingray-detection apps. The results aren’t encouraging. In fact, they found they could fully circumvent each one, allowing the researchers to trick the phones into handing over their sensitive data.
To skirt some of the detection apps, the spy would need to know the unique IMSI identifier of the target’s phone ahead of time, perhaps by using an IMSI catcher on the victim earlier or obtaining it from their carrier via a legal order. But for two of the most popular detector apps, someone could just as easily use a stingray to steal that IMSI identifier and start tracking and wiretapping them from the first time they targeted them, without raising any warning from the person’s stingray-monitoring app.
“People have the sense that IMSI-catcher detection apps can protect you against tracking,” says Ravishankar Borgaonkar, the lead researcher on the study, which his co-authors are presenting at the Usenix Workshop on Offensive Technologies. “This research demonstrates that these apps fail to detect IMSI catchers and lack fundamental technical capabilities. And it highlights the problems in building such privacy protection apps for everybody.”
Spy vs Spy
In their experiments, the Oxford and Berlin researchers tested Android apps SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD—the first three of which have each been downloaded between a hundred thousand and a half million times, according to the Google Play store’s stats. (Borgaonkar himself is the co-creator of the Darshak app, which he launched back in 2014.) All of those apps were designed to send alerts when they detect that a phone has connected to a rogue cell tower that could eavesdrop on its calls and data, or steal the IMSI—international mobile subscriber identity, a number uniquely assigned to each phone on a GSM network—that would allow it to track the owner’s location.
But the researchers simply switched to other methods that only a subset—or in some cases none—of the apps could detect. The White-Stingray used a different command to downgrade the phone’s connection to 2G, which neither triggered the detection apps nor appeared on phone’s interface. Rather than send a silent text message, it would make a silent call that connected to the target phone, determine its IMSI, and hang up before the phone rang. It surveyed nearby cell towers, and then imitated their configurations to avoid looking ‘new’. And it also deployed another trick that the apps didn’t try to detect: It prompted the phone to transmit a list of all the other nearby towers, and the strength of each tower’s signal, allowing a snoop to triangulate the phone’s exact location. “They don’t try to identify this method at all,” Borgaonkar says of that last technique.
Among the apps’ stingray checks, the trickiest to bypass was the one that looked for a lack of encryption between the phone and cell tower. With their White-Stingray tool, the researchers used a technique to establish that encryption called an “authentication token relay”—if the spy already knows the phone’s IMSI, they can pre-generate a token that allows them to perform the authentication and create an encrypted connection with the phone, stealing its secrets. That would work in cases where the surveillance target has been spied on with an IMSI catcher before, or where police obtained the IMSI from a phone carrier earlier and wanted to continue to track the person. But two of the apps, Cell Spy Catcher and GSM Spy Finder, also failed to check for that encryption in the first place, allowing a stingray to bypass their checks without the authentication trick.
‘One Step Ahead’
WIRED reached out to the four stingray detector apps (aside from the one created by Borgaonkar himself) and two didn’t respond. A spokesperson for Cell Spy Catcher admitted that Android stingray detection apps “cannot detect all aspects of IMSI catcher usage. However, our app will still detect most attacks by such devices.” But Gabdreshov Galimzhan, the Kazakh developer of GSM Spy Finder, disputed the study’s results. “My program always detects the listening devices,” he wrote, also taking issue with the researchers’ use of a custom stingray setup rather than those typically used by police or government agencies.
But Borgaonkar argues that whatever his small team of researchers can do with their stingray, the professionals could just as easily do with theirs. “The point is that if people are smart—and we know that they’re smart—they can always stay one step ahead,” he says.
That premise may overestimate the resources of some stingray users, argues Matt Green, a professor focused on computer security at Johns Hopkin University. He points out that it’s not only intelligence agencies or military operatives who use stingrays, but also local police departments, who may not have the most up-to-date gear. “Smart attackers who are trying to evade these apps probably can evade them. That’s bad. On the other hand, we don’t know if current IMSI catchers are trying to evade them, so it’s kind of an open question,” Green says. He argues that the test’s assumption that in-the-wild stingrays are roughly equivalent to the researchers’ homemade one “is fair for sophisticated agencies, but maybe doesn’t apply to your local police department using last year’s IMSI catcher model to catch drug dealers.”
Regardless, Borgaonkar argues the study’s results point to real shortcomings in freely available IMSI catcher detectors (they didn’t test paid versions, like those sold by companies like Cryptophone, Cepia Technologies, and Delma). And he says that the architecture of the GSM system means that the spies can always stay a step ahead, tricking phones into giving up information in ways that will slip past any app trying to monitor those communications. “All the power belongs to the base station in the design,” he says. “The phone is a dumb device. It just listens and accepts commands.”
Solving that larger architectural problem will require not just improvements in some Android apps, but coordinated security upgrades from phone manufacturers, carriers, and the companies like Qualcomm that sell the baseband chips that handle phones’ telecommunications. Until then, Borgaonkar says, stingray detection and defense will remain a game of cat-and-mouse—one where the hunters have the advantage.