photo by Garry Knight
Consider this scenario: I am a good guy, and I want to gather information on a bad guy using his cellphone.
Conveniently, I happen to have a box that lets me trick mobile phones into thinking they are talking to an ordinary cell tower, when in fact they are talking to me. I put the box somewhere near the bad guy and wait to capture signals from his phone.
Now, if that was all the box did, the bad guy - not to mention his neighbors, some of whose phones would also be fooled into talking to my magic box - would instantly notice something wrong. Their phones could not make calls, send texts or access the Internet. In order for my box to be useful beyond merely locating my target, it would have to do more; it would need to actually function as a go-between and connect nearby phones with a real nearby tower, while intercepting whatever it is I want it to intercept.
This is an old hacking technique known as a man-in-the-middle attack, and it is being used not just by hackers and government spies, but by federal and local police agencies. We just don’t know exactly which local police departments, with a handful of exceptions, one of which appears to be in Charlotte, North Carolina.
The Charlotte-Mecklenburg Police Department has for years conducted secret surveillance of wireless devices, including cellphones, according to the Charlotte Observer. Charlotte City Manager Ron Carlee defended the practice, saying that “to deny CMPD the use of this modern investigatory tool would not be in the best interest of public safety for the Charlotte-Mecklenburg community.”
We do not know if the equipment and techniques used by the Charlotte police executed a man-in-the-middle attack the way I described it here, but it is a plausible guess. The widely used StingRay device can both force nearby mobile devices to connect to it and intercept communications once they do. While it is not known which device the Charlotte police used, it is fair to assume it may have similar capabilities.
The Wall Street Journal reported last week that federal law enforcers, including the U.S. Marshals Service, have taken a form of this espionage literally to new heights, by mounting StingRay-like devices on small planes and using them to scan broad areas, and thousands of nontargeted cellphones, in search of targeted individuals. The Journal’s sources indicated that the feds’ equipment is programmed to “let go” of nontargeted cellphones, and in any event, these ears-in-the-air are not well-suited to extended eavesdropping (though presumably this, too, would be possible with drones that could stay aloft in a particular location for long periods). Plane-mounted StingRays reportedly can locate a target to within 10 feet, close enough to be used, say, to scan a prison for contraband cellphones.
Man-in-the-middle attacks have existed as long as data has moved over wires. Yet the police using a cell-site simulator is not exactly the same as using a classic wiretap on a landline phone. Wiretaps involved either the cooperation of the phone company or someone physically accessing the phone lines involved. A cell-site simulator can be used without the cellular provider that runs the real tower ever knowing surveillance took place. Cellphone carriers need never be asked or notified at all.
Earlier this year, Assistant Secretary of State Victoria Nuland was caught in a diplomatic mess when someone intercepted her private phone call overseas. Her call, which included a vulgar expression of frustration with the European Union, was posted by an unidentified party on YouTube and spread, largely via Twitter. While it is possible the interception came from a local cell provider that was required to help target the diplomat, it may also have been what Nuland later called “impressive tradecraft” - a man-in-the-middle attack or a similar technique used for espionage.
Back in the old days, when then-U.S. prosecutor Rudy Giuliani and his colleagues went after the mafia in New York, they had to get permission from a judge in order to tap an alleged crime figure’s phone line or to use a pen register to see which phone numbers he dialed. They would ask for permission to go to restaurants or clubs known as mob hangouts to plant microphones. In all these cases, they had to meet the standards necessary to secure a search warrant.
In Charlotte, the judges’ comments indicate that they may not have received the full story about what exactly they were being asked to authorize. It is much more than a wiretap on a single person’s phone. Depending on how precisely the cops can target their surveillance, everyone in a given location with a particular cellphone provider is apt to end up routed through the box. My conversations, emails and texts may be intercepted by the police while they are investigating someone who happens to live in my high-rise. One Charlotte judge has already disputed the city’s assurances that probable cause is offered before every instance in which the equipment is used.
The police have said they don’t listen to calls, read emails or look at texts from people other than the one they are investigating. I have no reason to question the integrity of the Charlotte police. But even if they have not looked at any information they shouldn’t, they have created a system that relies solely on the integrity of its users. Sooner or later, inevitably there will be breaches. All it takes is one corrupt officer - not to mention an overzealous or unethical individual in a higher position. Nor is Charlotte an isolated case. The American Civil Liberties Union says it has identified at least 46 agencies in 18 states that possess StingRays, while other government units continue to keep their possible possession of the gadgets under wraps.
Most of us have long assumed the National Security Agency could do the things a StingRay can do, but do we want to put this capability in the hands of local cops in Charlotte? Or in Broward County, Florida, where I reside? Or in Ferguson, Missouri? If that thought makes you uncomfortable, you are not alone.
The authorities are probably concerned that if they are open about the full capabilities of this technology, criminals will become more vigilant. They might turn their phones off when they are not using them, or leave them at home when they don’t want to be tracked. They might also make more effort to use virtual private networks and other encryption on their data. Sophisticated criminals doubtless do so already. If nothing else, criminals are apt to make greater use of disposable prepaid phones, or of borrowed or stolen phones that are difficult to tie to a specific individual.
The bigger threat for police is an extension of what we are seeing with iPhones and Android devices, whose vendors are responding to customer concerns by building in encryption that is not accessible to the police, or even to the vendors themselves.
This would be another instance in which the surveillance state’s secrecy and overreach backfires, as citizens take steps to restore the checks and balances that security and police agencies are circumventing.
There is no reason to keep law enforcement capabilities a secret, and only a debatable reason to make such capabilities available at all to police departments in places like Charlotte or Ferguson. Since it is debatable, we should have that debate. Thanks to the Charlotte Observer, The Wall Street Journal, the ACLU and a few others, now we might.