jtwarren / spidey

Android application to detect IMSI-catcher interference
GNU General Public License v3.0

Can we trust Android.telephony going forward? #37

Open acidtonic opened 10 years ago

acidtonic commented 10 years ago

I took a quick peek into the source code and found that this app essentially uses the phone's "standard" API to query the cellular towers.

I have a few questions however regarding this....

  1. Have you witnessed a real stingray device and confirmed that it shows up as a different tower?
  2. If these devices perform MitM attacks, won't they just spoof the IDs of valid towers? Meaning Android.telephony would return the spoofed ID?
  3. How do we verify the Android.telephony package doesn't get "updated" in the future to simply "whitelist" Stingray IDs and refuse to include them in the results (or return spoofed results)? Wouldn't that basically ruin the detection mechanism this app uses? How do we fingerprint those APIs to prove they don't change out from underneath us?
  4. I know this app is passive currently, but it would be cool if there was a user-defined trigger that could be run when certain events happen. Such as....

    4a. Event whenever a brand new tower is found. Regardless of whether it's a stingray or not. This event could be used to dump crypto passwords from RAM and unmount encrypted volumes prior to verifying that this tower is trusted. (Sort of a paranoid response to something new.)

    4b. Event whenever a cell tower is found that doesn't exist in the open database.

  5. Have you considered that this OpenCell ID database may also be spoofed by the new stingray the phone just connected to? Is the OpenCell ID database in a location where law enforcement could simply force the site to add Stingrays as legitimate-looking towers?

Perhaps the app should cache the Cell ID and look it up over a trusted WIFI connection once the user gets to home/work/school and make sure it matches the search performed over 3G/4G (through the stingray)?

Perhaps send the suspicious tower IDs to friends and have their client verify it got the same answer.

In closing:

I'm very interested in preventing this violation of our legal rights. I would love to assist with code updates and more features to help detect this illegal wiretapping. Do you have an outstanding TODO list (besides what I found in the code already)? I'm a C++/Java developer for a living and have a substantial security background. Where can I help?

n8fr8 commented 10 years ago

> I took a quick peek into the source code and found that this app essentially uses the phone's "standard" API to query the cellular towers.

Yes, it does. The goal was to build a mass-market tool that could be run on most GSM Android phones without requiring root. It is not a precise tool, and yes, we are trusting that the handset, OS, and APIs themselves are not manipulated... more on that below...

> Have you witnessed a real stingray device and confirmed that it shows up as a different tower?

We do not have a commercial law enforcement device, but we do have similar research hardware. Ultimately, the GSM protocol is not secured in any reliable or reasonable way, and spoofing is possible. Again, our first step was to build a tool that allowed us to easily gather this type of data across many users, and compare what is found.

ALSO, this app is meant to be able to document blackout or other unexpected events, say during a protest, such as happened during Occupy protests in San Francisco on the BART train, or in many other countries. Spidey looks for "diffs" in the network, anomalies which can be documented and analyzed later.

> If these devices perform MitM attacks, won't they just spoof the IDs of valid towers? Meaning Android.telephony would return the spoofed ID?

In theory, sure. GSM completely sucks! However, Stingray devices are not "God-mode" devices - they cannot disable telecommunications systems for everyone in the region, so spoofing a real tower would likely be frowned upon.

> How do we verify the Android.telephony package doesn't get "updated" in the future to simply "whitelist" Stingray IDs and refuse to include them in the results (or return spoofed results)? Wouldn't that basically ruin the detection mechanism this app uses? How do we fingerprint those APIs to prove they don't change out from underneath us?

This is highly unlikely, but the best response to this would be to use a verified open-source ROM such as Cyanogen or OMNI, which is built from source that can be seen. Otherwise, you might then say "well they could be whitelisted in the baseband", and once you say "baseband" then all bets are off.

Ultimately, this project might be defeated, and only specialized custom hardware will be able to detect stingray devices. For now, we do not think that is the case.

> I know this app is passive currently, but it would be cool if there was a user-defined trigger that could be run when certain events happen. Such as....

> 4a. Event whenever a brand new tower is found. Regardless of whether it's a stingray or not. This event could be used to dump crypto passwords from RAM and unmount encrypted volumes prior to verifying that this tower is trusted. (Sort of a paranoid response to something new.)

> 4b. Event whenever a cell tower is found that doesn't exist in the open database.

Great ideas! Please add them as specific feature requests, so we can track them.

> Have you considered that this OpenCell ID database may also be spoofed by the new stingray the phone just connected to? Is the OpenCell ID database in a location where law enforcement could simply force the site to add Stingrays as legitimate-looking towers?

Sure. OpenCellID is a place holder for something more trustworthy and verified. For now, it is the easiest free, open API to use.

> Perhaps the app should cache the Cell ID and look it up over a trusted WIFI connection once the user gets to home/work/school and make sure it matches the search performed over 3G/4G (through the stingray)?

Yes, that is a good idea (another feature request!)

> Perhaps send the suspicious tower IDs to friends and have their client verify it got the same answer.

Yes, diffing between friends, sharing data is at the core of what we want to do.

> I'm very interested in preventing this violation of our legal rights. I would love to assist with code updates and more features to help detect this illegal wiretapping. Do you have an outstanding TODO list (besides what I found in the code already)? I'm a C++/Java developer for a living and have a substantial security background. Where can I help?

It is all here essentially. This was the work of one semester as part of a class at MIT Media Lab, done with support of the ACLU and the Guardian Project (https://guardianproject.info). We expect to continue, but for now, it is yet another promising open-source project :)