What Happens When the Surveillance State Becomes an Affordable Gadget?
When Daniel Rigmaiden was a little boy, his grandfather, a veteran of World War II and Korea, used to drive him along the roads of Monterey, California, playing him tapes of Ronald Reagan speeches. Something about the ideals of small government and personal freedom may have affected him more deeply than he realized. By the time Rigmaiden became a disaffected, punk-rock-loving teenager, everything about living in America disappointed him, from the two-party system to taxes. “At that age, everybody’s looking for something to rebel against,” he tells me over Mexican food in Phoenix—where, until recently, he was required to live under the conditions of his parole. “I thought, ‘I either have to fight the rigged system, or I have to opt out completely.’ ”
Rigmaiden is 35 and slender, quiet with a sardonic smile and thick shock of jet-black hair. Speaking softly and rapidly, he tells the story of how he evolved from a bottom-feeding Internet outlaw to one of the nation’s most prescient technological privacy activists. Rigmaiden left home in 1999 after graduating high school and spent almost a decade knocking around college towns in California, living under a series of assumed names. “I didn’t want to be constrained by all the rules of society,” he says. “It just didn’t seem real to me.” He’d spend weeks living in the woods, scrounging for food and water, testing his limits; then he’d find a place to crash for a while and make a little money on the Internet—first selling fake IDs, then moving on to more serious crimes. In 2006 he wrote software to mine information from databases on the Internet—names, birthdates, Social Security numbers, and the employer identification numbers of businesses. Then he filed fake tax returns, hundreds of them, collecting a modest refund with each.
He bought gold coins with cash, built a nest egg of about $500,000, and planned to move to South America when the time was right. Then, in 2008, an FBI, IRS, and U.S. Postal Service task force grabbed Rigmaiden at his apartment in San Jose and indicted him on enough wire fraud and identity theft charges to put him away for the rest of his life. Only after he was caught did the authorities learn his real name.
The mystery, at least to Rigmaiden, was how they found him at all. He’d been living completely off the grid. The only thing connecting him to the world outside his apartment, he knew, was the wireless AirCard of his laptop. To find him, he reasoned, the people who caught him would have had to pluck the signal from his particular AirCard out of a wilderness of other signals and pinpoint his location. To do that, they’d need a device that, as far as he knew, didn’t exist.
Rigmaiden made it his mission to find out what that device was. He was jailed but never tried; he slowed down the process by filing endless motions contesting his arrest, insisting he’d been essentially wiretapped without a warrant. In the prison library, he became a student of telecommunications. Among the most important things he learned was that whenever a cell phone communicates with a cell tower, it transmits an International Mobile Subscriber Identity, or IMSI. His AirCard, like a cell phone, had an IMSI. He reasoned that the government had to have a gadget that masqueraded as a cell tower, tricking his AirCard into handing over its IMSI, which was then matched up to the IMSI connected to all his online phony tax filings. It was all inference, at first, but if it was true, that would be enough for him to make the case that what was done to his AirCard was an illegal search.
It took two years before Rigmaiden found the first real glimmer of proof. He was plowing through a stash of records the Electronic Frontier Foundation had unearthed in the files of the FBI’s Digital Collection System Network—the bureau’s technological communications monitoring program—and noticed a mention of a Wireless Intercept and Tracking Team, a unit set up specifically for targeting cell phones. He connected what he found there to an agenda he’d found from a city council meeting in Florida in which a local police department was seeking permission to buy surveillance equipment. The attachment gave the equipment a name: StingRay, made by Harris Corp.
The StingRay is a suitcase-size device that tricks phones into giving up their serial numbers (and, often, their phone calls and texts) by pretending to be a cell phone tower. The technical name for such a device is IMSI catcher or cell-site simulator. It retails for about $400,000. Harris and competitors like Digital Receiver Technology, a subsidiary of Boeing, sell IMSI catchers to the military and intelligence communities, and, since 2007, to police departments in Los Angeles, New York, Chicago, and more than 50 other cities in 21 states. The signals that phones send the devices can be used not just to locate any phone police are looking for (in some cases with an accuracy of just 2 meters) but to see who else is around as well. IMSI catchers can scan Times Square, for instance, or an apartment building, or a political demonstration.
Rigmaiden built a file hundreds of pages thick about the StingRay and all its cousins and competitors—Triggerfish, KingFish, AmberJack, Harpoon. Once he was able to expose their secret use—the FBI required the police departments that used them to sign nondisclosure agreements—the privacy and civil-liberties world took notice. In his own case, Rigmaiden filed hundreds of motions over almost six years until he finally was offered a plea deal—conspiracy, mail fraud, and two counts of wire fraud—in exchange for time served. He got out in April 2014, and his probation ended in January. Now Rigmaiden is a free man, a Rip Van Winkle awakening in a world where cell phone surveillance and security is a battleground for everyone.
In the ongoing scrum over cell phone privacy, there are at least two major fields of play: phone-data encryption, in which, right now, Apple is doing its best not to share its methods with the government; and network security, in which the police and the military have been exploiting barn-door-size vulnerabilities for years. And it’s not just the government that could be storming through. The same devices the police used to find one low-rent tax fraudster are now, several years later, cheaper and easier to make than ever.
“Anybody can make a StingRay with parts from the Internet,” Rigmaiden tells me, citing a long litany of experiments over the years in which researchers have done just that. “The service provider is never going to know. There’s never any disruption. It’s basically completely stealth.” In the coming age of democratized surveillance, the person hacking into your cell phone might not be the police or the FBI. It could be your next-door neighbor.
In February, on a snowy morning in Annapolis, Md., a panel of three judges is hearing arguments in the first StingRay case to make it to an appeals court. It’s the case of Kerron Andrews, a 25-year-old man arrested two years ago in Baltimore for attempted murder. His court-appointed lawyer did what a lot of court-appointed lawyers in Baltimore have been doing in recent years: Inspired by the Rigmaiden case, she contested his arrest on Fourth Amendment grounds, arguing that the technology used to apprehend the suspect was not specified in the court order allowing the police to search for him at a particular house. At first, prosecutors said they could not confirm that any technology was used at all—those nondisclosure agreements have kept more than one police department quiet—but eventually they conceded that the police found Andrews with a Hailstorm, a next-generation version of the StingRay, also built by Harris. When a judge tossed out most of the evidence in the case, the state appealed, making Maryland v. Andrews the first IMSI catcher case to potentially make sweeping case law at the appellate level.
During arguments, at least two of the three appellate judges on the panel appear skeptical of the state’s case. Judge Daniel Friedman seems exasperated that the police and prosecutors didn’t seem to understand the Hailstorm well enough to know if it was intruding on the privacy of suspects. Judge Andrea Leahy suggests that this case fits tidily into the Supreme Court’s 2012 decision USA v. Jones, which ruled that the police could not install a GPS device on someone’s car without a warrant. “Wiretaps require warrants,” she says.
Then Daniel Kobrin, the appellate lawyer representing Andrews, argues, in a way that would make Tim Cook proud, that Hailstorm violates everyone’s reasonable expectation of privacy. Unlike, say, the garbage you’d leave outside your house, Kobrin says, there’s nothing about a phone that is thought of as fair game for the police. “When I have my phone and I’m walking down the street, I’m not telling my phone to let Verizon or Sprint or T-Mobile know where I am,” the lawyer says. “Phones are not tracking devices. Nobody buys them for that reason. Nobody uses them for that reason.” A few weeks later, the panel would affirm the lower court’s decision to suppress evidence seized as a result of the use of the Hailstorm. Soon, Maryland may have to go the way of Washington state and require explicit language in its warrants about the use of any cell-site simulator to catch clients.
Watching the proceedings from the gallery is Christopher Soghoian, the principal technologist for the American Civil Liberties Union. He, even more than Rigmaiden, may be the person most responsible for exposing the vulnerability of the telecommunications system to surveillance and goading the states, one by one, to regulate its use. A bearded, long-haired Ph.D. from Indiana University, Soghoian has been raising the alarm about the StingRay for five years—ever since he got a message sent by Rigmaiden from prison saying he could prove the police hacked his phone. “I remembered seeing it in The Wire,” Soghoian says, “but I thought that was fictional.” (Phone-tracing gadgets are a television staple, also popping up in Homeland.) Soghoian’s colleagues educated dozens of public defenders in Maryland about the police’s favorite toy; in one case last summer, a detective testified that the Baltimore police have used a Hailstorm some 4,300 times. “That’s why there are so many StingRay cases in Baltimore,” Soghoian tells me. “Because the defense lawyers were all told about it.”
Harris is a publicly traded Florida-based defense contractor with a $9.7 billion market cap and 22,000 employees. In the 1970s, Harris built the first secured hotline between the White House and the Kremlin; later it branched out into GPS, air traffic management, and military radios. Harris’s first visible foray into cell-site simulation was in 1995, when the FBI used the Harris-made Triggerfish to track down the notorious hacker Kevin Mitnick, who, in his time, seized proprietary software from some of the nation’s largest telecom companies.
The StingRay arrived a few years later—an update of Triggerfish designed for the new digital cellular networks. The first clients were soldiers and spies. The FBI loves IMSI catchers—“It’s how we find killers,” Director James Comey has said—even if last fall, under pressure after Rigmaiden’s case and others became public, the Justice Department announced that the FBI would, in most cases, need warrants before using them.
Most local police departments, though, still aren’t bound by that directive. Neither are foreign governments, which are widely suspected to be using IMSI catchers here (as we are no doubt doing elsewhere). And so, amid the publicity over the StingRay, a marketplace has opened up for countermeasures. On the low end, there’s SnoopSnitch, an open source app for Android that scans mobile data for fake cell sites. On the high end, there’s the CryptoPhone, a heavily tricked-out cell phone sold by ESD America, a boutique technology company out of Las Vegas. The $3,500 CryptoPhone scans all cell-site signals it’s communicating with, flagging anything suspicious. Even though the CryptoPhone cannot definitively verify that the suspect cell is an IMSI catcher, “we sell out of every CryptoPhone we have each week,” says ESD’s 40-year-old chief executive officer, Les Goldsmith, who has marketed the phone for 11 years. “There are literally hundreds of thousands of CryptoPhones globally.” ESD’s dream clients are nations. Last year the company debuted a $7 million software suite called OverWatch, developed with the German firm GSMK. OverWatch, ESD says, can help authorities locate illegal IMSI catchers using triangulation from sensors placed around a city. “Right now, it’s going into 25 different countries,” Goldsmith says.
On a parallel track to the defense market, hobbyists and hackers have gone to work on the cell networks and found they can do a lot of what Harris can. In the early days of cell phones, when the signals were analog, like radio, DIY phone-hacking was a cinch. Anyone could go to a RadioShack and buy a receiver to listen in on calls. Congress grew concerned about that and in the 1990s held hearings with the cellular industry. It was an opportunity to shore up the networks. Instead, Congress chose to make it harder to buy the interception equipment. The idea was that when digital mobile technology took hold, intercepting digital signals would be just too expensive for anyone to bother trying. That turned out to be more than a little shortsighted.
For as long as you’ve been using a phone on a 2G (also called GSM) network or any of its digital predecessors, your calls, texts, and locations have been vulnerable to an IMSI catcher. In 2008 researcher Tobias Engel became the first to demonstrate a crude homemade IMSI catcher, listening to calls and reading texts on a pre-2G digital cell network. Two years later, at a DEF CON hacking conference in Las Vegas, researcher Chris Paget monitored calls made on 2G with a gadget built for just $1,500. What made it so cheap was “software-defined radio,” in which all the complicated telecommunications tasks aren’t pulled off by the hardware but by the software. If you couldn’t write the software yourself, someone on the Internet had probably already done it for you.
Phones now operate on more sophisticated 3G and 4G (also known as LTE) networks. In theory, IMSI catchers can pinpoint only the location of these phones, not listen to calls or read texts. But none of that matters if the IMSI catcher in question can just knock a phone call back down to 2G. Enter Harris’s Hailstorm, the successor to StingRay. “It took us a while to stumble onto some documents from the DEA to see that the Hailstorm was a native LTE IMSI catcher,” the ACLU’s Soghoian says. “It was like, ‘Wait a second—I thought it’s not supposed to work on LTE. What’s going on?’ ”
They found a hint to the answer last fall, when a research team out of Berlin and Helsinki announced it had built an IMSI catcher that could make an LTE phone leak its location to within a 10- to 20-meter radius—and in some cases, even its GPS coordinates. “Basically we downgraded to 2G or 3G,” says Ravishankar Borgaonkar, a 30-year-old Ph.D. who has since been hired at Oxford. “We wanted to see if the promises given by the 4G systems were correct or not.” They weren’t. The price tag for this IMSI catcher: $1,400. As long as phones retain the option of 2G, calls made on them can be downgraded. And the phone carriers can’t get rid of 2G—not if they want every phone to work everywhere. The more complex the system becomes, the more vulnerable it is. “Phones, as little computers, are becoming more and more secure,” says Karsten Nohl, chief scientist at Security Research Labs in Berlin. “But the phone networks? They’re rather becoming less secure. Not because of any one action but because there’s more and more possibility for one of these technologies to be the weakest link.”
The device Borgaonkar’s team built is called a “passive receptor,” a sort of budget StingRay. Instead of actively targeting a single cell phone to locate, downgrade to 2G, and monitor, a passive receptor sits back and collects the IMSI of every cell signal that happens by. That’s ideal for some police departments, which, the Wall Street Journal reported last summer, have been buying passive devices in large numbers from KEYW, a Hanover, Md., cybersecurity company, for about $5,000 a pop. One Florida law enforcement document described the devices as “more portable, more reliable and ‘covert’ in functionality.” If all you want to do is see who’s hanging out at a protest—or inside a house or church or drug den—these passive receptors could be just the thing.
A programmer I spoke with who has worked for Harris is of two minds about what the hobbyists are up to. “There’s a giant difference between do-it-yourself IMSI catchers and something like the Harris StingRay,” he says proudly. That said, he’s taken with how fast the amateurs are catching up. “I’d say the most impressive leap is the advancement of LTE support on software-defined radio,” he says. “That came out of nowhere. From nothing to 2G took, like, 10 years, and from 2G to LTE took five years. We’re not there yet. But they’re coming. They’re definitely coming.”
You don’t have to look far to see what a world of cheap and plentiful IMSI catchers looks like. Two years ago, China shut down two dozen factories that were manufacturing illegal IMSI catchers. The devices were being used to send text-message spam to lure people into phishing sites; instead of paying a cell phone company 5¢ per text message, companies would put up a fake cell tower and send texts for free to everyone in the area.
Then there’s India. Once the government started buying cell-site simulators, the calls of opposition-party politicians and their spouses were monitored. “We can track anyone we choose,” an intelligence official told one Indian newspaper. The next targets were corporate; most of the late-night calls, apparently, were used to set up sexual liaisons. By 2010 senior government officials publicly acknowledged that the whole cell network in India was compromised. “India is a really sort of terrifying glimpse of what America will be like when this technology becomes widespread,” Soghoian says. “The American phone system is no more secure than the Indian phone system.”
In America, the applications are obvious. Locating a Kardashian (in those rare moments when she doesn’t want the media to locate her) is something any self-respecting TMZ intern would love to be able to do. “What’s the next super Murdoch scandal when the paparazzi are using a StingRay instead of hacking into voicemail?” Soghoian says. “What does it matter that you can build one for $500 if you can buy one for $1,500? Because at the end of the day, the next generation of paparazzi are not going to be hackers. They’re going to be reporters with expense accounts.”
Over coffee after court in Annapolis, Soghoian and I peruse the Alibaba.com marketplace on his smartphone. He types in “IMSI catcher,” and a list materializes. The prices are all over the place, as low as $1,800. “This one’s from Nigeria. ... This one’s $20,000. ... This one’s from Bangladesh.” I note that the ones on sale here seem to work only on 2G, unlike the Hailstorm. “You can get a jammer for like 20 bucks,” Soghoian says. With that, you roll any call back to 2G. Pair the signal jammer with a cheap old IMSI catcher, and you’ve got a crude facsimile of a Hailstorm.
Every country knows it’s vulnerable, but no one wants to fix the problem—because they exploit that vulnerability, too. Two years ago, Representative Alan Grayson (D-Fla.) wrote a concerned letter to the Federal Communications Commission about cellular surveillance vulnerabilities. Tom Wheeler, the former industry lobbyist who now runs the regulatory agency, convened a task force that so far has produced nothing. “The commission’s internal team continues to examine the facts surrounding IMSI catchers, working with our federal partners, and will consider necessary steps based on its findings,” says FCC spokesman Neil Grace.
Soghoian isn’t optimistic. “The FCC is sort of caught between a rock and a hard place,” he says. “They don’t want to do anything to stop the devices that law enforcement is using from working. But if the law enforcement devices work, the criminals’ devices work, too.” Unlike the battle between the FBI and Apple, the network-vulnerability struggle doesn’t pit public sector against private; it’s the public sector against itself.
From his apartment in central Phoenix, Rigmaiden consulted with the Washington state branch of the ACLU when it helped draft the state law requiring a warrant for the use of IMSI catchers. He’s suing the FBI for more StingRay documents, and recently the court shook loose a few more. And now that his parole is over and he can travel, he’d like to lecture across the country about fighting surveillance. “Everything that I thought was wrong back then is even worse today,” he says, chuckling softly. “The only thing that’s changed is now I’m going to do the other route—which is participate and do what I can to try to change it.”
As improbable a privacy standard bearer as Rigmaiden may be, his ability to draw inferences and connect dots proved useful once; maybe it will again. He has dug up the specs of some KEYW passive devices, and he sees no reason the big companies like Harris aren’t already miles beyond that now. “Every beat cop, every police car on every police force is going to have one of these passive interceptors in the car or on their utility belt,” Rigmaiden says. For surveillance to become truly democratized, he reasons, “it has to be as easy as installing an app on your phone. I think somebody somewhere would have to decide, I’m going to make this easy for people to do. And then they’d do it.”
He’s hardly alone in this view. “The next step for the technology is to go into the hands of the public, once it gets cheap enough,” says Jennifer Lynch, a staff attorney at the Electronic Frontier Foundation. “Companies are always going to try to find new markets for their technologies. And there are lots of people who want to spy on their neighbors or their spouses or their girlfriends.”
Meanwhile, apart from IMSI catchers, a whole other vulnerability has been exposed: Companies such as Verint Systems and Defentek have produced devices that exploit a huge security hole in SS7 (short for Signaling System 7), the network that interconnects every cellular provider around the world. Using SS7, researchers on laptops have been able to pinpoint the location of a particular cell phone anywhere in the world—and even intercept calls. The attacker does leave an IP address as a trace. “But if that IP address leads somewhere like Russia or China,” says Tobias Engel, who cracked SS7 in a 2014 demonstration in Hamburg, “you really don’t know much more.” The industry lobbying group CTIA–The Wireless Association maintains that SS7 is more secure in America than in Europe. “Outside the U.S., the networks are more fragmented, not as homogeneous,” says John Marinho, who runs the group’s cybersecurity working group.
Goldsmith of ESD—which has developed another multimillion-dollar software package, called Oversight, aimed at warding off SS7 attacks—disagrees. “That’s comical,” he says. “I can tell you we performed tests on U.S. carriers, and they’re just as vulnerable as anyone else.”
What fascinates Rigmaiden the most—and what sometimes makes him want to go live in the woods again—is how no matter what happens with Apple’s battle, the cell phone network problem may be with us for as long as there are networks. “This isn’t something that can really be fixed,” he says. “It’s just built into the way communications work. You can always zero into one signal among many signals, if you have enough data. You don’t need to hack anything—just analyze the signals in the air.”