FBI Admits Use of Zero-Day Exploits and Stingrays

In a profile of Amy Hess, the FBI’s executive assistant director for science and technology and overseer of the bureau’s Operational Technology Division, conducted by the Washington Post in the wake of the San Bernardino shootings, the FBI executive openly admitted to the use of a number of techniques the FBI use in order to track down criminals. Amongst the methods brought to light by reporter Ellen Nakashima are Zero-Day Exploits, Stingrays and the OTD’s Remote Operations Unit of hacking technicians.

For those unaware, a Stingray is a type of “cell-site simulator” that imitate cellular towers, in order to collect communications data from mobile telephones within range, both suspect and bystander alike. The tool has been a long-kept secret by the FBI, with them requiring local law enforcement members involved in their use to sign nondisclosure agreements. While Hess insisted that the FBI never enacted a gag on the police, they wanted to keep the details of the device’s functionality shielded.

A zero-day exploit is a flaw in a piece of software that can be manipulated in order to exploit it in some way, that are unknown to the software’s vendor and thus unpatched. Usage of these can allow for easier hacks into suspects PCs or mobile devices, however favoring such techniques is unreliable, and thus not a preferred method to use.

The real worry with these types of attacks are the privacy implications on the common person. A stingray’s data would have to be checked in order to identify the suspect’s data, meaning that the privacy of everyone within proximity of the device potentially has their privacy violated. Holding on to known exploits instead of reporting them to the software developers for patching opens any user of the software open to attack from a hacker were the exploit discovered by another unsavory party. As a result of these implications, both are seen as controversial by privacy advocates and as a result, governments have often tried to distance themselves from discussion of their use. Now, in an unusual moment of transparency, the FBI has potentially put itself a little closer to the disc

IRS Used Stingray To Track 37 Phones

Digital security is an issue that is raised weekly, with digital privacy seeming to be at odds, security or privacy. These topics come to a point when the topic of Stingray towers is brought up, mobile devices that mimic mobile phone towers. These devices can be used to intercept data such as phone calls and text messages, potentially leading the authorities to important information. The problem is that these devices act much like regular towers, in that you can’t target them, this means that you can only collect everyone’s data in range and search for the stuff you are interested in afterwards. Seems the IRS (Internal Revenue Service) has been using one of these devices since 2011 and are looking at getting another.

IRS Director John Koskinen wrote in an open letter to Oregon Senator, Ron Wyden, in the hopes of answering some questions regarding the “cell-site simulator technology”. In the letter, they state that they used the device on 11 federal grand jury cases, tracking a total of 37 cellular devices. It does continue to say though that they used the Stingray (constantly referred to as a cell-site simulator) in four non-IRS cases, one federal and three state level.

At the end of the letter, he continues to say about the Department of Justice requiring a warrant now in order to use the technology, along with probable cause and certain restrictions being met.

While it is nice to see agencies report this kind of information and take these steps to monitor information in a legal and controlled way, you have to wonder, if they were trying to monitor 37 phones, how many other phones did they intercept in total?

Judge Says Stingrays “Are Simply Too Powerful” Without Rules

Stingrays have become one of the most contested ways of digital surveillance since they became public knowledge last year. The devices act like mobile phone towers, simulating their actions while allowing them to intercept and identify the devices connecting to them. The problem many have seen with this device is that they are not selective, they do not target a specific person or phone because the technology does not work like that, this means that when one goes up all mobile devices in the area send their information to the tower. This provides the tower with their location but can also be used to intercept calls and text messages sent by any devices in the nearby area. A judge in Illinois has made a stand and said that unless his three requirements are met, he will not authorise the use of a stingray.

The first requirement is that the stingrays require a warrant to be used, a claim that has been highly contested and was originally an issue given that some law enforcement agencies have used the device hundreds of times without any government oversight.

The second requirement is that the data collected (which is not relevant or approved by the warrant) is “immediately destroyed” and this action is proven to the court.

The third requirement is that the devices cannot be used in areas where a large number of mobile phones will be active, such as at a public sporting event or large gathering.

These steps could be the first sign of a powerful device being controlled and monitored rather than deployed without thought of the freedom and privacy of others around it.

Fake Data-Collecting Mobile Towers Discovered in London

A joint investigation by Sky News and German security company GMSK Cryptophone has uncovered up to 20 fake mobile towers in London that are collecting user data from nearby mobile phones. The “towers” are effectively Stingray boxes – recently used illegally by police in the US to monitor citizens – that mimic mobile towers, tricking a passing phone into revealing its international mobile subscriber number (IMSI) and electronic serial number (ESN), making it possible to track the location of the phone.

The Metropolitan Police has responded to the revelation, but its statement is about as vague and non-committal as it gets. Commissioner Bernard Hogan-Howe told Sky News, “We’re not going to talk about it, because the only people who benefit are the other side, and I see no reason in giving away that sort of thing.”

Human rights watchdog Privacy International (PI) has described the Metropolitan Police’s position on the matter as “laughable,” adding that it is possible that the Police themselves could be responsible. “We can’t be sure that all these are used by law enforcement agencies,” said Matthew Rice, advocacy officer for PI. “They can be used by criminals, and are easily bought from the internet for about £1,000. The police need to explain what they are doing to protect the public from criminals using such equipment as well as explaining how they use it.”

“Even when used by police, IMSI catchers are very difficult to use in a targeted manner, meaning when used in urban areas thousands of people’s mobile phones would be swept up in that dragnet,” he added. “What police do with that data, we don’t know. With 20 IMSI Catchers now confirmed to be deployed across London – we need law enforcement to step up, have an honest conversation about their use, so we can ensure the public are being properly protected.”

The Metropolitan Police has refused any further comment.

Thank you BBC News for providing us with this information.

Image courtesy of High Tech Forum.

Public Record Request Reveals Stingray Used 303 Times Without Legal Reason

Digital privacy is a concept that is being contested with government monitoring. With section 215 of the Patriot act set for renewal in America, with reviews and discussions pushing the talks to the last possible minute, the concept of acquiring data illegally is almost considered taboo, or at least admitting to it is.

I’ve previously written an article about Stingrays, no not the creatures that swim around the ocean, but the device used by the Government to mimic a cell tower and intercept mobile communication data. The topic of Stingrays has once again been raised with a Public Record Request in San Bernardino County (East of Los Angeles County) has revealed that since acquiring a stingray in 2012, in the period between January 1st, 2014 and May 7th, 2015, the stingray has been deployed 303 times.

This would not be a problem normally, I mean they are just using a device to help fight crime and do their duty, right? With the public record request, Ars Technica was able to get an example of a template for a “pen register and trap and trace order” used to deploy the stingray.  This piece of paperwork was typically used to collect metadata in almost real-time from a telephone company about the activity on a landline, obviously before the mass adoption of mobile phones by the public. The order itself, however, does not mention in any way the Stingray device.

The public awareness of Stingrays has rocketed in recent years, given that previously a Non-Disclosure Agreement (an agreement between the creators of the Stingray and the companies that use them to prevent the spread of information regarding the devices), has caused cases to be dropped, rather than breach the NDA with both the FBI and the Harris Corporation (the creators of the Stingray Device). In April 2015, a women accused of being a getaway driver changed her guilty plea and refused to testify against her three co-defendants after a police detective was challenged during a deposition and they refused to provide further information. The case was then dropped, this is not the first time that legal action has been muddied by the use of stingrays.

In an email exchange between Sarasota Police Department and North Port Police Department, the departments hid the use of Stingrays from judges and defendants at the request of the US Marshal Service (who the devices were on loan from at the time). The advice given to the departments from the U.S. Marshalls Task Force was to state that they “received information from a confidential source regarding the location of the suspect”. This means they were advised to lie regarding how information was gathered in order to hide the use of Stingrays, possibly in accordance with the NDA surrounding the device.

The non-disclosure agreement was revealed by Erie County, New York, and has been seen as stating that the FBI would rather drop a legal case rather than disclose information regarding the Stingray devices. This is however in contrast to a statement the FBI released stating that the NDA should not stop legal action based on the fact that a Stingray was used in the case.

Stingrays have been controversial devices since their public appearance, and with the court cases dismissed due to their use and most recently the awareness that the devices are being deployed with little to no legal oversight, they will continue to be a highly contested device until either legislation is implemented to protect the public from what is essentially the same meta-data mass collection that the national security agencies are currently being sued and debating.

What are your thoughts? Should devices like these be allowed to help fight crime, do they require more legal oversight or has their development been overshadowed with too many legal gray areas and cloak and dagger deployments?

Thank you Ars Technica for the information.

Image courtesy of Infosec Institue.