A Quick and Dirty Guide to Cell Phone Surveillance at Protests
As uprisings over police brutality and institutionalized racism have engulfed the country, many are facing the full power of weapons and law enforcement surveillance for the first time. When protesters, cell phones and police are in the same place, protesters should be concerned about cell phone surveillance. Security practitioners or other protesters often respond to this concern with advice on the use of cell site simulators (also known as CSS, IMSI catcher, Stingray, Dirtbox, Hailstorm, fake base station or crossbow) by local law enforcement. But often this advice is misleading or rooted in a fundamental lack of understanding of what a cell site simulator is, what it does, and how often it is used.
Although it is possible that cell site simulators are used or have been used during protests, this should not stop people from expressing their disagreement. With a few simple precautions by protesters, the most severe abuses of these tools can be mitigated.
The bottom line is as follows: there is very little concrete evidence of the use of cell site simulators against protesters in the United States The threat of cell site simulators should not prevent activists from disagreeing or using their phones. On the other hand, given that over 85 local, state and federal law enforcement agencies across the country have some form of CSS (some of which use hundreds of times a year), it is not unwise to include cell site simulators in your security plan if you go to a protest and take a few simple steps to protect yourself.
CSS is a device that mimics a legitimate cell tower. Police around the world use this technology primarily to locate a phone (and therefore a person) with a high degree of accuracy or to determine who is in a particular location. In the past, there were reports that advanced CSS could intercept and record content and metadata of phone calls and text messages using 2G networks, but there are no publicly known ways to listen to text messages and calls on 4G networks. Cell site simulators can also disrupt cellular service in a specific area. However, it is very difficult to confirm conclusively that the government is using CSS, as many of the noticeable signs of using CSS – draining the battery, interrupting the service, or downgrading the network – can occur for other reasons, such as cell network failure.
For more details on how cell site simulators work, read our in-depth white paper “I have to catch them all.”
Interception of phone calls and text messages is the scariest potential of CSS, but perhaps the least likely. Content interception is technically unlikely because, to the best of our knowledge, it is based on an ongoing security study (ie a study on 2G and LTE / 4G networks that does not take into account security flaws or fixes that may occur in 5G standard), content interception can only be performed when the target is connected via 2G, which makes it somewhat “noisy” and easy for the user. Cell site simulators cannot read the contents of encrypted messages such as Signal,, WhatsApp, Wire, Telegram or Keybase in each scenario0.
Police using CSS to intercept content is also legally unlikely, as state and federal eavesdropping laws generally prohibit the interception of communications without a warrant. And if the police receive a wiretapping order from the court, they can go directly to the telephone companies to monitor the telephone conversations, giving them the advantage of not having to be physically close to the person and the opportunity to use the evidence gathered in court.
One advantage that law enforcement could gain from using CSS to intercept content during a protest is the ability to effectively eavesdrop on several people without having to know who the first ones are. This would be beneficial if the police did not know in advance who was leading the protest. This type of mass surveillance without an order would be illegal. But the police were known to use CSS without command to track suspects. So far, there are no reports of police using this type of surveillance during protests.
Finding a specific mobile device (and its owner) is anecdotally the most common use of cell site simulators by law enforcement, but conversely may be the least useful in protest. Finding a specific person is less useful in a protest, because the police can usually already see where everyone is using helicopters and other methods of visual surveillance. However, there are situations in which police may want to track a demonstrator discreetly, using CSS rather than a personal team or helicopter.
If CSS were to be used during a protest, the most likely use would be to determine who is nearby. A law enforcement agency can theoretically collect IMSI at all on-site collection and send this to the telephone company later to identify the user to prove they were at the protest. There are other ways to achieve this: law enforcement could ask telephone companies for a “tower dump”, which is a list of each subscriber who has been connected to a particular tower at a particular time. However, this would have the disadvantage of being slower, requiring an order and having a wider radius, potentially gathering the IMSI of many non-protesters.
Denial of service or signal mute are additional features of CSS. In fact, the FBI acknowledged that CSS could cause it signal to interrupt people in the area. Unfortunately, for the same reasons, it is difficult to detect the use of CSS, it is difficult to say how often they violate the service either intentionally or accidentally. What looks like signal attenuation can also be tower overload and connection failure. When a large number of people suddenly gather in one place, it can overload the network with amounts of traffic for which it is not intended.
How to protect yourself from a cell site simulator
As noted in our Self-Defense Monitoring Guide for Protesters, the best way to protect yourself from a cell site simulator is to put your phone in airplane mode and deactivate GPS[2], wifi and Bluetooth, as well as cellular data. (While GPS is “receive-only” and does not omit location information on its own, many applications track GPS location data, which eventually ends up in databases, law enforcement can search later.)
We know that some IMSI capture devices can also capture content, but as far as we know, none of them can do this without lowering your cellular connection to 2G. If you are concerned about protecting your device against this attack, the best thing you can do is use encrypted messages such as Signal or Whatsapp and put your phone in airplane mode if you see it falling to 2G. (There are many legitimate reasons for your phone to downgrade part of your connection to 2G, but safer than sorry. See the article : Oscars Present 17 Awards for Technical and Scientific Achievement.) An important part of protests can be streaming / recording and instantly uploading videos of police violence against protesters. This contradicts the advice to keep your phone off / in airplane mode. It is up to you to decide what your protest priorities are and to know that what is important to you may not be someone else’s priority.
Unfortunately, iOS and Android currently do not offer easy ways to force your phone to use only 4G, although this is something that developers they could certainly add to their operating systems. If you can turn off 2G on your phone, this is a good precaution.
How a cell site simulator can be found
Unfortunately cell site simulators are very difficult to detect. Some of the signs that one can interpret as evidence, such as downgrading to 2G or losing your connection to the cellular network, are also common signs of a congested cellular network. There are some applications that claim to be able to detect IMSI capture devices, but most of them are either based on outdated information or have so many false positives that they become useless.
One potential way to detect cell site simulators is to use a software-defined radio to map all cellular antennas in your area and then search for antennas that show up and then disappear, move, show up in two or more places. , or are particularly powerful. There are several projects that are trying to do this, such as “Sea glass“and”SITCH“For 2G antennas and own EFF”Crocodile hunterFor 4G antennas.
Although it is possible that cell site simulators are used or have been used during protests, this should not stop people from expressing their disagreement. With a few simple precautions by protesters, the most severe abuses of these tools can be mitigated. This may interest you : Hackaday Links: January 3, 2021. Nevertheless, we call on legislators and people at all levels in the cellular communications industry to take these issues seriously and work to end the use of CSS.
Comments are closed.