from 404 Media
Hello, and welcome to the 404 Media Podcast, where we bring you unparalleled access to hidden worlds both online and IRL. 404 Media is a journalist-founded company and needs your support. To subscribe, go to 404media.co. As well as bonus content every single week, subscribers also get access to additional episodes where we respond to their best comments, and they get early access to our interview series too, like this episode. Gain access to that content at 404media.co.
Joseph: This week, I'm speaking to Cooper Quintin, a security researcher and senior public interest technologist with the Electronic Frontier Foundation. Cooper has done a lot of work looking into IMSI catchers, or, as you'll hear us talk about, maybe we should probably actually describe them as cell site simulators. These are these small devices that pose as a phone tower to then sweep up information about nearby mobile phones. Cooper has helped develop this tool called Rayhunter, which allows people to detect if maybe there is an IMSI catcher or a cell site simulator around me somewhere. This is a really, really interesting conversation that gets much more in the weeds than I think, you know, a lot of coverage would.
Joseph:So I'll throw to the interview and I really, really hope you enjoy the conversation. Cooper, thank you so much for coming on the show. Really, really appreciate it.
Cooper:Yeah. I'm really excited to be here.
Joseph:Of course. So I don't know if everyone is going to be really aware of what an IMSI catcher is, a Stingray, a cell site simulator. I don't say that one that often. That's why it's a little bit tricky to get out. How about to get the conversation going?
Joseph:Could you just tell us what is an IMSI catcher and how does it work exactly?
Cooper: Yeah. For sure. So Stingray, cell site simulator, and IMSI catcher are terms that are often used interchangeably, and they pretty much all mean the same thing. It's usually a fake cell tower that police are able to use to trick your phone into connecting to it instead of the real cell tower. And this is usually used to find the identity or IMSI of your phone.
Cooper: IMSI stands for international mobile subscriber ID. This is a unique ID that's used by your SIM card to identify it to the base station, to the tower. Right? And to the phone company, for the purposes of billing, most importantly, in their eyes. Every phone has an IMSI.
Cooper: Every SIM card has its own unique IMSI. And this can uniquely identify you. So once your phone connects to an IMSI catcher, the police get your IMSI, and then they can go bother the phone company until they give the police your subscriber details, your name, your address, and all of that stuff.
Joseph: Right. So it's funny because, as with a lot of stuff in telecom security, the way these networks are exploited or attacked in various ways often comes down to simply how telecommunications networks work, right? Like, this is able to function as a fake cell phone tower because phones, simply in virtue of how they work, are always trying to talk to a cell phone tower that's nearby, or I guess the nearest free one or something like that. Is that fair?
Cooper: Yeah. That's completely fair. Yeah. IMSI catchers really just take advantage of how the cell phone network was designed to work. Right?
Cooper: Your phone is, to a degree, always tracking you. Right? Because the phone company has to know what towers you're connected to, to locate you, to be able to send you messages most efficiently. Right? So if you get a text message, there's two ways to route this to you.
Cooper: Right? One is to send that text message to every cell tower in the United States. Right? And everybody tries to read it and sees it's not for them and then discards it. Right?
Cooper: Or you can, with your IMSI, let the phone company know what, you know, what part of what region you're in, and then the phone company can route the message to that region. Right? And so, like, you're always connecting to the towers. You always have this unique ID, and there's really no way to get around that. You always have to have an IMSI.
Cooper: Right? Some phone companies, there's a couple of interesting companies out now that are doing interesting things like rotating your IMSI. Those are interesting ways to sort of get around that issue. But in general, especially with, you know, the big three now, AT&T, Verizon, and T-Mobile. Right?
Cooper: There's no getting around the fact that your cell phone is constantly tracking you. And IMSI catchers can take advantage of that because there are so many messages. Right? Your phone is always looking for the strongest. Like, your phone is always looking for the best connection.
Cooper:Right? And it is happy to connect to a new tower that pops up. Right? Especially if that tower looks stronger than the other surrounding towers.
Joseph:Which is what a cell site simulator will do. Right? Does it does it look like the strongest tower nearby?
Cooper: Yeah. Yeah. That is often what they do, is they'll look like the strongest tower nearby or, you know, they will advertise themselves as available, advertise other towers as not available. They will pretend to be another tower, right, that you're really connected to. And they can send a message that looks like it's from that tower that says, hey, please disconnect from me right now and rejoin on this other tower, which is also from the IMSI catcher.
Cooper: Right? So they can trick your phone into connecting to it that way. And then there's all these messages that your phone sends to the tower and the tower sends back to your phone without any sort of authentication ever happening. Right? And some of those messages can contain your IMSI, and the tower can specifically request your IMSI, and the phone happily gives up that information.
Joseph:Right. Totally. And I think we'll get a little bit more into this in a minute. But broadly, what are some of the capabilities beyond just grabbing an IMSI? Like, are these capable of doing anything else?
Cooper:Yeah. Absolutely. So the purported use of IMSI catchers is to track down a specific person. Right? The reason police say they need these is for like a manhunt.
Cooper:Right? Or, you know, locating somebody who's been kidnapped. Right? Or search and rescue operations, things like that. And they are useful for that.
Cooper: Right? The cell phone company can give you somebody's location, but only, you know, down to, you know, at best 150 meters. Right? And not any sort of verticality. Right?
Cooper: If somebody's in a big apartment building, right, what the IMSI catcher can do is really track them down to the specific apartment there. Right? Like, this is the most fine-grained location data, and it's the most accurate. Right? You can always get it.
Cooper: You're not always going to get data from there are a lot of other location things. Right? Like I said, you can get location from tower pings from phone companies. Right? You could get location from a tool like Penlink, from Webloc.
Cooper: Right? But people aren't always going to be in the Webloc database. Right? The phone pings aren't always gonna be the most accurate. With a tool like an IMSI catcher, you can always very accurately locate somebody.
Joseph: Yeah. And for those who may not have read this piece that we published actually shortly before we were recording this, Webloc is this tool that ICE has bought which uses location data probably sourced from the ad ecosystem. But what you're saying here, of course, and absolutely correct, an IMSI catcher is so much more powerful because it's using much more of the telecommunications backbone than, I don't know, is this person maybe in this advertising dataset? Like, who knows? Right.
Cooper: Right. Exactly. Exactly. And you can't, you know, you can't fool it by turning off location services, right, or not having, you know, any apps on your phone that are not giving location data to any apps that have ads. Right?
Cooper: The IMSI catcher will still work. The other concern, though, with an IMSI catcher, the concern is that you could use it, for example, to identify who is in a particular location. Right? So the theory, and we haven't seen any examples of this to my knowledge, but the theory is that police could sit outside of a protest, right, and gather up all of the identities of the people going to that protest, or sit outside of an abortion clinic, or sit outside of a mosque.
Cooper: Right? Anywhere where they want to identify all of the people in that area. And that, to me, that is much more concerning than if police are just using IMSI catchers to, you know, find a kidnapped person. Right? Or to, like, find somebody who is accused of murder.
Cooper: Right? Like, that's, I could still find issues with the way they're using it. But if they're getting a warrant and they're only using it for that and they're minimizing the data, right, I have bigger fish to fry. But if they are using this to surveil free speech, right, if they're using this to figure out who is engaging in their constitutionally protected right to protest, that's a problem. Another problem is that, because of the way IMSI catchers work, they could be used, and have been used in the past, we know for sure, to man-in-the-middle calls and text messages, which aren't encrypted.
Cooper:Right? So you could use these to listen in on people's calls, read people's text messages. One of the ways that they're commonly used right now, not by police, but by scammers, is to send people text messages from, you know, quote unquote legitimate phone numbers. Right? So there was a story, I think a couple years back now, about a woman who was driving around France and got pulled over, and they saw some weird equipment in the back of her car, called out the bomb squad.
Cooper: Bomb squad came out and called out the IT guys. Right? And it turned out that it was actually an IMSI catcher in the back of their car.
Joseph: We've had similar in Southeast Asia recently as well, I think, where they just drive around these cars with an IMSI catcher, isn't it?
Cooper: Yeah. Yeah. Exactly. They drive around and they broadcast, you know, text messages. In the France case, it was from the French health ministry. Right?
Cooper: They're claiming to be from the French health ministry. Just SMS scams. Right? Like, trying to phish people's health logins, I guess, out of them. I don't know what the ultimate financial... Right.
Cooper:I mean, this this isn't America. Right? Like, there's universal health care. So I don't know what you're seeking to get in that case.
Joseph:But that brings up something interesting in that, obviously, at the same time, the technology is sophisticated in that, you know, law enforcement agencies are using it, that sort of thing. And then on the flip side, it's really not that sophisticated in some cases because somebody's driving around with a car, just shoved in the back there, like almost common criminal level. So like, is there is there a disconnect there where maybe the law enforcement people have the more sophisticated one, I imagine, and the criminals have something else, you think?
Cooper: I think so. I mean, I think it's different use cases. Right? But, like, I mean, you can build an IMSI catcher right now with a $20 software-defined radio.
Joseph: I've done just that. Actually, maybe I'll put a link to that in the show notes as well. But I can't remember who published it. Someone published a guide and I followed it and just wrote about it, but it's crazy cheap and easy to do it on a very crude level. Yeah.
Cooper: Yeah. Exactly. And so I think that what police are really paying for, right, is more powerful radios and more, you know, perhaps more sophisticated attacks, and also, most importantly, tech support. Right?
Joseph:Right.
Cooper: Somebody puts all of this in a truck. Right? Puts 13, you know, high-end thousand-dollar software-defined radios in it, provides all this really nice, easy-to-use software, and, you know, maybe some more sophisticated exploits, but then also gives them tech support. And I think that's really, you know, I mean, the contracts the police are signing for these are close to a million dollars. Right?
Cooper: Like, the contract that ICE just signed was for 900-and-something thousand dollars. Right? A lot of the contracts that we've seen are for close to $1,000,000. Like, that's a pretty standard rate for a truck filled with software-defined radios that are acting as an IMSI catcher.
Joseph: Right. And you're totally right in that. It's mostly the tech support, the customer support, where law enforcement want to buy a tool that works. They don't want to be going, oh, man, I better log into my Ubuntu terminal to configure my software-defined radio. Like, they don't have time for that.
Joseph: Like, they might be trying to locate people who they think are undocumented. They might be trying to locate somebody who's, you know, actually been kidnapped and is missing or something like that. They don't wanna be messing around with a terminal.
Cooper: You know? Yeah. Exactly. They're not trying to fix their Python dependencies and, you know, install pip and do all
Joseph:of that.
Cooper: Right? They're not gonna go out and learn C and C++, you know.
Joseph: Exactly. And, of course, that's a common thing across the surveillance industry, where even with the malware stuff, it's much more about the company providing a service. And that kind of, I'm going a little bit back in time, but that brings up the idea of Harris, right, where the name Stingray comes from. And I feel like fewer of us use the word Stingray now because it was a much more popular term ten years ago. Can you just explain sort of where that term came from and sort of why we called it that at the time?
Cooper: Yeah. For sure. So that term, that was a brand name from a company called the Harris Corporation, L3Harris Corporation, which still exists and still makes lots of equipment for police and national security and all those. They actually also bought a cyber security company called Azimuth, interestingly, recently, which is interesting and might signal a shift to offensive cyber security, but that's another story.
Cooper: So the Stingray was their first really big, it wasn't the first IMSI catcher, but it was the first one that really got a lot of attention and was really widely used by local law enforcement. Right? Federal law enforcement, the FBI, DOJ had IMSI catchers before that. Triggerfish, I think, was a really early one. Right. That was used to catch the hacker Kevin Mitnick.
Cooper: But the Stingray was the first one that was bought by, you know, local police departments. Right? SFPD, NYPD, Chicago PD. And the first one that really caught on in the public imagination. Right?
Cooper: The first one that people really started, you know, looking into. And so, you know, it almost became sort of the Kleenex. Right? I think there's a term for this phenomenon that I forget at the moment. Right?
Cooper:But it became the Kleenex of IMSI catchers. Right?
Joseph:Or the Google, like that becomes a verb sort
Cooper:of Exactly. It became a verb. Every IMSI catcher is a stingray. You're gonna get stingrayed. Right?
Cooper: Right. Yeah. It became very common. And then, like, a lot of us in the space, right, started trying to use the term cell site simulator to be, like, slightly more pedantic and accurate. Right?
Cooper: But I think, actually, Stingray still resonates with a lot of people. Right? Like, when I talk about this often, I'm like, who's heard of a cell site simulator? Nobody. Who's heard of an IMSI catcher?
Cooper:Maybe a couple people. Who's heard of a Stingray? Oh, yeah. Right? Everybody raises their hands.
Joseph: Yeah. I mean, it's a catchy name, and Yeah. It does resonate with people, and it sticks with them. I should, I mean, I actually haven't covered IMSI catchers really recently, you know what I mean? Just like I kinda did that back then and kinda been focused on some other stuff, but next time I do, I'm gonna try to say cell site simulator because even IMSI catcher doesn't capture the full capabilities of the tool because, as you say, it could be also for messages and calls.
Cooper:Right? Yeah. It doesn't. It really doesn't. Right?
Cooper: There was another actually really interesting, really kind of scary use of cell site simulators, which was that there was a report from Amnesty International that some gentleman who had had NSO Group's Pegasus spyware installed on his phone, they thought that it was incredibly likely that this had been installed via use of an IMSI catcher. Right? Via use of a, sorry, not an IMSI catcher, but a cell site simulator.
Joseph: It's okay. We can use them interchangeably. This is what we're talking about.
Cooper: But this is right, this is why those terms don't quite encompass it, because Right. This technology wasn't just catching his IMSI. Right? It was Right. Capturing his entire connection and man-in-the-middling it, and then redirecting some, you know, plain text query he made to a query to download NSO Group spyware.
Cooper: Yeah. I think that, especially in, like, military contexts, I don't think that's an unlikely usage, right, for this. I don't think that that's something that, like, ICE is necessarily gonna be doing right now. I certainly don't think that's something that your local police department is going to be doing. Right?
Cooper:But, like, that is something that can be done. Right? And that, like, at the at the sort of nation state espionage level, that is a concern.
Joseph: Yeah. Absolutely. And, of course, even before local police, maybe it was the same time, it was kind of such a long time ago. But IMSI catchers, cell site simulators, of course, were being flown in aircraft above literal war zones like Afghanistan and Iraq, where it is used as a surveillance weapon of war in Yeah. Probably, you know, in use cases that some people might see as more legitimate than others, like, I'm not gonna go down that road.
Joseph: But what I'm trying to say is that I think you're right in that ICE isn't gonna be using an IMSI catcher to deliver malware because that's, I mean, that's very expensive as well. Yeah, absolutely. Before we get to sort of what we've seen over the years, I guess just because you brought up ICE, what do you think they could plausibly use it for? And the thing that comes to mind for me is I think there was a BuzzFeed News report a long time ago, or maybe it was another outlet, where an IMSI catcher was used to track down somebody that Enforcement and Removal Operations were actually trying to find. What could you see more plausibly ICE using this sort of technology for, if it's not delivering it that way, you know?
Cooper: Yeah. There was actually a more recent case too, where, I think, I wanna say, Forbes reported on it, where ICE used an IMSI catcher to track down somebody in Orem, Utah.
Joseph: Right. Yes. From Tom Fox-Brewster. You're right. Yes.
Cooper:Yes. That's right. Yeah. Yeah. Yeah.
Cooper: Shout out to Tom. Great journalist. So yeah. Yeah. So they have recently used it for that.
Cooper: Right? And it's an interesting case because in the court documents, they say, you know, we had gotten this guy's home address from cellular records. Right? We figured he was at home because of the time of day. And, like, we went and did visual inspection, and his car was in the driveway.
Cooper: And then we got out the IMSI catcher just to make triple sure that he was actually at home.
Joseph:A little bit fun.
Cooper:Yeah. Yes. Yeah. Just like, well, we gotta use this thing. Right?
Cooper: Like, and we got the warrant, so why not? The interesting thing about IMSI catchers is that, and I think the reason that they've fallen off from sort of being the thing that everybody is concerned about and that a lot of research is going towards, is because in, I wanna say, 2020, there were some legal cases that resolved in that law enforcement would need to get a warrant to use an IMSI catcher. And before that, they were often, it seems, being used without getting a warrant. Right? And then courts decided, no, you actually do need to use a warrant for this.
Cooper: This is a general search. Right? And I think that ever since then, police departments are using IMSI catchers a lot less, or maybe, you know, really only for their intended purpose, or just to justify the fact that they bought it. Right? Like, that use by ICE almost seems like just a justification.
Cooper:Like, you're like, well, we bought this thing. We gotta use it. Otherwise, you know, we're not gonna be able to buy one again. Right?
Joseph:Right. I mean, can you can you briefly just touch on that? Because I was gonna ask where there was this time, as you say, where these local police didn't need a warrant, and they were sort of just going around and using these. Can you remember or do we know sort of what cops were using them for then before the warrant requirement came in? Is it sort of everything we've been speaking about already?
Cooper: Unfortunately, we don't, because there's been so much secrecy around IMSI catchers and how they're used. Right? And I mean, that's been one of the big problems for years, is that, like, especially with Harris. Right? Harris would encourage police and DAs to drop cases if it seemed like evidence acquired from an IMSI catcher was going to come up in court.
Cooper: Because Harris really did not want their, you know, information, their trade secrets, right, being revealed in court. And actually Harris has stopped selling to local law enforcement because this kept happening so much, right, that IMSI catchers kept coming up in court and information kept getting leaked, you know, about how they work through this method. So now Harris only sells to federal law enforcement, and they no longer sell to local police departments. And it seems like maybe they're even getting out of the game entirely. The recent purchases that I've seen for IMSI catchers tend to come more from a company called Jacobs, which bought a company called KeyW that was a big IMSI catcher manufacturer.
Cooper: And then the other one that I'm seeing a lot is Octasic.
Joseph:I've literally never heard of these.
Cooper: So Octasic Crazy names. Israeli company. Yeah. No. Super crazy name.
Cooper: So Octasic is an Israeli company that's now selling IMSI catchers that they claim operate natively on 5G. And so, yeah, we're seeing really, like, Harris is no longer, you know, seems to not really be in the market at all anymore. And these other smaller players have come and taken that over in the US. Yeah. But yeah, we don't know what they were being used for.
Cooper: Right? I mean, you know, we can, I think, assume that they were being used for all the things I mentioned. Right? Being used to intercept calls, being used to locate people, right, being used to determine presence in a specific area. I think all of those are very likely.
Joseph: Yeah. That makes sense. You mentioned 5G just there. And before we start to move to the second section, I just wanted to bring up this sort of, there's this cat-and-mouse dynamic, right? Not as much as the exploit industry, where NSO Group or whoever will make or buy an exploit, then Google or Apple will patch it, and that just goes on and on and on forever, essentially.
Joseph: Here, there's, well, we've moved to 3G, then the IMSI catchers need to deal with that, then 4G, then 5G. What is going on there? Like, do they break 5G? Do they downgrade the target? Like, what's happening there, as far as we know?
Cooper: Yeah. For sure. I mean, the issue with cellular networks, right, the core issue here is that cellular standards are governed by a body called the 3GPP, the 3G public private partnership. And this is a standards body consisting of, like, hundreds of large companies, all of the largest companies, right, all of, you know, representatives from various governments that all have to come to an agreement on how cellular technology will work. And then they publish a, you know, thousand-page standard on how, you know, 3G or 4G or 5G is going to work.
Cooper: And then the phone companies only sort of follow it. And so because it's such a complex standard that's designed by committee and has to work everywhere and is only barely followed, right, this leaves a lot of room for exploits. Right? And because it's a standard, when exploits are found, they're slow to get patched. Really, like, often you can't patch them until the next generation of cellular technology.
Cooper: Right? And you have to keep supporting all the previous generations of cellular technology because people will still have phones that only work on 2G or only work on 3G or only work on 4G. Right? So, for example, with 2G, IMSI catchers were really easy to build because in 2G, the phone had to authenticate itself to the network as being a real subscriber using its IMSI, but the network never had to authenticate itself to the phone. Mhmm.
Cooper: So you could very easily set up an entire man-in-the-middle situation to listen to all of the phone calls and read the text messages and all of that. In 4G, one of the big innovations, other than, you know, speed and that stuff, is that the phone and the network now had to mutually authenticate each other. Right? But unfortunately, all of that mutual, a lot of messages get sent, including the IMSI, before that mutual authentication ever happens. Right?
Cooper: Right. And a lot of messages are just not authenticated. So it's not like HTTPS where, you know, when I visit a website, you know, as soon, I don't send anything to that website until that website verifies its authenticity. And then we establish an encrypted tunnel to communicate over. Right?
Cooper: It's more like there's a bunch of unencrypted stuff that happens. And then after that, some encrypted stuff might start happening, but the phone and tower can still send unencrypted, unauthenticated packets to each other. So this is how, like, even on 4G, a cell site simulator can spoof a tower and say, like, hey, please disconnect from me, this tower that I am, and connect to this other tower that's over here. That's way stronger. Trust me.
Joseph:It's a mess. Yeah. That's what it sounds like.
Cooper: A huge mess. Yeah. It's a huge mess. And so 5G fixes a lot of those problems. It is definitely a step up from 4G.
Cooper: Right? Now the IMSI is always sent encrypted. Right? Or it is always, like, the actual IMSI, which is called the, and I think it's the subscribed user permanent identity and the subscribed user concealed identity. Something like that.
Cooper: I might be messing up the SCU part, but it's permanent identity and concealed identity. The permanent identity is the analog to the IMSI. And then the concealed identity is changed each time and derived from a key that both the user and the tower have. And this is the only one that's ever sent in 5G. So police are still able to use IMSI catchers over 5G by downgrading users to 4G.
Cooper: Right? That has been the case for a bit. But also, there was actually just a paper that was released at Black Hat this year, the big hacker conference in Las Vegas. The big cyber, I shouldn't call it a hacker conference. The big No.
Cooper: Not black. Cybersecurity industry conference in Las Vegas. There was a paper this year called 5G Titanic, where a researcher demonstrated the ability to man-in-the-middle conversations in 5G. So I think that's, it's curtains for 5G, man.
Joseph: Yeah. Yeah. So we already need to jump to the 8G or whatever, but it's exactly that dynamic where there are improvements, and then we find more vulnerabilities. I mean, and that's just cybersecurity and offensive security as well. Absolutely.
Joseph: Yeah. It's just the same thing here. Well, let's shift gears a little bit and let's talk about Rayhunter, because you have all of that context from cell site simulators. You've, you know, helped build and release this tool. Could you first just tell us where the idea for it came from and then maybe tell us what it is?
Joseph:You know, where how did this actually come about, first of all?
Cooper:Yeah. For sure. So I actually had a previous project called Crocodile Hunter. And we named it Crocodile Hunter because stingrays had killed Steve Irwin, and we were gonna take one back for Steve.
Joseph:Right.
Cooper: So basically, I had gotten excited about IMSI catchers after I got asked to come out to the Standing Rock Reservation in North Dakota during the NoDAPL pipeline protests. This was the Dakota Access Pipeline. It was a big oil pipeline that was gonna cut across Indian land and go all the way across the US and leak oil all over the place and be generally horrible for the environment. The protesters there were worried about IMSI catchers and had some, you know, like, some apps that were telling them that maybe IMSI catchers were present. So I went out there to go see if I could corroborate this.
Cooper: Right? Because I'd be concerned about that. And what I figured out quickly was that I had no idea what I was doing, and I had no idea how to actually tell if there was an IMSI catcher. Right? I had some apps that were saying some things that were, you know, maybe could be IMSI catchers, maybe could not be IMSI catchers.
Cooper: Right? I had some software-defined radios I really had no idea what to do with. And I realized that we needed a better method to actually determine if IMSI catchers were being used and actually prove it. Right? So we started out with a project called Crocodile Hunter, where the idea was that, using some high-end software-defined radios and some programs I had written on Linux, we could take these around and map out all of the cell networks in a specific area.
Cooper: And then look for any anomalies, any changes, cell towers that are moving, cell towers that are not where they should be, cell towers that are broadcasting at extremely high, you know, signal, extremely high volume, basically. And then we could actually physically track those down. Right? And look at them with our eyes. Right?
Cooper: And if it's a, you know, established cell tower that's 200 feet high, right, you know, that's probably fine. Right? It's probably just misconfigured. You know, if the signal is coming from the back of an unmarked truck and, you know, four dudes with buzz cuts jump out, you know, that's probably a good sign. That's an IMSI catcher.
Cooper: Right? The problem with this is that it was a great system for me. Right? It was a really good system for somebody who compiles their own kernel for fun and likes to program in C and C++ and is a huge nerd. But I really wanted journalists and activists to be able to use this on their own because I can't be everywhere all at once.
Cooper:Right? And most journalists, for good reason, don't have the same amount of technical acumen that, say, for example, you do, Joseph.
Joseph:I mean, maybe, but I also don't have much time. Right? Whereas you were already an expert and you can kind of jump into it. I
Cooper:Right.
Joseph: I simply can't do that.
Cooper: Yeah. Yeah. I mean, that was the other problem. Right? Is that the few journalists who did use this, right, like, I needed to be there as backup to actually interpret the results.
Cooper: Right? Because they weren't easy to interpret. So we kind of scrapped this idea. Also, it required, you know, at least a thousand dollars worth of software-defined radios, which is, you know, really inaccessible. So I scrapped this idea and went back to the drawing board.
Cooper:And then a friend of mine, Matthew Garrett, showed me this device, this little Orbic hotspot. Right? And this was a couple of years later. And he said, hey, you know, I've rooted this device, and it turns out it has this diag protocol on it, which I bet you could use to get a log of the mobile traffic. Right?
Cooper:The traffic going between the modem and the tower itself. And I thought, oh, that's interesting. And so I started taking a look at it. Right? And it turned out that we can.
Cooper:So Qualcomm chips. Qualcomm is one of the big cellular modem manufacturers. And their chips have this built in diagnostic protocol that on a rooted device, you can access, and it'll give you raw packet logs of the control data going back and forth between the device itself and the tower that it's connected to. And so what we decided was that we could turn this device into sort of a, you know, intrusion detection system or, you know, antivirus for IMSI catchers. Right?
Joseph:Right.
Cooper:So by looking at that traffic, we can look for the things that one might expect IMSI catchers to do. Right? So this is what became RayHunter. And that's why it's called RayHunter. So we're, again, hunting for stingrays.
Cooper:Mhmm. We had cooler names in mind, but they were all trademarked. So RayHunter is what it came to be. But yeah, you go buy an older, you know, last generation mobile hotspot. They're like $20, $10 on eBay.
Cooper:You install our custom firmware on it, you throw it in your pocket, and you go about your day. When it detects something, there's a little green line at the top of the screen. That line turns red if it detects something. And then you can connect to the hotspot, connect to the web interface, and go download the files, the packet captures, and send them to us or send them to another friend who's really into LTE for further analysis. Right?
Cooper:But we have some signatures to detect what we think are signs of an IMSI catcher. And this is things like, did the tower request your IMSI when it shouldn't have? Or did the tower try to downgrade your connection to 2G in a way that's suspicious? Right?
Cooper:And other things like that. Those are the sorts of things we're looking for. Kind of really obvious signs, or not obvious, but like, you know, really high quality signs of IMSI catchers.
Joseph:Yeah. Like a 2G downgrade is very, very unusual for a normal tower.
Cooper:Yes. Yeah. Especially in The US where there are no more, we've shut down our 2G networks in The US. Right? So if you see a 2G downgrade in The US, that's a pretty strong sign that something weird is going on.
Cooper:Right?
Joseph:Right.
Cooper:The IMSI one, unfortunately, is much harder to get right because, like I've said, the cellular network is bad. It was designed by hundreds of companies all with competing interests. Right? And it turns out that towers request your IMSI fairly often for legitimate reasons. So if we just naively notify you every time your IMSI was requested, this would cause a lot of false positives.
Cooper:And it did when we first started this. Right? And we've had to figure out smarter ways to determine when a request looks suspicious. So we have a few goals for this project. One is to get a better understanding of how IMSI catchers work in The US.
Cooper:Right? One of the problems with IMSI catcher research is that we've never had a ground truth. Right? We've never had baseline data about how IMSI catchers work. And now for the first time, we have actual packet captures from actual IMSI catchers, like confirmed commercial IMSI catchers, and we can say, you know, exactly how they work, right, on a very technical low level.
Joseph:Right. Because you never had packets before. And I know we're kind of glossing over that, but kind of to spell it out for listeners, packets are almost like the ground truth of what is happening. I'm trying to think of a way to make it accessible at the same time, but like it's the gold dust basically of cybersecurity or security research and that sort of thing. Like, you want packets basically.
Joseph:It shows what's actually going on.
Cooper:Yeah. Exactly. This is the it's the, like, raw, you know, you know, stenographic court log of exactly what two computers said to each other. Right? And I'm like, you know, this is this is something that I can pass to another researcher.
Cooper:Right? I can have my own interpretation of it. Right? But I can pass it to another researcher and they can have their own interpretation, you know, they can confirm or disprove my interpretation. Right?
Cooper:But we all we're all working from the same ground truth, and that's not something that we've had in the past. So that's huge. One of the other goals of this was to get something that people could actually use and bring with them. Right? Like, this is something that's really easy for journalists to use.
Cooper:It's really easy for activists to use. Right? The hardest part is, you know, opening a terminal on your computer to actually run the program to install it on the device. But once that's done, right, it's something you just throw in your pocket and go about your day and see if the line turns red. And so that's been great.
Cooper:And because it's so cheap, we can, you know, a lot of people can use it all over the country. This lets us get to our other goal, which is we wanted to find out whether IMSI catchers are being used for the, you know, to surveil sort of First Amendment protected activities like I was talking about earlier. Right? So we wanna know if these are being used at protests or being used at mosques or, you know, in abortion clinics. And as we've had people carrying these around, what we've found is no evidence to support that IMSI catchers are being used at protests in The US.
Cooper:We have found several instances that we think are likely to be IMSI catchers. Right? In The US and also outside of The US, we have found data from the RayHunter project that suggests the use of an IMSI catcher in the area, but none of them were at protests.
Joseph:Right. That's very interesting because for years, the narrative is too strong. But one of the concerns obviously was that, well, this pretty indiscriminate technology, which may or may not be deployed with or without a warrant, obviously, depends on the year we're talking about, but a massive concern was that, well, you could put this at a protest and you get all of the IMSIs of the people who were at this protest, and then use that for later. A completely fine theory to have, and now it's really interesting because you and others and people using this tool are going out into the world and almost like collecting scientific data, which is not supporting that that is actually going on. So that's fair to say.
Cooper:Yeah. Yeah. That's absolutely fair to say. And I mean, that was a big impetus behind this project. I'm fairly deeply connected to the activist community, right, around The US, and, you know, the sort of anarchist community around The US.
Cooper:And a lot of people were very concerned about IMSI catchers being used at protests. Right? And there was this sort of idea, right, that these must be at every protest. Right? And that, like, you know, maybe every cop had one.
Cooper:We don't even know. Right? And people were really unreasonably scared of these. And as a cybersecurity person, I want people to have accurate threat modeling. Right?
Cooper:People are going to take risks, and I want them to take informed risks. Right? I want them to know what the actual risks they're taking are. I actually felt pretty strongly that cell site simulators were not being used as often as activists tended to think. But, yeah, exactly.
Cooper:This lets us do some, you know, sort of citizen science and actually gather data from the field all over the place to, you know, show with evidence whether or not these are being used at protests. And the evidence points to that they're most likely not being used in The US at protests right now. But that could also change. Right? ICE has definitely escalated their tactics.
Cooper:Right? And I wouldn't be surprised if they just decided, you know, we don't actually need warrants to use this thing. Right? Who's gonna stop us? You?
Cooper:No. Right? Right. So, like, that's why we want people to keep using this, because we wanna know if that situation does change. Right?
Cooper:And if this is a threat that activists do need to start being worried about.
Joseph:Yeah. That makes sense. I will just say before I ask, I think, probably my last couple of questions is that I have installed this myself. I can't remember the exact process, but it was incredibly painless. It was so smooth, and it kind of reminded me of the setup process of a GrapheneOS phone where with Graphene, you plug the phone into your computer, you open a web browser and like it installs.
Joseph:It's like magic. This was very close to that in that I installed it. I was like, is that it? Like I'm detecting IMSI catchers now. It was really, really smooth.
Joseph:So I thought it was very interesting in that respect where you took something that was so technologically obscure, as you were saying, and now basically, anybody can do it if you can open the terminal, and you feel like a badass doing it if you've never opened the terminal before. You're like, you get to have that fun experience. But, very easy to use for sure.
Cooper:Yeah. Yeah. We've been, that's one of our design goals, has been to make it as easy to use and as easy to install as possible. Definitely, we wanna get to that GrapheneOS level where you can just do it over a browser. That's something we have definitely looked into and are trying to figure out how best to do.
Cooper:The only thing really stopping us there is that the easiest way to install on these a lot of times is over the wireless interface, right, by actually connecting to the Wi-Fi interface that these hotspots provide is usually the easiest way to install these. So that's not something that can work sort of the same way that GrapheneOS does because GrapheneOS works over the USB connection that Chrome is able to access. But anyway, sorry. Getting way too into the weeds there.
Joseph:No. That makes complete sense. It's very interesting, actually. It's a different problem because you are manipulating, connecting to a literal Wi-Fi hotspot, and you kinda need to do that in virtue of all the devices. Yes.
Cooper:Yeah. But we're working on a graphical installer right now so that people no longer have to open the terminal. They can just open a normal GUI program and then click the install button and it installs. That's one of our big priorities coming up here. So yeah, we're really always trying to make it as easy as possible to use.
Cooper:And, you know, we're trying to minimize the number of false positives so that when people get an alert, they can feel, you know, pretty confident in something. Because we don't wanna be in the position of spreading even more fear about IMSI catchers. Like a lot of people ask, why don't we make this an app? Right? And there's a couple of reasons.
Cooper:Like one one is that you can't get this sort of low level data on the phone very easily. You can really only get it from certain phones if you root your phone. And I don't wanna be in
Joseph:the Don't do
Cooper:that. Telling people to root their phone, because that's far worse for security a lot of times. Right? Like, I think most people should be much more concerned about rooting their phone than about an IMSI catcher. Right?
Cooper:Like, more people should be concerned about, like, mobile forensic tools like Cellebrite. Right? If you're at a protest and you get arrested, you're much more likely for your phone to interact with a Cellebrite device, which is a mobile forensic device that'll vacuum up all of the data on your phone and store it for later analysis by police, than you ever are to interact with an IMSI catcher. And if your phone is rooted, it's gonna be so much easier for Cellebrite to do all that.
Joseph:It's already easy when it's not rooted, relatively speaking. Exactly. Exactly. You've just, like, opened the door for them.
Joseph:Yeah.
Cooper:Yeah. So that's why we haven't done it as an app. But we're trying to make it as easy as possible, and we're trying to make it as reliable as possible so that people are given actually an accurate picture of what's going on. Right? I think one of the things I really liked about the Crocodile Hunter project was that we could actually physically track down cell site simulators.
Cooper:Right? And that's still something I very much want to do. Like I was saying, the problem that we're facing is that people are sending us all this data, and it's great. And I can look through the data and say, yes. I am, you know, 90% confident that this was an IMSI catcher, you know, that you saw in Downtown Chicago, you know, on this day.
Cooper:Right? But who was running that IMSI catcher? Or can we be sure there was an IMSI catcher? Why were they using it? Right?
Cooper:We can't answer any of those questions. Right? And if you could actually physically track it down, you would, a, have proof that there was an IMSI catcher being used, and b, be on your way to figuring out who was using it and possibly why. And so that's something we're trying to figure out how to do on this device as well. But that's a bit of a harder problem.
Joseph:Yeah. I bet. So I think just to wrap up, beyond that sort of technical stuff where you're making these improvements to the interface and the capabilities of this tool, what are you hoping for for the future? Is it that just more people download and use this and gather data even if, I don't know, they don't find anything? Because most people are probably not actually going to find anything, an interesting problem or I guess a scientific issue.
Joseph:But what are your hopes for this project going forward beyond the technical stuff?
Cooper:I mean, we hope you won't find anything. Right? That's the Right.
Joseph:Silver lining.
Cooper:But also I hope you will, and I hope you'll send it to me. But, yeah, our hopes for this project, I think, are one, to decrease the amount of fear that people have about IMSI catchers. Right? And I kind of hope that this is already starting to work. Right?
Cooper:We've put out a blog post. We've put out a report, you know, kind of talking about what we've found so far and highlighting the fact that we haven't really found this at protests. Right? So I'm hoping that, you know, the sorts of people like me who intended to give technical advice to protesters will kind of, you know, disseminate that information as well and say, like, you know, we can kind of get to a point where we're like, look, these aren't being used to spy on protesters. And that's good.
Cooper:But the bad news is, while these aren't being used to spy on protesters, there's a lot of other technologies that we know are being used to spy on protesters. Like facial recognition, like license plate readers, like tools from PenLink, like Webloc and Tangles, right, and Cellebrite. Right? But the good news is that all of the things that you want to do to protect against those, like putting on airplane mode, turning off location services, or just turning your phone off entirely. Right?
Cooper:Those are also useful protections against an IMSI catcher. So if an IMSI catcher does show up, and you've already protected yourself against these much more likely technologies, you get free protection from IMSI catchers just for doing that. Right? So like, I'm hoping for that information to get out there. The other thing that I hope for from this project is now that, you know, as we sort of gather a ground truth of how IMSI catchers work, that companies who are higher up in this chain, right, companies like Apple and Google, companies like Qualcomm, right, who make the bulk of the cellular modems, right, that they can start to integrate protections against IMSI catchers directly into their devices.
Cooper:Right? And Google has already done a really great job of this. Right? So on modern Pixel devices now, you can turn off your 2G modem entirely. And I think with Apple phones on Lockdown Mode, they will also not connect to
Joseph:2G connections. Interesting.
Cooper:So right, so this is a great first step. Right? Not connecting to 2G already stops a lot of the, like, man-in-the-middle type attacks. Sort of the worst attacks that an IMSI catcher can perform. Right?
Cooper:Google phones will also now let you know if your phone connects to a tower and that tower suggests not using any encryption for the connection between the phone and the tower. Right? This is another good way to do a man-in-the-middle attack, and it shouldn't usually happen. The reason that's there is only really for 911 calls or emergency service calls where, like, if you have a phone that's not a part of that network, you should still be able to connect to the nearest tower and make a 911 call. That's the most important thing.
Cooper:Right. Right? And so you need to not have encryption for that because that network doesn't have any key material to set up an encrypted connection. But if you're not making a 911 call and a tower says, hey, let's not use encryption. Right?
Cooper:That's a pretty big red flag. So Google is now alerting people on that on the latest Pixel phones. Right? And I would like to see Apple catch up with that. I would actually like to see, and there's been some movement on Qualcomm to allow OEMs to sort of build these protections in, the Qualcomm chip will raise a flag to the phone when something weird happens, but nobody's really implementing this yet.
Cooper:To put that in a simpler way, Qualcomm chips have some really neat anti IMSI catcher protections that they started building in a while back. But unfortunately, none of the phone manufacturers are using those. So I'm, you know, I'm hoping that as this project gets some success, right, and we can say, here are the actual attacks that we know are happening in the wild. Right? And here's the evidence.
Cooper:Here are the packet captures, that people from these companies will start to build in protections on the phones. Because that's where it's actually needed. Right? RayHunter can't protect you from an IMSI catcher. It can just let you know that one was maybe there.
Cooper:Right? But your phone should be the one actually protecting you from an IMSI catcher.
Joseph:Yeah. That totally makes sense. Or of course, telecommunications networks actually affecting themselves. Or that's actually happen.
Cooper:The phone companies should be the ones protecting you from this, and they could actually detect these really easily because they have the picture of the entire network landscape, but they are not.
Joseph:No. That's not gonna happen. Cooper, thank you so much for joining us on the show this week. I thought that was a fascinating conversation. Thank you so much.
Joseph:I really, really appreciate it.
Cooper:Yeah. Thank you. Super happy to be here. Big fan of four zero four Media and all you guys and all the work you've done in the past as well. And, yes, it's an honor to be on the podcast.
Joseph:Of course. Thank you so much. As a reminder, four zero four Media is journalist founded and supported by subscribers. If you do wish to subscribe to four zero four Media and directly support our work, please go to 404media.co. You'll get unlimited access to our articles and an ad free version of this podcast.
Joseph:You'll also get to listen to the subscribers only section where we talk about a bonus story each week. This podcast is made in partnership with Kaleidoscope and Alyssa Midcalf. Another way to support us is by leaving a five star rating and review for the podcast. That stuff really does help us out. This has been four zero four Media.
Joseph:We'll see you again next time.