I can see why they'd write it for a specific cheap device. Is this stuff possible with a typical phone modem, though; or does it rely on some special features? Forgive my ignorance. :)
Possible, yes, it's just looking at various 3GPP network messages and parsing out a few common anomalies. Accessible, not all the time.
This project uses QMDL (Qualcomm debug logging) on a device with an accessible modem debug port and debug logging enabled. Most older Qualcomm devices have this form of debug logging available by default, but on newer devices, the debug interface is usually more locked down, requiring some degree of shenanigans to access.
Take a look at SnoopSnitch (similar project for Qualcomm Android phones), QCSuper and MobileInsight (tools capable of capturing signaling data from QC and Mediatek phones), and SCAT (capable of capturing signaling data from some Samsung basebands).
Other vendors usually have similar debug modes for their modems, but they often aren't reverse engineered or as easy to access as the Qualcomm ones.
You could bring it to a large festival or even a protest. Law enforcement deploys them all the time. I found one using SnoopSnitch on an Android phone while at a large festival here in Louisiana.
Does that work by comparing known cell sites to found cell sites? I know some StingRay detectors use that method and it's prone to false positives around large events where mobile carriers or 3rd parties bring in legitimate temporary cell sites to improve cell service at the venue and provide more capacity.
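The known-cell comparison described above, and the false-positive problem with it, as an added example (not code from the project in the thread or from SnoopSnitch): a toy detector that scores a few heuristics so that a lone unknown cell, such as a legitimate temporary site at a venue, stays below the alert threshold, while an unknown cell that also pulls the phone down to 2G with no ciphering and an unusually strong signal does alert. The known-cell set, the observation trace, the weights and the -50 dBm strength threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class CellObservation:
    """One serving-cell observation, as a detector would extract it from modem logs."""
    mcc: str        # mobile country code
    mnc: str        # mobile network code
    lac: int        # location/tracking area code
    cid: int        # cell identity
    rat: str        # radio access technology: "LTE", "UMTS" or "GSM"
    rssi_dbm: int   # received signal strength in dBm
    cipher: str     # negotiated GSM ciphering algorithm; "A5/0" means none, "n/a" for non-GSM


CellKey = Tuple[str, str, int, int]

# Constructed stand-in for a database of known cell sites (keys only, no coordinates).
KNOWN_CELLS: Set[CellKey] = {
    ("310", "410", 1001, 55001),
    ("310", "410", 1001, 55002),
    ("310", "410", 1002, 55010),
}

# Assumed weights: a single unknown cell alone must not reach the threshold,
# because temporary legitimate cells at large events look exactly like that.
WEIGHTS = {
    "unknown-cell": 1,
    "unusually-strong-signal": 1,
    "downgrade-to-2g": 2,
    "no-ciphering": 3,
}
ALERT_THRESHOLD = 3
STRONG_SIGNAL_DBM = -50  # assumed threshold for "suspiciously close/strong" transmitter


def check_observation(obs: CellObservation,
                      known: Set[CellKey] = KNOWN_CELLS,
                      prev: Optional[CellObservation] = None) -> List[str]:
    """Return the list of heuristic findings for one observation."""
    findings: List[str] = []
    if (obs.mcc, obs.mnc, obs.lac, obs.cid) not in known:
        findings.append("unknown-cell")
    # A move from LTE/UMTS to GSM while the previous cell was fine hints at a downgrade.
    if prev is not None and prev.rat in ("LTE", "UMTS") and obs.rat == "GSM":
        findings.append("downgrade-to-2g")
    if obs.rat == "GSM" and obs.cipher == "A5/0":
        findings.append("no-ciphering")
    if obs.rssi_dbm > STRONG_SIGNAL_DBM:
        findings.append("unusually-strong-signal")
    return findings


def score(findings: List[str]) -> int:
    """Sum the weights of the findings."""
    return sum(WEIGHTS[f] for f in findings)


def analyze(trace: List[CellObservation],
            known: Set[CellKey] = KNOWN_CELLS) -> List[Tuple[int, List[str], int]]:
    """Walk a trace and return (index, findings, score) for observations that reach the threshold."""
    alerts = []
    prev: Optional[CellObservation] = None
    for i, obs in enumerate(trace):
        findings = check_observation(obs, known, prev)
        s = score(findings)
        if s >= ALERT_THRESHOLD:
            alerts.append((i, findings, s))
        prev = obs
    return alerts


# Constructed trace: two known cells, one unknown-but-benign temporary cell, one suspicious cell.
SAMPLE_TRACE = [
    CellObservation("310", "410", 1001, 55001, "LTE", -85, "n/a"),
    CellObservation("310", "410", 1002, 55010, "LTE", -90, "n/a"),
    CellObservation("310", "410", 1001, 55099, "LTE", -80, "n/a"),   # venue COW: unknown only
    CellObservation("310", "410", 1001, 60000, "GSM", -45, "A5/0"),  # unknown, 2G, no cipher, very strong
]

if __name__ == "__main__":
    for idx, findings, s in analyze(SAMPLE_TRACE):
        print(f"observation {idx}: score {s}, findings {findings}")
```

The unknown-but-benign cell at index 2 produces only `unknown-cell` (score 1) and is not reported; the cell at index 3 collects all four findings (score 7) and is. Real detectors add more signals (identity requests, silent SMS, paging anomalies), but the weighting idea is the same: treat "not in my database" as weak evidence on its own.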
Here in Brazil criminals are starting to use those to send phishing SMS, exploiting our ubiquitous mobile payment system (pix) or pretending to be a second authentication factor for banks.
They are quite common in some municipalities. There are folks who talk about this at length in cybersecurity circles every year at conferences, it’s been an issue for a long while and the scope of the problem continues to grow.
I'm wondering if using an IMSI catcher is still effective? Most of the time I'm using calling over wifi (VoLTE) or I'm in a car (where an IMSI catcher isn't really practical).
The purpose is to track the location of a specific phone using triangulation based on the closest cell towers which receive the phone’s signals. The phone maintains a connection to the nearest cell tower(s) to be on the network in case a call is initiated.
It’s not necessarily intended to intercept, although I believe there were some that downgraded 3G to 2G to be able to potentially do that.
I don’t know whether downgrade attacks are still viable (or needed).
Note that if you are being specifically targeted then a warrant to the provider would presumably net the equivalent of real time 911 location data.
As far as I understand, outside of active interception the only use for these things is warrantless dragnet surveillance of location. (And active interception is increasingly not possible due to better security practices.)
From what I've read about stingrays here on HN, the device is fooling your cell phone into making a tower connection using the mobile network. This does not depend on you making a call; the cell phone is normally doing background activity to connect to cell towers all the time.
IIRC even with airplane mode the stingray can capture phone info, IMEI, GPS location, etc.
> IIRC even with airplane mode the stingray can capture phone info, IMEI, GPS location, etc.
No. Airplane mode turns off the cellular radio's emissions, that's the whole point. A cellular base station emulator isn't going to do anything in that situation.