What is a Stingray?

​

Stingray is the generic name for an electronic surveillance tool that simulates a cell phone tower in order to force mobile phones and other devices to connect to it instead of to a legitimate cell tower.  In doing so, the phone or other device reveals information about itself and its user to the operator of the stingray.

​

Other common names for this type of device or  tool are known as “cell-site simulators” and “IMSI catchers.”

​

What is IMSI code?

• While your phone registers to the mobile network it sends its unique code called IMSI. This code is used to identify you as a network subscriber. What is this number for? Why do you need to know it? How does IMSI differs from TMSI? Let’s answer these and other questions. IMSI stands for International Mobile Subscriber Identity.  TMSI stands for Temporary Mobile Subscriber Identity, which is data sent between a mobile phone and its network.

​

Getting back to the Name Stingray.

Why is it called a Stingray?

​

The name Stingray comes from the brand name of a specific commercial model of IMSI catcher made by the Florida-based Harris Corporation. That company’s StingRay is a briefcase-sized device that can be operated from a vehicle while plugged into the cigarette lighter.   Harris also makes products like the Harpoon, a signal booster that makes the StingRay more powerful, and the KingFish, a smaller hand-held device that operates like a sStingray and can be used by a law enforcement agent while walking around outside a vehicle.

 

About a dozen other companies make variants of the stingray with different capabilities. The surveillance equipment is pricey and often sold as a package. For example, in documents obtained by Motherboard in 2016, Harris offered a KingFish package that cost $157,300 and a StingRay package that cost $148,000, not including training and maintenance. Documents obtained this year by the American Civil Liberties Union indicate that Harris has upgraded the StingRay to a newer device it calls a Crossbow, though not a lot of information is known about how it works. Separately, a classified catalog of surveillance tools leaked to The Intercept in 2015 describes other similar devices.

​

StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla.

 

Photo: U.S. Patent and Trademark Office via AP

​

How does a Cell Site Simulator Work?  

​

"Extracting Data from Internal Storage"

​

During the process of forcing connections from all compatible cellular devices in a given area, the StingRay operator needs to determine which device is the desired surveillance target.   In this case, the targeted individual targeted by Organizational Stalking.

 

This extraction of information is accomplished by downloading the IMSI, ESN, or other identifying data from each of the devices connected to the Stingray.    In this context, the IMSI or equivalent identifier is not obtained from the cellular service provider or from any other third-party.    The Stingray downloads this data directly from the device using radio waves.

​

In some cases, the IMSI or equivalent identifier of a target device is known to the Stingray operator beforehand.    When this is the case, the operator will download the IMSI or equivalent identifier from each device as it connects to the StingRay.   

 

When the downloaded IMSI matches the known IMSI of the desired target, the dragnet will end and the Stingray operator will proceed to conduct specific surveillance operations on just the target device.

​

In other cases, the IMSI or equivalent identifier of a target is not known to the StingRay operator and the goal of the surveillance operation is to identify one or more cellular devices being used in a known area.

 

For example, if visual surveillance is being conducted on a group of protestors, a StingRay can be used to download the IMSI or equivalent identifier from each phone within the protest area.   After identifying the phones, locating and tracking operations can be conducted, and service providers can be forced to turn over account information identifying the phone users.

​

What can law enforcement do with the IMSI number?

 

Law enforcement can use a stingray either to identify all of the phones in the vicinity of the stingray or a specific phone, even when the phones are not in use.     Law enforcement can then, with a subpoena, ask a phone carrier to provide the customer name and address associated with that number or numbers.

 

They can also obtain a historical log of all of the cell towers a phone has pinged in the recent past to track where it has been, or they can obtain the cell tower's pinging in real time to identify the user’s current location.

 

By catching multiple IMSI numbers in the vicinity of a stingray, law enforcement can also potentially uncover associations between people by seeing which phones ping the same cell towers around the same time.

​

If law enforcement already knows the IMSI number of a specific phone and person they are trying to locate, they can program that IMSI number into the stingray and it will tell them if that phone is nearby. 

 

Law enforcement can also home in on the location of a specific phone and its user by moving the stingray around a geographical area and measuring the phone’s signal strength as it connects to the stingray. 

 

The Harris StingRay can be operated from a patrol vehicle as it drives around a neighborhood to narrow a suspect’s location to a specific cluster of homes or a building, at which point law enforcement can switch to the hand-held KingFish, which offers even more precision.  For example, once law enforcement has narrowed the location of a phone and suspect to an office or apartment complex using the StingRay, they can walk through the complex and hallways using the KingFish to find the specific office or apartment where a mobile phone and its user are located.

​

What is a dirtbox?

​

A dirtbox is the common name for specific models of an IMSI catcher that are made by a Boeing subsidiary, Maryland-based Digital Receiver Technology — hence the name “DRT box.”   They are reportedly used by the DEA and Marshals Service from airplanes to intercept data from mobile phones.   A 2014 Wall Street Journal article revealed that the Marshals Service began using dirtboxes in Cessna airplanes in 2007.

 

An airborne dirtbox has the ability to collect data on many more phones than a ground-based stingray; it can also move more easily and quickly over wide areas. According to the 2006 catalog of surveillance technologies leaked in 2015, models of dirtboxes described in that document can be configured to track up to 10,000 targeted IMSI numbers or phones.

​

Can the devices be used to infect phones with malware?

​

Versions of the devices used by the military and intelligence agencies can potentially inject malware into targeted phones, depending on how secure the phone is.

 

They can do this in two ways:

 

They can either redirect the phone’s browser to a malicious web site where malware can be downloaded to the phone if the browser has a software vulnerability the attackers can exploit; or they can inject malware from the stingray directly into the baseband of the phone if the baseband software has a vulnerability.

 

Malware injected into the baseband of a phone is harder to detect.  Such malware can be used to turn the phone into a listening device to spy on conversations.  Recently, Amnesty International reported on the cases of two Moroccan activists whose phones may have been targeted through such network injection attacks to install spyware made by an Israeli company.

​

U.S. law enforcement use of stingrays domestically is more curtailed, given that they, unlike the military, need to obtain warrants or court orders to use the devices in federal investigations.

 

But there is little transparency or oversight around how the devices are used by federal agents and local police, so there is still a lot that is unknown: for example, whether they’ve ever been used to record the contents of mobile phone communications or to install malware on phones.

​

News stories suggest that some models of stingrays used by the Marshals Service can extract text messages, contacts, and photos from phones, though they don’t say how the devices do this.

 

Documents obtained by the ACLU in 2015 also indicate such devices do have the ability to record the numbers of incoming and outgoing calls and the date, time, and duration of the calls, as well as to intercept the content of voice and text communications.

 

But the Justice Department has long asserted publicly that the stingrays it uses domestically do not intercept the content of communications. The Justice Department has stated that the devices “may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III [wiretapping] order.”

​

As for jamming communications domestically, Dakota Access pipeline protesters at Standing Rock, North Dakota, in 2016 described planes and helicopters flying overhead that they believed were using technology to jam mobile phones.   Protesters described having problems such as phones crashing, livestreams being interrupted, and issues uploading videos and other posts to social media.

 

Why are stingrays and dirtboxes so controversial?

​

The devices don’t just pick up data about targeted phones.

 

Law enforcement may be tracking a specific phone of a known suspect, but any phone in the vicinity of the stingray that is using the same cellular network as the targeted phone or device will connect to the stingray. Documents in a 2011 criminal case in Canada showed that devices used by the Royal Canadian Mounted Police had a range of a third of a mile, and in just three minutes of use, one device had intercepted 136 different phones.

​

Law enforcement can also use a stingray in a less targeted way to sweep up information about all nearby phones. During the time a phone is connecting to or communicating with a stingray, service is disrupted for those phones until the stingray releases them. The connection should last only as long as it takes for the phone to reveal its IMSI number to the stingray, but it’s not clear what kind of testing and oversight the Justice Department has done to ensure that the devices release phones. Stingrays are supposed to allow 911 calls to pass through to a legitimate cell tower to avoid disrupting emergency services, but other emergency calls a user may try to make while their phone is connected to a stingray will not get through until the stingray releases their phone. It’s also not clear how effective the devices are at letting 911 calls go through. The FBI and DHS have indicated that they haven’t commissioned studies to measure this, but a study conducted by federal police in Canada found that the 911 bypass didn’t always work.

​

Depending on how many phones are in the vicinity of a stingray, hundreds could connect to the device and potentially have service disrupted. 

​

How long has law enforcement been using stingrays?

​

The technology is believed to have originated in the military, though it’s not clear when it was first used in combat zones or domestically in the U.S.  The earliest public mention of a stingray-like device being used by U.S. law enforcement occurred in 1994, when the FBI used a crude, jury-rigged version of the tool to track former hacker Kevin Mitnick; authorities referred to that device as a Triggerfish. In a case in Utah in 2009, an FBI agent revealed in a court document that cell-site simulators had been in use by law enforcement for more than a decade. He also said they weren’t just used by the FBI but also by the Marshals Service, the Secret Service, and other agencies.

 

Recent documents obtained by the ACLU also indicate that between 2017 and 2019, the Department of Homeland Security’s Homeland Security Investigations unit has used stingrays at least 466 times in investigations.

​

Aside from the potential for widespread surveillance, are there other problems with the technology?

​

The other controversy with stingrays involves secrecy and lack of transparency around their use. Law enforcement agencies and the companies that make the devices have prevented the public from obtaining information about their capabilities and from learning how often the technology is deployed in investigations. Agencies sign nondisclosure agreements with the companies, which they use as a shield whenever journalists or others file public records requests to obtain information about the technology. Law enforcement agencies claim criminals could craft anti-surveillance methods to undermine the technology if they knew how it worked. The companies themselves cite trade secrets and proprietary information to prevent the public from obtaining sales literature and manuals about the technology.

​

For years, law enforcement used the devices without obtaining a court order or warrant. Even when they did seek approval from a court, they often described the technology in misleading terms to make it seem less invasive. They would often refer to stingrays in court documents as a “pen register device,” passive devices that sit on a network and record the numbers dialed from a certain phone number. They withheld the fact that the devices force phones to connect to them, that they force other phones that aren’t the target device to connect to them, and that they can perform more functions than simply grabbing an IMSI number. Most significantly, they withheld the fact that the device emits signals that can track a user and their phone inside a private residence. After the FBI used a stingray to track Rigmaiden (the identity thief in San Jose) in his apartment, Rigmaiden’s lawyers got the Justice Department to acknowledge it qualified as a Fourth Amendment search that would require a warrant.

​

Law enforcement agents have not only deceived judges, however; they’ve also misled defense attorneys seeking information about how agents tracked their clients. In some court documents, law enforcement officials have indicated that they obtained location information about the defendant from a “confidential source,” when in truth they used a stingray to track them.

To address this deception, the Justice Department in 2015 implemented a new policy requiring all federal agents engaged in criminal investigations to obtain a probable cause search warrant before using a stingray. It also requires agents and prosecutors to tell judges when the warrant they are seeking is for a stingray; and it requires them to limit the use of the stingray’s capabilities to tracking the location of a phone and logging the phone numbers for calls received and made by the phone. They cannot collect the contents of communication, such as text messages and emails.  And agents are required to purge the data they collect from non-targeted phones within 24 hours or 30 days, depending on the circumstances.

​

The problem, however, is that Justice Department policy is not law.  And although the policy includes state and local law enforcement agencies when they are working on a case with federal agents and want to use the devices, it does not cover those agencies when they are working on cases alone. To address this loophole, lawmakers would need to pass a federal law banning the use of stingrays without a warrant, but efforts to do so have so far been unsuccessful.

​

One bigger issue with the Justice Department policy is that, as noted above, it only applies to criminal investigations, not national security ones, and it also includes a carve-out for “exigent circumstances” that are not clearly defined. Federal agents are not required to seek a warrant to use the technology in cases involving such circumstances. Whether the government has used the technology against Black Lives Matter protesters without a warrant is likely something that will remain a secret for some time.

​

​