Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

From Wired:

A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.

Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government’s surveillance tool so that he could be located.

Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location.

Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.

The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location.

In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then “broadcast a very strong signal” to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden’s location.

To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list.

Rigmaiden makes the assertions in a 369-page document he filed in support of a motion to suppress evidence gathered through the stingray. Rigmaiden collected information about how the stingray worked from documents obtained from the government, as well as from records obtained through FOIA requests filed by civil liberties groups and from open-source literature.

During a hearing in a U.S. District Court in Arizona on March 28 to discuss the motion, the government did not dispute Rigmaiden’s assertions about Verizon’s activities.

The actions described by Rigmaiden are much more intrusive than previously known information about how the government uses stingrays, which are generally employed for tracking cell phones and are widely used in drug and other criminal investigations.

The government has long asserted that it doesn’t need to obtain a probable-cause warrant to use the devices because they don’t collect the content of phone calls and text messages and operate like pen-registers and trap-and-traces, collecting the equivalent of header information.

The government has conceded, however, that it needed a warrant in his case alone — because the stingray reached into his apartment remotely to locate the air card — and that the activities performed by Verizon and the FBI to locate Rigmaiden were all authorized by a court order signed by a magistrate.

The Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, who have filed an amicus brief in support of Rigmaiden’s motion, maintain that the order does not qualify as a warrant and that the government withheld crucial information from the magistrate — such as identifying that the tracking device they planned to use was a stingray and that its use involved intrusive measures — thus preventing the court from properly fulfilling its oversight function.

“It shows you just how crazy the technology is, and [supports] all the more the need to explain to the court what they are doing,” says EFF Staff Attorney Hanni Fakhoury. “This is more than just [saying to Verizon] give us some records that you have sitting on your server. This is reconfiguring and changing the characteristics of the [suspect's] property, without informing the judge what’s going on.”

The secretive technology, generically known as a stingray or IMSI catcher, allows law enforcement agents to spoof a legitimate cell tower in order to trick nearby mobile phones and other wireless communication devices like air cards into connecting to the stingray instead of a phone carrier’s legitimate tower.

When devices connect, stingrays can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location.

By moving the stingray around and gathering the wireless device’s signal strength from various locations in a neighborhood, authorities can pinpoint where the device is being used with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location.

Use of the spy technology goes back at least 20 years. In a 2009 Utah case, an FBI agent described using a cell site emulator more than 300 times over a decade and indicated that they were used on a daily basis by U.S, Marshals, the Secret Service and other federal agencies.

The FBI used a similar device to track former hacker Kevin Mitnick in 1994, though the version used in that case was much more primitive and passive.

A 1996 Wired story about the Mitnick case called the device a Triggerfish and described it as “a technician’s device normally used for testing cell phones.” According to the story, the Triggerfish was “a rectangular box of electronics about a half a meter high controlled by a PowerBook” that was essentially “a five-channel receiver, able to monitor both sides of a conversation simultaneously.” The crude technology was hauled around in a station wagon and van. A black coaxial cable was strung out of the vehicle’s window to connect the Triggerfish to a direction-finding antenna on the vehicle’s roof, which had four antenna prongs that reached 30 centimeters into the sky.

The technology has become much sleeker and less obtrusive since then, but still operates under the same principles.

Full article by Kim Zetter can be found here.