Enabling City-Wide IMSI-Catcher Detection

Proceedings on Privacy Enhancing Technologies ; 2017 (3):39–56

Peter Ney*, Ian Smith*, Gabriel Cadamuro, and Tadayoshi Kohno

SeaGlass: Enabling City-Wide IMSI-Catcher Detection

Abstract: Cell-site simulators, also known as IMSI-catchers and stingrays, are used around the world by governments and criminals to track and eavesdrop on cell phones. Despite extensive public debate surrounding their use, few hard facts about them are available. For example, the richest sources of information on U.S. government cell-site simulator usage are from anonymous leaks, public records requests, and court proceedings. This lack of concrete information and the difficulty of independently obtaining such information hampers the public discussion. To address this deficiency, we build, deploy, and evaluate SeaGlass, a city-wide cell-site simulator detection network. SeaGlass consists of sensors that measure and upload data on the cellular environment to find the signatures of portable cell-site simulators. SeaGlass sensors are designed to be robust, low-maintenance, and deployable in vehicles for long durations. The data they generate is used to learn a city’s network properties to find anomalies consistent with cell-site simulators. We installed SeaGlass sensors into 15 ridesharing vehicles across two cities, collecting two months of data in each city. Using this data, we evaluate the system and show how SeaGlass can be used to detect signatures of portable cell-site simulators. Finally, we evaluate our signature detection methods and discuss anomalies discovered in the data.

Keywords: cellular surveillance, cell-site simulator, IMSI-catcher, stingray, ridesharing, crowdsource

DOI 10.1515/popets-2017-0027
Received 2016-11-30; revised 2017-03-15; accepted 2017-03-16.

† The first two authors contributed equally to this work.
*Corresponding Author: Peter Ney: University of Washington, E-mail: [email protected]
*Corresponding Author: Ian Smith: University of Washington, E-mail: [email protected]
Gabriel Cadamuro: University of Washington, E-mail: [email protected]
Tadayoshi Kohno: University of Washington, E-mail: [email protected]

Brought to you by | University of Washington Libraries
Authenticated
Download Date | 8/8/17 7:43 PM

1 Introduction

Cell-site simulators, also known as IMSI-catchers or stingrays, act as rogue cellular base stations that can surveil cellphone locations and often eavesdrop on cellular communications. These devices are used extensively by governments and law enforcement, with devices coming in a wide range of capabilities. According to the Surveillance Catalogue, leaked by the Intercept, different models claim to intercept and record digital voice, geo-locate targets, and capture thousands of phones at once [27]. A series of open records requests and investigative journalism show that many U.S. police departments used them extensively, including Anaheim, CA; Baltimore, MD; Milwaukee, WI; New York, NY; and Tacoma, WA [8, 13, 20, 22, 33]. The U.S. Marshal’s service has used airplane-mounted “DRT Box” cell-site simulators to track fugitives since 2007 [3]. Other countries are using cell-site simulators as well, e.g., Ukraine’s use of cell-site simulators to send a mass text to protesters during the Euromaidan protests [17].

Given their clear privacy implications, there is vigorous public discussion on their proper use and regulation. A key question and important topic among journalists, policy makers, and the legal community, is how often and in what context cell-site simulators are used, and whether they are being used responsibly. For the present, the public relies on data obtained from public records requests, court documents, and leaks to the press to understand government usage. We argue that the community — and those engaged in the policy debate surrounding cell-site simulator usage — would benefit from additional, independent sources of information on cell-site simulators.

To facilitate this goal, we developed SeaGlass, a system designed to detect cell-site simulators by longitudinally measuring and analyzing the cellular environment across any city. SeaGlass collects data about cellular networks using portable sensors that are placed in ridesharing vehicles. We designed sensors to be highly robust to failure, enabling long-term deployment in vehicles owned and operated by others. Each sensor collects data when the vehicle is powered on and uploads it to a cloud server for aggregation. We use this data to develop methods for detecting anomalies or signatures that we expect from cell-site simulators.

To evaluate SeaGlass, and to iteratively refine our analysis pipeline, we deployed SeaGlass for two months in two cities: (1) Seattle, WA using nine drivers for eight weeks and (2) Milwaukee, WI using six drivers for eight weeks. Over the course of these deployments we collected 2.1 million unique cellular scans from locations across both cities. We then applied our analysis methods to our real data set and found that they detected base stations with anomalous signatures that might be expected from cell-site simulators. Our results suggest that if SeaGlass was deployed in a city where cell-site simulators are frequently used that they would be detected.

This paper contributes the following:
– We developed SeaGlass, a cost-effective, low-maintenance system to collect cellular environment data for detecting cell-site simulators on a city-wide scale using sensors in vehicles.
– We deployed SeaGlass in ridesharing vehicles in two U.S. cities, Seattle and Milwaukee, for nine and eight weeks respectively to evaluate our collection system.
– We designed methods to detect the identifying behaviors of cell-site simulators, and evaluated those methods using the data collected from the two SeaGlass deployments.

2 Basic Concepts

This section provides high-level background information and terminology on the GSM protocol and cell-site simulators. It also includes a discussion of signatures that cell-site simulators exhibit, which were used to develop our detection methods, and a list of publicly available sources of cellular network data.

2.1 The GSM Protocol

GSM, also known as 2G, is a cellular protocol first deployed in 1991 that remains in widespread use today. In the U.S. and Canada, it operates on 850 MHz and 1900 MHz, and in most other countries on 900 MHz and 1800 MHz. These bands contain uplink-downlink channel pairs, called Absolute Radio Frequency Channel Numbers (ARFCNs), on which phones communicate with Base Transceiver Stations (BTS), more generally known as base stations.

A network base station broadcasts its identifiers and other configuration properties to phones on a Broadcast Control Channel (BCCH). Phones generally choose to camp on the BTS in the network that has the highest received signal strength and best combination of BCCH properties. To register with the network, each GSM subscriber has a smart card, called a Subscriber Identity Module (SIM), which contains unique subscriber information, such as the International Mobile Subscriber Identity (IMSI). The IMSI is transmitted to base stations to identify the phone to the network. Because IMSIs are sent in the clear and can be linked to individual subscribers, phones typically negotiate a Temporary Mobile Subscriber Identity (TMSI) to attempt some privacy of the IMSI. The network can renegotiate a TMSI at any time, such as when a subscriber moves to a new geographical area — indicated by a BTS with a different Location Area Identity (LAI).

2.2 Cell-Site Simulators

Cell-site simulators have a variety of features. In their most basic form, they coax phones in the vicinity to reveal their IMSIs by imitating legitimate base stations. Once a target IMSI is retrieved, they may use directional antennas and received signal strengths gathered from multiple locations to localize a phone.

More advanced models give users the capabilities of a network provider. Many models offer active attacks like voice, SMS, and data traffic eavesdropping; injection; denial of service; cloning; and SMS spamming [27, 37]. GSM networks (2G) make these attacks possible because the network does not authenticate itself to phones. To exploit higher-level network protocols that support network authentication (3G and 4G LTE), some cell-site simulators take advantage of protocol vulnerabilities to downgrade to GSM before the network authenticates or jam on 4G/3G frequencies [5, 35]. In all protocol levels (2G, 3G, and 4G LTE), the IMSI is still transmitted as plaintext before network authentication, enabling some cell-site simulator functionality [32].

A recent leak of documents from the Harris Corporation (a cell-site simulator manufacturer known to sell to police departments) sheds some light on the strategies that common cell-site simulators use to capture phones [4]. Manuals for their RayFish product family, which includes the Stingray and Hailstorm models, indicate that these devices exploit a phone’s cell reselection decision procedure by mimicking the weakest neighbor being advertised by a strong nearby base station. The cell-site simulator then “transmits modified system information messages, including a modified Location Area Identifier (LAI) causing [a phone] to

Geographic inconsistency. Base stations advertise attributes determined by their network provider and
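
An added example, not code from the paper or from SeaGlass: one simple way a defender could look in longitudinal scan data for the modified-LAI behaviour described in section 2.2, by flagging a well-known cell that is occasionally advertised under a location area it rarely uses. The record layout, the thresholds and the sample scans are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Scan(NamedTuple):
    """One BCCH observation from a sensor (field layout is an assumption)."""
    ts: int        # seconds since the start of collection
    arfcn: int     # channel the BCCH was heard on
    mcc: int       # mobile country code
    mnc: int       # mobile network code
    lac: int       # location area code; MCC + MNC + LAC together form the LAI
    cell_id: int
    rssi_dbm: int

def lai_anomalies(scans, min_support=5, max_share=0.2):
    """Return scans whose LAC is rare for an otherwise well-observed cell.

    A cell is keyed by (mcc, mnc, cell_id, arfcn). Cells seen fewer than
    min_support times are skipped because there is no baseline to compare
    against; that avoids flagging cells the sensors have barely visited.
    """
    by_cell = defaultdict(Counter)
    for s in scans:
        by_cell[(s.mcc, s.mnc, s.cell_id, s.arfcn)][s.lac] += 1
    flagged = []
    for s in scans:
        lacs = by_cell[(s.mcc, s.mnc, s.cell_id, s.arfcn)]
        total = sum(lacs.values())
        if total >= min_support and lacs[s.lac] / total <= max_share:
            flagged.append(s)
    return flagged

# Constructed sample data: cell 4021 is heard with LAC 1201 on ten passes,
# then twice with LAC 9999 at a much higher signal strength. Cell 4077 has
# only three observations, too few to form a baseline.
SAMPLE = (
    [Scan(t, 512, 310, 999, 1201, 4021, -85) for t in range(0, 600, 60)]
    + [Scan(700, 512, 310, 999, 9999, 4021, -52),
       Scan(760, 512, 310, 999, 9999, 4021, -50)]
    + [Scan(t, 530, 310, 999, 1201, 4077, -90) for t in range(0, 180, 60)]
)

if __name__ == "__main__":
    for s in lai_anomalies(SAMPLE):
        print(f"t={s.ts}s cell={s.cell_id} arfcn={s.arfcn} "
              f"unexpected LAC {s.lac} at {s.rssi_dbm} dBm")
```

A flagged scan is only a lead for follow-up: legitimate network reconfiguration also changes LAIs, so the thresholds need tuning against a city's own baseline.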
