Exclusive: Lead Seaglass Researcher Peter Ney On Police Stingray

US (Pontiac) – Last year, Washington University researchers announced an ambitious development in tracking police surveillance. The team led by researcher Peter Ney developed a system, called Seaglass, to identify spoof cell phone towers. Aiming to learn more, Pontiac Tribune talked to Ney and got an insiders look at secretive surveillance gadgets.

For their study, Ney’s team targeted cell site simulators used by both federal and local police. Also called Stingrays or Hailstorms after specific brands, or IMSI catchers—after a unique identifying number for every phone it captures—the devices are highly guarded, expensive government assets.

They perform “man-in-the-middle” attacks by masquerading as cell phone towers your phone communicates through. After connecting, Stingrays can access anything from personal messages and calls, to your exact location. Various models, however, have different capabilities and are in no way uniform from agency to agency.

Stingrays can be affixed to planes, buried in the ground, hidden in a car trunk or book bag. Different models have different functions, and can be fitted with various after-market modifications. One model, Ney noted during his interview, is called a Dirt Box. It’s essentially a very powerful Stingray capable of capturing data from thousands of phones at once. Currently, the expensive unit is most likely contained to federal agency’s. Although purposed for top tier criminal investigations, Stingrays have trickled down to be used to find more petty criminals. Numerous civil rights groups also fear the devices are regularly monitoring protests, activists, and journalists.

Strict non-disclosure agreements bar agency’s from disclosing their use, even to judges. Warrants are mandated, though the devices are totally unaccountable. Sometimes even common officers themselves are shielded from the dealings of specialized units.

Peter Ney’s team out of U-Washington aimed to develop a way citizens could track Stingray activity. Seaglass launched last summer with early trials in Seattle and Milwaukee. Both cities have police departments known to utilize Stingrays, with documents having surfaced over the years. Ney’s team employed a device which analyzed cell tower activity, using ride-share companies like Uber to broaden scans.

One of their biggest hurdles was first creating a reliable model for local cell tower activity. Once a reasonable idea of local activity was created, they looked for anomalies. Both cities had different results, with more promising signals in Seattle. In one instance, a tower’s signal overpowered the others nearby. Another cycled several channel frequencies in a short period of time. Milwaukee’s trial was brief and, besides signals which disappeared– or possibly moved around–there wasn’t much.

Ney admitted the team has barely scratched the surface. Stingrays are open secrets of sorts, people know they’re being used but don’t know anything about them. It was only recently that journalists at The Intercept obtained manuals for operation of the devices. However, unless you’re tech savvy and have the time, it’s all difficult to digest. Luckily, Peter Ney welcomed journalists at TFC Network to a phone call.

Almost immediately, Peter expressed regret over having left Milwaukee when he did. Shortly afterward the city erupted in protests and riots over the shooting of Syville Smith by a Milwaukee Police Officer. What followed were days of surveillance including circling planes, military presence and intense unease. The author filmed some of the air traffic from Wauwatosa, a nearby suburb simultaneously dealing with it’s own shooting. “That’s the kind of situation”, Ney told Pontiac, “where you’d expect IMSI to actually be used.”

The family of the man killed by Wauwatosa officers also protested that same summer. Shortly afterward, 25 year old Jay Anderson Jr.’s entire family reported identical cell phone malfunctions. They’d struggle to receive incoming calls, send outgoing calls or texts, and emails. Linda Anderson, Jay’s mother, claimed every picture on her phone disappeared then reappeared days later. Similarly unusual activity was reported a couple years earlier during a teen-focused drug crackdown in Wauwatosa.

Although “technically possible”, Peter Ney was dubious as to how often Stingrays would be deployed against ordinary citizens. Using them puts police departments at risk of getting caught. For that, Ney feels departments may hesitate to use Stingrays especially if the same information could be obtained by another means.

“I am also a believer that if you give someone a hammer”, he explained, “they’re going to look for nails.” The door is always open though and according to Ney, Stingrays can be used to hack phones. “You could imagine that an IMSI catcher could be used to push malware to cell phones”, he told Pontiac.

“Part of the reason is that the cell phone typically trusts the cell towers it’s communicating with, it’s kind of the way we design these systems. And so, if it’s an IMSI catcher it’s basically a rouge cell tower, if it knows the phone it’s connected to is vulnerable to a particular kind of hack, it might take advantage of that. That being said, my guess is that those types of hacks would be very highly valuable. So kind of zero day hacks, kind of never been used, I just doubt that local law enforcement would have access to those types of attacks. That’s the kind of thing you’d expect from maybe FBI, or maybe a federal agency for a really high value target. Whether they’re using those against normal people, I’d be a little skeptical. But, you know, it’s technically possible.”– Peter Ney, lead researcher for Seaglass Washington University

 

Instead, Ney found the idea of Stingrays being used to deny phone service more likely. “Basically jam all cell phone frequencies”, he explained, “that’s not so hard. For example, if there’s a riot, or there’s a big protest and you don’t want people to communicate, that might be a good way to do it. I have no idea if they’re actually doing that, but that is something that we have seen in other countries. Other repressive governments like Russia and Ukraine, and places like that.”

His team also attended the Dakota Access Pipeline protests, though didn’t find much. “Now let me say that was a crazy place, there was so much surveillance there.” Due to the remote area, cell phone signals were already spotty. “It’s not very clear to me why you’d use an IMSI catcher there”, the researcher explained.

Ney assured Stingrays can “do all kinds of crazy stuff” including send fake texts, or pretend to be someone else’s phone. “The thing I’m interested in is if law enforcement is using the full set of capabilities, or are they using kind of a sub-set of these capabilities”, he told Pontiac Tribune. He noted “we can make IMSI catchers” in a lab setting, but its unknown if these models are anything like what law enforcement is using.

Clearly we’re sitting at the cusp of a rabbit hole world few people ever explore, and fewer understand. Peter Ney’s Seaglass project is an important step in bringing IMSI catcher surveillance into account. It’s still just one of the first stepping stones, however, and a lot of questions remain. This dynamic of uncertainty seems intensified by the current presidential administration, and it’s possible successors.