The recent announcement that the DEA (Drug Enforcement Agency) was authorized to conduct covert surveillance on protestors got me thinking about how one could protect oneself against that kind of mass surveillance both in general and specifically in the context of attending or documenting (or just being near) a protest. It made me particularly thankful that we designed the Librem 5 to have a cellular hardware kill switch and in this post I’m going to give a quick overview of Stingray technology, the implications of its use at a protest, how the use of aerial stingrays (aka “dirtboxes”) extends its mass-surveillance capabilities, and how the Librem 5’s hardware kill switches give you control over where, when and how you are surveilled.
Our customers are from all walks of life and as such face a wide range of threats ranging from every-day risks from using the Internet all the way to customers concerned about nation state actors. We develop our security measures with all this in mind and try to strike the right balance between strong security (like our anti-interdiction services and PureBoot) and convenience (hardware kill switches). We also believe strongly that the customer, not us nor anyone else, should be in control of their computers and in control of their privacy, and this along with our commitment to Free Software guides all of our design decisions.
Your phone is the most personal of your personal computers and contains sensitive files like photos, videos, contact lists and message logs. It is also packed full of sensors that are incredibly useful when used for your benefit, but incredibly damaging to your privacy when used against you. This risk is why we not only included hardware kill switches in the Librem 5 to disable the cellular modem, WiFi/Bluetooth, and the cameras and microphone, we added the ability to combine all the hardware kill switches to enter “lockdown mode” and disable all of the remaining sensors. This article on lockdown mode elaborates on the potential threats with the sensors on a phone and describes how lockdown mode can help.
This past week has seen nationwide protests in the United States over the death of George Floyd and along with it, state and federal responses. One of the more concerning developments from a privacy perspective came on June 2nd when it was reported by BuzzFeed News that the DEA (Drug Enforcement Agency) had been authorized to extend their traditional jurisdiction over drug enforcement to “conduct covert surveillance” on people participating in protests. There is speculation that this includes the use of aerial Stingray technology (known as “dirtboxes”) that extends the surveillance power of a traditional Stingray device housed inside of a van to the range of an aircraft to identify which phones (and therefore which people) attended a protest, potentially city-wide.
A Stingray (or IMSI catcher or cell site simulator) is essentially a cellular man-in-the-middle device that allows the attacker to identify all of the phones in the area around the Stingray. The device is often used by the DEA to track an individual who is under surveillance. Of course Stingray use isn’t limited to the DEA and the ACLU maintains a list of states and departments who own the technology. The EFF has a great guide that describes Stingrays in more detail, but in summary Stingrays work by pretending to be a cellular tower. Phones are designed to connect to the cellular tower with the strongest signal, so when a Stingray is near, all of the phones within its range automatically connect to it and the Stingray then forwards on their connection to the real cellular tower. Each phone has a unique set of identifiers including an IMEI number that identifies that specific phone hardware and an IMSI number that identifies the SIM card (the specific cellular plan including phone number) and this is how the Stingray can tell who it is monitoring.
To surveil a particular suspect, Stingrays are used inside of a van that drives around an area and by measuring the changing signal strength of the suspect as they drive around, they are able to pinpoint their location with much more accuracy than they can get strictly from pulling location information from a cellular provider.
A Wired article on the subject of Stingrays and dirtboxes describes it this way:
Stingrays are often deployed by law enforcement from cars and vans. By driving the stingray around in a vehicle and gathering a wireless device’s signal strength from various locations in a neighborhood, authorities can pinpoint where the device is being used with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location. The tools can pinpoint a phone’s location down to an apartment building or complex. At that point agents can switch to a handheld device that operates in the same way but lets them move inside to determine the exact apartment or office location of the targeted phone.
Of course Stingrays aren’t selective in terms of who connects. It forces all phones in the area to connect so their use becomes a dragnet that sweeps up everyone else in the area. This would make them particularly effective as a way to monitor protests as they can capture information about all of the protestors who are within range of the device. Indeed there is evidence that the Chicago Police Department used a Stingray to monitor protestors, in particular a protest organizer, during the 2014 protests of the Ferguson grand jury decision.
This week’s story that the DEA has been authorized to conduct covert surveillance of protestors, likely with dirtboxes, extends the power and range of the traditional Stingray in a van to surveil a few city blocks to the ability to surveil a whole city from the air. This means that not only can they track all of the people who attend a protest, they can track all of the people who break curfew orders and along with them any essential workers or other bystanders who happen to be walking home.
There are a number of countermeasures against Stingray surveillance ranging from putting the phone in a pouch that acts as Faraday cage, to attending protests with a burner phone or SIM. Each of these approaches presents their own issues, especially given that in a protest phones are often used to document violence whether from looters or law enforcement.
With the Librem 5 hardware kill switches, you have a convenient way to shut down the cellular modem completely and quickly, yet retain the ability to use the rest of the phone as normal. If you are documenting a protest this means you can safely record video to upload at a later time, or even leave the WiFi on and stream video over local wireless access points while still not being tracked by mass surveillance. If you are walking home from work you can flip the cellular switch off and still listen to music on the walk home on a Bluetooth headset. In the event you need to make an emergency call where you are willing to be tracked, you can always flip the switch back on and quickly reconnect to the cellular network.
Another option in place on all modern phones is the ability to enter airplane mode. With airplane mode the OS asks the cellular modem and WiFi card to power themselves off. While this, in theory, would prevent that phone from being tracked with a Stingray, it’s not without its risks. The first risk is that this approach depends on software, not hardware, to succeed. The cellular modem could, in theory, simply ignore the request. A compromised OS could also pretend to enter airplane mode without sending any signals to the hardware. Also while on some phones the cellular modem and the CPU are on different chips, on many phones the cellular modem is integrated and is always on, even if it’s not necessarily transmitting. The second risk is related to convenience. Many phones do allow you to enter airplane mode from the lock screen but that doesn’t necessarily extend to other sensors like the GPS. Being able to disable the cellular modem with a switch (or all sensors when triggering lockdown mode with all switches) allows you to trigger it without looking, even when the phone is still in your pocket.
At Purism we think that you should be in control of your computer and in control of your privacy. You should have control over where and when you are tracked. By adding convenient security features like hardware kill switches into our Librem laptops and the Librem 5 phone we ensure that the control over whether your cameras or microphones are recording or whether your WiFi, Bluetooth or cellular modems are broadcasting is completely in your hands.