Http att com 3gmicrocell activate

Topic: Cybersecurity Policy Design

Cybersecurity Policy Design Issues

Describe cybersecurity policy features that are needed to protect against the Insider Threat, Operations Security, Access Control and Biometric Authentication
What features can be added to a business cybersecurity policy to help protect it against effects from possible upstream, Multi-Sector, cascade failures due to poor cybersecurity policy management in upstream organizations?

references if you need bellow

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1979857

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2404553

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678

Your Secret StingRay’s No Secret Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and its Impact on National

Security and Consumer Privacy

Stephanie K. Pell1 & Christopher Soghoian2

“. . . [T]hou wilt not trust the air with secrets.” — Shakespeare, Titus Andronicus.3

I. INTRODUCTION During a 1993 Congressional oversight hearing on the integrity of telephone networks,4 security researcher Tsutomu used a “software hack” to turn an analog cellular phone into a scanner that enabled all present in the hearing room to hear the live conversations of nearby cellular phone users.5 Shimomura had been granted congressional immunity to perform this demonstration under the watchful gaze of a nearby FBI agent.6 The event was a practical demonstration of what Subcommittee Chairman Ed M key c lled “t e s n ste s de of cybe sp ce.”7 The demonstration illustrated a significant security vulnerability impacting then- widely used analog cellular phone networks: calls were not encrypted as they were transmitted over the air and could, therefore, be intercepted with readily available equipment, such as an off-the-shelf radio scanner or a modified cellular phone.

The authors wish to thank Matt Blaze, Ian Brown, Alan Butler, Susan Freiwald, Allan Friedman, Jean- Pierre Hubaux, Eric King, Susan Landau, Linda Lye, Aaron K. Martin, Valtteri Niemi, Karsten Nohl, Brian Owsley, Christopher Parsons, Christopher Prince, John Scott-Railton, Greg Rose, Seth Schoen, Jennifer Valentino-DeVries, David Wagner, Nicholas Weaver, several individuals who have asked to remain anonymous, and the attendees of our session at the 2013 Privacy Law Scholars Conference. 1 Principal, SKP Strategies, LLC; Non- es dent Fell w t t nf d L w c l’s Cente f Inte net nd Society; former Counsel to the House Judiciary Committee; former Senior Counsel to the Deputy Attorney General, U.S. Department of Justice; former Counsel to the Assistant Attorney General, National Security Division, U.S. Department of Justice; and former Assistant U.S. Attorney, Southern District of Florida. 2 Principal Technologist, Speech, Privacy & Technology Project, American Civil Liberties Union and Visiting Fellow, Information Society Project, Yale Law School. The opinions expressed in this article e t s t ’s l ne, nd d n t eflect t e ff c l p s t n f s e pl ye . 3 William Shakespeare, Titus Andronicus, act IV, scene II, l. 1862. 4 Telecommunications Network Security: Hearing Before the Subcomm. On Telecommunications and Finance of the H Comm. On Energy and Commerce, 103rd Cong. (April 29 & June 9, 1993) [hereinafter Telecommunications Network Security Hearing]. 5 Id. at 8-9. 6 See Immunity Needed; Markey Panel Sees Dark Side of Electronic Frontier, Communications Daily, April 30, 1993, https://w2.eff.org/Privacy/Newin/Cypherpunks/930430.communications.daily 7 See Telecommunications Network Security Hearing, supra note **, Opening Statement of Chairman Markey at 4.

2

Although the threat demonstrated by Shimomura was clear, Congress and the Federal Communications Commission (FCC) took no steps to mandate improvements in the security of analog cellular calls.8 Such a technical fix would have required wireless carriers to upgrade their networks to support more secure telephone technology, likely at significant cost.9 Instead, Congress outlawed the sale of new radio scanners capable of intercepting cellular signals and forced scanner manufactures to add features to their products to prevent them from being tuned to frequencies used by analog cell phones.10 This action by Congress, however, did nothing to prevent the potential use of millions of existing interception-capable radio scanners already in the homes and offices of Americans to intercept telephone calls.11

8 See Telecommunications Network Security Hearing, supra note **, Statement of Chairman Markey t 12 (“L st ye we p ssed leg sl t n t b n sc nne s, b t we cle ly d d n t b n cell l p nes. However, cellular phones can be reprogrammed as a scanner with a relatively rudimentary kn wledge f t e tec n l gy. Tens f t s nds f pe ple kn w w t d t.”). In s b ss n t the FCC, the cellular industry association opposed proposals for the FCC to focus on the cellular interception vulnerabilities, rather than the availability of radio scanners capable of intercepting cellular phone calls. See Cellular Telecommunications Industry Association (CTIA) Reply Comments on Amending of Parts 2 and 15 to Prohibit Marketing of Radio Scanners Capable of Intercepting Cellular Telephone Conversations at 4 (March 8, 1993), http://apps.fcc.gov/ecfs/document/view;jsessionid=fTGkSn3c0CsJjGhv2ts5DQQktvyhfXkHpW2JPnr 9pPhxQ9sC88Cp!-1864380355!1357496456?id=1120040001 [hereinafter CTIA Reply Comments] at 4 (“R t e t n p p s ng t st engt en t e C ss n's p p sed les, weve , t ese p t es would have the Commission weaken or abandon its proposals and place the burden solely on cellular carriers or manufacturers to protect the pr v cy f cell l telep ne c lls… With the enactment of ect n 403( ), t e t e f s c n g ent s p st.”) 9 See Craig Timberg and Ashkan Soltani, By cracking cellphone code, NSA has capacity for decoding private conversations, Washington Post, December 13, 2013, available at http://www.washingtonpost.com/business/technology/2013/12/13/e119b598-612f-11e3-bf45- 61f69f54fc5f_st y. t l (“Upg d ng n ent e netw k t bette enc ypt n p v des s bst nt lly more privacy for users . . . But upgrading entire networks is an expensive, time-consuming nde t k ng.”). See also Babbage infra note ** (currently fn 256). Such network upgrades would also have neutralized analog interception devices then in use by US government agencies. 10 See FCC Report and Order, Amendment of Parts 2 and 15 to Prohibit Marketing of Radio Scanners Capable of Intercepting Cellular Telephone Conversations, adopted April 19, 1993, available at http://apps.fcc.gov/ecfs/document/view;jsessionid=CyspSn3R1KqpKlzyc9pwb5GyypnrQ4nnGMqFq tNpQyFYbhWZ2r1c!1357496456!-1864380355?id=1145780001, made in response to Sec. 403 of the Telephone Disclosure and Dispute Resolution Act, Pub. L. 102-556 (1992); codified at § 47 U.S.C. 302a(d) (requiring that within 180 days of enactment, the FCC shall prescribe and make effective regulations denying equipment authorization). However, as the FCC made clear in its report, this p b t n d es n t pply t c p n es t t “ ket[] [ n l g cell l nte cept n] tec n l gy t l w enf ce ent genc es.” See FCC Report and Order, at 7. Such a law enforcement exemption had been requested by the Harris Corporation, and supported by the cellular industry association. See CTIA Reply Comments, supra n te ** t 8 (“CTIA s pp ts t e H s C p t n's eq est t t t e Commission modify its proposed rules to clarify that scanning receivers that receive cellular t ns ss ns … y c nt n e t be n f ct ed f s le t [l w enf ce ent]”). 11 See CTIA Reply Comments, supra n te ** t 3 (“A n be f c ente s g e that the Commission's proposed rules are flawed because they will not effectively safeguard the privacy of cellular calls. These commenters point out that millions of scanning receivers capable of tuning cellular frequencies are already in use, and that such receivers will remain available for sale for n t e ye .”) See also Summary of Testimony Of Thomas E. Wheeler, Cellular Telecommunications

3

In 1997, four years after the FCC enacted Congressionally mandated regulations banning the sale of scanning equipment capable of intercepting cellular signals,12 a couple from Florida recorded a conference call between several senior Republican politicians, including then Speaker of the House Newt Gingrich, which they were able to intercept because one of t e c ll’s p t c p nts w s using a cellular phone.13 Although the couple did not intend to impact US communications policy when they turned on their radio scanner, their act was high-profile proof t t C ng ess’s response to the analog interception threat was not successful.14 What ultimately fixed the analog phone interception problem was not further congressional action but rather, t e w eless nd st y’s migration away from easily intercepted analog phone technology to digital cellular phones—a decision motivated in part by the increase in cellular phone cloning fraud.15 Digital phone conversations were, at the time, far less likely to be intercepted because the necessary equipment was prohibitively expensive and thus available to fewer potential snoops.16 Governments with significant financial resources, however, have owned and used cellular phone surveillance equipment for quite some time. Indeed, for nearly two Industry Association, February 5, 1997 at 1, House Commerce Committee, Subcommittee on Telecommunications, Trade and Consumer Protection. 1997 WL 49420 [hereinafter Summary of Wheeler testimony], (“[T]rying to ban a specific type of eavesdropping gear after it has already bec e w dely v l ble s d ff c lt.”). 12 See FCC Report and Order, supra note 10. 13 The participants of the call—who included Republican Majority Leader Dick Armey, Republican Whip Tom Delay, New York Congressman Bill Paxon John Boehner—were discussing an investigation by the Congressional Ethics Committee of Gingrich. The Florida couple gave the recording to the ranking Democratic member of the Ethics Committee (and thus the leader of the Gingrich investigation). See The Gingrich Cellular Phone Call, PBS NewsHour, January 14, 1997, http://www.pbs.org/newshour/bb/politics/jan-june97/cellular_01-14.html. 14 This was not the only opportunity in 1997 for Congress to observe that cellular communications were still not secure. See Committee Report, for H.R. 2396 the Wireless Privacy Enhancement Act of 1998, http://www.gpo.gov/fdsys/pkg/CRPT-105hrpt425/pdf/CRPT-105hrpt425.pdf at 5 (“T e Subcommittee on Telecommunications, Trade, and Consumer Protection held a hearing on cellular p v cy n Feb y 5, 1997…. P t t e w tnesses’ test ny, tec n l g c l de nst t n w s conducted to highlight the ease w t w c sc nn ng eq p ent c n be ‘‘ e d ly lte ed’’ t nte cept cell l c n c t ns.”). 15 Cell p ne cl n ng s p cess by w c ne p ne’s n q e cc nt n be c ld be c pt ed and programmed into another phone for purposes of billing one p ne’s c lls t n t e p ne. See generally Jeri Clausing, Congress Moving Quickly to Try to Curb Cell Phone Abuses, New York Times, March 2, 1998, available at http://www.nytimes.com/1998/03/02/business/congress-moving- quickly-to-try-to-curb-cell-phone-abuses.html. 16 See David Wagner, Bruce Schneier and John Kelsey, Cryptanalysis of the Cellular Message Encryption Algorithm, Advances in Cryptology - CRYPTO'97, available at http://www.schneier.com/paper-c e .pdf (“[T] e l test d g t l cellp nes c ently offer some weak protection against casual eavesdroppers because digital technology is so new that inexpensive d g t l sc nne s ve n t yet bec e w dely v l ble.”). See also Committee Report, for H.R. 2396 supra n te 13 t 3 (“While digital cellular and PCS are not immune from eavesdropping, they are currently more secure than analog cellular because the equipment for intercepting digital calls is vastly more expensive and complex than existing, off-the-shelf scanners that intercept analog communications (e.g., $200 vs. $10,000–$30,000).”).

4

decades, US federal, state and local law enforcement agencies have employed sophisticated cellular surveillance equipment that exploits vulnerabilities in cellular networks. Once only accessible to a few global powers at six-figure prices, similar technology is now available to any government—including those with a history of spying in the United States—and to any other interested buyer from surveillance companies around the world, often for as little as a few thousand dollars per device.17 Moreover, hobbyists can now build less advanced but functional interception equipment for as little as $100.18 The normal course of economics and innovation has destroyed the monopoly a select group of global powers once enjoyed over digital cellular surveillance technology, rendering surreptitious access to cellular communications as universally available as it once was in the analog world: surveillance has, once again, become democratized, this time with a much more expansive set of capabilities. During Congressional testimony in 1997, current Federal Communications Commission (FCC) Chairman Tom Wheeler, then the president of the cellular industry association (CTIA), warned the Committee of this outcome: “Unless Congress takes a forward-looking approach, history will likely repeat itself as digital scanners and decoders, though expensive now, drop in price in the future.”19 Mr. Wheeler’s prescient warning has come true. Although the technology has changed, we are rapidly approaching a future of widespread interception that feels much like the past, but with a much larger range of public and private actors with more diverse motives for snooping. Whoever employs this technology can obtain direct, unmediated access to information about and from a cellular phone without any aid from a wireless provider.20 In some cases, this technology can even intercept the contents of cellular phone calls, text messages and other communications data transmitted to and from the phone.21 In this Article, we will argue that policy makers did not learn the right lessons from the analog cellular interception vulnerabilities of the 90s: that is, the communications of Americans will only be secured through the use of privacy enhancing technologies like encryption, not with regulations prohibiting the use or sale of interception technology. Nearly two decades after Congress passed legislation intending to protect analog phones from interception by radio

17 See infra Part V. 18 See infra Part V. 19 See Summary of Wheeler Testimony, supra note ** at 2. 20 See John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa- p l ce/3902809/ (“T e t ng y c n g b s e d t f cellp nes n e l t e nd w t t g ng t g t e w eless se v ce p v de s nv lved.”) See also Ability, IBIS II - In-Between Interception System - 2nd Generation, http://www.interceptors.com/intercept-solutions/Active-GSM- Inte cept . t l (“T e IBI –II is a stand-alone solution for off the air interrogation / interception / monitoring / deception of tactical GSM communication, in a seamless way, without any cooperation with the network provider.”) (e p s s dded). 21 See infra Part **.

5

scanners,22 the American public is poised, quite unknowingly, at the threshold of a new era of communications interception that will be unprecedented in its pervasiveness and variety. Foreign governments, criminals, the tabloid press and curious individuals with innumerable private motives can now leverage longstanding security vulnerabilities in our domestic cellular communications networks that were previously only exploitable by a few global powers. In spite of the security threat posed by foreign government and criminal use of cellular interception technology, US government agencies continue to treat practically everything about it as a closely guarded “source and method,”23 shrouding the technical capabilities, limitations and even the name of the equipment they use from public disclosure. The source and method argument is invoked to protect law enforcement genc es’ wn se f cell l nte cept n tec n l gy by preventing criminal suspects from learning how to evade surveillance.24 This secrecy is not only of questionable efficacy for that purpose, however, but it comes at a high collateral cost in that it keeps the American public in the dark about cellular network vulnerabilities and thus generally unaware of the need to secure their private communications. Indeed, at a time when cyber security threats are a top congressional priority, there has been no public discussion by policy makers about the exploitable vulnerabilities latent in our cellular networks and no corresponding policy debate about how to protect private communications from those threats. If the US and its close allies had a monopoly over this technology, policy makers could argue that certain national security interests furthered by the use of the technology—and thus the need to maintain the secrecy of all related information— trump the need to inform the American public about the vulnerability of cellular communications. This Article, however, dispels the myth that this technology is, in fact, secret at all. Indeed, it has been the subject of front page stories in leading newspapers,25 has been featured in Hollywood movies,26 television dramas27 and

22 See § 403 of the Telephone Disclosure and Dispute Resolution Act, Pub. L. 102-556 (1992); codified at § 47 U.S.C. 302a(d). 23 See infra Part IV. 24 See infra Part **. 25 See Jennifer Valentino-DeVries, 'Stingray' Phone Tracker Fuels Constitutional Clash, WALL ST. J., Sept. 22, 2011, http://online.wsj.com/article/SB10001424053111904194604576583112723197574.html. See also Ellen Nakashima, Little-known surveillance tool raises concerns by judges, privacy activists, The Washington Post, March 27, 2013, http://www.washingtonpost.com/world/national-security/little- known-surveillance-tool-raises-concerns-by-judges-privacy-activists/2013/03/27/8b60e906-9712- 11e2-97cd-3d8c1afe4f0f_story.html. 26 See Zero Dark Thirty (movie), at 83:00 27 See The Wire: Middle Ground, e s n 3, Ep s de 11 t XXX (HBO telev s n b dc st) (“Re e be those analog units we used to use to pull cell numbers out of the air? The C. F. something-something Ye , Cell F eq ency Ident f c t n Dev ce.” “T e t gge f s , ye .” “T t ne, t c ld fl g n be .” “R g t, b t t e ld n l g c nes? We sed t ve t f ll w t e g y und stay close while he sed t e p ne.” “New d g t ls b ng, we j st p ll t e n be g t ff t e cell t we s.”)

6

more ominously, can be purchased over the Internet from one of many non-US based surveillance technology vendors or even built at home by hobbyists. We therefore argue that the risks to the American public arising from the US g ve n ent’s continued suppression of public discussion of vulnerabilities in our cellular communications networks that can be exploited to perform unmediated interception outweigh the now-illusory benefits of attempting to keep details of the surveillance technology secret. Congress should address these network vulnerabilities and the direct interception techniques they enable, as well as the necessity for responsive privacy enhancing technologies like strong encryption,28 as part of the larger cyber security debate, to which they are all inextricably linked. To date, however, this policy debate is not occurring, which is not beneficial either to privacy or cellular network security. Part II of this Article begins by naming this “secret” interception technology and describing its capabilities. Part III will then go on to address the limited Department of Justice (DOJ) guidance and case law pertaining to this technology. Part IV will discuss what appears to be a concerted effort by the US government to prevent the public disclosure of information about this technology. Part V will reveal, however, that the existence of the technology is both publicly known and acknowledged by governments in other countries. Part VI will describe how foreign governments and criminals can and do use cellular surveillance equipment to exploit the vulnerabilities in phone networks, putting the privacy and security of Americans’ communications at risk. Part VII will argue that the public is paying a high price for t e U g ve n ent’s pe pet t n f fictional secrecy surrounding cell phone interception technology. Specifically, such fictional claims of secrecy prevent policy makers from publicly addressing the threats to the security of cellular communications. Part VIII will argue that cellular network vulnerabilities should be addressed publicly in the larger cyber security policy process Congress is currently undertaking. Finally, Part IX will examine possible technical avenues through which solutions could come. II. AN INTRODUCTION TO CELL PHONE INTERCEPTION TECHNOLOGY Because cellular telephones send signals through the air, cellular communications are inherently vulnerable to interception by many more parties than communications carried over a copper wire or fiber optic cable into a home or business.29 This increased exposure to interception exists because anyone wishing

28 See L be ty nd ec ty n C ng ng W ld: Rep t nd Rec end t ns f t e P es dent’s Review Group on Intelligence and Communications Technologies 22 (2013), http://www.lawfareblog.com/wp-content/uploads/2013/12/Final-Report-RG.pdf (advising the US g ve n ent t “s pp [t] eff ts t enc ge t e g e te se f enc ypt n tec n l gy f d t n transit, at rest, in the cloud, and in storage.”). 29 See Craig Timberg and Ashkan Soltani, By cracking cellphone code, NSA has capacity for decoding private conversations, Washington Post, December 13, 2013, available at http://www.washingtonpost.com/business/technology/2013/12/13/e119b598-612f-11e3-bf45- 61f69f54fc5f_st y. t l (“Cellp ne c nve s t ns l ng ve been c e s e t nte cept t n

7

to tap a traditional wireline telephone call must physically access the network infrastructure transporting that call—such as by attaching interception equipment to the telephone w es ts de t e e f t e t get t t e telep ne c p ny’s central office.30 In contrast, intercepting a cellular telephone call only requires sufficient geographic proximity to the handset of one of the callers and the right kind of wireless interception equipment. Moreover, the distance from which cellular calls are vulnerable to interception can be increased with bigger antennas and high- powered radio equipment.31 Cellular telephone calls can, of course, be intercepted by government agencies with the assistance of the wireless carriers via government mandated interception capabilities these companies have built into their networks.32 In fact, the vast majority of surveillance performed by law enforcement agencies in the United States is, almost certainly, carrier-assisted surveillance.33 But cellular phone transmissions can also be captured without the assistance, or even the knowledge, of the carriers. The unmediated nature of this kind of interception, combined with

ones conducted on traditional telephones because the signals are broadcast through the air, making f e sy c llect n.”) 30 See id. Carrier assisted wiretaps once required that the interception take place near the target, such as at a call switching center. Today, telephone carriers have modern interception equipment that permits intercepts to be remotely initiated and controlled by a single dedicated surveillance team within the companies. See, for example, Utimaco Lawful Interception of Telecommunication Services (sales brochure), available at http://lims.utimaco.com/fileadmin/assets/brochures_datasheets_whitepapers/UTIMACO_LIMS_DA TASHEET_EN.pdf, (Utimac ’s L wf l Inte cept n M n ge ent yste “ s p ven s l t n f network operators and service providers to automate the administrative and operative tasks related to lawful interception. The system is based on a central management platform for the surveillance of communication services and implements electronic interfaces to various authorized law enforcement genc es nd t e n t ng… Key fe t es [ ncl de] Cent l d n st t n f nte cepts nd t get ss gn ents.”). See also Elaman government solutions, product brochure, https://www.wikileaks.org/spyfiles/files/0/188_201106-ISS-ELAMAN3.pdf t p ge 6 (“Lawful Interception provides access to calls and call-related information (telephone numbers, date, time, etc.) within telecommunications networks and delivers this data to a strategic Monitoring Center (MC)... Such an MC gives access to an entire country's telecommunications network from one central place, but it needs t e s pp t f pe t s...”). 31 As with cellular interception, WiFi signals can also be intercepted from a greater distance with the right equipment. See US National Security Agency, NIGHTSTAND - Wireless Exploitation/ Injection Tool, January 7, 2008, http://leaksource.files.wordpress.com/2013/12/nsa-ant- nightstand.jpg?w=604&h=781 ("Use of external amplifiers and antennas in both experimental and operational scenarios have resulted in successful NIGHTSTAND [WiFi] attacks from as far away as eight miles under ideal environmental conditions.") See also Xeni Jardin, DefCon WiFi shootout champions crowned: 125 miles, Boing Boing, July 31, 2005, http://boingboing.net/2005/07/31/defcon-wifi-shootout.html (describing a successful, record- setting 125 mile WiFi transmission by a team using 12 foot and 10 foot diameter satellite dishes). 32 See generally The Communications Assistance for Law Enforcement Act (CALEA), Pub. L. No. 103- 414, 108 Stat. 4279, codified at 47 U.S.C. §§ 1001-1010. 33 See Eric Lichtblau, Wireless Firms Are Flooded by Requests to Aid Surveillance, New York Times, July 8, 2012, available at http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in- requests-to-aid-surveillance.html (describing the 1.3 million requests the wireless carriers received in 2011 from law enforcement agencies).

8

the growing ease of access to cellular surveillance technology, makes the universe of private parties that can intercept a cellular call inestimably larger, and the range of their motives correspondingly broader, than the pool of potential law enforcement and national security actors who have both the legal capacity and technical capability to initiate a traditional wiretap of a wireline phone. The technologies that enable the direct interception of cellular phone calls without the assistance of a wireless carrier generally fall into two categories: passive and active.34 The former merely intercepts the signals sent between nearby phones and t e w eless p v de s’ network, while the latter transmits data to, and directly interacts with, the cellular phones under surveillance. Passive interception technology functions in two stages. First, the signals transmitted between a cellular phone and the wireless carrier’s netw k are intercepted as they are transmitted over the air. This process does not disrupt the signals in transit. Second, once intercepted, if the communications are encrypted, they must be must be decrypted for analysis.35 Not all communications are encrypted in transmission but, if they are, the ease of decryption varies based on the strength of the encryption algorithm chosen by the wireless carrier.36 As described in greater detail in Part V of this Article, t e j “G M” netw k pe t s n t e US, such as AT&T and T-Mobile, still use extremely weak encryption algorithms for t e lde “2G” netw ks w c can be easily deciphered with widely available

34 See Karsten Nohl and Chris Paget, GSM — SRSLY ?, 26th Chaos Communication Congress (26C3), December 27, 2009, page 11, http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf. 35 Encrypted cellular communications must be decrypted before they can be listened to, at least when encryption is used. In some countries, like India, encryption between phones and the network base stations is disabled. In India, this is a result of legislation prohibiting the use of encryption, likely intended to make interception by the government easier. See Pranesh Prakash, How Surveillance Works in India, New York Times India Ink blog, July 10, 2013, available at http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in- nd / (“p v de s n Ind have been known use A5/0, t t s, n enc ypt n”). ee also Nehaluddin Ahmad, Restrictions on cryptography in India – a case study of encryption and privacy, Computer Law & Security Review, Volume 25, issue 2, pp173- 180, 2009. In the United States, there is no law requiring the carriers to use encryption to protect calls. The choice is left entirely up to the wireless carriers, who do use encryption in some cases, but not always. See supra Part V. 36 A number of encryption algorithms are supported by modern cellular telephone systems, but the spec f c lg t sed t enc ypt c n c t ns between telep ne nd t e c e s’ netw k s c sen by t e w eless c e . In t e Un ted t tes, t e A5/1 lg t nd A5/0 (t e “NULL” encryption option) are still used by the major GSM carriers, AT&T and T-Mobile for their 2G networks. See supra Part V. The major CDMA carriers, Sprint and Verizon, use different encryption algorithms for their 2G and 3G networks. The Long Term Evolution (LTE) 4G cellular standard, which is the next generation technology adopted by all US carriers, includes support for encryption algorithms that are much stronger. However, as with prior generations of cellular technology, w eless c e s c n st ll c se t n t se ny enc ypt n (t e “NULL” pt n) w th LTE. See http://business.verizonwireless.com/content/dam/b2b/resources/LTE_FutureMobileTech_WP.pdf (“T e 128-b t AE lg t s t e p efe ed pt n n t e Ve z n W eless 4G LTE netw k… AE s preferred because it has undergone more public scrutiny t n t e enc ypt n pt ns.”).

9

software or purpose-built hardware.37 Moreover, although the competing “CDMA” cellular networks (operated by Verizon and Sprint) use different, incompatible cellular technology and encryption algorithms, surveillance companies offers products capable of intercepting and tracking CDMA phones too.38 Active interception, performed with a device known as an IMSI catcher or cell site simulator, works by impersonating a wireless base station—the carrier owned equipment installed at a cell tower to which cellular phones connect—and tricking t e t get’s phone into connecting to it.39 For some surveillance capabilities, such as intercepting communications content, the IMSI catcher can also impersonate the c e ’s network infrastructure, such that calls and text messages are transmitted through the IMSI catcher, once again without disrupting the communication and thus remaining imperceptible to the target.40 Depending on the particular features of the surveillance device and how they are configured by the operator, IMSI catchers can be used to identify nearby phones,41 to locate them with extraordinary

37 See supra Part V for a discussion of the software tools and commercial products now available to crack cellular encryption algorithms. 38 These include the Harris Corporation, and Elaman. See Lin Vinson, Major Account Manager, Wireless Products Group, Harris Corporation, letter to Raul Perez, City of Miami Police Department, August 25, 2008, http://egov.ci.miami.fl.us/Legistarweb/Attachments/48003.pdf t p ge 2 (“The Harris StingRay and KingFish systems are compatible with the CDMA standard...”). See Harris StingRay product sheet, http://files.cloudprivacy.net/Harris_Stingray_product_sheet.pdf at 1 (Desc b ng ne ve s n f t e H s t ngR y s “Transportable CDMA Interrogation, Tracking and Location, and Signal Collection Inf t n C llect n yste ”). See also Elaman government solutions, product brochure, https://www.wikileaks.org/spyfiles/files/0/188_201106-ISS- ELAMAN3.pdf t p ge 14 (“For operational field usage, off-air GSM monitoring systems are very powerful and essential....Systems for ... CDMA e [ ls ] v l ble.”). See http://en.intercept.ws/catalog/2197.html and http://www.ewa- gsi.com/Fact%20Sheets/Arrow%20CDMA%20Fact%20Sheet.pdf. 39 See Daehyun Strobel. IMSI Catcher, Seminar Work, Ruhr-Universitat Bochum, 2007, ttp://www.e sec. b.de/ ed /c ypt / tt c ents/f les/2011/04/ s _c tc e .pdf t 17 (“An IMSI Catcher exploits [the lack of authentication in GSM] weakness and masquerades to a Mobile [P ne] s B se t t n.”) 40 Ability Limited (Hong Kong), In-Between Interception System, Product Description, at page 4, ttp://www.t pl nkp c.c /pdf/IBI _B c e.PDF (“It s t e M n-In-The-Middle (MitM) attack n G M c n c t n w c s f lly ple ented n t e IBI ….D ng t e eg st t n nd authentication process compact BTS requests mobile phones to implement encryption A5/2 which they do. Real-time A5/2 decipher decrypts the information exchange and calculates Kc (ciphering Key). F t s ent IBI c n f lly t te t get’s p ne nd t lks w t GSM network on its behalf. So the target communicates with compact BTS which poses to be a real GSM network. The real GSM network talks to clone of the target phone. Computer collects information from the compact BTS and the clone. Such a scheme makes possible interception of incoming and outgoing calls.”) (e p s s added). 41 Cellxion, UGX Series 330, Transportable Dual GSM/ Triple UMTS Firewall and Analysis Tool, page 7 http:// s3.documentcloud.org/documents/810703/202-cellxion-product-list-ugx-optima- platf .pdf (“C p e ens ve dent f c t n f IM I, IMEI, nd TM nf t n ... s lt ne s g speed cq s t n f ndsets ( p t 1500 pe n te), c ss p t f ve netw ks.”). See also Septier IM I C tc e , ttp://www.sept e .c /146. t l (“ ept e IMSI Catcher allows its user to extract the IM I nd IMEI f G M M pe t ng n ts c ve ge e ”)

10

precision,42 to intercept outgoing calls and text messages,43 as well as to block service, either to all devices in the area, or to particular devices.44 Cellular interception technology, by its very nature, tends to be invasive and overbroad in its collection of data.45 Active interception devices send signals, often indiscriminately, through the walls of homes,46 vehicles, purses and pockets in order to probe and identify the phones located inside.47 Both active and passive devices also pick up the signals of other phones used by innocent third parties, particularly when government agencies using them do not know the exact location of their target and thus must drive through cities and neighborhoods while deploying cellular interception equipment in order to locate her. Both passive and active telephone surveillance technologies exploit security flaws in cellular telephones. Passive devices exploit the weak or, in some cases, lack of any encryption used to protect calls, text messages and data transmitted between

42 See Anchorage Police Department, Memorandum, Sole Source Proprietary Purchase Request Harris KingFish Dual Mode System, June 24, 2009, http://files.cloudprivacy.net/anchorage-pd-harris- memo.pdf ("The system allows law enforcement agencies ... the ability to ... Identify location of an ct ve cell l dev ce t w t n 25 feet f ct l l c t n nyw e e n t e Un ted t tes”) See also Harris AmberJack product sheet, http://egov.ci.miami.fl.us/Legistarweb/Attachments/34769.pdf at 2 (“A be J ck s p sed y d ect n-finding (DF) antenna system capable of tracking and locating mobile phone users. The DF antenna array is designed to operate with Harris' Loggerhead nd t ngR y p d cts.”) See also “G M Cell l M n t ng yste s” b c e by PKI Elect n c Intell gence G bH t 12 (dev ce c n “l c t[e]... t get b le p ne w t n n cc cy f 2 [ete s]”), v l ble t http://www.docstoc.com/docs/99662489/GSM-CELLULAR-MONITORING-SYSTEMS---PKI- Electronic-#. 43 See Ability (infra fn 36)(noting the ability to intercept “ nc ng nd tg ng c lls”); See also Verint Sales Brouchure, 2013, http://s3.documentcloud.org/documents/885760/1278-verint- product-list-engage-gi2-engage-pi2.pdf t 15 (“Listen to, read, edit and reroute incoming and outgoing calls and text messages”). 44 See CellX n, UGX Opt Pl tf , nf (fn 37) t p ge 2 (“Gl b l Den l f e v ce: D s ble ll handsets except operationally friendly”) See also See Anchorage Police Department, Memorandum, Sole Source Proprietary Purchase Request Harris KingFish Dual Mode System, June 24, 2009, http://files.cloudprivacy.net/anchorage-pd-harris-memo.pdf ("The system allows law enforcement agencies ... the ability to ... Interrupt service to active cellular connection ... Prevent connection to dent f ed cell l dev ce”) 45 In some cases, this may be a selling point. See Verint Sales Brouchure, 2013, http://s3.documentcloud.org/documents/885760/1278-verint-product-list-engage-gi2-engage- pi2.pdf t 7 (“c llect ss G M t ff c ve w de e ”). 46 T e dev ces send s gn ls l ke t se e tted by c e ’s wn b se st t ns. T se s gn ls, f c se, “penet te w lls” (necess ly, t p v de c nnect v ty indoors). What You Need to Know About Your Network, AT&T, http://www.att.com/gen/press-room?pid=14003; see also E.H. Walker, Penetration of Radio Signals Into Buildings in the Cellular Radio Environment, 62 THE BELL SYSTEMS TECHNICAL JOURNAL 2719 (1983), available at http://www.alcatel- lucent.com/bstj/vol62-1983/articles/bstj62-9-2719.pdf. 47 See John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa- p l ce/3902809/ (“Typ c lly sed t nt s ngle p ne's l c t n, t e syste nte cepts d t f ll p nes w t n le, f t e , depend ng n te n nd ntenn s.”)

11

phones and the w eless c e s’ base stations. Active surveillance devices, on the other hand, exploit the lack of authentication of the base station by cellular phones.48 As a result, phones have no way to differentiate between a legitimate base st t n wned pe ted by t e t get’s w eless c e nd g e device impersonating a carrier’s base station.49 Passive wireless surveillance devices do not transmit any signals.50 These devices are thus far more covert in operation—indeed effectively invisible51—but they can only detect signals of nearby phones when those phones are actually transmitting data.52 Active surveillance devices have the disadvantage of being relatively less covert because they produce tell-tale signals that are detectable using sophisticated, counter-surveillance equipment,53 but they possess a corresponding advantage in that they can rapidly identify and locate all nearby phones that are turned on, even if they are not transmitting any data.54

48 See Strobel infra n te ** t 17 (“An IM I C tc e expl ts [the one sided authentication] weakness [ n G M] nd sq e des t M b le t t n s B se t t n”). 49 More recent cellular phone systems, including so-called 3G and 4G networks, now include the capability for phones to authenticate the network base stations. See generally Muxiang Zhang; Yuguang Fang, Security analysis and enhancements of 3GPP authentication and key agreement protocol, Wireless Communications, IEEE Transactions on, vol.4, no.2, pp.734,742, March 2005, available at http://islab.iecs.fcu.edu.tw/GroupMeeting/PowerPoint/20050506_1.pdf. However, even the latest smartphones are backward compatible with older, vulnerable phone network technologies, which allows the phone to function if it is taken to a rural location or foreign country where the only service offered is 2G. As a result, modern phones remain vulnerable to active surveillance via a protocol rollback attack in which the nearby 3G and 4G network signals are first jammed. See Matthew Green, On cellular encryption, A Few Thoughts on Cryptographic Engineering, May 13, 2013, http://blog.cryptographyengineering.com/2013/05/a-few-thoughts-on-cellular- enc ypt n. t l (“T e b ggest s ce f c nce n f 3G/LTE s t t y y n t be s ng t. M st phones are programmed to gracefully 'fail over' to GSM when a 3G/4G connection seems unavailable. Active attackers exploit this feature to implement a rollback attack — jamming 3G/4G connections, and thus re- ct v t ng ll f t e G M tt cks.”). 50 See Ability, GTReS – GSM Traffic Recording System, http://www.interceptors.com/intercept- solutions/Passive-GSM-Inte cept . t l (“GTRe s lt -band fully passive GSM interception system designed to record the entire traffic occurring between Base Transmitting Stations (BTS) and Mobile Stations (MS) located w t n t e syste ’s pe t n l nge. T s e ns l te lly tens even nd eds f s lt ne s c lls…. GTRe d es n t ve ny t ns tt ng p ts… GTRe ’ pe t n s c pletely ndetect ble.”) 51 See Verint Sales Brouchure, 2013, http://s3.documentcloud.org/documents/885760/1278-verint- product-list-engage-gi2-engage-pi2.pdf t 7 (“Operate undetected leaving no electromagnetic signature”). 52 Any phone that is connected to a cellular network will regularly transmit data to nearby base stations, even if it is not making calls, sending text messages or using the Internet. Locating a phone that is not currently transmitting data with a passive interception device may, however, require w t ng s e t e nt l t e dev ce “c ecks n” w t t e cell l netw k r otherwise engages in a communication with a nearby base station. 53 T ese dev ces e kn wn s “IM I c tc e c tc e s”. See CatcherCatcher, Security Research Labs, https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/CatcherCatcher, (“T e C tc e C tc e t l detects b le netw k eg l t es nt ng t f ke b se st t n ct v ty…F IM I c tc e s t c eve t e g ls t ey w ll need t s w be v d ffe ent f n l b se st t ns”). 54 See Cellxion, supra note 38.