
Baltimore City: IMSI Hell

After The Sun revealed massive use of IMSI catchers in Baltimore City over the past 8 years, I decided to try to FOIA BPD.  Well, the first roadblock is that their online submission form doesn’t even work.  The SMTP server is jacked up.  Further, the CAPTCHA code at the bottom of the page never changes and can be copied and pasted.

The idea that an NDA that a private company forces a police department into trumps court orders is utterly insane and must be stopped.  Many of the claims made in the NDA do not hold up to scrutiny anymore either, so I’m considering it null and void on those grounds and intend to take this to court if necessary.

Here’s my request:

Dear Custodian of Records,

I am writing, pursuant to Maryland Public Information Act laws and regulations, that any and all usage of IMSI/IMEI catcher, cell phone tower simulators, or devices similar to models known as “Stingray” or “Hailstorm” devices be provided.

This information should include how many times devices were employed and whether or not a warrant was obtained for their use, and if so, which judge authorized such warrants. No information that would be exempt under section 3 (Court Rules) is requested, just a broader amount of counts of use, and number of warrants broken down by which judge ordered them.

Separately, any records derived from the above devices that include my IMEI number (REDACTED) are also requested to ensure my privacy has not been unduly invaded in the course of business by Baltimore City Police’s excessive use of the aforementioned devices over the past 8 years.

Further, I request to know if Foxtrot (BPD’s helicopter) is capable of carrying an IMSI/IMEI/Cell phone simulator/stingray/hailstorm device, and if so, whether it has been employed.

Further, I also request information pertaining to the number of the aforementioned devices the Baltimore Police has purchased, and at what cost.

I expect this request to be honored individually among its parts rather than approved or denied wholesale. Information may be provided through digital or hard copy (digital preferred). If the cost exceeds $50 please contact me.

This request is not exempt from the Maryland Public Information Act as the NDA entered into by Baltimore City Police with Harris Corp is unlawful in that it is at odds with the public interest and prevents me from determining if my Constitutional right to privacy was violated. There is no non-public information about these devices and the counter-party to the NDA does not even hold a patent to such technology, as it is the same technology as a cell phone tower, thus no trade secrets or confidential information can possibly exist.

Thus, the non-disclosure agreement regarding the equipment is invalid, and as a basis of denial of records and court orders to that effect is purposefully deceptive and unlawful. Now that the public knows these devices have been in use for 8 years, the NDA’s claims to protecting the lives of officers is no longer valid, nor is the claimed benefit of concealing information valid any longer as the public is aware of such devices and actions by the police. The conclusions drawn no longer hold.

In the event any part of this request is denied, the requester intends to fully invoke the remedies in the Maryland Public Information Act to the fullest extent, up to and including holding the custodian of records legally accountable for improper denial.

Looking forward to your response,
Chris Crook

Should be interesting to see if I get a response.  Had to guess some email addresses @baltimorepolice.org – apparently webmaster and legal got through.  Next step: Building a mesh network of counter-detectors.  If they won’t give me the information, I’ll find a way to provide it.

Catching IMSI Catchers: Part 1

I had picked up a GSM/GPRS shield for my Arduino a while back without any specific plans for it. I just thought it would be cool to have a project in the future that was able to communicate wirelessly over the Internet for either reporting purposes or to react to events (texts, tweets, etc).

After reports came out regarding local law enforcement’s use of IMSI catching devices like the Harris Stingray, I decided to start experimenting with the shield as a means of at least detecting the use of IMSI catching devices.  Since I believe in the balance of power between law enforcement and citizens, and strongly believe in privacy rights, I wish there were countermeasures (blacklisting after discovery?) that could be developed, but perhaps that is the next step after accurate detection of the devices in the first place.  The project is still under development, but so far here are my assumptions and how they figure into my plan of action.

Assumptions & Background Knowledge

IMSI catchers generally broadcast an extraordinarily strong signal in order to ensure that target cell phones in the area opt to connect to it versus other, real, cell phone towers.  This means signal strength analysis is important to identifying an IMSI catcher.

Further, most, if not all IMSI catchers interrupt service to some degree.  Since they aren’t part of the true cell phone network, typically issues arise when receiving calls and/or texts.  This information should also be possible to leverage during the IMSI catcher identification process.  I’m thinking an SMS notification service like Amazon’s SNS could be useful in this case to have the Arduino trigger texts to itself (since data typically still operates even when connected to an IMSI catcher) and see if they are actually delivered in a timely manner or not.  This could indicate whether the Arduino is connected to a false tower.

We also know there are multiple physical deployment options for IMSI catchers, from stationary devices, to ground-based semi-mobile (i.e. surveillance vans), to airborne (i.e. drones & specially equipped planes, with assistance from the CIA).  Since many of these can be mobile, I think my detection of the devices will have to be from stationary position(s) such that it is possible to detect the movement of the “tower” through signal strength changes and/or triangulation.

It may also be an interesting exercise to toggle through a number of directional antennae (or a single, rotating directional antenna) to see if the direction of the tower or IMSI device could be deduced, potentially leading to the ability to confront and shame law enforcement personnel utilizing the device (say, from a surveillance van) against innocent individuals’ devices (i.e. my Arduino “phone” which has never even made a call).

Out of convenience, and for lack of an adapter for my phone’s existing nano SIM card, I picked up a prepaid GSM SIM from the local Dollar General for about $10 for the kit, and $35 for the first month of service.
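As an added example (not code from this project), here is one way the signal-strength, movement and self-SMS assumptions above could be turned into scoring logic over readings logged by a stationary sensor. The struct names, thresholds and sample data are assumptions, and reading cell data from the GSM shield is left out.

```cpp
// Added example: scoring logic only. Thresholds, names and data are assumptions.
#include <algorithm>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

struct Obs { long t; int cellId; int rssiDbm; };      // reading from a stationary sensor
struct SmsProbe { long sentAt; long receivedAt; };    // receivedAt < 0: never delivered
struct Finding { int cellId; bool unknownAndStrong; bool moving; };
const int  STRONG_MARGIN_DB = 10;  // unknown cell this much louder than any surveyed cell
const int  DRIFT_DB = 15;          // RSSI swing suggesting the transmitter itself moved
const long SMS_TIMEOUT_S = 60;     // self-SMS slower than this counts as disrupted
// Flag cells that are unknown and unusually strong, or whose signal swings widely.
std::vector<Finding> scoreCells(const std::map<int, int>& baseline,  // cellId -> usual RSSI
                                const std::vector<Obs>& log) {
    int loudest = -200;
    for (const auto& kv : baseline) loudest = std::max(loudest, kv.second);
    std::map<int, std::pair<int, int>> range;         // cellId -> (min, max) RSSI seen
    for (const Obs& o : log) {
        auto r = range.emplace(o.cellId, std::make_pair(o.rssiDbm, o.rssiDbm)).first;
        r->second.first = std::min(r->second.first, o.rssiDbm);
        r->second.second = std::max(r->second.second, o.rssiDbm);
    }
    std::vector<Finding> out;
    for (const auto& kv : range) {
        bool strong = !baseline.count(kv.first) && kv.second.second >= loudest + STRONG_MARGIN_DB;
        bool moving = kv.second.second - kv.second.first >= DRIFT_DB;
        if (strong || moving) out.push_back({kv.first, strong, moving});
    }
    return out;
}
// Count self-addressed SMS probes that were lost or delivered late.
int disruptedProbes(const std::vector<SmsProbe>& probes) {
    int n = 0;
    for (const SmsProbe& p : probes)
        if (p.receivedAt < 0 || p.receivedAt - p.sentAt > SMS_TIMEOUT_S) ++n;
    return n;
}
// Constructed sample data, not real measurements.
const std::map<int, int> SAMPLE_BASELINE = {{1001, -85}, {1002, -92}, {1003, -78}};
const std::vector<Obs> SAMPLE_LOG = {{0, 1001, -84}, {0, 1003, -79}, {60, 1001, -86},
    {60, 9999, -55}, {120, 9999, -52}, {120, 1002, -91}, {180, 9999, -71}};
const std::vector<SmsProbe> SAMPLE_PROBES = {{0, 8}, {60, -1}, {120, 200}};

int main() {
    for (const Finding& f : scoreCells(SAMPLE_BASELINE, SAMPLE_LOG))
        std::printf("cell %d strong=%d moving=%d\n", f.cellId, f.unknownAndStrong, f.moving);
    std::printf("disrupted probes: %d\n", disruptedProbes(SAMPLE_PROBES));
}
```

A single flag is weak evidence on its own; a new tower, a repeater or ordinary fading can trip either check, so the flags are best read together with the probe count.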

Next Steps

I plan to get acquainted with the GSM shield and commands to see what I need to do to create a device that can alert to and log the presence of potentially fake GSM towers, preferably with GPS coordinates marking the location of detection, and possible base station locations.

More to come as this project progresses.  I also recently picked up an RTL-SDR device that should allow straight up spectrum analysis in GSM frequency ranges, so that may change the direction of this project as well.

Since novel legal techniques are being used to suppress information regarding the use of these devices by law enforcement (non-disclosure agreements between law enforcement and the manufacturer, which somehow trump Constitutional concerns, WTF?) it is time for this citizen to take matters into his own hands to at least reveal the extent of surveillance being performed on the average American using Stingray-like IMSI capturing devices.  It has become clear from the Snowden revelations that the court system cannot be relied upon to protect citizens, or even to provide information with respect to FOIA requests.  The only alternative is to play the same game the government is playing, utilizing technology, but play it back harder in order to force transparency in these programs.

DoJ Cognitive Dissonance: StingRay vs. StealthGenie

Today the Department of Justice announced the arrest of a Pakistani man for writing and selling the StealthGenie spyware app that can monitor all communication from a cell phone, and can do so undetected.  The grounds for the arrest were based on the fact that it was advertised for spying on one’s spouse, enabling stalkers and domestic abusers:

“StealthGenie has little use beyond invading a victim’s privacy” said U.S. Attorney Boente. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners.”

“This application allegedly equips potential stalkers and criminals with a means to invade an individual’s confidential communications,” said FBI Assistant Director in Charge McCabe.

While that is understandable, I can think of a scenario in which the software would be otherwise useful, not to mention similar to other phone recovery programs that allow users to look up the current location of their device, have similar features and are simply marketed differently.  If my phone was stolen, it could be immensely useful to be able to see what the individual using it is doing with it, including who they’re calling and what they’re accessing via the data connection. Some parents may also want to monitor what their children are doing as well (whether or not you agree with that as being good parenting is another question…).

Also included in the press release was an additional statement from McCabe:

“They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victim’s phones and illegally tracking an individual’s every move. As technology continues to evolve, the FBI will investigate and bring to justice those who use illegal means to monitor and track individuals without their knowledge.”

It would seem that accessing a system to which you are not legally provided permission (i.e. someone else’s cell phone in order to install this app) would already be against the law, and has been for decades.  It’s also interesting that this statement is referencing users of the software, rather than anything regarding the creator who was arrested.

The ultimate irony of this statement is that the FBI itself has been illegally monitoring and tracking individuals without warrants.  The device they use is manufactured by Harris Corporation and goes by a number of names including Stingray.  Basically, the device is a fake cell tower that any cell phone will automatically connect to since phones constantly look for the best cell signal possible — even if they don’t connect they’ll still handshake with the tower.  Law enforcement is then able to collect all individually-identifying IMSI/IMEI codes of the phones that have connected and are able to locate individuals based on this information.

The FBI, US Marshals and local law enforcement agencies have gone to extreme lengths to keep the program secret and out of the court system, including the FBI even using non-disclosure agreements with local law enforcement agencies using the surveillance product.  The Marshals, after the ACLU drew attention to their use of the device, seized local law enforcement records to prevent them from being exposed in court proceedings. Considering the recent discovery that there are many fake cell towers across the country, and it is unknown who is operating them, a reasonable assumption would be that it is local or federal law enforcement.

So how exactly do the DoJ and FBI rationalize arresting a man for creating a product that could be used in nefarious ways, when the FBI itself contracts with a private company that makes an even more invasive and privacy-eliminating product?  We shall see: I left a message with the DoJ’s press office asking for a statement regarding usage of Stingray in the face of this arrest.  My guess will be that my call will not be returned, or if it is, it will be “No Comment”.  Feel free to give them a call: 202-514-2007.

Will the CEO of Harris Corp be arrested for creating a product that has “little use beyond invading an individual’s privacy”?  The device they manufacture literally has no other purpose than to violate the civil rights of Americans by law enforcement when used for blanket data collection with or without a warrant.  It has no other valid use.  How can we trust our law enforcement when they arrest people for doing the same thing they do?  How can we trust them when they won’t even get a warrant to utilize such a device?  How can we trust them when they do everything in their power to suppress how the device has actually been used from coming to light in court?

Perhaps we should go back to the tried and true reasons for arresting and convicting:  an actor commits a crime against a specific victim or victims.  Creating software that can be used by those with ill intent is not a crime; using the software in a malicious fashion is.

I don’t believe anyone is suggesting we arrest the manufacturers of encryption software or hardware because it can be used to cover up evidence of criminal activity, yet that’s what we’re doing in this case despite heavy feature overlap between this product and many others currently available.

  • If the major difference is marketing, is it really a crime?
  • If I use innuendo instead, or market the same exact product with a different stated purpose, is it still a crime?
  • If I suggest that you could re-purpose a Square card reader to steal credit card numbers, am I liable for marketing an identity theft device?

Simple marketing has no victim.  The people who would buy such a product and use it against another are the ones committing a crime.

I’ll post an update if and when I hear back from the DoJ regarding their comment.  This pissed me off enough to make an inaugural blog post about it.  More to come on technology, personal projects, and freedom.