IMSI | chriscrook.io

After The Sun revealed massive use of IMSI catchers in Baltimore City over the 8 years, I decided to try to FOIA BPD. Well, first road block is that their submission form online doesn’t even work. The SMTP server is jacked up. Further, the CAPTCHA code at the bottom of the page never changes and can be copied and pasted.

The idea that an NDA that a private company forces a police department into trumps court orders is utterly insane and must be stopped. Many of the claims made in the NDA do not hold up to scrutiny anymore either, so I’m considering it null and void on those grounds and intend to take this to court if necessary.

Here’s my request:

Dear Custodian of Records,

I am writing, pursuant to Maryland Public Information Act laws and regulations, that any and all usage of IMSI/IMEI catcher, cell phone tower simulators, or devices similar to models known as “Stingray” or “Hailstorm” devices be provided.

This information should include how many times devices were employed and whether or not a warrant was obtained for their use, and if so, which judge authorized such warrants. No information that would be exempt under seciton 3 (Court Rules) is requested, just a broader amount of counts of use, and number of warrants broken down by which judge ordered them.

Separately, any records derived from the above devices that include my IMEI number (REDACTED) are also requested to ensure my privacy has not been unduly invaded in the course of business by Baltimore City Police’s excessive use of the aforementioned devices over the past 8 years.

Further, I request to know if Foxtrot (BPD’s helicopter) is capable of carrying an IMSI/IMEI/Cell phone simulator/stingray/hailstorm device, and if so, whether it has been employed.

Further, I also request information pertaining to the number of the aforementioned devices the Baltimore Police has purchased, and at what cost.

I expect this request to be honored individually among its parts rather than approved or denied wholesale. Information may be provided through digital or hard copy (digital preferred). If the cost exceeds $50 please contact me.

This request is not exempt from the Maryland Public Information Act as the NDA entered into by Baltimore City Police with Harris Corp is unlawful in that it is at odds with the public interest and prevents me from determining if my Constitutional right to privacy was violated. There is no non-public information about these devices and the counter-party to the NDA does not even hold a patent to such technology, as it is the same technology as a cell phone tower, thus no trade secrets or confidential information can possibly exist.

Thus, the non-disclosure agreement regarding the equipment is invalid, and as a basis of denial of records and court orders to that effect is purposefully deceptive and unlawful. Now that the public knows these devices have been in use for 8 years, the NDA’s claims to protecting the lives of officers is no longer valid, nor is the claimed benefit of concealing information valid any longer as the public is aware of such devices and actions by the police. The conclusions drawn no longer hold.

In the event any part of this request is denied, the requester intends to fully invoke the remedies in the Maryland Public Information Act to the fullest extent, up to and including holding the custodian of records legally accountable for improper denial.

Looking forward to your response,
Chris Crook

Should be interesting to see if I get a response. Had to guess some email addresses @baltimorepolice.org – apparently webmaster and legal got through. Next step: Building a mesh network of counter-detectors. If they won’t give me the information, I’ll find a way to provide it.

I had picked up a GSM/GPRS shield for my Arduino a while back without any specific plans for it — I just thought it would be cool to have a project in the future that was able to communicate wireless over the Internet for either report purposes or to react to events (texts, tweets, etc).

After reports came out regarding local law enforcement’s use of IMSI catching devices like the Harris Stingray, I decided to start experimenting with the shield as means of at least detecting the use of IMSI catching devices. Since I believe in the balance of power between law enforcement and citizens, and strongly believe in privacy rights, I wish there were countermeasures (blacklisting after discovery?) that could be developed, but perhaps that is the next step after accurate detection of the devices in the first place. The project is still under development, but so far here are my assumptions and how they figure into my plan of action.

Assumptions & Background Knowledge

IMSI catchers generally broadcast an extraordinarily strong signal in order to ensure that target cell phones in the area opt to connect to it versus other, real, cell phone towers. This means signal strength analysis is important to identifying an IMSI catcher.

Further, most, if not all IMSI catchers interrupt service to some degree. Since they aren’t part of the true cell phone network, typically issues arise when receiving calls and/or texts. This information should also be possible to leverage during the IMSI catcher identification process. I’m thinking an SMS notification service like Amazon’s SNS could be useful in this case to have the Arduino trigger texts to itself (since data typically still operates even when connected to an IMSI catcher) and see if they are actually delivered in a timely manner or not. This could indicate whether the Arduino is connected to a false tower.

We also know there are multiple physical deployment options for IMSI catchers, from stationary devices, to ground-based semi-mobile (i.e. surveillance vans), to airborne (i.e. drones & specially equipped planes (with assistance from the CIA). Since may of these can be mobile, I think my detection of the devices will have to be from stationary position(s) such that it is possible to detect the movement of the “tower” through signal strength changes and/or triangulation.

It may also be an interesting exercise to toggle through a number of directional antennae (or a single, rotating directional antenna) to see if the direction of the tower or IMSI device could be deduced, potentially leading to the ability to confront and shame law enforcement personnel utilizing the device (say, from a surveillance van) against innocent individuals’ devices (i.e. my Arduino “phone” which has never even made a call).

Out of convenience, and for lack of an adapter for my phone’s existing nano SIM card, I picked up a prepaid GSM SIM from the local Dollar General for about $10 for the kit, and $35 for the first month of service.

Next Steps

I plan to get acquainted with the GSM shield and commands to see what I need to do to create a device that can alert to and log the presence of potentially fake GSM towers, preferably with GPS coordinates marking the location of detection, and possible base station locations.

More to come as this project progresses. I also recently picked up an RTL-SDR device that should allow straight up spectrum analysis in GSM frequency ranges, so that may change the direction of this project as well.

Since novel legal techniques are being used to suppress information regarding the use of these devices by law enforcement (non-disclose agreements between law enforcement and the manufacturer, which somehow trump Constitutional concerns, WTF?) it is time for this citizen to take matters into his own hands to at least reveal the extent of surveillance being performed on the average American using Stingray-like IMSI capturing devices. It has become clear from the Snowden revelations that the court system cannot be relied upon to protect citizens, or even to provide information with respect to FOIA requests. The only alternative is to play the same game the government is playing, utilizing technology, but play it back harder in order to force transparency in these programs.

chriscrook.io

Codified.

Tag Archives: IMSI

Baltimore City: IMSI Hell

Catching IMSI Catchers: Part 1