Feeds

US Justice Department free to track mobile phone users

If you have nothing to hide...

Choosing a cloud hosting partner with confidence

The American Civil Liberties Union has revealed that the FBI no longer feels the need for judicial or operator oversight when deploying base station-faking technology to detect mobile phones.

This capability is nothing new, but previously it was assumed that a warrant was needed before the FBI started tracking phones and that the network operator would need to be informed. These are optimistic assumptions in this age of fear embodied in the USA's Patriot* Act, as shown in the documents obtained by the ACLU. Instead the FBI just gets a pen-trap order, granted under the Foreign Intelligence Surveillance Act, and Bob's your uncle.

The technology, known as Triggerfish, pretends to be a base station so that mobile handsets happily connect to it and identify themselves. A Triggerfish deployment can wait for a specific handset to pass by, or just grab nearby identities for later analysis.

When the GSM security model was created there was no attempt to confirm the identity of the base station - it never occurred to the designers that fake base stations would exist so all the authentication is one-way. Worse still, while the IMSI (unique to the subscriber) is not supposed to be sent over the network, the standard allows a base station to claim to have "lost" the corresponding TMSI (temporary equivalent) and thus ask the handset to resend the IMSI in the clear.

Setting up fake base stations is pretty rare, but clearly the US authorities aren't alone in doing it, which is why the 3G GSM standard requires base stations to authenticate themselves too - making Triggerfish once again inoperable without network operator collusion, at least where 3G is being used by default. ®

*Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, since you ask.

Secure remote control for conventional and virtual desktops

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.