Build your own IMSI slurping, phone-stalking Stingray-lite box – using bog-standard Wi-Fi

Wi-Fi networks can tease IMSI numbers out of nearby smartphones, allowing pretty much anyone to wirelessly track and monitor people by their handsets' fingerprints. Typically, if you want to stalk and identify strangers via their IMSI numbers, you use a Stingray-like device, or any software-defined radio, that talks to …

  1. Anonymous Coward
    Black Helicopters

    Don't want to be tracked?

    Turn it off....the only way these days. Although I'm sure some phones probably don't actually turn off and still harvest data, y'know, for convenience.

    1. Jim Mitchell

      Re: Don't want to be tracked?

      The problem here is that a phone that is off is not very useful.

      1. 404

        Re: Don't want to be tracked?

        Well hopefully you left your phone, wallet, and tax information folder home before you went out doing nefarious things... but some don't so there you go.

      2. Anonymous Coward
        Anonymous Coward

        Re: Don't want to be tracked?

        "The problem here is that a phone that is off is not very useful."

        I find it stops people pestering me with unwanted phone calls, which is very useful indeed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Don't want to be tracked?

          If you don't want phone calls, then why do you have a phone?

          1. Uffish

            Re: "why do you have a phone?"

            I have a phone to make phone calls, receiving them is incidental.

            ( Yes, I do lead a rather quiet life now, why do you ask? )

    2. Terry Cloth

      Re: Don't want to be tracked?

      Isn't it sufficient to turn off the Wi-Fi? Who needs it if she's not actually surfing?

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't want to be tracked?

        I would think so. I use my phone as little as humanly possible, especially when I have access to a proper computer. The last time I used mobile data was to look up the electric company's phone number when the power went out.

      2. Don Dumb
        Terminator

        Re: Don't want to be tracked?

        @Terry Cloth - "Isn't it sufficient to turn off the Wi-Fi? Who needs it if she's not actually surfing?"

        The article does mention WiFi calling in passing and the clue is The Underground. WiFi calling is becoming handy for many to receive phone calls when one's mobile network is weak/non-existent, especially true in places like The Tube. So it's becoming more useful to keep WiFi on and allow the phone to join apparently known networks as one walks around, simply in order to use the phone as a phone, not just an internet browsing device.

        Of course 'useful' in this context is a synonym for 'very dangerous'.

        1. Anonymous Coward
          Anonymous Coward

          Re: Don't want to be tracked?

          The article does mention WiFi calling in passing and the clue is The Underground. WiFi calling is becoming handy for many to receive phone calls when one's mobile network is weak/non-existent, especially true in places like The Tube.

          There's also the whole play of location services which use WiFi to be more accurate - somewhere there must be a feedback loop there as well. I know that anything using location facilities immediately starts to whinge when I kill off WiFi.

          That said, being out of reach was actually one of the benefits of Tube travel :(. I personally only have WiFi on when I actively need it (and usually I don't as I prefer a decent keyboard for online use).

          1. Anonymous Coward
            Anonymous Coward

            Re: Don't want to be tracked?

            > There's also the whole play of location services which use WiFi to be more accurate - somewhere there must be a feedback loop there as well.

            Ah, that. I suspect that Google maps WiFi APs by collecting 'telemetry' from Android phones with WiFi and GPS both enabled. Some years ago they got busted for doing that with their Streetview cars, but their wifi location services are accurate even in neighborhoods never mapped by Streetview, so it's probably phones now.

            I guess most people have already learned to turn off GPS and WiFi to avoid wasting battery on being tracked. And the rest won't be swayed by this latest news, unfortunately.

        2. Robert Carnegie Silver badge

          How dangerous -

          If the result of location sniffing is "I'm on a train"?

          1. Anonymous Coward
            Anonymous Coward

            Re: How dangerous -

            The last person who thought he might be safe on the Tube was Juan de Menezes. Ask him. Oh wait, you can't. The State killed him.

      3. Jason Bloomberg Silver badge

        Re: Don't want to be tracked?

        Isn't it sufficient to turn off the Wi-Fi? Who needs it if she's not actually surfing?

        Leaving WiFi on is convenient as it auto-disconnects when one leaves home and reconnects when one gets back. That is handy for getting email, alerts, news, weather and app updates without having to remember to switch WiFi back on.

        My phone has an expired SIM, is only used as an internet device, so it's convenient for me to have it auto-connect to all the freebie hotspots it can when out shopping. I get almost unlimited free WiFi and that suits me fine.

    3. DNTP

      How do you know your phone's wi-fi is off?

      The phone tells you so, of course! I'm sure it's telling you the truth. You're the phone's owner, with full control over every aspect of your device, not the multitude of corporate and government interests who are stakeholders in your phone's ability to gather personal data.

    4. Anonymous Coward
      Anonymous Coward

      Re: Don't want to be tracked?

      You mean turn it off and take the battery out.

      If you have a phone where you cannot remove the battery, get yourself a phone-sized Faraday cage.

      You might get away with wrapping it in Aluminium foil or woven copper mesh.

      Anon: they don't want you to know this.

  2. Herby
    Joke

    Might as well...

    Implant the whole device in our bodies, and use them to run the device. No exploding batteries is a bonus to boot. Then we'll have antennae poking out of our heads and everybody will know as much as they want.

    Sounds like a future described in books, so it must be good.

    1. Anonymous Coward
      Anonymous Coward

      Re: Might as well...

      Implant the whole device in our bodies, and use them to run the device. No exploding batteries is a bonus to boot. Then we'll have antennae poking out of our heads and everybody will know as much as they want.

      I think prisoners are ahead of you. But they don't have the aerial sticking out of their head..

  3. Pen-y-gors

    Viva Ned Ludd

    Sometimes I do worry about the march of technology. Do you think when Hengist Pod was demonstrating his wonderful new wheel, any of the neighbours were heard to mutter, ah yes, what could possibly go wrong? And won't someone think of the children...

  4. -tim
    Pint

    Two factor authentication?

    So my computer's built-in wifi could do two-factor authentication without me even knowing about it. I'm not sure if that is cool or scary or both.

    1. Pascal Monett Silver badge

      Can't see that happening

      2FA is you on your computer going to a web page that sends an SMS with a code to your phone, code that you have to type in on your computer keyboard to access the web site. I fail to see how your computer could capture the SMS and get the code and use it on its own. The procedure described a method to get your phone's IMSI code, but the article specifically and clearly indicates that it cannot be used to spy on your messages or calls.

      So no, your computer is not going to self-2FA. Not without growing some arms to grab your phone and some eyes to find the SMS and the code it contains. If it does have those functional extensions, I would be very interested in the software that would make them accomplish such an act.

      Personally, I only have wi-fi activated when I am using it to connect to the Internet. I can't leave it on like that or my battery will be flat in half a day. Funnily enough, using the 3G connection does not deplete my battery so fast.

      1. David Roberts

        Re: Can't see that happening - 2FA

        Most phones have a built in web browser. So software with enough access could connect to a web site, invoke 2FA, catch the incoming SMS and paste the code back into the web site.

        Which is why 2FA using SMS is not a fully secure system because you need two clearly different delivery channels for the two factors, not just two applications on the same device.

        1. Mookster

          Re: Can't see that happening - 2FA

          Pascal and Dave clearly don't understand that the two factors aren't restricted to the set of [SMS, password]. Authentication from a SIM is relatively strong

          1. David Roberts

            Re: Can't see that happening - 2FA

            The response was specific to the SMS/website scenario.

            However the broader point remains; not good to have all your eggs on one device.

        2. Pascal Monett Silver badge

          @Dave Roberts

          I totally agree with you, but my response was to a poster that said "computer", not mobile phone.

          The PC will not self-2FA any time soon.

          Mobile phones are a walking security disaster case, so who knows ?

  5. Anonymous Blowhard

    Hotspot 2.0

    Worth knowing that this feature is sometimes labelled "Hotspot 2.0".

    Windows Mobile allows you to turn this off (not sure what the default is), so I'm guessing Android and iOS also do.

    More info here.

  6. tiggity Silver badge

    WiFi

    Quite frankly if you use some random WiFi hotspot from your mobile you are always taking a potentially big risk.

    So a trade off of security vs how much you really want to see those cat vids (or whatever).

    Plus no mobile signal on the train has the advantage of plausible deniability when you say you never received that text to pick up a carton of milk / loaf of bread / whatever on your way home that you forgot / CBA to do

  7. Wibble

    Upset the spooks

    This publicity must really piss off the spooks as this is the sort of thing they would have dreamt up for their use.

  8. Anonymous Coward
    Anonymous Coward

    You might be able to use an IMSI number to social engineer a PAC code out of a mobile network operator. If a victim used text message as a form of two factor authentication for any online accounts it would be game over for them.

    1. Mookster

      Surely the only thing worth having would be the Kid? As for tracking - isn't the phone's WLAN MAC address exposed anyway?
