Communication security

One Small Fix Would Curb Stingray Surveillance

Law enforcement in the United States, international spies, and criminals have all used (and abused) the surveillance tools known as "stingrays" for more than a decade. The devices can track people's locations and even eavesdrop on their calls, all thanks to weaknesses in the cellular network. Today, researchers are detailing a way to stop them—if only telecoms would listen.

Stingrays derive their power by pretending to be cell towers, tricking nearby devices into connecting to them instead of the real thing. The same vulnerabilities that enable that behavior could also be used to, say, spoof emergency alerts on a large scale. At the USENIX Enigma security conference in San Francisco on Monday, research engineer Yomna Nasser will detail those fundamental flaws and suggest how they could finally get fixed.

"The point of my talk is to try and explain the root cause behind all these types of attacks, which is basically the lack of authentication when phones are first trying to find a tower to connect to," Nasser says. "If something looks like a cell tower, they will connect; that’s just a consequence of how cell network technology was designed decades ago. And it's really hard to redesign things to do security really well—the lack of authentication problem still exists in 5G."