The StingRay is an IMSI-catcher, a controversial cellular phone surveillance device, manufactured by Harris Corporation. Initially developed for the military and intelligence community, the StingRay and similar Harris devices are in widespread use by local and state law enforcement agencies across Canada, the United States, and in the United Kingdom. Stingray has also become a generic name to describe these kinds of devices.
The StingRay is an IMSI-catcher with both passive (digital analyzer) and active (cell-site simulator) capabilities. When operating in active mode, the device mimics a wireless carrier cell tower in order to force all nearby mobile phones and other cellular data devices to connect to it.
The StingRay family of devices can be mounted in vehicles, on aeroplanes, helicopters and unmanned aerial vehicles. Hand-carried versions are referred to under the trade name KingFish.
Active mode operations
- Extracting stored data such as International Mobile Subscriber Identity ('IMSI') numbers and Electronic Serial Number ('ESN')
- Writing cellular protocol metadata to internal storage
- Forcing an increase in signal transmission power
- Forcing an abundance of radio signals to be transmitted
- Forcing a downgrade to an older and less secure communications protocol if the older protocol is allowed by the target device, by making the Stingray pretend to be unable to communicate on an up-to-date protocol
- Interception of communications data or metadata
- Using received signal strength indicators to direction find the cellular device
- Conducting a denial of service attack
- Radio jamming for either general denial of service purposes or to aid in active mode protocol rollback attacks
Passive mode operations
- Conducting base station surveys, which is the process of using over-the-air signals to identify legitimate cell sites and precisely map their coverage areas
Active (cell site simulator) capabilities
In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (e.g., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay. In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area. A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area.
Extracting data from internal storage
During the process of forcing connections from all compatible cellular devices in a given area, the StingRay operator needs to determine which device is the desired surveillance target. This is accomplished by downloading the IMSI, ESN, or other identifying data from each of the devices connected to the StingRay. In this context, the IMSI or equivalent identifier is not obtained from the cellular service provider or from any other third-party. The StingRay downloads this data directly from the device using radio waves.
In some cases, the IMSI or equivalent identifier of a target device is known to the StingRay operator beforehand. When this is the case, the operator will download the IMSI or equivalent identifier from each device as it connects to the StingRay. When the downloaded IMSI matches the known IMSI of the desired target, the dragnet will end and the operator will proceed to conduct specific surveillance operations on just the target device.
In other cases, the IMSI or equivalent identifier of a target is not known to the StingRay operator and the goal of the surveillance operation is to identify one or more cellular devices being used in a known area. For example, if visual surveillance is being conducted on a group of protestors, a StingRay can be used to download the IMSI or equivalent identifier from each phone within the protest area. After identifying the phones, locating and tracking operations can be conducted, and service providers can be forced to turn over account information identifying the phone users.
Forcing an increase in signal transmission power
Cellular telephones are radio transmitters and receivers much like a walkie-talkie. However, the cell phone communicates only with a repeater inside a nearby cell tower installation. At that installation, the equipment takes in all cell calls in its geographic area and repeats them out to other cell installations, which repeat the signals onward to their destination telephone (either by radio or landline wires). Radio is also used to transmit a caller's voice/data back to the receiver's cell telephone. The two-way duplex phone conversation then exists via these interconnections.
To make all of that work correctly, the system automatically increases and decreases transmitter power (for the individual cell phone and for the tower repeater, too) so that only the minimum transmit power needed to complete the call and hold it active is used, while still allowing the users to hear and be heard continuously during the conversation. The goal is to hold the call active with the least amount of transmitting power, mainly to conserve batteries and be efficient. The tower system will sense when a cell phone is not coming in clearly and will order the cell phone to boost transmit power. The user has no control over this boosting; it may occur for a split second or for the whole conversation. If the user is in a remote location, the power boost may be continuous. In addition to carrying voice or data, the cell phone also transmits data about itself automatically, and that is boosted or not as the system detects need.
Encoding of all transmissions ensures that no cross talk or interference occurs between two nearby cell users. The boosting of power, however, is limited by the design of the devices to a maximum setting. The standard systems are not 'high power' and thus can be overpowered by secret systems transmitting at much higher power, which can then take over a user's cell phone. If overpowered that way, a cell phone will not indicate the change, because the secret radio is programmed to hide from normal detection. The ordinary user cannot know whether their cell phone has been captured via overpowering boosts. (There are also other ways of secret capture that do not need to overpower.)
Just as a person shouting drowns out someone whispering, the boost in RF watts of power into the cell telephone system can overtake and control that system, whether in total, for only a few conversations, or even for only one. This strategy requires only more RF power, and thus it is simpler than other types of secret control. Power boosting equipment can be installed anywhere there can be an antenna, including in a vehicle, perhaps even in a vehicle on the move. Once a secretly boosted system takes control, any manipulation is possible, from simple recording of the voice or data to total blocking of all cell phones in the geographic area.
Tracking and locating
A StingRay can be used to identify and track a phone or other compatible cellular data device even while the device is not engaged in a call or accessing data services.
A Stingray closely resembles a portable cellphone tower. Typically, law enforcement officials place the Stingray in their vehicle along with compatible computer software. The Stingray acts as a cellular tower, sending out signals to get the specific device to connect to it. Cell phones are programmed to connect with the cellular tower offering the best signal. When the phone and Stingray connect, the computer system determines the strength of the signal and thus the distance to the device. Then, the vehicle moves to another location and sends out signals until it connects with the phone. When the signal strength has been determined from enough locations, the computer system pinpoints the phone's position and is able to find it.
Cell phones are programmed to constantly search for the strongest signal emitted from cell phone towers in the area. Over the course of the day, most cell phones connect and reconnect to multiple towers in an attempt to connect to the strongest, fastest, or closest signal. Because of the way they are designed, the signals that the Stingray emits are far stronger than those coming from surrounding towers. For this reason, all cell phones in the vicinity connect to the Stingray regardless of the cell phone owner’s knowledge. From there, the Stingray is capable of locating the device, interfering with the device, and collecting personal data from the device.
Denial of service
The FBI has claimed that when used to identify, locate, or track a cellular device, the StingRay does not collect communications content or forward it to the service provider. Instead, the device causes a disruption in service. Under this scenario, any attempt by the cellular device user to place a call or access data services will fail while the StingRay is conducting its surveillance. On August 21, 2018, Senator Ron Wyden noted that Harris Corporation confirmed that Stingrays disrupt the targeted phone's communications. Additionally, he noted that 'while the company claims its cell-site simulators include a feature that detects and permits the delivery of emergency calls to 9-1-1, its officials admitted to my office that this feature has not been independently tested as part of the Federal Communication Commission’s certification process, nor were they able to confirm this feature is capable of detecting and passing-through 9-1-1 emergency communications made by people who are deaf, hard of hearing, or speech disabled using Real-Time Text technology.'
Interception of communications content
By way of software upgrades, the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site. The StingRay does this by way of the following man-in-the-middle attack: (1) simulate a cell site and force a connection from the target device, (2) download the target device's IMSI and other identifying information, (3) conduct 'GSM Active Key Extraction' to obtain the target device's stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content.
The 'GSM Active Key Extraction' performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card, with a copy stored at the service provider. While the StingRay is simulating the target device during the man-in-the-middle attack explained above, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device. Therefore, the StingRay needs a method to obtain the target device's stored encryption key, or else the man-in-the-middle attack will fail.
GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1. However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time. While A5/1 and A5/2 use different cypher strengths, they each use the same underlying encryption key stored on the SIM card. Therefore, the StingRay performs 'GSM Active Key Extraction' during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key. Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.
A rogue base station can force unencrypted links, if supported by the handset software. The rogue base station can send a 'Cipher Mode Settings' element (see GSM 04.08 Chapter 10.5.2.9) to the phone, with this element clearing the one bit that marks if encryption should be used. In such cases the phone display could indicate the use of an unsafe link - but the user interface software in most phones does not interrogate the handset's radio subsystem for use of this insecure mode nor display any warning indication.
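The check that the paragraph above says most phone user interfaces skip can be made from the handset side. The following Python is an added example, not part of the original article or of any vendor's tooling: it decodes the Cipher Mode Setting of a CIPHERING MODE COMMAND and flags the two conditions described here, ciphering switched off and a fallback to A5/2. The message bytes are constructed samples, and the layout used (RR protocol discriminator 0x6, message type 0x35, setting in the low four bits of the third octet, bit 1 = start ciphering, bits 4-2 = algorithm) is an assumption taken from GSM 04.08, not something stated on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed layout (from GSM 04.08, not stated on this page):
#   octet 1, low nibble = protocol discriminator (0x6 = Radio Resource management)
#   octet 2             = message type (0x35 = CIPHERING MODE COMMAND)
#   octet 3, low nibble = Cipher Mode Setting: bits 4-2 algorithm, bit 1 SC
RR_PROTOCOL_DISCRIMINATOR = 0x6
CIPHERING_MODE_COMMAND = 0x35

# Algorithm identifier values, meaningful only when SC = 1.
A5_NAMES = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
            4: "A5/5", 5: "A5/6", 6: "A5/7"}


@dataclass(frozen=True)
class CipherModeSetting:
    start_ciphering: bool       # the SC bit
    algorithm: Optional[str]    # None when ciphering is not started


def decode_cipher_mode_setting(half_octet: int) -> CipherModeSetting:
    """Decode the 4-bit Cipher Mode Setting value."""
    if not 0 <= half_octet <= 0xF:
        raise ValueError("Cipher Mode Setting is a half-octet (0..15)")
    if not half_octet & 0b0001:
        # SC = 0: the network has told the phone not to encrypt the link.
        return CipherModeSetting(False, None)
    algorithm_id = (half_octet >> 1) & 0b111
    return CipherModeSetting(True, A5_NAMES.get(algorithm_id, "reserved"))


def parse_ciphering_mode_command(message: bytes) -> Optional[CipherModeSetting]:
    """Return the setting if `message` is a CIPHERING MODE COMMAND, else None."""
    if len(message) < 2:
        return None
    if (message[0] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR:
        return None
    if message[1] != CIPHERING_MODE_COMMAND:
        return None
    if len(message) < 3:
        raise ValueError("truncated CIPHERING MODE COMMAND")
    # The high nibble of octet 3 carries a different element and is ignored here.
    return decode_cipher_mode_setting(message[2] & 0x0F)


def classify(setting: CipherModeSetting) -> str:
    """Map a decoded setting to a verdict a monitoring tool could surface."""
    if not setting.start_ciphering:
        return "ALERT unencrypted"
    if setting.algorithm == "A5/2":
        return "ALERT A5/2 downgrade"
    if setting.algorithm == "reserved":
        return "ALERT reserved algorithm"
    if setting.algorithm == "A5/1":
        return "WEAK A5/1"
    return "OK " + setting.algorithm


def review_log(hex_lines: List[str]) -> List[Tuple[int, str]]:
    """Scan hex-encoded layer 3 messages; report every ciphering command seen."""
    findings = []
    for number, line in enumerate(hex_lines, start=1):
        try:
            setting = parse_ciphering_mode_command(bytes.fromhex(line))
        except ValueError as error:
            findings.append((number, f"MALFORMED {error}"))
            continue
        if setting is not None:
            findings.append((number, classify(setting)))
    return findings


# Constructed sample messages, as a baseband diagnostic log might expose them.
SAMPLE_LOG = [
    "06 35 15",  # start ciphering, A5/3
    "06 3f 00",  # a different RR message, ignored
    "06 35 01",  # start ciphering, A5/1
    "06 35 03",  # start ciphering, A5/2
    "06 35 00",  # SC bit cleared: no ciphering
    "06 35",     # truncated command
]

if __name__ == "__main__":
    for line_number, verdict in review_log(SAMPLE_LOG):
        print(f"line {line_number}: {verdict}")
```
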
Passive capabilities
In passive mode, the StingRay operates either as a digital analyzer, which receives and analyzes signals being transmitted by cellular devices and/or wireless carrier cell sites, or as a radio jamming device, which transmits signals that block communications between cellular devices and wireless carrier cell sites. By 'passive mode,' it is meant that the StingRay does not mimic a wireless carrier cell site or communicate directly with cellular devices.
Base station (cell site) surveys
A StingRay and a test phone can be used to conduct base station surveys, which is the process of collecting information on cell sites, including identification numbers, signal strength, and signal coverage areas. When conducting base station surveys, the StingRay mimics a cell phone while passively collecting signals being transmitted by cell-sites in the area of the StingRay.
Base station survey data can be used to further narrow the past locations of a cellular device if used in conjunction with historical cell site location information ('HCSLI') obtained from a wireless carrier. HCSLI includes a list of all cell sites and sectors accessed by a cellular device, and the date and time each access was made. Law enforcement will often obtain HCSLI from wireless carriers in order to determine where a particular cell phone was located in the past. Once this information is obtained, law enforcement will use a map of cell site locations to determine the past geographical locations of the cellular device.
However, the signal coverage area of a given cell site may change according to the time of day, weather, and physical obstructions in relation to where a cellular device attempts to access service. The maps of cell site coverage areas used by law enforcement may also lack precision as a general matter. For these reasons, it is beneficial to use a StingRay and a test phone to map out the precise coverage areas of all cell sites appearing in the HCSLI records. This is typically done at the same time of day and under the same weather conditions that were in effect when the HCSLI was logged. Using a StingRay to conduct base station surveys in this manner allows for mapping out cell site coverage areas that more accurately match the coverage areas that were in effect when the cellular device was used.
Usage by law enforcement
In the United States
The use of the devices has been frequently funded by grants from the Department of Homeland Security. The Los Angeles Police Department used a Department of Homeland Security grant in 2006 to buy a StingRay for 'regional terrorism investigations'. However, according to the Electronic Frontier Foundation, the 'LAPD has been using it for just about any investigation imaginable.'
In addition to federal law enforcement, military and intelligence agencies, StingRays have in recent years been purchased by local and state law enforcement agencies.
In 2006, Harris Corporation employees directly conducted wireless surveillance using StingRay units on behalf of the Palm Bay Police Department (where Harris has a campus) in response to a bomb threat against a middle school. The search was conducted without a warrant or judicial oversight.
The American Civil Liberties Union, commonly referred to as the ACLU, confirmed that local police have cell site simulators in Washington, Nevada, Arizona, Alaska, Missouri, New Mexico, Georgia, and Massachusetts. State police have cell site simulators in Oklahoma, Louisiana, Pennsylvania, and Delaware. Local and state police have cell site simulators in California, Texas, Minnesota, Wisconsin, Michigan, Illinois, Indiana, Tennessee, North Carolina, Virginia, Florida, Maryland, and New York. The police use of cell site simulators is unknown in the remaining states. However, many agencies do not disclose their use of StingRay technology, so these statistics are still potentially an under-representation of the actual number of agencies. According to the most recent information published by the American Civil Liberties Union, 72 law enforcement agencies in 24 states owned StingRay technology in 2017. Since 2014, these numbers have increased from 42 agencies in 17 states. The following are federal agencies in the United States that have validated their use of cell site simulators: Federal Bureau of Investigation, Drug Enforcement Administration, US Secret Service, Immigration and Customs Enforcement, US Marshals Service, Bureau of Alcohol, Tobacco, Firearms, and Explosives, US Army, US Navy, US Marine Corps, US National Guard, US Special Command, and National Security Agency.
Several court decisions have been issued on the legality of using a Stingray without a warrant, with some courts ruling a warrant is required and others not requiring a warrant.
Outside the United States
Police in Vancouver, BC, Canada admitted after much speculation across the country that they had made use of a Stingray device provided by the RCMP. They also stated that they intended to make use of such devices in the future. Two days later, a statement by Edmonton's police force had been taken as confirming their use of the devices, but they said later that they did not mean to create what they called a miscommunication.
Privacy International and The Sunday Times reported on the usage of StingRays and IMSI-catchers in Ireland, against the Irish Garda Síochána Ombudsman Commission (GSOC), which is an oversight agency of the Irish police force Garda Síochána. On June 10, 2015 the BBC reported on an investigation by Sky News about possible false mobile phone towers being used by the London Metropolitan Police. Commissioner Bernard Hogan-Howe refused comment.
Between February 2015 and April 2016, over 12 companies in the United Kingdom were authorized to export IMSI-catcher devices to states including Saudi Arabia, UAE, and Turkey. Critics have expressed concern about the export of surveillance technology to countries with poor human rights records and histories of abusing surveillance technology.
The increasing use of the devices has largely been kept secret from the court system and the public. In 2014, police in Florida revealed they had used such devices at least 200 additional times since 2010 without disclosing it to the courts or obtaining a warrant. One of the reasons the Tallahassee police provided for not pursuing court approval is that such efforts would allegedly violate the non-disclosure agreements (NDAs) that police sign with the manufacturer. The American Civil Liberties Union has filed multiple requests for the public records of Florida law enforcement agencies about their use of the cell phone tracking devices.
Local law enforcement and the federal government have resisted judicial requests for information about the use of stingrays, refusing to turn over information or heavily censoring it. In June 2014, the American Civil Liberties Union published information from court regarding the extensive use of these devices by local Florida police. After this publication, the United States Marshals Service seized the local police's surveillance records in a bid to keep them from coming out in court.
In some cases, police have refused to disclose information to the courts citing non-disclosure agreements signed with Harris Corporation. The FBI defended these agreements, saying that information about the technology could allow adversaries to circumvent it. The ACLU has said 'potentially unconstitutional government surveillance on this scale should not remain hidden from the public just because a private corporation desires secrecy. And it certainly should not be concealed from judges.'
In 2015 Santa Clara County pulled out of contract negotiations with Harris for StingRay units, citing onerous restrictions imposed by Harris on what could be released under public records requests as the reason for exiting negotiations.
In recent years, legal scholars, public interest advocates, legislators and several members of the judiciary have strongly criticized the use of this technology by law enforcement agencies. Critics have called the use of the devices by government agencies warrantless cell phone tracking, as they have frequently been used without informing the court system or obtaining a warrant. The Electronic Frontier Foundation has called the devices “an unconstitutional, all-you-can-eat data buffet.”
In June 2015, WNYC Public Radio published a podcast with Daniel Rigmaiden about the StingRay device.
In 2016, Professor Laura Moy of the Georgetown University Law Center filed a formal complaint to the FCC regarding the use of the devices by law enforcement agencies, taking the position that because the devices mimic the properties of cell phone towers, the agencies operating them are in violation of FCC regulation, as they lack the appropriate spectrum licenses.
A number of countermeasures to the StingRay and other devices have been developed. For example, crypto phones such as GSMK's CryptoPhone have firewalls that can identify and thwart the StingRay's actions or alert the user to IMSI capture.
- Kyllo v. United States (lawsuit re thermal image surveillance)
- United States v. Davis (2014) found warrantless data collection violated constitutional rights, but okayed data use for criminal conviction, as data collected in good faith
- ^Aaronson, Trevor (23 February 2015). 'ACLU Releases Florida StingRay Documents'. fcir.org. Florida Center for Investigative Reporting. Retrieved 4 April 2015.
- ^Rivero, Daniel (18 March 2015). 'It's now a trend: third court orders the release of phone-tracking Stingray documents'. fusion.net. Fusion. Retrieved 4 April 2015.
- ^Stingray Tracking Devices: Who's Got Them?' American Civil Liberties Union. American Civil Liberties Union, n.d. Web. 24 May 2017
- ^Fenton, Justin. 'Key evidence in city murder case tossed due to stingray use'. baltimoresun.com. Retrieved 2017-09-23.
- ^Emmons, Alex (2016-03-31). 'Maryland Appellate Court Rebukes Police for Concealing Use of Stingrays'. The Intercept. Retrieved 2017-09-23.
- ^Jackman, Tom (2017-09-21). 'Police use of 'StingRay' cellphone tracker requires search warrant, appeals court rules'. Washington Post. ISSN0190-8286. Retrieved 2017-09-23.
- ^'Appeals court: It doesn't matter how wanted man was found, even if via stingray'. Ars Technica. Retrieved 2017-09-23.
- ^'Vancouver police admit'. Canadian Broadcast Corp (CBC). 9 August 2016.
- ^'Edmonton police backtrack after admitting to using controversial cellphone surveillance device'. Edmonton Journal. 12 August 2016. Retrieved 11 December 2016.
- ^Mooney, John (9 February 2014). 'GSOC under high-tech surveillance'. The Sunday Times.
- ^Tynan, Dr. Richard (15 February 2014). 'Beirtear na IMSIs: Ireland's GSOC surveillance inquiry reveals use of mobile phone interception systems'. Privacy International. Archived from the original on 2014-06-24. Retrieved 2014-08-25.
- ^'Mass snooping fake mobile towers uncovered in UK'. British Broadcasting Corporation. 10 June 2015.
- ^Cheshire, Tom (10 June 2015). 'Fake Mobile Phone Towers Operating In The UK'. Sky News.
- ^Cox, Joseph (26 August 2016). 'British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes'. Motherboard. Vice. Retrieved 1 May 2017.
- ^Fenton, Justin (April 20, 2015). 'Baltimore judge allows police use of Stingray phone tracking in murder case'. The Baltimore Sun. Retrieved April 22, 2017.
Police outlined for the first time this month their usage of the stingray, pegging it at more than 4,300 times — a figure experts called a 'huge number' compared to a trickle of disclosures in other cities.
- ^Monahan, Torin (2016) Built to Lie: Investigating Technologies of Deception, Surveillance, and Control. The Information Society 32(4): 229-240.
- ^Wessler, Nathan Freed. 'U.S. Marshals Seize Local Cops' Cell Phone Tracking Files in Extraordinary Attempt to Keep Information From Public'. American Civil Liberties Union. Retrieved 2014-06-23.
- ^ abGillum, Jack (2014-03-22). 'Police keep quiet about cell-tracking technology'. News.yahoo.com. Retrieved 2014-06-23.
- ^Wessler, Nathan Freed (2014-06-03). 'Transcription of Suppression Hearing (Complete)'(PDF). American Civil Liberties Union. Retrieved 2014-06-23.
- ^Zetter, Kim (2014-06-03). 'U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU'. Wired.com. Retrieved 2014-06-23.
- ^ ab'A Police Gadget Tracks Phones? Shhh! It's Secret'. The New York Times. March 15, 2015.
- ^Florida Department of Law Enforcement; Harris Corporation (8 June 2010). 'FDLE non-disclosure agreement with the Harris Corporation'(PDF). American Civil Liberties Union. Retrieved 28 March 2015.
- ^Farivar, Cyrus (7 May 2015). 'In rare move, Silicon Valley county gov't kills stingray acquisition'. Ars Technica. Retrieved 9 May 2015.
What happened was, we were in negotiations with Harris, and we couldn't get them to agree to even the most basic criteria we have in terms of being responsive to public records requests
- ^Timm, Trevor (2013-02-12). 'As Secretive 'Stingray' Surveillance Tool Becomes More Pervasive, Questions Over Its Illegality Increase'. Electronic Frontier Foundation. Retrieved 2014-06-23.
- ^Zomorodi, Manoush (2015-06-19). 'When Your Conspiracy Theory Is True'. WNYC. Retrieved 2015-07-03.
- ^Farivar, Cyrus (August 16, 2016). 'Baltimore police accused of illegal mobile spectrum use with stingrays'. Ars technica. Retrieved 2016-08-16.
- ^Zetter, Kim (2014-09-03). 'Phone Firewall Identifies Rogue Cell Towers Trying to Intercept Your Calls'. Wired. Condé Nast. Retrieved 13 July 2016.
- Lye, Linda (2014). 'StingRays: The Most Common Surveillance Tool the Government Won't Tell You About'(pdf). Northern California: ACLU.
- IMSI catchers and specifically, the Harris Stingray, are extensively used in the Intelligence Support Activity / Task Force Orange thriller written by J.T. Patten, a former counterterrorism intelligence specialist. Patten, J.T., Buried in Black, A Task Force Orange Novel, Lyrical Press / Penguin, 2018.
Signaling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down telephone calls in most parts of the world-wide public switched telephone network (PSTN). The protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services.
In North America SS7 is often referred to as Common Channel Signaling System 7 (CCSS7). In the United Kingdom, it is called C7 (CCITT number 7), number 7 and Common Channel Interoffice Signaling 7 (CCIS7). In Germany, it is often called Zentraler ZeichengabeKanal Nummer 7 (ZZK-7).
The SS7 protocol is defined for international use by the Q.700-series recommendations of 1988 by the ITU-T. Of the many national variants of the SS7 protocols, most are based on variants standardized by the American National Standards Institute (ANSI) and the European Telecommunications Standards Institute (ETSI). National variants with striking characteristics are the Chinese and Japanese Telecommunication Technology Committee (TTC) national variants.
The Internet Engineering Task Force (IETF) has defined the SIGTRAN protocol suite that implements levels 2, 3, and 4 protocols compatible with SS7. Sometimes also called Pseudo SS7, it is layered on the Stream Control Transmission Protocol (SCTP) transport mechanism for use on Internet Protocol networks, such as the Internet.
Signaling System No. 5 and earlier systems used in-band signaling, in which the call-setup information was sent by playing special multi-frequency tones into the telephone lines, known as bearer channels. As the bearer channel was directly accessible by users, it was exploited with devices such as the blue box, which played the tones required for call control and routing. As a remedy, SS6 and SS7 implemented out-of-band signaling, carried in a separate signaling channel, thus keeping the speech path separate. SS6 and SS7 are referred to as common-channel signaling (CCS) protocols, or Common Channel Interoffice Signaling (CCIS) systems.
Since 1975, CCS protocols have been developed by major telephone companies and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T); in 1977 the ITU-T defined the first international CCS protocol as Signaling System No. 6 (SS6). In its 1980 Yellow Book Q.7XX-series recommendations ITU-T defined the Signaling System No. 7 as an international standard. SS7 replaced SS6 with its restricted 28-bit signal unit that was both limited in function and not amenable to digital systems. SS7 also replaced Signaling System No. 5 (SS5), while R1 and R2 variants are still used in numerous countries.
The Internet Engineering Task Force (IETF) defined SIGTRAN protocols which translate the common channel signaling paradigm to the IP Message Transfer Part (MTP) level 2 (M2UA and M2PA), Message Transfer Part (MTP) level 3 (M3UA) and Signaling Connection Control Part (SCCP) (SUA). While running on a transport based upon IP, the SIGTRAN protocols are not an SS7 variant, but simply transport existing national and international variants of SS7.
Signaling in telephony is the exchange of control information associated with the setup and release of a telephone call on a telecommunications circuit. Examples of control information are the digits dialed by the caller and the caller's billing number.
When signaling is performed on the same circuit as the conversation of the call, it is termed channel-associated signaling (CAS). This is the case for earlier analogue trunks, multi-frequency (MF) and R2 digital trunks, and DSS1/DASS PBX trunks.
In contrast, SS7 uses common channel signaling, in which the path and facility used by the signaling are separate and distinct from the channels that carry the conversation. Signaling can therefore be exchanged without first seizing a voice channel, leading to significant savings and performance increases in both signaling and channel usage.
Because of the mechanisms used by signaling methods prior to SS7 (battery reversal, multi-frequency digit outpulsing, A- and B-bit signaling), these older methods could not communicate much signaling information. Usually only the dialed digits were signaled during call setup. For charged calls, dialed digits and charge number digits were outpulsed. SS7, being a high-speed and high-performance packet-based communications protocol, can communicate significant amounts of information when setting up a call, during the call, and at the end of the call. This permits rich call-related services to be developed. Some of the first such services were call management related: call forwarding (busy and no answer), voice mail, call waiting, conference calling, calling name and number display, call screening, malicious caller identification, and busy callback.
The earliest deployed upper layer protocols in the SS7 suite were dedicated to the setup, maintenance, and release of telephone calls. The Telephone User Part (TUP) was adopted in Europe and the Integrated Services Digital Network (ISDN) User Part (ISUP) adapted for public switched telephone network (PSTN) calls was adopted in North America. ISUP was later used in Europe when the European networks upgraded to the ISDN. As of 2015 North America has not accomplished full upgrade to the ISDN, and the predominant telephone service is still the older Plain Old Telephone Service. Due to its richness and the need for an out-of-band channel for its operation, SS7 is mostly used for signaling between telephone switches and not for signaling between local exchanges and customer-premises equipment.
Because SS7 signaling does not require seizure of a channel for a conversation prior to the exchange of control information, non-facility associated signaling (NFAS) became possible. NFAS is signaling that is not directly associated with the path that a conversation will traverse and may concern other information located at a centralized database such as service subscription, feature activation, and service logic. This makes possible a set of network-based services that do not rely upon the call being routed to a particular subscription switch at which service logic would be executed, but permits service logic to be distributed throughout the telephone network and executed more expediently at originating switches far in advance of call routing. It also permits the subscriber increased mobility due to the decoupling of service logic from the subscription switch. Another ISUP characteristic SS7 with NFAS enables is the exchange of signaling information during the middle of a call.
SS7 also enables Non-Call-Associated Signaling, which is signaling not directly related to establishing a telephone call. This includes the exchange of registration information used between a mobile telephone and a home location register database, which tracks the location of the mobile. Other examples include Intelligent Network and local number portability databases.
Apart from signaling with these various degrees of association with call set-up and the facilities used to carry calls, SS7 is designed to operate in two modes: associated mode and quasi-associated mode.
When operating in the associated mode, SS7 signaling progresses from switch to switch through the Public Switched Telephone Network following the same path as the associated facilities that carry the telephone call. This mode is more economical for small networks. The associated mode of signaling is not the predominant choice of modes in North America.
When operating in the quasi-associated mode, SS7 signaling progresses from the originating switch to the terminating switch, following a path through a separate SS7 signaling network composed of signal transfer points. This mode is more economical for large networks with lightly loaded signaling links. The quasi-associated mode of signaling is the predominant choice of modes in North America.
SS7 separates signaling from the voice circuits. An SS7 network must be made up of SS7-capable equipment from end to end in order to provide its full functionality. The network can be made up of several link types (A, B, C, D, E, and F) and three signaling nodes – Service Switching Points (SSPs), Signal Transfer Points (STPs), and Service Control Points (SCPs). Each node is identified on the network by a number, a signaling point code. Extended services are provided by a database interface at the SCP level using the SS7 network.
The links between nodes are full-duplex 56, 64, 1,536, or 1,984 kbit/s graded communications channels. In Europe they are usually one (64 kbit/s) or all (1,984 kbit/s) timeslots (DS0s) within an E1 facility; in North America one (56 or 64 kbit/s) or all (1,536 kbit/s) timeslots (DS0As or DS0s) within a T1 facility. One or more signaling links can be connected to the same two endpoints that together form a signaling link set. Signaling links are added to link sets to increase the signaling capacity of the link set.
In Europe, SS7 links normally are directly connected between switching exchanges using F-links. This direct connection is called associated signaling. In North America, SS7 links are normally indirectly connected between switching exchanges using an intervening network of STPs. This indirect connection is called quasi-associated signaling, which reduces the number of SS7 links necessary to interconnect all switching exchanges and SCPs in an SS7 signaling network.
SS7 links at higher signaling capacity (1.536 and 1.984 Mbit/s, simply referred to as the 1.5 Mbit/s and 2.0 Mbit/s rates) are called high speed links (HSL) in contrast to the low speed (56 and 64 kbit/s) links. High speed links are specified in ITU-T Recommendation Q.703 for the 1.5 Mbit/s and 2.0 Mbit/s rates, and ANSI Standard T1.111.3 for the 1.536 Mbit/s rate. There are differences between the specifications for the 1.5 Mbit/s rate. High speed links utilize the entire bandwidth of a T1 (1.536 Mbit/s) or E1 (1.984 Mbit/s) transmission facility for the transport of SS7 signaling messages.
SIGTRAN provides signaling using SCTP associations over the Internet Protocol. The protocols for SIGTRAN are M2PA, M2UA, M3UA and SUA.
SS7 protocol suite
SS7 protocols by OSI layer:
|OSI layer|SS7 protocols|
|Application|INAP, MAP, IS-41, ... TCAP, CAP, ISUP, ...|
|Network|MTP Level 3 + SCCP|
|Data link|MTP Level 2|
|Physical|MTP Level 1|
The SS7 protocol stack may be partially mapped to the OSI Model of a packetized digital protocol stack. OSI layers 1 to 3 are provided by the Message Transfer Part (MTP) and the Signalling Connection Control Part (SCCP) of the SS7 protocol (together referred to as the Network Service Part (NSP)); for circuit related signaling, such as the BT IUP, Telephone User Part (TUP), or the ISDN User Part (ISUP), the User Part provides layer 7. Currently there are no protocol components that provide OSI layers 4 through 6. The Transaction Capabilities Application Part (TCAP) is the primary SCCP User in the Core Network, using SCCP in connectionless mode. SCCP in connection oriented mode provides transport layer for air interface protocols such as BSSAP and RANAP. TCAP provides transaction capabilities to its Users (TC-Users), such as the Mobile Application Part, the Intelligent Network Application Part and the CAMEL Application Part.
The Message Transfer Part (MTP) covers a portion of the functions of the OSI network layer including: network interface, information transfer, message handling and routing to the higher levels. Signaling Connection Control Part (SCCP) is at functional Level 4. Together with MTP Level 3 it is called the Network Service Part (NSP). SCCP completes the functions of the OSI network layer: end-to-end addressing and routing, connectionless messages (UDTs), and management services for users of the Network Service Part (NSP). Telephone User Part (TUP) is a link-by-link signaling system used to connect calls. ISUP is the key user part, providing a circuit-based protocol to establish, maintain, and end the connections for calls. Transaction Capabilities Application Part (TCAP) is used to create database queries and invoke advanced network functionality, or links to Intelligent Network Application Part (INAP) for intelligent networks, or Mobile Application Part (MAP) for mobile services.
BSS Application Part (BSSAP) is a protocol in Signaling System 7 used by the Mobile Switching Center (MSC) and the Base Station Subsystem (BSS) to communicate with each other using signalling messages supported by the MTP and connection-oriented services of the SCCP. For each active mobile equipment with at least one active transaction, BSSAP uses one signalling connection for the transfer of messages.
BSSAP provides two kinds of functions:
- The BSS Mobile Application Part (BSSMAP) supports procedures to facilitate communication between the MSC and the BSS pertaining to resource management and handover control.
- The Direct Transfer Application Part (DTAP) is used to transfer those messages which need to travel directly from the MSC to a mobile equipment, bypassing any interpretation by the BSS. These messages generally pertain to Mobility Management (MM) or Call Management (CM).
Protocol security vulnerabilities
In 2008, several SS7 vulnerabilities were published that permitted the tracking of cell phone users. In 2014, the media reported a protocol vulnerability of SS7 by which anybody can track the movements of cell phone users from virtually anywhere in the world with a success rate of approximately 70%. In addition, eavesdropping is possible by using the protocol to forward calls and also facilitate decryption by requesting that each caller's carrier release a temporary encryption key to unlock the communication after it has been recorded. The software tool SnoopSnitch can warn when certain SS7 attacks occur against a phone, and detect IMSI-catchers that allow call interception and other activities.
In February 2016, 30% of the network of the largest mobile operator in Norway, Telenor, became unstable due to 'Unusual SS7 signaling from another European operator'.
The security vulnerabilities of SS7 have been highlighted in U.S. governmental bodies, for example when in April 2016 US congressman Ted Lieu called for an oversight committee investigation.
In May 2017, O2 Telefónica, a German mobile service provider, confirmed that the SS7 vulnerabilities had been exploited to bypass two-factor authentication to achieve unauthorized withdrawals from bank accounts. The perpetrators installed malware on compromised computers, allowing them to collect online banking account credentials and telephone numbers. They set up redirects for the victims' telephone numbers to telephone lines controlled by them. Confirmation calls of two-factor authentication procedures were routed to telephone numbers controlled by the attackers. This enabled them to log into victims' online bank accounts and effect money transfers.
In March 2018, a method was published for the detection of the vulnerabilities, through the use of open-source monitoring software such as Wireshark and Snort. The nature of SS7 normally being used between consenting network operators on dedicated links means that any bad actor's traffic can be traced to its source.
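Tracing signaling traffic to its source starts with the originating point code carried in every MTP Level 3 message. The following is an added example, not code from the original article or from any vendor: it parses the ITU-T routing label and applies a gateway-screening check per link set. It assumes 14-bit ITU point codes and input that begins at the service information octet; the point codes, link-set name and policy are constructed.

```python
"""Added example: attribute MTP3 messages to their origin and screen them."""
from dataclasses import dataclass

# Service indicator values from the service information octet (ITU-T Q.704).
SERVICE_INDICATORS = {0: "SNM", 3: "SCCP", 4: "TUP", 5: "ISUP"}


@dataclass(frozen=True)
class RoutingLabel:
    service: str
    network_indicator: int
    dpc: int  # destination point code
    opc: int  # originating point code
    sls: int  # signaling link selection


def parse_pc(text: str) -> int:
    """Convert ITU 3-8-3 notation ("zone-area-point") to a 14-bit integer."""
    zone, area, point = (int(part) for part in text.split("-"))
    if not (0 <= zone < 8 and 0 <= area < 256 and 0 <= point < 8):
        raise ValueError(f"point code out of range: {text}")
    return zone << 11 | area << 3 | point


def format_pc(pc: int) -> str:
    return f"{pc >> 11}-{(pc >> 3) & 0xFF}-{pc & 0x7}"


def build_mtp3(si: int, ni: int, dpc: int, opc: int, sls: int) -> bytes:
    """Encode SIO + routing label; used here only to construct sample input."""
    label = dpc | opc << 14 | sls << 28
    return bytes([ni << 6 | si]) + label.to_bytes(4, "little")


def parse_mtp3(msu: bytes) -> RoutingLabel:
    if len(msu) < 5:
        raise ValueError("truncated routing label")
    sio = msu[0]
    label = int.from_bytes(msu[1:5], "little")  # label bits are sent LSB first
    si = sio & 0x0F
    return RoutingLabel(
        service=SERVICE_INDICATORS.get(si, f"SI-{si}"),
        network_indicator=sio >> 6,
        dpc=label & 0x3FFF,
        opc=(label >> 14) & 0x3FFF,
        sls=label >> 28,
    )


def screen(link_set: str, msu: bytes, policy: dict) -> str:
    """Return "pass" or a drop reason for a message received on link_set."""
    try:
        label = parse_mtp3(msu)
    except ValueError:
        return "drop: malformed"
    if label.dpc not in policy["local_pcs"]:
        return "drop: dpc-not-local"
    if label.opc in policy["local_pcs"]:
        # One of our own point codes arriving from outside is a spoofed source.
        return "drop: local-opc-on-external-link"
    if label.opc not in policy["link_sets"].get(link_set, set()):
        return f"drop: opc-not-provisioned ({format_pc(label.opc)})"
    return "pass"


# Constructed policy: our two nodes and one interconnect peer.
POLICY = {
    "local_pcs": {parse_pc("4-20-3"), parse_pc("4-20-4")},
    "link_sets": {"LS-PEER-A": {parse_pc("2-100-1")}},
}


def run_sample() -> list:
    us, peer = parse_pc("4-20-3"), parse_pc("2-100-1")
    samples = [
        build_mtp3(5, 2, us, peer, 7),                 # provisioned peer, ISUP
        build_mtp3(3, 2, us, parse_pc("2-101-5"), 1),  # unknown origin, SCCP
        build_mtp3(3, 2, us, parse_pc("4-20-4"), 1),   # our own PC from outside
        b"\x83\x01",                                   # truncated message
    ]
    return [screen("LS-PEER-A", msu, POLICY) for msu in samples]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

ANSI networks use 24-bit point codes and a different label layout, so the bit masks above do not apply there.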