British Companies Sell StingRays To Oppressive Governments

Andrew Orr In the News

Since 2015, a dozen companies in the United Kingdom have exported devices like StingRays to oppressive regimes around the world.

Further Reading

Apple Responds To Scary Zero Day Exploits Found On iOS

Stingrays Another Poison to Privacy

Surveillance Tech

In a time when the internet brings freedom and equality to billions of people, oppressive governments use the Internet to control their citizens. We reported last week how some governments target activists or jail people for using VPNs. And our own government is just as guilty of using surveillance technology as everyone else.

The UK’s government gave permission to some of the companies to export their products to countries like Saudi Arabia, the United Arab Emirates, Turkey, and Egypt. As we’ve pointed out, all of these countries rank as the top ten worst in the world for internet freedom. But to have British companies selling some of these tools is surprising to say the least.

The Department for Business, Innovation and Skills (BIS) published data [PDF] about selling this technology. Some of the tech includes IMSI-catchers, also called Stingrays.

Stingrays

ACLU map of Stingray use

ACLU map of Stingray use

An IMSI-catcher, sometimes called StingRays, is a type of device that law enforcement use. It’s a device that mimics a wireless carrier cell tower. This forces your phone to connect to it. Once connected, it tracks your movement and collects information about your phone, like the IMSI number.

StingRays have two modes: active (digital analyzer) and passive (cell site simulator). Under active mode, some of the operations are:

  • Stealing stored data such as IMSI and ESN numbers
  • Writing cellular protocol metadata to internal storage
  • Forcing an increase in signal power
  • Transmitting many radio signals all at once
  • Stealing texts and calls
  • Tracking and finding phone users
  • Using a denial-of-service attack
  • Encrypting key extraction
  • Radio jamming

In passive mode, the device pretends to be a cell tower. This operation involves using over-the-air signals to identify cell sites and map their coverage areas. The StingRay forces phones in a given area to disconnect from a legitimate carrier and connect to the StingRay.

UK Companies

The companies include a subsidiary of BAE Systems, Pro-Solve International, ComsTrac, CellXion, Cobham and Domo Tactical Communications (DTC). Most of these companies sell StingRays. About 33 licenses given to these companies were for exporting to Turkey and Indonesia. Cobham has at least one license and advertises IMSI-catchers that can intercept SMS messages and voice calls from smartphones.cobham voice intercept

Claudio Guarnieri, a technologist at Amnesty International, said,

“IMSI catchers are probably one of the most controversial and yet more demanded pieces of surveillance technology marketed today. They are of dubious legality and their use raises serious ethical and privacy concerns due to their invasiveness and wide reach.”

Some of the other licenses for exporting StingRays were “temporary”. According to the Department of International Trade, if a product’s license is temporary, it has to be returned to the UK in a year. Some uses for these licenses are product demos or trade fairs.

Two temporary licenses discuss a device called “DNA Tracker.” Megablue Technologies Limited makes this product. This device tracks phone locations via their IMSI number, and also other devices via MAC addresses. The company had two successful license applications to bring the device to China and Kuwait.

Another product called Marlin, can steal calls made on satellite phone networks like IsatPhone, Immarsat, and Thuraya. TRL Technology Limited makes this product.

Brochure showing the Marlin system

Brochure showing the Marlin system

Motherboard, who first reported this issue, created a spreadsheet for the data they found.