Dirtbox - Devices on Planes Used by Government to Target Cellphones

November 14, 2014

By Mark Rasch

They’re heeeeere.  Look overhead.  That plane circling slowly above you is collecting information about you.  And about just about everyone else.  

The Wall Street Journal reported that the Justice Department and its various component agencies (including the U.S. Marshal’s Service and the FBI) are using a technology called “Dirtbox” to collect information from the users of at least thousands and possibly millions of cell phone users.  

But don’t worry, they say.  It’s all legal.

And that’s the problem.

The program described by the Wall Street Journal uses a “box” developed by a company called Digital Receiver Technology (DRT), now a wholly owned subsidiary of Boeing.  DRTI notes that “Due to the sensitive nature of our work, we are unable to publicly advertise many of our products” but markets and sells products designed for “collection and direction finding” of various radio signals.  In practical terms, the DRT boxes (hence the term Dirtbox) can be used to find out the identity and location of people’s cell phones.  

A cell phone is nothing more than a two way radio.  It looks for a cell tower to take and send a signal.  The radio is designed to find the “strongest available signal” and to do so seamlessly.  So what the DRT box does is to send out a signal as if it was a cell tower of AT&T, Verizon, T-Moblie, Sprint or whomever, and say “hey -- hook up with me.”  When the phone hooks with the cell tower, the phone transmits information to that tower which indicates the unique indtifying information (IMSI) of the phone and its precise location (within a 3 meter radius.)  It’s essentially a “man in the middle” attack.  

The phone attaches to the dirtbox rather than to the real network, and attempts to transmit data through the dirtbox.  If the dirtbox is not linked to a cell network, the user gets no “real” signal and the attempt fails -- but can still be used to collect whatever the user attempts to transmit.  The same system can also be used to actually connect the user to the cell network -- it would go from user to dirtbox to cell network and back again -- and allow the dirtbox owner to actually intercept the contents of communications (voice and data) in real time, together with phone identity and location.  

But the phone company already collects this information anyway.  So what’s the big deal?

The phone company collects information for its own purposes -- principally to ensure that the calls are connected and to bill for those calls.  If the government (or private litigant) wants those records, they have to get a court order, a warrant, or a subpoena for them, and the phone company can challenge the scope of the warrant or order.  

Kinda, sorta.  But that’s too slow for the DOJ.  Why bother with pesky phone companies when we can serve a warrant on ourselves?

The way the DRT program is described is that the government flies airplanes equipped with the device over large metropolitan areas.  The Dirtbox collects the cellular IDs and locations of every phone within range as it circles overhead.  In a city like New York, this would quickly collect data on millions of cell phone users.  The operator, equipped with a “court order” (more on this shortly) would enter the data on the phone or phones they are interested in (Dr. Richard Kimble) and the phone and locatoin associated with that person would be displayed or otherwise stored.  

Theoretically, the location and ID information on the millions of innocent people would be discarded -- or at least not searched without an additional warrant or order.  

The government tags these phones as “of interest” and “not of interest” and retains the records of those which are “of interest.”  Of course, it collects all of the records -- even briefly.  Much like the NSA’s “haystack” argument, the government has to scan everyone’s cell records to find the ones it wants.   But it doesn’t actually “collect” the records of the innocent people.  It merely forces those phones to connect with the fake flying cell tower, ping their IMEI number, have the government computer analyze it to see if that’s a phone “of interest” and then “release” the connection -- hang up.  

But no FBI agent reviews it.  It’s done by a computer.  So no harm no foul.  The DOJ has your cell number and location, but only briefly.

This is done by the police, in real time, without the knowledge or assistance of the phone company, and interferes with the phone company’s transmission of data from and to your phone (causing call or data drop offs.)  In fact, the WSJ reported that the DOJ had to specifically engineer the program so it wouldn’t cause a drop off of 911 calls.  Everything else is fair game.  The program is similar to, but more extensive than a truck or mobile based fake cell tower program called “Stingray” after the device used for it.  In fact, the Immigrations and Customs Enforcement agency indicated years ago that it was putting these Stingray devices on airplanes.  

So it’s an easier way for the government, equipped with a court order, to get location data on dangerous people faster and more accurately than relying on the cell phone companies.  If they are trying to find a kidnap victim or an armed fugitive, don’t you want them to be able to do this?

Sure we do.  That’s why we should have a debate about the scope and merits of the program.  It may be just awesome and we all give a cheer and pin a medal on the chests of the valiant DOJ employees who think this up.

Problem is, there won’t be such a debate.  Just as with the NSA suveillance programs, DOJ is saying, “hey, if bad guys knew we had this capability, they would do different things.  We can’t tell anyone anything about this.  Not Congress.  Not the phone companies.  And certainly not the millions of citizens whose cell records we might be collecting.”  Wrong answer.  According to  the Wall Street Journal:

A Justice Department official would neither confirm nor deny the existence of such a program. The official said discussion of such matters would allow criminal suspects or foreign powers to determine U.S. surveillance capabilities. Justice Department agencies comply with federal law, including by seeking court approval, the official said.

And that’s where, even if the DOJ program is reasonable and limited, they go off the deep end.

Of course if criminal suspects and foreign powers know our surveillance capabilities, they could circumvent them.  But last time I checked, binoculars were not outlawed. We use a host of technologies in furtherance of law enforcement and intelligence gathering.  These range from drug sniffing dogs to infrared sensors, to motion detectors, license plate readers, GPS devices, and thousands of others.  Each of these have the potential to impact the balance between the needs of the government to conduct surveillance and the genuine privacy and liberty interests of the citizenry.

Thus, when the government attempted to use an Agema Thermovision 210 thermal imager to peer inside a suspect’s apartment to see whether or not he was growing pot in his apartment, the Supreme Court had to address the capabilities of the device to determine whether its use constituted a “search” under the Fourth Amendment, and whether that search was reasonable. Justice Scalia noted:

It would be foolish to contend that the degree of privacy secured to citizens by the Fourth Amendment has been entirely unaffected by the advance of technology. …[T]he technology enabling human flight has exposed to public view (and hence, we have said, to official observation) uncovered portions of the house and its curtilage that once were private. ...The question we confront today is what limits there are upon this power of technology to shrink the realm of guaranteed privacy.

But if the government classifies and prevents public debate on the nature of the technology it is using (and at least in general terms its capabilities) there can be neither meaningful discussion nor meaningful legal analysis about the use of that technology.  

It is doubtful (and I would be willing to bet that it didn’t happen) that the DOJ in seeking legal approval for the use of the Dirtbox device actually explained to the Court what the device did, and how it did it.   In the heat sensor case, it was precisely the ability of the Thermovision device to peer inside the home that lead the court to conclude that its use required a search warrant supported by probable cause.

Similarly, when the government installed a Key Logger System on Nicy Scarfo’s computer the question of whether they needed a search warrant or a Title III wiretap order hinged on how the device worked.  And the FBI refused to say because such a disclosure would impact national security.

A piece of advice.  Stop using classified tools to catch ordinary criminals.  Just stop. We need a public debate on the scope and use of these technologies precisely because they are new.  

We cannot and should not trust the law enforcement agencies to be the sole arbiter of the reasonableness of their use.  We may not need to know the precise capabilities of the surveillance technologies, but we do need to know whether the government is “collecting” cell records on millions of innocent people, and if so, how and why, and what it does with those records.  And we need to have an open and public debate about this.  

Every. Single. Time.

The DOJ also claims that the use of the technology is “legal.”  Not exactly.  A better expression is to say that it “complies with the law.”  In the sense that the government seeks and obtains a court order permitting its use.  Maybe.

See, we’re not really sure what kind of court order is needed to conduct this kind of surveillance.  We don’t know what kind of “warrant” the government has sought or obtained.  Presumably, because the Dirtbox is not designed to capture the “contents” of communicaitons (not saying that it can’t be configured to do so, just that the indication is that it didn’t) the government would likely seek either a “trap and trace” order, a “pen register” order, a “tracking device” order, or something else.  So that’s the first problem.  What is the government collecting?

Under the law, a “pen register” is “a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted…”  If the government wants a “pen register” all they have to do is go to a court and certify that the information is “relevant” to an investigation.  The court then MUST issue the order, and oh, the subject of the pen register never ever knows about it.  Ever.  Since the “routing, signaling, etc.” information is not theirs, but that of the phone company.   

Similarly, a “trap and trace device” is “a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication.”   Basically the same deal to get an order for this data.  So there’s no requirement of probable cause or even reasonable suspicion.  

There’s no need that the trap and trace or pen register be issued to or about a person who is a suspect.  Anyone’s records can be subject to a trap and trace or pen register if “the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency.”  So theoretically (and I am not saying this is what they are doing) the government could simply say, “hey, we don’t know exactly what we are looking for, but we need the records of a few million people cause all of them are likely to be relevant.”

Or, like they did in the NSA case, “we need to collect the records of everyone to FIND the records that are likely to be relevant.”  And remember, with a trap and trace or pen register, the Court MUST issue the order upon a facially valid certification, and the use of the device would then comply with the law.

That is, if this is a pen register or trap and trace.  Which is not clear.  Is the Dirtbox (1) a device or process; (2) which records or decodes; (3) signalling information transmitted by; (4) an instrument from which wire or electronic communications is transmitted?  A lot of this hinges on what we mean by “signalling information.”   The government frankly isn’t the least bit interested in the signaling information.  It wants to know the location of the owner of the phone.  If you want to know what numbers I am calling, that’s signalling information. What the government seeks to do here is to effectively install a “tracking device” on every cell phone user by converting their phones into tracking devices.

The normal way the government gets cell phone location data doesn’t apply to Dirtbox either.  The Electronic Communicaitons Privacy Act provides a mechanism for the government to order “a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service.”  Well, the government is not seeking production of records -- it’s creating them itself.

So the govenment isn’t installing a “trap and trace” and isn’t installing a “pen register.” It’s not compelling a phone company to produce cell records.  Maybe it’s “installing a tracking device?”  The Supreme Court held that a warrant is required to install a tracking device on a suspect’s car because to install the device you have to “trespass” on the person’s property.  But the Dirtbox isn’t “installed.”  It just monitors the cell phone.  So under the precedent, no warrant is required, right?

So when the DOJ says that its use of the Dirtbox or Stingray is “legal” it may just be saying that there’s no law prohibiting it, so it’s fair game.  

At least one Federal Court of Appeals has found that to get cell-phone location data you need a search warrant supported by probable cause. But the government didn’t seek cell phone location data from a cell phone company. It created it.  So maybe that law doesn’t apply either.

But wait, there’s more.  Even if the government sought a search warrant for the cell location data for Dr. Kimball, and showed probable cause to believe that he was a fugitive, and that the location data was relevant, that’s the START of the inquiry, not the end.  On whom would the government serve such a warrant?  The warrant also has to meet the specificity requirements of the Fourth Amendment (“specifying the place to be searched and the things to be seized…” )  In the case of Dirtbox, the government is “searching” the entirely of Manhattan, and “seizing” everyone’s location data -- even if briefly.  I am not sure that this would satisfy the minimization requirements of the Fourth Amendment.  So should we assume that the government got search warrants supported by probable cause when it used Dirtbox?  

So that’s the problem with the DOJ secrecy.  We will never know.  The suspect is never served a copy of the warrant, since the government “seizes” the information from itself.  The Court never gets to find out how the seizure works, and whether it is reasonable.    We can’t know if the searches are “reasonable” or “lawful” without knowing what the device does and what kind of warrants are sought.  

And DOJ says they can’t comment.  

So much for public debate.  

comments powered by Disqus

The Human Factor: Gain new insight into the ways attackers exploit end-users' psychology​​

About Security Current | Privacy Policy | Subscribe to our newsletter