Ice Is Using Fake Cell Towers to Spy on People's Phones
Posted4 months agoActive4 months ago
forbes.comOtherstoryHigh profile
heatednegative
Debate
80/100
SurveillancePrivacyGovernment Overreach
Key topics
Surveillance
Privacy
Government Overreach
The story reports on ICE's use of fake cell towers to track individuals, sparking concerns about government surveillance and privacy, with the discussion debating the implications and potential countermeasures.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
24m
Peak period
74
0-3h
Avg / period
13.3
Comment distribution160 data points
Loading chart...
Based on 160 loaded comments
Key moments
- 01Story posted
Sep 9, 2025 at 12:27 PM EDT
4 months ago
Step 01 - 02First comment
Sep 9, 2025 at 12:51 PM EDT
24m after posting
Step 02 - 03Peak activity
74 comments in 0-3h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 11, 2025 at 1:34 PM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45184368Type: storyLast synced: 11/22/2025, 11:47:55 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
>At 8:58 a.m., just before the protest began, SAN began monitoring eight LTE bands present in the area and found no anomalous behavior. At 9:06 a.m., however, a burst of 57 IMSI-exposing commands was detected.
>Other bursts, present on four of the LTE frequency bands, appeared roughly every 10 minutes over the next hour, causing Marlin to issue numerous real-time alerts. A post-scan analysis confirmed the detection of 574 IMSI-exposing messages.
>It also flagged two “attach reject” messages, a type of cellular rejection sent when a cell phone tries to connect to a network. Attach rejects can occur for valid reasons, such as when a phone with an expired SIM card tries to connect to a network but such messages are rare on properly configured networks. IMSI catchers may use attach reject messages to block or downgrade connections and obtain an IMSI before it is encrypted. SAN observed the two suspicious messages at 9:55 a.m. and 10:04 a.m. at the height of the protest but did not encounter others before or after the demonstration ended.
>SAN conducted a follow-up scan during the same time period, the following day, when no protesters were present. Unlike the day prior, Marlin did not issue real-time alerts.
> "A post-scan analysis confirmed the detection of 574 IMSI-exposing messages."
That's roughly 574 unique protestors, give or take.
Full-on autocratic tyranny—this is also what Putin's oligarchs did to Ukranians at the Maidan Protests, in Kyiv in 2014. Used IMSI-catchers to assemble lists of everyone present, and intimidate them.
https://slate.com/technology/2014/01/ukraine-texting-euromai... ("How Did Ukraine’s Government Text Threats to Kiev’s EuroMaidan Protesters?" (2014)).
Maybe you missed it when you read the article?
[0] https://san.com/cc/exclusive-evidence-of-cell-phone-surveill...
Remember Kavanaugh's confirmation vote in 2018 was 50-48, Lisa Murkowski (R-AK) voted against, Susan Collins for, Joe Manchin (D-WV) also for [0]. Susan Collins' reluctant-voice-of-moderation act has run out of steam, finally, probably decades overdue
[0]: https://en.wikipedia.org/wiki/Brett_Kavanaugh_Supreme_Court_...
Which I suppose is another thing that was predicted but not acted upon: the establishment of political parties.
[1] Bush 2000, and less directly but far more dangerously, by making Trump unprosecutable in the run-up to 2024.
This broad dragnet nature of Stingray collection has always been why it's been a major privacy issue. Like doing a wiretap by tapping the whole neighbourhood and filtering phone calls for a certain address.
I'd like to leave the question of why that's true as an exercise for the reader, but your comment makes it sound as if you have trouble with this concept, so let's be explicit - a state operating autocratically can, and often will, rubberstamp whatever it decides it wants to do.
Had a quick look for the numbers from FISA to give you an example of this. https://www.motherjones.com/criminal-justice/2013/06/fisa-co... says that they denied 11 requests for surveillance warrants out of 33,900 requests over 33 years of operation.
That's a pass rate of 99.07%!
So allow me to say - a warrant wouldn't have changed anything, they give them out like nothing.
In the article though, it does say: "ICE did not respond to requests for comment from SAN. It is not clear whether ICE or any other law enforcement agency obtained a warrant to use an IMSI catcher — commonly referred to as a “Stingray” — to conduct surveillance."
On the contrary, I don't think there's anything more relevant.
That such action can be legal speaks volumes about the state of what is legal and tolerated within the US. This, like pretty much everything about the current administration, is not explicitly about Trump, but something that has been cooking for at the very least the past two decades.
I think the parent poster is saying that the present of a warrant does not make the action not autocratic. And you are disagreeing with a different idea (that the presence of a warrant doesn't matter at all), by saying it does matter, but in the opposite way -- if a warrant is present that indicates the state is losing checks and balances.
That is, a high pass rate could also indicate that it is a well functioning system with few spurious requests and none that are lacking required information.
Does requiring a warrant guarantee best behavior? No. But it does provide a solid path for accountability and a path to codify better rules, when abused.
Point me to an article if I’m wrong, but I haven’t heard even a single credible rumor that these Stingrays aren’t being used for exactly what authorities say they are - trying to find particular individuals is a general area. Have you heard of whistleblower accounts or accidentally leaked details about large scale storage ordata mining of location data from Stingrays?
If your argument is simply that law enforcement agencies don’t have the right to conduct a dragnet when pursuing a fugitive murderer, as is the case here, you’re going to need something more persuasive than a rant against authoritarianism.
If this government has not proven that they had one, you'd be mad to trust that they did.
There are no consequences to it for lying, or for not following the law, or not acting in good faith. It has a well-documented history of doing all three, and is headed by a convicted criminal.
They clearly don't care for legality, constitutionality, anything positive or good.
I see those quite frequently, the bulk of them are phones trying to roam in a network they're not allowed to though, and some cause the cell is a bit overloaded, some cause the phone sends a wrong tracking area - not sure that's a phone bug or a common scenario where the phone retains an old tracking area, then it tries to connect to the same tracking area - then the phone discovers it's is now in a different tracking area, and after being rejected, it connects with the correct one.
Could the regular mobile tower operators collect subscriber identities at will via their regular gear, with no stingray vans or warrants required, and save the information for later? That seems to be how it's done with the other subscriber location and communication contents that they collect.
"In a recently-unsealed search warrant reviewed by Forbes, ICE used such a cell-site simulator in an attempt to track down an individual in Orem, Utah. The suspect had been ordered to leave the U.S. in 2023, but is believed to still be in the country. Investigators learned last month that before going to Utah, he’d escaped prison in Venezuela where he was serving a sentence for murder, according to the warrant. He’s also suspected of being linked to gang activity in the country, investigators said.
When the government got the target’s number, they first got a warrant to get its location. However, the trace wasn’t precise–it only told law enforcement that the target was somewhere in an area covering about 30 blocks. That led them to asking a court for a Stingray-type device to get an accurate location.
The warrant was issued at the end of last month and it’s not yet known if the fugitive was found."
https://san.com/cc/exclusive-evidence-of-cell-phone-surveill...
This particular article was about using Stringray with a warrant. I'm sure that the government is abusing Stingray but it'd be nice to have evidence first.
Like license plate readers and facial recognition, you're out in the world without the expectation of privacy but I think for most people that feels different when a giant automated system is sucking everything up without recourse.
https://www.cise.ufl.edu/~butler/pubs/ndss25-tucker-marlin.p...
Ideally, this is something I could hack together in the next few days since ICE is prepping to invade my city.
Not usually that I’m aware of as a single data point in any system but if there are other reasons to thing you’re trying to act surreptitiously you are going to be very close to the top of the list of people of interest.
There’s a lot to be said in 2025 for appearing uninteresting to anyone who might be watching.
Here’s something [1] that’s was public almost 20 years ago at this point. Things have advanced a lot since then. I don’t think you quite understand just how much of a pipeline there was for this kind of technology that went almost directly from quite classified SIGINT stuff in the GWOT to casual LEO / domestic stuff.
I know the whole no phone thing sounds like a real high speed operator move but it’s very literally a signal they go looking for when trying to sift through large amounts of data.
[1] https://www.pnnl.gov/main/publications/external/technical_re...
Btw, to help understand the technical challenges involved with this, the whole reason Tesla focused on vision-only for its self-driving was the difficulty of integrating sensor data from multiple sources, e.g. lidar + vision would be significantly more difficult to achieve. It’s not that this isn’t possible in theory - it’s just that there’s no evidence of anyone having done it for “lack of phone” detection, and that’s probably because it’s not really a requirement that’s in high demand.
They realised that technology had changed for them even that long ago that all it was doing was just making a really clear signal for the opposition as to who they were and that they were someone interesting.
I think the advice you have is very literally decades out of date.
If you have an hour or two to kill I’d recommend taking a look at this for a real no bullshit modern way of thinking about this problem space: https://youtu.be/0_04-lTu2wg?feature=shared
But the OP article is about a Stingray operation covering 30 blocks, and other discussion in this thread is about protests such as the anti-ICE protest which gathered cellphone info from the protestors. In those kinds of environments, if you don’t want to show up on surveillance, you’re much better off not carrying a phone.
Being more specific, this comment of yours is not supported by evidence:
> No phone actually stands out a lot in real life surveillance systems and will very quickly get you a bunch of additional attention because it’s so unusual.
But, if you’re getting your information from videos like the one you linked, I can see why you have these beliefs.
I have very good reasons to know what I’m talking about here but again, I’m not here to argue with you.
Is this too extreme? How expansive are the queries theyre running on these identifiers? Are they running algos to detect burner phones based on the highly anomalous activity patterms described above?
It's becoming common practice for protesters to store their phones in faraday bags. I don't think "no phone" would stand out as much as you think it would.
Just turning the phone off and wrapping it tight in aluminum foil is almost certainly better.
They can and do have the ability to MITM traffic though. There is not anything to stop someone with the hardware from doing it and everyday that passes it seems the rules matter less and less.
The entire modern game is very literally, don’t be interesting and don’t do weird shit that normal people wouldn’t do. It’s a needle in a haystack problem so don’t go and start creating a really weird signature of whatever it might be: behaviour, communication, RF emissions etc. The anomaly is the signature and has been for about 20 years now.
The fact that there are a lot of people there is actually the strength of it.
I’d probably think carefully about what you want to use it for and what I had on there though. I wouldn’t recommend bringing a device with a a bunch of incriminating evidence to an event like that.
I think a good threat model is just operate on the assumption that maybe someone stops you and asked to look at your phone. Go ahead and also assume that they will ask at the most inconvenient point in the day also. Act accordingly and I wouldn’t anticipate much in the way of trouble from having one.
Also, look at it through the eyes of the opposition, what are their goals here…
1. Fix the signal to noise ratio in a crowd
2. Identify people
3. Map out networks
And your goal is to not to be “invisible” (you can’t anyways) but to be uninteresting. They aren’t the same thing and the difference is important.
For the overwhelming majority of people I don’t think there is much yet to worry about in simply attending a protest (Assuming you’re a citizen and you act sensibly because otherwise that’s an entirely different threat model and you probably shouldn’t be there at the moment).
But I would leave you with this bit of advice also… they very much want you to think they are the all knowing, all seeing and ever present 50ft tall enemy. That isn’t true. There is also no shortage of people who really seem to get off on pretending things are more dangerous than they really are but that shit turns into paranoia real quickly and then people become terrified to do anything or you start making bad decisions. Fight both of those things when you run into them.
You can and should feel good about getting out in the streets at the moment, it’s not going to get easier the longer it goes on just be sensible.
That seems a tad naive. I think being recorded by local/Federal agencies at a protest, especially one critical of current government actions, is a legitimate concern. Especially since those tools are being brought out specifically for the protest, not because they are looking for some murderer that happens to be a block away from you.
Also, the word "yet" is doing a lot of work there. Considering that data can be stored indefinitely with little oversight, there is little to stop police from searching through the database and looking for "targets of interest" like phones that showed up to multiple protests.
Being at a protest is already known to make you interesting, which is why those tools are being brought out in the first place, why police are "friending" protest organization FB pages to gather membership data, etc. Keeping yourself out of databases that could be used later to jam you up is reasonable. There is also no way for police to tell who has a phone and who doesn't at a protest, so you aren’t highlighting yourself anymore by not bringing your phone (or turning it off), unlike say wearing a mask and sunglasses to reduce facial recognition visually highlights you.
Sounds like "no phone" is the winner
You can remove the battery, put it in a Faraday cage and charge it turned off (or in another device/out of one). It can be on only when you need it.
Because that 1000% is a real capability you will have to deal with and like sure, do what you can to make the costs associated with that as hard as possible but don’t get confused into thinking it’s a technical solution that is going to fix this problem.
Fully patched iOS in lockdown mode isn’t going to save you from someone physically making you open it in front of them.
Think something a lot closer to this xkcd comic: https://xkcd.com/538/
Alles klar, Herr Kommissar?
However, my endeavor here is more focused on awareness and transparency for the masses than subterfuge for the individual.
<https://www.timesofisrael.com/israel-targeted-top-iranian-le...>
I'm listing the Times of Israel first as it's an Israeli publication, though it cites the following NY Times article which researched the story:
"Targeting Iran’s Leaders, Israel Found a Weak Link: Their Bodyguards"
Despite all the precautions, Israeli jets dropped six bombs on top of the bunker soon after the meeting began, targeting the two entrance and exit doors. Remarkably, nobody in the bunker was killed. When the leaders later made their way out of the bunker, they found the bodies of a few guards, killed by the blasts.
The attack threw Iran’s intelligence apparatus into a tailspin, and soon enough Iranian officials discovered a devastating security lapse: The Israelis had been led to the meeting by hacking the phones of bodyguards who had accompanied the Iranian leaders to the site and waited outside...
<https://www.nytimes.com/2025/08/30/us/politics/israel-iran-a...>
(Archive / paywall: <https://archive.is/XdZet>)
It's not just your phone, it's the phones of those around you. Whether or not you have a security detail.
This is one factor which makes pervasive surveillance so absolutely insidious.
There are IMSI catchers - but they all require GSM. At least on Google Pixels you can turn off 2G with a switch. The phone even shows a message about its insecurity.
In Germany I'm running 100% on LTE/5GNR-only for many months now without having a single coverage gap.
looks like iPhones will need to enable Lockdown Mode to disable 2G, at least for iOS 17+ per https://ssd.eff.org/module/attending-protest
You can't get the IMSIs passively anymore, but LTE doesn't make these attacks impossible, just less practical, especially for criminals that don't have warrants on their side.
No big need to dig down deep into the radio and protocol layer.
You can just jam everyone in the area and see who reconnects.
>In its most basic functionality, the [LTE] IMSI catcher receives connection/attach request messages from all mobiledevices in its vicinity. These attach messages are forced to disclose the SIM’s IMSI, thus allowing the IMSI catcher to retreive the IMSI for all devices in its vicinity... a fully LTE-based IMSI catcher is possible, very simple and very cheap to implement without requiring to jam the LTE and 3G bands to downgrade the service to GSM. [2]
Exploits on 5G to retrieve the IMSI. [3]
[1] https://theintercept.com/2016/09/12/long-secret-stingray-man...
[2] https://arxiv.org/abs/1607.05171
[3] https://arxiv.org/abs/1809.06925
Your IMEI will never be send in clear over the network. Not even back in old 2G networks.
If the gov needs your data they can use standardized lawful interception interfaces. This interface offers all juicy data - not only voice, SMS and your phone number.
Which is another reason I simply just stopped carrying a cell phone a few years ago. Absolute freedom.
----
I paid my vehicle off early just so I could disable the infotainment's cell-link. My city has OCR cameras on every 4-lane highway (so I'm still tracked) but it sure is wild how important locations are these days.
Whoops, I hope no other country in conflict with the US gets this idea, that pool has expanded significantly lately!
I recall reading about the people who slammed planes into the World Trade Center towers. They were not hell bent on destroying buildings, they were hell bent on destroying society of the US, destroying buildings was just a stepping stone. And, sure seems like they succeeded.
https://factually.co/fact-checks/politics/border-wall-paint-...
Citizens on the streets don't need to show their papers to ICE, but that's been worked around by yesterday's SCOTUS. Being brown at Home Depot is now sufficient cause to get arrested by ICE.
But the US is not in decline because of whatever anyone from outside does. It's following the same cycle all Hegemons go through over 100-200 years. Whether its Greece, Babylon, Eygpt, Rome, Islamic Caliphates or all the later European powers. They all went through a similar a cycle - rise - dominate - decline. See Oswald Spengler - Rise and Fall of the West written 100 years ago.
nah someone made all that up after the fact
https://www.nbcnews.com/news/amp/rcna206917
> Mexico’s security chief confirmed Tuesday that 17 family members of cartel leaders crossed into the U.S. last week as part of a deal between a son of the former head of the Sinaloa Cartel and the Trump administration.
I don't know how Republicans continue to support this administration. Maybe they just don't know he's aiding criminals?
I mean, our president is a criminal himself. Repeatedly violating the law and the constitution while in office. At this point those supporting the regime must doing it out of either cowardice or malice
Allegedly. No convictions have come from any of the accusations as POTUS.
I'm not sure we'll ever see one since the supreme court is in his pocket and has already ruled that that the president is allowed to commit crimes as long as it was an "official act" as determined on a case by case basis by the court
> “It is evident that his family is going to the U.S. because of a negotiation or an offer that the Department of Justice is giving him,” Garcia Harfuch said.
Looks like they're getting protection in exchange for testimony against other cartels.
Then, just do whatever the hell you want all the name of protecting people from crime and protecting jobs.
What am I saying, that's completely ridiculous and could never happen in a "law and order" country like the US.
Nobody really gives a shit about the constitution it is all about ideology. ICE is going after immigrants so nobody cares about the razzias.
https://news.ycombinator.com/item?id=45184758
https://github.com/EFForg/rayhunter/
Microsoft has billions of dollars in US intelligence-cloud contracts and should leap at a chance to get an edge in on those. They've done things like this before; they provided incredible (and illegal!) cooperation with the NSA back at the time of the Snowden Leaks[0].
[0] https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-... ("Microsoft handed the NSA access to encrypted messages" (2013))
Isn't a git commit trail basically a Merkle tree of checksums? If any developer tried to do a pull or fetch they'd suddenly get a bunch of strange commit messages, wouldn't they?
Also: code signing is / can become a thing.
That Merkle tree prevents the naive case where the adversary tries to serve a version of a repo, to a client who already has an older version, differing in a part the client already has. (The part the client has local checksums for). They shouldn't do that. The git client tells the server what commits it doesn't have, so this is simple to check.
Code signing could be a safeguard if people did it, but here they don't so it's moot. I found no mention of a signing key in this repo's docs.
The checksum tree could be a useful audit if there were a transparency log somewhere that git tools automatically checked against, but there isn't so it's moot. We put full trust in Microsoft's versions.
Lots of things could be helpful, but here and now in front of us is a source tree fully in Microsoft's control, with no visible safeguards against Microsoft doing something evil to it. Just like countless others. It's the default state of trust today.
Git is a distributed vcs after all. Every checkout is its own complete git "hub".
Git may be designed as a distributed VCS; and it'd be a different situation if it were used that way in practice. For many projects, GitHub has a full MITM. They could even—forget about the checksums—bifurcate the views in between devs—accept commits from one dev, send over those commits with translated Merkle trees to another dev who has a corrupted history, and they'd never figure it out.
I think the point is they don't have complete control over it. Sure, they have complete control over the version that is on GitHub. But git is distributed, and the developers will have their own local copies. If Microsoft screwed with the checksums, and git checks them. The next developer pull or push would blow up.
If they're pushing or pulling to/from GitHub, then GitHub has a total MITM and is able to dynamically translate checksum trees in between devs' incompatible views of the repo.
Those checksums would seem valid to the victims, as they're a self-consistent history of checksum trees they got directly from GitHub. The devs would be working with different checksum trees. GitHub would maintain both versions, serving different content and different checksums depending on who asks.
That might work for a while if dev isn't active. He would, for example have to not notice there was a new release, with an incremented version number that triggers updates. Even that doesn't work forever. Down stream dev's often look at the changes - for example a Debian maintainer usually runs his eye over the changes.
But if the dev is active this is going to be noticed pretty quickly. The branches will diverge, commit messages, feature announcements, bug reports, line numbers not matching up. It would require a skilled operator to keep them loosely in sync, and that's the best they could do.
Either way, sooner or later Microsoft's subterfuge would be discovered, and that is the death knell for this scenario. The outrage here and elsewhere would boil over. Open source would leave github en masse, Microsoft's reputation would be destroyed, they would lose top engineers. I don't have a high opinion of Microsoft's technical skills and leadership as they have been consistently demonstrated themselves to be inconsistent and unreliable. But the company too large and too successful to be psychotic. The shareholders, customers, and lawyers would have someones guts for garters if they pulled a stunt like that.
That won't work. The first thing the client does is ask the server for list of references with their oids (ls-refs). It only asks for oids and reports what oids it has after the server responds.
You'd need another way to identify that the client asking for references was the same one you vended the tampered source tree to, otherwise, you'd need to respond with the refs' real oids and the fetch would fail since there's no way to get from the oid the user has to the real one.
But it's written in rust.
I think the release files is the place they could most easily tamper - generally they're stored on Github infra so the files could be changed, and the checksum on the download page also altered (or different files and different checksums provided to different people if targeted).
Unless the builds are totally reproducible it'd be tricky to catch.
To that end, I started a project last month so that code signing can be done in multiple geographical locations at once: https://github.com/soatok/freeon
I wonder what their lawyers think of this.
https://bja.ojp.gov/program/it/privacy-civil-liberties/autho...
96 more comments available on Hacker News