How Cell-Site Simulators Work

In order for a cell phone to work—to send and receive data—it must connect with a cellular network, usually via a cell tower. Cell-site simulators take advantage of a phone’s preference for the strongest cell signal in the area by broadcasting signals that are either stronger than the legitimate cell tower sites around them, or are made to appear stronger. This and other tricks convince devices to disconnect from their service providers’ cell towers and instead establish a new connection with the CSS, thus actively interfering with users’ communications with their networks. CSSs also have passive capabilities, such as identifying legitimate cell sites, mapping out their coverage areas, and intercepting metadata being sent using old, insecure cellular technologies such as 2G.

A cell-site simulator can intercept an alarming amount of private information for all the cell phones within range that connect to it. This information is delivered to a CSS operator—typically a law enforcement officer—even if the cell phone user is not suspected of a crime or related to the target of the investigation. Once a connection has been made, CSSs can reveal a cell phone’s location, unique IMSI number, the metadata of communications, and possibly even the content of unencrypted phone calls, emails and text messages.

At this point, there is no way for a phone to be configured to avoid sharing its unique identifying number with a CSS, aside from turning the device off or placing it in a Faraday bag. However, end-to-end encrypted apps, which encrypt messages between senders and recipients, should still provide some protection. It is very difficult to tell from the cell phone itself whether its information has been captured by a CSS. Some cell-site simulators are reported to have the ability to disrupt service for innocent bystanders within range or even inject a device with malware.
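The two behaviours described above, a signal that appears stronger than the legitimate towers and a fallback to 2G, can be turned into a simple review heuristic over a log of serving-cell observations. This is an added example, not part of the original article: the record fields, cell names, thresholds and the two-indicator rule are assumptions made for illustration, and a flagged entry is a reason to look closer, not proof that a CSS was present.

```python
from dataclasses import dataclass

# Assumed values for this example; tune against a real survey of the area.
STRONG_DBM_MARGIN = 15   # new serving cell is at least this much stronger
LEGACY_RATS = {"2G"}     # radio technologies the article calls old and insecure

@dataclass(frozen=True)
class Obs:
    t: int        # seconds since the start of the capture
    rat: str      # radio access technology: "2G", "3G", "4G"
    cell_id: str  # hypothetical cell identifier
    dbm: int      # received signal strength of the serving cell

def flag_suspicious(observations, baseline_cells):
    """Return (time, cell_id, reasons) for serving-cell changes worth review."""
    findings = []
    prev = None
    for obs in observations:
        if prev is not None and obs.cell_id != prev.cell_id:
            reasons = []
            if obs.cell_id not in baseline_cells:
                reasons.append("cell not in baseline survey")
            if obs.dbm - prev.dbm >= STRONG_DBM_MARGIN:
                reasons.append("much stronger than previous serving cell")
            if obs.rat in LEGACY_RATS and prev.rat not in LEGACY_RATS:
                reasons.append("downgrade to 2G")
            # One indicator alone is common in normal roaming; require two.
            if len(reasons) >= 2:
                findings.append((obs.t, obs.cell_id, reasons))
        prev = obs
    return findings

# Constructed sample log (not real measurements).
BASELINE = {"cell-A", "cell-B", "cell-C"}
SAMPLE = [
    Obs(0, "4G", "cell-A", -95),
    Obs(30, "4G", "cell-B", -92),   # ordinary handover between surveyed cells
    Obs(60, "2G", "cell-X", -60),   # unsurveyed, far stronger, and 2G
    Obs(90, "4G", "cell-A", -96),   # back on a surveyed cell
    Obs(120, "2G", "cell-C", -99),  # surveyed cell, 2G fallback only
]

if __name__ == "__main__":
    for t, cell, reasons in flag_suspicious(SAMPLE, BASELINE):
        print(f"t={t}s {cell}: " + "; ".join(reasons))
```
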

There are several companies that make different models of CSSs. Harris Corporation is one of the biggest sellers of CSSs, and their Stingray device was one of the most popular models used by law enforcement. Harris has since introduced several new products with similar capabilities under the model names Harpoon, Hailstorm, Arrowhead, AmberJack, and Kingfish. The flight engineering company Boeing has a Digital Receiver Technology division, which also sells CSSs commonly referred to as “DRT boxes.” Other CSS manufacturers include Atos, Rayzone, Martone Radio Technology, Datong (Seven Technologies Group), Gamma Group, KeyW Corp, Rohde & Schwarz, Meganet Corporation, PKI Electronic Intelligence, Ability Computers and Software Industries, and Septier Communication.


What the Technology Looks Like When It’s Used

CSSs can be as small as a shoebox, or even small enough to fit in your pocket, and may easily fit into most law enforcement vehicles. Some more powerful models may be much larger and can be affixed to aerial vehicles that fly over a given area to scoop up data from every cell phone within range that connects to it.

In late 2015, the Intercept obtained and published a catalogue of surveillance devices used by law enforcement agencies across the United States. The catalogue includes photos and details about several Harris Corp. devices, including the Stingray, Kingfish, and Blackfin. The catalogue also includes several photos of multiple “DRT box” devices, including the DRT 1101B, DRT 1183B, DRT 1201C, DRT 1301C, DRT 1301B3, and DRT 4411B.

Criminal defense lawyers who believe their clients may have been subject to a CSS search should be on the lookout for some of the following signs:

  • Any mention of common terms used to describe a CSS such as: “stingray,” “IMSI catcher,” “digital analyzer,” or “DRT box.”
  • Any mention of CSS brands or models such as: “Stingray,” “Hailstorm,” “Harpoon,” “ArrowHead,” “AmberJack,” “Blackfin,” “KingFish,” “Thoracic,” “Stargazer,” and “Dream Catcher.”
  • Any mention of companies that sell CSSs, including Harris Corporation, Digital Receiver Technology (a division of Boeing), Atos, Rayzone, Martone Radio Technology, Datong (Seven Technologies Group), Gamma Group, Rohde & Schwarz, Meganet Corporation, PKI Electronic Intelligence, KeyW Corporation, Ability Computers and Software Industries, and Septier Communication.
  • Any mention of the term “WITT,” which is the FBI’s “Wireless Intercept Tracking Team,” charged with overseeing CSS deployment and use by the FBI.
  • If police found your client by “pinging” their phone, but there are no CSLI records from the cell service provider.
  • Any language that tracks the DOJ’s model CSS warrant application, which uses terms or phrases like: “target cell phone,” “monitoring” or “collecting” signals to “precisely determine location.”
  • In some jurisdictions, agencies are required to make public disclosures when they track a cell phone. However, whether a CSS was used may not be clear. In California, a disclosure that indicates real-time phone location data was obtained may indicate use of a cell-site simulator. In Washington state, agencies must disclose to the court when they use a pen register, trap and trace, or cell-site simulator, but they are not required to specify which of the three technologies was used.
