News: Reports of SIGINT sabotage at Standing Rock. An analysis.

You may of heard of the protests at Standing Rock, the site of a future Oil Pipeline. Large protests have developed which have gotten 24/7 media attention. But apparently the media and the DAPL constructors aren’t the only ones giving the protestors such close attention.

This article will be focusing on the technical side of the reports we’ve been given. View the full Cracked.com article on their investigation.

The moment you hit this camp from the highway, the signal goes to [nothing].” (…) Camera apps were opened out of nowhere, and batteries would drain by enormous percentages, killing the phones in minutes, rather than the steady decline of any device pinging back and forth searching for a signal.

This report, along with other reports regarding cellphones dropping coinciding with overhead planes, seems to indicate that the government is up to no good using its well-known Stingray capability, which allows the owner of the device to manipulate cell-tower connections.

The particular capability being used here is ‘Forcing an increase in signal transmission power’ which abuses the communication between user and cell tower. Imagine you are far away from your friend and you are communicating via yelling. Obviously you don’t want to yell too loud, lest you strain your voice. However if you yell to quietly, your friend may not hear you very well. To combat this, your friend may yell back ‘LOUDER’ and get you to increase the volume.

Cell-tower communications work in much the same way. Your phone will attempt to use the minimum possible power to communicate with a given cell tower. If the cell tower is detecting that your signal is weak, it will self-report that back to your phone, causing an increase in your transmission power. The implications are obvious. The Stingray device mimics a cell tower and can thus make your phone’s transmitters go into max power mode, causing your batteries to drain very quickly as reported.

Following the yelling analogy, this can also be extended into a generalized denial-of-service (DoS) attack. Imagine you’re having a quiet conversation in the library, and then your ‘friend’ bursts in and starts screaming. You and your conversation partner are immediately going to have trouble hearing eachother. Very much in the same way, the stingray device also has a setting such that it can be used to ‘jam’ cell communications in a localized area, by simply broadcasting white noise, or ‘nothing’, at an extreme ‘volume’ or amplitude.

Stingray can also be used to perform Man-in-the-Middle attacks, although it would appear cell communications aren’t the only thing being targeted…

Eventually, a press liaison named Michael explained that the open WiFi networks were basically a honeypot. “There are a number of unsecured WiFi networks within an eighth of a mile” of the camp. (…) Michael also reported that the WiFi at the press tent “gets DDoS’d every couple of hours.”

So what is happening here is people are luring unsuspecting protesters to use insecure WiFi by disrupting the service of reputable providers. Note that the ‘insecure’ part of this isn’t so important as the ‘luring’ part. Secure WiFi only protects your communications to and from the router, and does nothing against the people who control it.

If you control the network gateway, you can control the conversation. User Alice sends an insecure HTTP request for http://insecurelogin.com/login.html, and gets back the familiar-looking form, only when she clicks ‘submit’ the data goes to the ‘Man in the Middle’ or ‘MitM’ rather than the site she wanted.

Apparently, this is exactly what happened to some people:

Those who connected would discover that their email passwords had been changed and they were temporarily locked out of their accounts.

Note that it says their passwords were changed and their accounts temporarily locked out. I’m going to speculate and explain this discrepancy by saying that the ‘and’ is an ‘or’. This meets our current understanding of how most users will try to login.

There exists a technology called TLS, more commonly called OpenSSL which encrypts your communications to and from a site and makes them immune to precisely this kind of Man-in-the-Middle attack. However, TLS only protects you if you’re using it. Regular non-secure connections that don’t use TLS are open to hijacking.

Most apps these days will automatically use HTTPS if available, and many web services don’t even offer HTTP in the first place, however there is a narrow gap where a password-retrieval attack is possible.

To make sure clients connect with HTTPS, a technology, called “Strict-Transport-Security” or HSTS exists. The standard for HSTS was only approved late 2012, or almost exactly four years ago, and has been undergoing a steady rollout since that time.

This means that there exist clients out there (probably on older, poorly updated devices), that will connect to a given HTTP version of a site if a insecure MitM’d router presents it. User enters in details and voila! Password stolen. Other users will try to connect with TLS, fail, and the owner of the router (some gov employee) will then lock out that person’s username by repeatedly trying to login.

These two possibilities explain the discrepancy of “passwords changed” or “temporarily locked out”. While of course it is completely possible that the ‘temporarily locked out’ refers to what happens when you enter an incorrect password, that doesn’t change the mechanics of MitM attack.

Summary


All of this points to a comprehensive and well-executed attack on the protestors at Standing Rock. Jamming, Stingray, honeypot routers, and general MitM are being deployed against protestors. While it is speculated that the attacks are nothing more than black-hat opportunits, I think it is clear that the level of attacks – as well as the use of planes revealed by cracked – indicate rather clearly that the government is instigating them.

My advice to the people at Standing Rock is to be more security conscious. Keep 3G disabled, turn data off and only use the secure WiFi networks that you can confirm in person are owned by trustworthy people. Ensure your devices are using TLS to connect to web services such as twitter, reddit, facebook, google, etc by looking for a (usually green colored) lock in the address bar.

Oh and, I hope you guys win.

5 thoughts on “News: Reports of SIGINT sabotage at Standing Rock. An analysis.

  1. You have to wonder if purposefully killing everyone’s batteries in a protest area, and jamming their signals, and hacking their network traffic, constitutes a severe violation of the 1st Amendment. They are trying to prevent people from simply speaking.

    Like

  2. […] Though we libertarians often find ourselves defending corporations for actions deemed unsuitable by the more left of crowds, this is an issue we can all unite on – corporate influence in government has reached absurd levels. The corporate cronies in the Dakotas wanted a pipeline, and they would do anything from mass application of eminent domain, force against peaceful protestors, and now recently, suppressing information. […]

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s