Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

Rigmaiden was arrested in 2008 on charges that he was the mastermind behind an operation that involved stealing more than $4 million in refunds from the IRS by filing fraudulent tax returns. He and others are accused of using numerous fake IDs to open internet and phone accounts and using more than 175 different IP addresses around the United States to file the fake returns, which were often filed in bulk as if through an automated process. Rigmaiden has been charged with 35 counts of wire fraud, 35 counts of identity theft, one count of unauthorized computer access and two counts of mail fraud.

The surveillance of Rigmaiden began in June 2008 when agents served Verizon with a grand jury subpoena asking for data on three IP addresses that were allegedly used to electronically file some of the fraudulent tax returns. Verizon reported back that the three IP addresses were linked to an air card account registered in the name of Travis Rupard — an identity that Rigmaiden allegedly stole. The air card was identified as a UTStarcom PC5740 device that was assigned a San Francisco Bay Area phone number.
A court order was then submitted to Verizon Wireless requiring the company to provide historical cell site data on the account for the previous 30 days to determine what cell towers the air card had contacted and determine its general location. Verizon responded by supplying the government with information that included the latitude and longitude coordinates for five cell sites in San Jose and Santa Clara cities, in the heart of Silicon Valley.
In July, the government served Verizon Wireless with another court order directing the company to assist the FBI in the use and monitoring of a mobile tracking device to locate an unidentified suspect. The order directed Verizon Wireless to provide the FBI with any “technical assistance needed to ascertain the physical location of the [air card]….”
The government has fought hard to suppress information about how it uses stingrays, but in his motion to suppress, Rigmaiden lays out in great detail how the surveillance occurred and the nature of the technical assistance Verizon provided the FBI.

On the morning of July 14, 2008, FBI Agent Killigrew created a cell tower range chart/map consisting of a street map, plotted Verizon Wireless cell site sectors belonging to cell site Nos. 268, 139, and 279, and a triangulated aircard location signature estimate represented by a shaded area. On the chart/map, the total land area collectively covered by cell site Nos. 268, 139, and 279 is approximately 105,789,264 ft². FBI Agent Killigrew used triangulation techniques and location signature techniques to eliminate 93.9% of that 105,789,264 ft² area resulting in the location estimate being reduced to 6,412,224 ft² represented by the shaded area. The shaded area on the cell tower range chart covers the location of apartment No. 1122 at the Domicilio apartment complex.

On July 15, agents with the FBI, IRS and US Postal Service flew to San Jose to triangulate Rigmaiden’s location using the stingray. They worked with technical agents from the San Francisco FBI’s Wireless Intercept and Tracking Team to conduct the real-time tracking.
According to Rigmaiden, the agents drove around the cell site areas gathering information about signal range and radio frequencies for each cell site sector. “The radio frequency information was needed so that the FBI technical agents could properly configure their StingRay and KingFish for use in cell site emulator mode,” Rigmaiden writes. “By referencing a list of all the radio frequencies already in use, the FBI was able to choose an unused frequency for use by its emulated cellular network that would not interfere with the various FCC licensed cellular networks already operating in the noted area.”
The next day, Verizon Wireless surreptitiously reprogrammed Rigmaiden’s air card so that it would recognize the FBI’s stingray as a legitimate cell site and connect to it “prior to attempting connections with actual Verizon Wireless cell sites.” The FBI needed Verizon to reprogram the device because it otherwise was configured to reject rogue, unauthorized cell sites, Rigmaiden notes.
On July 16, the FBI placed 32 voice calls to the air card between 11am and 5pm. Each time the air card was notified that a call was coming in, it dropped its data connection and went into idle mode. At the same time, it sent real-time cell site location information to Verizon, which forwarded the information to the FBI’s DCS-3000 servers, part of the elaborate digital collection system the FBI operates for wiretapping and pen-registers and trap-and-traces. From the FBI’s servers, the location data was transmitted wirelessly through a VPN to the FBI’s technical agents “lurking in the streets of Santa Clara” with the StingRay.

At this point, the StingRay took over and began to broadcast its signal to force the air card — and any other wireless devices in the area — to connect to it, so that agents could zoom in on Rigmaiden’s location.
“Because the defendant attempted to keep his aircard continuously connected to the Internet, the FBI only had a very short window of time to force the aircard to handoff its signal to the StingRay after each surreptitious voice call [and] the FBI needed to repeatedly call the aircard in order to repeatedly boot it offline over the six hours of surreptitious phone calls,” Rigmaiden writes. “Each few minute window of time that followed each denial-of-service attack (i.e., surreptitious phone call) was used by the FBI to move its StingRay, while in cell site emulator mode, to various positions until it was close enough to the aircard to force an Idle State Route Update (i.e., handoff).”
Rigmaiden maintains that once the connection was made, the StingRay wrote data to the air card to extend the connection and also began to “interrogate” the air card to get it to broadcast its location. The FBI used the Harris AmberJack antenna to deliver highly-directional precision signals to the device, and moved the StingRay around to various locations in order to triangulate the precise location of the air card inside the Domicilio Apartments complex.
According to Rigmaiden, agents also transmitted Reverse Power Control bits to his air card to get it to transmit its signals at “a higher power than it would have normally transmitted if it were accessing cellular service through an actual Verizon Wireless cell site.”
Once agents had tracked the device to the Domicilio Apartments complex, they switched out the StingRay for the handheld KingFish device to locate Rigmaiden’s apartment within the complex.
Around 1am on July 17, an FBI agent sent a text message to another FBI agent stating, “[w]e are down to an apt complex….” By 2:42 am, one of the FBI technical agents sent a text message to someone stating that they had “[f]ound the card” and that agents were “working on a plan for arrest.”
Agents still didn’t know who was in the apartment — since Rigmaiden had used an assumed identity to lease the unit — but they were able to stake out the apartment complex and engage in more traditional investigative techniques to gather more intelligence about who lived in unit 1122. On August 3, while the apartment was still under surveillance, Rigmaiden left the unit. Agents followed him a short distance until Rigmaiden caught on that he was being followed. After a brief foot chase, he was arrested.
Rigmaiden and the American Civil Liberties Union and Electronic Frontier Foundation have argued that the government did not obtain a legitimate warrant to conduct the intrusive surveillance through the stingray. They say it’s indicative of how the government has used stingrays in other cases without proper disclosure to judges about how they work, and have asked the court to suppress evidence gathered through the use of the device.
U.S. District Court Judge David Campbell is expected to rule on the motion to suppress within a few weeks.

Source: http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/all/
