[UPDATE-2] Cellphone Surveillance Used on Black Lives Matter Protesters at Fourth Precinct in Minneapolis

By: Sam Richards, Jason Hernandez and Jerod MacDonald-Evoy

Cellphone surveillance technology was deployed against protesters at the occupation of the Fourth Precinct in North Minneapolis, an investigation by the North Star Post has found. The investigation shows the presence of an IMSI Catcher which was programmed to reveal location and identification data of cellphone users within the vicinity of the protest encampment.

During our investigation the test phone we used “was asked for its IMSI and told to connect to a new tower twice in eight seconds,” according to North Star Post technology expert Jason Hernandez, who analyzed the data collected with SnoopSnitch. SnoopSnitch is an open source application for detecting attempts at cellphone surveillance, created by Security Research Labs Berlin.

International Mobile Subscriber Identity (IMSI) numbers are used to identify the user of a cellular network. IMSI Catchers can retrieve these numbers from all phones in range of the device, which in this case would give a list of all protesters, and of unrelated people nearby, when matched against subscriber data from cellular carriers.

Even without subscriber data, IMSIs can be tracked to identify regular protesters, groups of people who associate in the same area, and track patterns of movement. More advanced IMSI Catchers can impersonate cellular carriers to the point of routing calls and text messages (and capturing a copy). IMSI catchers can also trick phones into using obsolete protocols that allow calls and text messages to be intercepted and decoded by any hobbyist in range. Our data does not show that the IMSI catcher attempted to intercept or weaken the security of calls during this incident, which could be due to limited sampling.

Nekima Levy-Pounds, President of the local NAACP and protest organizer, reacted to these revelations by saying, “I think it’s despicable that officers in the Fourth Precinct and other law enforcement agencies would use these powerful tools on non-violent, peaceful protesters. We need to ensure that the right to protest is free of unnecessary infringements on our civil liberties and privacy.”

IMSI Catchers, which were first acquired by the Minnesota Bureau of Criminal Apprehension (BCA) in 2005 and in 2010 by the Hennepin County Sheriff’s Office (HCSO), trick cellular phones into connecting and giving up specific information. Read more about this technology in Minnesota here.

John Elder, public information officer with the Minneapolis Police Department, denied owning or using cellphone surveillance tools, or coordinating with other agencies for their use.

Jill Oliveira, with the Department of Public Safety under the Bureau of Criminal Apprehension, denied their department deployed any such hardware and stated that “the BCA does not lend equipment of any kind to other agencies.”

Rebecca Gilbuena, public information officer with the Hennepin County Sheriff’s Office, denied that their office has used or shared this technology with Minneapolis Police in relation to the protests.

The Federal Bureau of Investigation’s Minneapolis office stated over the phone they were not involved in any investigations in the area at the time, according to Chief Division Counsel Kyle Loven. “It was not us,” Loven said, adding they are “not certain what the situation was and we are not certain who else was in that area.” When asked if the data could suggest a cyber threat instead of possible law enforcement involvement, Loven stated the FBI has not “received any reports of that nature,” adding they are “not certain what to make of your information.”

Protester Ali Abdirahman, 20, said his phone was acting strange whenever he was around the Fourth Precinct.

“When I was near the Precinct my phone would shut down and restart,” Abdirahman said, adding that it “happened on a consistent basis.”

Abdirahman stated other protesters were having a similar issue and he eventually powered his phone down entirely.

A bill that was signed into law and became effective in 2014 was hailed as “nation leading” for the high requirements it demanded of law enforcement for the use of these cellphone surveillance tools. SF2466, authored by former state senator Branden Petersen of Andover, boosted the requirements for issuing a warrant to deploy cellphone surveillance technology from “reasonable suspicion” to “probable cause” and implemented other strong privacy safeguards.

According to SF2466, “A tracking warrant granting access to location information must be issued only if the government entity shows that there is probable cause the person who possesses an electronic device is committing, has committed, or is about to commit a crime.” The bill offers only a few exemptions to this warrant requirement including, “[I]n an emergency situation that involves the risk of death or serious physical harm to a person who possesses an electronic communications device…”

“They’re testing out their tactics, their armor and their equipment on us,” Abdirahman said about the IMSI Catchers, adding, “it worries me.”

The state court administrator must be informed when requests for tracking warrants have been made, among other details. The North Star Post is pursuing this and more information and will be publishing updates as new information comes our way. The Minnesota Bureau of Criminal Apprehension has yet to comment on this story, and it is unclear who was utilizing the IMSI Catcher and for what purpose. We will post updates following their commentary.

AT&T was contacted and asked if maintenance was being performed on the nearby cell tower, which can look similar to an IMSI Catcher, but no maintenance was performed in the area, according to AT&T Minnesota spokesman Mark Giga.

Below is the technical information obtained through our investigation.

The IMSI catcher sent the following set of packets (repeated twice, 8 seconds apart):
– Location update request – this communication normally happens when a phone moves between towers. An IMSI catcher must force a location update to start communications with a target phone. Our phone was stationary at the time.
– Routing area update requests (2) – one packet is identified as a malformed packet by Wireshark and requires further analysis. Malformed packets can be used to exploit software bugs and compromise devices, although it is not clear if this was such an attempt. A second packet comes through normally.
– Identity request – The IMSI catcher requests that our phone provide its IMSI.
– Identity response (2) – Our phone responds, providing its IMSI twice in separate packets
– Location update reject – The IMSI catcher rejects traffic from our phone so it re-associates with a legitimate AT&T base station.
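The sequence above can be turned into a simple detection rule: a location update in which the network asks for the IMSI, receives it, and then rejects the phone. The following is an added example, not code from the North Star Post or SnoopSnitch's own detection logic; the event tuples are constructed sample data (not the article's capture), and the message directions, the 5-second window and the 30-second repeat gap are assumptions.

```python
# Constructed sample events: (seconds, direction, message).
# "up" = phone to network, "down" = network to phone (assumed from GSM roles).
SAMPLE_EVENTS = [
    (0.0, "up", "location update request"),
    (0.2, "up", "routing area update request"),
    (0.3, "up", "routing area update request"),
    (0.5, "down", "identity request imsi"),
    (0.6, "up", "identity response imsi"),
    (0.7, "up", "identity response imsi"),
    (0.9, "down", "location update reject"),
    (8.0, "up", "location update request"),
    (8.5, "down", "identity request imsi"),
    (8.6, "up", "identity response imsi"),
    (8.7, "up", "identity response imsi"),
    (8.9, "down", "location update reject"),
    (20.0, "up", "location update request"),   # ordinary update on a real tower
    (20.4, "down", "location update accept"),
]


def find_imsi_harvests(events, window=5.0):
    """Return (start, end, imsi_responses) for every location update in which
    the network requested the IMSI, got it, and then rejected the phone."""
    hits, start, asked, sent = [], None, False, 0
    for ts, direction, msg in sorted(events):
        if (direction, msg) == ("up", "location update request"):
            start, asked, sent = ts, False, 0       # a new attempt begins
        elif start is None or ts - start > window:
            start = None                            # not inside any attempt
        elif (direction, msg) == ("down", "identity request imsi"):
            asked = True
        elif (direction, msg) == ("up", "identity response imsi") and asked:
            sent += 1
        elif direction == "down" and msg.startswith("location update "):
            if msg.endswith("reject") and sent:     # IMSI given, then turned away
                hits.append((start, ts, sent))
            start = None                            # accept or reject ends it
    return hits


def repeated_harvest(hits, max_gap=30.0):
    """True when two harvests start within max_gap seconds of each other."""
    return any(b[0] - a[0] <= max_gap for a, b in zip(hits, hits[1:]))


if __name__ == "__main__":
    found = find_imsi_harvests(SAMPLE_EVENTS)
    print(found, "repeated:", repeated_harvest(found))
```

A single rejected update can have benign causes, so the repeat check is what raises confidence here; a real capture would first need its messages decoded (for example by Wireshark) into events of this shape.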

Link to traffic log: here. We encourage technical readers to review the packet log we collected from our phone and provide comments. This file is readable in recent versions of Wireshark.

If you have technical information you want to share, you can contact Jason Hernandez. Jason’s PGP key is available here and his PGP fingerprint is 6FDE 19C2 B533 093D D3C0 6CFB 240D 0B36 9A5E AA4A. He can follow up via other channels that better support forward secrecy.
