Cell site simulators, known as “stingrays,” impersonate cell towers and can capture information about any phone in its range — including in some cases calls, messages and data. Police secretly deploy stingrays hundreds of times a year across the United States, often capturing the data on innocent bystanders in the process.
Little is known about stingrays, because they are deliberately shrouded in secrecy. Developed by Harris Corp. and sold exclusively to police and law enforcement, stingrays are covered under strict nondisclosure agreements that prevent police from discussing how the technology works. But what we do know is that stingrays exploit flaws in the way that cell phones connect to 2G cell networks.
Most of those flaws are fixed in the newer, faster and more secure 4G networks, though not all. Newer cell site simulators, called “Hailstorm” devices, take advantage of similar flaws in 4G that let police snoop on newer phones and devices.
Some phone apps claim they can detect stingrays and other cell site simulators, but most produce wrong results.
But now researchers at the Electronic Frontier Foundation have discovered a new technique that can detect Hailstorm devices.
Enter the EFF’s latest project, dubbed “Crocodile Hunter” — named after Australian nature conservationist Steve Irwin who was killed by a stingray’s barb in 2006 — helps detect cell site simulators and decodes nearby 4G signals to determine if a cell tower is legitimate or not.
Every time your phone connects to the 4G network, it runs through a checklist — known as a handshake — to make sure that the phone is allowed to connect to the network. It does this by exchanging a series of unencrypted messages with the cell tower, including unique details about the user’s phone — such as its IMSI number and its approximate location. These messages, known as the master information block (MIB) and the system information block (SIB), are broadcast by the cell tower to help the phone connect to the network.
“This is where the heart of all of the vulnerabilities lie in 4G,” said Cooper Quintin, a senior staff technologist at the EFF, who headed the research.
Quintin and fellow researcher Yomna Nasser, who authored the EFF’s technical paper on how cell site simulators work, found that collecting and decoding the MIB and SIB messages over the air can identify potentially illegitimate cell towers.
This became the foundation of the Crocodile Hunter project.
Crocodile Hunter is open-source, allowing anyone to run it, but it requires a stack of both hardware and software to work. Once up and running, Crocodile Hunter scans for 4G cellular signals, begins decoding the tower data, and uses trilateration to visualize the towers on a map.
But the system does require some thought and human input to find anomalies that could identify a real cell site simulator. Those anomalies can look like cell towers appearing out of nowhere, towers that appear to move or don’t match known mappings of existing towers, or are broadcasting MIB and SIB messages that don’t seem to make sense.
That’s why verification is important, Quintin said, and stingray-detecting apps don’t do this.
“Just because we find an anomaly, doesn’t mean we found the cell site simulator. We actually need to go verify,” he said.
In one test, Quintin traced a suspicious-looking cell tower to a truck outside a conference center in San Francisco. It turned out to be a legitimate mobile cell tower, contracted to expand the cell capacity for a tech conference inside. “Cells on wheels are pretty common,” said Quintin. “But they have some interesting similarities to cell site simulators, namely in that they are a portable cell that isn’t usually there and suddenly it is, and then leaves.”
In another test carried out earlier this year at the ShmooCon security conference in Washington, D.C. where cell site simulators have been found before, Quintin found two suspicious cell towers using Crocodile Hunter: One tower that was broadcasting a mobile network identifier associated with a Bermuda cell network and another tower that didn’t appear to be associated with a cell network at all. Neither made much sense, given Washington, D.C. is nowhere near Bermuda.
Quintin said that the project was aimed at helping to detect cell site simulators, but conceded that police will continue to use cell site simulators for as long as the cell networks are vulnerable to their use, an effort that could take years to fix.
Instead, Quintin said that the phone makers could do more at the device level to prevent attacks by allowing users to switch off access to legacy 2G networks, effectively allowing users to opt-out of legacy stingray attacks. Meanwhile, cell networks and industry groups should work to fix the vulnerabilities that Hailstorm devices exploit.
“None of these solutions are going to be foolproof,” said Quintin. “But we’re not even doing the bare minimum yet.”
Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: firstname.lastname@example.org
Judge Alsup said that home confinement would “[give] a green light to every future brilliant engineer to steal trade secrets. Prison time is the answer to that.”
During court proceedings today, Levandowski also agreed to pay $756,499.22 in restitution to Waymo and a fine of $95,000.
“Today marks the end of three and a half long years and the beginning of another long road ahead. I’m thankful to my family and friends for their continued love and support during this difficult time,” Levandowski said in a statement provided by his attorneys after the sentencing.
The U.S. District Attorney’s office had recommended a 27-month sentence, arguing in court today that Levandowski had committed the crime for ego or greed, and that he remained a wealthy man. Levandowski had sought a fine, 12 months home confinement and 200 hours of community service.
“It was wrong for him to take all of these files, and it erases the contributions of many, many other people that have also put their blood, sweat and tears into this project that makes a safer self-driving car,” prosecutor Katherine Wawrzyniak said in her closing statement. “When someone as brilliant as Mr Levandowski and as focused on his mission to create self driving cars to make the world safer and better, and that somehow excuses his actions, that’s wrong.”
Waymo agreed with Wawrzyniak’s statement.
“Anthony Levandowski’s theft of autonomous technology trade secrets has been enormously disruptive and harmful to Waymo, constituted a betrayal, and the effects would likely have been even more severe had it gone undetected,” a Waymo spokesperson said in an emailed statement, adding that the company echoed Wawrzyniak’s sentiment that this theft ‘erases the contributions of many.’ The spokesperson said Alsup’ decision “represents a win for trade secret laws that promote cutting-edge technology development.”
Levandowski spoke briefly on his behalf: “The last three and a half years have forced me to come to terms with what I did. I want to take this time to apologize to my colleagues at Google for betraying their trust, and to my entire family for the price they have paid and will continue to pay for my actions.”
The sentencing is the latest in a series of legal blows that have seen Levandowski vilified as a thieving tech bro, unceremoniously ejected from Uber, and forced into bankruptcy by a $179 million award against him.
And yet, Levandowski is not skulking away. Even as he faced years in prison, the maverick engineer was plotting a comeback that could see him netting upwards of $4 billion from Uber.
TechCrunch has learned that Levandowski recently filed a lawsuit making explosive claims against Waymo and Uber that, if proven, could turn his fortunes around with a multi-billion dollar payout. Whether this is a last-ditch effort by a desperate man whose career has been upended by his own poor choices or a viable claim against a double-dealing tech titan, will be up to the courts to decide.
This new lawsuit, filed as part of Levandowski’s bankruptcy proceedings, mostly focuses on Uber’s agreement to indemnify Levandowski against legal action when it bought his self-trucking company, Otto Trucking. It also includes new allegations concerning the settlement that Waymo and Uber reached over trade secret theft claims.
“No new comment on this most recent desperate filing,” an Uber spokesperson said in an email.
The quick backstory
The criminal case that led to Levandowski’s sentencing Tuesday, as well as related civil proceedings and this new lawsuit, are part of a multi-year legal saga that has entangled Levandowksi, Uber and Waymo, the former Google self-driving project that is now a business under Alphabet.
Levandowski was an engineer and one of the founding members in 2009 of the Google self-driving project, which was internally called Project Chauffeur. Levandowski was paid about $127 million by Google for his work on Project Chauffeur, according to the court documents.
In 2016, Levandowski left Google and started Otto with three other Google veterans: Lior Ron, Claire Delaunay and Don Burnette. Uber acquired Otto less than eight months later.
Two months after the acquisition, Google made two arbitration demands against Levandowski and Ron. Uber wasn’t a party to either arbitration. However, under the indemnification agreement between Uber and Levandowski, the company was compelled to defend him.
While the arbitrations played out, Waymo separately filed a lawsuit against Uber in February 2017 for trade secret theft and patent infringement. Waymo alleged in the suit, which went to trial but ended in a settlement in 2018, that Levandowski stole trade secrets, which were then used by Uber.
Under the settlement, Uber agreed to not incorporate Waymo’s confidential information into their hardware and software. Uber also agreed to pay a financial settlement that included 0.34% of Uber equity, per its Series G-1 round $72 billion valuation. That calculated at the time to about $244.8 million in Uber equity.
Startling allegations in new lawsuit
This history matters because it is at the center of this new lawsuit that Levandowski filed in July.
He claims that the terms of the Uber-Waymo settlement – which have never been made public – included an agreement that Uber would never hire or work with him again. Levandowski says that resulted in Uber also reneging on its promises to support his trucking business.
At closing of the Otto acquisition, an earnout plan would have given its owners “a percent interest of billions in profit for Uber’s new trucking business,” the lawsuit alleges. Levandowski would be made a non-executive chairman and control the new trucking business. Alternatively, Uber could decline to close on the transaction but instead grant Levandowski an exclusive license to Otto’s and Uber’s self-driving technology.
The lawsuit says that neither occurred, and that Uber “threatened to leave the transaction in limbo and force Mr. Levandowski to engage in protracted litigation to enforce his rights under the Otto Trucking Merger Agreement.” Uber then “coerced Mr. Levandowski to resign from Otto Trucking and to sell his interest in the company at a significant discount,” the lawsuit alleges.
The upshot: Levandowski believes and claims in the lawsuit that he should be awarded earnouts associated with the profits of Uber Freight — the new name of Otto Trucking — an amount that “should be at least $4.128 billion.” Uber made Uber Freight a separate business unit in August 2018. It has since set up a headquarters in Chicago and pursued an aggressive expansion even as it suffers losses. Bloomberg recently reported Uber Freight was seeking investment at a valuation of $4BN. In short, Levandowski wants the whole company.
In addition, Levandowski hopes to force Uber to pay the $179 million sum that was awarded to Google in arbitration. (Google, for its part, is keen for Levandowski to prevail. A filing it made in the new lawsuit states: “[Levandowski] cannot come close to fully repaying Google (or his other creditors) in this bankruptcy without recovering on his indemnification claim against Uber.”)
The lawsuit also contains the remarkable accusation that Levandowski may not have been the only Google employee to take the company’s self-driving car secrets with them when they left. It notes an independent expert found that Uber’s self-driving software contained problematic functions that might require it to enter into a license agreement for use of Waymo’s intellectual property.
The lawsuit claims that Levandowski did not work on software at Google or Uber, and thus “those trade secrets did not come from Mr. Levandowski, but rather a different former Google employee.” It goes on to claim that Waymo and Uber “settled issues relating to theft of trade secrets by individuals who are not Levandowski.” It does not identify any such person.
Crime and punishment
In August 2019, the U.S. District Attorney charged Levandowski alone with 33 counts of theft and attempted theft of trade secrets while working at Google. The charges disrupted Levandowski’s most recent project and prompted him to step down as CEO from a startup he co-founded called Pronto.ai that is developing an advanced driver assistance system product for trucks.
Levandowski and the U.S. District Attorney reached a plea deal in March 2020 that allowed him to avoid a protracted legal fight and a potentially lengthy prison sentence. Under the plea agreement, Levandowski admitted to downloading thousands of files related to Project Chauffeur. Specifically, he pleaded guilty to count 33 of the indictment, which is related to taking what was known as the Chauffeur Weekly Update, a spreadsheet that contained a variety of details including quarterly goals and weekly metrics, the team’s objectives and key results as well as summaries of 15 technical challenges faced by the program and notes related to previous challenges that had been overcome, according to the filing.
Levandowski said in the plea agreement that he downloaded the Chauffeur Weekly Update to his personal laptop on or about January 17, 2016, and accessed the document after his resignation from Google, which occurred about 10 days later.
In a victim impact statement, Waymo wrote that Levandowski’s “misconduct was enormously disruptive and harmful to Waymo, constituted a betrayal,” and requested that his sentence include “a substantial period of incarceration.”
With no end to the COVID-19 pandemic in sight, it is possible that Levandowski’s latest lawsuit will be resolved before he even reports to jail. He may have been sentenced as a bankrupt, but he could enter prison a billionaire.