GOS and stingrays

GeorgeSoros

Does GoS provide extra (or any) protection against stingray/dragnet equipment?

GrapheneOS

GeorgeSoros It doesn't place trust in the network and doesn't even trust it to obtain the time like the stock OS. We strongly recommend using end-to-end encrypted messaging apps and avoiding carrier-based calls and texts so you're not trusting the network with them. We recommend only thinking about our 4G-only feature as an attack surface reduction feature and not treating it as providing any protection against interception which is not the purpose and it cannot do much to resolve how weak cellular encryption/authentication is for that purpose. Interception can also be done through the network itself by people with access to it or governments able to exert control over it. Lawful interception support is built into the design of cellular and there's little to stop any of it being abused for unlawful purposes too.

OutbackJack

GeorgeSoros
Disabling 2G will negate 2G Stingrays.
Settings > Network and internet > SIMs > (your SIM name) > Allow 2G - OFF

Adding a "Private DNS provider hostname" will negate mailicious DNS servers.
Settings > Network and internet > Private DNS > Private DNS provider hostname. I use "security.cloudflare-dns.com" (without the quotes)

If a malicious actor has SS7 access there's nothing you can do.

GeorgeSoros

GrapheneOS thanks, so GoS would send back scrambled data to the device, or would the stingray device not receive anything since GOS doesn't trust the dragnet's network?

de0u

GeorgeSoros Then why did grapheneos say this: " It doesn't place trust in the network and doesn't even trust it to obtain the time like the stock OS."

That post contains other important material, including:

GrapheneOS We strongly recommend using end-to-end encrypted messaging apps and avoiding carrier-based calls and texts so you're not trusting the network with them.

...and:

GrapheneOS Lawful interception support is built into the design of cellular and there's little to stop any of it being abused for unlawful purposes too.

I would say that GrapheneOS tries to avoid placing trust in the cellular network, but does not stop users from using it and exposing themselves to the normal consequences of using it. Aside from cellular location tracking, the project is transparent about Wi-Fi calling detouring around Android VPNs. I also think the forum moderators have been repeatedly clear that the way to avoid normal cellular location tracking is to turn the cellular modem off via airplane mode.

A general "stingray defense" for cellular devices isn't feasible, so naturally GrapheneOS doesn't provide one (aside from turning the cellular modem off via airplane mode).

Probably9857

GeorgeSoros
No. A stingray would see exactly the same data that a regular cell tower would see. GrapheneOS would not be able tell the difference.

GeorgeSoros

Probably9857 No. A stingray would see exactly the same data that a regular cell tower would see.

Then why did grapheneos say this: " It doesn't place trust in the network and doesn't even trust it to obtain the time like the stock OS."

Making it seem otherwise?

What's the truth?

p338k

GeorgeSoros
It doesn't trust the regular cell networks.

Probably9857

GeorgeSoros Then why did grapheneos say this: " It doesn't place trust in the network and doesn't even trust it to obtain the time like the stock OS."

Well...I would have stated that a little differently.

GrapheneOS doesn't trust the network any more than necessary, while still giving you the ability to use the network if you choose to do so.

The fact is, that cellular networks are inherently insecure, and simply by connecting to it you are likely to be identifiable (unless you have very good opsec), you will definitely be trackable, and if you use voice calls or SMS your communications can be intercepted.

All of that is true, regardless of whether you are connecting to a stingray or a normal cell tower. The only difference is, "by whom?"

spamrisku2jqqrfh

Integrating something like https://f-droid.org/en/packages/de.srlabs.snoopsnitch/
would still be handy

de0u

spamrisku2jqqrfh I would be surprised if the GrapheneOS developers were to ship an app in this class.

But this particular one is GPLv3, which the developers have previously said they view as incompatible with the project's goals.

spamrisku2jqqrfh

I guess I'll carry a mobile hotspot instead then

SgtSurehand

spamrisku2jqqrfh and through that mobile hotspot you will connect to the very same network. What difference will it make?