Last week, the Department of Homeland Security confirmed for the first time that it is aware of unauthorized cell-site simulators, the surveillance tools often called stingrays or IMSI Catchers, in various parts of Washington DC.
While it’s not surprising that foreign intelligence groups or criminal actors would be cell-snooping in the nation’s capital, the DHS statement is the first US government acknowledgement that sensitive political communications, not to mention those of anyone in DC, are at risk of interception by devices that are currently unaccounted for. In spite of this step, though, observers find it unlikely that any group will move to defuse the threat in the foreseeable future.
The DHS statement came in the form of a response to senator Ron Wyden, who had inquired about rogue cell-site simulators in a November letter. DHS acting undersecretary Christopher Krebs wrote, “Use of IMSI catchers by malicious actors to track and monitor cellular users is unlawful and threatens the security of communications, resulting in safety, economic, and privacy risks. … Overall, [DHS’s National Protection and Programs Directorate] believes the malicious use of IMSI catchers is a real and growing risk.” The agency added that NPPD “has observed anomalous activity in the Nation Capital Region that appears to be consistent with IMSI catchers. NPPD has not validated or attributed such activity to specific entities or devices.”
After the DHS admission, three ranking House members sent a letter to the Federal Communications Commission on Thursday, demanding that the FCC “take immediate action under federal law to address the prevalence of what could be hostile, foreign cell-site simulators—or stingrays—surveilling Americans in the nation’s Capital.” But that seems unlikely, to say the least, thanks to how stingray devices are used—and by whom.
Cell-site simulators, called IMSI catchers because they capture devices’ International Mobile Equipment Identity codes, masquerade as legitimate mobile network cell towers to trick nearby cell phones into connecting. Once linked, they can track a cell phone’s location, or even surveil its messages and phone calls.
‘We can try to legislate the use of the technology, but criminals have access to it and they are going to use it.’
Ang Cui, Red Balloon
They’re powerful tools that leverage flaws in wireless network protocols and cell phone software. And while the telecom industry could significantly reduce their efficacy by plugging holes in various wireless standards, incentives to do so are mixed. In the US and around the world, law enforcement and intelligence agencies use stingrays for investigations, often under opaque circumstances. Which may explain DHS reticence to this point: While rogue cell-site simulators like those in Washington are a potential national security threat, the US government uses those very same tools.
“The law enforcement and intelligence communities want to have their cake and eat it too,” says Cooper Quintin, a staff technologist at the Electronic Frontier Foundation. “They want a way to stop a so-called ‘bad guy’ from using IMSI catchers, while still allowing ‘good guys’ to use them.”
Quintin and others argue that if law enforcement and intelligence agencies encouraged the telecom industry to fix the vulnerabilities that facilitate stingray surveillance, they could still use legally obtained warrants and their relationships with telecoms to obtain information about specific devices. Stingrays wouldn’t be nearly as effective, but law enforcement could maintain many of the same investigative capabilities—using channels bad actors can’t access.
“This was very expensive, controlled technology a decade ago, but today a motivated hobbyist can pull it together using open source software and hardware with a few hundred dollars,” says Ang Cui, CEO of the internet of things security firm Red Balloon. “We can try to legislate the use of the technology, but criminals have access to it and they are going to use it. The real solution is to build technology that mitigates against IMSI catchers and stingrays.”
In practice, though, it seems that the desire to preserve this shady surveillance capability has outweighed the risks. “Unfortunately, I think there’s going to be an impasse for a long time,” says EFF’s Quintin. “But we as constituents need to make the case to our representatives that the risk to public safety and national security is far greater than the bit of tracking that police get from using these technologies.”
Watching the Detectives
Even if DHS wanted to do something about DC’s stingrays, it would have a difficult time. DHS claimed in its recent statements that it doesn’t have the technology to consistently detect the devices, or financial means to acquire or develop this capability. And while some researchers have made progress on developing stingray-sniffing techniques, technologists agree that it is still a hurdle.
“It’s often challenging to determine whether something you’re detecting is an anomaly, a fluke of the cellular system or radio physics, or whether it’s actually an IMSI catcher,” Quintin says. “And then it’s even harder to do attribution. Who is running this IMSI Catcher? Where is its signal coming from? It’s actually not a super easy problem to solve.”
‘It’s actually not a super easy problem to solve.’
Cooper Quintin, EFF
The number of foreign embassies in Washington, DC is also a hurdle, because these institutions operate with impunity on sovereign soil. It is difficult to police what goes on inside those walls. Other agencies that could crack down on rogue cell-site simulators have also been hesitant to do so. FCC spokesperson Neil Grace told WIRED that the Commission, “continues to monitor any developments for IMSI devices. The FCC’s only role is certifying whether these devices meet our requirements for controlling radio interference and emissions. … The FCC does not have jurisdiction relative to the legal authorization for use of the devices.” But the ranking House members who demanded that the FCC act dispute this characterization. Likewise, Senator Wyden said this week, “Despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers, FCC Chairman Pai has refused to hold the industry accountable.”
For now, citizens in Washington DC and around the country can only go about their business knowing with increased certainty that their cell phones are at risk of surveillance by rogue cell-site simulators. On some devices, users can turn off their 2G and 3G connections as a way of reducing the number of stingrays that will be able to interact with their device, because IMSI catchers targeting 4G are still less common. But not all mobile devices offer this feature or even the options to access these controls. “Making software on cellphones more resilient to rogue towers and IMSI catchers is a good way to go,” Red Balloon’s Cui says. “But getting the software update on all the old phones is hard, and it won’t stop IMSI catchers a hundred percent.”
The only other consolation is that stingrays have geographic limits. Though some can scan up to a mile radius, most are fairly localized. But even this isn’t much consolation in Washington, where embassies and government buildings are everywhere.