Civil libertarians have warned for years that authorities were spying on people with devices that imitate cellphone towers. Now, it’s the authorities who may be in the crosshairs of the same secretive technology, renewing concern about privacy safeguards.
The Department of Homeland Security found indications that cell-site simulators capable of tracking nearby phones may have been used near the White House during President Trump’s first year in office. It’s unknown who may have used one of the devices or what they collected.
But as the technology has become increasingly accessible, there’s growing awareness that spies, criminals or law-breaking activists could be pointing an international mobile subscriber identity (IMSI) catcher toward the West Wing.
DHS’ National Protection and Programs Directorate acknowledged its findings in a recent letter to Sen. Ron Wyden, D-Ore., who along with Sen. Rand Paul, R-Ky., pushed for public disclosure.
Until recently, IMSI catchers were best known for their use by local law enforcement agencies. Police signed FBI non-disclosure agreements, resulting in courtroom standoffs with judges interested in learning more. IMSI catchers commonly are known as “stingrays,” after a model manufactured by Florida’s Harris Corp. for law enforcement use.
Inside the U.S., the Federal Communications Commission has strict rules limiting the sale of IMSI catchers, said Nathan Freed Wessler, an American Civil Liberties Union attorney who for years investigated use of the technology used by police.
“The typical uses people in the U.S. have been focused on have been uses by domestic law enforcement agencies just to track and locate cellphones,” he said. “[But] there absolutely are types of IMSI catchers that can intercept the content of communications — listen in on the contents of phone calls, or intercept text messages, or watch data connections in transit. There is even the capability with some types of this technology to surreptitiously install malware.”
A few years ago, a researcher gave congressional staff cellphones for a demonstration — then played back the content of their conversations.
Although it would be a crime to use an IMSI catcher to surveil neighbors or the president, it’s possible to purchase the devices from various overseas sources. The China-based, eBay-style marketplace Alibaba is the best-known source — several options are available on the site.
A $1,800 machine listed on Alibaba, made by the German company PKI, looks like an over-sized Internet router. It ships from Guangdong with an antenna and a laptop loaded with software. A larger model starting at $15,000 can fit in a laptop bag and ships from Hong Kong.
Russia-based Intercept Monitoring Systems, meanwhile, has many options, including a portable IMSI catcher that looks like a walkie talkie and “allows conducting close-up operations covertly.” The battery lasts 3.5 hours.
A representative of Intercept Monitoring Systems told the Washington Examiner the firm disables call, text and location-tracking functions for private buyers, but that the systems, starting at $65,000, still are useful for tracking shopping center traffic, or for blasting advertising messages to people within range.
The Chinese vendors did not respond to inquires.
Most new cellphones in the U.S. default to connecting to relatively secure 4G network towers. Surveillance devices that can pretend to be a 4G tower are expensive. Less-expensive IMSI catchers work by jamming 4G and 3G towers, which use different frequencies, forcing cellphones to instead connect to a fake 2G network.
Regulators have a variety of steps they could take to reduce risk, experts say, including FCC mandates affecting phone companies.
The FCC could direct carriers to use strong encryption by default for text messages and calls, or could force companies to modify new phones so they don’t support 2G, according to a cellular surveillance expert who asked not to be identified because they are involved in governmental review of policy options.
If the FCC mandated that new phones not work on 2G networks, it would create clear drawbacks, including reduced phone access in rural areas of the U.S. or in foreign countries. More limited alternatives would include a toggle option to block 2G towers in urban areas.
In another possible step, federal agencies could block importation of IMSI catchers from countries such as China, the expert said.
“The reason we’re even having this conversation is the FCC hasn’t forced phone companies to harden the security of their networks,” Wessler said. “There’s a policy and regulatory side to this. At the end of the day, it’s not just the president’s phone calls that are susceptible to eavesdropping. Potentially, it’s anyone who’s using the cellphone network.”
A spokesman for the FCC declined to comment.
Wessler said that without government action, “the best thing that a person can do is communicate using encryption” with applications such as Signal, which allows users to swap end-to-end encrypted messages and calls with other Signal users. Most people default to their phone’s standard messaging and calling applications, which are vulnerable to interception.
Concern about possible surveillance near the White House was augmented by President Trump’s reported phone habits. Politico reported last month that Trump uses two iPhones — one for tweets and another for calls. His phone for calls, which is periodically replaced, reportedly has a camera and microphone, though its GPS-tracking function is disabled.
“The news of a possible foreign stingray near the White House is of particular concern given reports that the President isn’t even using a secure phone to protect his calls,” Wyden said in a June 1 statement, calling for “the FCC and this administration to act immediately to protect American national security.”
The actual degree of any surveillance targeting the White House is unclear. In its letter to Wyden, DHS said some signals were determined to come from legitimate cellphone towers.
Piers O’Hanlon, a researcher who demonstrated last year, while working at Oxford University, that special IMSI catchers can track phones that use Wifi, said “IMSI catchers are now fairly easily available.” He said the available technologies could be bad news for people carrying cellphones around the White House.
The Wifi-based hack that O’Hanlon demonstrated can track the location of phones when they aren’t actively communicating, though it has not been shown to be capable of intercepting content. With a range of a few hundred meters, however, anyone who got one onto the White House grounds — for example, to press offices in the West Wing — would be within range of the Oval Office and presidential residence.
“It’s possible that individuals of interest could potentially be tracked in and around the White House, depending on how well they have secured their communications airspace,” O’Hanlon said.
