
The US Department of Homeland Security (DHS) has acknowledged for the first time that cellphone surveillance equipment may have been deployed in the nation’s capital by foreign actors seeking to track cellphones and potentially intercept calls and messages.

In a March 26th letter to Sen. Ron Wyden, Democrat of Oregon, DHS acknowledged it has not determined the type of device used or the identity of the persons who may be operating it, but said it has detected “anomalous activity” consistent with cell-site simulator use.

Cell-site simulators, sometimes called “Stingrays” after one of the more popular models produced by the Harris Corporation, are a type of phone-surveillance technology used by police throughout the United States. Roughly the size of a suitcase, they are capable of tracking cellphones and may also be used in some cases to intercept the content of calls, text messages, and other forms of data.

They are also known as “IMSI catchers” because they track suspects by identifying a cellphone’s unique International Mobile Subscriber Identity number.

Cell-site simulators were previously deployed by US troops in the Middle East but were later modified for domestic law enforcement use. The Federal Bureau of Investigation, the US Marshals office, and the Secret Service are known to employ cell-site simulators; however, today they are used in secret at almost every level of law enforcement.


Asked by Wyden in November if DHS had detected evidence of “foreign IMSI catchers” operating in the Washington, DC, area, DHS replied:

The Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region (NCR) that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers. NPPD has not validated or attributed such activity to specific entities or devices. This information was reported to our Federal partners at the time it was observed.

Although it said the reports had not been verified, the NPPD, a DHS component that specializes in eliminating threats to the nation’s critical physical and cyber infrastructure, further acknowledged that it was also aware of “anomalous activity” outside the DC area “consistent with IMSI catchers.” The agency added that it lacked the funding to “procure, deploy, operate, and maintain” the technical capability to detect cell-site simulators targeting phones on modern 4G/LTE networks.


In a letter to Wyden, DHS official Christopher Krebs said that the use of cell-site simulators by malicious actors “threatens the security of communications, resulting in safety, economic, and privacy risks.”

Wyden told Gizmodo in a statement that leaving phone companies to safeguard Americans’ private information had proved “disastrous,” and that stronger encryption was needed to protect against these forms of attack. “Despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers, FCC Chairman Pai has refused to hold the industry accountable and instead is prioritizing the interests of his wireless carrier friends over the security of Americans’ communications,” Wyden said.

How cell-site simulators operate

Cell-site simulators work by emulating base transceiver stations, commonly known as “cell towers.” When activated, nearby phones will automatically connect to these devices due to an inherent functionality: All cellphones are programmed to constantly seek out the nearest cell tower to preserve battery power. (The further the cell tower, the more signal strength is required.)


To function, modern cell-site simulators must perform a series of complex protocols to trick cellphones into establishing a connection. In the old GSM networks, a phone only had to authenticate itself to a cell tower, proving that it was a device authorized to be on the network. Modern LTE networks, however, require two-way authentication. In other words, cell-site simulators today must reciprocate by performing a “handshake” that tells a connecting cellphone they are a real cell tower.

Due to this function, it is fair to classify modern cell-site simulators as phone hacking devices. Most devices come equipped with a handheld apparatus that allows them to zero in on phones by measuring a cellphone’s signal strength.
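As an added illustration (not from the article, DHS or any vendor), the following Python sketches two indicators a detection capability of the kind NPPD describes might look for, based on the behaviour explained above: an unknown cell that overpowers the surveyed towers (winning the phone’s strongest-signal selection), and a fall-back from LTE to GSM, which only has one-way authentication. The log format, cell IDs, baseline and thresholds are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class CellObs:
    ts: str
    rat: str        # radio access technology: "LTE" or "GSM"
    cell_id: str    # hypothetical "mcc-mnc-cellid" string
    signal_dbm: int

# Constructed baseline: cell IDs recorded during an earlier survey of the area.
BASELINE = {"310-410-0A1B2C", "310-410-0A1B2D", "310-410-0A1B2E"}

# Constructed log: lines 3-4 model an unknown, overpowering cell, then LTE->GSM.
SAMPLE_LOG = [
    "2018-03-26T10:00:00 rat=LTE cell=310-410-0A1B2C signal=-97",
    "2018-03-26T10:00:05 rat=LTE cell=310-410-0A1B2D signal=-101",
    "2018-03-26T10:00:10 rat=LTE cell=310-410-FFFF01 signal=-60",
    "2018-03-26T10:00:15 rat=GSM cell=310-410-FFFF01 signal=-58",
]

def parse_line(line: str) -> CellObs:
    """Parse 'TS rat=... cell=... signal=...' into a CellObs."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return CellObs(ts, kv["rat"], kv["cell"], int(kv["signal"]))

def detect(lines, baseline=BASELINE, margin_db=15):
    """Return (timestamp, indicator, cell_id) tuples. Indicator 1: a cell not in
    the baseline beating the strongest baseline cell by >= margin_db (a simulator
    wins the phone's strongest-tower selection). Indicator 2: LTE -> GSM while a
    baseline cell is still strong (GSM lacks LTE's mutual authentication)."""
    findings, flagged, strongest_known, prev = [], set(), None, None
    for line in lines:
        obs = parse_line(line)
        if obs.cell_id in baseline:
            if strongest_known is None or obs.signal_dbm > strongest_known:
                strongest_known = obs.signal_dbm
        elif (strongest_known is not None and obs.cell_id not in flagged
              and obs.signal_dbm - strongest_known >= margin_db):
            flagged.add(obs.cell_id)
            findings.append((obs.ts, "unknown-cell-strong-signal", obs.cell_id))
        if (prev is not None and prev.rat == "LTE" and obs.rat == "GSM"
                and strongest_known is not None and strongest_known > -110):
            findings.append((obs.ts, "lte-to-gsm-downgrade", obs.cell_id))
        prev = obs
    return findings
```

Both heuristics produce false positives on ordinary network changes (a new legitimate tower, poor LTE coverage), so a real detector would correlate them over time and across several phones rather than alert on a single observation.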

Once connected to the simulator, phones lose the ability to send or receive calls and text messages. This is known to cause blackouts that last as long as the device is active. Tests performed by the Royal Canadian Mounted Police in 2016 showed that safeguards intended to allow bystanders to make emergency calls often failed to work properly. For this reason, Canadian authorities limited the use of cell-site simulators to 3-minute intervals.


In the US, the use of the devices is a highly guarded secret. State and local law enforcement agencies typically sign a non-disclosure agreement with the FBI whenever they procure one. Federal grants are often used by smaller agencies to obtain the device—some are known to cost upwards of $200,000.

The measures US authorities take to conceal their use are extreme. In fact, US Marshals once seized records from a Florida police department to prevent documentation about cell-site simulators from falling into the hands of the American Civil Liberties Union, which had requested them under public records law.

What’s more, the Department of Justice often coaches state and local law enforcement on how to avoid disclosing details about cell-site simulator capabilities when seeking a warrant for their use, typically by classifying them in warrant applications as a “trap-and-trace/cell-site simulator.” This may distort a judge’s perception of the device’s capabilities, concealing its true nature, which is both invasive and disruptive to bystanders. (A trap-and-trace device is more or less a sophisticated caller ID for identifying a suspect’s incoming calls.)


Warrants obtained by agencies generally require non-essential data to be deleted once use of the device is no longer needed to track a specific suspect.

The devices shared with state and local agencies are thought to be far more limited than those used by federal agencies, though the hardware is likely similar. The version used by the FBI for example may be capable of intercepting not only the caller’s metadata—phone numbers, locations, and times of calls—but the content of calls, messages, and other types of transmitted data as well.

Advanced versions of the device constructed by researchers have been capable of far more dangerous attacks, including malware injection. They may also force devices to transmit fake reject messages, booting them from cellphone networks for up to 72 hours. It may also be possible to intercept the precise GPS coordinates of a cellphone by forcing it to quietly transmit a signal reserved for emergency services.


At present, there’s no evidence of law enforcement using these advanced capabilities domestically, though researchers have easily duplicated this functionality using homebrewed devices in overseas tests.