A slew of federal agency heads and the nation’s top intelligence official are being pressed to respond to what one influential senator is calling an “abysmal failure” by the U.S. government to defend its own employees from unauthorized cellphone surveillance.
“It has been a matter of public record for decades that phones can be tracked and calls and text messages intercepted using a device called a cell site simulator, which exploits long-standing security vulnerabilities in phones by impersonating a legitimate phone company’s cell towers,” Sen. Ron Wyden wrote Thursday in a letter to the director of national intelligence; heads of the FBI and CISA—the agency charged with defending critical systems; and the presumptive next chair of the Federal Communications Commission.
“While the threat posed by this technology has been clear for years,” Wyden wrote, “the U.S. Government has yet to meaningfully address it.”
Among other concerns in the letter, both the Departments of State and Defense have confirmed to Wyden’s office, he said, “that they lack the technical capacity to detect cell site simulators in use near their facilities.”
Cell-site simulators are cellphone surveillance devices that can sometimes fit in a suitcase and effectively hack phones remotely by exploiting a number of common design features. One such feature is the tendency hardcoded into a cellphone to always seek out the cell tower that’s emanating the strongest signal. While this is crucial to saving battery power and ensuring calls are properly routed, it can also be a critical weakness. By transmitting an even stronger signal—or in the case of LTE networks, on a higher priority frequency—cell-site simulators can force nearby phones to drop their connections to real networks and connect instead directly to the simulator.
This kind of attack is not as easy as it used to be. The “handshake” between a phone and a cell tower is a multi-step protocol, which the simulator must emulate perfectly. Older technology standards, such as 2G, require fewer steps. On a 2G network, for example, cell towers will always act to verify that a phone is authorized to join a network; the phone, however, does not require such proof of the tower. Thus, another common attack relies on the capability of impersonating a service provider and then spoofing a secret message telling the phone it’s not permitted on newer networks with better security. Downgrading the quality of the connection may grant the attacker greater power over the device—including the ability to intercept actual conversations.
Cell-site simulators, also known as “IMSI catchers,” are more commonly called “stingrays” (after a well-known model once widely purchased by U.S. law enforcement). Previous models sold to local police agencies have included software that inhibit advanced features like call interception while still permitting phone tracking. Phones can be tracked within an area the size of an apartment bedroom with the use of a radio direction-finding antenna. Home-brew devices built by researchers for around $1000 have demonstrated a broader range of capabilities, such as malware injection and denial-of-service attacks that force networks to reject devices for up to 72 hours. Federal authorities like the U.S. Marshals Service have mounted stingray-like devices called DRT (the “dirt box”) made by a Boeing subsidiary to aircraft, which allows for the tracking of up to 10,000 targets.
Among other calls to action—such as requiring federal workers to use end-to-end encryption for messages and calls—Wyden has asked the FCC to require phone manufacturers to include an easy method whereby consumers can disable their phones’ support for 2G and 3G networks. (Questions from Gizmodo sent Wednesday about whether the FCC supported this idea have so far gone acknowledged.)
Stingrays, which are widely in use by U.S. law enforcement, are controversial because they work by forcing connections with up to thousands of phones simultaneously. Hunting for a single criminal’s phone, therefore, means also finding the phones of basically anyone within a few hundred meters; the acquired location data is harvested and stored under rules that lack any measure of public oversight. But the effects of these attacks on bystanders are not limited to violations of their privacy. They can also rapidly drain phone batteries, potentially impacting safety in an emergency, and past demonstrations have shown they can also create blackout zones, hindering bystanders from placing calls, even to police.
Another downside is that the devices are also cheap and easy to assemble. Software to carry out the attacks is also not difficult to code, relying entirely on knowledge of cellular equipment and network protocols that are easy to research online. Researchers in the past have assembled devices for as little as $1,000, and have been able to carry out sophisticated attacks beyond the power of those licensed by state and local agencies. In recent years, international vendors have marketed versions small enough to wear undetected, allowing them to slip into the middle of a protest, for example, without raising alarm.
Tests conducted by the Department of Homeland Security around the Washington, DC, metropolitan area as recently as 2017 detected signals consistent with stingray technology, heightening concerns among national security experts and lawmakers such as Wyden about the potential for criminals and spies to track and launch attacks on federal employees serving in sensitive areas of the government.
“After consecutive administrations failed to address this counterintelligence threat, President Biden now has the opportunity to finally secure America’s phone networks,” Wyden added, calling specifically on the FBI and the director of national intelligence to deploy “counter-surveillance sensors” around sensitive government installations, including overseas consulates, embassies, and military bases.
A section of the National Defense Authorization Act, the law authorizing the nation’s defense budget, empowers the national intelligence director and the FBI to undertake efforts to identify rogue stingray devices, whether operated by criminals or hostile foreign governments, and to develop countermeasures against them.
The existence of stingrays was first brought to light in earnest in 2011—bizarrely by a man in prison for tax fraud. (Similar devices were known to the public well before then, such as the Triggerfish, famously used to catch fugitive hacker Kevin Mitnick in 1995 and featured in a 2003 episode of The Wire.) By that time, it was learned, stingrays had already been in use by federal, state, and local law enforcement agencies for nearly a decade. This closely guarded secret was maintained for years through the collaborative efforts of, among others, the CIA, Justice Department, and U.S. Marshals Service.
The government undertook considerable steps to prevent knowledge of the devices from leaking—going as far as to provide police departments with templates for writing warrant applications that obscure the device’s capabilities and the risks they pose to bystanders from the very judges authorizing their use. In one infamous case, marshals effectively raided a Florida police department in 2014 and seized any records related to the use of stingrays; an effort to stop lawyers at the American Civil Liberties Union (ACLU) from obtaining the information legally under Florida’s notably liberal open records statute.
Gizmodo reported last year that Harris Corporation, the maker of the notorious “StingRay” device, had discontinued sales of its surveillance equipment to local police departments, opening a gap in the marketplace. It was quickly filled by a Canadian company called Octasic, which exports cell-site simulators to a police vendor in North Carolina.
“The government has long acknowledged that Americans’ privacy is at risk because of known vulnerabilities in the security of our cell phone network,” said Nathan Wessler, deputy project director of ACLU’s speech, privacy, and technology project. “These vulnerabilities allow malicious hackers and spies to intercept information about the movements and sensitive communications of anyone, including federal employees. They are also exploited by police to track people’s phones in investigations. ”
Wessler added: “The federal government could have mandated fixes to cellular network security that would protect all of us—including civil servants engaged in sensitive work—from surveillance. Instead, the government has let the problem fester, making the self-defeating choice to privilege its own desire to engage in surveillance over the pressing need to protect federal employees and other Americans from being spied on. It is high time to fix these problems once and for all.”
The State Department said in an email that its Diplomatic Security Service works to ensure a safe and secure environment conducive to diplomacy, including by deploying technical surveillance countermeasures. The department does not publicly comment on specific security matters.
DNI and the FBI did not respond to requests for comment.
Pentagon spokesperson Lt. Col. Uriah Orland said that surveillance countermeasures and knowledge of mobile device vulnerabilities are constantly drilled into service members and civilian employees and contractors. “The rapid emergence of technology requires constant refinement of policies and procedures to enhance [operational security] and the protection of information. We are continually adapting to new technologies and adjusting our policies accordingly to fulfill our mission to defend the nation,” he said.
The Department of Homeland Security (DHS) first acknowledged detecting tell-tale signs of rogue stingrays around the Washington, DC, area in March 2018; “anomalous activity,” that DHS said was “consistent with IMSI catchers.” The disclosure came in a letter to Wyden from Christopher Krebs, then the acting head of DHS’s main cybersecurity unit. Krebs, who today runs a private security firm, added that DHS was further aware of suspicious signals being detected outside of the Capitol region.
According to the letter, the DHS unit—which gained new authorities months later and was renamed the Cybersecurity and Infrastructure Security Agency (CISA)—agreed “that the use of IMSI catchers by foreign governments may threaten U.S. national and economic security.” In the hands of “malicious actors,” rogue stingrays pose a further threat, Krebs said, to “the security of communications, resulting in safety, economic, and privacy risks.”
It was then revealed that a separate DHS unit, charged with monitoring threats to the nation’s emergency communications, had given a briefing about potential stingrays in the wild to various federal agencies that year. Wyden and four other senators demanded that the presentation, which had not been classified, be made available to the public. After DHS refused, Wyden responded by blocking Krebs’ nomination to lead its cybersecurity protection division.
The tactic appears to have bore fruit.
After a meeting with Krebs in May 2018, Wyden withdrew his objection—but not before Krebs produced a second letter shedding even more light on the government’s belief that rogue surveillance devices had been activated around the capital. Krebs disclosed that over an 11-month period in 2017, his unit had conducted a “limited pilot program” that involved deploying sensors around the DC metropolitan area. The goal, he said, was to “identify and better understand potential IMSI catcher activity.”
While Krebs reiterated that DHS had observed signals seemingly originating from one or more stingrays—including at locations “in proximity to sensitive facilities like the White House”—it was ultimately unable to verify their source. “Some” of the signals, he said, counterintelligence officials had determined “were emanating from legitimate cell towers.”
What’s more, Krebs revealed that the DHS briefing about the signals had been presented before a mobile security “tiger team” operating under the auspices of a council comprised of chief information officers from dozens of U.S. agencies. DHS’s reluctance to openly share the presentation publicly stemmed from it not containing any “final, validated assessment.” The presentation, he said, contained only “pre-decisional information.” (The government routinely keeps secret unclassified information comprised of opinions and recommendations under the argument that secrecy promotes “open, frank discussions on matters of policy.”)
Nevertheless, the ACLU managed to acquire the presentation, though with heavy redactions, after suing Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) last year under the Freedom of Information Act. “There can’t be accountability without transparency,” the group said. “The release of these records—albeit with redactions—provides some helpful insights into what was previously an extremely secretive surveillance practice.”
Added the ACLU: “We know that despite claiming not to use Stingrays for civil immigration enforcement, ICE does use the technology in its ever-expanding category of ‘criminal’ immigration investigations, including arrests for the crimes of illegal entry and reentry. And although the requirement to get a warrant is positive, we still don’t know what the agency believes qualifies as an ‘exigent’ or ‘exceptional’ circumstance that lets agents avoid the warrant requirement. Those are just a few of the outstanding questions.”
An attempt to reach Krebs on Wednesday via the company he founded this year with former Facebook security chief Alex Stamos was unsuccessful.
A spokesperson for CISA declined to answer any questions. The agency, which was founded to streamline cybersecurity enhancements throughout the government, declined to say whether safeguarding federal workers from rogue stingray attacks was within its power or purview.
Correction: A prior version of this article mistakenly said IMSI catchers were “first brought to light” in 2015. This was a typo. IMSI catchers, which are distinct from other cellphone surveillance technology known to the public in the 1990s, first became the subject of public reporting in 2011.