Washington DC “awash” with fake cell towers

Rogue stingrays – spy kits that can track people’s locations by tricking phones into thinking they’re connecting to cell towers and which can then intercept calls and messages – have been found in Washington and beyond, the Department of Homeland Security (DHS) has confirmed.

The Associated Press reports that this is the first time the government has publicly acknowledged the presence of stingrays, possibly being used by spies and/or criminals, in the capital.

(StingRay is the brand name of an International Mobile Subscriber Identity (IMSI) locator, also known as an IMSI catcher, that’s targeted at and sold to law enforcement. The term stingray has also come into use as a generic term for these devices.)

DHS said in a 26 March letter to Oregon Sen. Ron Wyden – a politician known as a privacy hawk – that agents came across unauthorized cell-site simulators in the Washington, DC, area last year.

The letter was written in response to specific questions (PDF) Wyden asked DHS in November. In his letter, Wyden referenced how security researchers in 2014 had detected a number of IMSI catchers in the capital region that they suggested may have been operated by foreign governments.

At the time, the Federal Communications Commission (FCC) responded by establishing a task force to investigate the threat posed by foreign governments or criminals using stingrays, which are “widely available from surveillance vendors around the world,” Wyden noted. But since then, the FCC hasn’t issued any public findings or guidance.

So, Wyden wanted to know, what’s the deal? Has DHS detected foreign IMSI catchers in the capital? If so, did it report the discovery to any Congressional committees? Does the department have the technological capability to detect the catchers? Has DHS detected the devices being used in other cities?

From DHS’s response:

[T]he National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.

DHS said it’s also aware of IMSI catcher use outside the Beltway.

In a separate letter accompanying his response, DHS official Christopher Krebs, the top official leading the NPPD, added that use of IMSI catchers by malicious actors to track and monitor cellular users “is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks.”

The letter included answers to Wyden’s specific questions. As far as DHS’s technical capability to detect IMSI catchers goes, Krebs said his department doesn’t have any budget for the pricey endeavor:

NPPD is not aware of any current DHS technical capability to detect IMSI catchers. To support such a capability, DHS would require funding to procure, deploy, operate and maintain the capability, which includes the costs of hardware, software, and labor.

The Associated Press talked to Aaron Turner, president of the mobile security consultancy Integricell. He was one of the experts who conducted the 2014 sweeps that turned up the rogue stingrays. He said that little has changed since: Washington, like other major world capitals, is “awash” in unauthorized interception devices.

[Every embassy] worth their salt [has a cell tower simulator installed] to track interesting people that come toward their embassies.

Canada’s still trying to figure out who’s behind mystery stingrays found throughout its capital. Last year, after Mounties admitted to using stingrays, a CBC News investigation found that the devices had also been planted at Montreal’s Trudeau airport… and that somebody was also using IMSI catchers in the area around Parliament Hill in Ottawa.

As of October, an investigation into who was behind the planting of stingrays in Ottawa hadn’t come up with anything concrete. Instead, it revealed a lot of confusion over whether the responsible party might have been the Canadian Security Intelligence Service (CSIS), which is Canada’s electronic spy agency.

CBC quoted an email from Christiane Fox, then the assistant secretary to the cabinet:

Can we be categorical on security agencies NOT being involved?

The reply from a director at Public Safety Canada:

I don’t know that we can say that categorically.

The day after, Public Safety Minister Ralph Goodale said that it was not a Canadian agency responsible for the spying.

Interesting that the question was hard to answer, isn’t it? Interesting, but not surprising. Law enforcement has a tendency to keep its use of IMSI catchers quiet. That secretiveness was borne out by the US government swooping in to snatch mobile phone tracking records away from the American Civil Liberties Union (ACLU) in 2014.

Mere hours before the ACLU was going to review the records, the Feds seized them. US Marshals then moved the physical records 320 miles away, preventing the ACLU from learning how, and how extensively, police use snooping devices.