The fear is back! Just in time for a long queasy October, the Washington Post did a ride-along with the CEO of mobile security firm Integricell, who was mapping the locations of fake cell phone towers surveilling D.C.; What they found, the Post reports, was like "a primer on the geography of Washington power."
Over a dozen counterfeit cell towers were found—as you can see on the map at left, generated by members of Integricell and ESD America, the two firms responsible for the privacy-protecting Cryptophone. (This map shows 15, but the companies say they have found 18 so far.) Tell-tale signs of these surveillance devices, according to the Post, were found near the White House, Capitol Hill, D.C.'s many foreign embassies, and the offices of several federal contractors located near Dulles International Airport.
"I think there's even more here," ESD America's CEO, Les Goldsmith, said. "That was just us driving around for a day and a half."
This past summer, in a previous (and wildly successful) publicity stunt/important public service announcement, Goldsmith released a map showing that these "interceptor" fake cell towers, known technically as IMSI catchers, appeared to be popping up near army bases all across the United States.
Also known as cell site simulators, or stingrays, IMSI catchers are computer-controlled radio transmitters designed to perform "man in the middle attacks" on mobile devices in a cellular network. They've actually been in existence since 1993, when they were first designed to steal nearby phones' International Mobile Subscriber Identities (IMSIs), an ID that can be used to request other personal information about the phone. Since then, much like you, their capabilities have expanded impressively: IMSI catchers can be used to intercept calls and SMS texts, including two-factor authentication information; They can track a phone's location; Deploy geo-targeted spam; Issue operator messages that reconfigure the phone, installing permanent backdoor mechanisms; and/or probe the phone's SIM card for its encryption key and other stored information. (All SIM cards have an encryption key; It is pretty standard.)
Readers of anti-Socialist denim entrepreneur Glenn Beck, and his personal internet website, The Blaze, learned this month that these "interceptor" towers need not actually be physical towers. (Truly doing the Lord's work, The Blaze is always willing to write charitable "explainers" for the least of our people.) And you should listen to your friends at Glenn Beck's The Blaze: IMSI catchers, have gone from being bulky car-mounted things to devices so small that they could be comfortably worn undercover like an old-school wire. This time last year, some brave soul leaked the brochures for a body-worn IMSI catcher (pictured) put out by GammaGroup: the Eurotrash makers of that odious commercial spyware package FinFisher, favored surveillance tool of repressive dictatorships and ostensible democracies alike. (Any boho chic stranger in a baggy sweater could be stealing personal data from your phone, thanks to this vest.)
Alerting users that their mobile device is being subjected to a potential attack is only part of what the CryptoPhone does, but here's how it does it: The CryptoPhone monitors three activities between itself and cellular phone towers as indicators of an IMSI catcher posing as part of its network. First, it records when a tower attempts to downshift the phone from a better-secured 3G network to the lower, less-protected 2G network. Second, it monitors when a cell tower begins requesting unencrypted communications. Third, it flags when a cell tower declines to list neighboring cell towers, in an effort to maintain its hold on the phone.
In a paper written for the Annual Computer Security Applications Conference this December in New Orleans, researchers described roughly ten suspicious activities like these that might indicate a phone is communicating with an IMSI catcher instead of a normal tower. However, one of the paper's co-authors, Adrian Dabrowski, a graduate student researcher at the SBA Research consortium in Vienna, told the Post that the simultaneous appearance of the three indicators tracked by the CryptoPhone would be enough to highly imply the presence of an IMSI catcher.
You can see the Cryptophone monitoring these in this short clip from the Washington Post, in which reporter Ashkan Soltani and Integricell CEO Aaron Turner drive the device past the Russian Embassy:
It is cute and fun—very sexy spy stuff—much like it was cute and fun last time, when ESD's CEO, Les Goldsmith, suggested that the IMSI catchers discovered outside U.S. army bases might actually be Chinese, the skullduggerous work of our superpower frenemies to the East.
And: That may be true.
A creepy thing about these fake cell phone towers is that it's almost impossible to know who or what is responsible for each specific one without capturing each specific one.
But being real for a moment: A very nontrivial amount of these IMSI catchers are almost assuredly just being run by the cops.
Local, state, and federal law enforcement have have been prancing around, abusing this technology for years now, most notably an IMSI catcher produced by Florida-based Harris Corp. called the StingRay, which has sorta become the Google or Kleenex of the industry, in that it's a brand whose market share is so immense that it often lexically overshadows the generic name for the product itself. According to the ACLU, police in Maryland and Virginia both have access to stingrays, and while it's unknown if this is also true in D.C., like: Why would anyone assume otherwise?
Pursuant to the regulatory authority of the FCC, for some godforsaken reason, the FBI has had law enforcement agencies sign nondisclosure agreements pertaining to their acquisition of stingrays, with the primary purpose of these NDAs being, near as anyone can tell, to prevent people like the ACLU from finding out when and why the StingRays have been used—or if they are being used legally. Police in Brevard County, Florida; Tuscon, Arizona and Sacramento, California have all used the NDAs as a pretext for withholding documents from the nonprofit group.
A software developer and activist named Phil Mocek, working through MuckRock, recently got his hands on one of these NDAs, specifically a copy from the local police in Tacoma, Washington. It's a quick read; Four of the six pages have been completely redacted.
The secrecy is worrisome on its own, but what little information that has emerged has only cast darker, scarier shadows on those gaps in the record. This June, the Florida branch of the ACLU released a set of internal police emails showing that the U.S. Marshalls Task Force in Tampa was asking police to seal court affidavits mentioning the use of stingrays and to file new, intentionally disingenuous affidavits listing the information obtained from stingrays as coming from "a confidential source." You don't have to be an ACLU lawyer to understand how terrible that is; It essentially prevents defendants from being able to challenge potentially unlawful, warrantless surveillance.
Even in cases where law enforcement isn't out-and-out lying about the provenance of evidence pulled with stingrays, there is the dangerous reality that there currently exists no statutory, regulatory, or constitutional frameworks to dictate how they are to be used. Fourth Amendment advocates, defense attorneys, and the rest of us, largely have no idea whether or not warrants are being pursued and granted under the veil of secrecy created by this NDA system.
Generously assuming that warrants are issued in every single case, there's still also the weird legal matter of how to view the rights of all the innocent people whose phones will inevitably be caught up in the radius of a stingray's search. About a year ago, Linda Lye, an attorney for the ACLU in Northern California, compared this to police getting a warrant to search one tenant's apartment and then searching the whole complex, because if it sounds crazy and wrong in a corporeal world analogy, you should feel free to assume it's crazy and wrong in the virtual world.
The fact that these IMSI catchers in D.C. and elsewhere could belong to the local cops, state troopers, U.S. Marshals, Secret Service agents, the FBI, CIA, Russian SVR, the Chinese, the Mossad, Saudi Intelligence, Germany BND, French BRGE, Ancient Aliens, Contemporary Aliens, run-of-the-mill cyber criminals, God, ISIS, 4chan, expensive private spooks doing corporate espionage for Japan, Iran, or Rupert Murdoch is, perhaps, one of the best reasons why the U.S. government should start rolling back the surveillance state. America can't have it both ways; It cannot have an infrastructure that is at once thoroughly exploitable by U.S. intelligence firms for sprawling, panoptical espionage, and simultaneously an infrastructure that is safe from foreign espionage threats.
Bruce Schneier's name may or may not be familiar to you. He's a veteran security researcher, frequent WIRED contributor, and the author of some of the major urtexts in our cyber security system, like Applied Cryptography and Cryptography Engineering. In a blog post this past weekend, Schneier's reaction to this Washington Post story practically sounded like he was choking back tears of rage:
We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.
This is correct.
Everyone should feel sick and tired, about this, if not completely exhausted and terminally ill.
[photo of an unmarked Chevy Van in Takoma Park, MD near D.C., modified by author, via takomabibelot under a creative commons license; other photos via EDS America/Integricel, GammaGroup, and "the police," in order of appearance; h/t the Washington Post]