Seven Years After Discovering Rogue Stingray Devices In DC, The Federal Gov't Still Doesn't Have Any Idea What To Do About It
from the tfw-when-you-love-surveillance-way-more-than-countersurveillance dept
Seven years ago, wardriving security researchers discovered rogue cell tower simulators being operated near sensitive locations in Washington, DC, presumably by foreign governments.
The company used their ultrasecure CryptoPhone 500 to search for the interceptors, which can compromise phones through baseband hardware and are believed to have a range of roughly 1 mile. ESD America's phones allegedly detected telltale signs of call interception in the vicinity of the White House, the Russian Embassy, the Supreme Court, the Department of Commerce, and the Russell Senate Office Building, among other landmark buildings.
Three years later, Senator Ron Wyden sent a letter to DHS Undersecretary Christopher Krebs, asking him to look into this report. The DHS was told to find out where these were located, who was running them, whether the DHS was already aware of this problem, and what, if anything, the DHS planned to do about it.
The answer -- arriving four months later -- was "not much." The DHS agreed the possible use of Stingray-type devices by foreign operatives was indeed the sort of thing it should be concerned about (what with it being in the business of securing the homeland), but didn't appear to believe it should do much about it itself. It said it had detected several devices during a 90-day operation using ESD America equipment, but had no staffing or funding to do anything more than confirm what ESD America had discovered four years earlier.
Another three years have passed and nothing has changed but the list of federal entities that are apparently unable to do anything about these obvious threats to national security. Dell Cameron has the latest on the federal government (in)activity for Gizmodo:
“It has been a matter of public record for decades that phones can be tracked and calls and text messages intercepted using a device called a cell site simulator, which exploits long-standing security vulnerabilities in phones by impersonating a legitimate phone company’s cell towers,” Sen. Ron Wyden wrote Thursday in a letter to the director of national intelligence; heads of the FBI and CISA—the agency charged with defending critical systems; and the presumptive next chair of the Federal Communications Commission.
“While the threat posed by this technology has been clear for years,” Wyden wrote, “the U.S. Government has yet to meaningfully address it.”
Among other concerns in the letter, both the Departments of State and Defense have confirmed to Wyden’s office, he said, “that they lack the technical capacity to detect cell site simulators in use near their facilities.”
"For years." That's the problem here. The threat to national security has been at least implied since 2014, when security researchers discovered cell site simulators that didn't appear to be operated by US agencies. That so many were clustered around sensitive areas of Washington DC suggested surveillance by inappropriately curious, if not actually malevolent, foreign agents or operatives.
And the tech itself is no secret either. Not only are Stingray devices widely used by US government agencies, they're also widely used by foreign governments -- many of which have no legal or moral compunction preventing them from using them as more than phone-tracking devices. The devices can also intercept communications and create attack vectors for cellphone-targeting malware. This is the sort of thing that should have been more than shrugged at by federal agencies.
And it doesn't take a government to get this dirty work done. Individuals and members of extremist groups can knock together cell tower simulators on the cheap -- powerful tools that don't rely on a support team of techs or a nondescript host vehicle to engage in tracking, eavesdropping, or hacking.
Researchers in the past have assembled devices for as little as $1,000, and have been able to carry out sophisticated attacks beyond the power of those licensed by state and local agencies. In recent years, international vendors have marketed versions small enough to wear undetected, allowing them to slip into the middle of a protest, for example, without raising alarm.
While it's true the government's offensive options might be limited, as attempts to knock out unknown cell site simulators might result in cell service disruptions in the immediate area, that doesn't mean the government is unable to mount a better defense.
Wyden's letter [PDF] asks who, if anyone, is actually in charge of this problem. While there may be no perfect agency to oversee the security of phone networks, one agency needs to step up and assume some responsibility while the details are sorted out. His letter hints that the FCC may be able to assist here.
If it can't oversee the entire process, it could at least impose requirements on cell phone providers that would make phones less susceptible to tracking and interception by these devices. Wyden suggests making it easier for phone users to turn off 2G and 3G on their handsets, and phasing out support for those networks entirely, since they are the ones cell site simulators exploit most easily: 2G in particular never authenticates the network to the phone, so a handset has no way to tell a simulator from a real tower, and a simulator only has to make the newer networks unavailable nearby to push phones down onto it.
Wyden also suggests something practical that could be implemented quickly and at minimal expense: encrypting all voice and text communications by federal employees above the cellular layer (the link encryption a phone negotiates with a tower is exactly what a simulator strips away), which would leave a Stingray with nothing useful to intercept. It would not stop the devices from tracking those phones, since a simulator still learns which handsets are nearby, but it takes the content of calls and messages off the table.
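As an added illustration of what "detecting" a cell site simulator actually involves (this is example code, not from the post, Wyden's letter or ESD America), here is a small Python detector that applies the heuristics IMSI-catcher detection tools commonly rely on to a log of serving-cell reports: a cell the operator is not known to run, a drop to 2G while 4G coverage is still visible, 2G with the null cipher A5/0, a new location area that forces the phone to re-identify itself, and an implausibly strong signal. The `Observation` fields, the operator whitelist and the log are all constructed sample data; a real deployment would feed it baseband reports and an operator-supplied cell list.

```python
"""Toy rogue-base-station (cell site simulator) detector.

Illustrative example, not part of the original article. The heuristics
are the ones IMSI-catcher detectors commonly use; the data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    """One serving-cell report from the phone's baseband (fields assumed)."""
    t: int             # seconds since start of the capture
    rat: str           # radio access technology: "2G", "3G" or "4G"
    mcc: str           # mobile country code
    mnc: str           # mobile network code
    lac: int           # location area code (2G/3G) or tracking area code (4G)
    cid: int           # cell id
    rssi_dbm: int      # received signal strength
    cipher: str        # cipher the network chose: "A5/0" (none), "A5/3", "EEA2", ...
    neighbors_4g: int  # 4G neighbour cells still visible to the phone


# Constructed whitelist: cells the legitimate operator is known to run.
# A real detector would load this from the operator or a prior survey.
KNOWN_CELLS = {
    ("310", "260", 1234, 50001),
    ("310", "260", 1234, 50002),
    ("310", "260", 1235, 50010),
}

STRONG_SIGNAL_DBM = -50  # a "tower" this loud is usually a few metres away


def flags_for(prev: Optional[Observation], cur: Observation) -> List[str]:
    """Return the indicators triggered by `cur`, given the previous report."""
    flags = []
    key = (cur.mcc, cur.mnc, cur.lac, cur.cid)
    if key not in KNOWN_CELLS:
        flags.append("unknown_cell")
    if cur.rat == "2G" and cur.cipher == "A5/0":
        # 2G with no encryption: the phone will talk in the clear
        flags.append("no_encryption")
    if prev is not None and prev.rat in ("3G", "4G") and cur.rat == "2G" \
            and cur.neighbors_4g > 0:
        # Dropped to 2G although 4G is still visible: the downgrade a
        # simulator forces by jamming or rejecting the newer networks
        flags.append("downgrade_to_2g")
    if prev is not None and prev.lac != cur.lac and key not in KNOWN_CELLS:
        # A fresh LAC forces a Location Update, which is when the phone
        # hands its IMSI to whoever is running the cell
        flags.append("lac_change_to_unknown")
    if cur.rssi_dbm >= STRONG_SIGNAL_DBM:
        flags.append("abnormal_signal")
    return flags


def analyze(log: List[Observation]) -> List[dict]:
    """Annotate every report in the log with the indicators it tripped."""
    out, prev = [], None
    for cur in log:
        out.append({"t": cur.t, "cid": cur.cid, "flags": flags_for(prev, cur)})
        prev = cur
    return out


def suspect_cells(log: List[Observation], min_flags: int = 2) -> List[int]:
    """Cell ids that tripped at least `min_flags` indicators in one report."""
    return sorted({r["cid"] for r in analyze(log) if len(r["flags"]) >= min_flags})


# Constructed capture: normal 4G service, a pull onto a rogue 2G cell, release.
SAMPLE_LOG = [
    Observation(0,   "4G", "310", "260", 1234, 50001, -85, "EEA2", 3),
    Observation(60,  "4G", "310", "260", 1234, 50002, -80, "EEA2", 3),  # normal handover
    Observation(120, "2G", "310", "260", 9999, 777,   -45, "A5/0", 3),  # rogue cell
    Observation(180, "2G", "310", "260", 9999, 777,   -44, "A5/0", 3),
    Observation(240, "4G", "310", "260", 1234, 50001, -86, "EEA2", 3),  # released
]

if __name__ == "__main__":
    for report in analyze(SAMPLE_LOG):
        print(report)
    print("suspect cells:", suspect_cells(SAMPLE_LOG))
```

The benign handover between two whitelisted 4G cells produces no flags, while the rogue cell trips all five indicators at once and three on the following report; requiring two or more per report keeps a lone unknown cell (new operator equipment, an incomplete whitelist) from raising an alarm on its own.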
Finally, Wyden wants to know who's doing anything to protect US government employees and facilities from these attacks, whether they occur in Washington DC, or elsewhere in the world.
These questions need answers. But they also need action. It's been seven years and we've seen very little of either from federal agencies that express their strong concerns about national security when they're playing offense (engaging in broad, intrusive surveillance, violating/ignoring citizens' rights) but seem far less concerned when they're asked to actually, you know, secure the goddamn nation from known threats.
Filed Under: imsi catcher, stingray, washington dc
Reader Comments
surprising the differences 'kick backs' make!
This total inaction as compared to the effort expended against encryption should tell you a lot about the actual priorities of the surveillance state.
Re:
"...priorities of the surveillance state."
Now you're getting to something. There is likely a reason nothing is being done...
The American Dream
The American dream since the 1980s (maybe since the 1849 Gold Rush) has been to find the Bronze Ring or Genie of the Lamp and exploit the snot out of it for personal gain, maybe even to become emperor or a billionaire or President of the United States.†
We even have whole runs of speculative fiction in which a charming but sad boy finds a magical alien or something and has adventures, sometimes seeking his fortune (or at least getting laid).
But yes, when the NSA and our National Security departments have all respectively decided to actually ignore national security concerns rather to bolster the power and wealth of their own, it's no surprise the technology abused by them would ultimately trickle into the private sector to be used by other interests.
† This is a much more satisfying explanation of how George W. Bush and Donald J Trump got elected than the Electoral College and SCOTUS shenanigans.
They lie.
I found that in less than 30 seconds. What's their excuse?
Re:
No excuse. The lie is a cover for who is actually operating those cell site simulators. If it's that easy to construct one of these, then it's equally easy to construct a cell site simulator interceptor. It's also remarkably easy to modify a radio receiver to eavesdrop on cell calls. Slightly more complex to make one that records all calls in about a one mile circle. Makes you wonder who has the money and the contractors to build a bunch of those...
Re: Re:
Someone with 100k? But where would you find someone like that?
Is it paranoid to think that maybe they have a nsl saying they can't even look, and in fact are required not to spend funds on it? Maybe they signed an NDA and can't talk about it...
Re: NSLs
Dear Coward:
I don't think you are paranoid ENOUGH... the probability of a secret cat and mouse game going on right now and causing these encryption wars is close to unity.
Radio is inherently insecure -- the bits can be prevented from arriving, captured, and spoofed by anyone with a grand or so and some wits. It's no different than caller ID spoofing and the text messaging problems also covered here, and the technical end is pretty well understood: Encrypt as much as possible, encrypt end to end, encrypt in multiple layers, and be aware of the endpoint you are communicating with and with what level of encryption and audit what they tell you at the end of the month/week.
That leaves everyone doing traffic analysis, ideally only from the phone to the endpoint, unless they can compromise the phone company itself. In practice, the phones/computers are all susceptible to malware and in-person side channel analysis, but these, too, can be made difficult.
'So what if they're listening in, so are we.'
Wyden also suggests something practical that could be implemented quickly and at a minimum of expense: encrypting all voice and text communications by federal employees, which would make interception by Stingray devices mostly worthless.
I don't see that one going anywhere for the simple fact that it would make it harder for US agencies to listen in as well, and what with the various and continued attacks against encryption I'd say it's been pretty clear for a while now that numerous individuals and agencies are perfectly fine with people other than them being less safe and secure so long as they have an easier time grabbing as much data as they can get their hands on.
Huh? What?
"terminate support for 2G and 3G networks, which are more easily exploited by cell site simulators. "
"encrypting all voice and text communications by federal employees, "
Strange.
Are they stating that most cellphones don't send encrypted data, or that it's already broken so that it doesn't matter?
Or that unless you encrypt your data in your own phone with programs you are vulnerable.
But there are things that can't be encrypted to get your data through to the towers, which means they can still track your signal and have a good chance of knowing who you are?
And the solution is to go to 4G and 5G (expensive).
Why not have the Corps tell us where THEY have cell towers so we can cut them from the list, and track all the other signals, 'cause they have to send a return signal to keep connection with YOUR PHONE.
Unless they already have a dedicated list of the phones they are looking for to intercept. But then we can look for THOSE people, and get the signals to intercept, and track them back.
The only thing about any of this is if the receivers only record and are waiting for pickup.
There is an added trick to this: remote access to the recording and boost downloading it on another signal, WHICH isn't easy to catch.
Isn't it nice when agencies are only dedicated to specific purposes and WON'T expand it beyond what is regulated? Or are they just keeping quiet about what they are doing.
And the perpetrators noticed and dropped doing anything.
Re: Huh? What?
https://en.wikipedia.org/wiki/The_Thing_(listening_device)
The Thing, also known as the Great Seal bug, was one of the first covert listening devices (or "bugs") to use passive techniques to transmit an audio signal. It was concealed inside a gift given by the Soviet Union to W. Averell Harriman, the United States Ambassador to the Soviet Union, on August 4, 1945. Because it was passive, needing electromagnetic energy from an outside source to become energized and active, it is considered a predecessor of radio-frequency identification (RFID) technology.[1][2][3]
Re: Huh? What?
Are they stating that most cellphones don't send encrypted data, or that it's already broken so that it doesn't matter?
The second. We knew that the cellular network security had the strength of wet tissue in the early 90s, and have made no real improvements since then.
And the solution is to go to 4G and 5G (expensive).
Those have no more effective security than 3G, which had no more effective security than the various 2G systems whose weaknesses were well studied in the 90s. Congratulations, you don't need to complain about the expense after all.
Re: Huh? What?
2G has weak encryption and no authentication. 3G-5G all fall back on 2G when communication fails on 3G-5G. One can take advantage of the problems with 2G by disabling communication at 3G-5G. https://www.eff.org/deeplinks/2020/06/your-phone-vulnerable-because-2g-it-doesnt-have-be
Re: Huh? What?
The federal government's data should be encrypted such that phone providers cannot read it. The standard cellphone encryption is not end-to-end, which means it doesn't protect against providers (who are sometimes compromised, and always untrustworthy).
By contrast, when federal employees access federal computer networks from outside their offices, they have to use an ISP-independent VPN. The feds do not simply trust the ISPs not to spy.
Why not the FCC?
I would have expected anyone operating a cell-site simulator to need a license from the FCC to do that, so why isn’t this firmly in their court? The cellphone companies pay lots of money for licenses to use frequencies in those wave-bands after all, so if this isn’t their jurisdiction to chase did someone write the associated regulations without this kind of thing in mind? Or is it just that their funding doesn’t allow them to actually enforce those regulations…
Re: Why not the FCC?
In Soviet Russia all your bands are belong to us.
They can't actually locate the boxes (it looks like they didn't bother trying at all); they are mobile, clandestine, and, well, diplomatic stuff...
DHS is much more concerned that if a nursing mother brings .05 oz too much breast milk on a plane she could be part of a terror cell where various nursing mothers have been drinking various chemicals that could then be combined in the lav to make a nuclear bomb.
Who needs to compromise SolarWinds to get data when you can just tap the burner phones Congress uses to get paid by corporate sponsors & gather enough to own them. No one can deny Congress is bought & paid for by corporations; knowing when they call the escort for playtime really lowers the cost of ownership.
Re: Re: Why not the FCC?
Dear anon,
I would make it simpler.
Infect a person or group, give them 25 hours, then just let them on an airplane.
Best way to prove this works? Ask the current virus how it got around the world.
The interesting part of this is what countries DON'T monitor health as people come into the country.
Love those against Medical for illegal S. Americans, and I suggest it would take only 1 person getting sick and not being able to go to a hospital. MOST of those I talk to SHUT UP quick.
This is the same country that let its serious crimes investigatory department host and run a child pornography website in the hopes of catching some users... they don't care about sealing up the holes in phone security if that means they can't use it. They'd clearly prefer the "problem"/solution to remain open to them, in case they need to use it, than prevent serious threats to national security.
Well...
I know for a fact that Israel operates at least one Stingray on a regular basis in DC. That's all I'm saying.