Unauthorized cell-site simulators, also known as International Mobile Subscriber Identity catchers, IMSI catchers, or Stingrays, have long been suspected to exist in and around the nation's capital. In 2014, researchers with the security firm ESD America identified 15 hidden devices in the nation's capital and three others in nearby Virginia.DHS confirms unauthorized Cell-Site Simulators in Washington, DC.
— Alex Rubinstein (@RealAlexRubi) April 4, 2018
Stingrays have been increasingly utilized in domestic law enforcement in recent years. The ACLU has identified 73 police departments in 25 states with the technology, as well as 13 federal agencies. They work as a dragnet by sending out a signal to every cell phone in the area, as opposed to sending one only to a individually targeted device. The Stingray then tries to convince the phones that they can get a better connection through its signal, essentially intercepting information that was meant to be delivered to the nearest cell tower.
While police officers are believed to be the most frequent users of the technology, they are required to work with the FBI prior to obtaining one. Nonetheless, ESD America CEO Les Goldsmith, whose company tracked down the devices in Washington, said after the discovery that "it's highly unlikely that federal law enforcement would be using mobile interceptors near the Senate," adding that he suspects foreign actors to be behind the devices.
Stingrays come in a variety of forms: big ones can be attached to planes, smaller ones might be the size of a briefcase attached to a tower or in the back of a police van; they even come as small as a cellphone. The devices can cost anywhere from $1,000 to $200,000 depending on their strength. IMSI catchers are "widely available from surveillance vendors around the world and can be constructed using open source software," US Senator Ron Wyden (D-OR) wrote to DHS late last year, demanding answers on the unauthorized devices identified by ESD America.
Freddie Martinez, executive director of the Lucy Parsons Lab, an organization that spearheaded the effort to get the Chicago Police Department to release records pertaining to its use of Stingrays, which culminated in 2016, told Sputnik Stingrays can be put into use for surveillance at the drop of a hat. "We found that they had no policies for warrant requirement, because there was a lower threshold and they had no policy and procedures for even checking this equipment out for the lower evidentiary requirement they were relying on," Martinez said.
— Alex Rubinstein (@RealAlexRubi) September 21, 2017
DHS's Christopher Krebs wrote back to Sen. Wyden on March 26, 2018, saying that the department's National Protection and Programs Directorate (NPPD) "has observed anomalous activity in the National Capital Region that appears to be consistent with the International Mobile Subscriber Identity catchers."
"Maybe in 2014, 2015, people began buying these upgrades to use cell-site simulators… [what's] really important here is just that the price has gone down so much just because of how the price of technology is always falling," Martinez told Sputnik. "So we're in 2018 now, the price has probably dropped 50 percent or something."
Krebs said that "NPPD is not aware of any current DHS technical capability to detect IMSI catchers," adding that to do such a thing, the agency would need additional funding.
"NPPD agrees that the use of IMSI catchers by foreign governments may threaten US national and economic security," Krebs said in an attachment to his letter to Wyden meant to address his questions.
Martinez explained the economic threat posed by Stingray surveillance: "If you have metadata that the CEO of a large company is working late at the office with a group of attorneys, you can maybe imagine that there's a big lawsuit that's about the be announced or a merger. Or if you're a nation-state — and the United States does this in other countries as well — you can infer some amount of data. So there's a significant risk just on the metadata traffic alone." Martinez also said the technology could even be used to predict the Federal Reserve changing interest rates.
The letter warned of the risks to Americans' privacy posed by "malicious actors" with IMSI catchers. The "Department of Homeland Security, the FBI and CIA are maybe not experts on like, risks to Americans' privacy," Martinez told Sputnik. "You gotta take them with a grain of salt here. You shouldn't take them seriously when they say that stuff anyways. There are risks, real concerns."
Nonetheless, Martinez said, "We should have the same concerns regardless of whether it's an American Telecom or a foreign [one]… the amount of just metadata your phones generate should concern you anyway, regardless of this latest DHS finding."
"Overall, NPPD believes the malicious use of IMSI catchers is a real and growing risk," the letter to Sen. Wyden concluded.
Another DHS official who spoke anonymously with AP told the outlet that IMSI catchers were in fact detected during a 90-day trial in January 2017, whereas the letter from Krebs merely stated the agency had picked up on activity consistent with such devices.
The anonymous official also told AP that the agency's sweep of DC was done in partnership with ESD America. Goldsmith has declined to respond to the official's claim.
Wyden said in a statement Tuesday, after the arrival of the letter from the DHS, that "leaving security to the phone companies has proven to be disastrous."
Martinez echoed Wyden's concern, but elaborated: "There's two parallel concerns. The telecom companies have known about these issues for essentially decades and they seem to have no appetite for fixing these issues. It doesn't really hurt their bottom line, right? So without that financial incentive, there's probably never going to be an appetite for that."
While telecommunications companies have remained largely silent on cell-site simulators, DHS's statement to Wyden and the anonymous officials' admission to AP marks the first time the intelligence community has publicly picked a bone with the industry.
"They're probably concerned about not burning their own sources," Martinez said of the intelligence community. "This is also a huge volume of information that they use themselves to sort of gather targets and things like that… if they wanted to fix this stuff, it's hard to say what the would look like. I don't know what their concerns could be because they use the same sources that they're worried about."
Martinez indicated that real reform could be difficult regardless of the lack of financial incentive and the intelligence community's apprehension in addressing the topic. "One of the things that did come out of the report was basically that Congress had not be told about these issues," whereas Wyden "seems to be the only person that knew or had been briefed."
"That's significant for things Congress should be regulating," Martinez said.