Continuing a sort of cross-country tour to detect phony cell towers, also known as interceptors or IMSI catchers, researchers associated with the security firm ESD America have detected 15 of the covert devices in Washington D.C., plus three more in nearby Virginia.
The company used their ultrasecure CryptoPhone 500 to search for the interceptors, which can compromise phones through baseband hardware and are believed to have a range of roughly 1 mile. ESD America‘s phones allegedly detected telltale signs of call interception in the vicinity of the White House, the Russian Embassy, the Supreme Court, the Department of Commerce, and the Russell Senate Office Building, among other landmark buildings.
Les Goldsmith, ESD America’s CEO, stresses that he can’t be sure who runs these surveillance devices. But he points out that the U.S. government already has the ability to listen to or track calls through domestic networks, thanks to the 1994 Communications Assistance for Law Enforcement Act (CALEA).
“The U.S. government can listen to calls without deploying interceptors on the street,” says Goldsmith. “That’s why I think these are from foreign governments.”
Popular Science previously reported that the CryptoPhone 500’s builders had detected 17 interceptors around the country in July. Security experts said that at least 12 different federal agencies own versions of the technology, along with 43 state and local police forces in 18 states.
Precisely because of the shroud of secrecy around the devices, security experts cannot rule out the possibility that a foreign government is running at least some of the interceptors. Essentially a radio peripheral attached to a computer, interceptors or IMSI-catchers can be placed in a vehicle for portability, or in some cases, carried by hand.
The less complex of these devices, known as “IMSI catchers,” briefly connect with any phone that comes within range, collect the mobile subscriber number, and then ping periodically to see where the phone (and the person carrying it) goes. In short, they can be used as tracking tools. More sophisticated interceptors, which cost roughly $100,000, are capable of eavesdropping on calls or texts, or even carrying out exotic over-the-air attacks that install spyware. Advanced attacks can even take control of phone functions.
The CryptoPhone 500 is capable of discerning between an IMSI-catcher and an interceptor, Goldmsith says. An IMSI catcher connects only briefly, and looks fishy to the phone because — unlike a normal cell tower — it has no neighboring towers on its network. An interceptor, on the other hand, will stay paired with a phone as long as it is in range, and will try to force the phone down to a less secure 2G protocol, and also turn off encryption.
“If I was an embassy, I might use an IMSI catcher for counter-surveillance, to see if there were a certain cell phone constantly nearby,” says Goldsmith. “And once I pulled that number, that’s when I’d turn on the interceptor.”
Goldsmith says that ESD America is cooperating fully with the Federal Communications Commission’s investigation of the possible use of interceptors and IMSI catchers by foreign governments or criminal enterprises.