Who Is Running Phony Cell Phone Towers Around The United States?
A multitude of opinions
On August 29, Popular Science published a map of interceptor towers — surveillance devices that masquerade as cell phone towers to intercept voice and data transmissions from every cell user in an area. 19 of the interceptors were found in the United States in August, and two more popped up on September 5: one in Garden City, NY, and another in downtown Las Vegas. They were spotted by owners of the CryptoPhone 500 device, a roughly $3,500 ultra-high-end phone that allows ordinary, if well-heeled, citizens to see surveillance invisible to standard phones.
Though the F.B.I. has been using a basic mobile phone interceptor that tracks phone location, known colloquially by the brand name of “Stingray” since at least 2008, federal, state, and local officials have tried to say as little as possible about use of the technology, even in court proceedings. This angers civil libertarians such as the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), who view the use of interceptors without a warrant as an unlawful search. The government’s silence has helped generate an information vacuum filled by conspiracy theory: one fringe news site recently claimed that the interceptors are a source of “smart grid mind control” made possible by “voice to skull technology.”
Nathan Wessler, a staff attorney at the ACLU’s Speech, Privacy and Technology Project, says that while it’s “impossible” for him to definitively determine ownership of any given interceptor, he can offer some informed speculation.
“Two in Florida,” he says, after taking a look at the 19 interceptors detected around the U.S. in August. “We know that a lot of Florida law enforcement agencies use these devices. A couple of sites right on the U.S.-Mexico border — we know that U.S. Customs and Immigration uses these devices. A couple of pings in Arizona, California, one location near Seattle — we know that law enforcement agencies in those areas have these technologies.”
August GSM Interceptor Map
Since filing an amicus brief with the EFF on the first case in the country challenging the constitutionality of “Stingray” surveillance in 2012, the ACLU has used press reporting and analysis of government records to establish that 43 different state and local law enforcement agencies in 18 states have the technology. On the federal level, at least 12 agencies have purchased interceptors, including the National Security Agency, the Federal Bureau of Investigation, the Drug Enforcement Administration, the Bureau of Alcohol, Tobacco, Firearms, and Explosives, and all the branches of the U.S. military. But amidst this thicket of government and police surveillance, security experts cannot rule out the possibility that foreign spies or criminal hackers are also using the cell tower simulators in the United States. The most sophisticated interceptors cost roughly $100,000, though a skilled, determined hacker could cobble together a basic interceptor for less than $2,000.
ESD America CEO Les Goldsmith says that we don’t know for sure who’s using the interceptors, but he speculates that owners might be the U.S. government, foreign spies, or possibly criminal hackers.
When asked about the interceptor detected on July 30 near the Mayport Naval Air Station, in eastern Florida, near Jacksonville, the Navy declined comment.
“We really don’t have anything to say about that,” says William Townsend, a spokesperson for the Mayport Naval Air Station.
“I haven’t seen evidence that the military is using [interceptors] inside the U.S., but it is more than plausible that they could be using them to protect bases,” says Wessler.
A shroud of secrecy surrounds the technology, with the government trying to avoid admitting usage of interceptors, even in criminal trials where cell phone surveillance has provided key pieces of evidence.
In June, an ACLU of Florida public records request in Sarasota, Florida, showed that the police there had a policy to conceal the use of “Stingray” tech used to track suspects — preventing “the criminal element,” as well as judges and defense attorneys, from knowing the source of the surveillance. In March, police officers in Tallahassee admitted to using the technology at least 200 times since 2010 without telling a judge, due to a non-disclosure agreement signed with the technology manufacturer Harris Corporation. The Wall Street Journal reported in 2011 that the FBI has a longstanding policy to expunge any mention of “Stingray” use from official reports.
“The justification [government lawyers] put forward publicly, is if they were to disclose their use of this technology, it would allow criminals to evade detection, and hamper their ability to fight crime,” says Wessler. “To think that a savvy criminal won’t have figured out that their cell phone might get tracked is kind of silly at this point.”
Given the proximity of some of the interceptors to military bases, the portability and sub-$100,000 price tag for sophisticated devices has raised fears of foreign governments using them for espionage. (Here are a range of interceptors offered to government and defense industry clients by a company based in Soghi, India). Many are small enough to be driven in a car or even carried by hand.
“There’s nothing preventing some foreign government from rolling these out throughout the United States,” says Mathew Rowley, a mobile security expert for Matasano Security. “Who knows? I don’t want to say that ‘it is the case that it’s foreign governments’ — but I can’t say ‘it’s not the case.'”
The Federal Communications Commission has formed a task force to investigate usage of interceptors on American soil by foreign spy services or criminal organizations.
There is also the possibility that a particularly skilled hacker could build a DIY interceptor using off-the-shelf components. A rudimentary cell tower combined with a radio peripheral connected with a PC running open-source base tower software can be built for less than $2,000. Doing so might allow the theft of credit card numbers, or allow tracking of a famous person’s subscriber number as she traveled near the interceptor.
“It’s possible for someone who has enough free time on their hands” to build a DIY interceptor using off-the-shelf components, says Rowley. “You have to understand how things are configured, how GSM networks work, how to communicate with backend systems legitimately. All the data is encrypted. And to decrypt it is the hard part. That’s not to say it’s not possible.”
So should we worry about interceptors?
The most expensive interceptors are capable of sophisticated attacks that eavesdrop on calls or texts, push spyware to the phone, or even spoof calls or texts. But in court, Wessler has only seen the state introduce evidence from the simpler “Stingray” devices capable solely of geolocation tracking. In other words, the interceptor pairs with the suspect’s phone’s subscriber number and pings to see where the phone goes, so long as the device remains within the interceptor’s range.
As to the dangers to law-abiding citizens posed by police or government geo-location surveillance, Wessler points to the example of the interceptor found in downtown Las Vegas.
“You can imagine quite sensitive information that the location of someone’s phone can reveal,” says Wessler. “You can tell it was my phone that was at the casino until 2 am, drove out to the brothel at 4 am, and then back to the casino at 6 am. Or someone goes to an abortion clinic. Or an NRA meeting. Or an AA meeting.”
“It looks a whole lot like a dragnet search.”
Rowley, a security expert who studies the hacking of mobile phones, considers interceptor use more of an anomalous “edge case” than something the average person should fear.
“I don’t think this means that this means that our current model of how cell phone communication works is flawed. From what I know about GSM, it’s pretty secure, assuming everything is configured properly. I think there [are] edge cases for just about everything in technology. In my opinion, this shouldn’t bother the general public.”
Wessler also points out that it’s impossible to target just one phone — instead, the interceptor tricks all phones in the vicinity into connecting.
“When police are using it to track the location of a phone, it inherently collects information not just about that phone, but about every phone in the area. It looks a whole lot like a dragnet search,” says Wessler. “A second and related problem is they’re not just sending signals out through the open air, but in houses, offices, other private spaces. So you end up tracking people to different rooms in the house or apartment building….within a meter or two of where the phone is.”
Oliver Day, the president of Securing Change, a privacy-minded non-profit that provides technology services to other non-profits, objects to indiscriminate surveillance of all citizens — what Wessler characterizes as a “dragnet search.” Day makes a distinction between targeted surveillance of a particular suspect, and mass surveillance, in which the government gathers information about everyone, without a warrant, and then seeks usable intel after the fact.
“My dad was in the Army, I totally understand the need for intelligence. The NSA needs to exist — the CIA needs to exist. They just need to be controlled and monitored,” says Day. “But targeted surveillance is a whole different thing. Everyone is a worthwhile target when you’re doing mass surveillance.”