DHS detects stingrays in DC, but can't find the surveillance devices

The Department of Homeland Security says rogue stingrays, or unauthorized cell-site simulators, have been used in Washington, D.C., but it is incapable of finding them.

DHS detects stingrays in DC, but can't find the surveillance devices
IDGNS

For the first time, the Department of Homeland Security (DHS) formally admitted that rogue stingrays, or unauthorized cell-site simulators, have been used in Washington, D.C., but the agency has no way to find them.

The Associated Press got its hands on a letter sent to Sen. Ron Wyden (D-Ore.) in which DHS official Christopher Krebs said “anomalous activity” that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers had been detected in National Capital Region.

DHS’ National Protection and Programs Directorate (NPPD) did not know which type of devices were being used or who was operating the stingrays, which can track phones as well as intercept calls and messages. Yet “NPPD believes the use of these devices by malicious actors to track and monitor cellular users would be unlawful and threaten the security of communications, resulting in safety, economic and privacy risks.”

In the March 26 letter, Krebs was answering questions asked by Wyden in November 2017. Krebs did not specify how many devices were detected or where in D.C. they were located. DHS was also “aware” of stingrays being used in other cities but didn’t specify which ones.

DHS lacks the 'technical capability' to find the stingrays

In fact, even though stingrays used by foreign spies “may threaten U.S. national and economic security,” Krebs indicated that DHS couldn’t find the stingrays because it lacks the “technical capability” to do so. Instead, the findings were shared with “federal partners.”

For DHS to detect the stingrays being used in Washington and other cities, it would “require funding to procure, deploy, operate and maintain the capability, which includes the costs of hardware, software and labor.”

Although NPPD “believes the malicious use of IMSI catchers is a real and growing risk,” the Associated Press pointed out that shutting down malicious stingrays would require expensive wireless network upgrades and “could also lead to conflict with US intelligence and law enforcement,” which happily use stingrays for their own purposes.

Sen. Wyden said, “Leaving security to the phone companies has proven to be disastrous,” yet “the FCC has refused to hold the industry accountable ‘despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers.’”

The FCC formed a task force in 2014 to look into the unauthorized use of stingrays, but it never produced so much as a report.

That was the same year when security researchers performed public sweeps to identify unauthorized cell tower simulators being used near the White House, Supreme Court, Pentagon, and other locations.

Aaron Turner, president of Integricell, took part in the conducted sweeps. He told the Associated Press that every embassy “worth their salt” had installed a stingray. “They use them ‘to track interesting people that come toward their embassies.’ The Russians’ equipment is so powerful it can track targets a mile away, he said.”

Granted, Washington, D.C., is full of people who work for three-letter agencies, and it could pose a national security threat if foreign governments are using stingrays for spying purposes. However, stingrays — which trick mobile devices into connecting to them instead of a cell tower — are used by most U.S. intelligence agencies and at least 25 police departments. Over the years, we’ve learned the devices are often used without first obtaining a warrant for dragnet surveillance.

Is anyone really surprised to learn that type of surveillance is being used against the agencies using the devices on regular people? AP pointed out that the “surveillance-savvy” encrypt their phones and communications; you should, too.

Related:
NEW! Download the Winter 2018 issue of Security Smart