• United States



Senior Staff Writer

Rogue cell towers discovered in Washington, D.C.

Sep 17, 20145 mins
Access ControlCritical InfrastructureData and Information Security

A simple drive with a CryptoPhone reveals fifteen new rogue sites

Towards the end of July, ESD America, the makers of the ultra-secure CryptoPhone, said that their engineers and customers had discovered more than a dozen rogue cell towers (also known as interceptors or IMSI catchers) around the U.S.

New information shows that the discovered towers might only represent a small fraction of the whole, and what’s been discovered doesn’t account for the mobile base stations that are only active on a limited basis.

Interceptors are a huge risk if used by a malicious actor. That’s because once a device connects to them, the interceptor’s operator can perform a number of tasks, including eavesdrop on calls or text messages, or in some cases push data (spyware for example) to the device. This is why they’re only supposed to be used by law enforcement or the government.

However, that doesn’t mean that the government or law enforcement haven’t found themselves in the hot seat for abusing an interceptor’s functionality. The potential for abuse and wide availability of the technology, including home-grown versions that work just as well as their commercial counterparts, means that the existence of unknown interceptors are a major concern.

In an interview with Popular Science last month, Les Goldsmith, the CEO of ESD America, said that it’s suspicious many of the interceptors discovered in July were “on top of U.S. military bases.”

“So we begin to wonder – are some of them U.S. government interceptors? Or are some of them Chinese interceptors? Whose interceptor is it? Who are they, that’s listening to calls around military bases? Is it just the U.S. military, or are they foreign governments doing it? The point is: we don’t really know whose they are.”

The unknown is what prompted questions from Congress, who grilled the FCC on their plans to address the interceptor issue.

The agency, responding to Congress in a letter dated Aug. 1, said that a task force had been created “in order to combat the illicit and unauthorized use of IMSI catchers.”

“The mission of this task force is to develop concrete solutions to protect the cellular network systemically from similar unlawful intrusions and interceptions,” the letter added.

On Tuesday, Aaron Turner, president of IntegriCell, along with Buzz Burner, director of applications at ESD America, and Goldsmith drove around Washington, D.C. in order to see if they could detect any interceptors.

The trip was a live test of sorts, as Turner’s company plans to take the CryptoPhone and put it in the enterprise market. Using the CryptoPhone as a guide, the trio discovered 15 new interceptors, including three on Pennsylvania Avenue, arguably the most famous street in the district when it comes to tourism.

In the areas where the interceptors were discovered, they generated more than 40 alerts on the CryptoPhone.

While their most recent findings could raise alarm, this isn’t a moment where the public should freak out, said Turner during an interview with CSO.

“This is a moment to say look, if you’re a high value target, or if you have high-value information inside of your company, then you need to take precautions to protect your communications while you’re on [cellular networks].”

Unfortunately, Turner added, not everyone can afford to go and buy a CryptoPhone, so an application-based solution could be a better fit. But details as to when IntegriCell would be releasing an enterprise version of the CryptoPhone base were not immediately available.

As mentioned, the problem of random interceptors existing on the cellular network is a major one. The FCC’s task force is a step forward, but realistically, they might not be the best resource to deal with the issue.

This is because the FCC is not properly resourced to tackle the interceptor problem. If anything it would be up to the carriers (e.g. Verizon, AT&T, or T-Mobile) to maintain and secure the spectrum they’re using.

“Unfortunately, right now, the carriers are focused on revenue and availability…With all technology decisions, you always have to balance between integrity, availability, and confidentiality, and in this case the carriers have defaulted to availability,” Turner said.

Moreover, their promised task force still isn’t up and running at full speed.

“From what we can gather right now, the task force isn’t very operational yet. At least, at this point, what we’re seeing is they’re showing a keen interest in gathering whatever technology they can in order to further their assessment of these sites to see whether or not they can locate these devices close [in real-time],” said Goldsmith, when asked about expectations.

“They’re taking some steps, hopefully in a positive direction. But even if the FCC does locate them [the interceptors], I don’t know whether their enforcement arm is really the one that would be dealing with the perpetrators.”

It’s possible that if the FCC detects something, the issue would require the involvement of other federal agencies, like the FBI, in order to determine if the interceptor is related to economic or industrial espionage.

“It’s not going to be just the FCC going out there and dealing with potentially a spy ring or something,” Goldsmith added.

Tuesday’s test was just the first of many. Based on the successful testing in Washington, D.C., there are now plans to conduct more concentrated testing in other parts of the country.

“We think we’ve uncovered the tip of the iceberg,” said Turner.

“The solution is, people are going to have to protect themselves, the government’s not going to come and protect you. They may, in some strange, crazy and massive breach situation, but the everyday enterprise, for the everyday high-value individual, this is something where they’re going to have to be self-sufficient and protect themselves.”