The Department of Homeland Security has finally confirmed what many security specialists have suspected for years: cell-phone tracking technology known as cell-site simulators (CSS) are being operated by potentially malicious actors in our nation's capital.

DHS doesn't know who's operating them or why, or whether these fake cell towers are installed elsewhere in the country. While EFF has its hunches, one thing is certain: the federal government and cell-service providers have been sitting on their hands for far too long. Now is the time to fix the underlying problems with our worldwide cellular communications infrastructure.

In November 2017, Sen. Ron Wyden sent DHS a letter [PDF] demanding information regarding the use of CSSs by foreign spies in Washington, D.C.  In March, DHS finally responded that it had indeed observed “anomalous activity…. That appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.” Although this information was reported to other federal agencies, DHS investigators did not validate or attribute the activity to anyone or any specific device.

The DHS response continues:

[DHS] believes the use of these devices by malicious actors to track and monitor cellular users would be unlawful and threaten the security of communications, resulting in safety, economic, and privacy risks. [DHS] agrees that the use of IMSI catchers by foreign governments may threaten U.S. national and economic security.”

We agree with the concerns of DHS and Sen. Wyden, and furthermore, congratulate them for publicly acknowledging that IMSI catchers are being used by entities other than U.S. law enforcement and intelligence (a likelihood  which had already raised alarm in the security research community). IMSI catchers in the hands of criminals, corporate spies, and foreign intelligence agencies have the potential for massive privacy invasions that make us all less safe.

Anyone with the skill level of a hobbyist can now build their own passive IMSI catcher for as little as $7 or an active cell-site simulator for around $1000. Moreover, mobile surveillance vendors have displayed a willingness to sell their goods to countries who can afford their technology, regardless of their human rights records.

Cell-site simulators work by taking advantages of flaws in the mobile communications system. Older generations of IMSI catchers—such as Harris Corporation’s infamous Stingray—took advantage of flaws in previous generations of cellular technology; flaws that still exist. But now there is a new generation of IMSI catchers on the market that are able to exploit the latest mobile network technology to track and surveil mobile devices. These next generation CSSs are already in the hands of law enforcement and similar technologies are likely in the hands of spies and criminals as well.   

Law enforcement and the intelligence community would surely agree that these technologies are dangerous in the wrong hands, but there is no way to stop criminals and terrorists from using these technologies without also closing the same security flaws that law enforcement uses. Unlike criminals however, law enforcement can still obtain search warrants and work directly with the phone companies to get subscribers' location, so they would not lose any capabilities if the vulnerabilities CSSs rely on were fixed.

So far, mobile providers, the FCC, and members of Congress have been reticent to address the issue (other than a few notable standouts such as Sen. Wyden and former Rep. Jason Chaffetz). Whether this is because of a cozy relationship with law enforcement or because of a general complacence with the situation is unclear. What is clear is that the time has come for mobile providers and government officials to take these abuses of technology seriously and fix the security issues in this critical infrastructure. The alternative is to let the spies and criminals run wild.