The Anatomy of Cellphone Eavesdropping

The Chinese and Russians reportedly are eavesdropping on President Trump’s cell phone calls. The Chinese supposedly drew up a list of the President’s confidants, seeking to persuade them to persuade the President to go easy on China. China reportedly learned who the President confides in by eavesdropping on his cell phone calls. This leaked intelligence comes on the heels of a report from the Department of Homeland Security (DHS) that evidence of cell phone eavesdropping devices was found near the White House and other sensitive sites in Washington DC. In an earlier report on mobile security, DHS said “[a]s early as 1996, members of Congress experienced calls being illegally intercepted, however, no technological solution to this problem has been systematically deployed and it remains [so] to this day.”

Operations Performed by an IMSI-Catcher

The cellphone eavesdropping device is known as a cell-site simulator. Other names for the device include Dirtbox, StingRay and IMSI catcher. A cell-site simulator is a rogue base station (cell tower) that tricks mobile phones into divulging personal information. Commercial cell-site simulators range from the size of a large briefcase down to handhelds. These devices are mounted on poles or buildings, driven around in vehicles, flown overhead in airplanes or helicopters and carried on the person. The following summarizes some of the operations that can be performed by cell-site simulators, although specific techniques vary according to the circumstances and equipment involved. In general, attacks can be mounted in passive, semi-passive or active mode.

Passive Mode

In passive mode, an attacker sniffs over-the-air radio transmissions on cellphone channels. These radio transmissions are monitored without affecting the transmissions, and the user is not aware of the monitoring. In the United States, there are no regulations requiring wireless carriers to encrypt cellphone transmissions, and many 3GPP standards do not require encryption by default. For example, for LTE, encryption is mandatory for network control and signaling, but optional for subscriber transmissions. Encryption of customer phone calls is left to the discretion of the operator. If the operator has chosen not to encrypt over-the-air transmissions (and most do not encrypt customer traffic), or is using weak encryption, a sniffer operating in passive mode will pick up this traffic. The metadata and contents of the conversation can be decoded.

Even with encrypted LTE transmissions, the initial set-up messages may be unencrypted. For example, when the smartphone is first turned on, upon landing at an airport, the network often will require transmission of the IMSI number (international mobile subscriber identity) or the IMEI number (international mobile equipment identity) in the clear (unencrypted). A passive attack at an airport can capture IMSI numbers off of an LTE system, as well as 2G and 3G systems. The IMSI number is unique to the subscriber and is used to authenticate a person when moving from network to network. An attacker’s knowledge of the IMSI can lead to discovery of the subscriber identity and other customer information, which in turn facilitates tracking the individual.

Semi-passive mode

In semi-passive mode, the attacker triggers a network page for the targeted cellphone. This is done by very briefly calling the phone number of the target device or by initiating a social media (Facebook or WhatsApp) contact with the cellphone. Knowledge of the target’s telephone number is required. Upon receiving a phone call or social media contact for the target phone, the network “looks for” the target phone to determine the precise cell tower to which the call should be delivered. The network does so by broadcasting a page to the general geographic area in which the cellphone was last registered. The page will contain the IMSI of the target phone or its temporary identification. The target phone recognizes its IMSI and attaches to the network. This alerts the network to the location of the target phone. The network delivers the call to the appropriate cell tower. An attacker’s passive monitoring of the network picks up this exchange and tells the attacker the approximate location of the target cellphone.

Active mode

In active mode, the basic steps are traffic capture, jamming and downgrade to 2G, which has minimal security protections. The cell-site simulator preys on a smartphone’s attempt to find the best cellular signal. For LTE, the best signal is a combination of (1) transmission over the highest priority frequencies that are available, (2) transmission at a sufficiently high power to provide a clear signal, and (3) transmission of the network operator’s codes. The legitimate cellular network broadcasts in the clear (no encryption) a prioritization of frequencies, i.e., a ranking of the priority of each available frequency. Using the passive mode, an attacker obtains this ranking of frequencies, as well as the network operator’s identification codes which are also sent in the clear. The attacker sets one device (“the Jammer”) to transmit on the highest priority frequencies, and a second device (“the Collector”) to transmit on the second highest priority frequencies at a higher power level. The Jammer transmits RF noise on the top priority frequencies. This is like getting static on your car radio. It causes the cell phones in the area that are on the same cellular network (AT&T, Verizon, T-Mobile or Sprint) to search for a different cell site. Because the Collector is transmitting on frequencies that have been identified by the legitimate cell site – albeit lower priority frequencies – these phones attach to the Collector. The Collector broadcasts an Identification Request. In response, the affected phones usually will send their IMSI number to identify themselves. In this way, a large number of IMSI numbers can be harvested. An airplane flying over a metropolitan area could collect thousands or millions of IMSI numbers.

Upon receipt of the IMSI number that the attacker is looking for, the attacker can zero in and find the exact location of the IMSI number. If location and tracking of an individual was the objective of the attack, this objective will have been accomplished. However, the attacker could also send instructions specifically to the phone that has the IMSI number. This can result in a denial of service or receipt of malware.

The ultimate goal is to get the cellphone to operate on 2G frequencies, where security is the weakest. Even though AT&T and Verizon are discontinuing use of 2G, if the cellphone device has a 2G radio inside, the cellphone may revert to 2G anyway. Cellphone manufacturers continue to include 2G radios in order to assure connectivity in rural areas or overseas, where 2G is widespread. However, even if the target cellphone remains in LTE, the simple act of getting the cellphone to switch to a rogue cell site can compromise the IMSI number. As noted above, the initial set-up to a new network often requires the cellphone to transmit its IMSI number in the clear. These operations can be largely invisible to the cellphone user – cellphones are designed to seamlessly retain connectivity under adverse circumstances.

If the active attack continues for more than a few seconds, it can result in denial of service to the target and other, nearby phones operating on the same network. The Collector can reject the authentication request of the target cellphone and the nearby devices. Under certain circumstances, the cellphone disconnects from and completely disregards the legitimate network, resulting in a denial of service. The cellphone would need to be re-booted in order to regain legitimate cellular service. Typically, the cellphone user would only know that the phone does not work and would not understand the reason for the malfunction. Once again, this is only a general description. Details of an attack would depend on the cellular network involved, the manufacturer and version of the target cellphone, the goal of the attack, the capabilities of the attacker and other variables.
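As an added illustration (not part of the original article and not taken from any real detection product), the active-mode sequence described above can be expressed as a defender-side check over a phone's radio event log. The log format, field names, thresholds and sample events below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float                 # seconds since start of the (constructed) log
    kind: str                # "serving_cell", "identity_request" or "attach_reject"
    rat: str = ""            # radio technology of the serving cell: "LTE" or "2G"
    freq_priority: int = 0   # frequency priority broadcast by the network (higher = preferred)
    power_dbm: float = 0.0   # received signal power of the serving cell
    id_type: str = ""        # identity asked for: "IMSI" or a temporary ID ("TMSI")

POWER_JUMP_DB = 15.0   # assumed threshold for an unusually strong new cell
WINDOW_S = 10.0        # assumed window linking a follow-up event to a reselection

def find_indicators(events):
    """Return (time, indicator) pairs matching the active-mode steps in the text."""
    found, prev_cell, last_odd_switch = [], None, None
    for ev in events:
        if ev.kind == "serving_cell":
            if prev_cell is not None:
                if prev_cell.rat == "LTE" and ev.rat == "2G":
                    # Forced fallback to the weakest-security generation.
                    found.append((ev.t, "downgrade_to_2g"))
                    last_odd_switch = ev.t
                elif (ev.freq_priority < prev_cell.freq_priority
                      and ev.power_dbm - prev_cell.power_dbm >= POWER_JUMP_DB):
                    # Phone left a top-priority frequency for a much louder
                    # cell on a lower-priority one (the Jammer/Collector pattern).
                    found.append((ev.t, "lower_priority_stronger_cell"))
                    last_odd_switch = ev.t
            prev_cell = ev
        elif last_odd_switch is not None and ev.t - last_odd_switch <= WINDOW_S:
            if ev.kind == "identity_request" and ev.id_type == "IMSI":
                found.append((ev.t, "imsi_request_after_switch"))
            elif ev.kind == "attach_reject":
                found.append((ev.t, "reject_after_switch"))
    return found

def is_suspicious(events, min_indicators=2):
    """Each indicator also occurs on honest networks, so require a combination."""
    return len({name for _, name in find_indicators(events)}) >= min_indicators

# Constructed log: the sequence the article describes.
SUSPECT_LOG = [
    Event(0.0, "serving_cell", "LTE", 7, -95.0),
    Event(42.0, "serving_cell", "LTE", 5, -70.0),
    Event(43.5, "identity_request", id_type="IMSI"),
    Event(47.0, "attach_reject"),
    Event(49.0, "serving_cell", "2G", 1, -68.0),
]
# Constructed log: ordinary power-on (IMSI sent in the clear) and a normal cell change.
BENIGN_LOG = [
    Event(0.0, "identity_request", id_type="IMSI"),
    Event(1.0, "serving_cell", "LTE", 7, -90.0),
    Event(300.0, "serving_cell", "LTE", 5, -88.0),
    Event(301.0, "identity_request", id_type="TMSI"),
]

if __name__ == "__main__":
    print(find_indicators(SUSPECT_LOG), is_suspicious(SUSPECT_LOG))
    print(find_indicators(BENIGN_LOG), is_suspicious(BENIGN_LOG))
```

The benign log shows why a single cleartext IMSI request is not treated as evidence on its own: as the article notes, initial set-up on a legitimate network often requires it.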

National Security, Fourth Amendment, Commercial, and Privacy Concerns

A cell-site simulator utilizes spy technology that takes advantage of security gaps in U.S. wireless systems. This technology has a variety of applications. Cell site simulators are used by foreign security services operating in the United States, by U.S. law enforcement operating domestically, by criminals, and by hobbyists. Cell-site simulators raise national security, constitutional, commercial and privacy concerns.

National security concerns

As noted above, the Department of Homeland Security observed “anomalous activity” consistent with the use of cell-site simulators near the White House, Capitol Hill and elsewhere in the national capital region. This is not new. In 2014, a similar test was performed with similar results. Foreign governments use cell-site simulators extensively at their embassies. A few private contractors have claimed to locate cell-site simulators near the buildings of federal agencies and high-tech defense contractors. According to the Washington Post, “experts on cellular interception say that various IMSI catchers have distinctive designs, making it clear from the resulting cellular signals and behavior whether they were made by U.S. companies or by manufacturers in other countries.” Presumably, U.S. agencies would use U.S. equipment which is more reliable, but not available to a foreign intelligence service.

Foreign intelligence agencies can use cell-site simulators to launch other, potentially more destructive attacks. For example, spear phishing campaigns have targeted executives at defense and technology companies in order to gain access to the company’s technology files. A spear phishing campaign typically sends a tailored message to the target’s email address. This requires knowledge of the email address, which may be closely guarded for a high-level executive. One way to potentially obtain the target’s personal email address would be to position a cell-site simulator outside the target’s office and sniff for email and text traffic.

In another example, problems have been noted with Signaling System No. 7 (SS7) that potentially could give a foreign intelligence agency wide ranging access to U.S. mobile phone networks. DHS said there were reports that nefarious actors had used SS7 to target the communications of American citizens. Obviously, a high-value target of an SS7 attack would be the cellphone calls of President Trump, discussed above. However, in order to run an efficient SS7 attack, knowledge of the cellphone’s IMSI or telephone number is required. The New York Times reported that White House protocol is to have the President switch cellphones every thirty days. Once a new Presidential cellphone becomes operational, a foreign intelligence agency would need to learn the new IMSI or telephone number in order to attempt to eavesdrop via SS7. One way to potentially learn the new IMSI or telephone number would be through a cell-site simulator attack. Once again, the SS7 attack potentially would be more destructive but would have been facilitated by a cell-site simulator.

These examples demonstrate that denying foreign intelligence agencies the use of cell-site simulators helps to bolster national security even if it does not solve broader problems of spear phishing or monitoring via SS7.

Fourth Amendment concerns

U.S. law enforcement makes widespread use of cell-site simulators. In December 2016, a Staff Report of the Oversight and Government Reform Committee of the U.S. House of Representatives reported that the U.S. Dept. of Justice had 320 cell-site simulators agency wide, the Dept. of Homeland Security had 124 such devices, and Dept. of Treasury had three. According to its website, as of November 2018, the ACLU “has identified 75 agencies in 27 states and the District of Columbia that own stingrays” but because of law enforcement secrecy, this “dramatically underrepresents the actual use of stingrays by law enforcement.” At the behest of the FBI, law enforcement agencies sign a non-disclosure agreement in order to obtain these devices. The stated reason is to protect sources and methods so that the bad guys don’t catch on and take evasive measures. Claiming to be bound by the NDA, law enforcement agencies have hidden or under-reported the use of cell-site simulators to courts. Traditionally, most law enforcement agencies deemed the use of a cell-site simulator to require a lower standard than probable cause and claimed they did not need a warrant.

In September 2015, DOJ changed its policy to require its constituent agencies to obtain a search warrant based on probable cause before using a cell-site simulator. The DOJ policy requires its agencies to fully inform the court in applying for a search warrant to use a cell-site simulator, to inform the defendant, to not use data collected from persons other than the suspect and to not access content of conversations. There is an exception for exigent circumstances. In October 2015, DHS adopted a similar policy. Several states have enacted state laws requiring a search warrant. However, according to the Committee Staff Report, state and local law enforcement agencies have a variety of policies. Many state and local agencies still believe that a lower standard than probable cause is necessary for use of a cell-site simulator, and that secrecy is the best policy. In a recent case, Washington DC police did not get any court order (not even a pen register/trap and trace order), before using a cell-site simulator to locate a defendant. This raises Fourth Amendment concerns, including: too low of a threshold to conduct a search; secrecy surrounding the use of stingrays, which encourages the police to use parallel construction to build a case; and Big Brother surveillance of the general population or targeted groups.

Commercial concerns

Banks and other consumer facing industries are embracing two-factor authentication in order to make online accounts more secure. The problems with using a password alone have been well publicized. The most common form of two-factor authentication is to send a one-time code via text to the consumer’s cellphone. A cell-site simulator can defeat this measure by intercepting the text message. This facilitates bank fraud and other kinds of theft.

Although U.S.-manufactured cell-site simulators are tightly controlled by the FBI, criminals can access these devices. Open-source software and do-it-yourself instructions are available on the Internet. One does not need programming skills – just a few thousand dollars to purchase off-the-shelf components, and the time and patience to assemble these devices.

Personal privacy concerns

Finally, personal privacy is invaded, and consumer confidence in U.S. wireless services is reduced by the widespread use of cell-site simulators.

Commonsense Measures to Combat Cell-Site Simulators

What can be done about cell-site simulators? Here are two commonsense measures. First, enforce the laws that are on the books. Second, require all U.S. law enforcement agencies to get a search warrant based on probable cause before using a cell-site simulator in the United States.

First, enforce the law. It should not be controversial to have a policy of enforcing the law. Section 333 of the Communications Act prohibits willful interference with licensed radio communications. This statute applies to a cell-site simulator’s jamming and other interference with the licensed radio communications of a cell phone carrier. The Electronic Communications Privacy Act (ECPA) prohibits willful interception of electronic communications, including by radio. The ECPA applies to the passive interception and semi-passive querying and interception, as well as active interference, that are conducted by a cell-site simulator. Finally, the Federal Communications Commission tests and certifies radio equipment in the United States. Cell-site simulators that are used in the United States, and that have not undergone Federal Communications Commission (FCC) certification, violate the law.

The operation of illicit cell-site simulators to date has been mostly risk-free. There is no deterrent against this illegal activity. The FCC so far has declined to get involved, stating that “the FCC’s only role is certifying whether these devices meet our requirements for controlling radio interference and emissions. ... The FCC does not have jurisdiction relative to the legal authorization for use of the devices.” However, this characterization has been disputed. In other contexts, the FCC brings enforcement actions against those who intentionally jam licensed frequencies and companies selling jamming equipment into the United States. Similarly, DHS demurred, stating that it does not have the authority, technical ability and resources to go after rogue cell-site simulators.

The Department of Homeland Security (DHS), the FCC, or another appropriate agency should be given the mandate and resources to seek out and confiscate cell-site simulators, with the Department of Justice bringing criminal prosecutions. The technology reportedly is available to search for these devices. Stricter law enforcement would not stop all illicit activity, but it would make riskier the illegal operation of a cell-site simulator. This would help to protect national security and personal privacy. As described above, depriving foreign intelligence agencies of the use of cell-site simulators would cut off one way for the spies to obtain information that is vital to other, more destructive attacks.

Second, require a search warrant for all U.S. agencies to use a cell-site simulator in the United States. The ECPA should be amended to explicitly prohibit the use of a cell-site simulator, except where specifically authorized by a search warrant based on probable cause. Domestic counter-intelligence still could be conducted but would be subject to the warrant requirement. Law enforcement agencies should be required to be truthful and complete in their warrant applications, fully disclosing to the court the nature of activity for which authorization is sought (passive, semi-passive, or active) and the possible collateral consequences of each such action. Law enforcement agencies should make full disclosure to a criminal defendant.

This too should not be controversial, as it essentially would codify existing federal law enforcement policy. However, there is a difference between department policy and a criminal statute. The DOJ can change its policy with a new Administration or even a new Attorney General. Or, an agency may disregard the policy and not seek a warrant in an individual case, often with minimal consequences. Placing the requirement of a warrant in a statute is more permanent.

Finally, the Communications Act may need to be amended so as to not prohibit state and local law enforcement from operating a cell-site simulator pursuant to a search warrant.

Julian Gehman is a telecommunications fellow at the Committee for Justice and a Washington, D.C. telecommunications lawyer who has been practicing for more than 25 years.