The US Department of Homeland Security (DHS) says it has detected strange fake cellphone towers – known as IMSI catchers – in America's capital.
These devices, which can masquerade as real phone masts to track people's movements and potentially eavesdrop on calls and texts, represent a real and growing security risk, the agency said.
And whoever is operating them in Washington DC is, we're told, a mystery to Uncle Sam's g-men.
DHS official Christopher Krebs dropped this mild bombshell in a a March 26 letter sent to Senator Ron Wyden (D-OR), a memo that was made public this week.
On November 17 last year, Wyden sent several questions to Homeland Security about whether it had any evidence of foreign IMSI catchers operating in the Washington DC area.
International Mobile Subscriber Identity (IMSI) catchers, such as Harris Corporation's StingRay, are devices that pretend to be cell towers in order to collect device identifiers (metadata) and potentially communication data – some devices can force phones to downgrade to 2G mode to make content interception easier. Security researchers have demonstrated that texts and calls can be collected using this type of gear.
They're used around the country by the cops and Feds, but concern has been growing that they're also used for eavesdropping by foreign spies, private miscreants, and other malicious parties.
In answer to Wyden's query, the DHS said its National Protections and Programs Directorate (NPPD) "has observed anomalous activity in the National Capital that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers."
But beyond that, NPPD hasn't yet identified specific devices nor attributed their use to specific entities. The agency says it has made other federal agencies aware of its findings.
The Federal Communications Commission has been aware of the issue since at least 2014 when it formed a task force to crack down on unauthorized use of cell tower simulators. The escalating concerns about unknown parties eavesdropping on public and government communications suggest the FCC inquiry hasn't accomplished much.
Senator Wyden also asked whether the DHS has the capability to detect 4G/LTE IMSI catchers, capable of surveilling recent model phones.
The NPPD responded that it's not aware how it would detect such technology and that if detection tech exists, the DHS would require funding for software, hardware, and personnel to do so.
According to the American Civil Liberties Union, 73 agencies in 25 states and the District of Columbia own IMSI catchers, though the advocacy organization suggests the devices may be more widespread because government agencies often conceal such purchases.
As for the number of devices operated by foreign spies and the like, that's still being worked out. ®