Are your calls being intercepted? 17 fake cell towers discovered in one month

Credit: Image credit: flickr/devra

CryptoPhone users found 17 fake “cell towers” in a month, but don’t know who deployed them or why. If you think you'd know if your calls are being intercepted by seeing the phone connect to "2G," then think again.

You wouldn't likely know if you are under cell phone surveillance, but you would if you were about to make a call and your phone displayed an unencrypted connection warning that states, "Caution: The mobile network's standard encryption has been turned off, possibly by a rogue base station (IMSI Catcher'). Unencrypted calls not recommended."

Through notifications such as that, CryptoPhone users found and mapped 17 fake "cell towers" in the U.S. during the month of July. While most phones can't find those interceptors, a $3,500 CryptoPhone 500 can. The phone has a Samsung Galaxy SIII body, but unlike the Android OS that comes standard on the Galaxy SIII and "leaks data to parts unknown 80-90 times every hour," ESD America hardened the Android OS by removing 468 vulnerabilities.

"Interceptor use in the U.S. is much higher than people had anticipated," said Les Goldsmith, the CEO of ESD America. He told Popular Science, "One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip.  We even found one at South Point Casino in Las Vegas." He added, "What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases. Whose interceptor is it?  Who are they, that's listening to calls around military bases?  The point is: we don't really know whose they are."

Privacy groups have been fighting unconstitutional stingray surveillance for several years, yet there's still a great deal citizens don't know about the portable devices known as IMSI catchers, also known by the generic term "stingray." It acts like a fake cell tower and tricks your mobile device into connecting to it even if you are not on a call. It is used for real time location tracking; some can pinpoint you within two meters as well as eavesdrop and capture the contents of your communications.

Goldsmith conducts testing on his company's "baseband firewall" while driving by an unnamed government facility in the Nevada desert that runs an interceptor. "As we drove by, the iPhone showed no difference whatsoever. The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree."

You might know your phone is being intercepted if it shows 2G, instead of 3G or 4G, but some interceptors claim to be "undetectable." The VME Dominator, for example, is marketed only to government agencies. It promises that it allows "you to intercept, block, follow, track, record and listen to communications using unique triangulation and other advanced technology," but "cannot be detected. It allows interception of voice and text. It also allows voice manipulation, up or down channel blocking, text intercept and modification, calling and sending text on behalf of the user, and directional finding of a user during random monitoring of calls."

VME Dominator is not the only 4G interceptor on the market. Martone Radio Technology also advertises 4G interception, and SS8 describes solutions for "Integrating Lawful Intercept into the Next Generation 4G LTE Network" (

pdf
). According to Goldsmith, "If you've been intercepted, in some cases it might show at the top that you've been forced from 4G down to 2G. But a decent interceptor won't show that.  It'll be set up to show you [falsely] that you're still on 4G. You'll think that you're on 4G, but you're actually being forced back to 2G."

Yet Ars Technica reported that law enforcement agencies are trying to come up with the funds to upgrade their "stingray" cellular surveillance systems before 2G and their ability to unconstitutionally spy on people becomes obsolete. AT&T, for example, will shut down its 2G network in 2017, but Verizon's network will support 2G until the "end of the decade."

Although it will be a long time before cell phones no longer support 2G, Johnny Law is working on upgrading Harris Corporation "Stingray" systems, with "Hailstorm," to support 4G LTE interception. The News Tribune in Tacoma reported on a March 2014 purchase order from the DEA, which stated, "The Hailstorm upgrade is necessary for the Stingray system to track 4G LTE phones."

According to Ars Technica, the Oakland Police Department, Fremont Police Department, and the Alameda County District Attorney joined forces by applying for a DHS grant to pay for the Hailstorm upgrade. "The entire upgrade will cost $460,000--including $205,000 in total Homeland Security grant money, and $50,000 from the Oakland Police Department (OPD)." In theory, more documents are being gathered and will be released this month by the Alameda County DA's office.

While the FCC seems to have known about cellular network vulnerabilities that stingrays exploit, last month it established a "task force" to investigate the "illicit and unauthorized use" use of stingrays. Instead of investigating law enforcement's use of such interceptors, the FCC "plans to study the extent to which criminal gangs and foreign intelligence services are using the devices against Americans." The FCC also refused the ACLU's FOIA request for stingray documents.

Meanwhile innocent Americans may be subjected to the "invasive surveillance technology" without ever knowing it is happening. ACLU technologist Christopher Soghoian said of stingray surveillance, "They are essentially searching the homes of innocent Americans to find one phone used by one person. It's like they're kicking down the doors of 50 homes and searching 50 homes because they don't know where the bad guy is."

If the framers of the Constitution could see how technology is being used against us, they would roll over in their graves.

This story, "Are your calls being intercepted? 17 fake cell towers discovered in one month" was originally published by Computerworld.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies