Late last month, federal officials in Washington issued a rare acknowledgement of one of the worst kept secrets inside the Beltway – the place is lousy with cellular spy gear. For one security professional in particular, the news from the nation’s capital came with more than just a disheartening sense of déjà vu.
Aaron Turner has been ringing the alarm over cellular interceptors and IMSI catchers for nearly a decade with varying degrees of success. While Turner admits some frustration at yet another breathless revelation about rogue cellular interlopers in Washington, he’s mildly encouraged by the opportunity to raise awareness of cellular vulnerabilities and the prospects for improving mobile security for all users, even on networks that were never designed to be very secure. “Any attention and any progress in this area is a good thing,” said Turner. “We need to move to an approach where everyone goes into this with eyes wide open saying, ‘I'm going to do what I need to do to protect myself even if my communications are intercepted and manipulated.’ Because for sure, they’re going to be.
“It's not like the Internet has ever been a safe and happy place where you can trust things. We just have to make sure that everyone understands that cellular networks are just an extension of that, and, in fact, have even more vulnerabilities that we need to think about as well.”
Turner is a former security strategist at Microsoft and the Idaho National Laboratory and president of IntegriCell, a consultancy specializing in security for enterprise and public sector mobile and Internet of Things (IoT) systems. He said the latest dustup over cellular eavesdropping in Washington is part of a regular cycle of political maneuvering among lawmakers, regulators and law enforcement, but that doesn’t make the issue less important to private citizens and business technology users.
Cellular Interception Redux
Last month, in response to a November 2017 request from Sen. Ron Wyden (D-Ore.), the Department of Homeland Security (DHS) acknowledged “anomalous activity … that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers,” in the nation’s capital.
“Use of IMSI catchers by malicious actors to track and monitor cellular users is unlawful and threatens the security of communications, resulting in safety, economic, and privacy risks,” wrote Christopher Krebs, head of DHS’ National Protection and Programs Directorate (NPPD). “Overall, NPPD believes the malicious use of IMSI catchers is a real and growing risk.”
The statement marked the first official acknowledgement from the feds that unauthorized IMSI catchers and cellular interceptors were at work in the U.S.
Quoting an anonymous DHS source, the Associated Press said NPPD detected the devices earlier this year during a three-month trial of counter-surveillance equipment from Las Vegas-based DHS contractor, ESD America, a firm Turner worked closely with in 2014 during the development of its IMSI catcher-detecting GSMK CryptoPhone.
IMSI catchers, commonly called StingRays after a particularly popular name-brand model made by Harris Corp., are the “fake news” providers of cellular communications. They broadcast irresistible-but-false signals mimicking legitimate cell phone towers, luring users off their official carrier networks long enough to capture identifying information about the phone’s location and how it is communicating. And that’s just the stock version. IMSI catchers and companion interceptors are often paired with other attack methods to thwart encryption, intercept data and communications, or act as a vector for malware delivery.
National intelligence and law enforcement agencies use the snooping devices to effectively, if indiscriminately, scoop up location data and other communications metadata from investigatory targets and anyone they associate with. That’s made IMSI catchers unpopular with privacy advocates who say the technology is often employed to harvest evidence and ensnare participants far beyond the scope of even the most liberal search warrant.
Foreign agents and other bad actors, meanwhile, favor StingRay-like units for both clandestine surveillance and more run-of-the-mill criminal mischief. From a security perspective, combining cellular interception with things like man-in-the-middle attacks that rely on certificate spoofing introduces many risks, from exposure of confidential data and intellectual property to the leaking of personal information and user credentials to common crooks, identity thieves, social engineers and corporate fraudsters.
In his response to Wyden, Krebs added that DHS currently lacks the funds for the hardware, software, and personnel necessary to detect most illicit IMSI catcher use in Washington.
“Leaving security to the phone companies has proven to be disastrous,” Wyden said in a statement issued earlier this week. The senior member of the Senate Select Committee on Intelligence complained that the Federal Communications Commission (FCC) failed to push cellular carriers to bolster their defenses “despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers.”
Indeed, there have been sporadic efforts by federal officials to address IMSI catchers since at least 2014. In response to news reports sparked in part by Turner’s work unearthing IMSI catchers in Washington, the FCC under then-Chairman Tom Wheeler commissioned a task force to root out unauthorized use of the devices without overtly acknowledging their presence – in Washington or anyplace else. The task force quietly came and went and accomplished little, Turner said.
Learning the Ropes
Turner’s experience and fascination with cellular shenanigans began in 2001 when, as a security strategist in Microsoft’s still budding infosec unit, he was sent to Washington to work with the Department of Justice to help implement the USA PATRIOT Act. His job was to figure out what data could lawfully be extracted from products like Hotmail in response to requests triggered by the anti-terrorism law.
“I worked with several groups who ran lawful intercepts in the cellular world and I got exposed to all of that technology,” he said. “I loved it. I mean, hey, I’m a geek. It was fun.”
By 2006, Turner was working at the Department of Energy’s Idaho National Laboratory, which had its own fully functioning wireless test range. Turner described the INL systems as “an interesting playground” with “lots of different problems in the confidentiality and integrity side of the cellular networks that I hadn’t thought about before.”
His work took him to places like Cyprus and the Caribbean – places with few laws against mobile intercepts – where he and his team were free to experiment with a variety of ways to capture and record wireless communications. “It was very intellectually stimulating,” he said.
Ultimately, Turner came around to the question of detecting and preventing the kinds of intercepts he spent so much effort helping to develop. Favoring individual sensors that could detect network anomalies’ and warn the user, he crafted an enterprise trial in 2014 with a large global company that involved arming travelling employees with intercept detectors.
“We just gathered information about the relative integrity of cellular networks as these employees travelled throughout the world,” said Turner.
The sensors made it into some 20 countries including Saudi Arabia, Dubai, China, even Iran. The place with the most hostile cellular environment?
“London. Specifically, the financial district. Down by the wharves. Brutal.”
In other places, such as Beirut, competing intelligence agencies created a cellular tug-of-war with such powerful intercept capabilities that legitimate network use was next to impossible. “People have to realize that the cellular airwaves are a digital warfare zone,” said Turner. “It’s a place where nation state operators play and do dirty tricks.”
Staring Down the Cellular Problem
Rather than be discouraged by the ubiquity of menace in the cellular environment, Turner said he’s arrived at what he feels is a sensible approach to risk mitigation. He’s quick to add that it’s not akin to Sen. Wyden’s tack of hammering away at regulators and network operators to crank up their defenses.
“This all traces back to a general security principle that when you architect a system for availability at all costs, you will suffer confidentiality and integrity problems,” Turner said. “That's what cellular networks have been designed to do, to be available at all cost.
“You’d have to fundamentally change the architecture of the cellular network to address this. We’re talking about tower upgrades, handset upgrades, software upgrades. There's a whole bunch of technical stuff needed.”
Such modifications are hindered on networks that must not only continue to be transparent and accessible for legitimate law enforcement and regulatory uses, but also continue to be functional for users still enamored of their 20-year-old Motorola flip-phones, he said.
“You have this very, very long legacy tail that you have to service,” said Turner. “Beyond that, carriers don’t want to get sideways with regulators or law enforcement in a business where margins are already tight. This is a function of business risk, for them.”
Turner does hold the carriers responsible for one key flaw, however. He blames them for perpetuating the false narrative of security where security never really existed.
“This is a perception the carriers built when they refused to acknowledge that their networks are cesspools, easily accessible by both law enforcement and unauthorized individuals,” he said. “It created a completely false expectation of privacy and security. And we’ve been left to deal with that.”
Cellular Defense at the Edge
The banner headlines about spies and snoops and cellular chicanery notwithstanding, the biggest problem for private users and enterprises with legions of corporate-owned or corporate-managed mobile devices is the cellular environment’s inherent vulnerability combined with the cryptographic Roots of Trust (RoT) shortcomings that exist in many common smartphones. Rather than making wholesale changes to the networks, Turner advocates hardening devices and adjusting mobile device management approaches to improve security posture.
“As far as mitigating the risk from cellular interceptors there is nothing that can be done. You are completely a slave to the network,” he said. “You deal with this by moving toward a zero-trust network architecture. You have to assume your mobile activity is going over a network that is fundamentally and inherently compromised. If you do not take steps to protect yourself you will be leaking credentials and leaking information.
“What you have to do is say, ‘Well, if the network is not to be trusted and the cryptographic ecosystem is blown, then I need to implement my enterprise apps with an alternate cryptographic infrastructure, like certificate pinning.’”
Turner’s advice in a nutshell: Patch your device, make sure it’s running the most up-to-date operating system, make sure you are using applications that leverage certificate pinning, do not trust RoT on the device, and perhaps most importantly, understand that when you talk on your phone or communicate via a text message, it can probably be heard or read by people you don’t know.
One thing Turner does not recommend is any of the numerous applications available in the app stores that claim to detect IMSI catchers and alert users to unusual network activity. “Too many false positives and way too many false negatives,” he said. “A good operator will know how to avoid detection by these things. They are toys, mostly. Interesting for research, but not practical as a control for end users.”
Truly robust cellular anomaly detection like the GSMK CryptoPhone is still much too expensive for most organizations and is rarely deployed outside select government agencies, he added.
As for what the future holds, Turner expects that spies will continue to spy, law enforcement and national security investigators will continue to examine cellular traffic as part of their work, and Moore’s Law will continue to make StingRay-like devices smaller, cheaper, and more readily available to organized criminals.
“I'm kind of cynical about what the future holds,” Turner said. “As we make our systems more complex, we necessarily inject more vulnerabilities into them. 5G networks have a ton of potential. The new distributed network will move at much higher speeds. It’s great.
“But it also has a lot of potential for badness because of this distributed nature,” he said. “It is what it is.”