A series of fake cell phone towers designed to intercept user
has been discovered throughout the U.S., according to the magazine Popular Science. The organization behind the towers' construction and their purpose remain mysteries.
In addition to listening in on encrypted phone calls, the surveillance network is able to read SMS messages and record individuals' location data. Nineteen such towers have been discovered throughout the U.S. in the last week, Popular Science reported.
The phony towers were discovered by ESD America, the company that makes the Cryptophone 500, a customized Android handset that runs encryption software allowing it to identify when it is being hacked. According to ESD, eight interceptor towers were discovered by just driving between North Carolina and Florida. A tower has also been discovered at the South Point Casino in Las Vegas.
The towers, technically known as IMSI-catchers, work by exploiting the weak security in the antiquated 2G communication technology. The towers fake the credentials of a phone carrier's own towers, then trick the handset into connecting through them. Once connected, the towers force the phones to disable their encryption, allowing whoever has constructed the tower to eavesdrop on phone calls, text messages, and other data.
The phones do not alert users that their encryption has been deactivated. However, the fake towers force phones to slow down to 2G from 4G, so a sudden decrease in download speed may be a clue that a phone is being tapped.
Several of the interceptors have been constructed near U.S. military bases. Although it is impossible to say for certain who is behind the phone-tapping scheme, the federal National Security Agency is, perhaps ironically, an unlikely culprit. According to a VentureBeat report quoting Andrew Jaquith, CTO of security provider SilverSky, the NSA can listen to virtually any phone call it wants to by having the carrier tap the call.
Joseph Hall, chief technologist for the Center for Democracy and Technology, said the discovery of the surveillance network is a troubling development for privacy concerns.
"This is by definition surveillance, eavesdropping and in the case of content, wire-tapping," Hall told us in an e-mail. Use of that kind of technology represents "activities that are criminally illegal without a warrant from a judge or consent of the user."
Local police departments in several U.S. cities, on the other hand, have been using similar technology, known as "stingray" towers. Like the phony towers discovered by ESD, police in cities such as Oakland use stingray towers to eavesdrop on the phone calls of anyone connecting through a fake tower. What police departments are doing with the evidence gathered through the phone tapping is difficult to determine, since departments often conceal the use of stingray towers in court cases.
Attempts by the American Civil Liberties Union to gain access to stingray records in Florida have been blocked by a state judge, who allowed the records to be seized by U.S. marshals. Like the mysterious tower network, stingray towers also force handsets to switch to the less secure 2G protocol.
DEF CON Conference
The proof of concept for this type of attack dates to the DEF CON 2010 hacking conference in Las Vegas, where Chris Paget demonstrated how a fake cell phone tower could mimic a real one to secretly tap phone calls. Paget was able to build his device for only around $1,500, which would make the technology affordable to nearly any organization or individual.
The FCC announced an investigation in August on the use of such towers by criminal organizations and foreign intelligence services, although it has been aware of the vulnerability since at least Paget's 2010 demonstration.
"If the U.S. government is the source of these [IMSI-catchers], we expect an explanation," Hall said. "If not, we expect an investigation and for the FCC to include this development in their ongoing investigation."
Although ESD has only been able to verify the existence of 19 such towers so far, the company said on its Facebook page that that number is likely to prove only the tip of the iceberg. Enterprise IT departments and other organizations looking to secure their personnel's communications do have some options, but they are not cheap. ESD's CryptoPhone 500, for example, is priced around $3,500.