The Department of Homeland Security says it has seen activity in Washington, D.C., of what appear to be rogue surveillance devices that could be used to hijack cellphones, listen to calls and read texts.
But it says it’s not able to actually track down where they are, because that would require more funding.
It’s not clear who is deploying the unauthorized devices, which are known as IMSI catchers or Stingrays and may legally be sold only to public safety and law enforcement officials. The agency has previously warned that the devices could be used by hackers, criminals and spies to gather information.
This is believed to be the first time the U.S. government has publicly acknowledged the devices in Washington, according to The Associated Press.
In response to a query from Oregon Sen. Ron Wyden, DHS said that it has “observed anomalous activity in the National capital Region (NCR) that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.”
The agency added that it believes “the malicious use of IMSI catchers is a real and growing risk.” Wyden wrote to DHS in November asking for information about the use of IMSI catchers by foreign intelligence agencies.
The devices, which can be as small as a suitcase, work by mimicking actual cell towers. NPR’s L. Carol Ritchie explains:
“IMSI catchers trick cellphones into thinking they’re connected, as normal, to a network like Verizon or AT&T. But the devices hijack the phone’s signal, and in some cases, intercept the contents of calls and texts. The IMSI catchers take advantage of a vulnerability built into the system. Phones using 3G or 4G technology can authenticate cell towers, but phones on older 2G systems cannot tell between real and fake towers.”
DHS also said that it was “aware of anomalous activity” outside of D.C. that “appears to be consistent with IMSI catchers,” though it isn’t able to pinpoint the activity to “specific entities or devices.” The letter also stated that the “use of IMSI catchers by foreign governments may threaten U.S. national and economic security.”
It’s not clear that anything has been done about this, aside from DHS reporting its findings to “federal partners.”
DHS told Wyden that it is “not aware of any current DHS technical capability to detect IMSI catchers.” That would require more funding, it said.
But companies who make the devices have for years been putting out maps that suggest a significant presence of the surveillance equipment in Washington.
For example, as Carol reported, a marketing executive from the company CryptoPhone drove around Washington looking for IMSI catchers in 2014 – and he says he found 18 in less than two days.
That map, released by The Washington Post, showed areas of surveillance clustered around government buildings such as the Capitol and the White House. It’s worth noting that “some security experts are skeptical that the CryptoPhone can pinpoint with accuracy the location of the IMSI catchers,” Carol reported.
According to the AP, “the Federal Communications Commission, which regulates the nation’s airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly.”
Wyden said in a statement that the FCC has not held phone companies accountable “despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers.”