SoylentNews is people

posted by LaminatorX on Thursday September 18 2014, @06:33PM
from the sigint dept.

The Russian Embassy, White House, Supreme Court, and other landmarks have some nosy neighbors, claims the maker of an ultrasecure mobile phone.

Continuing a sort of cross-country tour to detect phony cell towers, also known as interceptors or IMSI catchers, researchers associated with the security firm ESD America have detected 15 of the covert devices in Washington D.C., plus three more in nearby Virginia.

The company used their ultrasecure CryptoPhone 500 to search for the interceptors, which can compromise phones through baseband hardware and are believed to have a range of roughly 1 mile. ESD America's phones allegedly detected telltale signs of call interception in the vicinity of the White House, the Russian Embassy, the Supreme Court, the Department of Commerce, and the Russell Senate Office Building, among other landmark buildings.

Les Goldsmith, ESD America's CEO ( http://esdamerica.com/ ), stresses that he can't be sure who runs these surveillance devices. But he points out that the U.S. government already has the ability to listen to or track calls through domestic networks, thanks to the 1994 Communications Assistance for Law Enforcement Act (CALEA). “The U.S. government can listen to calls without deploying interceptors on the street,” says Goldsmith. “That’s why I think these are from foreign governments.”

http://www.popsci.com/article/gadgets/washington-dc-littered-phony-cell-towers

[Editor's note: see also our earlier story: Secure Android Phone Finds 'Fake' Cellphone Towers in U.S.]

Related Stories

Secure Android Phone Finds 'Fake' Cellphone Towers in U.S. 31 comments

WeLiveSecurity is reporting on mystery cellphone towers found in the U.S. near military bases. Not only is it unknown who these towers belong to (though we can surely speculate with a high degree of accuracy given the context) but the real concern comes from these towers launching wireless attacks on cellphones. The existence of these towers has been discovered by ESD, the makers of a secure Android phone.

Despite its secure OS, Les Goldsmith of the handset’s US manufacturer ESD found that his personal Android security handset’s firewall showed signs of attack “80 to 90” times per hour.

The leaks were traced to the mysterious towers. Despite having some of the functions of normal cellphone towers, Goldsmith says their function is rather different. He describes them as “interceptors” and says that various models can eavesdrop and even push spyware to devices. Normal cellphones cannot detect them – only specialized hardware such as ESD’s Android security handsets.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith.  “Whose interceptor is it?  Who are they, that’s listening to calls around military bases?  The point is: we don’t really know whose they are.”

This discussion has been archived. No new comments can be posted.
  • (Score: 4, Interesting) by Tork on Thursday September 18 2014, @06:43PM

    by Tork (3914) Subscriber Badge on Thursday September 18 2014, @06:43PM (#95125)

    I wonder how long before people start flooding gov't monitored systems with noise that sounds like something interesting but is really just garbage. A while ago I was tinkering with the idea of writing a script that'd take my emails* and randomly replace some words in it with other words in the dictionary, leaving something that, to a computer, would appear intelligible, but useless to a human. Instead of sending one email, send a hundred similar but incorrect messages. The trick I haven't worked out is figuring out how to get the intended recipient to find the one un-garbaged message.

    * Yes, I know we're talking about voice communications. A similar technique may be applicable, however.

    --
    🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by LaminatorX on Thursday September 18 2014, @06:48PM

      by LaminatorX (14) <reversethis-{moc ... ta} {xrotanimal}> on Thursday September 18 2014, @06:48PM (#95129)

      As a friend in the business once said to me, "This new Bush CD is the bomb."

    • (Score: 2, Interesting) by basicbasicbasic on Thursday September 18 2014, @06:54PM

      by basicbasicbasic (411) on Thursday September 18 2014, @06:54PM (#95136)

      The trick I haven't worked out is figuring out how to get the intended recipient to find the one un-garbaged message.

      Spam Steganography! Send out thousands of emails to thousands of different addresses to disguise the one email you are sending to the intended recipient.

      • (Score: 1) by Tork on Thursday September 18 2014, @06:59PM

        by Tork (3914) Subscriber Badge on Thursday September 18 2014, @06:59PM (#95142)

        Nah, that's not what I'm describing, and it wouldn't work for the same reason the 'metadata' the NSA claimed they were only capturing was valuable to them.

        On a side note: Imagine the fun Google'd have trying to mine your inbox for ads.

        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈
        • (Score: 1) by basicbasicbasic on Thursday September 18 2014, @07:00PM

          by basicbasicbasic (411) on Thursday September 18 2014, @07:00PM (#95143)

          I know it's not what you described. It's better. It obfuscates the metadata as well as the content.

      • (Score: 2) by bob_super on Thursday September 18 2014, @08:05PM

        by bob_super (1357) on Thursday September 18 2014, @08:05PM (#95178)
    • (Score: 2) by opinionated_science on Thursday September 18 2014, @07:01PM

      by opinionated_science (4031) on Thursday September 18 2014, @07:01PM (#95145)

      Steganography 101: Generate a DVD's worth of random bits. From some true random source. Copy it and give to a friend. Run everything through an XOR mask and pad to standard length, and you will probably not be spied on, well, more than normal! For text, this could last a very long time. If you only use it for one person, you don't even need a reference pointer, though probably a good idea e.g. "start on byte 140405", and padding will hide your real length.

      Of course, this is why they invented PGP and you can use GPG!!
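
The scheme in the comment above is a one-time pad with a cleartext offset pointer and fixed-length padding. As an added example (not part of the original comment), this sketch shows the bookkeeping that keeps it safe: pad bytes are never reused and the real length stays hidden. The `PadBook` class, the 256-byte block size and the 8-byte offset header are assumptions made for illustration.

```python
import secrets
import struct

BLOCK = 256  # assumed "standard length": every message is sent as one 256-byte block

class PadBook:
    """One party's copy of the shared pad, used for one direction of traffic."""

    def __init__(self, pad: bytes):
        self.pad = pad
        self.next_offset = 0  # first pad byte that has never been used

    def _mask(self, offset: int, data: bytes) -> bytes:
        chunk = self.pad[offset:offset + BLOCK]
        if len(chunk) < BLOCK:
            raise ValueError("pad exhausted: exchange a new pad, never wrap around")
        return bytes(a ^ b for a, b in zip(data, chunk))

    def encrypt(self, message: bytes) -> bytes:
        if len(message) > BLOCK - 2:
            raise ValueError("message too long for one block")
        # The real length travels inside the masked block, so frames look identical in size.
        block = (struct.pack(">H", len(message)) + message).ljust(BLOCK, b"\x00")
        offset = self.next_offset
        masked = self._mask(offset, block)
        self.next_offset = offset + BLOCK  # these pad bytes are now spent
        return struct.pack(">Q", offset) + masked  # cleartext "reference pointer"

    def decrypt(self, frame: bytes) -> bytes:
        if len(frame) != 8 + BLOCK:
            raise ValueError("malformed frame")
        (offset,) = struct.unpack(">Q", frame[:8])
        if offset < self.next_offset:
            raise ValueError("offset already consumed: replay or pad reuse")
        block = self._mask(offset, frame[8:])
        (length,) = struct.unpack(">H", block[:2])
        if length > BLOCK - 2:
            raise ValueError("corrupt length field")
        self.next_offset = offset + BLOCK
        return block[2:2 + length]

def demo():
    # Constructed sample pad: the OS CSPRNG stands in for the comment's
    # "true random source", and 4 blocks stand in for a DVD's worth of bits.
    pad = secrets.token_bytes(4 * BLOCK)
    alice, bob = PadBook(pad), PadBook(pad)
    first = alice.encrypt(b"lunch at noon")
    second = alice.encrypt(b"ok")
    return first, second, bob.decrypt(first), bob.decrypt(second), bob
```

XOR masking provides no integrity, so each frame would also need to be authenticated before the decrypted text is trusted. If both friends send, each direction needs its own non-overlapping region of the pad.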

      • (Score: 3, Insightful) by Tork on Thursday September 18 2014, @07:42PM

        by Tork (3914) Subscriber Badge on Thursday September 18 2014, @07:42PM (#95170)
        Encryption is detectable and will, just by virtue of using it, raise flags.
        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by MrGuy on Thursday September 18 2014, @07:16PM

      by MrGuy (1007) on Thursday September 18 2014, @07:16PM (#95153)

      Which is great, until your random noise generator accidentally puts together a series of words that are seen as a threat, and you wind up in a small windowless room with some splainin' to do.

      Why not use PGP? Or, write your e-mail in a text editor and print to a PDF, rather than include text? What's the benefit to you of putting "noise" in someone's theoretical data set? This feels like a lot of effort for a fairly small "benefit" of stickin' it to the man...

      • (Score: 3, Insightful) by deimtee on Friday September 19 2014, @12:11AM

        by deimtee (3272) on Friday September 19 2014, @12:11AM (#95293) Journal

        If you're using a PDF don't forget to put in a background image and then rasterize the whole thing. No point making it easy for machines to read.

        --
        If you cough while drinking cheap red wine it really cleans out your sinuses.
    • (Score: 2) by Tork on Thursday September 18 2014, @07:20PM

      by Tork (3914) Subscriber Badge on Thursday September 18 2014, @07:20PM (#95155)
      Why were both my posts modded down?
      --
      🏳️‍🌈 Proud Ally 🏳️‍🌈
      • (Score: 3, Interesting) by morgauxo on Thursday September 18 2014, @08:17PM

        by morgauxo (2082) on Thursday September 18 2014, @08:17PM (#95182)

        No idea. I've noticed that today though. Lots of posts modded down for no obvious reason.

        • (Score: -1, Troll) by Anonymous Coward on Thursday September 18 2014, @10:54PM

          by Anonymous Coward on Thursday September 18 2014, @10:54PM (#95266)

          When I moderate I do it randomly!

  • (Score: 5, Interesting) by Anonymous Coward on Thursday September 18 2014, @06:47PM

    by Anonymous Coward on Thursday September 18 2014, @06:47PM (#95127)

    I think it was Schneier who wrote a column a few weeks ago about how law enforcement's use of "stingray" interceptors degrades security for everyone because stingray works by exploiting security vulnerabilities. That means the government has a perverse incentive in keeping the systems vulnerable rather than getting them fixed. But there is no way the government can stop anyone else from exploiting those same vulnerabilities, which this story suggests is now a rampant problem even for the government.

    • (Score: 2) by SlimmPickens on Thursday September 18 2014, @07:24PM

      by SlimmPickens (1056) on Thursday September 18 2014, @07:24PM (#95159)

      This is what's wrong with the entire security apparatus.

      Never mind that all this "security" is to deal with threats largely of our own making.

  • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @06:56PM

    by Anonymous Coward on Thursday September 18 2014, @06:56PM (#95137)

    When I lived in Washington DC a long time ago, before hardly anyone was using a mobile phone or the Internet, I noticed radio antennae conspicuously propped up over a boys' school across the street from the Soviet embassy.

    Anybody who works at a foreign embassy anywhere in the world probably gets trained to think that all of their telecommunication and data traffic will probably be monitored by the host country. Well, maybe not in Aruba.

  • (Score: 4, Insightful) by MrGuy on Thursday September 18 2014, @07:22PM

    by MrGuy (1007) on Thursday September 18 2014, @07:22PM (#95157)

    “The U.S. government can listen to calls without deploying interceptors on the street,” says Goldsmith. “That’s why I think these are from foreign governments.”

    First, under CALEA it's possible for the government to listen on certain calls under certain circumstances - CALEA isn't a blanket wiretap order for every phone conversation (no matter how much the Feds try to stretch it).

    Second, there are layers of law enforcement that are NOT the U.S. Government that don't have the same access, EVEN IF it were true CALEA was a blanket wiretap order. There's a reason there's a market for the Stingray device, and it's not "local governments are dumb and don't realize they already can do that."

    Third, there are groups within the US Government (hello, Three Letter Acronyms!) that might want to listen in on certain calls without necessarily leaving a record, which is yet another plausible avenue for this.

    Don't get me wrong - I think non-US governments want to do intelligence in the US, and this is certainly a tool they could (and probably do) use. But the assertion that "this is probably foreign intel gathering!" isn't terribly well supported.

    • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @11:47PM

      by Anonymous Coward on Thursday September 18 2014, @11:47PM (#95284)

      Interestingly enough the Defense Mapping Agency used to be located almost exactly where one of those fake towers is located on the map. It is possible that they are still there but the buildings were gutted and rebuilt within the past several years. So who knows what is in there now. The tower I reference is the one just east of Dulles Airport on the first map in the PopSci article. The one farther east of that on the GW Parkway is real close to CIA headquarters.

    • (Score: 2) by stormwyrm on Friday September 19 2014, @05:19AM

      by stormwyrm (717) on Friday September 19 2014, @05:19AM (#95358) Journal

      Indeed. The nice thing about using one of these interceptors is that the user has no accountability to anyone. CALEA on the other hand requires the agency wanting to listen in to get warrants and things like that, leaving behind a trail of accountability. The FBI for instance would need to explain to a judge somewhere why they need to listen in on Mr. John Doe's cellular communications to satisfy CALEA. I suppose this is one reason why until now over-the-air encryption for cellular communications is in general still of questionable security. A5/1 is still in wide use, and it's long been known to be easily breakable, and the Kasumi and Snow ciphers used in the newer 3G and LTE standards don't exactly inspire the same level of confidence that even AES does.

      Certainly intelligence agencies of non-US governments would want to make use of the same technology to listen in, and most likely they form a certain percentage of the interceptors in Washington DC, but the fact that there is a legal route for some US agencies to listen in on cellular traffic does not mean that all of the interceptors must necessarily be foreign. The NSA could be setting up their own such systems in accordance with their "grab everything, let the computers sort it out" policy of blanket surveillance.

      --
      Numquam ponenda est pluralitas sine necessitate.
  • (Score: 3, Interesting) by _NSAKEY on Thursday September 18 2014, @07:57PM

    by _NSAKEY (16) on Thursday September 18 2014, @07:57PM (#95176)

    China is having trouble with fake towers being used for SMS-based phishing scams [theverge.com]. Subtract the for-profit motive and add nation state actors in its place and you have a recipe for disaster. With AT&T's plan to shut down its 2G network in the U.S. in 2017 [cepro.com] (with other providers apparently dragging their feet), there's still a pretty big window of time for these attacks to still be useful to anyone who happens to be doing them.

  • (Score: 2) by Leebert on Thursday September 18 2014, @09:35PM

    by Leebert (3511) on Thursday September 18 2014, @09:35PM (#95221)

    As a person who works in DC, this is nice, as long as they provide reasonably fast 4G service. I encrypt everything anyhow, and we can never have enough 4G coverage. ;)

    • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @09:40PM

      by Anonymous Coward on Thursday September 18 2014, @09:40PM (#95224)

      I'm pretty sure you can't encrypt SMS and phone calls.

      The other half of this is that it is relatively easy to download a trojan to the baseband processor on a phone, if you control the cell tower. The baseband processor generally has full access to system memory so it can bypass all security in the regular operating system.

      • (Score: 2) by Leebert on Thursday September 18 2014, @09:54PM

        by Leebert (3511) on Thursday September 18 2014, @09:54PM (#95234)

        Fair point, but I already consider SMS, voice, iMessage, and similar services to be swiss cheese anyway. I was more thinking of my 4G hotspot.

      • (Score: 3, Interesting) by arslan on Thursday September 18 2014, @11:01PM

        by arslan (3462) on Thursday September 18 2014, @11:01PM (#95267)

        Actually you can encrypt SMS at the application level. I did this a long time ago using MIDP with Bouncy Castle as a POC for some clients - this was before we had smartphones. There are limitations, one being the length of the SMS message depending on your carrier, but there are ways around it. I'm not at all familiar with the U.S. carriers so I can't comment on that.

        All communicating parties will have to have the app though and SMS through it and have to exchange keys through other channels.

        The POC I wrote was using PKCS5 to prompt for the passphrase, which is never kept on the phone.