A Department of Homeland Security program discovered evidence of the surveillance devices, called IMSI catchers, as part of federal testing last year, according to a letter from DHS to Sen. Ron Wyden (D-Ore.) on May 22. The letter didn't specify what entity operated the devices and left open the possibility that there could be alternative explanations for the suspicious cellular signals collected by the federal testing program last year.
The discovery bolsters years of independent research suggesting that foreign intelligence agencies use sophisticated interception technology to spy on officials working within the hub of federal power in the nation’s capital. Experts in surveillance technology say that IMSI catchers — sometimes known by one popular brand name, StingRay — are a standard part of the tool kit for many foreign intelligence services, including for such geopolitical rivals as Russia and China.
A DHS spokesman confirmed the contents of the letter to Wyden but declined further comment.
"This admission from DHS bolsters my concern about stingrays and other spying devices being used to spy on Americans’ phones," Wyden said in a statement on Thursday. "Given the reports of rogue spying devices being identified near the White House and other government facilities, I fear that foreign intelligence services could target the president and other senior officials."
The DHS letter came in response to a meeting last month in which Wyden pushed for a more aggressive federal response to cellular system insecurity. IMSI catchers are widely used by local, state and federal police, as well as foreign intelligence agencies.
The devices work by simulating cell towers to trick nearby phones into connecting, allowing the IMSI catchers to collect calls, texts and data streams. Unlike some other forms of cellphone interception, IMSI catchers must be near targeted devices to work.
When they are in range, IMSI catchers also can deliver malicious software to targeted devices for the purpose of stealing information stored on them or conducting longer-term monitoring of communications.
The same May 22 letter revealed that DHS was aware of reports that a global cellular network messaging system, called SS7, was being used to spy on Americans through their cellphones. Such surveillance, which can intercept calls and locate cellphones from anywhere in the world, is sometimes used in conjunction with IMSI catchers.
ESD America, a defense and law enforcement technology contractor based in Las Vegas, has reported detecting IMSI catchers throughout the Washington area while conducting testing for private clients.
The company, which said it has federal contracts, declined to comment on work it has done for the U.S. government but said in a statement, “ESD America has several corporate and foreign government clients whom we have assisted in the detection of potential IMSI Catcher operation across many cities including Washington, D.C.”
In the tests that ESD conducted for private clients, which took place over the past three years, the company said it had detected signs of IMSI catchers near the White House, the FBI headquarters, the Senate, the Pentagon, the Russian Embassy and along the collection of other foreign embassies in an area known as Embassy Row in Northwest Washington.
The Washington area’s dense collection of U.S. officials and sensitive facilities makes it prime real estate for cellular interception, experts say.
“For any large intelligence agency, the United States, especially now, is a high-value target,” said Thomas Rid, a political-science professor at the Johns Hopkins School of Advanced International Studies. “They get paid to go after high-value targets. It’s their job. … It’s a complete no-brainer.”
The letter said DHS officials, during a pilot program last year, “did observe anomalous activity that appeared consistent with IMSI catcher technology” within the Washington area, including near the White House. It cautioned that DHS “has neither validated nor attributed such activity to specific entities, devices or purposes” and said that some of the suspicious signals may have been “emanating from legitimate cell towers.”
Experts on cellular interception say that various IMSI catchers have distinctive designs, making it clear from the resulting cellular signals and behavior whether they were made by U.S. companies or by manufacturers in other countries.
Civil liberties groups have long warned that IMSI catchers are used with few limits by U.S. authorities, who collect calls, texts and other data from innocent bystanders as they conduct surveillance on criminal suspects or other legitimate targets. Increasingly, though, critics have sought to portray the technology as posing threats to national security because foreign intelligence services use them on Americans, both while in the United States and abroad.
"This is a huge concern from a national security perspective," said Laura Moy, deputy director of Georgetown Law's Center on Privacy and Technology. "People have been warning for years … that these devices were used by foreign agents operating on American soil."
The surveillance devices are hard to counteract, although encrypted calling and messaging apps — such as Signal, WhatsApp or Apple's FaceTime — provide protection against IMSI catchers. Some experts advocate wider deployment of such encrypted communication tools within the U.S. government, along with a move away from traditional cellular calling and texting.
Wyden and others also have called on the Federal Communications Commission, which along with DHS oversees the security of U.S. cellular networks, to institute stronger protections against IMSI catchers, including possible technical fixes that cellular carriers or devicemakers could implement to resist surveillance.
The FCC said in response to questions about the discovery of IMSI catchers in Washington: "We continue to monitor reports of the use of IMSI devices and to coordinate closely with our counterparts at DHS, DOJ, and the FBI. The FCC strenuously enforces its rules against the unauthorized use of licensed radio spectrum and harmful interference with licensed users of the airwaves."
Correction: The IMSI testing that took place over three years was conducted by ESD America for private clients. A previous version of this story said incorrectly that DHS conducted the tests. DHS commissioned separate tests during 2017.