As a black sedan pulled into downtown Washington traffic earlier this week, a man in the back seat with a specially outfitted smartphone in each hand was watching for signs of surveillance in action. “Whoa, we’ve just been hit twice on this block,” he said, excitement rising in his voice, not far from FBI headquarters.
Then as the car passed the Federal Trade Commission’s limestone edifice, “Okay, we just got probed.” Then again, just a few minutes later, as the car moved between the Supreme Court and the Capitol, he said, “That’s the beginning of an interception.”
The man was Aaron Turner, chief executive of Integricell, a mobile security company. The specially outfitted smartphones, he said, are designed to act like high-tech divining rods that warn users of suspicious mobile activity, potentially indicating surveillance equipment used by police, intelligence agencies and others to track people and snoop on their calls.
Known as IMSI catchers, for the unique identifying phone code called an IMSI, the surveillance devices trick mobile phones into thinking they have logged onto legitimate cell networks, such as Verizon or AT&T, when in fact the signals have been hijacked.
For years, researchers have warned of the growing prevalence of the equipment, and Turner said the spygear is rife throughout the Washington area.
How rife? Turner and his colleagues assert that their specially outfitted smartphone, called the GSMK CryptoPhone, had detected signs of as many as 18 IMSI catchers in less than two days of driving through the region. A map of these locations, released Wednesday afternoon, looks like a primer on the geography of Washington power, with the surveillance devices reportedly near the White House, the Capitol, foreign embassies and the cluster of federal contractors near Dulles International Airport.
“I think there’s even more here,” said Les Goldsmith, chief executive of ESD America, a technology company that is working with Integricell to promote the CryptoPhone. “That was just us driving around for a day and a half.”
Security experts have warned that some of the claims about CryptoPhone may be overblown as the company rides a surge in publicity and business in the aftermath of last year’s revelations by former National Security Agency contractor Edward Snowden. Few doubt the underlying technology, but several in recent days have questioned the ability of CryptoPhone to locate individual IMSI catchers with the precision its marketers claim.
“I would bet money that there are governments that are spying in D.C.,” said Christopher Soghoian, who is principal technologist for the American Civil Liberties Union and has written extensively on the use and abuse of IMSI catchers. “Whether you can detect that with a $3,000 device, I don’t know.”
As Goldsmith acknowledges, if there are indeed IMSI catchers in the locations his company reported on Wednesday, the CryptoPhone cannot easily determine whether they are deployed by the U.S. government, a local police force, a foreign intelligence agency or some other entity.
Experts say the most common users of IMSI catchers are law enforcement agencies, but such surveillance gear has become so affordable and common that many security experts believe that criminals are using them to spy on targets, including perhaps the police themselves. Reasonably skilled hobbyists can build an IMSI catcher, which typically consists of high-tech boxes with radio antennas, for less than $1,500. Goldsmith’s company also sells IMSI catchers to government agencies outside the United States.
The Federal Communications Commission is sufficiently concerned about IMSI catchers — which would be illegal to use without a search warrant or other legal authority — that this summer it formed a task force to study possible abuse by foreign governments or private individuals. It does not have authority, FCC officials say, over government use of this surveillance technology.
Goldsmith and Turner are looking to market CryptoPhones, at $3,500 apiece, to big businesses that might have reason to fear industrial espionage.
The quest for a device that can find IMSI catchers — often dubbed an “IMSI catcher-catcher” — has consumed researchers in recent years. Several are developing apps that would be free or inexpensive while providing some of the detection capabilities promised by the CryptoPhone.
Developed by a team of security researchers based in Germany, the CryptoPhone works by measuring three potential indicators of an IMSI catcher in action. The first notes when a phone shifts from a more-secure 3G network to a less-secure 2G one. The second detects when a phone connection strips away encryption, making interception easier. And the third reports when a cell tower fails to make available a list of other cell towers in the area; this is called a “neighbor’s list,” and it allows phones to easily switch between nearby towers. IMSI catchers typically don’t offer lists of alternatives because they seek to keep phones captured.
Each indicator is noted by the screen of the phone, with colors signifying its degree of confidence that an IMSI catcher is present. The most serious detections cause the CryptoPhone to flash a black warning box indicating that users should be particularly concerned about having their calls overheard at that moment — by police, spies or even powerful criminals.
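The three indicators and a graded confidence level can be sketched as detection logic over a stream of serving-cell observations. This is an added example, not CryptoPhone's code: the record fields, the 60-second correlation window, the level names and the sample observations are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

NULL_CIPHERS = {"A5/0", "UEA0"}   # GSM / UMTS "no encryption" algorithms
WINDOW_S = 60                     # assumed: a downgrade stays relevant this long
LEVELS = ("clear", "low", "elevated", "high")  # assumed mapping, by indicator count

@dataclass(frozen=True)
class Obs:
    t: int          # seconds since start of drive
    rat: str        # radio access technology: "3G" or "2G"
    cipher: str     # ciphering algorithm negotiated with the serving cell
    neighbors: int  # neighbor cells advertised by the serving cell

def scan(observations):
    """Return (t, sorted indicator names, level) for each observation."""
    results, prev, downgrade_at = [], None, None
    for o in observations:
        if prev and prev.rat == "3G" and o.rat == "2G":
            downgrade_at = o.t           # indicator 1: pushed from 3G to 2G
        if o.rat != "2G":
            downgrade_at = None          # back on 3G: downgrade no longer in effect
        hits = set()
        if downgrade_at is not None and o.t - downgrade_at <= WINDOW_S:
            hits.add("downgrade")
        if o.cipher in NULL_CIPHERS:     # indicator 2: encryption stripped
            hits.add("no_encryption")
        if o.neighbors == 0:             # indicator 3: no neighbor list offered
            hits.add("no_neighbor_list")
        results.append((o.t, sorted(hits), LEVELS[len(hits)]))
        prev = o
    return results

# Constructed observations, not real measurements.
SAMPLE = [
    Obs(0,   "3G", "UEA1", 6),
    Obs(30,  "2G", "A5/1", 5),   # downgrade only
    Obs(50,  "2G", "A5/0", 0),   # all three within the window
    Obs(120, "2G", "A5/1", 4),   # window expired, ordinary 2G cell
    Obs(150, "3G", "UEA1", 0),   # missing neighbor list on its own
]

if __name__ == "__main__":
    for t, hits, level in scan(SAMPLE):
        print(f"t={t:>3}s level={level:<8} {', '.join(hits) or '-'}")
```

A single indicator, such as the lone missing neighbor list at the end of the sample, stays at the lowest alert level, since each one also occurs on ordinary networks.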
“Their approach is definitely one of the best we could take, but I wouldn’t say it’s 100 percent conclusive,” said Ravishankar Borgaonkar, a telecommunications researcher at Technical University of Berlin who has also developed a free app that purports to do the same thing. “We only can see one side of the activity, not the other side.”
The CryptoPhones carried by Turner frequently reported one or two of the three indicators of suspicion as he drove Wednesday afternoon with several Washington Post journalists. But not once in the 90-minute drive were all three detected simultaneously. Experts in surveillance gear say that sometimes an IMSI catcher will simply “scrape” the data from nearby phones to determine their locations but not actually intercept the voice or data transmissions being made.
Researcher Adrian Dabrowski, a graduate student at the Vienna University of Technology who last month co-authored a paper on developing “IMSI catcher-catchers,” said that when all three indicators happen at the same time, there’s a very good chance that an IMSI catcher is responsible.
“There are rare occurrences when all these indicators are present without an IMSI catcher,” Dabrowski said. “But it’s a situation where you might say, ‘Let’s now be careful and not talk about sensitive things on the phone.’ It’s not a perfect indicator.”
He also warned that the makers of IMSI catchers will probably adapt their technology to defeat the new IMSI catcher-catchers, triggering “an arms race” in surveillance technology and the tools intended to defeat it.
Goldsmith said there has been a surge of interest in the CryptoPhone since an article in Popular Science purporting to reveal 17 IMSI catchers around the country triggered a rush of news coverage, including on Glenn Beck’s conservative talk show. The marketers intend to soon begin searching New York and Silicon Valley for IMSI catchers — and release those maps as well.
The company, said Goldsmith, has sold 30,000 CryptoPhones in the United States and 300,000 globally.
Among those interested in the technology, Goldsmith said, is the FCC, which already has met with the CryptoPhone’s marketers. He said its devices are more sophisticated than the commission’s own technology for finding IMSI catchers.
“If they can’t see the espionage, maybe they need more money and equipment to detect it,” Goldsmith said.
Soltani is an independent security researcher and consultant.