Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Unknown individuals or groups are illegally operating IMSI catchers in Washington, DC, according to Department of Homeland Security official Christopher Krebs.
  • Mitigations for the vulnerability which these devices rely on are included in the 5G mobile network specification.

Unknown individuals or groups are operating IMSI catchers–otherwise popularly known as Stingrays, after the popular model sold by defense contractor Harris Corporation–in the Washington, DC metro area. This revelation came about following the publication last week of a letter by Department of Homeland Security (DHS) official Christopher Krebs, in which he indicated that his organization “has observed anomalous activity in the National Capital Region (NCR) that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.”

Krebs’ letter was a response to Senator Ron Wyden, who inquired last November about whether or not evidence exists indicating that foreign intelligence services were using the technology within the United States. Wyden’s inquiry (correctly) characterized IMSI catchers as devices that “impersonate cell phone towers to locate and identify nearby phones and to intercept calls and text messages covertly.”

Further, a task force was established by the FCC in 2014 following reports by security researchers that IMSI catchers were being used around DC, as reported by the Washington Post at the time, though no further statements about the issue have been made since that time.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

Now, House Representatives Eliot Engel, Frank Pallone, and Bennie Thompson, the ranking members of the Foreign Affairs, Energy & Commerce, and Homeland Security committees respectively, are demanding answers of the FCC.

In a letter to FCC Chairman Ajit Pai, the trio noted that “With no apparent evidence that these recently revealed unauthorized cell-site simulators are operating with an FCC license, it would seem the FCC need only to enforce the law to stop this foreign intelligence gathering.”

The use of IMSI catchers by law enforcement is itself a matter of concern. While the technology has been available to the FBI since the mid-1990s, only in 2015 did the Justice Department issue guidelines requiring federal agents to obtain a warrant before using the devices.

In principle, the technology works due to an oversight in the design of GSM standards, which require a device to authenticate to the network, but do not require networks to authenticate to devices. This allows IMSI catchers to impersonate base stations, and capture the IMSI IDs of devices within range of the catcher. Such devices are also capable of forcing phones to use no encryption during calls, or using easily breakable encryption, allowing the IMSI catcher operator to listen in.

It should be noted that 3G and 4G standards have introduced mitigations to this flaw, requiring mutual authentication, though advanced attacks are capable of forcing phones to communicate with the IMSI catcher in 2G mode, overriding these mitigations.

Further mitigations for this vulnerability are included in new 5G mobile network standards. The 5G standard will include both a Subscription Permanent Identifier (SUPI) and Subscription Concealed Identifier (SUCI). According to reporting by ZDNet’s David Meyer, the SUPI is “encrypted using the network operator’s public key,” which will allow phones to ensure that the network they are connecting to is genuine. This could put business travelers at ease in areas like DC, as they could be more confident that their sensitive conversations weren’t being snooped on.