Thanks to the advent of cell phones, tablets and smart cars, Americans are increasingly reliant on wireless services and products. Yet despite digital technology advancements, security and privacy safeguards for consumers have not kept pace.
On June 27, the Committee on Science, Space and Technology’s Subcommittee on Oversight of the 115th U.S. Congress convened a hearing to consider communications security and privacy in an increasingly wireless landscape.
Among the testifying witnesses was Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University’s Woodrow Wilson School of Public and International Affairs. Mayer recently served as chief technologist of the Federal Communications Commission Enforcement Bureau, and he joined the Princeton faculty in March 2018.
In his opening statement, Chairman Ralph Abraham (R-La.) described the threat posed by cell-site simulators. These rogue cellular towers, often dubbed “IMSI catchers,” “Stingrays,” or “Dirtboxes,” can intercept cellular calls, texts, and data as well as track cell phones. Like many technologies, these cell-site simulators can be used lawfully — but they can also be abused by criminals and foreign intelligence services.
“Historically, the use of IMSI catcher technology has been limited to law enforcement, defense and intelligence services,” Abraham said. “However, as sophisticated technologies have become more commonplace and advances in manufacturing have made the production of highly technical products easier and cheaper, IMSI catcher technology and nefarious actors looking to exploit it have proliferated.”
In response, Mayer stressed that Congress should take immediate action to address threats caused by cell-site simulators by “ensuring that, when Congress spends about a billion taxpayer dollars on wireless services and devices each year, it procures services and devices that implement cybersecurity best practices.”
At Princeton, Mayer studies the intersection of technology, law, and public policy. In his testimony, he explained how cell-site simulators function, what information they can obtain, and how foreign intelligence services could use these devices to conduct espionage against America’s businesses and government institutions.
Cell-site simulators mimic legitimate cellular towers, tricking nearby mobile devices into connecting to them and then using the connection to intercept or block voice, text, and data communication. The greatest risks are associated with second-generation or “2G” wireless protocols, which don’t include authentication for cellular towers.
Cell-site simulators can attack a mobile device in a number of ways, Mayer explained. An attacker might force a phone to downgrade the cellular connection to 2G, enabling complete control of the connection. Alternatively, a cell-site simulator could pose as a miniature “femtocell” cell tower — a small cellular base station typically used in homes or small businesses — or as a roaming network partner. Cell phones would automatically connect, allowing for eavesdropping and location tracking.
“The possible criminal uses of cell-site simulators are limited only by our collective imagination,” Mayer said. “For example, by intercepting wireless communications, criminals could capture private financial information and steal funds; they could collect sensitive medical information and conduct blackmail; or they could obtain confidential business information for commercial gain.”
Cell-site simulators vary greatly in cost, range and capability, and are most often used by law enforcement agencies. The federal government currently owns more than 400 cell-site simulators, and at least 73 state and local law enforcement agencies also own the devices. They are commonly used to track the location of a criminal suspect or to identify all the phones in an area.
Mayer highlighted that police departments appear to violate federal law when they operate cell-site simulators, because they are transmitting on exclusively licensed cellular frequencies. “I believe that cell-site simulators are legitimate investigative tools, and they should be available,” Mayer said. “But, until Congress takes action, the nation’s police departments will remain in legal limbo. I encourage Congress to consider legislation that resolves these issues.”
Mayer also touched upon other vulnerabilities in the nation’s wireless infrastructure that threaten privacy and safety. These include Signaling System 7 (SS7) and Diameter, which allow users to connect to foreign carriers while traveling; mobile device security updates, which are often too late to protect users; and caller ID, which criminals can use for “robocall” schemes and other frauds.
Congress can and should address these pervasive issues by conditioning federal wireless expenditures on stronger cybersecurity practices, Mayer explained in his testimony.
He said wireless carriers should be required to undergo routine audits and deploy commercially available firewalls, filters and network monitoring to defend SS7 and Diameter systems. Carriers, operating system vendors, and device manufacturers should implement defenses against 2G cell-site simulators and should commit to maintaining mobile devices with prompt security updates for a certain amount of time after sale. Carriers should also commit to a near-term rollout of authenticated caller ID, with a specific timeline for adoption.
In addition to Mayer, the witnesses included:
- Charles H. Romine, director, Information Technology Laboratory, NIST
- Charles Clancy, director, Hume Center for National Security and Technology, Virginia Tech
View the full hearing, “Bolstering Data Privacy and Mobile Security: An Assessment of IMSI Catcher Threats,” and Mayer’s testimony.