Washington is nervous about cellphone spying. There's no doubt about that.
The problem is, no one knows quite what to do about it.
Recent reports that surveillance devices known as IMSI catchers are quietly operating near the White House and other sensitive locations have sent lawmakers fishing for solutions. But as a panel of cybersecurity experts indicated in a congressional hearing Wednesday, there's no easy way to detect the machines that malicious hackers and foreign snoops can use to secretly intercept calls and texts. In the meantime, everyone's communications could be vulnerable.
"While awareness is important, it is simply not enough to acknowledge an issue needs to be addressed," said Rep. Ralph Abraham, R-La., who chairs the House Science, Space and Technology Committee's oversight panel. "Instead, we must also gain an understanding of the technological nature and complexity of disruptive technologies like IMSI catchers to alleviate the challenges they present."
The devices, also known as cell site simulators or StingRays, trick nearby phones into connecting to them as if they were cell towers. In addition to intercepting communications, they can pinpoint a phone's location.
While law enforcement agencies across the country deploy them in criminal investigations, a recent Department of Homeland Security study found evidence that some have been operating near federal facilities across Washington, as my colleague Craig Timberg reported this month. While DHS did not determine where they came from, the revelation added to long-standing fears that foreign spies or other adversaries are listening in on official conversations.
But it's clear from the House hearing that lawmakers' work to find a solution is just beginning. Here are a few key takeaways:
1. Catching an IMSI catcher is extremely hard.
Authorities have tools that can pick up hints that an IMSI catcher is nearby, but they aren't very effective, witnesses said Wednesday.
"I'm not aware of any instance where a law enforcement agency has successfully tracked down one of these devices," Jonathan Mayer, a chief technologist at the Federal Communications Commission's Enforcement Bureau, told the subcommittee. Nor has the Justice Department prosecuted anyone for operating a cell site simulator, he added.
The challenge, Mayer said, was that there was no "telltale sign of cell site simulation . . . there are only indicia that give rise to suspicion."
DHS has also acknowledged that it doesn't have the technical capability to detect an IMSI catcher, multiple lawmakers noted.
Authorities can try to root them out by looking at anomalies such as unusual cell site configurations. But that approach suffers from a "'spy-versus-spy' phenomenon whereby improvements in detection technologies result in improvements in spoofing technologies," said Charles Clancy, an electrical and computer engineering professor at Virginia Tech. "Any detection strategy would need to constantly evolve as adversary capabilities improve."
2. All mobile users are vulnerable - including the president.
Democrats on the subcommittee said they were worried President Donald Trump himself could get ensnared by a foreign intelligence service's surveillance devices, especially in light of news reports that he uses a cellphone that isn't equipped with sophisticated security features.
Rep. Don Beyer, D-Va., asked the panel how Trump's reportedly unsecured cellphone might put him at risk of being hacked or penetrated by foreign spies.
"Any senior official in any of the branches of government - and for that matter, any senior executive in the private sector - should take heightened precautions with respect to their telecommunications equipment," Mayer responded. "There are possible attacks involving interception of voice and text messages . . . there are also cell site simulator risks. In addition, there's an issue of security updates not getting delivered to consumer devices such that they could be remotely compromised. Anyone in a sensitive position should take heightened precautions."
And the problem isn't just restricted to government types. Mayer added that criminal uses of cell site simulators were "only limited by our collective imagination." By intercepting private communications, he testified, criminals could steal people's financial information, medical data or other personal details that could be used for fraud or blackmail.
3. Defense may be the best offense.
IMSI catchers work in part by getting phones to connect to 2G networks, whose security is notoriously weak. Clancy said wireless carriers that have already decommissioned 2G networks - and most have - should update their policies so that their phones connect only to more secure networks unless they're roaming. Current iPhones, for example, don't have this capability, and Androids require users to take special steps to disable 2G. "This will address the majority of the security concerns around cellphone surveillance," he said.
Congress can protect officials against the threats posed by cell site simulators by making sure that the services and devices it procures every year implement security best practices, Mayer said.
"Congress should condition its substantial wireless outlays on implementation of appropriate cybersecurity safeguards," he said. Mayer added that the National Institute of Standards and Technology, which falls under the committee's jurisdiction, could play a role by updating those standards.
"While it is worth spending time on attempting to improve detection of these devices, the far more effective focus for federal policy would be on defense," he said. "We know how to defend against the worst of these attacks."