Rogue stingrays – spy kits that can track people’s locations by tricking phones into thinking they’re connecting to cell towers and which can then intercept calls and messages – have been found in Washington and beyond, the Department of Homeland Security (DHS) has confirmed.
The Associated Press reports that this is the first time the government has publicly acknowledged the presence of stingrays, possibly being used by spies and/or criminals, in the capital.
(StingRay is the brand name of an International Mobile Subscriber Identity (IMSI) locator, also known as an IMSI catcher, that’s marketed and sold to law enforcement. The word stingray has also come into use as a generic term for these devices.)
DHS said in a 26 March letter to Oregon Sen. Ron Wyden – a politician known as a privacy hawk – that agents came across unauthorized cell-site simulators in the Washington, DC, area last year.
The letter was written in response to specific questions (PDF) Wyden asked DHS in November. In his letter, Wyden referenced how security researchers in 2014 had detected a number of IMSI catchers in the capital region that they suggested may have been operated by foreign governments.
At the time, the Federal Communications Commission (FCC) responded by establishing a task force to investigate the threat posed by foreign governments or criminals using stingrays, which are “widely available from surveillance vendors around the world,” Wyden noted. But since then, the FCC hasn’t issued any public findings or guidance.
So, Wyden wanted to know, what’s the deal? Has DHS detected foreign IMSI catchers in the capital? If so, did it report the discovery to any Congressional committees? Does the department have the technological capability to detect the catchers? Has DHS detected the devices being used in other cities?
From DHS’s response:
“[T]he National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.”
DHS said it’s also aware of IMSI catcher use outside the Beltway.
In a separate letter accompanying his response, DHS official Christopher Krebs, the top official leading the NPPD, added that use of IMSI catchers by malicious actors to track and monitor cellular users “is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks.”
The letter included answers to Wyden’s specific questions. As far as DHS’s technical capability to detect IMSI catchers goes, Krebs said his department doesn’t have any budget for the pricey endeavor:
“NPPD is not aware of any current DHS technical capability to detect IMSI catchers. To support such a capability, DHS would require funding to procure, deploy, operate and maintain the capability, which includes the costs of hardware, software, and labor.”