Security researchers at the University of Washington have developed a system designed to spot anomalies in cell networks that could indicate the presence of a device that can be used to spy on mobile phones or bombard them with spam.
These surveillance devices are called International Mobile Subscriber Identity catchers, and trick phones into sending location information and details about how they are communicating by acting like legitimate cell towers. They can range in size from a walkie-talkie to a suitcase and cost anywhere from a few thousand dollars to hundreds of thousands. Law enforcement agencies use them on a regular basis, and UW says spies and cyber criminals are leaning on the catchers internationally, though little is known on this front.
“Up until now the use of IMSI-catchers around the world has been shrouded in mystery, and this lack of concrete information is a barrier to informed public discussion,” said Peter Ney, a doctoral student at UW’s Paul G. Allen School of Computer Science & Engineering. “Having additional, independent and credible sources of information on cell-site simulators is critical to understanding how — and how responsibly — they are being used.”
To begin to identify IMSI catchers, also known as stingers or cell-site simulators, the research team developed a system called SeaGlass and this month published a paper about it in the June 2017 edition of Proceedings on Privacy Enhancing Technologies. The team placed SeaGlass censors in 15 ride-share vehicles in Seattle and Milwaukee — because they log heavy hours driving all over the city — and spotted “dozens” of anomalies that could be stingers. But, UW cautioned that it would be impossible to conclude that the anomalies are definitely IMSI catchers without further investigation.
Here are a few examples of anomalies the UW researchers found in Seattle:
For instance, around an immigration services building south of Seattle run by the U.S. Department of Homeland Security, SeaGlass detected a cell tower that transmitted on six different frequencies over the two-month period. That was notable because 96 percent of all other base cell towers broadcast on a single channel, and the other 4 percent only used two or three channels.
The team also detected an odd signal near the Seattle-Tacoma International airport with suspicious properties that were markedly different from those normally used by network providers.
The sensors can be built from available materials and they aggregate data to create a baseline of normal cell network activity. A team from the UW Security and Privacy Research Lab then developed algorithms to spot irregularities, like a strong signal in an odd spot or “temporary” towers that disappear after a short time, that could indicate the presence of simulators.
SeaGlass represents a different approach to tackling IMSI catchers, the team said, from existing apps that focus on detection on individual phones rather than the cell network as a whole. Still, the team indicated that their technology is only a piece of the puzzle in catching IMSI catchers.
“In this space there’s a lot of speculation, so we want to be careful about our conclusions. We did find weird and interesting patterns at certain locations that match what we would expect to see from a cell-site simulator, but that’s as much as we can say from an initial pilot study,” said Ian Smith, a co-lead author of the paper and former Allen School research scientist. “But we think that SeaGlass is a promising technology that — with wider deployment — can be used to help empower citizens and communities to monitor this type of surveillance.”