The House Science, Space, and Technology’s Oversight Subcommittee convened Wednesday to discuss the threat posed by international mobile subscriber identity (IMSI) catchers–which have recently come into the spotlight as tools foreign actors could be using to spy on Federal officials and perhaps even the President himself–but witnesses at the hearing said there were no easy solutions to the problem.

“IMSI catcher technology is ripe for exploitation by foreign nations seeking to spy on American government officials and is likely already being used to do so,” said Rep. Ralph Abraham, R-La., chairman of the subcommittee.

The primary impetus for the hearing was a May 22 Department of Homeland Security (DHS) letter to Sen. Ron Wyden, D-Ore., from Christopher Krebs, under secretary of the agency’s National Protection and Programs Directorate.

In the letter, Krebs acknowledged that throughout 2017, a DHS pilot program detected IMSI catcher signatures across Washington, D.C., including in proximity to the White House, the Federal Bureau of Investigation, and the Pentagon.

But DHS declined to provide a witness for Wednesday’s hearing, Abraham said, and only offered committee members a briefing on the topic last week.

“It would have been substantially more helpful for DHS to have been present today to be part of the dialogue, inform the American public, and answer questions on their work in this area,” Abraham said.

“It is clear that foreign intelligence agencies are seeking to use cell site simulators to collect intelligence on Federal officials,” said Rep. Eddie Bernice Johnson, D-Texas, ranking member of the full committee. She likewise chided DHS, as well as the FBI for their lack of participation in the hearing.

The threat is known by a few different names, the committee and witnesses noted. Cell site simulators–how they act–IMSI catchers–what they do–and Stingrays–a popular brand name. These rogue cell stations “simulate” or pose as legitimate mobile carrier cellular stations and can target cell phones in close proximity. If the targeted phones are close enough, the simulators produce a signal that tricks the phones into connecting to them–instead of a legitimate provider–thus allowing operators of the simulators to extract information about the cell phone users.

“It poses a significant threat to user privacy and security and safety because a malicious actor can determine if a subscriber is in a given location at a given time,” said Dr. Charles Romine, director of the National Institute of Standard’s and Technology’s Information Technology Laboratory.

“A foreign intelligence service could easily use cell site simulators to collect highly confidential information about government operations, deliberations, and personnel movements,” added Dr. Jonathan Mayer, a former chief technologist at the Federal Communications Commission’s Enforcement Bureau.

He said that despite Office of Management and Budget estimates of $1 billion spent on wireless service and mobile devices annually, the Federal government has no assurance that cybersecurity best practices are being applied in those products and services.

Romine said forthcoming 5G technologies will mitigate the threat of IMSI catchers with new security protocols. But 5G isn’t here yet, so what can be done now?

Participants noted that many of the issues with IMSI catchers stem from early 2G and 3G mobile networks that lack the security features of more robust LTE networks. Further, cell site simulators also are able to trick phones into switching over to connections with the lower security protocols.

Some phones allow users to automatically disable 3G and 4G connections, but that functionality does not extend to 2G for many devices, noted Dr. T. Charles Clancy, director of the Hume Center for National Security and Technology at Virginia Tech.

He said mobile carriers could roll out simple software updates to cell phone user interfaces that would allow 2G connections to be automatically disabled and cut down on the risk of being spoofed by cell site simulators.

But these are only safeguards, and don’t get toward the ultimate goal of prevention and attribution of IMSI catcher use by bad actors. That, Mayer said, could be much more difficult. Abraham asked if IMSI catchers had any distinguishable characteristics that could be used to trace them to particular state actors, like Russia or China.

“I’m not aware of any instance in which a law enforcement or regulatory agency has successfully tracked down one of these devices,” Mayer said, but expressed that it may be possible. Krebs’ letter said that DHS hadn’t validated or attributed any of the signals it found to be consistent with IMSI catchers.

“There is no definitive tell-tale sign of a cell site simulator,” Mayer said. “While there are commercials tools available, I’m not aware of anyone who’s used any of these tools to definitively identify one of these devices, and that’s why my recommendation is focusing on defense, rather than whack-a-mole with the folks setting these things up.”

Read More About
More Topics
Joe Franco
Joe Franco
Joe Franco is a Program Manager, covering IT modernization, cyber, and government IT policy for