Researchers have created a device using off-the-shelf components that can sniff out controversial cell phone surveillance devices, known as IMSI-catchers or StingRays, used by federal and state law enforcement as well as hackers.

The International Mobile Subscriber Identity-catchers have not only been used to locate mobile devices but also to sometimes eavesdrop on users, send spam or upload malware, according to University of Washington (UW) security researchers.

"The threats remain the same when looking at enterprises: tracking and, under certain circumstances, eavesdropping are possible through this attack," said Dionisio Zumerle, a Gartner research director for Mobile Security. "The attack requires technical expertise and equipment that was once hard to find; today it is easier and that is the main source of concern."

IMSI-catchers or cell-site simulators work by pretending to be a legitimate cell tower that a smartphone would typically use. The catchers trick the cell phone into sending identifying information about its location and how it is communicating. The portable surveillance devices range in size from a walkie-talkie to a suitcase and in price from several thousand to hundreds of thousands of dollars, according to UW.

Image caption (credit: University of Washington): Time series of measurements of one cell tower base station over two months. Higher received signal strengths are shown in red and lower strengths in blue. By modeling the typical behavior of each cell tower over time, SeaGlass can pick out aberrations that indicate the presence of cell-site simulators.

One popular IMSI-catcher, called a StingRay, is made by the Florida-based Harris Corp. and is used by a dozen federal agencies, including the FBI, NSA, DEA, the Immigration and Customs Enforcement agency and all branches of the U.S. military, according to the ACLU.

While it's illegal to use the devices without a court order, the ACLU has identified 48 other agencies in 20 states and the District of Columbia that own StingRays. Many of the agencies have shrouded their purchase and use of the devices in secrecy, and civil rights groups said their numbers likely "dramatically" underrepresent the actual use of StingRays nationwide.


The increased use of IMSI-catchers makes it increasingly important that IT security managers look at the antimalware and mobile threat defense (MTD) technology market, the products available and how they should be used, according to Gartner.

Researchers' SeaGlass experiment

The UW researchers built a system called SeaGlass -- it's based on a Raspberry Pi single board computer along with seven other components -- that detects anomalies in the cellular transmissions to indicate where IMSI-catchers are in use. The new system is described in a paper to be published this month in Proceedings on Privacy Enhancing Technologies.

Image caption (credit: University of Washington): The parts that make up a SeaGlass IMSI-catcher detector include a Raspberry Pi, a cellular modem to scan the cell spectrum, GPS, a bait cellphone, and a mobile hotspot to upload data.

"Up until now the use of IMSI-catchers around the world has been shrouded in mystery, and this lack of concrete information is a barrier to informed public discussion," Peter Ney, a doctoral student at the Allen School of Computer Science & Engineering at the UW, said in a statement. "Having additional independent and credible sources of information on cell-site simulators is critical to understanding how — and how responsibly — they are being used."

Partnering with ride-sharing drivers to install the SeaGlass system in 15 vehicles, Ney and his fellow UW researchers were able to collect millions of measurements across Seattle, Wash. and Milwaukee, Wisc. during a two-month pilot. They identified dozens of anomalies consistent with cell-site simulators.

"In this space, there's a lot of speculation, so we want to be careful about our conclusions. We did find weird and interesting patterns at certain locations that match what we would expect to see from a cell-site simulator, but that's as much as we can say from an initial pilot study," Ian Smith, a former Allen School research scientist and co-author of the study, said in a statement.

Image caption (credit: Dennis Wise/University of Washington): UW Security and Privacy Lab researchers Peter Ney (left) and Ian Smith (right) install a SeaGlass sensor in a test vehicle.

"But we think that SeaGlass is a promising technology that — with wider deployment — can be used to help empower citizens and communities to monitor this type of surveillance," Smith added.

SeaGlass works by continuously uploading sensor data from vehicles and aggregating it into a city-wide view of cell tower transmissions, real or fake. Algorithms then find anomalies in the cellular network that indicate IMSI-catchers; by modeling a city's cellular landscape, SeaGlass can identify "suspicious anomalies," the UW researchers said.
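To make the per-tower modeling concrete, here is a small detector in the spirit of the SeaGlass approach described above. It is an added illustration, not the UW team's code: it baselines each cell ID's signal strength across a multi-day survey and flags two aberrations the paper's description implies, a cell heard on only a few days and a reading far stronger than that tower usually produces. The scan log and field names are constructed assumptions.

```python
# Toy SeaGlass-style anomaly detector (added illustration, not UW's code).
# Baselines each cell tower's signal-strength behaviour over a multi-day
# survey and flags aberrations: a tower heard on only a handful of days, or a
# reading far above that tower's usual range. Field names are assumptions.
from collections import defaultdict
from statistics import median

# Constructed scan log: (cell_id, survey_day, rssi_dbm). A real sensor would
# also log GPS position, channel number and neighbour-cell lists.
SCANS = (
    [("cell-A", d, -84 if d % 2 else -86) for d in range(1, 31)]  # steady tower
    + [("cell-A", 17, -45)]                                      # sudden +40 dB
    + [("cell-B", d, -70 if d % 2 else -72) for d in range(1, 31)]
    + [("cell-X", 12, -50)]                                      # appears once
)
SURVEY_DAYS = 30

def build_baselines(scans):
    """Per-tower model: days seen, median RSSI and median absolute deviation."""
    readings = defaultdict(list)
    for cell_id, day, rssi in scans:
        readings[cell_id].append((day, rssi))
    baselines = {}
    for cell_id, obs in readings.items():
        rssis = [r for _, r in obs]
        med = median(rssis)
        mad = median(abs(r - med) for r in rssis)
        baselines[cell_id] = {"days": {d for d, _ in obs}, "median": med, "mad": mad}
    return baselines

def find_anomalies(scans, baselines, survey_days, min_days=3, z_thresh=3.5):
    """Return (cell_id, day, reason) for readings that break a tower's model."""
    flagged = []
    for cell_id, day, rssi in scans:
        b = baselines[cell_id]
        # Genuine towers are heard throughout a long survey; a short-lived
        # cell that shows up and vanishes is suspect.
        if survey_days >= 14 and len(b["days"]) < min_days:
            flagged.append((cell_id, day, "transient_cell"))
            continue
        # One-sided robust z-score: only unusually strong signals are flagged,
        # since a simulator must out-shout the real tower to win the phone.
        # 0.6745 scales the MAD to a standard-deviation equivalent.
        if b["mad"] > 0 and 0.6745 * (rssi - b["median"]) / b["mad"] > z_thresh:
            flagged.append((cell_id, day, "rssi_spike"))
    return flagged

def suspicious_cells(scans=SCANS, survey_days=SURVEY_DAYS):
    """Distinct (cell_id, reason) pairs for the whole survey."""
    hits = find_anomalies(scans, build_baselines(scans), survey_days)
    return sorted({(c, r) for c, _, r in hits})
```

A real deployment would add the spatial dimension SeaGlass records (a cell ID heard far from where it is normally heard) and tune thresholds against months of data rather than the single spike shown here.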

Image caption (credit: University of Washington): SeaGlass sensors are made with off-the-shelf parts that are packed into a box and installed in a vehicle’s trunk, with antennas on or near windows.

Clear and present danger

Nathan Wessler, staff attorney with the ACLU, said there is a real danger to U.S. business travelers having their mobile devices tracked and hacked by IMSI-catchers, even though it would be illegal for law enforcement to do so.

"That doesn't mean it's not happening by people with criminal intent. There may be reasons for enterprises in the U.S. to be concerned, but I have no idea how likely that threat is or if there are entities using catchers," Wessler said.

Law enforcement agencies are increasingly using IMSI-catchers to locate and track cell phones, and they've been "duplicitous with courts" by not always getting proper authorization, Wessler said.

There have been at least 4,000 documented uses of IMSI-catchers by the Baltimore Police Department and 1,000 uses by the New York Police Department, according to Wessler.

Mobile threat detection solutions

The market for messaging and voice protection technology is crowded and characterized by a diverse set of offerings that address different verticals and uses. Most IT vendors offer mobile voice protection only to certain pockets of the population and focus on voice encryption, while texting solutions are provided for the entire workforce, according to a July 2016 report from Gartner.

Gartner, in a report, recommended that companies "gradually add MTD systems to the organization to mitigate attacks, emphasizing integration, and avoid long-term contracts."

Companies considering MTD products and secure mobile communications (SMC) technologies have to decide whether they need them for employees who travel in untrusted regions or use untrusted networks, and whether sensitive data is exposed in those situations. They should also weigh any regulatory requirements to protect voice and text messaging or text archives as part of a comprehensive risk-based approach, rather than simply covering spot regulatory needs, according to a Gartner report.

Gartner recommends finding a provider that can partner or integrate with current EMM suites.

MTD tools protect mobile platforms by addressing threats to devices, OSes, networks and apps, protecting organizations on various mobile platforms, including iOS, Android and Windows 10 Mobile. MTD solutions, Gartner said, provide security at one or more of the following four levels:

Device behavioral anomalies that track for variations from expected and acceptable use patterns.

Vulnerability assessments that inspect devices for configuration weaknesses that will lead to malware execution.

Network tools to monitor traffic and disable suspicious connections to and from mobile devices.

App scans that can find "leaky" apps that put enterprise data at risk and malicious apps (spotted by reputation scanning and code analysis).

The techniques used in MTD are still maturing, and the mobile platforms they run on are also evolving rapidly. Many of the products in the MTD market come from small, innovative companies.

A number of IT vendors sell secure smartphones, such as GSMK, or software, such as Rosberg Systems AS and Verizon's Voice Cypher Ultra, that use various technologies, such as encryption, to thwart IMSI-catchers from viewing mobile data and voice transmissions.

MTD architectures vary but typically involve an agent residing on a mobile device, as well as a server component that aggregates findings, Gartner said. MTD systems use various methods to gather intelligence about mobile threats and attacks. Crowdsourced threat intelligence analysis is a prevalent method, with a server component that's often cloud-based. Crowdsourced threat intelligence can also be collected from consumers that install a basic version of the app on their device.

Image caption (credit: University of Washington): How SeaGlass works.

"By 2018, fewer than 15% of organizations will have... MTD in place, which is an increase from fewer than 5% today," Gartner said in its report. "By 2018, 80% of organizations with MTD solutions in place will integrate them with their enterprise mobility management (EMM) solutions...."

EMM and other configuration control efforts already strengthen mobile platforms against attacks, but they can make it harder for MTD systems to operate efficiently, Gartner said.

Rosberg's Verji SMC software, for example, is aimed at protecting speech, messaging and file sharing through encryption. The app can be deployed to thousands of employees through commonly used MDM and EMM systems.

"If enterprises have reasons to believe they are at risk for industrial espionage, they should look into these solutions: Stock brokers or high-level executives traveling in untrusted countries or other locations are typical examples," Zumerle said. "However, for the vast majority of enterprises, adopting a Mobile Threat Defense solution would help in countering more mundane threats."