The Department of Homeland Security (DHS) has detected equipment that can eavesdrop on cell-phone conversations in the Washington, DC, area – and it doesn’t know who’s behind it.

According to a letter sent to Sen. Ron Wyden (D-OR) obtained by the Associated Press (AP), DHS uncovered deployed equipment known as StingRays (or IMSI catchers), which spoofs cell-phone towers. These fake base station simulators essentially dupe mobile handsets into connecting to them, which allows their operators to pinpoint user locations and, by downgrading the connection to 2G instead of encrypted 3G or 4G, spy on conversations. They can also be used to implant malware.

“IMSI catcher attacks are one of the most common and effective, though unspoken, threats in cellular cybersecurity, mostly because they are easily available and do not leave a trace on the device and traditionally cannot be blocked or adequately identified,” explained Dror Fixler, CEO of FirstPoint Mobile Guard, via email. “The hacker's continued interest in you after the initial attack has to do with what they discovered about you in those first minutes of the attack. These devices are particularly dangerous as attackers can continue the attack by implementing a man-in-the-middle attack to covertly connect the device to the cellular network, thus monitoring all of the device's data, voice, SMS, signaling and even delivering a dedicated malware attack.”

This type of equipment has been used by law enforcement for years, and its sale has been limited to public-safety uses. The detection of unauthorized gear suggests that foreign adversaries may be at work in the area to spy on US citizens and government officials.

Wyden had asked the DHS whether it found foreign governments using the devices, to which the department said it had not “validated or attributed such activity to specific entities or devices.” Other details were scant, though the DHS did say that malicious use of such equipment is a “real and growing risk.” It also admitted in a separate, unpublished letter obtained by the AP that DHS lacks the equipment and funding to detect StingRays on its own and instead partners with third parties to do so.

Fixler added that his company has uncovered unauthorized StingRays deployed on a widespread level: “In the last several weeks alone, FirstPoint has identified numerous such attacks around the world, near government agencies, in and around airports, and next to local police stations,” he said. “This means that anyone, US citizens and government officials included, are under threat of tracking by cell-phone site simulators (IMSI catchers) while traveling, and not only at home in DC.”