US government officials are concerned that someone is tracking all the mobile phones in the Washington DC area and could be spying on the communications of senators, president Donald Trump, foreign diplomats and many other branches of the government.
The Department of Homeland Security (DHS) is currently investigating after receiving information from a defence contractor that highly suspicious behaviour is coming from multiple mobile base stations belonging to a major US mobile operator in the region. A huge amount of location data is being siphoned off by a third party that might be controlling multiple mobile base stations in Washington DC.
"The attack was first seen in DC but was later seen on other sensors across the USA," a source told US political news site Washington Free Beacon on condition of anonymity. "A sensor located close to the White House and another over near the Pentagon have been part of those that have seen this tracking."
The information was gathered by the ESD Overwatch programme, which is run by ESD America, a Las Vegas-based defence and law enforcement technology firm that routinely supplies technology to the US Department of Homeland Security.
The firm operates a real-time detection system called ESD Overwatch that detects fake or illegal mobile base stations (cell towers in the US), telecoms equipment known as IMSI catchers that is commonly used by cybercriminals to intercept communications from mobile phones.
ESD America has been monitoring the mobile base stations as part of an official 90-day pilot programme for the DHS that began on 18 January. A report by ESD Overwatch prepared for DHS and seen by the Washington Free Beacon says that the US mobile operator in question has experienced "unlawful access to their network for the purpose of large scale subscriber tracking".
Remember the Stingray controversy? This is the same thing
The idea is that when you walk near an IMSI catcher, it tricks your phone into connecting to it, instead of your carrier's real mobile base stations. In addition to gathering a mobile phone user's location and identifying information, data from text messages can easily be intercepted with an SMS server, without the user's mobile operator or the user themselves being any the wiser.
You might have heard of fake mobile base stations before – the topic has been covered by the US media frequently over the last two years. One type of IMSI catcher is the "Stingray" marketed by Harris Corp, which has been used by numerous police and law enforcement agencies for bulk data collection to spy on citizens' communications.
The issue has caused tension in the US as multiple judges claim they signed warrants enabling the use of Stingray without understanding what the technology was for and the scope of what it could do.
US lawmakers demanding answers on telecoms espionage
Using telecoms equipment to spy on citizens has become such a big issue that members of the Senate and the House of Representatives petitioned the DHS on Wednesday 15 March to outline what defences the US government has to prevent foreign governments from spying on American soil.
"For several years, cyber security experts have repeatedly warned that US cellular communications networks are vulnerable to surveillance by foreign governments, hackers, and criminals exploiting vulnerabilities in Signaling System 7 (SS7). According to published media reports, US cellular phones can be tracked, tapped, and hacked—by adversaries thousands of miles away—through SS7-enabled surveillance," a letter written by Senator Ron Wyden and member of Congress Ted Lieu states.
"We are deeply concerned that the security of America's telecommunications infrastructure is not getting the attention it deserves. Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones."