In a June 2014 study, Government Business Council asked 318 federal officials to list the top mobile security threats facing their agency. Perhaps unsurprisingly at the time, wireless network vulnerabilities ranked low on their lists, well behind behind malware, unsecured mobile applications, and human error. Nevertheless, recent revelations that U.S. networks are far less secure than previously thought are likely to turn a few heads.
Articles in the Harvard Journal of Law and Technology as well as Newsweek and Wired have brought to light allegations that criminal organizations and foreign governments, as well as domestic law enforcement agencies, are exploiting persistent vulnerabilities in the nation’s 2G wireless network to hack into Americans’ cell phones.
Although cyber security experts and civil liberties activists don't agree on much, both are speaking out about the potentially dangerous consequences of allowing these vulnerabilities to remain unaddressed.
Using devices known as International Mobile Subscriber Identity (IMSI) “catchers” (also known as “Stingrays”) that disguise themselves as false cell towers, operatives can hone in on a mobile phone’s unique signal, track its location, listen in on conversations, and even siphon away sensitive data.
Stingrays capitalize a glitch in 2G networks that prevents mobile phones from authenticating that the cell tower they’re connected to is real. And while this glitch was resolved in 3G and 4G networks, it’s possible to jam 3G and 4G signals and force devices to revert to running on 2G. Once too expensive for all but the best-equipped national law enforcement agencies, IMSI catchers can now be manufactured for as little as $1800 and a bit of technical know-how.
In early July, Rep. Alan Grayson (D-Fl) issued a letter to FCC Chairman Tom Wheeler expressing concern that the democratization of Stingray technology could raise serious security and civil liberties challenges. “It is extremely troubling to learn that cellular communications are so poorly secured and that it is so easy to intercept calls and track people’s phones,” said Grayson.
In response, Wheeler announced the formation of a special task force to investigate illegal Stingray use with the goal of developing “concrete solutions to protect the cellular network systematically from similar unlawful intrusions and interceptions.” Added Wheeler, "The task force can also leverage the agency's risk responsibility with our federal partners at the DOJ, FBI, and DHS in order to clamp down on the unauthorized use of these devices and promote consumer privacy."
But despite the FCC’s calls to “combat illicit and unauthorized use of IMSI catchers,” the press release gave sparse details regarding their ongoing use as a legitimate law enforcement tool. From the perspective of the Electronic Frontier Foundation and American Civil Liberties Union, these activities can infringe upon Americans' rights under the Fourth Amendment, as authorities often rely on “general warrants,” used to conduct broad surveillance activities without a defined target.
Cyber experts agree that the federal government should scrutinize the use of IMSI catchers, but for a totally different reason. According to Stephanie Pell, assistant professor and Cyber Ethics Fellow at West Point, the law enforcement benefits of Stingray technology come at the cost of undermining efforts to harden the nation’s wireless infrastructure against cyber threats:
“Given the serious cyber threats our country faces, the surveillance benefits realized by law enforcement through the use of IMSI catchers can no longer justify ignoring the cyber security weaknesses in our communications networks that enable their operation. Indeed policymakers should take a dim view of any aspects of national surveillance policy and practice that rely upon perpetual network vulnerabilities.”
Essentially, the same vulnerabilities that make it easier for law enforcement to track down suspects also make it easier for foreign operatives or cyber criminals to conduct political or corporate espionage. And while the FCC task force certainly represents a step in the right direction, says Pell, simply targeting the illegal use of IMSI catchers without resolving the broader network issues will result in merely a stopgap solution.
This means that federal agencies interested in expanding mobile options -- both for secure and non-sensitive data environments -- will need to look to mobile technologies with robust authentication and encryption capabilities. In the long-term, however, there is no substitute for addressing the network vulnerabilities themselves.
Read the complete GBC report to learn how federal agencies are striking a balance between flexibility and security.