FBI: Israel Used StingRays to Spy on the US

Written by

Israel has been accused of planting cellphone surveillance devices within the vicinity of the White House. First discovered in May 2018 by officials at the Department of Homeland Security (DHS), the alleged espionage has been ongoing for two years according to credible sources.

At the time it wasn't known who had planted those devices; only the evidence of their existence. However, a recent report by Politico of a detailed forensic analysis by the FBI revealed Israel to be responsible, to which claim the latter has strongly denied.

According to the report, the Israeli government used IMSI catchers, also referred to as “StingRays” to carry out the surveillance. In a case of armor necessitating better weapons, government espionage seems to have advanced from the days of using fake rocks and the like.

However, cellphone surveillance isn't just a problem for Presidents to worry about. It's for everyone using a connected device from smartphones, dumb phones to every IoT device that transmits any form of data.

Lots of people can spy on you
The use of IMSI catchers isn't "new" technology to any security professional. They simulate a cellphone tower to trick a subscriber's phone into revealing its data without the knowledge of the user or service provider. Some of this data is the International Mobile Subscriber Identity (IMSI) number that's assigned to each cellphone.

Using the IMSI, StingRays can track the phone and listen in on phone calls, but there is a lot more information they can gather, including the International Mobile Equipment Identity (IMEI) number or Mobile Equipment Identifier (MEID). This is the unique serial number identifying your phone as a specific piece of hardware, down to the different manufacturers of its components.

When the StingRays device is designed for active listening -- meaning it can interact with your phone directly rather than passively report what's going on - the possibilities treble. Now the attackers can mess with your power management, camera (don't forget the rear), GPS tracking, car, electronics and appliances.

Most people imagine them to be very small devices that can be slipped behind a family photo or carefully fitted onto a bench somewhere. However, there is a whole range of sizes for StingRays: some of them are designed to install in a vehicle such as a van, an SUV, a plane or a drone. Others can be fixed in place such as a building near the target locations/victims. Some can fit in a backpack while others are small enough to hold by hand. This portability allows someone to gather data from distant locations. To operate, the system only needs power, access to data connection and a terminal to interpret and display the data (e.g. laptop).

Depending on the set up, an IMSI catcher can cost as little as $1,200 to build, which means that it's within the reach of many.

How to counter IMSI catchers
One of the most attractive features of 5G is its potential to prevent fake base station attacks. Issues with the exposure of IMSI and IMEI numbers would be fixed and attackers would not be able to identify and track users. With the latest improvements, device data is encrypted so it doesn't lie around in easily readable text. However, security experts warn that this isn't enough.

"For the best service, your device checks with the tower every three to seven seconds to determine the strength of your connectivity," explains Dr. Dror Fixler CEO and co-founder of FirstPoint, an Israel-based startup developing cellular protection technology.

"Whenever it needs to connect to a new tower, it transmits data about itself that, like in 4G, isn't encrypted in 5G. This information could easily identify the type of device, the make and model, the hardware and OS down to the version if it's on iOS. If they had a specific target, attackers could use the information to execute the attack."

Alternatively, he says, this data could be used by attackers to downgrade a complex and sophisticated device such as a smartphone and trick the telecom operator into assigning it an older connection such as 2G or 3G reserved for devices that are lower on the scale and don't need faster speeds. This allows older StingRays to work.

It isn't a fault in 5G as a network but an issue in deployment on the carrier's end. Similar sentiments were expressed by Sen. Ron Syden in a statement about surveillance on citizens last year: "I've spent the past year fighting to reveal what a terrible job the telephone companies and FCC are doing at protecting Americans from being spied on, tracked or scammed."

"If the security protocols were deployed at system launch and data encryption was carried out earlier during connection, the attacks would be minimal. Many carriers are leaving the data out in the open, facilitating manipulation," laments Dr. Fixler.

If you're more radical, you'll get a one-way pager to receive your messages on and avoid all this tower business. For most people however, the smartphone does everything, including check their spelling.

The universal solution to this man-in-the-middle attack lies heavily on cellular networks. More specifically, their ability to team up with companies such as FirstPoint to guarantee security to their subscribers.

What’s hot on Infosecurity Magazine?