In 2017, the Department of Homeland Security ran a trial program that used a series of cellular network sensors set up around Washington, DC and the surrounding region as part of an effort to get a handle on the usage of International Mobile Subscriber Identity (IMSI) catchers nearby. Commercial IMSI catchers, such as Harris Corporation’s Stingray, have been used by law enforcement as part of surveillance operations, and Secret Service and DHS officials have acknowledged that they use similar devices to help protect the President.
Over an 11-month period, DHS found evidence that there was reason to be concerned. In March of this year, acting DHS National Protection and Programs Directorate (NPPD) undersecretary Christopher Krebs sent Senator Ron Wyden (D-Oregon) a letter—along with answers to questions Wyden had posed as part of the confirmation process for Krebs to permanently assume his role as undersecretary—stating that the NPPD “believes the malicious use of IMSI catchers is a real and growing risk.”
In the attached answers, Krebs noted that NPPD “has observed anomalous activity in the National Capital Region [NCR] that appears to be consistent with [IMSI] catchers.” But Krebs said that DHS did not have a current capability for tracking IMSI catchers, and the department did not share how the “anomalous activity” was detected in the first place.
Wyden has opposed moving forward with Krebs’s nomination, demanding more details on the IMSI catcher information—including pressing for release of slides from a For Official Use Only presentation made by a DHS employee to members of the Federal Chief Information Officers Council’s Mobile Technology Tiger Team (MTTT) in February.
In response, on May 22, Krebs shared details on the trial program that detected the IMSI catcher operations—and he acknowledged that IMSI catchers were detected near the White House during the trial. But Krebs refused to release the presentation to the MTTT, stating that the data was “pre-decisional” and “do[es] not constitute a validated assessment” by the DHS of the threat.
“While the NPPD pilot did observe anomalous activity that appeared consistent with IMSI catcher technology within the [National Capital Region], including locations in proximity to sensitive facilities like the White House,” Krebs wrote, “NPPD has neither validated nor attributed such activities to specific entities, devices or purposes.” Krebs stated that NPPD doesn’t have the law enforcement and counterintelligence authority to directly address the IMSI catcher threat, and it had passed along the data collected to other agencies.
Again, IMSI catchers have been known to be active in Washington for some time. In 2014, researchers with the security company ESD America detected IMSI catchers scattered across Washington, DC in the vicinity of the White House, the Russian Embassy, and Capitol Hill. Some of these may have been operated as part of counterintelligence or law enforcement activity, but some portion of the devices detected in 15 areas of interest by ESD America may have been operated by foreign intelligence organizations. The technology required to create IMSI catcher devices has only become more accessible over the past four years.
The recent presence of IMSI catcher devices in proximity to the White House and other federal facilities raises additional questions about the security of federal executives’ communications—in particular, those of President Donald Trump. Trump’s personal cell phone activities have been a source of concern and controversy since he took office. If reports are correct, the President has used iPhones with basic security configurations to place phone calls as well as to post missives to Twitter—and it’s possible that calls and data from those devices could have been intercepted by IMSI catchers if those devices were attempting to connect over the public cellular network. However, Trump may be relying on internal White House networks to place calls and tweet, and some of the potential IMSI catchers detected might in fact be systems set up to protect Trump from signals interception attacks.