Is someone hacking cellphones in Washington, D.C.?
A Nevada-based security technology company says it has discovered proof of as many as 15 cellphone interception devices secretly operating in the nation's capital, capable of illicitly identifying the movements of prominent people, recording audio from mobile phones, listening to calls and reading email.
The company is a small security firm called ESD America, which markets a Cryptophone designed to block attempts to hack it and to alert its user when such attempts occur. ESD employees spent several days surveying Washington, D.C., last week. The company's president, Les Goldsmith, said the small team discovered that someone was operating cellphone interception devices at some of the most sensitive locations in the nation's capital, including near the Capitol building, the White House, Treasury and in McLean, Virginia, not far from CIA headquarters.
Just who was doing the alleged phone snooping is not clear—ESD said its devices can't pinpoint the exact location of cellphone hackers, just that they are operating in a given area. But there are any number of reasons for people to want to snoop on calls in Washington. Foreign intelligence services, corporate spies, political opposition researchers and even U.S. law enforcement and national security agents have a dizzying variety of people to target in the capital's core.
CNBC spent part of last Tuesday afternoon driving with a pair of ESD operatives whose devices registered several malicious attempts to probe the phones. At one point, Aaron Turner, a consultant for ESD, said his phone had registered an attempt near the intersection of 11th Street and Pennsylvania Avenue by a hostile attacker trying to crack into his phone and steal data.
"We've got definitive proof that someone here in this area is operating some sort of intercept device," Turner said as his car rolled down Pennsylvania Avenue. "Whether that's just tracking people or listening to calls, we can't say."
Turner said he couldn't say who was trying to crack into his phone, but he said his best guess was that it was not U.S. government surveillance. Instead, he suspected the ESD devices had stumbled on evidence of corporate espionage in action, possibly targeting large law firms or corporate board of directors meetings in office buildings nearby.
"The information that we've gotten during this research session basically says that they're looking at everybody, but they're picking a couple of select people to intercept," Turner said. "On regular consumer devices, people are totally at risk."
Turner said the attackers trying to crack into his phone were operating a device called an IMSI catcher, which is an eavesdropping device that mimics a cellphone tower. Mobile phones constantly scan for the nearest available cellphone tower, but when they connect with the IMSI catcher, they can be fooled into transmitting information as if to a real tower. In reality, an attacker has gotten access to that phone, and can use malware to prevent the phone from giving any indication to its user that it has been hacked.
ESD installs interceptor-detecting software written by the German firm GSMK onto Samsung mobile phones running an Android system and resells the phones to its customers for more than $3,000 each. The company says it sells the phones to people and companies who handle sensitive materials on their phones and are paranoid enough to pay a hefty fee to protect themselves.
The claims made by ESD, Goldsmith and Turner cannot be independently verified by CNBC. ESD said it is the only company that makes a commercially available device designed to detect cell phone interception.
Not all cellular experts are convinced by ESD's findings. The company, after all, has a vested interest in selling its products. "The sightings are technologically possible," said cryptographer and security researcher Karsten Nohl, "but unrealistically frequent in the recent reports."
Other experts, though, say ESD is on the right track. Asked whether ESD's claims are credible, Joshua Marpet, a security researcher at the data security firm GuardedRisk, said: "Oh, Lord, yes, it's realistic." He added, "they can't tell you that you are connected to a rogue tower or IMSI catcher. What they can tell you is that the tower your phone is trying to connect to does not have a correct ID, is numbered badly, has turned off encryption, or in some other way, is simply 'off.' "
Alan Butler, senior counsel at the Electronic Privacy Information Center, a public interest group focused on civil liberties, said the techniques used by ESD are generally plausible. "This sounds like a pretty solid technical way to detect such a device," Butler said. "Plans for a device that would be in effect an 'IMSI catcher-catcher' have been out there for a while."
The Electronic Privacy Information Center has been engaged in a long-running dispute with the FBI about law enforcement's own use of cell phone interceptors, which privacy advocates worry could be abused because of their wide-ranging powers. "The FBI has been very tight-lipped about the use of this technology, and has been for many, many years," Butler said. "But it is a pretty significant piece of their surveillance toolkit."
CNBC contacted the FBI and Department of Justice to ask if there is any law enforcement reason why cell phone interceptors would be operating in downtown Washington.
"We cannot comment on their credibility or their claims," said Andrew Ames, a spokesman for the FBI's Washington field office. "Additionally, we do not comment on whether we employ particular means or methods as part of investigations."
Intercepted cell phone calls have caused trouble in Washington before. In February, an unknown person intercepted a call between Assistant Secretary of State Victoria Nuland and the U.S. ambassador to the Ukraine in which Nuland used a vulgar expletive to refer to the European Union during the unfolding crisis in Ukraine.
A person who sounds like Nuland can be heard on the tape saying "F--- the EU."
The release of the leaked tape—which was first widely promoted on Russian language websites—was deeply embarrassing to the United States. It's not clear where the call was intercepted, whether in Ukraine or Washington, or who intercepted and released it. But the interception itself shows the political and diplomatic damage that can occur when candid comments are released publicly.
A spokesperson for CTIA, the wireless communications industry trade association, declined to comment on the ESD America findings and referred a reporter to the Department of Homeland Security. A spokesman for Homeland Security referred CNBC to the Federal Communications Commission.
A spokesman for the Federal Communications Commission also declined to comment on the claims made this week by ESD America, saying "current law prohibits the unauthorized possession or use of IMSI catchers."
But the FCC is concerned enough about the possibility of illicit cellphone interceptors that it created a task force this summer to investigate who might be using them, and why. "The commission is aware of recent reports alleging the unlawful or illicit use of IMSI devices to intercept cellular communications," the FCC spokesman said. "The commission has assembled an internal team to begin to look into the facts surrounding these allegations and will consider necessary steps based on its findings." The spokesman declined to say what progress, if any, the FCC's task force has made so far.
The hacking threat to mobile phones has long been known by security professionals, but ESD says it is only within the past year that it has developed the technology to block cell phone interceptors, and to detect where they are operating. Since then, ESD has made waves in the press with claims that as many as 18 IMSI catchers are operating throughout the United States. This week's announcement, however, is the first time ESD has revealed its data on cell phone interceptors in Washington, D.C.
ESD released a map of the Washington region showing where it believes it caught cell phone interceptors operating in the capital. Hot spots include the U.S. Capitol, an area around the White House and much of Pennsylvania Avenue.
Turner said that the ESD cryptophone works by gathering a variety of information from a cellphone's baseband operating system to determine if the phone is being hacked or not. A cellphone interceptor mimics a cell tower, but emits a powerful radio signal to drown out other real towers in the area, giving phones picking up the signal an indication that it is the only cell tower in the area.
Turner said the ESD software looks to see if it is getting an indication that the cell tower it has locked onto is the only one in the area; in a large metropolitan area, that should not be the case, and may be an indicator that the phone is locked onto an IMSI catcher, rather than a real cell tower. "Cell phones are very promiscuous," he said. "They're always looking for three towers to connect to."
The device also checks whether the phone has been forced from a highly encrypted mode of communication such as 3G or 4G down to a 2G level that is easier for hackers to decrypt. Finally, the device checks if it is still able to send data in 3G or 4G. If all those conditions are present, the device decides it is under attack, and issues an alert to the user to discontinue the call.
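The three checks Turner describes can be written out as detection logic over baseband snapshots. This is an added example, not ESD's or GSMK's code; the field names, the sample trace and the reading of the third check as "3G/4G data still works while the phone sits on 2G" are assumptions.

```python
from dataclasses import dataclass

FAST = ("3G", "4G")
ALL_THREE = {"only_tower", "forced_2g", "fast_data_still_works"}

@dataclass
class Obs:
    """One baseband snapshot. Field names are hypothetical, not GSMK's."""
    t: int               # seconds into the drive
    cell_id: str         # serving cell (constructed labels below)
    rat: str             # radio technology in use: "2G", "3G" or "4G"
    neighbors: int       # other towers the baseband can hear
    fast_data_ok: bool   # can the phone still send data over 3G/4G?

def scan(trace):
    """Yield (obs, indicators) for each snapshot, tracking downgrade state."""
    prev_rat, downgraded = None, False
    for obs in trace:
        if obs.rat == "2G":
            downgraded = downgraded or prev_rat in FAST
        else:
            downgraded = False           # back on 3G/4G clears the flag
        found = set()
        if obs.neighbors == 0:           # tower claims to be the only one
            found.add("only_tower")
        if downgraded:                   # pushed from 3G/4G down to 2G
            found.add("forced_2g")
        if obs.rat == "2G" and obs.fast_data_ok:  # 3G/4G exists, yet on 2G
            found.add("fast_data_still_works")
        yield obs, found
        prev_rat = obs.rat

def alerts(trace):
    """Alert only when all three conditions hold, as the article describes."""
    return [(o.t, o.cell_id) for o, found in scan(trace) if found == ALL_THREE]

# Constructed sample trace, not real survey data.
TRACE = [
    Obs(0,   "A", "4G", 5, True),    # normal metro coverage
    Obs(30,  "B", "2G", 4, False),   # ordinary fallback: one indicator only
    Obs(60,  "A", "4G", 6, True),
    Obs(90,  "X", "2G", 0, True),    # lone tower + downgrade + 3G/4G usable
    Obs(120, "X", "2G", 0, True),    # still camped on the same cell
    Obs(150, "C", "4G", 0, True),    # lone tower but no downgrade
]

if __name__ == "__main__":
    for t, cell in alerts(TRACE):
        print(f"t={t}s cell={cell}: all three indicators present")
```

Requiring all three conditions keeps an ordinary 2G fallback or a genuinely isolated tower from raising an alert on its own.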
"This is the first time we've really had this capability," Turner said. "This has exceeded our expectations. When we came here to do this research, we knew we would find some. By no means did we think we would find 15 separate areas just within the District."
And he said there's an obvious reason why people would want to collect cellphone information in Washington: "The information here belongs to the most powerful people on Earth, so that information is valuable. And whenever information is valuable people will dedicate the energy and resources to go and get that information."
—By CNBC's Eamon Javers.