Proving yet again that the US government can show a surprising soupçon of tenacity when it comes to gross invasion of privacy while occasionally catching a terrorist, a new report claims that, since 2007, the US Marshals Service has been criss-crossing the country with small airplanes equipped with fake cell towers. These small aircraft (fixed-wing Cessnas) intercept communications between your mobile phone and the carrier’s legitimate cell tower, allowing the US Marshals to find and triangulate the exact location of a target. Obviously, the primary target of the system is criminals — but the report says a lot of “innocent Americans” are also being tagged by the program.
News of this US Marshals program comes from the Wall Street Journal. According to “people familiar with the operations,” the US Marshals Service has been flying fake cell towers out of “at least five metropolitan-area airports, with a flying range covering most of the U.S. population.” The program has reportedly been in operation since 2007. There’s no word on how many suspects/fugitives were actually caught using this system, but with a reported accuracy of 10 feet (3 meters) — enough to pick out a specific room in a building — it’s probably quite effective.
The core piece of technology behind the program is a signals intelligence (sigint) box made by Digital Receiver Technology (which is now a subsidiary of Boeing). When the box (known as a DRTBOX or dirtbox) is nearby, it intercepts the registration signals that are broadcast by mobile devices as they look for a carrier’s cell tower. In hacking terms, it’s essentially a man-in-the-middle attack. From these intercepted signals, the dirtbox can sift through the IMSI (unique ID) of every cellphone in the area — and with multiple passes of the plane, triangulate the precise location of each IMSI. Essentially, the US Marshals program is very similar to the Stingray devices that police use — but flying around is far more efficient than sticking an IMSI catcher in the back of a van. It’s also very hard to triangulate a precise location with a Stingray, while it’s relatively easy with a dirtbox-equipped Cessna.
The WSJ report says newer versions of the dirtbox can also jam signals, or download files and photos from devices. It’s not clear how the dirtbox would do this, but there are only really two options: They’re using an “official” backdoor (most device makers have to provide such a backdoor for US law enforcement to abuse), or they’re exploiting a bug/hole in the baseband. You’re probably not aware that every mobile phone actually consists of two computers — the consumer-facing OS like Android or iOS which runs on the SoC, and a “background” OS on the baseband chip that handles all of the cellular connectivity stuff. This secondary OS can be hacked, providing an alternative, very-low-level route into your phone. The WSJ says it doesn’t know if the US Marshals Service has ever used this extra functionality, or if it simply uses the dirtbox to triangulate locations.
The US Marshals flying dirtbox IMSI catcher in action [Image credit: Wall Street Journal]
The purpose of the program, as you’ve probably worked out, is to avoid having to ask carriers like Verizon and AT&T for information — a process that US law enforcement considers “slow and inaccurate.” Whether the program is actually legal or not, I have no idea. Presumably it’s on fairly solid ground if the Marshals have a warrant for the suspect’s arrest — but obviously, a lot of data is being collected about innocent people, too. Much like the NSA programs revealed by Edward Snowden, wide-scale IMSI catching by the US Marshals isn’t intrinsically bad — but because this is a secretive government program, we have absolutely no assurances that the right safeguards and appropriate oversight are in place to prevent abuse.
It will also be interesting to see how Verizon, AT&T, Sprint, and other US carriers react to this news. These dirtboxes actively intercept signals from a specific carrier — if the Marshals are looking for an AT&T customer, the dirtbox will switch into “AT&T mode,” replicating the frequencies and protocols used by AT&T cellphones. There’s a possibility that the carriers signed off on this particularly pernicious piece of governmental snooping, but I doubt it. More likely, I think the carriers will be angry that the US government is degrading their wireless services.