Can cell providers tell when police spy on their networks?
New research shows it's possible to tell when police use IMSI catcher surveillance technology
For years, police and government agencies around the world have used a controversial investigative technique to spy on cellular phones, often disrupting cellular networks in the process.
But one wireless carrier has had enough.
T-Mobile Austria, which is a fully-owned subsidiary of Deutsche Telekom, teamed up with academics at SBA Research in Vienna to study the effects of electronic surveillance devices known as IMSI catchers on cellular networks — and most importantly, whether the use of such devices can be reliably detected.
The researchers propose using the network monitoring systems that most carriers already have in place to look for tell-tale signs that an IMSI catcher may have been used.
Their paper was presented at a computer security conference in France this past September.
As far as I know, some Canadian carriers are investigating their ability to detect these devices- Christopher Parsons, research associate at The Citizen Lab
IMSI catchers, which have been deployed in law enforcement vehicles and even airplanes, masquerade as legitimate cellphone towers so that cellphones in the device's immediate geographic area are tricked into connecting to the fake cell tower instead.
Once connected, police can track the location and movement of a phone, access information about the phone — commonly known as metadata — which can be used to link a phone to its owner, and even intercept communications depending on the target phone and model of IMSI catcher used.
Civil liberties lawyers and privacy advocates have decried the use of IMSI catchers because of their potential to infringe on user privacy — in some cases forcing hundreds, if not thousands of phones, which are not under investigation, to hand over information about their owners — a point that law enforcement agencies contest.
But for cellular network operators, the use of IMSI catchers is a business concern as well. By design, IMSI catchers disrupt a user's connection with the cellular network for varying periods of time — which, depending on the length of the outage, can result in complaints — and in some cases have even been found to block attempts at dialling 911.
"We want to protect our frequency spectrum, which is quite expensive," said Georg Petzl, T-Mobile Austria's chief security officer, and one of the study's co-authors. "To make sure that customers' service quality is not lowered, you need to be able to say 'this was an incident happening on our network' and 'this was a misuse of the frequency.'"
Looking for needles in a wireless haystack
Two of the paper's authors, SBA Research academics Adrian Dabrowski and Edgar R. Weippl, were granted supervised access to T-Mobile Austria's network — which has four million subscribers — to test their proposed methods for detection.
The researchers tested various makes and models of phones to see how each behaved after disconnecting from a makeshift IMSI catcher. They used the results to identify a common set of criteria, of varying degrees of reliability, that a network operator could use as evidence suggesting an IMSI catcher had been used.
"Our results show that detection from the operator side is possible," the researchers wrote.
Of course, there are caveats. Due to limitations in T-Mobile Austria's monitoring systems, and the way that cellular networks are designed, the researchers were only able to monitor a single area of coverage — also known as a cell — at a time. They suggest that modifications would be necessary to make real-time detection possible across the whole network.
Also, the researchers admit that further study is needed to reliably detect IMSI catchers that are only used to locate and identify a cellular phone, versus IMSI catchers that capture a phone over longer periods for the purpose of storing, modifying, or relaying communication data.
Could these hurdles be overcome, and detection mechanisms be deployed on a carrier's network?
"It could be done," Petzl said.
Carriers stay quiet
One question is whether telecommunications carriers should notify users when an IMSI catcher is used — much like tech companies such as Google and Microsoft do when user data has been requested by a law enforcement or government agency, unless prohibited by law.
"We're not interested in individual devices," Petzl said, when asked whether T-Mobile Austria was interested in informing users when IMSI catchers are used. "From a carrier perspective, we're only interested in disturbances on a cell level."
"We don't publicly disclose the measures we take to ensure the security of our networks- Jacqueline Michelis, Bell spokesperson
"I think the carriers have an obligation to their customers, as well as the government that's providing them with spectrum licenses, to monitor when spectrum is used inappropriately and report on it," said Christopher Parsons, a research associate at the Citizen Lab, which is part of the University of Toronto's Munk School of Global Affairs.
Parsons, along with lawyer Tamir Israel from the Canadian Internet Policy and Public Interest Clinic (CIPPIC), co-authored a comprehensive report on the use of IMSI catchers in Canada, which was published in September.
"As far as I know, some Canadian carriers are investigating their ability to detect these devices," Parsons said, but declined to name them.
In Canada, IMSI catchers are technically illegal to possess or use, but documents shared with the CBC suggest that the government may have granted the RCMP and CSIS an exception.
In response to questions, Bell spokesperson Jacqueline Michelis wrote in an email that "the use of IMSI catchers is illegal in Canada. We don't publicly disclose the measures we take to ensure the security of our networks."
TELUS and Videotron did not respond to a request for comment, while Rogers declined to comment.
In the U.S. Verizon and T-Mobile USA declined to comment, AT&T did not respond to questions, and Sprint merely linked to the company's privacy policy.