Bringing transparency to cell phone surveillance

cell tower that a phone would normally communicate with, and tricking the phone into sending back identifying information about its location and how it is communicating. The portable surveillance devices now range in size from a walkie-talkie to a suitcase, and in price from several thousand to hundreds of thousands of dollars.

Law enforcement teams in the U.S. have used the technology to locate people of interest, to find equipment used in the commission of crimes and even to collect massive amounts of cell phone data from airplanes. Even less is known about how spies or cyber criminals are deploying them worldwide, especially as models become more affordableor able to be built in a hacker’s garage.

To catch these IMSI-catchers in the act, SeaGlass uses sensors built from off-the-shelf parts that can be installed in vehicles — ideally ones that drive long hours and to many parts of a city, such as ridesharing vehicles or other fleets. The sensors pick up signals broadcast from the existing cell tower network, which remain fairly constant. Then SeaGlass aggregates that data over time to create a baseline map of “normal” cell tower behavior.

The team from the UW Security and Privacy Research Lab developed algorithms and other methods to detect irregularities in the cellular network that can expose the presence of a simulator. These include a strong signal in an odd spot or at an odd frequency that has never been there before, “temporary” towers that disappear after a short time and signal configurations that are different from what a carrier would normally transmit.

Allen School doctoral student and co-author Gabriel Cadamuro built statistical models to help find anomalies in the data. The team’s survey approach differs from existing apps that attempt to detect attacks from a cell-site simulator on an individual’s phone.

“We’re looking at the whole cellular landscape and pinpointing discrepancies in data, while the apps for the most part are guessing at how a cell-site simulator would act with a phone,” said Ney.

Co-author and Allen School professor Tadayoshi Kohno added, “We’ve demonstrated that SeaGlass is effective in detecting these irregularities and narrowing the universe of things people might want to investigate further.”

For instance, around an immigration services building south of Seattle run by the U.S. Department of Homeland Security, SeaGlass detected a cell tower that transmitted on six different frequencies over the two-month period. That was notable because 96 percent of all other base cell towers broadcast on a single channel, and the other 4 percent only used two or three channels.

The team also detected an odd signal near the Seattle-Tacoma International airport with suspicious properties that were markedly different from those normally used by network providers.

Those patterns would make sense if a mimicking cell-site simulator were operating in those areas, the researchers said, but further investigation would be necessary to definitively reach that conclusion.

“This issue is bigger than one team of researchers,” said Smith.  “We’re eager to push this out into the community and find partners who can crowdsource more data collection and begin to connect the dots in meaningful ways.”

— Read more in Peter Ney et al., “SeaGlass: Enabling City-Wide IMSI-Catcher Detection,” Proceedings on Privacy Enhancing Technologies (June 2017)