Congress must adopt stronger safeguards for wireless cybersecurity: Expert

Cell-site simulators mimic legitimate cellular towers, tricking nearby mobile devices into connecting to them and then using the connection to intercept or block voice, text, and data communication. The greatest risks are associated with second-generation or “2G” wireless protocols, which don’t include authentication for cellular towers.

Cell-site simulators can attack a mobile device in a number of ways, Mayer explained. An attacker might force a phone to downgrade the cellular connection to 2G, enabling complete control of the connection. Alternatively, a cell-site simulator could pose as a miniature “femtocell” cell tower — a small cellular base station typically used in homes and small businesses — or as a roaming network partner. Cell phones would automatically connect, allowing for eavesdropping and location tracking.

“The possible criminal uses of cell-site simulators are limited only by our collective imagination,” Mayer said. “For example, by intercepting wireless communications, criminals could capture private financial information and steal funds; they could collect sensitive medical information and conduct blackmail; or they could obtain confidential business information for commercial gain.”

Cell-site simulators vary greatly in cost, range and capability, and are most often used by law enforcement agencies. The federal government currently owns more than 400 cell-site simulators, and at least 73 state and local law enforcement agencies also own the devices. They are commonly used to track the location of a criminal suspect or to identify all the phones in an area.

Mayer highlighted that police departments appear to violate federal law when they operate cell-site simulators, because they are transmitting on exclusively licensed cellular frequencies. “I believe that cell-site simulators are legitimate investigative tools, and they should be available,” Mayer said. “But, until Congress takes action, the nation’s police departments will remain in legal limbo. I encourage Congress to consider legislation that resolves these issues.”

Mayer also touched upon other vulnerabilities in the nation’s wireless infrastructure that threaten privacy and safety. These include Signaling System 7 (SS7) and Diameter, which allow users to connect to foreign carriers while traveling; mobile device security updates, which are often too late to protect users; and caller ID, which criminals can use for “robocall” schemes and other frauds.

Congress can and should address these pervasive issues by conditioning federal wireless expenditures on stronger cybersecurity practices, Mayer explained in his testimony.

He said wireless carriers should be required to undergo routine audits and deploy commercially available firewalls, filters and network monitoring to defend SS7 and Diameter systems. Carriers, operating system vendors, and device manufacturers should implement defenses against 2G cell-site simulators and should commit to maintaining mobile devices with prompt security updates for a certain amount of time after sale. Carriers should also commit to a near-term rollout of authenticated caller ID, with a specific timeline for adoption.