You may have seen the news earlier this month. For the first time, the Department of Homeland Security publicly acknowledged the existence in Washington, DC of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages. In other words, as you are going about your business in the Washington, DC area, foreign powers could be listening to your phone calls and reading your texts.
Of course, foreign spies are not the only ones who have access to your information. American law enforcement agencies, such as the FBI and even the Washington, DC Metropolitan Police also use these devices for surveillance. With the right equipment, anyone can hijack your cellphone.
What Are These Electronic Surveillance Devices?
The devices, known as International Mobile Subscriber Identity (ISMI) catchers or by the brand name Stingray, used to be expensive, bulky and hard to purchase. However, they can now be as small as a briefcase or even a cellphone.
ISMI-catchers trick mobile devices into locking onto them instead of legitimate cell towers from a network like Verizon or AT&T. They act as a fake mobile tower between the cellphone and the service providers’ real towers, essentially creating what’s called a “man-in-the-middle” attack. They are able to bypass the mutual authentication required between the handset and the network on 3G and 4G networks by forcing devices to downgrade to older 2G services that can’t tell the difference between real and fake towers. Once the device has locked on, the ISMI-catcher can determine the exact location of a particular cellphone and, depending on the sophistication of the device, even eavesdrop on calls and text or plant malware.
Actions to Take Now
Be aware. If you are using second factor authentication through text or email to your cellphone, you are vulnerable to this man-in-the-middle attack. To protect yourself, install an app that supports second-factor authentication (2FA), such as Duo, LastPass, Google Authenticator or Authy. These applications use encryption to protect the communication between your phone and the application you are attempting to login to. This means 2FA apps will protect you even if the cellphone communication signal has been compromised and your texts and emails are visible.
Personally, I like Google Authenticator or Last Pass Authenticator (see my previous post regarding Last Pass). For corporate use, Invario recommends Duo. Duo is a great tool that allows companies to establish and enforce policies for user access to company applications and resources.
Finally, always make sure you’re following best practices when it comes to passwords. Never reuse passwords across multiple applications or websites. That way, even if you do fall victim to an electronic surveillance attack, the amount of data the hackers can retrieve will be limited.
Feedback
If you have questions about this article, or if there is an IT topic you would like to know more about please email me your suggestions.
Referral$
If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.
That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.
Referral$
If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.
That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.