JUNE 17, 2020
As uprisings over police brutality and institutionalized racism have swept over the country, many people are facing the full might of law enforcement weaponry and surveillance for the first time. Whenever protesters, cell phones, and police are in the same place, protesters should worry about cell phone surveillance. Often, security practitioners or other protesters respond to that worry with advice about the use of cell-site simulators (also known as a CSS, IMSI catcher, Stingray, Dirtbox, Hailstorm, fake base station, or Crossbow) by local law enforcement. But often this advice is misguided or rooted in a fundamental lack of understanding of what a cell-site simulator is, what it does, and how often they are used.
The bottom line is this: there is very little concrete evidence of cell site simulators being used against protesters in the U.S. The threat of cell site simulators should not stop activists from voicing their dissent or using their phones. On the other hand, given that more than 85 local, state, and federal law enforcement agencies around the country have some type of CSS (some of which are used upwards of 1000 times per year), it’s not unreasonable to include cell site simulators in your security plan if you are going to a protest and take some simple steps to protect yourself.
A CSS is a device that mimics a legitimate cellular tower. Police around the world use this technology primarily to locate a phone (and therefore a person) with a high degree of accuracy, or to determine who is at a specific location. There have been reports that advanced CSSs can intercept and record the contents and metadata of phone calls and text messages on 2G networks; however, there are no publicly known ways to listen to calls and text messages on 4G networks. Cell-site simulators can also disrupt cellular service in a specific area. However, it is very hard to confirm conclusively that a government is using a CSS, because many of the observable signs of CSS use (battery drain, service interruption, or network downgrades) can happen for other reasons, such as a malfunctioning or overloaded cellular network.
For more details on how cell-site simulators work, read our in-depth white paper “Gotta Catch ‘em All.”
Interception of phone calls and text messages is the scariest potential capability of a CSS, but also perhaps the least likely. Content interception is technically unlikely because, as far as we know from current security research (that is, research on 2G and LTE/4G networks that does not take into account any security flaws or fixes in the 5G standard), it can only be performed when the target is connected over 2G. Forcing a phone down to 2G makes the attack somewhat “noisy” and easier for the user to notice. Content interception also can’t read the contents of messages sent through encrypted messaging apps such as Signal, WhatsApp, Wire, Telegram, or Keybase, because the interceptor only sees the already-encrypted traffic.
Police using a CSS to intercept content is legally unlikely as well because, in general, state and federal wiretap laws prohibit intercepting communications without a warrant. And if police were to get a wiretap order from the court, they could go directly to the phone companies to monitor phone calls, giving them the advantage of not having to be in the physical proximity of the person and the ability to use the evidence gathered in court.
One advantage law enforcement might get from using a CSS for content interception at a protest is being able to effectively wiretap several people without having to know who they are first. This would be advantageous if police didn’t know who was leading the protest beforehand. This type of mass surveillance without a warrant would be illegal. However, police have been known to use CSS without a warrant for tracking down suspects. So far, there is no evidence of police using this type of surveillance at protests.
Locating a specific mobile device (and its owner) is anecdotally the most common use of cell-site simulators by law enforcement, but conversely it may be the least useful at a protest. Locating a specific person is less useful at a protest because the police can usually already see where everyone is using helicopters and other visual surveillance methods. There are some situations, though, where police might want to follow a protester discreetly using a CSS rather than with an in-person team or a helicopter.
If a CSS were to be used at a protest, the most likely use would be determining who is nearby. A law enforcement agency could theoretically gather the IMSI (International Mobile Subscriber Identity, the unique number that identifies a SIM card) of everyone at a gathering point and later send that list to the phone companies for user identification, to prove that those people were at the protest. There are other ways to accomplish this: law enforcement could ask phone companies for a “tower dump,” which is a list of every subscriber who was connected to a specific tower at a specific time. However, a tower dump has the disadvantages of being slower, requiring a warrant, and covering a wider radius, potentially gathering the IMSIs of many people who weren’t at the protest.
Denial of service and signal jamming are additional capabilities of a CSS. In fact, the FBI has admitted that a CSS can cause signal disruption for people in the area. Unfortunately, for the same reasons it’s hard to detect CSS use, it’s hard to tell how often they are disrupting service, either purposefully or accidentally. What looks like signal jamming could also be towers getting overloaded and dropping connections: when many people suddenly gather in one place, the network can be flooded with amounts of traffic it wasn’t designed for.
How to protect yourself from a cell-site simulator
As noted in our Surveillance Self-Defense guide for protesters, the best way to protect yourself from a cell-site simulator is to put your phone in airplane mode, and disable GPS, wifi, and Bluetooth, as well as cellular data. (While GPS is “receive only” and does not leak any location information on its own, many apps track GPS location data, which ends up in databases law enforcement can search later.)
We know that some IMSI catchers can also intercept content; however, as far as we know, none of them can do this without downgrading your cellular connection to 2G. If you are concerned about protecting your device against this attack, the best thing you can do is use an encrypted messaging app like Signal or WhatsApp, and put your phone in airplane mode if you see it drop down to 2G. (There are plenty of legitimate reasons your phone might downgrade part of your connection to 2G, but better safe than sorry.) However, an important part of protests can be streaming or recording and immediately uploading videos of police violence against protesters. This is at odds with the advice of keeping your phone off or in airplane mode. It’s up to you to decide what your priorities at a protest are, and to know that what’s important to you might not be someone else’s priority.
Unfortunately, iOS and Android currently offer no easy ways to force your phone to only use 4G, though this is something the developers could certainly add to their operating systems. If you can turn off 2G on your phone, it is a good precaution to take.
How a cell-site simulator might be detected
Unfortunately, cell site simulators are very difficult to detect. Some of the signs one might interpret as evidence, such as downgrading to 2G or losing your connection to the cell network, are also common signs of an overloaded cell network. There are some apps that claim to be able to detect IMSI catchers, but most of them are either based on outdated information or have so many false positives that they are rendered useless.
One potential way to detect cell-site simulators is to use a software-defined radio to map all of the cellular antennas in your area and then look for antennas that show up and then disappear, move around, show up in two or more places, or are especially powerful. There are several projects that attempt to do this such as “Seaglass” and “SITCH” for 2G antennas, and EFF’s own “Crocodile Hunter” for 4G antennas.
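As an added illustration of the survey-based approach described above (this is example code written for this page, not code from SeaGlass, SITCH, or Crocodile Hunter), the script below runs a few of those heuristics over a constructed survey of cell sightings. The real tools obtain sightings from a software-defined radio doing a cell search; here the sightings, the three receiver positions, the cell identifiers, and every threshold (lifetime fraction, “strong” signal level, separation distance, power margin) are assumptions chosen for the demonstration, not calibrated values.

```python
"""Flag cells in a survey that appear briefly, are implausibly strong, or are
heard strongly at widely separated points. Constructed example, not real data."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import median


@dataclass(frozen=True)
class Sighting:
    cell: str    # cell identifier as broadcast (for LTE: MCC-MNC-TAC-CellID)
    t: int       # seconds since the start of the survey
    lat: float   # receiver position when the cell was heard
    lon: float
    rssi: float  # received power in dBm


def distance_m(a: Sighting, b: Sighting) -> float:
    """Great-circle distance between two receiver positions, in metres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(h))


def analyse(sightings, *, min_lifetime_frac=0.5, strong_dbm=-60.0,
            max_strong_span_m=1500.0, power_margin_db=20.0):
    """Return {cell: [reasons]} for every cell that trips at least one heuristic.
    All thresholds are assumed values for this example."""
    by_cell = defaultdict(list)
    for s in sightings:
        by_cell[s.cell].append(s)
    survey_span = max(s.t for s in sightings) - min(s.t for s in sightings)
    peaks = {c: max(s.rssi for s in ss) for c, ss in by_cell.items()}
    typical_peak = median(peaks.values())  # what a "normal" tower looks like in this survey

    flagged = {}
    for cell, ss in by_cell.items():
        reasons = []
        # 1. Real towers are heard for the whole survey; a CSS shows up and disappears.
        lifetime = max(s.t for s in ss) - min(s.t for s in ss)
        if survey_span > 0 and lifetime < min_lifetime_frac * survey_span:
            reasons.append(f"transient: heard for {lifetime}s of a {survey_span}s survey")
        # 2. A fixed tower cannot be very strong at two points far apart; a CSS that moves can.
        strong = [s for s in ss if s.rssi >= strong_dbm]
        span = max((distance_m(a, b) for a in strong for b in strong), default=0.0)
        if span > max_strong_span_m:
            reasons.append(f"strong (>= {strong_dbm} dBm) at points {span:.0f} m apart")
        # 3. A CSS parked nearby is far louder than the macro cells around it.
        excess = peaks[cell] - typical_peak
        if excess >= power_margin_db:
            reasons.append(f"peak {peaks[cell]:.0f} dBm is {excess:.0f} dB above the survey median")
        if reasons:
            flagged[cell] = reasons
    return flagged


# Constructed sample survey: a receiver spends 20 minutes at each of P0, P1, P2
# (about 1 to 2 km apart) over one hour, hearing two ordinary cells throughout
# and one cell that appears late, is far stronger, and is strong at two points.
P0, P1, P2 = (37.7749, -122.4194), (37.7800, -122.4100), (37.7900, -122.3900)


def _position(t):
    return P0 if t < 1200 else P1 if t < 2400 else P2


SURVEY = []
for t in range(0, 3601, 300):
    lat, lon = _position(t)
    SURVEY.append(Sighting("310-260-1234-5678", t, lat, lon, -78.0 - (t % 900) / 100))
    if t >= 600:
        SURVEY.append(Sighting("310-260-1234-5679", t, lat, lon, -82.0 + (t % 600) / 150))
for t, rssi in ((1200, -38.0), (1500, -35.0), (1800, -40.0)):
    SURVEY.append(Sighting("310-260-1234-9999", t, *P1, rssi))
for t, rssi in ((2400, -42.0), (2700, -45.0)):
    SURVEY.append(Sighting("310-260-1234-9999", t, *P2, rssi))

if __name__ == "__main__":
    for cell, reasons in analyse(SURVEY).items():
        print(cell)
        for r in reasons:
            print("  -", r)
```

Running it flags only the third cell, for all three reasons, while the two cells heard steadily at ordinary power pass. Note that on its own none of these signals is proof: a new small cell, a temporary tower brought in for a large event, or a survey with few sightings will trip the same heuristics, which is exactly why the projects above collect repeated surveys and compare against a baseline before calling anything a cell-site simulator.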
While it is possible that cell-site simulators are being or have been used at protests, that shouldn’t stop people from voicing their dissent. With a few easy precautions by protesters, the worst abuses of these tools can be mitigated. Nevertheless, we call on lawmakers and people at all levels of the cellular communications industry to take these issues seriously and work toward ending CSS use.
Cooper is a security researcher and Senior Staff Technologist at EFF. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state-sponsored malware. He has also performed security trainings for activists, non-profit workers, and ordinary folks around the world. He previously worked building websites for non-profits such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. He also was a co-founder of the Hackbloc hacktivist collective. In his spare time he enjoys playing music and participating in street protests.