Going rogue

A quick drive around Washington DC found 15 rogue cell phone towers.

cell phone tower

On Tuesday, ESD America and IntegriCell drove around Washington, D.C. and discovered 15 new rogue cell towers (also known as IMSI catchers or interceptors).

Rogue interceptors

Shown on the map of Washington, DC are rogue interceptors. Interceptors are a huge risk if used by a malicious actor. That's because once a device connects to them, the interceptor's operator can perform a number of tasks, including eavesdrop on calls or text messages, or in some cases push data (spyware for example) to the device.


Devices like the CryptoPhone are costly, so their not for everyone. However, Aaron Turner, president of IntegriCell, says their essential if "you're a high value target, or if you have high-value information inside of your company..."

IntegriCell plans to take the baseband firewall used in the CryptoPhone and bring it to the enterprise market later this year.

Rogue cell towers

Warnings such as this are an anomaly where portions of the communications are being manipulated outside of what is considered normal. This can include anomalies where data sessions are being manipulated or where the baseband (the OS underneath Android or iOS) does something without user interaction or after user interaction ends.

Rogue cell tower

This warning is designed around three key characteristics, Les Goldsmith, the CEO of ESD America explained to CSO. The first characteristic centers on whether the band is being reverted, such as forcing 3G communications to fall back to 2G and so on. The second centers on the cell tower that the device is connecting to, in this case it isn't real as it's not part of a legitimate network and it has no neighbors. The third characteristic is when the ciphering is disabled. Alone, these characteristics are minor issues, but when combined they can be a real problem.

White House

The discovery of so many rogue cell towers in Washington D.C. might be cause for alarm in some circles. But IntegriCell's Turner says this isn't a moment where the public should panic. It's a moment that should make one realize that if they have access to sensitive data, or if they could be a high-value target themselves, then precautions need to be taken when accessing the cellular network.

National Mall

When it comes to guarding the airwaves, the FCC isn't properly resourced to tackle the interceptor problem. Carriers should be the ones to maintain and secure the spectrum. However, they are more focused on revenue and availability, and some actions that would prevent IMSI intercepts might prevent legacy systems (such as responder equipment) from operating. The area near the National Mall was spotted as having a rogue tower signal nearby.

Kristen Paget

IMSI catchers are available from a number of dealers online who will only sell to law enforcement of governments. However, homegrown versions can also be created that work just as well for less than $1,000. In 2010, Kristin Paget demonstrated an IMSI catcher at DEFCON. Within minutes, Paget had more than 30 phones connected to the homemade system.

US Capitol

In August, the FCC told Congress that they were going to create a task force to deal with unauthorized IMSI catchers. However, the task force isn't fully operational. Moreover, it isn't clear if the FCC's enforcement arm would be responsible for dealing with perpetrators, as that might fall under the jurisdiction of the FBI, depending on how the interceptors are being used. The drive through Washington DC also found rogue cell towers near the US Capitol.

ALSO: Read the story "Rogue cell towers discovered in Washington, DC"