The Growing Cellphone Eavesdropping Threat

Because of the nature of cellphones, and the means in which they connect and authenticate with cell phone towers, the threat of cell phone tapping is a real one, and one that continues to grow in scale.

Cell phone surveillance devices known as ‘International Mobile Subscriber Identity (IMSI) catchers,’ send out signals like cell phone towers, mimicking cell tower signals, and tricking phones into connecting to them in place of legitimate cell sites. The IMSI catchers then collect all kinds of information transmitted from the phone including conversations, messages, and identifying information¹ without disrupting those communications and while remaining imperceptible to the target.

‘StingRay,’ the name of a widely known IMSI catcher manufactured by the Harris Corporation, is named for the stingray fish that sweeps the bottom of the ocean floor without notice from other fish; analogous to the StingRay device that sweeps up conversations without awareness of either the target or the cellphone carrier. The term Stingray has also become a generic term to describe IMSI catchers.

It is commonly assumed that intrusive cell eavesdropping technology is widely used in China, Russia, Eastern Europe, Latin America, the Middle East and elsewhere. Naively, we tend to feel more assured in the United States and in Western Europe. However, it has been widely covered that IMSI catchers were found all over the US including New York, Washington, California, Texas, Florida, and Illinois. As recently as last week it was reported that more than 20 were discovered in the UK.

It is now known publicly that IMSI catchers, or Stingrays are widely available. These devices continue to grow smaller and have become less expensive. Today, they are as small as suitcases and are commercially available for less than $2,000. As a result, the growth in the use of these devices continues to accelerate. People with nefarious intentions procure and use them, and Stingrays are no longer the exclusive domain of law enforcement.

Once someone – anyone – sets up an IMSI catcher, they can collect all sorts of communications, putting people’s security and privacy at risk – without the targets ever being aware that they are at risk.

From a practical perspective this means that when you are on your mobile phone, conducting a conversation with your significant other, boss, colleague, or collaborator, someone can very well be listening in – either intentionally tapping your phone, or listening to other conversations in the same area where yours is picked up as well. This tapping can easily be done – without you ever being aware of it.

Protecting your Communications

Frequently, rather than putting sensitive information in an email – whether the confidential information is business, personal, or subject to compliance – we pick up our mobile phones and call to make sure never to leave sensitive information in writing. We think of our cellphones as an extension of our direct communication, and speak freely to the person on the other end, not concerned about the path in between. Rarely do we hesitate before making a phone call to consider whether anyone other than the person on the other side of the call will have access to the information.

While we cannot prevent our phones from falling prey to IMSI catchers, we can prevent the hackers from collecting any meaningful information by encrypting our mobile communications and ensuring that our conversations and messages cannot be tapped.

The only way to completely secure mobile communications is by encrypting them. Encrypted phone calls and messages are never available to anyone other than the intended recipients. Should the call or message be hacked, or intercepted by a stingray or any other technology, only encrypted communications can be accessed. Unencrypted, perceptible communications can never be accessed by a third party.

KoolSpan provides an easy-to-use mobile communications encryption solution, ensuring calls and messages are encrypted end-to-end, and only accessible to the intended recipients. KoolSpan solutions are available for download from app stores including Google Play and Apple and are supported on Android and iPhone.

For more information on securing your mobile communications, contact KoolSpan.

¹https://www.emsec.rub.de/media/crypto/attachments/files/2011/04/imsi_catcher.pdf

Elad Yoran

Elad Yoran is Executive Chairman of KoolSpan, CEO of Security Growth Partners (SGP) and Associate Adjunct Professor at Columbia University School of International and Public Affairs (SIPA). He is a 20+ year cybersecurity executive and entrepreneur, among other things having founded and led many foundational cyber companies. He serves as director at Infinidat as well as on several government and industry boards including the Army Cyber Institute, the Cloud Security Alliance, and previously, the FBI IT Advisory Council. Elad is the author of many articles going back to the original Internet Security Threat Report research papers. Elad’s cybersecurity entrepreneurial experience, for which he was honored as “Entrepreneur of the Year” by E&Y, includes Riptech, acquired by Symantec; MediaSentry, acquired by SafeNet; Sentrigo, acquired by McAfee; Vaultive, acquired by CyberArk and others. Previously, Elad served as VP Global Business Development at Symantec. In addition, Elad was a strategic investor and director/advisor to Red Owl Analytics, acquired by Forcepoint; NetWitness, acquired by RSA; ThreatGrid, acquired by Cisco; and Insightix, acquired by McAfee. Previously, Elad served as a US Army officer and is a veteran of Operation Restore Hope in Mogadishu, Somalia. He is a graduate of the Wharton School and West Point.