Why It’s So Hard to Say Who Is Using an IMSI Catcher
Israel, China, Russia? Who was using a surveillance device on Parliament Hill in Ottawa?
On Monday, the CBC reported that it used some specialized tools to detect the possible use of powerful surveillance devices called IMSI catchers on Parliament Hill in Ottawa, the seat of Canada's federal government.
IMSI catchers imitate cell phone towers and force all phones within a designated area to connect, revealing information about the device and its user. Although we know that the RCMP and local police have used IMSI catchers in Canada in the past, Minister Ralph Goodale, whose office oversees national security, denied that any of the country's police or security agencies were responsible for the detected surveillance. However, this week, the RCMP did confirm that they use the devices for the first time.
So, who was allegedly spying on people's phones in Ottawa? Thanks to some speculation by an unnamed government source, as reported by the CBC, everybody is freaking out about whether it could be Russia. But it's actually incredibly difficult to say who deployed an IMSI catcher, or even where it was made.
"That does not mean that they deployed it, and it doesn't even mean that they made the IMSI catcher"
The CBC quoted Les Goldsmith (the CEO of ESD America, the company that manufactured the tools used by CBC to detect the surveillance devices) as saying that the device could be of Russian, Chinese, or Israeli origin, but in a follow-up call with Motherboard he explained the nuances and why it's actually impossible to know for sure.
"Although there are [many] countries that say they make IMSI catchers, there are only a few countries that actually make the chipsets [the circuits at the heart of the device], which are used by various manufacturers," he continued. "The activity that we're seeing is consistent with one of those three countries being the origin of the chipset. That does not mean that they deployed it, and it doesn't even mean that they made the IMSI catcher."
According to Goldsmith, the market for IMSI catchers is saturated with copycats that use the same chipsets from that small set of countries, making it difficult if not impossible to say for certain where the device came from, or who was using it.
"You will see that when it comes to IMSI catchers, when you look online and see what's for sale—many are in the exact same box, and that's because different companies add software to existing chipsets and market it as their own product," he explained.
Geoffrey Vaughan, a Toronto-based information security researcher who focuses on IMSI catcher detection, agreed that speculating whether the IMSI catcher came from Russia or China is bound to be fruitless.
"If IMSI catchers are sold from the UK, for example, presumably they have a setup guide, an installation guide, and they all follow that reasonably closely—so they'll all have a similar signature that might pop up in the UK or any of the dozen countries they devices are sold to," Vaughan said.
It's also possible that the CBC reporters detected a false positive, although that's an unlikely scenario due to the use of ESD America's software, which Vaughan said is one of the best in the industry at IMSI catcher detection. Still, he continued, some pieces of legitimate infrastructure may create signals that look like IMSI catcher activity if the person doing the detecting doesn't first conduct numerous sweeps of an area to determine the normal level of activity.
As for how certain Goldsmith is that the activity detected by the CBC team using his product is in fact an IMSI catcher, percentage-wise, "the high 90s," he said.
But when it comes to saying whether Russia, China, Israel, or anybody else is responsible for skulking around Ottawa with surveillance equipment, nobody can be that certain.
Subscribe to pluspluspodcast , Motherboard's new show about the people and machines that are building our future.