An NBC investigative journalism team and a security researcher went wardriving around the DC area with a cell-site-simulator detector that would tell them whenever they came in range of a fake cellphone tower that tried to trick their phones into connecting to it in order to covertly track their locations (some cell site simulators can also hack phones to spy on SMS, calls and data).
They found more than 40 such devices in a single ride; these were sited in such sensitive locations as K-Street, home to DC's massive lobbyist contingent; the Trump Tower hotel; around the city's many embassies; around the Pentagon, Fort Meade and Langley; and in many residential areas.
They estimate — without disclosing their rationale — that half of the devices they detected were part of law-enforcement operations, while the other half are presumably operating on behalf of criminals or foreign spies (in April, the DHS finally admitted that they were concerned about many known "rogue cell site simulators" in DC).
Cell site simulators have been shrouded in mystery. When they were first deployed, their manufacturers and federal cops made local law enforcement sign nondisclosure agreements requiring them to lie to judges about the evidence they were introducing in prosecutions — they enforced these by raiding local police departments to steal their case-files in order to prevent the existence of the simulators from being publicly acknowledged. The FBI stymied attempts to learn about the simulators while local law enforcement went crazy buying them with asset-forfeiture money. The existence of the simulators was only confirmed thanks to an obsessive jailhouse lawyer.
The problem of criminals and spies using the simulators against Americans was created by law enforcement. Cops in DC made extensive use of them, and the kinds of cases they were deployed in went from major crimes to petty ones. As the use of the simulators became harder to deny, cops started making weak promises to moderate their use of them, while prosecutors continued to insist that they were legitimate (Maryland's AG said that you could opt out of mobile surveillance by never turning on your phone!), even as judges started throwing out evidence gathered by them.
Inevitably, keeping the existence of this vulnerability in mobile infrastructure secret led to widespread exploitation. Cell site simulators are very easy to use, very hard to defeat, and so they proliferated and morphed and then were turned into products sold specifically to criminals. The same cops who suppressed disclosure of the vulnerabilities and argued to keep them unpatched so they could be exploited for law enforcement purposes then grew alarmed that they were being used by crooks against cops, politicians and businesses.
The I-Team's test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours.
"I suppose if you spent more time you'd find even more," said Cheh. "I have bad news for the public: Our privacy isn't what it once was."
Especially in her ward, where many of the streets are lined with embassies.
"They're doing the interrogation, or [checking] who we are, and then the white bar represents when they release us," Turner said as he demonstrated his technology.
The I-Team got picked up twice off of International Drive, right near the Chinese and Israeli embassies, then got another two hits along Massachusetts Avenue near Romania and Turkey.
All of those countries have the phone catcher technology, Turner said.
Potential Spy Devices Which Track Cellphones, Intercept Calls Found All Over D.C., Md., Va. [Jodie Fleischer, Rick Yarborough and Jeff Piper/NBC Washington]