Regular readers of Commsrisk will already appreciate that IMSI-catchers are portable devices that communicate with and gather information from mobile phones by taking the place of a network operator’s base station. You understand the technology, and hence the risks, but the following video is terrifying because it shows how IMSI-catchers are being marketed. It presents the perspective of a user as they walk through a crowded shopping mall whilst ostensibly carrying an IMSI-catcher in a discrete backpack. There is no attempt to present this as a legitimate form of intelligence gathering, as occurs when IMSI-catchers are used by the police for surveillance after they have obtained a warrant, or when IMSI-catchers are installed in search-and-rescue helicopters to locate lost hikers and skiers. It just depicts somebody spying on everybody nearby, with the implication that the device is capable of intercepting their communications. The video was shot in Singapore per the names of the operators displayed by the IMSI-catcher, but the same scene could just as easily play out in any shopping mall, anywhere in the world.
Recent events have demonstrated that the scenario depicted in the video is not just a dark fantasy. Earlier this month, Thai police arrested two residents of Hong Kong who carried an IMSI-catcher in a backpack through one of Bangkok’s most popular shopping districts. The Hong Kongers apparently used their IMSI-catcher to send fraudulent SMS texts to phones within a 1km range, but the proliferation of portable radio devices that can connect to mobile phones also represents a threat to privacy.
There has become a trend for politicians in various countries to blame social media companies for not doing enough to prevent crime. New laws and increasing pressure are being applied to social media firms, mostly with the aim of forcing them to moderate harmful content, such as adverts for scam services or links to websites that spread disinformation. The same principle could just as well be applied to this YouTube video that encourages the illegal use of technology. So why are adverts for products and services used by scammers, fraudsters and spies so easily found by anyone looking for them on LinkedIn, Facebook, YouTube and other social media platforms?
I suspect there are two reasons why legislators have overlooked adverts that target criminals who misuse comms networks and equipment, even though thousands may fall victim to their crimes. Firstly, these adverts only attract the attention of the relatively small number of criminals who already understand how to generate profit by procuring these products and services. Politicians will get a lot more positive publicity when they demand censorship of content that interests the general public, so they ignore the opportunity to nip a problem in the bud by clamping down on sales of equipment and services to criminals. That leads to a more important observation. It is difficult to identify harmless reasons why a law-abiding person would want to own and operate a device like an IMSI-catcher. Only law enforcement agencies and emergency services have a genuine need for such devices. But governments have not imposed bans or used licensing regimes to limit the sale of equipment like this.
The net result of uncontrolled sales of IMSI-catchers is that the comms industry and technologists are once again trying to solve a problem in wrong place: by detecting scams and other criminality after somebody has been harmed. The authorities should know better: French magistrates warned about the proliferation of such devices when issuing an arrest warrant for a Chinese man who later admitted to selling IMSI-catchers to a smishing gang that drove them around Paris. Prevention is better than cure, but governments keep failing to protect the public, even when they are best placed to tackle the roots of crime.
