Cell-Site Simulator Proposal: A Glimpse Inside the Black Box Whose Secrets Are Protected by NDAs and Obfuscation
by Michael Dean Thompson
The cell-site simulator (“CSS”) is a powerful and largely unregulated device once designed for military intelligence use that has found its way onto the streets of the U.S. Today, in fact, it is even being offered to policing agencies pre-installed on unmarked police vehicles. The system does not come cheap, but that has not stopped cops from purchasing them. The Boston Institute for Non-Profit Journalism (“BINJ”) managed to acquire a proposal for a CSS-enabled Chevrolet Silverado 2500 that Jacobs Technology’s Engineering Integration Group (“EIG”) submitted to the Massachusetts State Police (“MSP”). The $1 million proposal was the winning bid for a single CSS-enabled truck.
Cell-Site Simulator Features
Cell-site simulators were initially sold to domestic police departments that were willing to sign a nondisclosure agreement (“NDA”). The NDA was required, in part, by the FBI in order to conceal CSS abilities from the courts. The FBI’s position was that even “innocuous information about cell-site simulators would provide adversaries with information about the capabilities, limitations, and circumstances of their use, and would allow these adversaries to draw conclusions about the use and technical abilities of the technology,” according to an NDA acquired by the American Civil Liberties Union (“ACLU”).
The NDAs worked to obfuscate their capabilities. Despite clauses that required prosecutors to deny their use, even to the point of dropping charges if the CSS might end up in front of the courts, the devices were nevertheless brought in front of judges. At times, agents’ testimonies contradicted those of other agents. The contradictions could have been explained away as different devices but might also have been intentionally misleading. That is not as farfetched as it may seem. The efforts to hide the use of the devices led at least one Florida prosecutor to label a cell-site simulator as a confidential informant in order to dissuade the courts from looking too closely.
It has been known for some time that CSS systems are capable of eavesdropping on cellular conversations, collecting text (SMS) messages, and identifying the network to which a device subscribes. Today, more is known, although some of the obfuscation persists. Modern CSS systems are capable of intercepting 5G communications and geolocating cell phones in the vicinity.
The system EIG sold to the MSP is able to generate “heat maps” that show general locations but also includes separate direction finders that help users to pinpoint devices. The entire band of 5G communications, subsuming that of earlier generations, can be detected by the EIG system—from 400 MHz to 4.2 GHz. Those frequencies include Wi-Fi communications, running the risk of exposing to the cops every network to which an innocent phone that happens to be in the area has connected. The system is also able to watch multiple concurrent connections and can be significantly expanded. The system EIG provided to the MSP also allows for a mission definition where information about all devices the system monitored can be exported to additional tools for subsequent and more rigorous analysis.
The Chevrolet Silverado also contains radio frequency shielding. That is necessary because the CSS system inside the truck is capable of emitting powerful radio signals, rather than just monitoring them. In the past, agents have admitted that the CSS devices they have used have blocked the target phone, as well as some nearby innocent devices. This happens because the CSS presents itself as a stronger cell tower, tricking nearby phones into preferring to connect to it. As a pickup truck would likely be quite far from its target (as far as a cell phone is concerned), they appear to have amped up the emissions to levels that might be dangerous to officers with long-term exposure. They may then be capable of jamming the calls of that many more devices at once. An amplifier intended to “minimize impact on non-targeted cellular use” costs an additional $125,000. Regardless, a jammed device would not have access to 911, which can be even more dangerous during “no-knock” warrants.
The submitted proposal also mentions that the equipment will allow for “live” technical and mission support over the internet. Cops who are insufficiently trained on certain features can call on EIG’s support to provide remote control assistance. Yet, that may lead technicians who are not aware of the existing local legal conditions to operate the equipment in a manner that violates the civil rights of the affected people.
A substantial amount of the proposal focuses on the system’s invisibility. Each vehicle has a color-matched “truck cap” that hides the antennas. In addition, the windows are tinted to thwart the curious. The “zero antenna profile” attempts to defeat casual awareness of the military-style device being used around neighborhoods and protests as they casually collect the identities of cellular devices and, potentially, conversation content.
Case Studies
The EIG proposal included two case studies intended to show the MSP the efficacy of the system. The first was a murder investigation by the Indiana State Police. The second was a summary of cases investigated by the Fontana Police Department in California. The proposal contained articles referencing the first case. The articles differed enough from the presentation that it is possible the company included it in the proposal in the expectation it would not be released.
The Indiana State Police example is said to have used a “discreet, turn-key CSS platform” to arrest four people, two of whom were charged with murder and torture. It goes on to mention that they used a CSS vehicle, presumably similar to the one they were selling to the MSP, to locate a targeted device. Their mobile direction finder then complemented the one in the vehicle to track down the service further. As a result, they were able to arrest people that had previously been “nowhere on the Kokomo PD radar.”
The BINJ journalist followed the included links to the news article about the arrests and discovered there was no mention of the use of cell-site simulators. Instead, a mention was made of a found video leading to the arrest. The journalist was unable to determine if any warrants or arrest affidavits mentioned the technology at all. The failure to release the technology’s use fits past CSS use profiles. Rather than be transparent about their use, police will at times create false chains of evidence (like the confidential informant in Florida) or a parallel construction, where investigators find other evidence to support their case—typically with the aid of the very device or technique whose existence is being kept secret—rather than admit to the technological source.
Alex Marthews, founder of the privacy advocacy group Digital Fourth, told BINJ, “A practice of concealment like we have seen in cell-site simulator cases cuts against the basic rules of fairness in trial proceedings.” Maddeningly, many regions do not require the acquisition of warrants or court orders in order to use cell-site simulators. Without this essential tool, defendants are not able to adequately defend themselves in the courts.
One of the functions of a CSS is to serve as an International Mobile Subscriber Identity (“IMSI”) catcher—an IMSI is a unique number that identifies a mobile device user on a cellular network. Essentially, the device just listens to nearby traffic and extracts the identification information of all nearby devices.
Fifth-generation phones attempt to make the process more difficult by encrypting the Subscriber Concealed Identifier (“SUCI”). While this may help conceal the owner and network information in most cases, it does not conceal the device itself, and it is likely that a product sold at that price while targeting a 5G market has surmounted the problem at least some of the time. The reduced effectiveness of the traditional attacks means that the 5G CSS devices must be that much more sophisticated so that the police are no longer merely listening to calls broadcast over the airwaves but are having to take active measures to listen in.
Kade Crockford, director of the Technology for Liberty Program at the ACLU, believes that the use of warrants should be uncontroversial. She told BINJ, “If you’re only using this to find dangerous people or help investigate serious crimes, then getting a warrant shouldn’t be an obstacle and you should want to get a warrant, so the defendant doesn’t have a reason to dismiss the criminal prosecution.”
The second case study was not as specific. Instead, it indicated that there were 169 arrests using the company’s technology, 13 of which were for murder. In the process of investigating cellular devices in over 300 deployments, the device ended up being quite profitable with nearly $10 million in seized money using EIG’s older, 4G technology. The company was appealing to the MSP’s profit motive, whether implicitly or explicitly. Those seizures alone would have more than paid for the tool while also likely funding other police department interests.
Marthews told the BINJ, “Forfeitures are a black box slush fund.” They can be used for virtually anything. The 169 arrests also resulted in the seizure of 238 kilograms of cocaine, 1,258 pounds of methamphetamines, 26 kilograms of Fentanyl/heroin, and 64 guns. For a town of just 210,000 people, this seems to imply an emphasis on drug cases over all others. This reflects a problem seen with other controversial technologies used by police departments: tools that are purchased to deal with the most serious crimes are often used for investigating less serious crimes.
Oversight
Boston requires that police disclose the use of cell-site simulators, but the state itself has no such limitation. As it was the Massachusetts State Police that purchased the CSS on wheels, there will be some inherent challenges as to how it might be used. That means the courts will have to deal with the CSS question as it comes up on a case-by-case basis, assuming anyone knows it was used in the first place so that it can be brought up.
Cell-site simulators are capable of dredging up significant amounts of information on both suspects and the completely innocent, and insufficient protections can result in permanent retention of that sensitive data. Without regulations covering data retention, judges might not even address the problem, according to Crockford of the ACLU.
Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation, argues that we need an independent watchdog agency to review these systems so that we can see what they do and how they are being used. It is disturbing that a sales proposal has provided more information than has been broadly available. Quintin says, “This is the clearest picture that we’ve gotten of how cell-site simulators are operated, installed, and sold in years.”
It is unsurprising that increased oversight actually reduces use. Oakland dictates that the police must submit a “description of how the surveillance technology was used, including the type and quantity of data gathered and analyzed by the technology.” It also requires that they indicate where the technology was used, helping the city to understand if certain neighborhoods are being disproportionately targeted.
In 2022, the Oakland Police Department did not use its CSS. Because Oakland police must report whether the technology was effective on top of its usage, Mike Katz-Lacabe of Oakland Privacy told BINJ, “As a result, it’s never been used more than 10 times per year…. Other departments that do not have as much transparency do seem to use their devices a lot more.” The Fontana case study would certainly seem to support Katz-Lacabe’s statement.
Conclusion
There are other cell-site simulator systems available beyond Jacobs Technology’s Engineering Integration Group. Although the former leader, L3-Harris, has backed out of the state and local CSS market, plenty of other companies remain. Two other companies bid on the MSP contract: Cognyte Software and Tactical Support Equipment, Inc. They may not have won that bid, but Cognyte did go on to win a lucrative contract with Albuquerque for its CSS system. And for those who are more budget-minded, there are even open-source CSS systems available on the internet. There are alarmingly few laws and regulations governing the use of these powerful devices, leading to a race for features that are designed to eliminate any real privacy for the people the police may arbitrarily target.
The MSP paid for their million-dollar pickup with part of a $4 million 2023 COPS Anti-Heroin Task Force Program grant. The grant is allocated to locations that have a high concentration of people being treated for drug use. A million dollars could have gone a long way to help treat people suffering from the scourge of addiction. Instead, it was used to expand the already bloated surveillance state.
Sources: EFF.org, TheShoestring.org, AtlasOfSurveillance.org