great news for schizophrenics!

FBI taps cell phone mic as eavesdropping tool

The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations. [...]

The U.S. Commerce Department's security office warns that "a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone." An article in the Financial Times last year said mobile providers can "remotely install a piece of software on to any handset, without the owner's knowledge, which will activate the microphone even when its owner is not making a call."

Nextel and Samsung handsets and the Motorola Razr are especially vulnerable to software downloads that activate their microphones, said James Atkinson, a counter-surveillance consultant who has worked closely with government agencies. "They can be remotely accessed and made to transmit room audio all the time," he said. "You can do that without having physical access to the phone." [...]

Other mobile providers were reluctant to talk about this kind of surveillance. Verizon Wireless said only that it "works closely with law enforcement and public safety officials. When presented with legally authorized orders, we assist law enforcement in every way possible."

This is a good hack; I wonder what the mechanism is. Do these phones do automatic software updates? Or would it be necessary to trick the user into downloading a trojan?


94 Responses:

  1. bonniegrrl says:

    i heard if you have a baby monitor on in your car you can pick up any nearby cell phone conversations too. good times.

    • waider says:

      I suspect this is urban legend from that Simpsons episode... GSM phones use constantly changing frequencies and/or encryption, so your baby monitor isn't going to pick that up. CDMA phones use multiple frequencies and probably also have encryption so at best your baby monitor picks up a fraction of the call. Analogue phones are the most likely to be "tappable" with a baby monitor. I'd file it under "possible but unlikely" since phones tend to operate in licensed frequencies while home-use wireless devices (baby monitors, cordless phones, etc.) tend to operate in unlicensed frequencies.

      Still, you can use your cellphone as a baby monitor...

      • tiff_seattle says:

        Not really an urban legend, but with modern phones it's pretty much impossible. Older analog phones were definitely prone to eavesdropping. In fact, the feds made 1800 MHz range scanners illegal for precisely this issue.

      • tiff_seattle says:

        actually that was 800 MHz

      • cjensen says:

        Yes, the original baby monitors and cordless home phones used the same set of crappy analog channels for unencrypted analog transmission.

        If you have a tri-band cell phone like me, to this day you get switched to the analog unencrypted cell service whenever you travel to the boondocks. You should assume you are being monitored there.

        My favorite was Marine Radio phone calls. You used to be able to get to a phone operator on certain Marine frequencies and it was entirely legal to sit and listen to someone's conversation. In fact, if you wanted to make a call you kinda had to listen to wait until the previous call was finished.

      • gryazi says:

        Way back in this time called the "1980s," cellphones or the equivalent in the US ran in what we came to know as the 800MHz AMPS band or licensed radiotelephone spectra (GMRS-esque stuff, use of specific licenses in "commercial bands" to do amateur-radio-style phone patch to Bob's Pretend You're Starring in 'Dallas' Limo Service, etc.).

        However, another product was coming on the market at this time, known as the "cordless phone." These items originally ran in the same unlicensed 49MHz band as every other piece of consumer electronics that wasn't up in the 27MHz band did. (Remember when you went to Radio Shack to flip through the Whiz Kids comics, you had all of two choices of band for your R/C cars?) Early versions of both cordless phones and baby monitors supported a grand total of, oh, about one "channel" within said band. Since all these devices (save the R/C cars) were using analog modulations, you had a grand total of "AM" or "FM" to choose from, so the chances of Product A picking up Product B's signal in the clear would be pretty damn good.

        The situation for cordless phones actually hasn't changed much today; probably half the ones on the market in the US are still analog, and sit on the same frequency within their band until you hear the neighbors and push the 'channel' button. What they have done is add that little digital-ish burst of a shared secret between the base and handset(s), thus putting up a reasonable inconvenience barrier against someone wardriving your long-distance minutes or 900 numbers. Remember, at some point in the recent past, calling beyond your local area actually cost money.

        On top of this, there has been a DMCA-like law (or an FCC rule backed by law of some sort or other) since sometime in the '90s that restricts sale of anything that can receive the 800MHz AMPS band and maybe the 900MHz cordless phone band. In reality, this has always just meant a radio nerd looks up the right jumper to snip or short in his receiver, since blocking out a chunk of otherwise tunable spectrum is pretty much a software thing, especially for manufacturers who want to sell the same hardware in countries without such rules.

        What is changing is that cellphones have been digital (with varying degrees of cryptography) for a while now, and consumer electronics have been pushed up into the 2.4GHz and 5.8GHz 'ISM' microwave bands, where various efforts to utilize the bandwidth while competing with the interference from every other device trying to use it have resulted in somewhat more novel modulations -- more digital methods, wideband, frequency-hopping, whatever, a civilian eavesdropper has to become a bit more of a software radio nerd in the DSP sense, or at the very least have a reasonable idea of what sort of device he's targeting. (900MHz, 2.4GHz or 5.8GHz cordless phone? Analog of one flavor or another? Some miscellaneous manufacturer-specific digital modulation? DECT?)

        The people you don't want to meet in government have the advantage of access to the 'wires' of the various communications networks or cellular base stations, plus all the shortcuts now mandated to protect us from terra. There's certainly hardware out there that could record a whole feltch of spectrum and drag it back to the super secret bunker hidden under the secret bunker under the secret bunker under the Krispy Kreme for processing, but there's little reason to bother with that when you have control over the base stations and lines... or in this case, the firmware of devices that were built to have random binaries pushed out to them as part of the "service." (That could change if some sort of magical ad-hoc mesh-routed infrastructure becomes popular, but any such technology would have to be standardized from the physical layer on up to the point where you could just run a proverbial tcpdump.)

      • gryazi says:


        Of course, getting back to the '80s, there's also that thing where the top of what was once the UHF TV band (channels 80+?) became allocated to the AMPS spectrum, and somewhere between 'no' and 'enough' tinkering was said to let you listen to calls that happened to fall into the band. There was one specific text file about using the leakage from a Motorola brick phone's amplifier, but I never saw it work very well back when AMPS was still in decently heavy use.

        [Damn, I actually went over the length limit.]

        ...Er, and for everyone saying things like 'I bet it hides a hidden call!!!,' you realize these things are little computers with 3G DSL-speed data links whether or not a conventional virtual voice circuit gets used, and both the manufacturers and providers collaborated to specifically design and provision you hardware built to magically accept ads, shitty games, and other canned content out of the provider's walled garden without any user intervention at all? The capabilities are there; it's just that common sense or test-marketing has spared us some of the most egregious bad ideas they were planning. (OMG WE CAN MAKE THE PHONE START RINGING TO TELL YOU YOU'RE STANDING NEXT TO A STARBUCKS WHEN YOU'RE STANDING NEXT TO A STARBUCKS!!! AND IT'LL PLAY A VOICE AD OUT THE RINGTONE SPEAKER AND THEN THE BATTERY WILL BLOW UP IF YOU DON'T BUY A BISCOTTI WITHIN THE NEXT SEVEN MINUTES)

  2. waider says:

    Hard to tell from the complete lack of information in the article (the guessing that it's a piece of software which calls a number while hacking the display to prevent it showing the active call is bogus, not least because any attempt to use the phone during that time would either disconnect the call or tip off the owner that the phone is somehow in use) but my best guess would be it's a bluetooth hack - my own Motorola phone offers the ability to offload pretty much the entire HCI to bluetooth devices, and it's entirely plausible that the only modification required to the phone would be to switch off any authentication on the bluetooth interface.

    • waider says:

      Oh, and there's this news item from earlier this year.

    • maxvt says:

      Another reason why the guessing is bogus is that the battery would die every few hours. Most modern phones' batteries are only good for 2-3 hours of talking, but can spend several days in on/standby mode.

      • legolas says:

        That might explain my battery problems ;-)

        But really, this is going to be a problem anyway, just turning on the microphone won't help anyone, let alone the FBI, the audio needs to get out somehow... Since bluetooth is ±10m, that won't help much and it's not in all phones. So transmit the phone must...

  3. prasun says:

    Some phones have a feature that the call is automatically answered after a specific number of rings, iff the headset is attached. With volume set to zero, this becomes a "bug" without any software updates.

  4. One would imagine the best way to detect this sort of this would be the rapid battery drain, right?

    My old cell phone used to get rather warm as I talked on it, but I bet the new ones don't even do that either, or perhaps the largest part of battery drain is due to the audio playback. I don't know.

    • elanswer says:

      That would explain a couple of days this past month.....

    • injector says:

      I think the biggest battery drain is running the transmitter. Even with the most recent phones the talk time is 1/10 of the stand-by time.

      So yeah, if one's phone was being used as a wireless bug for any portion of the day it should be noticeable. Unless that person was already a heavy user.

    • feren says:

      Battery drain is also a frequent side-effect of "Searching," where the cellular loses contact with a tower and has to up the strength of its transmissions in an effort to re-establish contact with a base station.

      • I think you're right. I have a treo 700p and 2 1/2 days out of my week are spent inside a building that gets zero signal. My battery is 1/4 drained by the end of the day unless I turn it off in the morning, and usually I haven't done a damn thing.

      • brettpeters says:

        Searching's impact on battery drain is even more pronounced when moving between digital and analog networks. Something to do with having to change bands on top of reestablishing the connection just sucks the life out of a battery.

        In newer-fangled phones, Bluetooth is the secondary battery drain culprit. Turning off Bluetooth is usually the best thing you can do for a lot of phones' battery performance.

        • lars_larsen says:

          Analog service uses much higher transmission strength than digital service. This is because the analog towers are farther apart, and for call quality because there is no error correction.

    • rapier1 says:

      Probably not a noticeable power drain. There are a couple of ways you can do this - the mic is on but not actively doing anything unless there is enough sound to turn it on. If the phone has internal memory it could record the conversation (you could do less than 4 bits at 2kHz and get useful recordings) then this file could be squirted back every so often. Either way would keep the power consumption down as you wouldn't need to keep the radio on all the time.

      The thing to remember is that you shouldn't think of this as a phone but as a radio transceiver with a computer attached. You can do a whole lot with it.

      • rapier1 says:

        oh. not noticeable if they are smart about it and don't just keep it on *constantly* like a phone off the hook. I don't think whoever they are are that dumb.

      • Yeah. Or send your compressed audio squirts back over GPRS (or EVDO or whatever packet-data protocol your preferred air interface has) and you don't even need to initiate a call.

        Technologically, there's nothing difficult about this scenario. Many cell phones can get OTA firmware updates. Cell phones have enough CPU these days to run a smart compressing microphone and there's enough data bandwidth to send the audio back. If the folks from the TLAs can get cooperation from the handset manufacturer (for making the firmware update) and the local cell provider (for sending it to the phone), then a cellphone "infinity transmitter" is not at all farfetched.

        This is why I don't allow my henchmen to carry cellphones at my secret undersea base --- not that the cell signal would get through a mile of seawater anyway, but it pays to be careful.

      • 205guy says:

        Just record to memory, and duplex the data out on the next call. Downloading would be similar, your phone was not open source and you can have not way to trust it.

        In addition, your computer with a radio interface communicates with a larger computer tied into a communication network that has already been thoroughly monitored. And unlike the internet, you have no way of trusting those larger computers since they are wholly owned by private companies under the direction of the FCC.

        Though I have to wonder if the analog phone lines can still be bugged in the same ways. Maybe the equipment or knowledge for bugging analog lines is now being lost. Might there not be some local analog lines that go unnoticed because resources and know-how are focused on the new networks. You know, like in the Matrix.

        • 205guy says:

          I'm not drunk, just having trouble with copy-paste. That should read:

          ...and you have no way to trust it.

          Kinda like those election machines, the new electronic voting booths, I might add.

  5. twiin says:

    They also do this with OnStar systems in cars.

  6. insomnia says:

    From a 2001 Openwave/Verizon press release:

    Verizon Wireless . . . and Openwave Systems . . . the worldwide leader of open Internet-based communication infrastructure software and applications, have collaborated to introduce an open, customized, standards-based over-the-air provisioning solution for voice and data service. The new offering, coupled with Verizon Wireless' IP network, will centrally manage handset parameters, automatically update roaming lists and area code information, maintain IP addresses and data parameters and, in the future, will enable remote software updates to wireless phones.

    Safe to say that the ability to remotely update your mobile phone's software is pretty common nowadays.

    • insomnia says:

      Now, of course, I'm curious whether this open, standards-based provisioning solution can be hacked by the general public to do other amusing (or not-so-amusing) things.

      • brettpeters says:

        Developing the application is easy when compared to getting a major carrier to put it on one of their provisioning servers. That would take some serious social engineering.

        • sheilagh says:

          like getting AT&T to allow a completely secret network room to be built to track phone calls?

          • brettpeters says:

            Wouldn't it be great if the court cases revealed the secret rooms were actually installed at the behest of some MIT pranksters pretending to be from the NSA?

            Pure comedy gold, I tell you.

  7. moof says:

    The landline variation of this has been talked about since the 1980s (at very least.)

    • jwz says:

      People talk about a lot of things.

    • quercus says:

      Totally different tech. The infinity transmitter ('70s tech) was just realising that switches designed around DC concepts and used at 3.3kHz tops might be "open circuit" by design but were actually low impedance to a high frequency signal, owing to capacitive coupling. Squirt a high frequency signal into a low frequency piece of kit and it ran straight through the hook switch as if it was off-hook, even when the handset was down.

    • sheilagh says:

      Orwell actually published 1984 in 1949.

  8. no_brakes23 says:

    I first learned of this when reading Enemies Foreign & Domestic. Trac-fones would be the counter, I believe.

  9. rezendi says:

    I read once, source forgotten, that at least some cell phones are designed so that they can be turned on remotely even when "off" - not (initially) for spying/bugging purposes, just to automate QA.

    See also Bluebugging. Same thing, just different protocol.

    • jwz says:

      This (remote turn-on) seems incredibly unlikely for any number of reasons, so I'm not going to believe that without evidence.

        • jwz says:

          There's a world of difference between "the phone wakes when an alarm goes off" and "the phone maintains a network connection when supposedly powered down."

          • krotty says:

            What if you wake it up every 600 sec to check if spy mode should be on and then go back to sleep if not? Everything is possible with custom firmware. You can have network connection on and show "blank screen" as if powered down.

          • rezendi says:

            Yeah, I very strongly doubt it would maintain a GSM (or cell-flavour-of-your-choice) connection, but it wouldn't be impossible to have a mode in which an apparently "off" handset remains half-alive, ready to initiate an outgoing call upon receipt of a given radio signal. Would even be possible, putting on my tinfoil hat, to remotely switch a phone's "off" mode from "really off" to "half-alive".

            Mind you I don't know how much power staying half-alive would require. Much less than talk mode, obviously, what with the screen off and no transmission required, but it still might draw down your battery in a hurry. And once the handset has woken up and has dialled out to the Orbital Mind Control Lasers, heat alone might draw unwanted attention.

            Or, like krotty says, it could wake up and poll every so often, though that would be a pain in the ass for whoever's listening.

            • lars_larsen says:

              I doubt it's true, but I can think of one reason for a phone to stay half alive.

              Say you're walking down the street with your cell phone off. You go into a building, and a criminal tries to kill you. You turn the phone on and call 911, but the attacker knocks it out of your hand before you can give your location.

              Obviously GPS doesn't work in buildings, so it would be a good thing(tm) if the phone could remember its most recent GPS coordinates. Hopefully that's near the front of the building you're in, and not 10 miles away when you turned your phone off.

              I know there is at least some slight difference between "off" and "battery removed" with my bottom-of-the-line nokia. Sometimes after I turn it off I can't turn it on again without removing the battery first. This leads me to believe it crashed while OFF.

              • jwz says:

                Well first, your example is contrived and dumb, almost as if you work for the TSA.

                But second, do any cell phones actually do GPS? I thought that what they were calling "GPS" was actually "take the average of the known, static locations claimed by all the cell towers the phone can ping." And obviously the phone can know that if you're able to make a call at all.

                I think this is what they do because, as you say, GPS doesn't work inside. Or through windows. Or fog. Or if someone has farted recently.

                • quercus says:

                  A significant number of Treo do GPS (with a dongle), if they're also being used to run in-car satnavs like TomTom.

                  There have been some real phones with real GPS, but that seemed to be a purely Japanese aberration because they could, not because anyone wanted or used it.

                  • keimel says:

                    Apparently most Treo and many other phones do GPS. I discovered this in conversation with a State Police dispatcher when I, from the side of the road, called them from an accident scene and said "I can give you exact coordinates from my GPS, it's in the car, let me get it."

                    "Don't worry, your phone (Treo 650) has a GPS in it. A lot of phones do, but only we can see them."

                    some level of conversation related to 'oh really?' and 'yeah, we do.... '

                    "There you are, you're about 1/2 mile north of the whatchmacallit road overpass. We'll be there soon."

                    So, my Treo, unbeknownst to me, had GPS and law enforcement had access to it. From that conversation I was given the impression that many other phones of the more modern variety do. And I did quiz as to whether they were using cell towers to triangulate me or whether it was GPS - they definitely said it was GPS.

                    In this case it was a Good Thing.

                  • quercus says:

                    Apparently most Treo and many other phones do GPS.

                    Treos don't. Their dongle is separate - usually Bluetoothed these days, although the older Clies used to use a plugin.

                    Your conversation with Officer Dibble seems to have been confusing GPS with triangulation data from base stations to cellphones. You (as a punter or dotcom with location-based services) might get access down to the cell level or so, but the uniforms do indeed get a higher precision location from it.

                  • doidydoidy says:

                    "GPS" seems to have turned into a generic term meaning "knowing where shit is". Over the weekend I was reading a newspaper article about some new surgical procedure in which navigation inside the patient's body was referred to as "like GPS", which I would hope is completely inaccurate.

                • lars_larsen says:

                  I agree it's contrived, and it's the ONLY thing I could possibly think of to justify keeping a phone half-alive.


                  "The recent surge in GPS, at least in the United States, can be largely traced to the Federal Communications Commission's E911 mandate. Under E911, cellular carriers must ensure that, by the end of 2005, 95 percent of the phones on their networks can be located by rescue workers when people dial 911.

                  While carriers have experimented with various ideas for implementing E911, such as the oft-criticized Enhanced Observed Time Difference (EOTD), the emerging technology of choice for many appears to be GPS, or a form of GPS that can be enhanced through cellular positioning. Sprint, Verizon Wireless and Nextel Communications are adopting a form of GPS for E911."

                  My $30 prepaid crap-tastic phone even has GPS:


                  It has a feature to allow me to disable sending my GPS location to sprint except for emergency calls. It even has a little icon on the screen showing me the GPS information is not being sent.

                  • jwz says:

                    That tear-sheet does seem to say that it uses honest-to-god satellite GPS, but I'm still not sure I believe it. The E911 regs only require location, not a particular technology, and cell triangulation works pretty well for that, is way cheaper, works indoors, doesn't require ten minutes to get a signal lock, etc., etc. So I don't see a reason why they'd use real GPS.

                  • lars_larsen says:

                    Well the GPS signal doesn't require 10 minutes to get a signal lock because the cell towers tell the phone which satellites are in view, so it doesn't have to go through all of them. That's why they call it a "form" of GPS.

                    The reason they use GPS is because not all locations have the equipment installed at the towers to do "Enhanced Observed Time Difference" location. Especially in rural areas. The federal regulations don't require a lot of accuracy, but they do require 95% of phones to be located. If enough phones are in an area without EOTD then they're shit out of luck.

                    As with most things, it probably comes down to money. It's cheaper to put a GPS in every handset than it is to roll out expensive triangulation hardware on every cell tower in the country. They can also sell services based on GPS. Nextel came out with this right away, allowing parents to track their kids, or businesses to track their employees. They even sell handsets that let you track yourself :) There are also companies that track cell phone location and movement anonymously to identify traffic congestion and sell the data to rich people with fancy in-car navigation systems.

                  • legolas says:

                    I wonder if this also goes into the phones sold in europe? Or would it be left out to save $$?

                    And if all phones have it anyway, why don't they use it as a feature more often?

                  • lars_larsen says:

                    It's not required by law anywhere in europe that I know of, but I did find information that it's in use in parts of europe.

                • mackys says:

                  But second, do any cell phones actually do GPS?

                  Oh yes. Oh HELL yes. Look for the label "AGPS" (advanced GPS) or "LBS" (location-based services) on your next phone. That indicates the presence of a cut-down GPS implementation built right into the phone's circuitry.

                  I thought that what they were calling "GPS" was actually "take the average of the known, static locations claimed by all the cell towers the phone can ping."


                  That was part 1 of the FCC "phase 2" enhanced wireless 911 (E911) mandate. In layman's terms, phase 1 was knowing which cell tower and which sector antenna on the cell tower you were coming from, and how many microseconds the signal took to get to the tower. From there you can estimate a location.

                  The second part of phase 2 requires cut-down GPS in 95% of all handsets sold on the American market. And that is *exactly* what all cell phone manufacturers have done.

                  And guess what they have in mind for phase 3?

                  Know how I know all this? *I wrote the code*. Or at least part of it. I worked for a mid-sized small company called SignalSoft (later acquired by OpenWave) from about '99 to '01. Their business is to write the horrible, nasty, ugly as shit translator code that grabbed cell phone GPS locations that your cell phone automatically sends without your knowledge when you dial 911, and translate it to the format that a 911 operator could see on their screen. This may sound easy, but nothing that is forced to talk SS7 and IS41D ever is. :P

                  Even back before 9/11 I could see the inherent danger in this tech, so I was pretty relieved when they laid me off. And I've been shouting about people getting tracked by their cell phones ever since. But nobody listens or cares.

                  Big brother is in your cell phone. The laws are on the books, and have been since October 2k1.
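The "sector plus propagation delay" estimate mackys describes for phase 1 can be worked through numerically. This is an added illustration, not code from the thread or from any carrier or E911 system; it assumes a spherical earth, a one-way delay measured in microseconds, and a constructed 120-degree sector, and also reports how wide the uncertainty arc is at that range, which is what limits the precision of this method.

```python
import math

# Speed of light in metres per microsecond (vacuum value; air is close enough here).
C_M_PER_US = 299.792458
EARTH_RADIUS_M = 6371000.0


def range_from_delay(delay_us, round_trip=False):
    """Distance from the tower implied by a propagation delay in microseconds.

    If the measurement is a round trip (tower -> phone -> tower), halve it.
    """
    dist = delay_us * C_M_PER_US
    return dist / 2.0 if round_trip else dist


def range_error_m(timing_error_us):
    """How far off the range estimate is for a given timing error.

    Every microsecond of timing slop is roughly 300 m of range error.
    """
    return timing_error_us * C_M_PER_US


def destination(lat_deg, lon_deg, bearing_deg, dist_m):
    """Point dist_m away from (lat, lon) along a compass bearing, spherical earth."""
    lat1 = math.radians(lat_deg)
    lon1 = math.radians(lon_deg)
    brg = math.radians(bearing_deg)
    ang = dist_m / EARTH_RADIUS_M  # angular distance in radians
    lat2 = math.asin(math.sin(lat1) * math.cos(ang)
                     + math.cos(lat1) * math.sin(ang) * math.cos(brg))
    lon2 = lon1 + math.atan2(math.sin(brg) * math.sin(ang) * math.cos(lat1),
                             math.cos(ang) - math.sin(lat1) * math.sin(lat2))
    return math.degrees(lat2), math.degrees(lon2)


def phase1_estimate(tower_lat, tower_lon, sector_center_deg, sector_width_deg,
                    delay_us, round_trip=False):
    """Phase-1 style fix: the middle of the sector wedge at the delay-implied range.

    Returns the point estimate plus the length of the arc the phone could be
    anywhere along (range times sector width in radians), i.e. the real uncertainty.
    """
    r = range_from_delay(delay_us, round_trip)
    lat, lon = destination(tower_lat, tower_lon, sector_center_deg, r)
    arc_m = r * math.radians(sector_width_deg)
    return {"lat": lat, "lon": lon, "range_m": r, "arc_m": arc_m}


if __name__ == "__main__":
    # Constructed sample: a tower at (0, 0), north-facing 120-degree sector,
    # 5 microseconds one-way delay.
    est = phase1_estimate(0.0, 0.0, sector_center_deg=0.0, sector_width_deg=120.0,
                          delay_us=5.0)
    print("range %.0f m, arc of uncertainty %.0f m, point (%.5f, %.5f)"
          % (est["range_m"], est["arc_m"], est["lat"], est["lon"]))
    print("1 us timing error -> %.0f m range error" % range_error_m(1.0))
```

A 5 µs delay puts the handset about 1.5 km out, but with a 120-degree sector the arc it could lie on is over 3 km long, which is why phase 1 alone only narrows things to "somewhere in that wedge".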

                  • jwz says:

                    I know all about E911; the Treo even has a preference for whether to send the location data with non-emergency calls (though it doesn't show me location on incoming calls, so who knows if that really does anything yet.)

                    What I don't understand is how they can possibly use talking-to-satellites GPS to get any useful information. Because GPS sucks. It doesn't work through the goddamned windows in my apartment. I'm sure it's great for boats and planes, but it seems like just totally the wrong technology for cell phones or anything that might be covered by a roof, or kleenex.

                    Again: I'm not asking "do cell phones provide location info." I know they do, and I don't doubt that it's in some crufty format. What I'm asking is, "do they actually talk to the constellation of GPS satellites to implement this, and if so, OMG WHY?"

                  • lars_larsen says:

                    I agree it's a really unreliable method.

                    It's amazing GPS works AT ALL. A GPS receiver is doing the equivalent of seeing a 50 watt lightbulb from 12,000+ miles away.

                  • mackys says:

                    "Is there GPS in my cell phone"? Yes. Absolutely. That's what part 2 of the phase II mandate was - 95% of cell phones sold since about 2k2 have had a cut-down GPS built into their circuitry.

                    Why they chose this route to do things? I have no idea. I would think that the various multiple-tower triangulation techniques (angle between three towers, signal time of arrival to three towers, etc) would work plenty well enough, but evidently not...

                    I do agree GPS is totally useless for indoors tracking, though. They'll have to come up with something else for that.

                    Speculating here, I would guess that when people are inside, they tend to pick up a land line and call 911 on that much more often than they use their cell phone. That may change as time goes on, but right now that's how it usually goes. People who call 911 from their cell phones are usually outside, normally in or near their cars. So it works fairly well there. And remember, the FCC mandate is only tracking to 50 meters, which gives you a lot of slop.

                  • 205guy says:

                    Did I spell that right?

                    This is the first I've heard of that E911 (or is that 9-11, numerology experts go ahem, crazy) legislation, it sure wasn't talked about much back then. But am I the only one who thinks the government would just love to have a way to locate any cell phone, wouldn't that be so nice in the monitor-all-dissent nation we are becoming? Or does that go without saying 'round these parts? When was the last time the US government proactively used technology for civilian safety and well-being (and I'm not talking about public defibrillators)? Am I being a paranoid conspiracist now?

                    So your speculation about how this might actually be used for 911 calls is totally pointless. They don't care about inside-the-building accuracy, because the feds can barricade the building, I mean the firemen can help you once they find the building. Anyways, I believe land lines are going away, indoor cells can't be that much harder to make than a wireless router.

                    As for why GPS, perhaps because it is more accurate than cell triangulation (I'm assuming--GPS is also triangulation, just with dedicated hardware and signals). It's also very low power and is not dependent on the cell network (out of range, not enough cells, different provider networks, whatever fubar can happen when you have 4+ overlapping networks with computers located on roof-tops). GPS can just do its recording all the time (modulo jwz's kleenex argument) and send that data back when queried, giving a geographical history from the source. As for being totally useless under even a kleenex, my only explanation is that deciders were snowed-over by gee-whiz arguments from lobbyists and/or clueless GPS-is-the-new-black intelligence staff.

                  • mackys says:

So your speculation about how this might actually be used for 911 calls is totally pointless.

                    'Scuse me? What part of "I quit the company because I felt I was writing the code for big brother" did you not get?

                  • 205guy says:

                    Sorry, didn't mean to offend. You seemed to be genuinely offering arguments that support the 911 emergency call GPS scenario. It was so unlike the tone of your previous big brother comment that I admit I didn't realize you wrote both of them. So I am assuming now that your explanation of how 911-GPS might work was a rhetorical argument to show what its defenders believe. Or am I still off the mark???

                  • legolas says:

                    Since most buildings don't cover miles and miles, just remembering the last position received may actually give a good enough indication of where that bomb you called about is... Or at least where you are.

            • legolas says:

The phone could LISTEN but not broadcast anything: it could be receive only. Not sure how doable that is with GSM's broadcasting standards (which tower does it listen to, what if the tower goes out of range etc), but like your computer can keep a little power flowing to your network card, and you can turn the computer on by sending the right magic packet to the network card by its MAC address, stopping any need to keep an ip etc, I guess cellphones could work the same way...

      • telecart says:

        Intelligence agencies have been using this 'feature' for quite a while. It doesn't actually turn "on" per se, but you can eavesdrop on a cellular phone even if it's turned "off", so long as the battery is still connected.
        Assuming my mere testimony is not enough (and as you can imagine, I can't really go into any lengthy details on how I know this), feel free to ask any Company man you encounter (or in fact anyone in any sort of position handling sensitive security matters) if they have a regulation to disconnect cellphone batteries before entering a war room or a meeting discussing sensitive matters.
        Then ask yourself why on Earth would they have such a regulation.

        • jwz says:

          "Because that particular phone might have been trojaned" is already a perfectly good reason. That doesn't require belief in out-of-the-box remote-turn-on. (Everyone in this conversation seems to be confusing the two.)

    • bear_cat says:

      The phones I've seen could be turned on (when in charge mode) by sending a command over the serial port. The final test does use this feature. When the phone is off, the whole radio is too, receiver included.

  10. rapier1 says:

Dunno about you but my cell phone used to get periodic firmware/service updates from the provider. This was a few years ago but I'd imagine it's still possible to push out updates to specific phones without a problem.

  11. transgress says:

This is precisely why, or rather one of the biggest reasons, you cannot carry a cell phone into a classified/exclusionary area. This isn't anything new, it always amazes me that old tricks get used on the mob, get into the news and everyone thinks it's novel/new.

    • jwz says:

      You're so cool, how can I be you?

    • puckchaser says:

That is not the reason. It has to do with the ability of the device to store data. About 15 years ago while doing some contract work at Ft. Meade I wasn't even allowed to wear my watch into the computing center because it had a 4-function calculator built-in. Silly rule? Yes. But a rule nonetheless and they follow it strictly. That is the military way.

  12. otterley says:

    It's yet another reason why we need a truly competitive market for mobile phones and service. Allowing the carriers to control the handset market is a bad practice - one we outlawed decades ago when AT&T was (the first time around) the dominant landline player.

  13. latemodel says:

Remember: when in doubt, power off and pull the battery.

    • jwz says:

      "Two in the head, two in the heart."

    • metahacker says:

      I do not trust any electronic device that I cannot turn off. And by turn off, I mean "introduce a large air gap between power source and brains".

      Of course, a large-cap capacitor in the phone could thwart this effort...but that'd take actual forethought.

  14. edm says:

    The description you included sounds a lot like what the Car Whisperer is able to do. It's basically a bluetooth hack exploiting the fact that many devices have default pins (and quite a few of them can't even be changed), and using bluetooth to turn on the speaker and/or microphone and channel audio. (See, eg, presentation at What The Hack (2005) and a bunch of news articles from STFW.)

The Car Whisperer is attacking car hands free devices (effectively a bluetooth "headset" as far as the phone is concerned), but it wouldn't surprise me if a bunch of handsets were vulnerable, at least out of the box, to the same sort of default pin and/or bluetooth audio enablement.

    Combine this with the various hacks to extend the bluetooth range (eg, directional antenna) and it could be a fairly useful technique.

    • dojothemouse says:

      There were supposedly also bluetooth exploits that would let you freeze the phone's GUI, place a regular phone call, and delete records from the call log. That sounds pretty effective for eavesdropping.

  15. deathboy says:

    I call bullshit.

    I write games for phones, I see the enormous disparities from one model to another within the same brand, let alone from one brand to the next.

    There is no way it is feasible to claim that there is a way to do this on all phones, as phones vary so wildly. Phone operating systems are radically different from one to the next, many older phones do not have any kind of upgradeability (firmware, etc - though they can all receive service messages in the form of text messages with standard settings changes - but this is well outside that scope).

    Plus, as other people have mentioned, the difference in operating battery-life, the matter of displaying (or not) onscreen whether a call is in progress and indeed general call availability. If the government has supposedly switched your phone on to monitor you, what happens if someone else tries to call you, or you try to make a call?

The most I can imagine is that for newer, more powerful phones, you could WAP-push a program (labelled perhaps as a system update) that would enable some of this functionality, but that would only work when the phone was on and in service, and would, to anyone used to how their phone behaves, have many telltales.

    • quercus says:

      The Israelis have done this for years. Since batteries became enormous, they've become good at doing it.

      The trick is that they're not turning on a switched-off phone, they're merely trojanning it to be always-on and to look like it's switched off or on-hook. Technically it's even easy to do, the only problem is deployment. Nor is it necessary to install anything soft on a phone if you can get physical access to it, or (even better) just swap handsets for an identical one. Why do you think phone paintjobs (not just the fascia) are so popular with the potential targets in Palestine? It's not just patriotism or fanaticism, it's a way of tamper-proofing.

      As to the problem of surveillance during an incoming call, then you just drop the mic connection and listen to the call instead (and that's a tap in the network, not direct from the handset). After the call hangs up, re-establish the mic feed.

    • quercus says:

      Imagine if you could enable phone mics remotely, and you could do it to random drunks at Goth gigs...

      The GCHQ intranet is pissing itself laughing already.

    • rapier1 says:

I don't think anyone was saying you could do this for *all* phones. However, you don't need to do it for all phones. Just a statistically significant portion of them.

      And all of the other issues you bring up are easily dealt with. Having a mic on is *very* low power. The only circuitry that needs power is some small routine that monitors the mic level. If it gets above a certain level then you wake up a recording routine. You can record it at a very low bit rate (500B/s) and send chunks back every minute or so (30K/min). The battery drain would be minimal and likely be seen by the user as the battery getting weak.

Considering how rapidly people cycle through cell phones I would be surprised if there are many phones on the market more than 5 years old. Any phone less than 5 years old should be more than powerful enough to do this.

      • deathboy says:

Mm, I don't go with that. If I use IRC on my phone for a few hours, it takes almost the same hit as if I'm making a call but I've only used a handful of kilobytes.

And if your transmission is chunked to lower power use, you wind up with a non-realtime backlog of data that would have to be stored in an increasing-sized cache. Detecting noise levels on a mic to ignore non-useful data is fine if the phone's on a table, but rubbish if it's in a pocket or briefcase.

        • rapier1 says:

          And how much of the drain you see when you are using IRC is due to the screen being on full the whole time?

If the phone is in a pocket you might get additional noise from jostling in the pocket. However, I don't know what levels those would be at or if it would be insurmountable. I don't see it as a show stopper or for any reason not to do it.

Storage isn't much of a problem. You aren't talking about an always on system and at low bit rate you should be able to store more than an hour of conversation in less than 1.75MB (assuming they don't have a better codec than truespeech). That shouldn't be a problem on most phones and the data can be hidden from the user without much problem.

I think that you are dismissing this on the basis that it's not a perfect listening device. As far as I know there aren't any perfect listening devices. This one seems to be a reasonable low cost and low risk approach that may not work properly in every situation. However, it would seem to me that it would work well enough to be worthwhile - especially if you didn't have any other options.

You are also going with the idea that people pay attention to the battery indication and are cognizant enough to think "huh, my battery was at 85% and now it's at 50% and I didn't make any calls... IT MUST BE A CIA BUG!". I think most people would just say "piece of shit battery, vinny get me my charger."

  16. boggyb says:

    Apparently modern phones can do remote firmware updates. In fact, I've heard that this is even used to brick stolen handsets (by sending the phone an empty firmware update).

  17. wfaulk says:

    Have you ever had anyone accidentally call you when their cell phone was in their pocket/on the car seat/wherever? You largely can't understand a single thing that's going on, maybe pick a word out every once in a while. Why should this work any better?

    • jwz says:

      Because all the TV cop shows have that magic box where you can take a recording and turn the knob labelled "Plot Device" and the clicks and pops turn into Dolby 5.1.

    • legolas says:

      Because they would put the mic in 'handsfree' mode. If it's in your pocket, it won't do much good, but if it's on a table or something...

  18. mhagler says:

I read somewhere else that the mob-man had a Nextel phone, and I do know from working in the industry that you can do OTA (over-the-air) software downloads onto Motorola iDEN phones.

    I have seen firmware for a Nokia phone that you embed a certain calling party number into, zap onto a phone, and then when that number calls the phone will activate its microphone but otherwise make no other indication on the UI that the phone is "in-call" and thus become a spy device.

    With the help of Motorola and/or Nextel it would be trivial to write such an app and get it onto the phone.

  19. reesesx says:

    the 43,200-minute charge on my Verizon bill last month.

  20. nelc says:

    One way to get around the battery-drain problem would be to only use the capability when you know that it's worth listening. For example, if the subject is under surveillance and is observed meeting another suspicious person. Turn the phone on for the meeting, or just until something incriminating is said, at which point the feds bust in.

    Alternatively, all this is just disinformation aimed at getting the bad guys to give up their cell-phones, thereby handicapping their operations.