Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


May 09, 2008

Cell Phone Spying

A handy guide:

A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing.

Once connected, the service shows you the exact location of the phone by the minute, conveniently pinpointed on a Google Map. So far, the service is only available in the UK, but the company has indicated plans to expand its service to other countries soon.

[...]

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device. And the scariest part? They run virtually undetectable to the average eye.

Take, for example, Flexispy. The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot. Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on. The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Posted on May 09, 2008 at 06:27 AM | 29 Comments

Comments

Has anyone tried this? It sounds rather unlikely; first of all, where would they get all that information, from all the different service providers? Secondly, why would they need a reply from the phone? Would that be because they need the phone's internal number (kind of like a MAC address)? Otherwise, if the phone has been moved while turned off, they would lose the "lock" on the position and would have to start over.

I don't know a whole lot about the details of the GSM protocol, but I can imagine they can find the location if they call someone (maybe even if they don't answer, as long as the phone is on).

Also, I would think this is only borderline-legal, if at all. One could argue that the location of their phone is personal information, and, as such, covered by privacy laws.

Posted by: Sparky at May 9, 2008 07:32 AM


"The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot."

This sounds like something out of the old Gene Hackman movie, "The Conversation".

Posted by: regis at May 9, 2008 07:38 AM


I think that Flexispy needs an app running on the phone (Symbian or Windows Mobile). Also from the FAQ - "FlexiSPY needs a working Internet connection on your mobile."

I'm safe with my bottom of the range Nokia then!

Posted by: John Davies at May 9, 2008 07:56 AM


And in fact one of the best ways to subvert this is to leave your well-known cell phone somewhere convenient as you travel around without it.

Preferably right next to the speaker of a PC that you've been playing "Stack The Cats" on. :D "Stack the Cats" is my favorite low-cost, low-effort way of dealing with a bugged room.

http://www.thefrown.com/?/games/-2/384

Posted by: Trichinosis USA at May 9, 2008 08:24 AM


@Sparky: IIRC from the first time I heard about a service like this, they don't "need" a response to the text message at all. It's a (feeble) security measure, an attempt to get the permission of the person being tracked. There's no technical need for it.

And yes, the big question is why network operators are (a) willing, and (b) permitted to provide the information needed to do this.

According to the website it's "only" Orange, Voda and O2. So maybe I'll call up Orange and tell them I'm switching to T-Mobile unless they can exclude my number from ever being tracked by any such service...

Posted by: SteveJ at May 9, 2008 08:32 AM


Looking at the FlexiSpy website, it appears that you have to install the software on the victim's phone:

"Can I install FlexiSPY remotely?
No. You need to have the phone physically in your hand for about 15 min. Installation is simple. You simply open up a web page on the mobile and enter your code. The download and install begins automatically"

"How does Remote Listening work?
The phone with FlexiSPY on it is the target phone. The phone you make spy calls from is the monitor phone. When you call the target phone from the monitor phone, the target phone will answer the call, letting you listen to the phone's surroundings. If the phone is busy or a key is pressed, the spy call will be disconnected, and the target will be none the wiser."

Simply put, you have the thing installed on your phone and someone else calls it. Not quite as dangerous as it initially sounds.

Posted by: Dave at May 9, 2008 08:34 AM


@sparky

Your phone can be uniquely identified by either the IMSI (sim), IMEI (phone) or MSISDN (number).

Posted by: bloop at May 9, 2008 08:34 AM


@sparky

Damn.. Posted my previous message before finishing!

Location updates (containing cell id and IMSI) are generated as a phone moves between cells. So that can give geography. But this is sent within the core mobile network and therefore would have to be provided by the network operator.

Posted by: bloop at May 9, 2008 08:44 AM


@Dave,

"Not quite as dangerous ..."

You have forgotten that the phone operator can download a patch to your phone's software any time they like and frequently do (supposedly it needs to be signed or some such on modern phones...)

Also, as a lot of teenagers know, downloading a ring tone to a phone is not that difficult either. So 15 mins seems a long time; I reckon with a bit of practice it could be done whilst you go get a cup of coffee or comfort stop.

Phone security is at best laughable (have a look on Cryptome's GSM section). Even on modern phones the security model is to protect the phone OS from apps running in the computer OS running on the phone (MS Windows / Symbian et al).

Importantly, phones are going to be used as security tokens in future. So not having proper app to app security will within a year or so be a significant issue.

Posted by: Clive Robinson at May 9, 2008 09:04 AM


Logged in to World Tracker - no signs of the scary ability to track someone by their cell phones. The service just allows you to _manually_ specify your location, so your friends can see where you are. Seems that Mr. Schneier just copypasted the text from www.geeksaresexy.net.

Posted by: Silencer at May 9, 2008 09:10 AM


Kind of related to the Telco / Spy thing: why can't we devise a piece of software to track them??? Yes, I know the Gov has all the tools.

To Bruce and all the Tech Gurus on this site: Would like your technical input on how Unknown Name / Unknown Number calls can be traced, or HOW they are routed by Telecoms OR even allowed!

Below is my attempt at having COMCAST block an Unknown name / number that keeps calling my NEW Comcast Digital phone number!

Hello COMCAST - This is rather long but please read

I have been trying to block a company that is calling our home number (harassing us with unsolicited offers). I have tried using the Comcast feature but it is not working, as the company obviously has an auto dialer with a registration for both the name and number coming across as “Unknown Name & Number”. Can we do something on Comcast's part to block this? The company first started calling the day after I got my new digital phone number. I was able to block the 800 service numbers but now they are using the “Unknown Name Unknown Number” to harass us.

The 800 numbers that I have blocked are listed below; can you have Comcast's investigation division get them / trace them? Comcast should be able to trace the calls in the telco routing station to the point from which they call.

800 257 5722
877 450 6649

If you look up these numbers on the internet it appears they have been frequent violators

http://whocalled.us/list/

http://800notes.com/Phone.aspx/1-800-257-5722

http://whocallsme.com/Phone-Number.aspx/8002575722


COMCAST
Thank you for contacting Comcast Live Chat Support. Please give me one moment to review your information.

COMCAST
I am sorry to hear of what this company is doing.

COMCAST
Have you had a chance to add your number to the do not call list?

Customer
I am doing that, but what about getting the comcast investigation unit involved?

COMCAST
I apologize but our features work on blocking numbers by the phone number registered under the line or by blocking numbers who have their display blocked. Since the display shows “Unknown Name Unknown Number” it tells us that their caller ID information is blank

COMCAST
I would recommend to contact the company to be removed from their contact list as well as adding your name to the Do Not Call list.

Customer
Again, what about having the investigation unit get involved, it seems crazy that anyone could get a number without an ID. I told them when they first called to remove me.

COMCAST
Please give me just one moment to see if there is anything that we can do on our end.

Customer
ok

COMCAST
I have looked into this for you and I am very sorry but at this time Comcast is unable to address this for you. The only thing that we would advise is for you to enter your number on the state's Do Not Call list and the National one. If after you do this, the calls persist, I would recommend to contact the Federal Trade Commission, which is the Government office that is in charge of making sure that the Do Not Call registries are followed.

Posted by: Ruby at May 9, 2008 09:14 AM


@Ruby: Maybe you could use some guerrilla warfare. Depending on what they are offering you, and your local laws, you could do a few things that cost them money and effort. Where I live (the Netherlands), the law basically says return any item over something like 50 euros (don't know exactly) and get a refund, no questions asked (provided the item is in new condition, packaging intact etc.). This also applies to anything sent to you by mail.

You could also refuse to accept anything they have sent you, make appointments for a mortgage broker or whatever when you're not home, have them go through the trouble of selling you something (probably recorded), where you just mention you are intoxicated (and thus unable to enter into a contract).

If they are offering anything, you should be able to at least get a company name.

Posted by: Sparky at May 9, 2008 09:27 AM


Comcast doesn't care, except that they are in the middle of a big promotion to get people to sign up for their network. A bad news story will damage millions of dollars worth of propaganda. There is a national do not call list in the US. It's equally useless, especially if Comcast will not tell you where the call originates.

Posted by: carbon14 at May 9, 2008 09:39 AM


@Ruby,

The problem is actually tracing the call originator's connection point. It might not actually have a "dialling number" attached to it that is known. And COMCAST may not be able to trace it back further than to the foreign network connection to their network.

The easiest solution is to take the call and give the sales droid the run around and waste their time as much as possible without giving any details.

Fairly soon the droid or the next one will log you as being a time waster, which earns them nothing and at that point you usually get left alone.

Posted by: Clive Robinson at May 9, 2008 09:47 AM


@Sparky.

First of all, I worked for two years for a company providing high accuracy location services for embedding into GSM networks.

GSM networks support multiple methods for determining the location of a handset - ranging in accuracy from the cell location (accurate to kms down to 100's of m) up to and including GPS enabled on the handset itself. (The technology I worked on was measuring the timing of arrival of base station signals on the handset and using that to determine its location - google for E-OTD).

One of the initial drivers for high accuracy is for emergency use (E911 in the US, sim elsewhere), and for obvious reasons does not require permission from the end user for the emergency services to locate your handset.

The operators have looked to resell this technology for general use and it is available for 3rd parties to buy from them to build applications round - e.g. the World Tracker here could be based on such a resold service. Obviously opt in/out should be applicable.

Dave

Posted by: Dave at May 9, 2008 09:48 AM


Hehe, Symbian or Windows Mobile...
... how do I love proprietary OLD devices.

And I will NEVER EVER use a mobile phone with built-in GPS/GALILEO

Posted by: TheDoctor at May 9, 2008 09:56 AM


From Worldtracker's site...
http://www.world-tracker.com/products/lbs/

World-Tracker.com GSM is a service which can give you the peace of mind of knowing where your (love) children, their parents or any other pesky guardians are at any time, without letting them intrude on your day to day 'activity'. It uses the mobile phone network to locate your little 'friends' anywhere in the UK. You can access this information from this website or via text message.

World-tracker. Know where (...they are when you need some.)


Well, near enough.

Posted by: Mark at May 9, 2008 09:57 AM


@Sparky: ``I would think this is only borderline-legal''

And your point is?

My answer is the ``John Ashcroft solution[1]'': buy a blister-pack pay-as-you-go phone. So long as you activate it from somewhere other than your own phone, it's anonymous.

(Admittedly, if They want to know whose phone it is, traffic analysis would have you nailed in minutes.)

[1] http://media.www.thevistaonline.com/media/storage/paper962/news/2001/09/26/UndefinedSection/Disposable.Cell.Phones.Available.In.October-2112861.shtml

Posted by: Terry Cloth at May 9, 2008 10:10 AM


RE: Cell phone eavesdropping -

This has been done for years...in fact, one very large company routinely listens in on its employees' company issued phones - without their knowledge (you can't even tell you've been connected).

Solution? Turn the damn thing off when not in use.

Posted by: 1915bond at May 9, 2008 10:34 AM


Three blog posts about this (from 2006):

http://www.badscience.net/index.php?s=track+girlfriend

from a respected pro-science blogger.

Posted by: CGR at May 9, 2008 10:49 AM


"in fact, one very large company routinely listens in on its employees' company issued phones - without their knowledge "

These laws vary from state to state in the US, but I believe that every state requires that either the caller or the callee must be informed that a call is being monitored/recorded. So either the employees signed something saying they understand that the company will do this, or when they call someone that someone would get a message ("to improve the quality of service, this call may be monitored or recorded") which the employee would get asked about in short order.

I don't think there's a legal way for a company to listen in on a company-issued cellphone without the employee knowing.

Posted by: Skorj at May 9, 2008 02:32 PM


This is perfectly possible - I've tried followus.co.uk myself (for tracking my 11-year-old daughter, should she ever go missing on the way back from school).

It's done by measuring the time from the handset to the towers, with obviously one tower giving a ring of locations, two towers giving two intersecting points, and three or more should be enough to identify the point to within _up_to_ 100m. The best I got, in the rather rural area I live in, was around 2 miles away :-( but at least it did show the handset wasn't far, and it would have shown if it was 300 miles away, so 2 miles isn't so bad I guess.

Detecting the location of people, without their knowledge, is an EU privacy violation, so all these sites *must* have controls to prevent this, like sending initial and periodic confirmation text messages.

Fundamentally, the access to the data is sold by the phone companies, so if they violate the rights of the handset holder, the tracker company, the phone company, and the person illegally tracking someone may all be culpable. The regulator, OFCOM, have already got these companies to tighten up on handset-holder authorisation, and it is very likely that abuse of these services will be looked upon as poor governance by the phone company, who it can fine, and ultimately revoke their license.

Technically, it looks like Vodafone have the best location capability, e.g. they retain location data when/where a handset is turned off, so even if the phone is turned off, out of signal or destroyed, at least you know when & where it was at that point. (Other phone companies may have caught up now, technology being, well, 'technology')

@sparky - IMSIs aren't usually used with basestations in Europe; temporary IMSIs (TIMSIs) are automatically generated and used after initial power-up handshake. Part of this is to make it difficult to join phone data with a phone number through sniffing - you would need to sniff the initial IMSI/TIMSI handshake, and continuously monitor for TIMSI change.

Posted by: Dom De Vitto at May 9, 2008 04:21 PM


It's a very interesting post, thank you.

Posted by: logistyka at May 9, 2008 05:04 PM


The companies (WorldTracker, ChildLocate, ..., MobileLocate) have direct access to the Mobile Operators location database. We have done some research on this topic a couple of weeks ago.

The scary part here is that the company (MobileLocate etc) has access to the location information of any mobile subscriber with or without their consent (again, direct access to the MobOp location database).

It is then up to the company to only display tracking information to those people who pay for the service.

Of course there is a 'policy' in place that explains that the company should only extract location information of those subscribers who agreed to it.

Technically they can extract Location Information of anyone. By policy they are only 'allowed' to extract of those who agree.

The definition of 'agree' and how to authenticate the user is left to the tracking company.

Posted by: mark at May 11, 2008 02:17 AM


"Solution? Turn the damn thing off when not in use."

No, pull out the battery, turning it off isn't enough.

Anyone who seriously cares about privacy doesn't own a cell phone or pager, period. If you laugh this off or challenge it with your fat fingers you're just another monkey.

Posted by: a at May 11, 2008 06:55 AM


This sort of service is available in Germany as well, with all the described features (GSM & GPS location) and more. Similar to the service Dom describes in http://www.schneier.com/blog/archives/2008/05/cell_phone_spyi_1.html#c268646 , it is marketed as a monitoring service and package (you can order a complete kit including a GPS-enabled handset) for children and is offered by a foundation mostly engaged in various emergency communication services (such as the motorway phone box network): http://www.steiger-stiftung.de/LifeService-Kids.72.0.html

As Bruce has often blogged, targeting concerned parents is a very effective way to cast aside all collateral privacy concerns.

Posted by: Anonymous #3 at May 11, 2008 01:17 PM


If the audio bugging product requires mobile internet connection for data transmission, it should be pretty easy to detect, in Australia at least; just wait for the sudden $1000 increase in your mobile data costs....

Posted by: Nic at May 11, 2008 08:34 PM


@Skorj:

Every recording I've heard (which means in North America) about "this call may be recorded or monitored" goes on to say "... for quality and training purposes." This means use of the recording is limited to those stated purposes.

Posted by: Harry at May 12, 2008 09:27 AM

