Remotely Eavesdropping on Cell Phone Microphones

I give a talk called "The Future of Privacy," where I talk about current and future technological developments that erode our privacy. One of the things I talk about is auditory eavesdropping, and I hypothesize that a cell phone microphone could be turned on surreptitiously and remotely.

I never had any actual evidence one way or the other, but the technique has surfaced in an organized crime prosecution:

The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.

Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.

Seems that the technique is to download eavesdropping software into the phone:

The U.S. Commerce Department's security office warns that "a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone." An article in the Financial Times last year said mobile providers can "remotely install a piece of software on to any handset, without the owner's knowledge, which will activate the microphone even when its owner is not making a call."

Nextel and Samsung handsets and the Motorola Razr are especially vulnerable to software downloads that activate their microphones, said James Atkinson, a counter-surveillance consultant who has worked closely with government agencies. "They can be remotely accessed and made to transmit room audio all the time," he said. "You can do that without having physical access to the phone."

[...]

Details of how the Nextel bugs worked are sketchy. Court documents, including an affidavit (p1) and (p2) prepared by Assistant U.S. Attorney Jonathan Kolodner in September 2003, refer to them as a "listening device placed in the cellular telephone." That phrase could refer to software or hardware.

One private investigator interviewed by CNET News.com, Skipp Porteous of Sherlock Investigations in New York, said he believed the FBI planted a physical bug somewhere in the Nextel handset and did not remotely activate the microphone.

"They had to have physical possession of the phone to do it," Porteous said. "There are several ways that they could have gotten physical possession. Then they monitored the bug from fairly near by."

But other experts thought microphone activation is the more likely scenario, mostly because the battery in a tiny bug would not have lasted a year and because court documents say the bug works anywhere "within the United States"--in other words, outside the range of a nearby FBI agent armed with a radio receiver.

In addition, a paranoid Mafioso likely would be suspicious of any ploy to get him to hand over a cell phone so a bug could be planted. And Kolodner's affidavit seeking a court order lists Ardito's phone number, his 15-digit International Mobile Subscriber Identifier, and lists Nextel Communications as the service provider, all of which would be unnecessary if a physical bug were being planted.

A BBC article from 2004 reported that intelligence agencies routinely employ the remote-activation method. "A mobile sitting on the desk of a politician or businessman can act as a powerful, undetectable bug," the article said, "enabling them to be activated at a later date to pick up sounds even when the receiver is down."

For its part, Nextel said through spokesman Travis Sowders: "We're not aware of this investigation, and we weren't asked to participate."

EDITED TO ADD (12/12): Another article.

Posted on December 5, 2006 at 6:29 AM

Comments

Greg • December 5, 2006 7:27 AM

Yea well, there are a lot of things possible on cell phones. Old ones and new ones. When I was working for a GSM based network there were... cases that make me believe the current claims.

There are however a few things to note. First is that battery life is based totally on the transmission time. This is physics, you can't "hack" it, so battery life would be very short if it's "on" all the time; even sound activated would drain it pretty quick.

The second is interference and general security. High security places don't allow any *transmission* or recording device because they don't trust the guy with the phone any more than the phone. GSM phones also make a hell of a racket with my PC speakers.

Chris1 • December 5, 2006 7:41 AM

@Greg (or anybody who knows):

What would battery life look like if the phone was recording audio to an internal buffer, and then transmitting it in short bursts, at faster-than-realtime speeds whenever the buffer got full?

Ian Eiloart • December 5, 2006 7:47 AM

Interestingly, MI5 used to (perhaps still do) use ordinary landline telephones in a similar way. It does require them to get up close, and bounce a radio beam off the phone, but apparently the microphone in the handset modulates the radio reflection.

Tim • December 5, 2006 7:50 AM

I wonder if the BBC article (do you have a link?) is talking about turning on automatic answer on a mobile phone, rather than something more mysterious. If you turned off the ringer, and turned on automatic answer, you have a bug that can be used simply by calling in to it. If you have it plugged into a charger, the bug is permanent. It would be simple to put such a phone into a meeting room in a company and then phone in for a listen when the company bigwigs are in there.

Owen Blacker • December 5, 2006 7:53 AM

This was also mentioned by Henry Porter in a recent documentary called Suspect Nation that he did for the British TV channel More4. The same technique was used there — install eavesdropping software then spy at leisure.

Lourens Veen • December 5, 2006 8:12 AM

Doesn't the ISDN standard have a similar facility built-in, where a phone can be put into listening mode remotely?

Roger Lipscombe • December 5, 2006 9:02 AM

"mostly because the battery in a tiny bug would not have lasted a year"

But the bug's right next to an (e.g.) 850mAh battery (the Li-ion battery in my Nokia) that's probably going to be recharged (without thinking) whenever it gets a bit flat.

Surely, when installing the bug (when you have a couple of minutes access to the phone), you just attach a couple of patch wires between the bug and the battery connection.

Grant Gould • December 5, 2006 9:04 AM

If I were the FBI, I'd take the hardware approach and build bugged batteries. Cell phone batteries are easily replaced, but since they're rechargeable almost nobody ever looks at them. Many different phone models from the same manufacturer have the same battery type, which saves manufacturing.

I wouldn't use the phone's antenna, either -- it's too obvious when GSM phones are using the network, they interfere with computer monitors in a distinct and suspicious way. Rather, I'd have the bug record and dump it periodically over a short-range connection to a receiver near the suspect's home or workplace. That would minimize suspicious loss of battery life -- indeed, if the receiver were near wherever the suspect kept his or her charger, the battery drain of the transmission could be completely unnoticeable.

Octavian • December 5, 2006 9:40 AM

And a bit of history - a simple trick used in the 80s by the secret services (especially in the former communist bloc) was to slightly increase the line voltage so that the microphone would become active even if the phone was on hook.

Ian Rae • December 5, 2006 9:52 AM

On a slightly related note, this reminds me of the time I dropped my cellphone and it acquired a new feature: any time someone called me, as soon as they pressed send and while my phone was ringing, my phone would also transmit audio from the caller. I could hear them but they couldn't hear me... until I picked up, of course. As tempting as it was to keep the feature, I responsibly got the phone fixed. It was too eerie...

I have no doubt there are a ton of related tricks to surreptitiously capture audio. My phone was a Nokia 6310i. Awesome phone, wish I still had it.

Anonymous • December 5, 2006 10:02 AM

Yep, this is legit and I remember a "friend" who works in security for the government telling me about this fun feature about six years ago. It's software-based, so the eavesdropper doesn't have to "plant a bug" or be anywhere NEAR your phone. Just assume that every conversation you've had in the past 10 years was recorded by the NSA.

Asdf • December 5, 2006 10:20 AM

Wasn't there a bit of a hissy fit in Europe recently about the staff of Ericsson phones installing this stuff, and it was used against people in the Greek government?

MikeA • December 5, 2006 10:23 AM

@Octavian
Raising the voltage enough to get across the physical switch-contacts on both sides of the line would make a pretty dramatic show, if you tried it on a phone from the first hundred years of telephony, which are still common today. Not that I doubt there are _some_ phones, somewhere, for which this might have worked, but I do doubt they were common, at least outside the Soviet Union. When one controls all means of production, a lot is possible. :-)

Steve • December 5, 2006 10:25 AM

Didn't the Feds do this with the built-in 'phone home' phones in Mercedes S-class saloons some time ago? That car being favoured by high income types of every persuasion - some bright spark noticed a lot of criminal bigwigs have them and figured out how to activate the phone remotely and so 'bug' the car with no need for physical access.

Clive Robinson • December 5, 2006 10:25 AM

@Bruce,

"I hypothesize that a cell phone microphone could be turned on surreptitiously and remotely"

This has been talked about before on your blog and enough info has been put on it for you to have more than a hypothesis... It is all too easy to do and the software can be downloaded to the phone by the phone operator. Most mobile phone code uses standard chips and copies of either existing code or code that is supplied by the chip manufacturer as reference code. So it is easily possible for a knowledgeable cracker to do the same, and you have seen reports of Mobile Phone viruses that are real, so why do you doubt it?

@Chris1, Roger Lipscombe

"What would battery life look like if the phone was recording audio to an internal buffer"

Don't think battery, think very high value "super cap" capacitor of half a farad or more; they can keep things running for several days. You find them in lots of consumer equipment these days to hold charge for Real Time Clocks etc. whilst the battery is being charged. Oh, and the average rechargeable battery is only good for around 200 charges whereas a super cap is good for several thousand.

@Eiloart

"MI5 used to (perhaps still do) use ordinary landline telephones in a similar way"

I think you are confusing two things here. First off the "Spy Catcher" device worked on a very simple idea: you put an RF carrier on the line from outside the house that is a little above the Medium Wave band, you also insert inductors on the exchange side and a couple of caps across the line to bring the phone and its line to resonance. The "Hook Switch", being a real switch back in those days, looked like a very very small capacitance in series with the carbon granule microphone which effectively bridged the tuned circuit. Effectively any sound changed the Q of the tuned circuit and ended up Amplitude Modulating the RF carrier you injected. You then picked this modulated signal back up off the line with a current pick up (think VSWR detector circuit).

The other thing you might be thinking of was the "Russian Singing Eagle". Basically the story is that a hand carved U.S. Eagle supposedly carved by Moscow children was given to the US ambassador who hung it on his wall. Inside were two RF cavities, one of which had a very flexible end (think aluminium foil) which changed the Q / Resonant frequency of the cavity. The two cavities were connected to each other by a diode that acted as a frequency multiplier. When the Russians beamed a microwave signal at the eagle a multiple of the frequency was re-radiated modulated by any sounds in the room. Supposedly the Russians beamed a very very large amount of microwave radiation from a church adjacent to the embassy which prompted many jokes about it.

@Tim
"turning on automatic answer on a mobile phone, rather than something more mysterious"

It's one way to do it that works and there are several others.

A couple of these ideas appear to have been used against a hundred or so people prior to and during the Athens Olympics (Bruce covered it when it broke news back then). It appears they used "Standard Software" in Ericsson Switches to bug just calls and SMS (although there are hints at other activities, which a death put an end to further enquiries into).

@Lourens Veen

"Doesn't the ISDN standard have a similar facility built-in"

Yes as do most "digital service" landline switches, they always have done and the same thing is available for all mobile phone switches as well (if you want to pay for it and you are the right sort of customer...)

@All

First off, unless you are using a very old (think analogue) channel based system, most mobile phones give away the fact that they are transmitting to an audio amplifier or medium wave radio. It is fairly simple to demonstrate: turn on your hi-fi amp and MW receiver tuned to a blank part of the band (i.e. hiss), make a call to your home phone, then move your mobile close to your hi-fi. You will hear a very annoying buzzing noise which is your mobile phone sending out packets of data. Your hi-fi is "envelope detecting" the signal. You also get a similar effect when you put your mobile next to a modern electronic phone.

Therefore you can build a reliable "bug detector" for this out of a small audio amplifier, a diode, a capacitor and a small coil of wire. All of which you can get from your local Radio Shack / Tandy / Maplin etc. etc.

Likewise any bug would need to be continuous carrier (FM/PM) to avoid a similar fate.

A second effect that is well known (publicly) since the 1980's is TEMPEST/HIJACK/NONSTOP cross modulation attacks. Basically a mobile phone, like most other digital electronic equipment, generates all kinds of RF junk that gets into all kinds of other electronics, and data in one cross modulates with the other. Effectively confidential data can piggy back out of a secure TEMPEST area on an RF carrier that would not normally be present...

The UK Prime Minister Maggie Thatcher banned the use of mobile phones in all conferences and secure areas for specifically that reason. The current incumbent and his cohorts chose to ignore the demonstrations and still go to sensitive meetings with their mobiles on....

Roy • December 5, 2006 10:40 AM

Any manufacturer that designed in a side-channel capability would hope to receive favorable treatment from the US government, right?

Think of government contracts and favorable judicial decisions.

Clive Robinson • December 5, 2006 11:06 AM

@dave

Lauren Weinstein's article contains some minor mistakes, for instance,

"First, when the phone is operating as a bug, regular calls can't be taking place in almost all cases"

Not true, most mobile phones can handle two or more calls at the same time (think third party calling, bridge/conference calls etc). As long as the bug software took this into account then it is not a problem.

Also if the people bugging you are using a "micro/nano cell" to act as a bridge then all bets are off on this one.

"Another clue that a phone may have been transmitting without your permission is if it seems unexpectedly warm."

Only partially true, if it transmits on the lowest power or you keep your phone in an inside pocket you are unlikely to notice (though a cheap thermal image camera or IR remote temp meter certainly would). So if you are eavesdropping via a micro/nano cell then the phone can be told to use minimum power.

"record ambient audio from the phone mic and store it in the phone's memory in compressed form, then upload it en masse later"

Actually it is not that practical; most efficient compression software "throws away" background and other "non prime" audio content in order to get the 10-40 compression ratios needed. Unfortunately when used as a bug this "throw away" audio is usually the stuff you really want to hear.

Assume lowest (telco) acceptable ADC quality, then you are still looking at 64 Kbit/sec before compression, say 5 Kbit afterwards; that is still 2.25 Mbyte an hour for very low quality audio. The other problem is of course you really would be using quite a lot of CPU cycles to get this rate so the old heat & battery argument becomes valid.

Also some phones with "noise canceling mics" are likewise not very good when it comes to bugging for similar reasons...

Clive Robinson • December 5, 2006 11:12 AM

@Roy

"Any manufacturer that designed in a side-channel capability would hope to receive favorable treatment from the US government, right?"

Ah, probably not; have a look at the FBI interpretation of CALEA.

Also look at what the The Cellular Telecommunications Industry Association (CTIA), the Personal Communications Industry Association (PCIA), the Telecommunications Industry Association (TIA) and the U.S. Telephone Association (USTA) have to say on the matter it makes interesting reading...

Clive Robinson • December 5, 2006 11:44 AM

On the subject of phone tapping Matt Blaze gave a talk up at Stanford on just this subject back in March this year as a follow up to his paper,

http://www.crypto.com/papers/wiretapping/

You can see a write up of the talk at,

http://vitanuova.loyalty.org/nb/nb.cgi/view/vitanuova/2006/03/09

It is certainly worth a read as you might be really surprised who can legally own and operate wire tap equipment in the US (18 USC 1252(2)(b)) and just how cheaply it can be obtained.

If you go looking on the Internet for "wire tap" equipment you might find the expression "Telephone loop extenders" will get you more reliable information (both illegal and legal).

Back many years ago in the UK such equipment was referred to as a "pole job" because it was usually put up the top of the telegraph pole (by a General Post Office squirrel), however few people are old enough to either remember or talk about such things these days... The legal bods all moved over to the central exchange where it was "warm and cosy" and no "interested parties" hanging around.

In later years "pole job" also referred to a piece of very illegal equipment that you would put in the "equipment room" of a block of "flats" where all the telephone pairs were available. Basically it bridged many pairs and had a control pair. If you lifted the handset on the control pair it would find a vacant line and switch it over to you so you could make calls at other people's expense.

The equipment is surprisingly easy to make, and it was also quite easy to add features that indicated the "real owner" of the line had picked up as well as faking a dial tone followed by a busy signal to them after they had dialed a couple of digits.

Davi Ottenheimer • December 5, 2006 12:03 PM

"One of the things I talk about is auditory eavesdropping, and I hypothesize that a cell phone microphone could be turned on surreptitiously and remotely."

As others have said, no need to hypothesize. You might call this as much a feature as a "bug", depending on your perspective.

FWIW, I used to know of a similar "bug" for Macintosh in the early 1990s (they usually had sound/mics built-in, unlike PCs). An attacker/friend just needed to get their target/friend to click on a fake bomb message (simple prompt for a restart) and sounds could be output to their system, or input redirected to play somewhere else.

Eventually, if not now, people will have a need for monitoring the software config and traffic for their mobile devices. And the more data stored on the server (back to your theory of removing the assets from remote devices) with constant connectivity, the more users can simply hard-reset their device at a moment's notice to destroy bugs without losing their contacts, calendar, etc.

another_bruce • December 5, 2006 12:10 PM

i've heard about this before with cellphones and assumed they had this capability.
what about landlines? how do we know for absolute sure and certain that our landlines can't listen to us when they're on the hook?

Israel Torres • December 5, 2006 12:39 PM

From my experience Nextels are outright noisy devices especially when there is inbound/outbound traffic channeling through. Even just walking by an FM radio, cable television, or most electronic communication devices will start giving audible noise-clicks.

For good measure any type of carry-on electronic device (cell, calculators, watches, pens) should be left at the door before entering "private" areas. Usually anything said in these areas shouldn't be written down in the first place so justifying an electronic device would be really difficult and really draw suspicion.

Israel Torres

Clive Robinson • December 5, 2006 1:04 PM

@another_bruce

"how do we know for absolute sure and certain that our landlines can't listen to us when they're on the hook?"

It would be very unwise to assume they could not...

There are things you can do to reduce the possibility but the answer would still be the same.

Anonymous • December 5, 2006 1:51 PM

When I worked at the University during the '90's there was a move to 'privatize' a bunch of civil service positions. The civil service staff were understandably concerned.

The University boardroom contained a projection screen, with a computer intended for showing Powerpoint presentations. Some folks I know wrote a tiny, simple program that captured the audio from the built-in microphone and sent the packets over the campus network to our desktop systems. Under the guise of a tech support call they installed it on the boardroom projection PC. We could then sit at our desks and listen to what was going on in the boardroom, regarding the privatization or whatever, at any time.

My T-Mobile MDA is basically a handheld Windows computer just like that boardroom PC. I suspect the very same little eavesdropping program would work on my MDA.

Fortunately I don't have anything to worry about from overzealous law enforcement, because I've never done anything wrong.

Well, except for the thing with the boardroom PC.

derf • December 5, 2006 2:21 PM

It's a "feature", and yes - you pay extra for it. Now you know what "cost recovery fee" covers.

Stephan Samuel • December 5, 2006 2:34 PM

Aside from the software bugs (just wait until your car navigation runs Java), and hardware bugs, which spy-types have been doing for years, there are also secondary ways of listening to things.

Ordinary objects become transducers in the presence of sound waves. Sound waves vibrate air and the air vibrates anything it hits correspondingly. While building walls are difficult to listen to, glass isn't. The microphone in your mobile phone works on this principle: when you speak, it generates an electrical waveform corresponding to the sounds you make. Between radar, sonar and eavesdropping, engineers and scientists have been working on the technology to use these transducers for a long time. Between low-noise amplifiers and technology to pick one signal out of noise from another, there's a lot that you can do with some well-designed circuits and a directional pick-up.

Bruce Schneier • December 5, 2006 2:37 PM

"Wasn't there a bit of a hissy fit in Europe recently about the staff of Ericsson phones installing this stuff, and it was used against people in the Greek government?"

That's different; it was done at the switch.

a_Lex • December 5, 2006 2:46 PM

C'mon guys!
A phone has a... um... a microphone, right? Yep. And an antenna...
Right?

So what made some of you think such a device was ever "secure" in the first place?

No really, cellies are for convenience, NOT for privacy/security. Securing a cellie is a research project in itself.

Of course, there MAY be cellphones that are free of both intentional and unintentional backdoors (I wonder if someone somewhere could actually give the cellphone an official certificate that it is hardware/software backdoor free), but unless it has been PROVED that your cellphone is secure we have to play cautiously and conservatively, and assume that the cellphone is capable of acting as a surveillance device.

@derf

"It's a "feature", and yes - you pay extra for it."

A wise note.
This gives us an idea of which phone most probably does not come bundled with some preinstalled backdoor.

THE CHEAPEST ONE.

a_Lex • December 5, 2006 2:49 PM

@Bruce Schneier

On an almost unrelated note, Mr Schneier, the man who discovered that a backdoor in a switch was utilized has died in a "tragic accident".

Coincidences... How probable is such a coincidence?

Alice Lillie • December 5, 2006 2:57 PM

I have a rather old cell phone.

How new do phones have to be in order for the phone mic to be remotely turned on to eavesdrop on conversations near the phone?

It's a Nokia 3360. The copyright in the instruction book is 2001. I got it second hand.

Please e-mail if you know at aliceprez@aol.com

This is one good reason to use old equipment, if all it is for is to receive and make calls, no camera or other fancy stuff.

Albatross • December 5, 2006 3:25 PM

How probable is such a coincidence?

About as probable as the death of Ken Lay during the window between conviction and sentencing, resulting in automatic abatement and thereby saving his estate millions of dollars otherwise forfeit.

That's why I've carefully avoided becoming wealthy - I'd hate to find out the hard way that I was worth more dead than alive...

C Gomez • December 5, 2006 3:27 PM

So cell phones aren't secure. Is that news? What, do we need legislation to protect us? What good will legislation do when a) criminals don't care about legislation and b) governments can and will insert clauses allowing them to bypass legislation.

You have to take care of yourself in this world. Considering the federal government in the U.S. is barely capable of administering anything, I don't expect a problem.

Igor Drokov • December 5, 2006 3:32 PM

At some recent event a German company demonstrated a way of exploiting a "service SMS" security.

After delivering and installing some Trojan (via an unauthorised service SMS) they claimed to be able to have a remote access to the handset including listening to conversations, copying contacts etc.

More details: http://www.techworld.com/news/index.cfm?newsID=7425

A rather lengthy video from the presentation (in German) http://www.it-sa.de/itsa_asx.php?file=RO_Mi_16_30_Hafner&year=2006

Clive Robinson • December 5, 2006 4:18 PM

@a_Lex

"I wonder if someone somewhere could actually give the cellphone an official certificate"

Yes, there are GSM mobile phones certified to at least ITSEC E4+ (from the UK CESG).

For the GSM phone look at,

http://www.tripleton.com/product_security_T301B.htm

for a brief guide on ITSEC ratings look at,

http://www.tripleton.com/product_security_T301B_itsec.htm

And no, I have no connection to the company (other than one of its founders used to be the MD of a company I worked for).

anonymous (sorry folks) • December 5, 2006 5:01 PM

I work for the manufacturer of the leading mobile OS for everywhere outside the US.

From a software perspective this is extremely easy. However, inbuilt OS security in all of the mobile OSs I know means the chances of such malicious code being installed by a 3rd party is extremely small.

That said, it is very easy for the network operator to silently install whatever they want over the network. Given how they rolled over for the previous federal wiretapping scandal, nothing would surprise me...

Anonymous42 • December 5, 2006 5:04 PM

Any mobile device capable of FOTA (Firmware Over-The-Air) updates can probably have its firmware and applications updated silently. Sprint started supporting FOTA right after my departure so I can only guess at what the process looks like from the user's end, but I imagine that even a normal update with modal progress dialog would be dismissed as "just another update or something."

Mobile phones are major security and privacy holes, and things will get much worse before they get better.

sidelobe • December 5, 2006 5:10 PM

I discussed this with a colleague who was once in cellular customer service. Remember car phones? I'm talking about cellular phones permanently installed in vehicles. Some of them were manufactured and installed with an "auto-answer" feature that was meant to be safer and more convenient for a driver. But at least one model had a disconcerting problem: it would answer a call without ringing.

In at least one case, a subscriber called customer service complaining that he was caught in some unauthorized extra-marital activity, because "that blankety-blank phone answered on its own."

Roy • December 5, 2006 5:33 PM

So, what we need is a clamshell holster for mobile phones with electromagnetic shielding all around, good quality acoustic insulation to attenuate voice leakage, and an internal device situated right at the phone's microphone pickup that feeds it a random electronic yodel? Did I miss anything?

Z • December 5, 2006 6:16 PM

@Roy:
Yes. You forgot the easiest way to eavesdrop:
1. Wait for your target to walk by you while he talks on his cellphone.
2. Listen
:)

kl • December 5, 2006 8:21 PM

@Roy
I would rather prefer to see the spread of an open source cellphone platform(s), like qtopia, tuxphone, openmoko etc.

Davi Ottenheimer • December 5, 2006 9:33 PM

@ kl

Exactly, but a very familiar problem (everyone's favorite OS) is more likely to repeat than not with a proprietary network. Are consumers demanding an open phone, or a service that makes it easy to separate client from the target (see my comment above -- imagine phones designed to not be tied directly to an owner). Ironically, the limitations of the mobile platform could help reduce the complexities and thus enable exposure of vulnerabilities, but instead they might also be a perfect excuse for shortcuts and control gaps driven by "market" forces.

Jon Kay • December 5, 2006 9:39 PM

I read the actual evidence referenced by the original story and didn't see any evidence to support the article's claims.

In fact, it seems clear to me that some other kind of equipment must have been used in this case, because the opinion talks about it working even when the cellphone was turned off. I don't believe any cellphone out there can run a program while turned off (or do anything else, much less transmit, without hardware hacking).

Therefore, contrary to the article, it must've involved a physical hack of the cellphone such as the transmitting battery suggested earlier in the thread.

The original article also implies that a "roving bug" (mentioned in the legal documents) is the technique for turning cellphones remotely into bugs. That's rather likelier to be legal language referring to the "roving tap" authority needed to establish mobile or otherwise especially intrusive taps under a mechanism established by the Patriot Act. The legal language around the term seems to support that.

Davi Ottenheimer • December 5, 2006 10:25 PM

"I don't believe any cellphone out there can run a program while turned off"

I can press the "off" button on a phone just to turn off the screen, or to turn off portions of the listener/transmission service, etc.. So unless all sources of power (e.g. battery) are completely removed, the term "off" is very relative. In fact, mobiles are often designed to allow "always available" functionality with default-enable across multiple networks even though you might press the "off" button and save some power.

ladyblogger, December 6, 2006 3:03 AM

"A wise note.
This gives us an idea of which phone most probably does not come bundled with some preinstalled backdoor.
THE CHEAPEST ONE."

I have a -- no-cost-to-me -- LG phone, about two years old. Weinstein (cited above) talks about 3G phones. My crappy phone is 3G CDMA, whatever the hell that means...

Tarkeel, December 6, 2006 3:27 AM

"[...] said mobile providers can "remotely install a piece of software on to any handset, without the owner's knowledge [...]"

I wonder when this will be used to create some nice and nasty cellphone virus.

I assume they at least do code signing or something similar to protect from unauthorized access, but imagine the payoff from pulling this off: You can basically blackmail entire societies with the threat to render their cellphones inoperable.

@Jon Kay: ""I don't believe any cellphone out there can run a program while turned off""

Unfortunately, "Off" is very rarely off these days. As was mentioned earlier, most phones will happily turn themselves on (if there is enough battery left) to trigger alarms etc.

I know some hybrid phone/PDAs come with a "airplane" mode to turn off the antenna since you can't turn them off.

dermot, December 6, 2006 3:45 AM

Hi Bruce,
If I were going to attempt this, I'd use voice-activated recording, compress to 4 or 8kbits/sec (1.8-3.6MB/hour) and store in the phone's flash camera memory. Periodically, I'd get the phone to add a .jpg file extension to the sound file and send it to a specified address - then delete the 'sent' record on the phone. My phone has a 1GB flash card - that's a lot of voice recording time...
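
A defensive check that follows from dermot's sketch, added here as an example and not code from the original post or from anyone quoted on it: renaming a speech recording to .jpg only works if nobody compares the file header against the extension. The scanner below sniffs the first bytes of each file and flags "images" whose header is actually a handset audio format (AMR, Ogg, WAV, MP3). The file names and contents are constructed inline for the demonstration; the header signatures are the real format magics, and the function names are my own.

```python
"""Flag files whose extension claims an image but whose header says audio.

Added example; the sample files below are constructed for the demo.
"""
from __future__ import annotations

import os
from typing import Dict, Optional

# Real format signatures: (magic bytes, offset in file, label).
# AMR is the narrowband speech codec handsets of that era used at roughly
# 5-12 kbit/s, in line with the bit-rates the comment mentions.
AUDIO_MAGIC = [
    (b"#!AMR-WB\n", 0, "amr-wb"),
    (b"#!AMR\n", 0, "amr"),
    (b"OggS", 0, "ogg"),
    (b"ID3", 0, "mp3"),
    (b"WAVE", 8, "wav"),  # RIFF....WAVE
]

IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff", 0),
    ".jpeg": (b"\xff\xd8\xff", 0),
    ".png": (b"\x89PNG\r\n\x1a\n", 0),
    ".gif": (b"GIF8", 0),
}


def _has_magic(data: bytes, magic: bytes, offset: int) -> bool:
    return data[offset:offset + len(magic)] == magic


def sniff_audio(data: bytes) -> Optional[str]:
    """Return an audio format label if the header matches one, else None."""
    for magic, offset, label in AUDIO_MAGIC:
        if _has_magic(data, magic, offset):
            return label
    # Raw MPEG audio frame: 11-bit sync word 0xFFE at the start of the file.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3-frame"
    return None


def classify(name: str, data: bytes) -> str:
    """Compare what the extension promises with what the header contains."""
    ext = os.path.splitext(name)[1].lower()
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if _has_magic(data, *expected):
        return "ok"
    audio = sniff_audio(data)
    if audio is not None:
        return "audio-as-image:" + audio
    return "header-mismatch"


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every file in a name -> bytes mapping (e.g. a camera folder)."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed sample "camera folder": one genuine JPEG header, two audio
# files renamed to .jpg the way the comment describes, and one junk file.
SAMPLES: Dict[str, bytes] = {
    "IMG_0001.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "IMG_0002.jpg": b"#!AMR\n\x3c\x48\xf5\x1e",
    "IMG_0003.jpg": b"RIFF" + (1000).to_bytes(4, "little") + b"WAVEfmt ",
    "IMG_0004.jpg": b"\x00" * 16,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Only the first few bytes of each file are read, so the same check is cheap enough to run over an entire flash card or over attachments leaving a mail gateway; a header that matches neither the claimed image format nor a known audio format is still reported, since "header-mismatch" is itself worth a look.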

Anonymous, December 6, 2006 6:37 AM

> You can basically blackmail entire societies with the threat to render their cellphones inoperable.

Have you seen anyone blackmail entire societies with the threat to render their Windows computers inoperable (*) ?

* with any kind of (remotely approaching) success ?

Anonymous, December 6, 2006 1:28 PM

Sprint's OTA software updates are (generally) totally transparent to the user.

While GSM devices cause noise in speakers, and sometimes even mess with video displays, CDMA devices do not. At mW of power, it would not get warm or anything.

A lot of current phones have speakerphones on the outside. They are worse at filtering out background noise, on purpose, and are on the outside (for clamshells) so would make excellent bugs.


I assume any device that has access to power is more or less on. If I was in a criminal enterprise I would pull the battery at certain times. If I was a member of the security services or the chief officer of a large company with scary competitors, I would not even allow devices /without/ obvious power supply in certain areas.

Jon Kay, December 6, 2006 2:02 PM

> I can press the "off" button on a phone just to turn off the screen, or
> to turn off portions of the listener/transmission service, etc..

Then I call it "idle". You can also press the "off" to turn it really off.

> I know some hybrid phone/PDAs come with a "airplane" mode to turn
> off the antenna since you can't turn them off.

OK, I guess that's true, but that's unlikely to have been what we had here.

> I assume any device that has access to power is more or less on. If
> I was in a criminal enterprise I would pull the battery at certain
> times. If I was a member of the security services or the chief
> officer of a large company with scary competitors, I would not even
> allow devices /without/ obvious power supply in certain areas.

You know, it's amazing how perfect we assume the government and large organizations are when we're being paranoid. Mafiosos are people, too. Plus, the top Mafiosos are generally arrogant, and arrogant people make mistakes by the ton.

Andrew, December 6, 2006 10:11 PM

Several related anecdotal points.

1) Nobody is allowed to bring unauthorized electronic devices of any kind into a Security Operations Center, Emergency Operations Center, etc. in which secure data is handled. If you were dumb enough to bring such things into a SCIF, you shouldn't know what a SCIF is, let alone be inside one.

2) The technology discussed not only exists, but is a monitoring option for mobile phones issued to employees. Add GPS and stir, briskly.

That sound was your illusion of privacy being shattered. Cheers.

3) It's easy to check the microphone for ambient sound, and save only that sound which is human voice. The phone also detects when it is plugged into a charger. Funny that the latest Motorolas don't let you use unauthorized chargers, isn't it? A convenient time to do the upload -- or just time-share the data stream during a voice call.

>> So, what we need is a clamshell holster for mobile phones with electromagnetic shielding all around, good quality acoustic insulation to attenuate voice leakage, and an internal device situated right at the phone's microphone pickup that feeds it a random electronic yodel?

Sounds like a product.

The classy approach is to have shielded small lockers with white noise in the vestibule of your operations area. You forward your mobile phone to one of the "guest" lines, and put it in the locker.

A thought for your privacy at home, too. Except that your local telco is an order of magnitude easier to tap :)

Zaphod, December 7, 2006 1:06 AM

@Roy "Did I miss anything?" - yes an internal pouch for one's RFID passport!

Zaphod

This is so old..., December 7, 2006 3:14 AM

And has nothing to do with mobile phones, though they are also used because those are usually located near the person/persons who are under surveillance.

Not going into details, but it's only radio waves + microphone (in this case). So, no need for power/battery, lines etc. Basically anything can be used, and RF is just more advanced than infrared beams.

The basic principle is probably 50 years old, but the technique described in the article has been in use for around 10 years.

Clive Robinson, December 7, 2006 7:48 AM

@Jon Kay

"Mafiosos are generally arrogant, and arrogant people make mistakes by the ton"

Arrogant they may be but remember they designed and deployed the first telephone bugs...

As always the LEAs had to play catch up and that required some time...

@Andrew

"So, what we need is a clamshell holster for mobile phones with electromagnetic shielding all around, good quality acoustic insulation to attenuate voice leakage, and an internal device situated right at the phone's microphone pickup that feeds it a random electronic yodel"

Such things are already fairly widely available; go into any cellphone test area (say Cingular's in Redmond Town Center for instance) and you will see the clam shell cases. Some have both speakers (for the mic) and mics (for the earpiece) so you can plug them into acoustic test sets. If you want to buy one new, go to the Rohde & Schwarz web site.

I have seen some for sale on E-Bay in the past, for quite a small amount of money.

Jon Kay, December 7, 2006 5:25 PM

> Arrogant they may be but remember they designed and deployed the first telephone bugs...

That just demonstrates that they can do smart things, not that they don't take shortcuts and make mistakes.

jayh, December 8, 2006 7:32 AM

Ref POTS landlines:

The older style cheap phones had a mechanical switch which disconnected the phone on hook. These are probably the most secure.

Frank Rieger, December 8, 2006 8:27 AM

@Kees:

We have done a lot of work on the operating system for the CryptoPhone. We remove attack vectors, based on a user-selectable OS security profile that essentially balances features vs. attack surface.
The most likely attack vectors for remotely listening over a phone are the operator's capability to update the firmware over the air, the SIM Toolkit functionality and WAP-push / MMS based exploits. All of these are removed in even the lowest security level the user can select on a CryptoPhone. Other potential attack vectors are removed on higher security levels.
Feel free to mail me if you want more details.

a_Lex, December 9, 2006 5:22 AM

@Asdf

"not an accident. Supposedly a "suicide by hanging", but suspicious remarks were made before his death."

Sorry, confused it with the Adamo Bove case

@Clive Robinson
"Yes there are GSM mobile phones certified to at least ITSEC E4+ (from the UK CESG)"

Does ITSEC cover all the potential "remote activation malware/backdoor" issues, or is it a purely cryptographic certificate?

ON CLAMSHELL STUFF...

Speaking of defensive measures, I have done some research on the topic and discovered that Russian LEAs are very much concerned with this cellphone feature. They have been concerned since the first cellies hit the market.

And they have developed a countermeasure: a relatively soundproof holster with a tiny speaker, which hisses white noise into the cellie's microphone. The noise level at 1 mm from the cellie's microphone is 100 +/-2 dBA.

It turns on whenever it detects transmission attempts on the side of the cellie, so if you basically put a turned-on mobile in there, it will be immediately jammed by noise and will stay jammed until you bother to turn off the phone.

This approach (placing a TURNED ON cellie in a "cocoon jammer") seems nice because you, on one side, effectively jam the microphone (even when the adversary runs this spycell malware, no sound but a menacing hiss will be recorded) and, on the other hand, are still able to receive calls, as communication with the network is intact (use vibration, as the holster is designed to be effectively soundproof).

There is also a version with a Bluetooth disrupter.

It can "hiss" for more than 48 hours in a row without recharge.

As all Russian surveillance countermeasures, it is sold with no export limitations.

Sold here http://www.cbi-info.ru/products/search/?search=%CB%CF%CB%CF%CE

@Frank Rieger

Wow!
Now I really want that phone!

Larry, December 12, 2006 3:00 AM

In my opinion there are not so many issues, as a lot of software for voice encryption over GSM is spreading.
There are dozens of Windows Mobile based ones (www.cryptophone.de), some hardware based (www.crypto.ch) and now there's also an upcoming system for Symbian devices (www.privategsm.com).

Imho in the next few years we will see some J2ME Java based crypto phones too.

Still have some doubt that encryption technologies will remain free in the future...

Old Nokia, December 19, 2006 6:52 PM

@Ian Rae

I also had an experience with my (old brick) Nokia phone a couple of years ago. One day I received a message from my cell provider informing me that the menu options on my phone had been 'upgraded'; I checked and they had. There was no 'If it's OK by you' or anything like that. It just happened. Who knows what else they can do with your mobile these days?

@Clive Robinson

Fantastic posts! Thanks for that.

@Alice Lillie

Sorry, my phone is as old as it gets. See above.

@Anonymous42

Agreed.

Unfortunately I can confirm, January 17, 2007 5:27 PM

Someone close to me has had this happen to them. Someone has used numerous cell-phones as listening devices in numerous locations and then made the person close to me aware of the eaves-dropping by emailing text of conversations or calling/leaving voice-mails of overheard conversations. I was present when one such eaves-dropping was apparently made and the text of part of someone's speech was relayed.

VERY VERY scary.

Reading the above I had an idea - just buy one of those (stupid-looking) light-up antennas so one would (likely) know when it was transmitting otherwise surreptitiously.

yassine chtioui, February 10, 2007 6:17 AM

Does anyone know where one can buy a cell phone tap device? If so, please e-mail me at my e-mail address. Thanks, yass

alte, March 23, 2007 1:36 AM

Post by yassine chtioui on Feb 10, 07:
if you get replies, can you share them?
Thanks

saffron, May 12, 2007 2:36 AM

A few nights ago around 21:45 I was on a cell phone call in Austria (between 3 and T-Mobile). My cell phone is a Sony Ericsson. Suddenly an odd buzzer tone sounded... 3 sec. later a second one, each roughly 1 sec. long. Subsequently, I could hear 2 other people in conversation (in English)... they could not hear me, however, since they did not react to me. After roughly 10-15 sec. my telephone call was interrupted. Neither I nor my interlocutor knew the voices. What can that have been?

peterin sa, May 17, 2007 5:11 PM

I have a copy of the roving bug on my Samsung X670 cellphone called Datamover, which was bluetoothed onto my handset by work colleagues who listened in to my calls surreptitiously.

yo, June 25, 2007 7:06 PM

Why do all this when all you need is a police scanner to pick up any cordless or cell phone conversation?

jill, October 17, 2007 10:36 AM

Hello, I have no idea what all of this means, but you guys seem like you do. If someone can make me a device, tell me how to use it, and it works, I will send whatever is fair for it. Think about it -- email me at rbcwallace@yahoo.com

rick, January 8, 2008 8:43 AM

I am the developer of "World System of Proof" technology which turns any cell/mobile/land line phone into a recording device with unlimited capacity anywhere in the world. The service will be offered March 2008.

Steve, April 23, 2008 12:32 PM

I am looking for a device to eavesdrop on cell phone conversations without having to ever touch the cell phone. Can anyone help me?

josh, October 4, 2008 8:43 PM

I had a similar situation happen to me. The nerds where I work somehow bugged my Palm Treo 650. They messed with me pretty bad, made me think they were psychic and stuff. They did it for about 1 year in conjunction with spyware that got in through an e-mail they sent me. I almost went insane till one day I dropped my cell phone in the lake and it quit working. It is true, in my case, what they say. The phone got unusually warm and the battery drained faster. I told the authorities about the eavesdropping, but the FBI, State and local authorities said they really didn't have the manpower to deal with it.
