Schneier on Security
A blog covering security and security technology.
May 9, 2008
Cell Phone Spying
A handy guide:
A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.
All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing.
Once connected, the service shows you the exact location of the phone by the minute, conveniently pinpointed on a Google Map. So far, the service is only available in the UK, but the company has indicated plans to expand its service to other countries soon.
Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device. And the scariest part? They run virtually undetectable to the average eye.
Take, for example, Flexispy. The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot. Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on. The phone won’t even ring, and its owner will have no idea you are virtually there at his side.
Posted on May 9, 2008 at 6:27 AM
Has anyone tried this? It sounds rather unlikely; first of all, where would they get all that information, from all the different service providers? Secondly, why would they need a reply from the phone? Would that be because they need the phone's internal number (kind of like a MAC address)? Otherwise, if the phone has been moved while turned off, they would lose the "lock" on the position and would have to start over.
I don't know a whole lot about the details of the GSM protocol, but I can imagine they can find the location if they call someone (maybe even if they don't answer, as long as the phone is on).
Also, I would think this is only borderline-legal, if at all. One could argue that the location of their phone is personal information, and, as such, covered by privacy laws.
"The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot."
This sounds like something out of the old Gene Hackman movie, "The Conversation".
I think that Flexispy needs an app running on the phone (Symbian or Windows Mobile). Also from the FAQ - "FlexiSPY needs a working Internet connection on your mobile."
I'm safe with my bottom of the range Nokia then!
And in fact one of the best ways to subvert this is to leave your well known cell phone somewhere convenient as you travel around without it.
Preferably right next to the speaker of a PC that you've been playing "Stack The Cats" on. :D "Stack the Cats" is my favorite low-cost, low-effort way of dealing with a bugged room.
@Sparky: IIRC from the first time I heard about a service like this, they don't "need" a response to the text message at all. It's a (feeble) security measure, an attempt to get the permission of the person being tracked. There's no technical need for it.
And yes, the big question is why network operators are (a) willing, and (b) permitted to provide the information needed to do this.
According to the website it's "only" Orange, Voda and O2. So maybe I'll call up Orange and tell them I'm switching to T-Mobile unless they can exclude my number from ever being tracked by any such service...
Looking at the FlexiSpy website, it appears that you have to install the software on the victim's phone:
"Can I install FlexiSPY remotely?
No. You need to have the phone physically in your hand for about 15 min. Installation is simple. You simply open up a web page on the mobile and enter your code. The download and install begins automatically"
"How does Remote Listening work ?
The phone with FlexiSPY on it is the target phone. The phone you make spy calls from is the monitor phone. When you call the target phone from the monitor phone, the target phone will answer the call, letting you listen to the phone's surroundings. If the phone is busy or a key is pressed, the spy call will be disconnected, and the target will be none the wiser."
Simply put, you have the thing installed on your phone and someone else calls it. Not quite as dangerous as it initially sounds.
Your phone can be uniquely identified by either the IMSI (sim), IMEI (phone) or MSISDN (number).
Damn.. Posted my previous message before finishing!
Location updates (containing cell id and IMSI) are generated as a phone moves between cells. So that can give geography. But this is sent within the core mobile network and therefore would have to be provided by the network operator.
"Not quite as dangerous ..."
You have forgotten that the phone operator can download a patch to your phone's software any time they like and frequently do (supposedly it needs to be signed or some such on modern phones...)
Also, as a lot of teenagers know, downloading a ring tone to a phone is not that difficult either. So 15 mins seems a long time; I reckon with a bit of practice it could be done whilst you go get a cup of coffee or comfort stop.
Phone security is at best laughable (have a look on Cryptome's GSM section). Even on modern phones the security model is to protect the phone OS from apps running in the computer OS running on the phone (MS Windows / Symbian et al).
Importantly, phones are going to be used as security tokens in future. So not having proper app-to-app security will within a year or so be a significant issue.
Logged in to World Tracker - no signs of the scary ability to track someone by their cell phones. The service just allows you to _manually_ specify your location, so your friends can see where you are. Seems that Mr. Schneier just copypasted the text from www.geeksaresexy.net.
Kind of related to the Telco / Spy thing: why can't we devise a piece of software to track them??? YAs I know the Gov has all the tools
To Bruce and all the Tech Gurus on this site: Would like your technical input on how Unknown Number / Unknown Numbers can be traced, or HOW they are routed by Telecoms OR even allowed!
Below is my attempt at having COMCAST block an Unknown name / number that keeps calling my NEW Comcast Digital phone number!
Hello COMCAST —This is rather long but please read
I have been trying to block a company that is calling our home number (harassing us with unsolicited offers). I have tried using the Comcast feature but it is not working, as the company obviously has an auto dialer with a registration for both the name and number coming across as “Unknown Name & Number”. Can we do something on Comcast's part to block this? The company first started calling the day after I got my new digital phone number. I was able to block the 800 service numbers but now they are using the “Unknown Name Unknown Number” to harass us.
The 800 numbers that I have blocked are listed below. Can you have the Comcast investigation division get them / trace them? Comcast should be able to trace the calls in the telco routing station to the point from which they call.
800 257 5722
877 450 6649
If you look up these numbers on the internet, it appears they have been frequent violators.
Thank you for contacting Comcast Live Chat Support. Please give me one moment to review your information.
I am sorry to hear of what this company is doing.
Have you had a chance to add your number to the do not call list?
I am doing that, but what about getting the comcast investigation unit involved?
I apologize but our features work on blocking numbers by the phone number registered under the line or by blocking numbers who have their display blocked. Since the display shows “Unknown Name Unknown Number” it tells us that their caller ID information is blank.
I would recommend to contact the company to be removed from their contact list as well as adding your name to the Do not call list.
Again, what about having the investigation unit get involved, it seems crazy that anyone could get a number without an ID. I told them when they first called to remove me.
Please give me just one moment to see if there is anything that we can do on our end.
I have looked into this for you and I am very sorry but at this time Comcast is unable to address this for you. The only thing that we would advise is for you to enter your number on the state's Do not call list and the National one. If after you do this, the calls persist, I would recommend to contact the Federal Trade Commission, which is the Government office that is in charge of making sure that the Do not call registries are followed.
@Ruby: Maybe you could use some guerrilla warfare. Depending on what they are offering you, and your local laws, you could do a few things that cost them money and effort. Where I live (the Netherlands), the law basically says return any item over something like 50 euros (don't know exactly) and get a refund, no questions asked (provided the item is in new condition, packaging intact etc.). This also applies to anything sent to you by mail.
You could also refuse to accept anything they have sent you, make appointments for a mortgage broker or whatever when you're not home, have them go through the trouble of selling you something (probably recorded), where you just mention you are intoxicated (and thus unable to enter into a contract).
If they are offering anything, you should be able to at least get a company name.
Comcast doesn't care, except that they are in the middle of a big promotion to get people to sign up for their network. A bad news story will damage millions of dollars worth of propaganda. There is a national do not call list in the US. It's equally useless, especially if Comcast will not tell you where the call originates.
The problem is actually tracing the call originator's connection point. It might not actually have a "dialling number" attached to it that is known. And COMCAST may not be able to trace it back further than to the foreign network connection to their network.
The easiest solution is to take the call and give the sales droid the run around and waste their time as much as possible without giving any details.
Fairly soon the droid or the next one will log you as being a time waster, which earns them nothing and at that point you usually get left alone.
First of all I worked for two years for a company providing high accuracy location services for embedding into GSM networks
GSM networks support multiple methods for determining the location of a handset - ranging in accuracy from the cell location (accurate to kms down to 100's of m) up to and including GPS enabled on the handset itself. (The technology I worked on was measuring the timing of arrival of base station signals on the handset and using that to determine its location - google for E-OTD).
One of the initial drivers for high accuracy is for emergency use (E911 in the US, sim elsewhere), and for obvious reasons does not require permission from the end user for the emergency services to locate your handset.
The operators have looked to resell this technology for general use and it is available for 3rd parties to buy from them to build applications round - e.g. the World Tracker here could be based on such a resold service. Obviously opt in/out should be applicable.
Hehe, Symbian or Windows Mobile...
... how do I love proprietary OLD devices.
And I will NEVER EVER use a mobile phone with built-in GPS/GALILEO
From Worldtracker's site...
World-Tracker.com GSM is a service which can give you the peace of mind of knowing where your (love) children, their parents or any other pesky guardians are at any time, without letting them intrude on your day to day 'activity'. It uses the mobile phone network to locate your little 'friends' anywhere in the UK. You can access this information from this website or via text message.
World-tracker. Know where (...they are when you need some.)
Well, near enough.
@Sparky: ``I would think this is only borderline-legal''
And your point is?
My answer is the ``John Ashcroft solution'': buy a blister-pack pay-as-you-go phone. So long as you activate it from somewhere other than your own phone, it's anonymous.
(Admittedly, if They want to know whose phone it is, traffic analysis would have you nailed in minutes.)
RE: Cell phone eavesdropping -
This has been done for years...in fact, one very large company routinely listens in on its employees' company issued phones - without their knowledge (you can't even tell you've been connected).
Solution? Turn the damn thing off when not in use.
"in fact, one very large company routinely listens in on its employees' company issued phones - without their knowledge "
These laws vary from state to state in the US, but I believe that every state requires that either the caller or the callee must be informed that a call is being monitored/recorded. So either the employees signed something saying they understand that the company will do this, or when they call someone that someone would get a message ("to improve the quality of service, this call may be monitored or recorded") which the employee would get asked about in short order.
I don't think there's a legal way for a company to listen in on a company-issued cellphone without the employee knowing.
This is perfectly possible - I've tried followus.co.uk myself (for tracking my 11-year-old daughter, should she ever go missing on the way back from school).
It's done by measuring the time from the handset to the towers, with obviously one tower giving a ring of locations, two towers giving two intersecting points, and three or more should be enough to identify the point to within _up_to_ 100m. The best I got, in the rather rural area I live in, was around 2 miles away :-( but at least it did show the handset wasn't far, and it would have shown if it was 300 miles away, so 2 miles isn't so bad I guess.
Detecting the location of people, without their knowledge, is a EU privacy violation, so all these sites *must* have controls to prevent this, like sending initial and periodic confirmation text messages.
Fundamentally, the access to the data is sold by the phone companies, so if they violate the rights of the handset holder, the tracker company, the phone company, and the person illegally tracking someone may all be culpable. The regulator, OFCOM, have already got these companies to tighten up on handset-holder authorisation, and it is very likely that abuse of these services will be looked upon as poor governance by the phone company, who it can fine, and ultimately revoke their license.
Technically, it looks like Vodafone have the best location capability, e.g. they retain location data when/where a handset is turned off, so even if the phone is turned off, out of signal or destroyed, at least you know when & where it was at that point. (Other phone companies may have caught up now, technology being, well, 'technology')
@sparky - IMSIs aren't usually used with basestations in Europe, temporary IMSIs (TIMSIs) are automatically generated and used after initial power-up handshake. Part of this is to make it difficult to join phone data with a phone number through sniffing - you would need to sniff the initial IMSI/TIMSI handshake, and continuously monitor for TIMSI change.
The companies (WorldTracker, ChildLocate, ..., MobileLocate) have direct access to the Mobile Operators location database. We have done some research on this topic a couple of weeks ago.
The scary part here is that the company (MobileLocate etc) has access to the location information of any mobile subscriber with or without their consent (again, direct access to the MobOp location database).
It is then up to the company to only display tracking information to those people who pay for the service.
Of course there is a 'policy' in place that explains that the company should only extract location information of those subscribers who agreed to it.
Technically they can extract Location Information of anyone. By policy they are only 'allowed' to extract of those who agree.
The definition of 'agree' and how to authenticate the user is left to the tracking company.
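Added example (not part of any comment above, and not any operator's or tracking company's real code): a sketch of the operator-side control the comments argue for, where consent is checked per subscriber and requester before any lookup, with the one-time confirmation described in the post set beside the periodic re-confirmation mentioned in the comments. The class name, the 30-day interval, the account names and the phone numbers are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LocationGateway:
    """Hypothetical gate placed in front of an operator's location database."""
    # None reproduces the one-time confirmation described in the post;
    # a timedelta enforces periodic re-confirmation by the handset owner.
    reconfirm_every: Optional[timedelta] = None
    consents: dict = field(default_factory=dict)  # (subscriber, requester) -> datetime
    audit: list = field(default_factory=list)     # every decision, allowed or not

    def record_sms_reply(self, subscriber, requester, now):
        # Called only when the handset itself answers the confirmation SMS.
        self.consents[(subscriber, requester)] = now

    def revoke(self, subscriber, requester):
        self.consents.pop((subscriber, requester), None)

    def authorize(self, subscriber, requester, now):
        confirmed = self.consents.get((subscriber, requester))
        if confirmed is None:
            decision = "deny:no-consent"
        elif (self.reconfirm_every is not None
              and now - confirmed > self.reconfirm_every):
            decision = "deny:reconfirm-required"
        else:
            decision = "allow"
        # The subscriber or a regulator can later review who asked, and when.
        self.audit.append((now.isoformat(), requester, subscriber, decision))
        return decision


def demo():
    """Run the same three queries against both policies (constructed data)."""
    t0 = datetime(2008, 5, 9, 6, 27)
    later = t0 + timedelta(days=90)
    gateways = {
        "one-time": LocationGateway(),
        "periodic": LocationGateway(reconfirm_every=timedelta(days=30)),
    }
    results = {}
    for name, gw in gateways.items():
        gw.record_sms_reply("+440000000001", "acct-A", t0)
        results[name] = (
            gw.authorize("+440000000001", "acct-A", later),  # stale consent
            gw.authorize("+440000000001", "acct-B", later),  # other requester
            gw.authorize("+440000000002", "acct-A", t0),     # never asked
        )
    return results


if __name__ == "__main__":
    for policy, decisions in demo().items():
        print(policy, decisions)
```

With one-time consent the 90-day-old confirmation still yields "allow"; with periodic re-confirmation the same query is refused until the handset owner answers a fresh prompt.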
"Solution? Turn the damn thing off when not in use."
No, pull out the battery, turning it off isn't enough.
Anyone who seriously cares about privacy doesn't own a cell phone or pager, period. If you laugh this off or challenge it with your fat fingers you're just another monkey.
This sort of service is available in Germany as well, with all the described features (GSM & GPS location) and more. Similar to the service Dom describes in http://www.schneier.com/blog/archives/2008/05/... , it is marketed as a monitoring service and package (you can order a complete kit including a GPS-enabled handset) for children and is offered by a foundation mostly engaged in various emergency communication services (such as the motorway phone box network): http://www.steiger-stiftung.de/...
As Bruce has often blogged, targeting concerned parents is a very effective way to cast aside all collateral privacy concerns.
If the audio bugging product requires mobile internet connection for data transmission, it should be pretty easy to detect, in Australia at least; just wait for the sudden $1000 increase in your mobile data costs....
Every recording I've heard (which means in North America) about "this call may be recorded or monitored" goes on to say "... for quality and training purposes." This means use of the recording is limited to those stated purposes
@a - "No, pull out the battery, turning it off isn't enough."
Yes, I stand corrected.
> This means use of the recording is
> limited to those stated purposes
I don't believe this is correct; if it is it will vary state by state and most likely will be interpreted case law not written legislation.
California's eavesdropping laws concern themselves with "expectations of privacy", not with the use of a recording after it has been recorded.
I wrote a little about this here:
A full guide to taping phone calls here:
Follow up on that last post:
Since Flexispy enables you to turn on the speakerphone functionality for the purposes of recording ambient noise, this certainly would fail California's "expectation of privacy" condition whenever your Flexispy target is not in a public location.
While you could possibly get away with recording someone having dinner in a restaurant with a floozy, if you kept recording while they were in the bedroom you'd be open for the penalties:
"It is also a crime to disclose information obtained from such an interception. A first offense is punishable by a fine of up to $2,500 and imprisonment for no more than one year. Subsequent offenses carry a maximum fine of $10,000 and jail sentence of up to one year."
"Anyone injured by a violation of the wiretapping laws can recover civil damages of $5,000 or three times actual damages, whichever is greater. Cal. Penal Code § 637.2(a). A civil action for invasion of privacy also may be brought against the person who committed the violation. Cal. Penal Code § 637.2."
Please tell me what capabilities a helio phone has as far as spying on someone. My ex bought a helio phone for my daughter and ever since he seems to have become psychic. He knows where we are and what we are doing. How can I tell if there is a bug on the phone?
Sounds like your ex has the "Buddy Beacon" activated on your daughter's phone. You'll need to have her turn it off.
You can read a little about it on the Helio site:
My work phone is a smart phone. I have fussed to myself about things (and to no one else), only to discover the company knew what I had said. Think it's bugged.
Can someone download the spyware into your cell phone by simply calling it? A person called my cell phone for the first time and a name came up without me tagging the number. That is when I suspected this guy was trying to spy or track me. I think he did this while I was in his car through his GPS device.
Well, there may be a low-tech solution to the "phone as listening device." That is to keep it in a padded pouch when you're not using it.
1. You can turn off 'location services' on phones with GPS or locator service (usually in the 'settings' menu). BONUS! This also increases battery life! And you just turn it on when you want to use the GPS, etc.
2. Anyone who's ever had to enter a 'secure lab' or area (like TOP SECRET or higher) knows that you must surrender your cell phone before being allowed to enter. It is TRUE that an external signal can TURN ON your phone and activate the mic to become a listening device. So you must remove the battery to become completely secure. This is kinda tough for the new iPhone. Love it, but you can't remove the battery! So leave it in the trunk if you're discussing sensitive information.
OBTW, many rental cars have GPS and listening devices (so they can tell if you were speeding, travelling to unauthorized locations, etc.) so don't discuss anything you don't want on the internet in a rental car!!
Is it possible to remotely set up a target cell phone so that I can listen to their calls and/or background conversations? Will I be able to view phone numbers to and from the target cell? Does the target cell give ANY indications that it is being accessed? Assuming a cell phone can be remotely targeted could I remotely remove or undo the spyware at a later date? I suspect my friend is having secret conversations with other(s). I have questioned this and (not surprisingly) it was denied. If my suspicions are wrong I don't want to reveal that I have been eavesdropping. If they are correct I will have to make choices. Thanks for any info you can provide.
I've had my cell phone for about a yr and the service and same number for two years, and in the last 2 days I've started receiving text messages and phone calls from people who expect me to be someone they talk to often! However, since I've had my phone I rarely talk to anyone other than my spouse, with few if any wrong number calls or texts. Does anyone know if there is a way a cell can be "tagged" for purposes unknown to eavesdrop? @ 50 to 70 miles away? What if number is from the area these numbers originate from also?
Is it possible to remotely set up a target cell phone so that I can listen to their calls and/or background conversations and/or i can read their text messages in my phone or computer?
Hello son. This is wrong and you know better.
Is all this legal in the US?