SMS of Death

This will be hard to fix:

Using only Short Message Service (SMS) communications—messages that can be sent between mobile phones—a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run on a phone. Network operators use these files to, for example, change the settings on a device remotely. The researchers used the same approach to attack phones. They performed their tricks on handsets made by Nokia, LG, Samsung, Motorola, Sony Ericsson, and Micromax, a popular Indian cell-phone manufacturer.

[...]

The researchers were able to create malicious SMS messages for each type of phone they studied. The messages affect the phones without any response from the user. Because feature phones are so common, Mulliner says, such an attack "could take out a large percentage of mobile communications."

To target a specific user, an attacker would need to know what kind of phone he or she uses, since each platform requires a different message. But Mulliner says that attackers could easily knock out large numbers of phones by sending a set of five SMS messages—targeted to the five most popular models—to every device on a specific network. Mulliner notes that there are Internet-based services that send SMS messages en masse either cheaply or free, making it possible for an antagonist with limited resources to carry out such an attack from anywhere in the world.

EDITED TO ADD (1/9): A response from one of the researchers.

EDITED TO ADD (1/12): Their talk is online.

Posted on January 6, 2011 at 1:13 PM • 48 Comments

Comments

zorroJanuary 6, 2011 1:34 PM

how nice, an additional way to cause problems to other people:-(

I guess it is a variant of the "exploding SMS" described e.g here:

Mobile phones explode after receiving calls from numbers that appear in red
Thirty cases have been reported so far within a period of one week. According to the witnesses and victims the explosion took place soon after they received calls from numbers that appeared in red on the handset screens. Most of the victims complained of nausea and a splitting headache and some of them had become unconscious after the explosion.
(my URL below has link to source)

Nick PJanuary 6, 2011 2:01 PM

The makers of Cryptophone saw this risk coming. Their hardened Win Mobile removed and altered substantial portions of messaging code.

AlanJanuary 6, 2011 2:07 PM

Actually, this is reasonably easy to fix. The telco's simply need to add filtering software to their message delivery platform, similar to the filters on email servers that screen out spam, trojan's and other unwanted emails. If the malicious SMS messages are not delivered to the handsets, then they cause no harm.

DogsbodyJanuary 6, 2011 2:13 PM


This has been possible for quite a while and is another example of how newer smartphones *could* at least be more secure than old phones as they can be upgraded and patched.

5 Years ago my entire company had Nokia 6310 phones. A bug was found where you could read all the phones SMS via the bluetooth stack. I was the only one that downloaded and reflashed the phone to fix the problem.

5 years on and people are still using this phone with this vulnerability :-(

Matt from CTJanuary 6, 2011 2:16 PM

So what their saying is with some open source software and the right hardware to emulate a cell...I could knock out most of the phones within a [theater|train|airplane]. This could be useful ;)

I wonder how easy it would be to build the femtocell, capable of working on multiple radio bands, gsm + cdma, etc into a working laptop?

Clive RobinsonJanuary 6, 2011 2:51 PM

@ zorro,


It's a stupid message that makes people pass it on to others and is doing the rounds in places like Africa at the moment.

It's like those emails warning of viruses that. didn't exist.

If you thing about it unless your phone has a colour option it's kind of difficult to make the phone number come up in red.

Davi OttenheimerJanuary 6, 2011 3:02 PM

Attack binaries are specific to the handset? Sounds like a feature; Providers send a binary of death to get subscribers to update to a newer model phone...

It's impt to note the research all was on a private open-source network not a real provider. The researchers discussed with providers but did not test with them. They mention in the presentation that providers can filter the binaries...not really a "hard" fix.

The reason there is no need for this attack vector on the iPhone: users find it "interrupting phone calls, to disconnecting people from the network" by design. They even pay extra for it.

bobJanuary 6, 2011 3:04 PM

A binary program? Are you sure? SMS messages can contain a UDH. Different programs can be used to handle the message depending on the UDH. The rest of the message is the payload. This is how multipart messages and MMS work. I assumed that phone configuration type messages worked on the same basis.

My phone indicates that I've got a config message and asks me to confirm that it should be run. As I have no way of knowing where it came from, I never do.

BrianDJanuary 6, 2011 3:21 PM

TSA could use this to make it safe for us to bring toner cartridges on planes again!

(the toner bombs used phones as the triggering device. Since TSA only defends against previous specific threats, disabling phones would be sufficient to thwart that attack vector.)

TimJanuary 6, 2011 3:51 PM

How on Earth do they managed to mess up the parsing of a text message? That's beyond incompetence.

RHJanuary 6, 2011 5:37 PM

Those who haven't, this is a good time to Wikipedia Blue box and find out just what happens to _EVERYBODY_ who sends important signaling in-band.

Its like putting your mySQL user/pass in a javascript and trusting no one to take advantage of it.

Richard Steven HackJanuary 6, 2011 5:50 PM

"How on Earth do they managed to mess up the parsing of a text message? That's beyond incompetence. "

Well, I still don't understand how it is that routers and browsers still can't handle anything coming over a telecom line. I don't care if "any" binary string can come across due to line noise or whatever. It's now twenty years past when this sort of thing was common in the "file transfer" programs of the '80's and '90's.

Just yesterday while downloading a file, my router went out. Took me a couple of hours fiddling around trying to determine whether it was the DSL modem, the router, or what. Tried all the usual fixes, nada. Finally hooked everything up again one last time, suddenly could ping the router. Got into the router browser interface, suddenly everything works again. Still don't know what the problem was or what fixed it.

So I'm not surprised that these phones have data commo stacks that can be shredded by some incoming data with one missing bit or something.

Whatever happened to the primary rule of any form data vetting: make sure you can handle ANY data that comes in to the program? Look at all the stupid SQL injection stunts - same thing.

Bottom line: Most system programmers are still morons.

Dirk PraetJanuary 6, 2011 6:25 PM

A particularly horrible week for network operators, I'd say. Berlin rules !

JimMcJanuary 6, 2011 7:53 PM

Is this another good reason for having SMS proxy/forwarding services like Google Voice? People text me at my Google Voice number, GV receives it and forwards it on to my dumbphone.

Not sure if GV strips out non-text portion of a message, but if it doesn't I'm sure Google (or any other SMS proxy operator) could make the change to do so. Using an SMS proxy service seems like it would solve the vulnerable-phone-OS issue.

Clive RobinsonJanuary 6, 2011 11:01 PM

@ zorro,

Not sure what hapend to the link I put into my earlier reply about the hoax text messages.

These texts include a list of numbers that you should not answer otherwise the phone will emit a high frequency noise thet will "kill you by brain hemorrhage" / "make you impotent" / "make you pregnant" / turn you into an undead by ancestor spirts angry about a phone mast on their graves... etc.

Supposadly if you are called the number will come up in red even on non colour phones...

You can read more about this hoax's little trips around Africa and Assia at,

http://urbanlegends.about.com/od/medical/a/...

It's been doing the rounds one way or another for some time.

@ Bruce,

I wonder if the hoax "brain exploades" SMS could be used as a psychology experiment in gulability of certain nations / races / beliefs.

Maybe I should start one in the UK about taking calls that stop you winning on the national lottery (and include the numbers of those anoying telesales companies ;)

ChrisJanuary 7, 2011 1:34 AM

@Alan, actually, this is not that easy to fix. Binary SMS are typically sent as multi-part messages, and can be sent with significant time delays between them, as the malicious/corrupt element could bridge the split in the messages. So the network would have to store all messages over a long period of time and decode them. Plus, an invalid message causing a crash on one phone model could be valid on another; I used to do this deliberately to a colleagues Samsung phone.

Danny MoulesJanuary 7, 2011 2:55 AM

"This has been possible for quite a while and is another example of how newer smartphones *could* at least be more secure than old phones as they can be upgraded and patched."

Low-end phones can generally be upgraded and patched too. The problem is they don't really give a crap about security, they believe obscurity is security, so no patches get pushed out.

SeiranJanuary 7, 2011 3:39 AM

Cellular providers have long been able to perform OTA programming and can occasionally control aspects of the handset's operation remotely, such as setting the WAP/SMS/VM gateways, unlocking screen-lock security codes and resetting the radio. I never looked into whether these commands were properly secured - signed/encrypted, protected against replay, locked to a recipient and time, etc - but the ability to change phone numbers (MSISDNs) remotely did seem like a possible security problem.

It's been reported in the news (http://news.cnet.com/2100-1029_3-6140191.html) that microphones can be activated remotely, with the FBI even bragging about their surveillance capabilities, on occasion. While I generally treat these stories with skepticism, it does remind me that mobile phone security is still in its infancy.

During the time when I used a BlackBerry, this was less of a concern. As security is a major selling features of those handhelds, I had assumed the software had been designed a *little* more rigorously. Though, you never know for sure.

I am on HTC/Android now. It's an open platform, and they've (Google et al.) put a lot of thought and clever features into secure design. For example, Whisper Systems notes in their FAQ (http://www.whispersys.com/support.html) that it's not possible to have "unkillable" background services without displaying a notification icon. However, the sheer complexity of the software and firmware code inside a modern smartphone makes an exploit almost inevitable. Again, polyculture helps to increase the cost of a successful attack here.

Dirk PraetJanuary 7, 2011 3:59 AM

@ Clive R.

I don't think race, nation or belief are determining factors in buying into hoaxes. It's all about education and awareness. Same thing with 419-scams. Then again, greed, lust, power and fear are known to shut down the brain. QED.


bitoJanuary 7, 2011 4:03 AM

Hi!
Good to see CCC news after a week.
There was a security audit team in Hungary with similar results with the first Communicator, around 10 years ago.
B2

BillJanuary 7, 2011 4:21 AM

Since SIM toolkit has been around for over a decade now, I'm amazed that this is the first exploit to take advantage of it. Letting the SIM card run run code that is delivered by SMS (and giving that code access to make calls and send SMS) has always seemed like a dangerous idea to me.

akJanuary 7, 2011 6:05 AM

@Davi Ottenheimer:
"It's impt to note the research all was on a private open-source network not a real provider. The researchers discussed with providers but did not test with them. They mention in the presentation that providers can filter the binaries...not really a "hard" fix."

No, in the presentation they said that they did the fuzz testing on a private network, but confirmed all found bugs on real networks in Germany. That's also how they found the retransmission issues and could determine the retransmission rates for each of the German providers.

Also, while there exists SMS filtering software, it isn't designed to filter binaries (rather text), and the network providers would have to maintain a list of patterns. So, if you wan to launch a massive attack, all you need to do is to find a malicious payload that hasn't been blacklisted yet, and your attack will succeed.

Nico GoldeJanuary 7, 2011 6:20 AM

Hey Bruce,
I was one of the researchers working on this and I'd like to clarify something I think technologyreview got slightly wrong.

"As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run on a phone."
Of course what they meant here was that we weren't sending simple text messages but rather binary payload that caused the issues. This is not to be confused with binaries running on the phone. Also the configuration binary messages were just an example, like one of the commenters said those usually need a confirmation on the phone to get installed. Our binary payloads don't.

This also renders Tims comment pointless, they didn't fuckup parsing of text. While I'm happy with the overall media responses towards this talk I'm also a bit disappointed to see that some of them just understood things in a wrong way and other media services were just blindly copying those. I highly recommend everyone to see the talk to get the complete picture.

Cheers

Clive RobinsonJanuary 7, 2011 6:38 AM

@ Seiran,

"Cellular providers have long been able to perform OTA programming and can occasionally control aspects of the handset's operation remotely, such as setting the WAP/SMS/VM gateways, unlocking screen-lock security codes and resetting the radio..."

Some manufactures can compleatly reflash the phone over the air due to being able to download a little helper applet to do it then overwriting the existing equivalent of a PC's BIOS & OS. There are a whole host of other tricks that can be done through the SIM using either a test SIM or the SIM Toolkit that you can get hold of fairly easily.

"I never looked into whether these commands were properly secured - signed/encrypted, protected against replay, locked to a recipient and time, etc"

Not realy the code is "signed" but due to the number of "sub-certs" around issued to network operators it realy does not have much meaning (partly because the phone can be factory reset / reflashed in most cases from an external connector). Some manufactures will optionally sell you hardware with your own PubKey in to do your own Over The Air programing on hardware you own. This is partly for development work and partly for people selling the likes of "fleet managment", "burglar alarm", "MediAid" systems.

"It's been reported in the news (http:// news.cnet.com/2100-1029_3-6140191.html) that microphones can be activated remotely, with the FBI even bragging about their surveillance capabilities, on occasion."

Yes it's true there are commands that can be sent down the "D chan" of Signaling System 7 that enables the Mirophone. You can thank the UK Gov under Harold Wilson for that (or more correctly the security services frightened at lossing the "flooding technique" that the "Spy Catcher" book Maggie Thatcher did so much to advertise ;).

Thus the functionality was built into the original "System X" protocols and then migrated into "ISDN" and has remained in there ever since and the GSM protocols sit on top of ISDN...

[And people wonder why I bang on about protocols being the bigest security threat there is...]

In theory it is also possible to make a 'silent' phone call to a number and have it auto answered via SS7 (though I've not actualy seen it done). So if I know your number I could through an SS7 gateway quietly call you up and listen in. Then there is "three party calling" which gives limited conferance abilities, all built into the GSM switch (which is one of the features supposadly used in the Greek Olympic Wire Tapping Scandal that Vodafone got caught up in).

Though why the FBI would want to boast about these capabilites I realy don't know, strikes me they are likely to make themselves "outsiders" to the "intel community" if they carry on like that. But then that's their choice.

You can tell if your phone has "gone on air" ie it's being spyed upon directly with something as simple as a small Medium Wave receiver likewise a small audio amp. The Cellphone system being a pulsed RF system actually puts out the equivalent of an envelope modulated carrier. This envelope can be detected by a simple diode detector or any amplifier. If you phone someone up and move your phone near a cheap AM transistor radio you will hear a loud continuous buzzing noise (the envelop) that won't be there when you are not talking (it will occasionaly buzz as the phone re-registers with the cell site occasionaly).

However with modern smart phones their are "audio memo" features, that is the phone behaves like a dictaphone and can store an outstanding amount of compressed audio without having to "go on air". And yes I've seen a prototype "private eye" version that interfaces to SMS and the GPS interfaces, and Internet interface to do file uploads.

"As security is a major selling features of those handhelds, I had assumed the software had been designed a *little* more rigorously."

Maybe, it does however not matter as to be a GSM phone it has to pass the base phone requirments and turning the mic on (if it is fitted and connected hint, hint ;) remotly is one of those requirments GSM has inherited...

I'd go and have a carefull look at how Android interfaces with the phone and how the air interface, and likewise how the air interface interfaces with the SIM and base phone features, you might be in for an unpleasent surprise.

Put simply most "smart phones" have two parts that talk to each other by a mediated interface (demarc). The base GSM compliant phone which contains the SIM and the rest of the phones features that can only communicate across the air through the mediated interface.

This is (supposadly) to stop uncertified software mucking up the Telco Network. In old systems this mediated interface used to be known as the "demarc" which is short for Demarcation Point.

What is on the air interface side of the phone is fully controled by the network, what is on the other side of this mediated interface the user controls.

This was originally designed to protect the Telco's engineers from being electrocuted etc by people inadvertantly connecting one phase of the mains to the phone line (which can happen with earth faults caused by dry weather etc).

It you want to see more have a look at section 2 of the EU RT&TTE directive (you'll find it on europa.eu) and the related standards framework that goes with it.

Peter A.January 7, 2011 6:43 AM

@Dirk Praet: "I don't think race, nation or belief are determining factors in buying into hoaxes. It's all about education and awareness."

I completely agree with your second sentence. Unfortunately, bad education is all too often correlated with particular sets of properties mentioned in the first sentence.

zorroJanuary 7, 2011 9:07 AM

@Clive Robinson,
Not sure what happened to the link I put into my earlier reply about the hoax text messages.

These texts include a list of numbers that you should not answer otherwise the phone will emit a high frequency noise that will "kill you by brain hemorrhage" / "make you impotent" / "make you pregnant" / turn you into an undead by ancestor spirits angry about a phone mast on their graves... etc.
---

Yes I had actually read about this hoax but the stories about SMS messages causing the phone to explode seemed different because:
A. it seemed somewhat more plausible B. did not include claims of extraordinary effects on the listener
C. did not attempt to spread with the help of fears caused by superstitions.

Yet of course these reports of explosions could be a hoax as well. Although, looking at what you write in your last post it seems like there is considerably more to the SMS system than what is generally known.

dobJanuary 7, 2011 10:48 AM

@Peter A:

Bad education is correlated with nationality, is probably correlated with belief. Your suggestion that bad education is correlated with race is not supported by the data, however, and it's by definition racist.

Petréa MitchellJanuary 7, 2011 11:30 AM

Dirk Praet and Peter A.:

I'm afraid it's worse than that. Low education levels make people more susceptible to certain types of hoaxes and superstitions, but higher education opens you up to other kinds.

And one thing that increases your vulnerability to any of them, regardless of education, nationality, or religious belief, is believing that you are less gullible than most people.

Clive RobinsonJanuary 7, 2011 1:14 PM

@ zorro,

"Yes I had actually read about this hoax but the stories about SMS messages causing the phone to explode seemed different"

They may well be so, however in the hoax I pointed to you get the "number in red" and "27" people died etc.

The points you had the same "numbers in red" and 30 people.

Which just sounded to coincidental.

What we both need is a good honest report on it that can realisticaly be verified.

One of the problems with the Internet is to get readers smaller news sites are getting more and more like "The National Enquirer". That is the more bizarre / gross / outlandish / sexed up the stories the more hits they get thus advertising revenue.

As a journalist friend of mine told me over twenty years ago,

Mrs Smith "wins cake competition" is of local interest, Mrs Smith "Gives judges food poisoning" is of regional interest, where as Beautiful Miss Smith "Kill's cake judges with witch's love potion in cake" is of national if not international interest.

Clive RobinsonJanuary 7, 2011 2:51 PM

@ dob,

"Your suggestion that bad education is correlated with race is no supported by the data, however, and it's by definition racist"

I don't think that is what Peter A. is saying.

If you take his paragaph as a whole his first sentance makes the second sentance read as though others are incorectly ascribing a connection between race and education.

Which is unfortunatly true and is in many cases as you note racist.

I will however note that there is a corelation with depravation and run down areas and lack of education resources. And that unfortunatly due to other factors you do oftem get a particular demographic.

I will also note that the IQ test used to rate peoples abilities has been accused of being racial biased in the past with good reason.

GabrielJanuary 7, 2011 5:49 PM

Perhaps this explains the exploding droid. http://www.mobiledia.com/news/77570.html

I guess Baseband designers took halt and catch fire quite literally.

Ok being serious now I wonder if teh gubmint's going to eventually use this as an excuse to start "locking down" (monitoring and blocking legit traffic) in a big telecomm cyber security push.

go2nullJanuary 7, 2011 7:53 PM

SMS (or rather Teleservice) can accomodate different applications (with different Teleservice IDs, like ports in TCP).

The SMS stack will forward the message to the appropriate app for that Teleservice ID.

Text Messaging uses one Teleservice ID, OMA-CP - what's described in the article - uses another.

Rajesh LambaJanuary 7, 2011 8:26 PM


@Bruce, the 2000-2010 was a decade of internet chatting and 2010-2020 will be of course a decade of human/social networking. In both the decades we have seen security risks and privacy issues getting higher and higher towards the upper layers of human networking. The private information is being sold and missused at the risk of security of the human lifes. The governence and people are not safe due to the leaks in security agencies and/or by human networking groups. Needless to say the human network is becoming more and more sophisticated and vulnerable with time.


Nontheless, humans have always been intelligent and fast in learning than the machine of all the times. Human brain is always exponential in learning for unethical gains while the technologies have always developed in linear manner.


Schneier, your keynote in Pune, India was an eye-opener. We remember you suggested the paper voting for the election along with the EVMs. The same could be applied on the currency notes which come out of ATMs using credit/debit cards, if possible with digital watermarking of transaction made and credit card details used in every transaction so that we can follow it easily if required. The paper documentations along with smart electronic system backups. This way we can audit manually, in case of frauds and scams.(I was feeling sleepy after the lunch, because I had not taken rest for the last 48Hrs and I unfortunately missed some important points in the telecom-session.)

The human values and the humanity has always been given top priority in both of our democracies. The human freedom, the privacy, should never be challenged on the ground of homeland security and/or insecurity of the comman man. Sir, we further need your comment on these issues and risks in India.

skywalkerJanuary 8, 2011 7:14 PM

Hi guys
where I can read sample code of sms of death. I want to try it. where it is available?

AlexJanuary 9, 2011 11:33 AM

The horror of it is that the GSMA has just come around to accepting OTA SIM update (i.e. can change carrier by SIMtoolkit message), which they rightly rejected for years on security grounds. The nice thing about the SIM being that it's user-swappable and physically evident, and provides the various crypto gubbins to use the network. You could rely on some things being safe as long as the enemy didn't have physical access to the handset, and at the very least, you could pull the SIM and install a fresh one, then theoretically grab a signed update for the handset. If you can't pull out the SIM card, or they can just zap it again, that makes both security and recovery far easier.

Clive RobinsonJanuary 10, 2011 2:39 AM

@ Alex,

Your last sentance,

"If you can't pull out the SIM card, or they can just zap it again, that makes both security and recovery far easier"

Jibes with the previous sentance and the earlier part of your post.

Unfortunatly with GSMA effectivly representing the "network operators" not end users, Over The Air (OTA) Subscriber Interface Modual (SIM) updates for things that will significantly reduce costs for the operators will be given a high priority especialy if it also alows the "opening up of the market" political ethos to move forwards.

Historicaly user security in telecoms has always been a "lip service only" political aim due to the drivers of "National Security" and the "drivers" of those LEO's etc behind it.

The problem the LEO's and the politico's etc they advise don't appear to realise is, that rather than decreasing security, increasing it in line with technology would be in their best interests long term.

Recent history shows us that when it comes to protocols and their security strength, standards authorities retrospectively don't appear to have much knowledge of the subject. This is because, often what they do has a habit of being subsiquently shown as having exploitable faults.

Please note the use of "retrospectivly" and "subsiquently", this is because the faults are usually found by academic researchs after the standards have been in place for a while. That is although the faults might be in a broad class of fault that is "known" the specific fault is new and thus would have been "unknown" to the standards bods when making their choices.

It is an open question as to if the fault types where "known" to national level communications security organisations (GCHQ et al) or not prior to a standard. The ComSec agencies dual rolls of protecting National Security whilst breaking the communications of other nations effectivly prevents them from giving anything other than suggestions to teams they can trust, which is difficult in multinational teams such as international standards organisations.

The one thing we do know is that in the past ComSec agencies have taken a very conservative aproach to the design of equipment and have frameworks that alow for the relativly easy changing of parts of equipment.

This used to be the method used in engineering prior to high reliability electronics and in some respects can still be seen in the way EU standards are developed.

One can only hope that the GSMA mandate a way to do things within a conservatively designed framework so that parts that will inevitably have faults found in them can be replaced in a simple and cost effective way such that legacy issues do not keep the faults in circulation any longer than is necessary.

One of the apparently odd dynamics of the mobile phone networks market is that the users usually keep their SIMs longer than their phones...

Peter A.January 10, 2011 2:37 PM

@dob:

If you read my post carefully, you will notice I meant *some* (not all) *sets* of traits, that is a particular combinations of any or all of them. You've mentioned a particular, and rather obvious single-element set: nationality. There are some others not so obvious but present, and having identified them is not racist ravings but a statement of a sorry state of affairs.

Intelligent people (like Clive) should notice that all of it drills down to the place of residence. Most people receive their education - or most of it - in or near their place of residence. Given a particular place of residence, large (a country) or small (a neighbourhood) it will have both a specific demographic and a specific level of education - for complex historical, economical, political, social and other reasons. Poeple tend to socialize with the likes of them and breaking out of your own social circle is hard - the more deteriorated and poorer the local environment, the harder. Therefore most people from poor countries and bad neighbourhoods receive anything from not-so-good education to next to no education. Sadly, it seems to be a self-aggravating condition, unless significant external efforts are present to amend the situation. Even the most developed and richest countries in the world have failed to eliminate the problem completely.

Ok, this is the elaborated form of my previous two sentences. Now back to your post. Your definition of racism (or at least your concise expression of it, not necessarily your intention) is somewhat circular. In the light of it, any statement about a race may be considered racist. My definition is more along the lines of unequal treatment of people of various races based on their race alone, or inference of superiority of one race over another, not about observing some statistical differences - correlation is not causation. Indeed I would reasonably expect that comprehensive survey of the global population (I am not aware of any - it would be very hard to perform truly reliably and mostly pointless in my opinion; and the race itself is actually hard to quantify) would show differences of the *average* level of education based on race - for the very basic reasons: the greatly uneven distribution of educational resources over the whole Earthly territory and likewise uneven distribution of racial demographic profiles over the same territory - and the causes of these distributions are many and very very complex, racism (historical and present-day) included. This is just the current state of affairs, period.

Said that, there's nothing to support that one race is "less intelligent" (whatever that means, IQ tests actually testing the ability to solve IQ tests) than another - which you may have been referring to as "unsupported by data". My private adage is that if one race of homo sapiens sapiens would be less intelligent or in some other way inferior than some other race it would have been wiped out in prehistoric times.

@all:

Sorry for overlong post.

Michael DwyerJanuary 10, 2011 4:30 PM

@Clive
Just a slight niggle: The buzzing interference you hear on a radio is a trait of TDMA cell phone protocols, like used in GSM. Most modern air interfaces are going CDMA, which doesn't interfere in nearly the same way.

Still, your point still holds that you could presumably detect a higher field strength around the phone when it is active. I propose an easier method -- monitor the amp draw on the battery. Especially on a non-smartphone, that should be a pretty good indicator of when the phone is transmitting, and is something one could presumably do with nothing more than a multimeter.

Nick PJanuary 10, 2011 7:12 PM

@ michael dwyer

Nice idea. The problem with it is that smartphones are the most common among business people and government types that spies would target. Many low tech crooks still use older phones but even many sub-$100 prepaid phones are becoming more like smartphones. Better to invest in a survelleince tech that works on both types.

Clive robinsonJanuary 11, 2011 2:06 AM

@ Michael Dwyer

"Most modern air interfaces are going CDMA, which doesn't interfere in nearly the same way."

The TDMA-v-CDMA debate will no doubt run and run as both have differing advantages.

However without a doubt TDMA is the most anoying as far as interferance is concerned for the very same reason it is easily detected.

The problem with CDMA from the detection aspect is as you identified the need for more obvious or specialised complex equipment.

With in the case of the multimeter needing to get access within the phone usualy underneath the battery which is not just awkward it is very obvious to even the untrained eye. Wires hanging out of a mobile phone these days is likley to scream "terrorist" to many cops and plenty of others, which will get you the sort of attention you don't want. Also how do you explain away having a mutimeter permanently attached to your phone...

In both cases of anti-surveillance equipment for CDMA "it is obvious" if you are picked up for casual search. However having your iPod in or clipped adjacent to the same pocket as you GSM TDMA iPhone just makes you look like at worst like an "Apple nerd".

It is an aspect of surveillance "field craft" many people who put people under surveillance forget.

If you as the target look and behave like "Jo Rube" then you will get the rookie surveillance operative tripping over their feet on your tail. If however you behave like a switched on surveillance aware operative then you will get the invisable ten man team on your tail.

As a potential target you do not in any way want to appear as being "surveillance savey". Because this can easily mean the difference between life and death or worse in many places in the world.

Also if you are aware you are being watched because you got the rookie stumbler you can change you behaviour in a number of non obvious ways.

The whole point of surveillance is gatherin intel or more pragmaticaly "giving you rope to hang yourself" and hopefully others by.

But importantly surveillance done properly is skilled manpower hungry and thus expensive, it is not something most LEO's do well and training to do it well takes practice. It is also inordinatly noisy in the setup phase thus as a potential target a few simple non obvious techniques setup in advance will give you due warning.

However there is still the issue of random chance, or "Murphy's law", if you have your phone connected up to a bit of obvious anti-surveillance kit you have to be able to explain it away within your assumed persona or "legend".

That is if the kit you are using becomes known by random event like, it snags and comes out of your pocket accidently when taking the phone out, or you get stopped and searched for a reason unrelated to your activities, or somebody you have had to get close to goes through your pockets for some reason (like doing the washing / finding a pen), etc, etc you have a problem you don't want to have.

And don't forget in many places anti-surveillance equipment is illegal and can be confiscated on the spot or get you into a whole world of hurt.

When it comes to field craft simple and in charecter are what you are looking for, anything and I do mean anything that looks even slightly odd (even a trailing shoe lace) will draw peoples attention to you and that's when your carefully woven cloak of charecter or legend starts to unravel.

Nick PJanuary 11, 2011 2:14 PM

@ Clive Robinson

Nice post. I find the best strategy for dealing with this is two-fold: (1) stay out of countries that will jail you for counter-surveillance efforts; (2) make sure your legend would explain the need for counter-surveillance. For instance, if you can snag a position on the board of a decent sized company, you have plausible deniability due to rampant industrial espionage. A security consultant who has mobile access to sensitive intranets or specializes in counterespionage might also plausibly look for bugs because they are also a worthwhile target of crooks. The point being that a person who is a worthwhile target and employs counter-intelligence methods isn't suspicious: the TSCM market grows every day.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..