Schneier on Security
A blog covering security and security technology.
October 14, 2013
Fingerprinting Burner Phones
In one of the documents recently released by the NSA as a result of an EFF lawsuit, there's discussion of a specific capability of a call records database to identify disposable "burner" phones.
Let’s consider, then, the very specific data this query tool was designed to return: The times and dates of the first and last call events, but apparently not the times and dates of calls between those endpoints. In other words, this tool is supporting analytic software that only cares when a phone went online, and when it stopped being used. It also gets the total number of calls, and the ratio of unique contacts to calls, but not the specific numbers contacted. Why, exactly, would this limited set of information be useful? And why, in particular, might you want to compare that information across a large number of phones there’s not yet any particular reason to suspect?
One possibility that jumps out at me -- and perhaps anyone else who’s a fan of The Wire -- is that this is the kind of information you would want if you were trying to identify disposable prepaid “burner” phones being used by a target who routinely cycles through cell phones as a countersurveillance tactic. The number of unique contacts and call/contact ratio would act as a kind of rough fingerprint -- you’d assume a phone being used for dedicated clandestine purposes to be fairly consistent on that score -- while the first/last call dates help build a timeline: You’re looking for a series of phones that are used for a standard amount of time, and then go dead just as the next phone goes online.
Consider this another illustration of the value of metadata.
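As an added illustration (not part of the original post or the released document), here is a small Python model of the analytic described above: it reduces constructed call records to exactly the per-phone fields the quoted text says the tool returns (first and last call dates, call count, unique-contact ratio), flags phones with a short active window and a stable contact set, and then links phones whose first call follows another's last call. The thresholds and the record layout are assumptions.

```python
"""Toy model of the 'burner fingerprint' the post describes.  Added example;
the call-detail records below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, calling number, called number).
# P1..P3 are a chain of short-lived phones with the same two contacts;
# P9 is a long-lived phone with a different contact on every call.
CDR = [
    ("2013-01-01 09:00", "P1", "X1"), ("2013-01-03 10:00", "P1", "X2"),
    ("2013-01-05 11:00", "P1", "X1"), ("2013-01-07 12:00", "P1", "X2"),
    ("2013-01-09 09:30", "P2", "X1"), ("2013-01-11 10:30", "P2", "X2"),
    ("2013-01-13 11:30", "P2", "X1"), ("2013-01-15 12:30", "P2", "X2"),
    ("2013-01-17 09:15", "P3", "X1"), ("2013-01-19 10:15", "P3", "X2"),
    ("2013-01-21 11:15", "P3", "X1"), ("2013-01-23 12:15", "P3", "X2"),
    ("2013-01-01 08:00", "P9", "Y1"), ("2013-01-10 08:00", "P9", "Y2"),
    ("2013-01-20 08:00", "P9", "Y3"), ("2013-01-30 08:00", "P9", "Y4"),
]


def fingerprint(records):
    """Per-phone summary using only the fields the post says the tool returns:
    first/last call time, total calls, and unique contacts divided by calls.
    The specific numbers contacted are deliberately not kept."""
    calls = defaultdict(list)
    for ts, caller, callee in records:
        calls[caller].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), callee))
    out = {}
    for phone, events in calls.items():
        times = [t for t, _ in events]
        contacts = {c for _, c in events}
        out[phone] = {
            "first": min(times),
            "last": max(times),
            "calls": len(events),
            "contact_ratio": len(contacts) / len(events),
        }
    return out


def short_lived(fp, max_days=14, max_ratio=0.6):
    """Candidate burners: a short active window and a small, repeated contact
    set (low unique-contacts-to-calls ratio).  Thresholds are assumptions."""
    return sorted(
        p for p, f in fp.items()
        if (f["last"] - f["first"]).days <= max_days
        and f["contact_ratio"] <= max_ratio
    )


def chain(fp, candidates, max_gap_days=3):
    """Build timelines: order candidates by first call and link each phone to
    the next one whose first call falls shortly after this phone's last call."""
    order = sorted(candidates, key=lambda p: fp[p]["first"])
    chains, used = [], set()
    for p in order:
        if p in used:
            continue
        seq, used = [p], used | {p}
        while True:
            last = fp[seq[-1]]["last"]
            window_end = last + timedelta(days=max_gap_days)
            nxt = next((q for q in order if q not in used
                        and last < fp[q]["first"] <= window_end), None)
            if nxt is None:
                break
            seq.append(nxt)
            used.add(nxt)
        chains.append(seq)
    return chains


if __name__ == "__main__":
    fp = fingerprint(CDR)
    for phone, f in sorted(fp.items()):
        print(phone, f["first"].date(), f["last"].date(), f["calls"],
              round(f["contact_ratio"], 2))
    print("candidates:", short_lived(fp))
    print("chains:", chain(fp, short_lived(fp)))
```

Note that P9 makes the same number of calls as each P-phone; what separates it is the long window and a contact ratio of 1.0, which is the point of the quoted passage.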
Posted on October 14, 2013 at 6:37 AM
I'm also guessing that you'd be able to figure something out by noticing that certain numbers where often being called by these disposable phones.
Yeah I guess you don't need complicated heuristics to determine that say, a phone that is activated, used for a handful of calls and then goes inactive probably needs more attention. I guess you could also have a 'fishy-ness' metric on each phone number based on the number of calls made to it from disposable cells (or even better calls made to it from disposable cells that meet the criteria we spoke of above). Once you normalized it by taking a median fishyness of all the currently connected phones you'd find the outliers - and the ones to the positive side are the ones you scrutinize.
Hemispheres (the AT&T service for the DEA) specifically advertises this as one of the two big capabilities (the other being pen registers without a court order!)
I suspect the AT&T version is better: I suspect it is that you look for all phones with a similar call graph to the target and a similar tower/movement pattern. It's two linear passes in a Hadoop style data store to generate the candidates.
With mobile so available and "pay as you go" widespread, I wonder how many individuals will get caught up in a dragnet. Imagine for a moment you purchase a pre-paid using say 2125551212. You use the phone for only a month for whatever reason. Now imagine the next individual who purchases a pre-paid being allocated the same DID, doing nefarious things. Some of the things this country does is so bizarre.
Isn't this similar to how the Lebanese tracked down some spies a few years ago? Foggy on details. Looking for articles but cannot find. Basically, the L looked at call records that fit typical tradecraft patterns. Phones which were often off, turned on for short periods, made limited calls to specific numbers and then turned off again. Think they grabbed some CIA related spying activities.
Like the use of TOR, if you use a certain product in a certain way, you are much more likely to be marked. This underscores the importance of blending, instead, to avoid detection, in the first place.
Remember, everyone's a criminal, it's just a matter of finding out what they've done wrong. No need to worry about "innocents" caught up in the dragnet.
Plausible. Fixed habits are a very bad idea when you want to avoid being identified by data-mining techniques.
Another good metric would be the percentage of time the phone is connected to the cell network. "Normal" people probably have their phones on 90-100%, whereas those who don't want to be tracked would pop the battery until they want to use it.
I'd be surprised if this isn't also in their mix and just not mentioned.
All of these metrics seem very difficult to evade while still maintaining compartmentalization. However, if one were to just think "How would I track people like me if I were on the other side of the fence?" they could probably come up with this same list and try to evade detection. The question is: how many [shady] people actually do this? (A: probably not many)
Now do they do that by IMEI or by number or both?
I have a phone that I have had for some years, but it's had a number of different SIMs over the years, occasionally for short periods of time. Would the IMEI be flagged because of the short usage periods of some of the SIMs? Would those different SIMs be connected because they have been used in the same phone? Would other phones those SIMs have been used in then be flagged?
Could I explain this to $AGENCY?
In the UK the LEA's have been getting their "panties in a wad" over "burner phones" for some considerable time (I've seen briefing documents that long pre-date 9/11).
The problem turns out not so much to be an issue for LEA's but for those that don't do their OpSec right with burner phones.
In effect mobile phones have two (supposedly) unique numbers: one is the equivalent of the electronic serial number of the phone and the other the serial number of the subscriber identifier on the SIM that via the network center DB becomes the "phone number".
So putting a new SIM in an old phone links it back one step to the current or previous owner's phone number via the phone serial number. Often this is sufficient to identify the current user. Likewise putting an old SIM in a new phone provides a link on the SIM serial number.
Further, carrying the phone around leaves "bread crumbs" which can be cross-correlated with other mobile phone tracks, which can identify a unique individual or collection of individuals.
Knowing and adhering to the complex OpSec that goes with the use of burner phones is very difficult.
One thing you can do to alleviate it is to use an old fashioned "pager service"; as a one way broadcast service it's more difficult to track a recipient of messages.
Thus you have your burner with battery out; when you get a page you move to a known place and leave your ordinary mobile there, and then go to a random place sufficiently far away and put the battery back in the burner and make/take the call at a pre-arranged time. Then remove the battery from the burner prior to moving, then go back to where your normal phone is and retrieve it. Obviously the random place you select should be one you've not used before, or will use again...
There are other tricks but as you can see it's not easy avoiding a ubiquitous Big Brother with records going back not days but years.
I've just marked myself as 'abnormal' then - although following a completely predictable and I suspect not too unusual pattern. I turn my phone off whenever I'm driving so there are two blocks (at least) each day corresponding to my commute.
I'm not going to open up another debate - just simply state that for me at least phoning and driving don't go together.
Not that that would stop anyone interested, I don't go so far as to remove the battery so it's still broadcasting location info via tower triangulation.
Burner phones are kind of like frequency-skip keying in slow motion.
It occurs to me that the correct procedure then is to put an extra month's worth of prepay credit on the phone and then either give it to some kid or donate it to a charity shop; either way, the phone will generate new traffic after its end of life as a "burner" phone, potentially for months if not years.
From a privacy rights point of view, it looks like a shot at good law. Investigators have legitimate targets. Spies and Mafias do commit crimes.
The private citizen that has a need for new burn phones all the time isn't exactly evading Wile E Coyote.
Another reason for a broad vacuuming of information on burner phones is also simply to establish some sort of baseline. The average usage pattern is such-and-such, so any significant deviation from the average is worth a second look.
I kind of wonder how my recent burner phone usage compares. I was recruiting for my company recently at a college career fair. Rather than expose my personal mobile number I just bought a burner phone to contact interested students and give them a call-back number. Paid for with cash, used for a total of three days to contact a small group of numbers, then never used again. Waiting for the black helicopters to find me...
Burner phones are like encryption in a sense. Most of the people on your network need to be using it to make it effective. If some numbers aren't being changed regularly, then it does little good for a few to change their numbers, since they're attached to consistent numbers just one-step removed....
tsr2 - as Clive already mentioned there are several identifiers used in GSM and UMTS networks: the handset IMEI and the IMSI, which is based on data stored on the USIM. All of this data is logged, so yes - simply removing your 'normal' SIM and placing another in to make a private call will not help. There was a case overseas where they caught a notorious prankster who kept dialling 112 from a GSM phone with no SIM installed by doing this kind of lookup. He figured that by removing the SIM he was making himself untraceable. He was only like fourteen though....
@Blarkton - criminal organizations will provide all their members with SIM cards pre-programmed with each other's phone numbers. Thus, every day every phone gets a new SIM, and the previous day's SIM is discarded. (Conveniently, birth control pill containers have daily slots just the right size for a SIM card.)
Thus, unless you get your hands on one of these pill boxes, knowing which phone numbers were dialed won't help, since all the phone numbers change every day.
This introduces a problem with this kind of metadata analysis: if the SIM only lasts 24 hours, there are likely to be too few calls to do frequency analysis.
This assumes there is not a back door built into the phone, and that the NSA isn't real time locating them as you speak. How else do they drone sheep herders?
What about simply using video surveillance to identify buyers of burners before even used?
Cartel's tactics. It's incriminating normal radio; and generating a bunch of garbage noise goes against my principles as a ham, ruins the airwaves.
Occam's razor on two possibilities: (1) The NSA has come up with some extremely inventive method of using this seemingly inadequate and useless data collection; or (2) the NSA is lying about what is being collected.
I vote (2): It's the simplest explanation that explains why the described collection doesn't make sense.
Ooh, more metadata for surveillance! This stuff is nearly a single SQL SELECT command, and that's it.
Alice wants to hide her phone conversations with Bob from Charlie. Alice and Bob both decide to use disposable phones, use them for some random amount of time, and then throw them away. Charlie wants to track the movements of Alice and Bob, along with when they communicated. Charlie has access to the cell phone network log data. First, Charlie looks for calls from disposable phones that were in use less than X days. Then Charlie maps the phone's physical location, call times, call length, and numbers called or received.
Guess who sticks out like a sore thumb?
Now, how many times have Alice and Bob been observed making calls? There you go.
Now let's say that Alice and Bob are keeping the phones in play by giving them away to someone, say taxi drivers, pizza delivery guys, and teenagers. The phone usage starts on date X, and physical observations of Alice and Bob will correspond, at some point, to the phones.
The thing is, Alice and Bob usually won't roam outside of a specific area. Now, to screw with surveillance Alice and Bob could be using phones from a large pool. Then the dates and locations would be the most significant points in the metadata collection. To be completely anonymous, Alice and Bob would have to be communicating from random locations using phones from a very large pool, and swap very often, maybe even every few hours, whether the phone is used or not.
Another thing that could be done is to use open WiFi connections to stay off of the phone grid. Say Alice and Bob use disposable Android smart phones running a privacy communications app, and the app is downloaded from a personal Raspberry Pi device. Alice and Bob look on a WiFi war-driving map for access points in their area. Alice and Bob then briefly connect, and go on their way.
Now, it's up to what kind of logs the ISP keeps. Are they keeping track of all port traffic, a subset, or none of it? Depending on the type of service, such as Freenet Project or Bittorrent, the default traffic lights up like a big red flashing light. So Charlie still has to occasionally physically chart Alice and Bob's location and movements, and have some sigint for RF to see what's up.
Slightly OT (but not really). Does anyone know of an easy way to detect an incoming silent SMS (a 'ping') in android? Is this handled by AOSP - and is it just a matter of patching the SMS parsing code or is it buried in the binary only baseband firmware? It would be nice to get some kind of 'canary' notification so I can adjust my ops if I know I am targeted.
@ Mike the goat,
SMS comes in several, I think 4, "classes"... Check 3GPP specs for classes of "SMS". For Android, you can check with 'adb logcat -v threadtime -b radio' and see what you get. Depending on the chip manufacturer, you can also look at the baseband with specific tools. If you have a QC chip, then you can use QXDM and look into it. This is not a public tool, though. Not sure that answers your question... I haven't looked at AOSP in a few months, and am not sure if the parts of the baseband (relating to handling SMS) are open source (check https://www.codeaurora.org/)
You can also see some security "advisories" on that site, https://www.codeaurora.org/projects/security-advisories?project_id=251
Also check this for a quick reference on SMS classes if you don't have time to dig through specs....
You can also check http://www.xda-developers.com/tag/aosp/
Wael: thanks! Will have a read. I believe the technique they use is to send an empty flash (class 0) SMS. This gets the device talking which aids location. I was just curious.
In my country, they passed a stupid law that anybody using a phone with no subscriber info had no right to privacy, therefore legally they could be intercepted/tracked and tapped without a warrant at the whims of the police.
Speaking of a phone that isn't used much as an indicator for a burner phone I recall The Grugq speaking about an incident where the CIA had their network in Lebanon rolled up by Hezbollah, who had access to phone records. They looked for a phone that didn't move around, was off most of the time and that only received few calls. Once located they put that residence under watch and unravelled the whole CIA network.
@ Mike the goat,
Device is periodically "talking" with or without an SMS ;)
@mike they bombard the phone with type0 stealth SMS that is dropped silently (doesn't notify user) but will send an ACK each time, which can be used like a constant ping to determine the phone location. I'm also unsure if this is a SIM card app that the telco installs (E911 requirements to find and locate) or if it is built into the baseband GSM stack. I suspect it is a SIM toolkit app
Wael: oh, I am aware of that :-) my main motivation was to design some kind of 'canary'. Standard geoloc procedure is to start a flood of stealth SMS 'pings' to generate traffic. If I could intercept this (and it looks almost certain that I can on a rooted handset as I believe it is handled by AOSP code and not in the baseband) and then when detected immediately pull down all the radio interfaces.
SecPol: indeed. I strongly suspect that a specially crafted packet will result in the phone responding with GPS lat/long too. I have a friend in law enforcement who has almost free reign with their intercept systems (but little technical knowledge as to how it works). He could flag a test device for location without too much trouble. If I can somehow sniff everything on a device I would do just that.
Cryptophone GSMK has a baseband hardware 'firewall' which monitors baseband activity. If the application CPU is not also busy when the baseband CPU is busy, then something is shady like silent SMS traffic being returned so it will shut down the radios since there is no legit reason for the baseband to be very active by itself.
They test their firewall at airports since national security agencies at all airports attack phones for who knows what reasons. Sadly this phone is 4,000EUR to buy. A possible work around would be to buy a TurboSim or similar device that fits over the SIM and can be programmed to block SMS or filter type0, that is if this is a SIM toolkit spy app telcos use and not built into the phone itself
SecPol: it looks like it is on the device rather than the USIM. I have already removed the E911 "location service" from my build along with the service that dealt with Barry Soetoro's Presidential alert (TXT FROM PREZ: I PWND UR CELL), AMBER, etc. s**t that we were forced to put up with (I note that the app is even on the international Nexus 4's - odd hey?) but I suspect that there is nasty mojo in the baseband that could do who knows what. I will let y'all know if I at least work out a way to disable answering SMS probes. I will download all the source and go looking... Will disable OTA push updates too.
It is interesting that if you Google for it you find a few people asking on the usual android forums about disabling E911 being flamed and accused of breaking FCC laws and chastised.
Are we all still in preschool or something?
I am seriously considering putting a 802.11n AP and a 10W amp on the roof of my office and just writing a bit of logic to kill my UMTS radio where I have WiFi. The AP (along with another at a residence) would provide pretty much constant coverage. The only time I would need to enable 3G would be when traveling.
I guess Google Voice or similar can handle routing my calls. Most of the calls to my cell originate from an office SIP server's dialout anyway and could be just as easily terminated straight onto my device.
1) Never use a burner phone for more than half a dozen calls.
2) Clearly you need to endeavor to use the middle of the phone's useful life, not the beginning or the end.
3) Have multiple burner phones, and use them randomly.
4) Pass them on to a random homeless person after half a dozen uses; get someone else to do the hand-off. Better yet, 'lose' them in the park.
Dead drops are going to come back in fashion.
@mike this guy reverse engineered the Qualcomm baseband stack and discovered it was running in ARM Supervisor mode (root) with no NX bit, so technically you could overwrite the memory and null any suspicious SMS service. http://events.ccc.de/congress/2011/Fahrplan/... and test it. There's a video for that lecture around too.
The new 'burner' phone I guess should look like this if people can't build their own AOSP ROMs:
1) Source your Android phones used from local craigslist and other methods. You would not want to mail order in case you are being watched and they are intercepted. Stores will have cameras, identity requirements, other problems.
2) Unlock bootloader, Wipe the NAND flash and install a custom ROM, preferably one that uses their own build signing keys and not the generic AOSP keys (Cyanogenmod is good). Re-lock bootloader.
3) Encrypt the entire device then open Cyanogenmod console, type su (superuser) and type vdc cryptfs changepw so you can have 2 passwords: easy PIN to unlock screen, long password when phone is rebooted.
4) Purchase a different VPN for all your phones, so there is no fingerprint of the clandestine network using the same VPN, or make your own.
5) Sign up to Ostel and download CSipSimple which uses aliases instead of phone numbers (Redphone uses numbers). No Playstore is needed. Verify the signature of the build or even better build the .apk yourself in Eclipse it's open source.
6) Install macchanger to change your wifi0 MAC address after every connection to avoid profiling by MAC. Preferably this should give you a random one when you boot by calling a .sh script in init.rc or device.init.rc
7) Use Android Debugging Bridge (ADB) or Cyanogenmod shell to mount /system/app and rip out anything that says 'OTA', 'VoiceDialer' 'SoundRecorder' and especially all Google apps.
8) Go into Settings->Profile in Cyanogenmod and block GPS/Bluetooth/NFC. Disable USB debugging (important!). Scroll down settings to # Superuser and disable it.
9) Sit out of range of cameras near wifi hotspots and make your clandestine calls to each other over wifi without a SIM.
If you want to chat with each other download Orbot (Tor) and use Gibberbot/OTR tunneled through the VPN to avoid Tor traffic being seen locally.
After a certain period re-flash the phone with another ROM, sell it on craigslist or trade it for another phone and do this all over again with different VPN, different Ostel accounts. Because you aren't using a SIM hard to track phone so long as you aren't using the exact same wifi connection every day or at any regular intervals.
Dumping it on a park bench or giving it to a hobo is a terrible idea, if Stasi are following you around they can pick it up and do forensics on the device because you discarded it and they don't need warrant. Nuke it first, then do whatever you want with it.
Of course if you can build your own device you would do something much different such as your own build keys, dropping in mobiflauge, ripping out plenty of stuff out of /bin, ripping out all GPS and Bluetooth/NFC files, dropping in SEAndroid MAC policies like install time mac that prevents anything not signed by your key being installed, and intent mac that protects apps from sending intents to each other. Permissions revoking is also possible such as revoking your browser's permission to obtain your location.
@Mike The Goat
"I am seriously considering putting a 802.11n AP and a 10W amp on the roof of my office and just writing a bit of logic to kill my UMTS radio where I have WiFi. The AP (along with another at a residence) would provide pretty much constant coverage. The only time I would need to enable 3G would be when traveling."
Then you're probably increasing your odds of showing up in the data searches this blog post was about.
(phone off for long periods, ...)
Does anyone remember CarrierIQ? That app can show the difference between a battery pull shutdown and a low battery shutdown. *cough*
Bruce, you forgot to mention that "All" telephone calls were monitored by AT&T's switches. The NYT article and slides make note of that. AT&T crosses all borders, including a sting on a Canadian Hell's Angels bikers.
Bruce, another thing you forgot to mention in your sentence is Geolocation: “this query tool was designed to return: The times and dates of the first and last call events, but apparently not the times and dates of calls between those endpoints…” Take a look at the NYT AT&T article.
Also, didn’t the Obama Administration hand out a bunch of “burner” phones to voters in Ohio and else where during the election cycle? Could that have been a “honey pot” operation?
It appears to be both. See the NYT article slide 16 "Request by Type, Northwest HIDTA 2012-2013." It notes 46 requests for "Basic" phones and 106 requests for "Dropped Phone[s]." That indicates that about 31% percent of the requests were for "Basic" phones. Then read about the Canadian Hell's Angels group and Verizon.
That is a very broad dragnet! This could have been how SR was taken down. I don't like what I am reading. It's a huge Fourth Amendment violation.
Obama and Burner TracFones:
"TracFone Wireless, a provider of prepaid mobile phones, will provide free mobile-phone service for as long as a year to Virginia families who earn less than 135 percent of the federal poverty level. For a four-person household, for example, the threshold would be an annual income of $28,620..."
BJ: that's not my primary concern. My main concern is a) avoiding radiolocation through 3GPP radios, b) alerting to 'strange' goings on like stealth pings so at least I would get a heads up.
I occasionally have reason to work for organizations (NGOs) who have reason to worry about government surveillance given their political and social message. This is the state of the 'free' world I am afraid. Say something that the powers that be do not like and they will find a reason to dox you. There is certainly a non trivial risk that I - as their sysadmin - will get tarred with the same brush, so to speak.
Wael: great info as usual.
@ Mike the goat
oh, I am aware of that :-) my main motivation was to design some kind of 'canary'.
I was hoping you used a candle instead of a canary;) just like Sir Humphrey Davy did when he invented the...
Re info: Thank you! Glad it helped...
This is the state of the 'free' world I am afraid
Oh, don't be so pessimistic! It's the ultimate freedom, my caprine friend! You are free to say whatever you want, and "they" are free to do what they want to you! Sounds free to me :)
Wael: there are government agencies out there that would love to capture and dissect an internet-enabled goat. I have to be careful for the sake of my herd. 8-)
Some random thoughts:
1. Not everyone carrying a burner phone has perfect opsec. If you have a regular phone on you when you're using a burner phone, you can be found out rather easily using geo-location.
2. Burner phone users are people. They hang out with other people. The other people might have regular phones. When the same phone appears more than once (or even just once) near a burner phone, you start following, see if you come up with anything interesting.
3. If a burner phone is used in the vicinity of a high-profile target (political, financial, whatever) - maybe someone needs to be alerted.
Circa 1999/2000 I worked for the IT department of a police force. One of the things I did was set up an A0 plotter for a specialist department. At first I was confused, having only seen that type of device in building and manufacturing before: why do the police have one?
Having set it up, it had to be tested. Out came a spider web plot of phone numbers: who was calling who, based around a small number of suspects. The tools allowed them to pull out "top dogs", "end points" etc.
That was 14 years ago, so I read articles like this with great interest, yet no surprise!
On October 14, Brian M. wrote:
"To be completely anonymous, Alice and Bob would have to be communicating from random locations using phones from a very large pool, and swap very often, maybe even every few hours, whether the phone is used or not."
That reminds me of a recent "Sons of Anarchy" episode, where the Sons force an IRA member to give them the phone number of the IRA "Kings" in Belfast (the two groups are having a dispute over their gun selling business in the U.S.).
They call the number, and the scene shifts to Ireland, where we hear a phone ringing, and then see someone dig through a large pile of mobile phones in a cardboard box.
After the call is completed, they are told to never use that number again.
"This underscores the importance of blending, instead, to avoid detection, in the first place."
Doesn't everyone just use one phone for legitimate use, and a second one for their illegal activity? Do we really need to rotate our second cel phones faster than our email passwords?