Security Vulnerabilities in Cell Phone Systems

Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to "be forthright with federal courts about the disruptive nature of cell-site simulators." No response has ever been published.

The lack of action could be because it is a big task -- there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

Posted on January 10, 2019 at 5:52 AM • 25 Comments

Comments

barfaJanuary 10, 2019 6:10 AM

"But law enforcement has other effective tools that are unavailable to criminals and spies. [...] In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else."
Except, of course, if law enforcement wishes to work in the same way as criminals and spies, i.e. outside of goverment control.

David WalshJanuary 10, 2019 12:37 PM

for all the noise about protocol, Australia allows Huawei to install 4G infrastructure all over the place

BobJanuary 10, 2019 1:10 PM

What incentive is there for AT&T, Verizon, Google and Apple to fix it? How does that create value for their shareholders?

PhaeteJanuary 10, 2019 2:30 PM

We have so many communication possibilities today that i have no problem accepting their flaws with their strong points.

Mobile - fast and comfy but inherently insecure
Landline - comfy, area restricted and inherently insecure
SMS/ other text app - fast but miscommunication more possible and inherently insecure
Email - formal text, inherently insecure
Encrypted mail/ other text - more hassle but secure
Face to face - more hassle but possibly secure

I omitted a lot, but you get the idea. I just use what is appropriate.
Just never confuse security with ease of use, they are (almost) mutually exclusive.

WaelJanuary 10, 2019 2:37 PM

Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

Only MNOs and associate members of 3GPP and 5G have a say in the matter.

Kristopher Stice-HallJanuary 10, 2019 2:38 PM

Bruce,

Thanks for this post. It is interesting for decades police and other agencies use security exploits to get their bad guys. This reminds us of the back and forth that Apple and the Fed are going through to have access to the Iphone. Our perspective is that they don't get it and neither does the hackers. Can't wait till the next post.

PeterJanuary 10, 2019 4:37 PM

@ Phaete "We have so many communication possibilities today"

You forgot to rate satellite

Snarki, child of LokiJanuary 10, 2019 5:14 PM

You want cellphone communication *secure* ?
It's not so hard:
1. use readily available cellphone hacking tools
2. record embarrassing/corrupt/criminal phone conversations of prominent politicians
3. put the recordings on the web anonymously

As long as it's just us peons that suffer from the insecurity, nothing will be done. So change that.

VinnyGJanuary 10, 2019 5:17 PM

@AtAStore (@@astore:?) I read the Motherboard article this morning from a different link. Apparently the wholesale price of your cell phone location (approximated via tower triangulation) is ~5 USD. Mark-ups may vary...

VinnyGJanuary 10, 2019 5:24 PM

@barfa Exactly. Why would anyone suspect for even a moment that "intelligence" or law enforcement agencies would prefer transparency to having their activities masqued by a cloud of shite dust without any overt effort on their part?

WaelJanuary 10, 2019 7:29 PM

According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls.

According to me, that's a preposterous claim. Can't be true for a Type-1 phone! If someone chooses to tweet "things", then that's human factors. Unless Obama pulled an Angela Merkel stunt on TPOTUS's phone, then it's a ridiculous report.

But law enforcement has other effective tools that are unavailable to criminals and spies.

The implicit assumption here is that the intersection of "law enforcement" and "criminals and spies" is null; Φ, empty. It's not the case. LE are not all exactly angels, see. There's always that angel that sees the angle in possible illegal, extra curricular interception activities.

Clive RobinsonJanuary 10, 2019 8:29 PM

The article is not what it could be...

The ideas behind both SS7 and GSM are quite a bit older than fourty years, look up what was the British General Post Office (GPO) System X[1] oh and the earlier "signaling systems".

Back in the 1950's through to the 1980's when the problems of phone privacy etc could have been put in place it was not. Because in part the technology although envisioned was not available. But mainly those who started those developing the ideas were working under a Government Department and the "Post Master General" was a Government Minister.

Behind this pulling strings were other Government Departments not the least of which in Britain was MI5, MI6 and GCHQ who all had a very interesting working relationship with the GPO (look up the Operation Stopwatch Berlin tunnel[2] for instance it was one of many joint but secret tunnels and other projects).

Whilst some projects were abroad many were on UK soil, back when the telephone "trunk" used microwave radio the MI's had an interest in "tapping every thing". The advantage of the Microwaves to France and Ireland was the "spill efect" which enabled receivers on the side of the "boresight paths" to pick up both sides of the communications. These receivers were put in things like fake grain silos that gave the required hight whilst not looking out of place in rural locations. Thus GCHQ had collect it all access to these microwave links with a high degree of deniability[3] as there was no way to see it by "walking the wire". The fact it was the GPO "secret squirrels" that put it all in with other microwave links back to the likes of Hanslope Park, Empress House and Century House was realy a case of "one hand washing the other" within the GPO.

The point is that RF based systems are easy to listen into, and unless extra precautions are taken with the basic link and message data then the traffic will be vulnerable to, at the very least, readily available "test equipment" or these days USB dongles that cost $10 a laptop and some open source software.

Further those precautions have to be way way more than just to get the assumed quivalent of "wired equivalent privacy" that we have seen with WiFi (that's arguably still not secure). In essence they have to be not just leading edge when a system is designed but fully upgradable without the possability of "fallback attacks" because as history has shown crypto moves on fairly rapidly and a quater of a century realy is tops for it's total service life (DES and RSA being just two examples).

Oh and watch out for standards, those "hiden hands" have been "finessing" International Standards for more than fifty years, in some cases more than a century. I've seen it at work first hand. You would think it's amazing that they have been able to get away with it for so long, but the truth is few and I realy do mean few ever thought about it untill fairly recently. The fact is Victorian customers of telegraph companies appear to have been more aware of the need for communications security than the average Internet or Mobile phone customer today...

But why should making the likes of phones more secure be so dificult?

Well there are a number of reasons and it starts with the redundancy of the human voice, especially that of the average German male (I kid you not). Just behind your mobiles microphone and speaker is a compression system that takes as much redundancy out as it can with minimum time delays so that the data rate sent to the radio modem is "bandwidth efficient". The main algorithms used are based on work (CELP) done at the NSA for DoD systems. Which might be cause for concern, we currently don't know (but then we did not about a certain Digital Random Generator that NIST standardised and then had to withdraw).

Whilst the compression system works well with high redundancy voice, it "blows up" if you try to feed random audio waves that you would get from external "voice encryption" or even a sine wave used for Frequency Shift Keying (FSK). Someting I noted would happen with "Jackpair" and I don't know if after more than four years of working on it if they have actually shipped production units yet (progress updates are only available to those who handed money over originally). Their web site does not have a "buy now" button on it or similar so I'm assuming not.

The second problem is that you still have the "analog" problem. There is no guarantee that the analog waveform you put in is what you will get out at the other end. The human ear is fairly immune to frequency, phase and higher frequency amplitude distortion which various trunk network systems will quite happily abuse. All of which a crypto system would be sensitive to unless it was of very low bandwidth.

So for voice encryption it would be considerably easier not to use the voice path of a mobile and use either the inbuilt modem to modem (see AT command set) or digital connection to a data service such as the Internet. That is use a voice encryption system on a PC that is connected by WiFi or USB to the mobile and send it across the internet, it's probably cheaper for many people anyway (check how your subscriptions services are capped).

But the big issue is there is no "Man On The Middle" attack protection in the way mobile phones work. This is due to the way the system was originally designed. In essence the earliest "analog" mobile phones back in the 1980's had lots of security issues to do with people stealing service to make free long distance / over seas calls. GSM 2G had "features" added to stop this but the "trust interface" was put at the "Over The Air" (OTA) Demarcation line (Demarc). This was because it fit in with the way the system worked for "roaming" and "emergancy" calls. That is the phone could connect to any base station based on a simple signal strength algorithm, the phone would connect to the backend network and then request "service" or more correctly services based not just on what was in the phones SIM but also recorded in the database of the subscribers "home network".

Importantly neither the phone or the home network controled the OTA interface, so encryption and other security features are controled by the owner of the base station...

These issues still happen for two backwards compatability reasons. Firstly the issue of "fallback" and secondly "layered compatability". Fallback happens when a base station can not provide a service at a better rate. This can happen when you switch cell sites and when you have marginal signal quality due to other users etc. Thus you might not have data, but can do voice and texting, or it drops right down to just being able to text. The reason they do not alow handsets to stop fallback is the old notion of "reliability" but from the service providers point of view it's actually a revenue view. Something the "hidden hands" actively promote to keep "fallback" which they can use to there advantage.

The other backwards compatability issue is "layered compatability". This goes back to ISDN and it's notion of modularisation. It provides what is a "framework" standard into which moduals can be freely swapped. But it also has to work across multiple revisions etc. Telecommunications Engineers by nature are conservative in their outlook and don't like to change things that work, even augmenting can give them the hives. Thus once something works it stays unless there is a significant reason to change things, which is actually very rare these days. So whilst the OTA,might get upgraded at the bottom of the stack, and new services get added to the top of the stack the layers inbetween don't get changed. Some of those layers effectively go back to the pre ISDN times...

This again suits the "hidden hands" as it makes their life considerably easier.

But those "hidden hands" are still at it, upto their eyeballs and beyond, and are,still getting caught[4]. The fact is they just don't care between them the extended Five-Eyes employ hundreds of thousands of people, who's jobs are to spy on the enemy, which is every one including themselves. A goodly percentage of those people spend their entire working lives subverting telecommunications systems in every which way they can. They will not stop doing this because that is not just their only way of earning a living but in many cases their sole reason to live. They have made their mark on a Devil's contract and have no real way out, they are owned not just for life but in the hear after as well.

The fact they are scared of loosing their battle to destroy your privacy is why we see the ludicrous legislation and over reach by the state LEO's to prosecute into ruination both financialy and freedom of existance.

[1] System X is a family of advanced digital switching systems that evolved from the JERC agreement of 1956 as a co-ordinated project between the General Post Office and industry. As part of it's history it spawnrd both ISDN and ATM. It had been realised some time prior to 1956 that the existing mechanical dialing systems in use, though reliable were becoming more expensive and less responsive to the changing needs of both industry and society. One major issue was that any changes had to be done with a "wire wrap tool" in a frame room often in a building in some village or town with the cost of labour and training rising it was seen as unsustainable. In 1966 the GPO published a ground breaking report about telecommunications systems of the future. It laid the foundations that in time would become known as System X and give us in time ISDN and ATM. A second follow up report, completed in 1971, concluded that the only way to forfill future requirments of telecommunications systems was an all digital one. By 1975 agreement was reached with the leading manufacturers, with the original industry partners being GEC, Plessey and STC, with STC later dropping out. Much of the work was well ahead of it's time and had to wait for technology to become available (UK Semiconductor development was quite advanced, but due to the UK Treasury only available for "defence projects"). In 1971 Wood Street international exchange in London became the first installation to use a computer as part of its control equipment. But the UK Treasury decided to cut funding to the GPO and thus time almost stood still in the UK telecommunications industry that in some parts went into recession because of it. Because of this the first public view of System X was in 1979 with the first demonstration of a System X exchange at the international communications exhibition in Geneva. This gave rise to a large amount of interest world wide and initial orders for a first eight local through trunk and tandem exchanges came into service in less than two years starting in 1981. During this low time the GPO engineers had been quite active in Europe with the CCITT working on the standards that would give X.25 and the Integrated Services Digital Network (ISDN). It was launched in the UK on June 25th 1985, Originally called Inegrated Digital Access (IDA),
It was the first ISDN system in the world and British Petroleum (BP) was the first customer on the new network. Put simply ISDN was initially the extending of the digital phone trunk network through local exchanges directly to the customers premises or desk top. In the process enabling very much faster data transfer of 64Kbit/barer chann that could be aggrigated to thirty or more synchronised channels enabling almost unimaginable data rates than had previously been possible over phone lines. Thus high speed computer communications, FM Broadcast quality audio and video and new services such as personal video calling became possible, all of which we take very much for granted these days from our mobile phones. Group Special Mobile (GSM) was based on the experiences by CCITT of gaining harmony across international telecommunications networks. Few realise these days just how politically controled national telecommunications networks were and how they were deliberatly designed to be incompatable to "protect home industry" a policy that fell flat on it's face and actually harmed the nations involved (a lesson some realy should learn today). The result was GSM was initially largely based on X.25 and ISDN both of which were derived from System X development and unfortunatly the "hidden hand" of the security services in the UK and other Five-Eyes nations ensuring that they would always have access usually under the unarguable case of consumer/user "Safety" a process known as "finessing" which takes it's name from the card game Bridge that was a very important part of the social lives of the "Diplomatic and intelligence set" from Cambridge and Oxford from WWII and well into the 1990's to my direct knowledge, and not being able to play Bridge well could significantly hamper your promotion prospects (I'm told that in the US it's the less tactical game Poker that is considered the game de facto of the Diplomatic and IC set).

[2] https://en.m.wikipedia.org/wiki/Operation_Gold

[3] That is untill somebody decided to analyse the UK's microwave link systems for the Open University in effect "publishing it to the world" it so infuriated "Mad" Maggie Thatcher who was then UK Prime Minister she insisted that the author Duncan Campbell be prosecuted under the Official Secrets Acts. An unwise move as she was told at the time but she insisted and the entire prosecution case when in court descended into farce. One by one their arguments were destroyed often by their own witnesses, eventually they had one card left, the publishing of the "Oh so super secret" address of GCHQ in Cheltenham (where everbody knew it and you could get a taxi at the station to take you there just by saying "GCHQ please"). The prosecution played what it thought was their "ace in the hole", and were absolutly slaughtered when the defence council held up a copy of the inside back page of the world wide distributed magazine "Wireless World" where every month GCHQ published a recruitment add not just with it's address but a backround image of it's "architecture award wining" main building...

[4] https://www.telegraph.co.uk/technology/2016/01/26/gchq-developed-software-for-secure-phone-calls-open-to-eavesdrop/

Clive RobinsonJanuary 10, 2019 8:40 PM

@ Phaete, Peter,

We have so many communication possibilities today

Ahh yes Satellite phones...

Did sir order "the cruise missile for one" or something a little less traveled like a modified SSARM or HARM?..

Clive RobinsonJanuary 10, 2019 9:17 PM

If you are unsure about where things are going in mobile communications and why you might hear people talking about 3gpp being resurrected in 5G. This might help,

http://mvnoblog.com/the-5g-core-network-3gpp-standards-progress-computerworld/

Oh and keep your eyes open for 10G "to your door" it's nothing to do with mobile service it's the revenge of the cable companies ;-) It appears they are trying to muddy the waters and 10G is not likely to appear if at all for half a decade or so. ;-)

http://mvnoblog.com/big-cables-10g-campaign-betrays-a-fear-of-wireless-5g-the-verge/

Oh and some mighy know that the Consumer Electronics Show (CES) is on currentl. Apparently there is a lot of 5G stuff being anounced,

http://mvnoblog.com/qualcomm-intel-make-5g-announcements-at-ces-business-insider/

Atleast on thing in there I reckon will come up on this blog in the future will be the new killer "5G conected cars"... With the amount of bandwidth and silly apps it will cause the attack surface will be immense, but as we know the auto industry is oh so competative corners get cut...

WaelJanuary 11, 2019 1:40 AM

@Clive Robinson,

Pretty good technical and historical summary!

especially that of the average German male (I kid you not)

It's believable. Do you have more info or pointers?

Whilst the compression system works well with high redundancy voice

Low pass filtering to eliminate high frequency components thus avoid aliasing, followed by A/D conversion, sampling, quantization, compression. Not sure I follow the redundancy part, although I agree that feeding encrypted digital signals may not work well. I haven't tried.

they are owned not just for life but in the hear after as well.

rofl. Funny (hereafter)

CallMeLateForSupperJanuary 11, 2019 8:26 AM

@Clive
"[...] the publishing of the "Oh so super secret" address of GCHQ in Cheltenham (where everbody knew it and you could get a taxi at the station to take you there just by saying "GCHQ please")[...]"

LOL. It struck me just as funny as it did the first time I heard about. You previously pointed out this bit of absurdity on this very blog, but it is worth repeating periodically for the edification of readers who "wandered in" in the mean time.

Thanks for the laugh. (again)

PeterJanuary 11, 2019 8:52 PM

@Clive

Sorry, but your very poor attempt at humour with the reply
"Did sir order "the cruise missile for one" or something a little less traveled like a modified SSARM or HARM?"
was out of step with what you hoped was your serious post - even though it was longer than the Bible.

You obviously don't consider satelite phones worthy of your recognition.

65535January 11, 2019 10:35 PM

@ VinnyG, AtAStore, Clive R. and others

“Why would anyone suspect for even a moment that "intelligence" or law enforcement agencies would prefer transparency to having their activities masqued by a cloud of shite dust without any overt effort on their part?”- VinnyG

Exactly.

Cell phone location data is "push button" law enforcement. Why would any LE, contractor, to TLA want to give that ability away? They don’t.

It is very sad, the cell phone location data is hitting 5 dollars per location. The market is glutted with carriers will to give away individual cell phone locations… to almost anybody. Satirically, the police are using spoofing methods to follow suspects around yet get scammed by Swatters. Unfortunately, the individual who gets the bullet is at hands of the Swat team.

@ AtAstore,

Yes, I did post that link. I thinks once lawyers, judges, and politicians figure out the ramifications they will be surprised. That information could be very dangerous to an individual.

@ Bruce S.

“…no government agency that has the power, funding and mission to fix the problems.”-Bruce S.

It is a huge problem. Further, AT&T, Verizon and Google are making money from the sale of our location data and probably they are tracking/mapping us in real time. We have become the “product” of said companies.

@ Clive Robinson

Your have covered a large part of the problem. Cell phone location data is easy to get. The only solution I can suggest is to put your cell phone in a RF proof bag and only make outgoing calls at this time. The SS7 is leaking like the Titanic but at slower rate.

Clive RobinsonJanuary 12, 2019 11:25 PM

@ Peter,

You obviously don't consider satelite phones worthy of your recognition.

I've used them and I hate them for a whole heap of reasons. But none of them have to do with why I'd avoid using one if I wanted to be covert.

First off every single call made on a satellite phone is going to be treated with suspicion by the authorities in loads of countries.

The big problem is you are reaching into space, which means your phone is pushing out a signal that's going anything upto a thousand miles to talk to a LEO Sat or 26,000 miles for Geo-Sync sats. Even with specialised dish antenas you are going to get "side lobes" that can be picked up by other sats, high altitude recon aircraft and drones.

Originaly Osama bin Laden was a fan... Then one day an "independence fighter" that was giving Russia problems had a HARM air to surface missile fly down his radio beam and take him out the game apparently with help from the US... Apparently Osama then set his sat phone on a decoy mission and went back to the multi-millennia old use of couriers experienced in smugglong things in body cavities...

Put simply sat phones do not have the "safety in numbers" factor, thus sending in a lightly modified missile is relatively easy. Further you are only likely to use one if you real are out in the sticks/boonies which means sending in a missile is not likely to have much in the way of collateral damage...

If I had to communicate through a satellite there are certain precautions I would take such that if anyone attacked the sat phone uplink it would be only an annoyance to me not a death sentence.

You are actually safer in built up areas using "electronic cutouts" that I've outlined in the past.

One thing you could do is use zrtp VoIP routed through a VPN using your mobile as an AP or broadband dongle if you must have low latency two way comms.

But you can get from the Far East Radio Modems that with just a change of software will work in the Amateur Radio 13cm band. I know of people who have used them to get internet connectivity from around 5Km line of sight and have used VoIP to get phone service as well.

I must admit I would be curious how well they would work with bi-directional "passive repeaters" which can be made with just a couple of yagi arrays that are cross polarised and joined by a relatively short length of coax.

JohnJanuary 13, 2019 2:07 PM

It would be nice to fix the cellphone network vulnerabilities, but spies all over the place want direct access in live situations.
In the USA they don't or didn't even allow any kind of encryption to allow even more easy interception by the police.

The employees want to watch and control the bosses. Until the bosses setup the standards that the employees (government's people) MUST comply and must demand company's to implement properly and close them if they don't comply (so the investors will want that, otherwise they loose it all).

John BeattieJanuary 14, 2019 5:28 AM

SS7 and G2 provide a useful historical example in comparison with the IoT security issues. The linked article has more or less the same statements as we have for IoT:

"Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies."

As a side-remark, I'm willing to bet that there were people issuing warnings about security in 1975.

So. It has taken 40 years and these problems still exist. What are the chances that we will be in exactly the same position with IoT in 40 years from now?

Clive RobinsonJanuary 14, 2019 11:29 AM

@ ,

As a side-remark, I'm willing to bet that there were people issuing warnings about security in 1975.

I think you would win that bet.

I can not say for certain back in 75 it's self, but in the 80's I got to know both working engineers and standards body members.

I raised the issue that everything was in plaintext over what was a fully open network, where the desire to "cheat" for monetary gain would have been trivial to do and almost as trivial to get away with.

The attitude was security was not required, plaintext and open networking made interfacing easy. Oh and nobody would think of cheating, but even if they did the customer would pay it...

It also quickly became clear that some of the standards people were watering security down any which way they could... Worse at international meets certain countries would in effect play yag and back each other up on the security avoidance / weakening.

We would call them the "Extended Five-Eyes" these days.

It was clear from the technical people that the watering down of security had been taking place atleast as far back as the 1950's...

One such area was "inband signaling" in theory Law Enforcment could only put a "pen register" in which recorded the time the handset was "Off Hook" and any numbers dialed. However some people would cheat, and that "one pair of croc clips" on the line would get not just the inband signalling but also all the speach.

Thus people in an exchange would see an audio tap written up as a signaling "pen" tap. Thus providing a degree of deniabilty as the recording boxes were not available to exchange technicians just the "Secret Squirrels"... Thus they were misled that the tap was for Law Enforcment when in fact it was for the Intel community...

PeterJanuary 14, 2019 2:13 PM

@ Clive ...

Sorry about the delay but I've been hiding in my cave to avoid all those dangers you speak of.

"thus sending in a lightly modified missile is relatively easy"

You really do get carried away once you pick up your pencil.
I doubt anyone here [lurking or posting] has a Threat Level that requires them to avoid missile attacks....except for Bruce...I know he's upset a few people in his time.

You seen to be quite knowledgeable in some areas, but then you ruin all that street cred with rubbish replies. That's a real shame.

Clive RobinsonJanuary 14, 2019 10:03 PM

@ Peter,

I doubt anyone here [lurking or posting] has a Threat Level that requires them to avoid missile attacks....

Actually I suspect a number do.

Anti-Radiation Missiles (ARM) are "Standard Ordinance" in many nations armouries especially those with some measure of stealth technology in the deployment systems. ARMs are in effect first kinetic strike weapons against any transmitter, be it forward post, command and control or for what ARM's were originally developed for which is military radar systems used to detect and launch missiles at incoming aircraft. There use back in Gulf War II was mentioned in the MSM at the time and subsequently in quite a few documentaries and the like.

Thus there are likely to be a number of military comms and other RF oriented personnel that read this web site, and I know that some have commentrd in the past.

The fact that a terrorist/freedom fighter was targeted and killed with a lightly modified ARM weapon whilst using a satellite phone is as they say "A matter of record" as was Osama bin Laden suddenly stopping using his satellite phone shortly there after.

Also in the weapons arsenal there are the likes of Boeing's RC-135 "Rivet Joint" stand off surveillance aircraft that can locate the use of satellite phones and other "emmiter intelligence" from over 100 nautical miles. Well outside of any realistic response range. Because that would be picked up on any AWACS system like the E3 "Sentry" in the same region way before it could engage with the RC-135.

Those are the hard facts of reality that both regular and iregular forces have to take into account in their planning. Likewise anyone doing commercial or military covert activities of which there are any number going on all over the place at any one time.

You don't need to be worldly wise to know about the above Osama bin Laden behaviour and what is assumed to have caused it. It was in most MSM at one point or another.

Likewise Boeings civilian airframes decked out for military and SigInt use are not a secret a simple google search will bring them up. Further details can be found in the appropriate "Janes" which large libraries used to have and are available via "inter library loan" services.

Perhaps less well known are some hobbyists have converted surplus US Navy training target drones into RF surveillance aircraft,

https://www.popsci.com/diy/article/2010-08/diy-wi-fi-drone-finds-wireless-hotspots-raises-privacy-questions

As for my original comment I would have thought it's "butler/waiter speak" tongue in cheek presentation would have been obvious. And thus it was ment to add a little levity to anotherwise heavy and dry subject (in which I have some experience and knowledge).

But I guess not in some peoples cases.

But for your information I also have a proffessional interest in micro and nano satellites for communications and I have a working prototype sitting on one of my work benches. If you want to know more about the technical ins and outs of Comms Sat capabilities, you can purchase quite cheaply a number of books published by AMSAT / ARRL / RSGB about the Ham/Amateur use of not just man made satellites but celestial bodies such as the Moon (EME comms) and Venus (EVE comms). You can also look up details of the fees etc to use Inmarsat phone data and video services on their website,

https://www.inmarsat.com/

Or if you happen to be in London's City Road pop into their HQ which I've been known to frequent in the past and pick up a few glossies from the foyer. They own and run one of the largest satellite networks for both the air and maratime industries, with attendent "mobile comms" for undeveloped areas.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.