I did a search here, and didn’t find a thread. I’d suppose that everyone has heard of the warnings issued to travellers to the Olympics; to take precautions with any personal communications devices, due to possible breach/eavesdropping issues. I chose the above Popular Mechanics link because it was pretty even-toned and technically comprehensive. From that site:
That seems pretty straightforward in this day and age. Not particularly alarmist. What caught my attention on the CBS news last night, in a story about Chinese surveillance ability, was the claim that your cell phone, even if turned off, could be remotely activated, and the microphone could then pick up what you were saying at the time. The CBS expert then said that that was absolutely possible.
So, :eek: !!! That made me pay attention. I can’t find any more info on that. Is it technically possible that your cellphone can be remotely turned on and someone listen to you via mike?
I can’t think of why such a thing would be put into a cellphone.
The only things I can think of are that perhaps one particular make of cellphone had a weird bug that allowed this and CBS didn’t differentiate, or that Chinese cellphones (i.e. made for and sold domestically in China) are required by the government to include a particular chip that allows this–and again CBS decided to not specify this point, or you didn’t hear that part.
Not to say that I’m right. But having worked in the cellphone biz and being an engineer, it seems implausible. Things have to be built to handle various features, and like I said that’s a rather odd feature.
That’s what I thought, too, and that it seemed beyond current technology, a pretty big stretch to include in a basic cellphone. But, some expert was adamant about saying it was absolutely possible with current means.
I’ve seen this hack done on several devices. It is absolutely possible.
I’m not an engineer, but as I understand it, turning a cell phone off isn’t like flicking a mechanical light switch, it’s more like running a software program that says, “Now Mr. Cell Phone, when someone presses the off button, you don’t do anything at all except respond to holding down the power on button, in which case you power up all your systems.” The idea is that the software is rewritten to say, “When someone hits the power down button, turn off your screen and don’t accept incoming calls, but turn the mic on and transmit to this frequency.”
Further, it is my understanding that cell phone companies everywhere periodically send out small patches for a phone’s firmware, and that phones are programmed to accept authenticated patches without the user being bothered to ask whether they want the patch or not. You do the math. If you can’t do the math, google “blackjacking.”
The advisory suggested removing your cell phone/Blackberry/PDA battery for the duration of any international travel.
Find a book called Killer Elite by a fella named Michael Smith.
It’s a seemingly pretty well researched book about a covert operations unit working for the US military that does this very thing. If I recall how it works, once they find a phone signal and verify it’s the phone they’re looking for they download an app into it that essentially turns the phone into an open mike and broadcasts everything said in the vicinity of the phone right back to them.
There are some pretty compelling stories about how they used this, and tracking technology to nail Pablo Escobar, and other assorted bad guys.
If I had to guess I’d say they were referring to bluetooth headsets, which can definitely (at least theoretically) be used to spy on you if your cellphone is off.
Don’t believe this expert unless you can come across a website that can confirm and demonstrate this ability beyond a reasonable doubt. Otherwise you might as well believe in the “good times” virus and the “run a tv off a AA battery” thing.
Regarding this issue: is it theoretically possible? Yes. Is it possible in the sense that it has been implemented and we don’t know about it? Probably not. If it was possible someone would have discovered it by now, and if it occurred here or in Europe there would have been a massive roar of disapproval from the public and scandal. There are people out there who meticulously reverse engineer all sorts of equipment to discover all their hidden features, secret menus, service modes, easter eggs (sometimes with buddies on the inside to provide them with the secrets) and then make this information possible. For something as major as this, surely someone would have come across it by now, government secret or no government secret.
Thanks for answers, all. Again, I assumed that information could be gathered from a broadcasting cellphone, but the fact that it could be remotely turned on and miked had me wondering.
Could you explain the tech means there? This is new stuff for me, so I’d appreciate a clear explanation.
The only way to turn a cell phone off is to remove the battery. Like many modern gadgets, what the manufacturer calls “off” is really a sleep mode. It periodically wakes up and does housekeeping tasks like checking for depressed buttons.
If the cell phone’s firmware was modified, it could be used as a bug or a locater beacon, even when it appeared to be off.
In posting this thread, I wasn’t sure of any concern, but now, I do. Are there any means of blocking that to the average user? And, what are the legalities involved?
This seems immensely important to my mind, and we should all know the parameters of what outside forces can do.
That seems semi-plausible as an explanation. The issues I see with it are that:
Cellphone manufacturers essentially lost all or most contact with the phone once they hand it over to the carrier. So any patches that had to go out would have to be handed to the carrier to spread, which is a logistical problem.
Cellphones have a really short lifespan. They are, for all intents and purposes, made to last no more than about two years since it’s not really worth making them to be sturdier than that because people usually upgrade to a new phone within that time frame. So it’s possibly not going to be in the wild long enough to make it worth patching.
Outside of some flagship cellphones like the iPhone, most cellphones aren’t complex enough that patching the firmware is likely worth it.
There’s going to be security on verifying that the person sending the firmware patch is indeed the carrier.
“Firmware” essentially means either the OS or a hardware driver or somesuch–at least in regards to the current topic. While there are only a few basic cellphone OSes, they’re all modified to the platform since the hardware is always different. This might be something as simple as a setting for what the screen size is, or significant changes to lots of places. While the outside protocols with the carrier are of course standardized, how everything works on the hardware level and is connected together is entirely at the whim of the manufacturer. To replace or patch the firmware, you would have to have reverse engineered that make of phone to learn what CPU you’re dealing with, what OS, what sort of file system it uses, where it stores its drivers on the hard drive, what memory addresses it accesses to interact with the various hardware components, what the signals are to those hardware components to turn them to the mode you want, etc. And you have to do this without visually changing the UI interaction with the user. For instance, if you force installed a firmware that assumed a screen size double that of the actual phone’s, the user would notice immediately and contact their carrier to figure out what’s wrong and either get the proper firmware reinstalled or buy a new phone.
Overall it seems like a really complex task that while theoretically possible seems pretty infeasible on a real world basis. At least not without the help of the actual maker and the carrier.
Let me comment a little bit more on item 4 of my last post:
It should be noted also that two big companies in the phone/cellphone biz are Qualcomm and Motorola. Both of these companies are very active in military communications and security software. While it’s just an assumption, I’d be pretty willing to guess that the security on cellphones by the carriers is pretty darn good. They definitely have access to the people to make it happen.
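As an added illustration of item 4 (checking that a patch really came from the carrier before installing it), and not code from anyone in this thread: a minimal acceptance check a handset could run on an over-the-air firmware patch. The patch format, the provisioned key and the HMAC-SHA256 tag are assumptions for the example; a deployed scheme would use a public-key signature so the phone holds no secret, but the reject-on-any-mismatch logic is the same.

```python
import hashlib
import hmac
import struct

# Constructed patch layout (assumption for this example):
#   header  = MAGIC(4) | version(u32 BE) | payload_len(u32 BE)
#   body    = firmware payload
#   tag     = HMAC-SHA256(key, header || body), 32 bytes
MAGIC = b"FWPT"
HEADER_LEN = 12
TAG_LEN = 32
# Placeholder for a key provisioned into the handset at manufacture.
PROVISIONED_KEY = b"example-key-provisioned-at-factory"


def build_patch(key, version, payload):
    """Carrier side: wrap a payload with a header and authentication tag."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_patch(key, blob, installed_version):
    """Handset side: return (accepted, reason). Nothing is applied on failure."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return False, "truncated"
    header = blob[:HEADER_LEN]
    body = blob[HEADER_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    if header[:4] != MAGIC:
        return False, "bad magic"
    version, length = struct.unpack(">II", header[4:])
    if length != len(body):
        return False, "length mismatch"
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed"
    # Refuse downgrades: an old, once-valid patch must not be replayed.
    if version <= installed_version:
        return False, "rollback rejected"
    return True, "ok"


def tamper(blob, offset):
    """Flip one bit of a patch to simulate in-transit modification."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)
```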
Although it’s often the truth that “Off” is sleep mode in household appliances, it is remarkably rare for battery powered devices. I know for a fact that for most MP3 players and digital cameras, the only thing on when the device is on is a small Real Time Clock that is usually powered from a separate circuit.
Now, as for cell phones – it’s true it’s theoretically possible they can be hacked to never actually turn off and spy on you, but I would seriously doubt that any cell phone doesn’t turn off all transmitters and the CPU in normal firmware. I would imagine some turn off all hardware, send DRAM in self-refresh mode and idle the CPU, but I would still call that ‘off’.
I think hacking random people’s cell phones is just not practical to do. Remember, a spying hack would have to be written for every particular model which would have different hardware, different CPUs, different chip sets, different operating systems, different memory layouts. Just think about it, this would be an incredibly complex and elaborate hack to do for even a single particular cell phone with all the engineering details available. A hack is a software patch, and this patch would have to:
a) Install in an unnoticeable fashion over the air
b) Activate microphone, start recording and sending the data over the cellular network
c) Buffer up audio without interfering with cell phone functions if signal is not available
d) Continue to do its thing when in the middle of a phone call (optional if the phone calls are recorded separately)
e) Not crash (itself or the phone)
f) Remove itself when back in the US (optional)
I’m an embedded software engineer, and I’d estimate that it would probably be easier to arrange for somebody’s cell phone to fail and to have them rent a bugged cell phone than to custom-tailor a hack to their phone.
Most bluetooth headsets lack an On-Off switch, and often it’s hard to tell if it’s on or off. In general some are more secure than others. If hacked or hijacked, your bluetooth headset can be used to spy on you especially if your cell phone is off. Google around for “bluetooth security” and “bluetooth hijacking” for more information, but note this has little to do with your phone, and more to do with the headset spying on you.
Perhaps most importantly, listening to a cell phone that is in someone’s pocket is not going to yield much that is useful unless you have dedicated listeners listening continuously- a lot of work. This means that if this technology exists, it’d only be used for high-priority targets. And chances are it’s easier to use conventional means to bug these guys.
Does anyone know what restrictions heads of state, etc. have? I think looking at how they use cell phones would provide us a good guide to how secure they are.
I would say that most (for lack of a better term) ‘digital’ consumer products are powered at least partially when ‘off’. The proof is in the power button. Unless there’s a throw switch with physical contacts that open and close, that power button needs to be scanned or otherwise monitored. Briefly looking around my living room, I can only find one battery powered device with a mechanical switch: my digital multimeter. Everything else I’ve found has a membrane-type power button and is using power right now: television remote control, iPod, police scanner, scale indicator, this laptop, my camera, etc.
For what it’s worth, high-end Motorola two-way radios (walkie talkies and mobiles) can be commanded from the dispatch console to open the mic and transmit audio.
That’s not true as long as you don’t define “scanned” so broadly that any leakage currents count as “scanning” or “monitoring”.
In the simplest of terms, imagine a power supply circuit that has a high-side transistor switch. The switch is actuated by a push-button as well as a power supply control pin on the CPU that goes high when the CPU turns on. The entire circuit is un-powered when OFF since there’s no current flowing. The moment the button is pushed, everything turns on, and the CPU pulls the power pin high so that when you let go of the button the circuit stays on.
As far as remote controls go, a lot of remote controls are actually all off, and each membrane button switches it on in different ways while it’s held down.
Most laptops, also, are fully off when off (except the RTC/CMOS powered by a different battery/circuit) when they are not plugged in. The charging/Wake-On-LAN/etc. are usually powered from the charging circuit, which is off if it’s not plugged in.
Both the US and Chinese governments – in fact, most first-world governments – have a vested interest in cellular phones that can be eavesdropped, and a vested interest in keeping the exact details of that capability quiet. Based on that reasoning, I distrust mobile phones in general, and the more like a PC it is, the less I trust it. Until someone who works for the CIA or NSA comes in here and says “Yeah, those DHS guys are full of it; nobody knows how to do that stuff,” I’m inclined to assume they know something that you don’t, and that the DHS warning is legitimate.
The problem with such reasoning is that there are a lot of people involved with the internals of cell phones, in and out of the industry, who understand how such technology works. Somebody would’ve found out about this and blown the whistle by now. I don’t doubt there’s Denial-of-Service technology sprinkled here and there because it’s so easy to hide it – making something broken is easy, subversion is hard.
Another problem is that we’re discussing something CBS said. The DHS advisory the OP quoted is entirely reasonable. A statement along the lines of “It is theoretically possible for a hacked cell phone to appear off but actually continue spying” is also true. A statement that says “Any cell phone that is off can be turned on remotely, hacked, and then spy on you” is blatant nonsense unless a good explanation is provided.
There’s a lot of daylight between those two options. I guess only the people doing the eavesdropping (and anyone else privy to that kind of classified info) know for sure whether the truth is closer to “it’s theoretically possible” or “we’ve usually got a phone cracked within a week of getting the firmware.”