How To Tell If Your Cell Phone Is Bugged

[David Farber <dave () farber net>]

Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: December 4, 2006 12:46:30 PM EST
To: dave () farber net
Cc: lauren () vortex com
Subject: How To Tell If Your Cell Phone Is Bugged



                 How To Tell If Your Cell Phone Is Bugged

              ( http://lauren.vortex.com/archive/000202.html )


Dave,

A story is making the rounds right now regarding FBI use of cell
phones as remote bugs (e.g. http://news.com.com/ 
2100-1029-6140191.html ).
I originally wrote about this concept in my PRIVACY Forum in 1999
("Cell Phones Become Instant Bugs!"
 - http://www.vortex.com/privacy/priv.08.11 ) so the issue is real,
but we still need to bring the current saga back down to earth.

This discussion doesn't only relate to "legal" bugs but also to the
use of such techniques by illegal clandestine operations, and
applies to physically unmodified cell phones (not phones that might
have had separate, specialized bugs physically installed within them
by third parties).

There is no magic in cell phones.  From a transmitting standpoint,
they are either on or off.  It is true that many phones have an alarm
feature that permits them to "wake up" from a seemingly "off" state.
However, this is not a universal functionality, even in advanced
phones such as PDA cell phones, which now often have a "totally off"
mode available as well.

It is also true that some phones can be remotely programmed by the
carrier to mask or otherwise change their display and other
behaviors in ways that could be used to fool the unwary user.
However, this level of remote programmability is another feature
that is not universal, though most modern cell phones can be easily
programmed with the correct tools if you have physical access to the
phones, even briefly.

But remember -- no magic! When cell phones are transmitting -- even
as bugs -- certain things are going to happen every time that the
alert phone user can often notice.

First, when the phone is operating as a bug, regular calls can't be
taking place in almost all cases.  A well designed bug program could
try to minimize the obviousness of this by quickly dropping the bug
call if the phone owner tried to make an outgoing call, or drop the
bug connection if an incoming call tried to ring through.  But if the
bug is up and running, that's the only transmission path that is
available on the phone at that time for the vast majority of
currently deployed phones.  Some very new "3G" phones technically
have the capability of running a completely separate data channel --
in which voice over IP data could be simultaneously transmitted at
full speed along with the primary call (conventional GSM data
channels -- GPRS/EDGE -- typically block calls while actively
transmitting or receiving user data).  But this is pretty
bleeding-edge stuff for now, and not an issue for the vast majority
of current phones.

Of course, if a cell phone is being used as a remote bug, the odds
are that the routine conversations through that phone are also being
monitored, right? So this "one call at a time" aspect isn't as much
of a limitation to bugging as might otherwise be expected.

Want to make sure that your phone is really off? Taking out the
battery is a really good bet.  Don't worry about the stories of
hidden batteries that supposedly can be activated remotely or with
special codes.  The concept makes no sense in general, and there just
isn't room in modern cell phones for additional batteries that could
supply more than a tiny bit of added power, if any.

But if your battery seems to be running out of juice far too early
(despite what the battery status display might claim), that might be
an indication that your phone is being used to transmit behind your
back (or it might be a worn out battery and a typically inaccurate
battery status display).

Another clue that a phone may have been transmitting without your
permission is if it seems unexpectedly warm.  You've probably noticed
how most cell phones heat up, especially on longer calls.  This is
normal, but if you haven't been on any calls for a while and your
cell phone is warm as if long calls were in progress, you have
another red flag indication of something odd perhaps going on.

Finally, if you use a GSM phone (like the vast majority of phones
around the world, including Cingular and T-Mobile in the U.S.) you
have a virtually foolproof way to know if you phone is secretly
transmitting in voice mode.  You've probably noticed the "buzzing"
interference that these phones tend to make in nearby speakers when
calls or data transmissions are in progress.  A certain amount of
periodic routine communications between cell phones and the networks
will occur while the phones are powered on -- even when calls are
not in progress -- so short bursts of buzzing between calls (and
when turning the phones on or off) are normal.

But if you're not on a call, and you hear a continuing rapid
buzz-buzz-buzz in nearby speakers that lasts more than a few seconds
and gets louder as you approach with your phone, well, the odds are
that your phone is busily transmitting, and bugging is a definite
possibility.  Note that this particular test is much less reliable
with non-GSM phones that use CDMA (e.g.  Sprint/Verizon phones),
since CDMA's technology is less prone to producing easily audible
local interference.  This strongly suggests that CDMA phones may be
preferred for such bugging operations.  A variant form of CDMA
(called "WCDMA") is used for the high speed data channel (but not
the voice channel) on new 3G GSM phones.  Since voice could
theoretically be encoded onto that channel as I mentioned above --
which would be harder to detect than the main GSM voice channel --
this is a technology that will bear watching.

Most of this applies to bugging in real time.  If delayed bugging is
acceptable, there is another approach available that would be more
difficult to detect -- record ambient audio from the phone mic and
store it in the phone's memory in compressed form, then upload it en
masse later.  Modern phones have plenty of available memory,
especially ones with cameras, mp3 capabilities, and the like.  The
processing requirements of a delayed bug would probably be beyond
the capabilities of some low-end phones, but even most entry-level
phones are relatively powerful these days.

When the recorded audio was uploaded all of the transmission factors
mentioned above would come into play, but since the transmission
time would be shorter this would be harder to detect.  Probably the
biggest giveaway to this type of bugging would be battery drain,
which would typically be quite considerable even in a
voice-controlled recording (VOX) mode.  So, my comments above about
unusually poor battery performance would be especially applicable in
this case.

The odds of most people being targeted for bugging are quite small.
But it's always better to know the technical realities.  Don't be
paranoid, but be careful.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Founder, CIFIP
   - California Initiative For Internet Privacy - http://www.cifip.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/