Monday, July 22, 2013

No, the NSA can't track phones when they are "off"

According to recent stories, the NSA can track a mobile phone even when it's turned off [1 2]. This isn't true -- at least, it's not what you think. It depends upon your definition of "off", "track", and "phone".

The best way to track an "off" phone is to (secretly) install a chip, connected to the phone's battery supply. Thus, even when the phone is "off", that added chip would still be "on". In this case, it's not really the phone itself that's being tracked, but that chip. As long as you had a battery, the same tracking technique would work for portable laptops, your shoe, or even a gun. (This is how the ATF's "fast and furious" program tracking guns was supposed to work -- but the batteries drained too fast).

Another way of looking at the problem is defining, exactly, what "off" means. Conceptually, your mobile phone is "off" when you aren't using it. A secondary, ultra-low-power "baseband" processor remains "on" to listen to the cell tower. When the baseband processor detects an incoming call, it turns the rest of the phone back "on". Especially with older "feature phones", turning the phone "completely off" would sometimes leave the baseband processor still "on", thus allowing you to be tracked. For example, sometimes the phone had a timing circuit that would occasionally turn on the baseband to grab SMS messages every 10 minutes -- even though it was "off" enough that it couldn't receive incoming calls.

Even if the baseband is off, many phones still have an alarm clock that remains "on". As the Nokia 1100 manual states, "If the alarm time is reached while the phone is switched off, the phone switches itself on". This timer circuit emits extremely low EMF that may be detectable. Given an area in the countryside where insurgents are hiding, it might be enough to locate them.

The moral of this is that just because you define the phone as "off" doesn't mean that it's 100% completely "off" all the time.

What does "track" mean? Sometimes it simply means "detect". Radio circuits are reactive -- even with the batteries removed. You can blast out a radio wave of a certain frequency and get radio patterns in response [example]. This detection can identify a specific model of cell phone, but it can't get personal information (such as phone number, IMSI, IMEI, ICCID) that would require some part of the device to be "on".

What I'm trying to show here is that while the statement "track phone while off" can be true depending on what they mean, it's false in practice. If you turn your iPhone/Android off, the NSA cannot track you by your phone number (or the other personal IDs).

6 comments:

Karl Koscher said...

What if they exploit the baseband to cause it to remain on when the rest of the phone is off? IIRC the G1's baseband processor was responsible for managing charging and the power state of everything else.

Baneki Privacy Labs said...

If the phone is rooted by an attacker, here's what a smart attacker would do:

Modify the kernel and requisite supporting binaries such that, when the "power" button (whatever that is, depending on hardware) is pressed, the phone cycles through what appears to the user to be a power-down process. Screen goes off, LEDs stop, cute little shutdown ditty. Whatever.

However, leave the kernel running quietly, still fully connected to the network. Just 'blank' its output (like software ketamine, basically) to the user. With root control of the OS, all these parameters are easily within reach.

To the user, the phone is off. But it's not - it's still acting as a tracking device. Plus, it can activate its microphone to record local audio, use the camera to record video or snapshots... whatever. All in stealth mode, as it were.

This is not far-fetched; indeed, carriers could well implement stuff like this for "improved user experience" so that "boot up times" are improved, or whatever. See also: CarrierIQ.

Q.E.D.

Unless the customer owns root on her phone, and guards it zealously, these sorts of attacks are basically trivial. After all, someone owns root: if it's not the customer, then it's the carrier... which, as we all now understand fully, means the NSA by proxy. Indeed, there are well-documented examples of FBI use of "powered down" cells as tracking devices (actually, USB sticks acting as cellular data modems; same difference) - let us know and we'll pull references for that, if folks are curious. This is, therefore, a known in-the-wild exploit - the modified kernel was 'injected' remotely by the carrier, at the FBI's orders, stealthily.

Once an attack is seen and documented in the wild, it's no longer theoretical - and the only question is how prevalent it is. Given the enormous power /root has on a modern 'smartphone' - tracking device, recording device, surveillance camera, digital data access tool - it's unreasonable to think that highly-motivated attackers with near-limitless budgets and technical resources (read: NSA) aren't making use of the attack. How broadly? That's the only real question.

Also: root the phone, and no data encryption (or FDE) retains the ability to protect anything. One word: keylogger. So a rooted phone is the ultimate surveillance tool - and one part of that is tricking the user into thinking it's "off" when in fact it's still spying away.

Were we in the role of APT-style attacker, it's what we would do - and I think our logic is fairly unimpeachable in this. Thus, by logical extension, it's being done.

Pull the battery. That's what smugglers do (trust us; we'd know - long story). That said, some phone hardware has 'backup' batteries on the motherboard; low power, but able to maintain baseline kernel functionality for some period of time, even if the main battery is physically removed. That's why some more paranoid smugglers, we're told (ahem) simply refuse to have their Handi with them in "hot" situations, ever. Period.

Some of these attacks aren't well documented, because they're the purview of motivated state agents with strong disincentives for them to become public. In such circumstances, seeing even a corner of the real picture suggests the picture itself is likely of ample size. That is, one may feel only the toe of the elephant - it's just a toe - but (rightly) conclude that the elephant herself is quite large. Why? Because the toe is a tiny proportion of the elephant - so even if it's not big, itself, the multiplier to the whole critter is enormous.

~ Baneki Privacy Labs | #UnPRISM.us

Unknown said...

Regarding MASINT, the phone companies had (at least a crude) version of this running since the 1980s in some markets. The cell phone companies had problems in the analog phone days with phone cloning -- someone would read your phone's ESN off the air, and clone it into another phone, making calls on your dime (usually the cell co's dime, as they'd write off the obviously bogus expenses). So in areas where cloning was most common, they'd install equipment at the switch that would actually make an RF fingerprint of your phone, and if a phone popped up with the same ESN but a different RF fingerprint, it would be kicked off the network (probably both phones would be kicked... but once there's only one phone on the network, it is allowed back on after some hours. The cloner would not want to wait until the legitimate owner of the ESN shut their phone off + several hours, and would give up. The legitimate owner would have their phone quit working, then work again a few hours later, but no false calls on the bill.)
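The switch-side clone check the comment above describes (same ESN, different RF fingerprint, kick everyone off for a few hours, let the survivor back on) is simple enough to model. The following is an added example, not code from the blog or from any carrier's equipment: the fingerprint features, tolerances, the three-hour lockout, and all ESN values and registration events are constructed for illustration.

```python
"""Toy model of analog-era ESN clone detection by RF fingerprint (constructed example).

Assumed fingerprint: a (carrier frequency offset in Hz, power-ramp time in microseconds)
pair, with a per-feature tolerance. Real systems used richer transient features; the
point here is the decision logic, not the signal processing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Fingerprint = Tuple[float, float]

LOCKOUT_MINUTES = 3 * 60        # "allowed back on after some hours": assumed 3 hours
TOLERANCE: Fingerprint = (50.0, 5.0)  # assumed per-feature tolerance for normal drift


def fingerprints_match(a: Fingerprint, b: Fingerprint, tol: Fingerprint = TOLERANCE) -> bool:
    """Two transmissions are the same transmitter if every feature is within tolerance."""
    return all(abs(x - y) <= t for x, y, t in zip(a, b, tol))


@dataclass
class EsnRecord:
    fingerprint: Optional[Fingerprint] = None  # learned fingerprint for this ESN, if any
    blocked_until: float = -1.0                # minute at which a lockout expires


@dataclass(frozen=True)
class Registration:
    minute: float        # time of the registration attempt
    esn: str             # electronic serial number the phone claims
    fingerprint: Fingerprint


class CloneDetector:
    """Per-ESN state machine: learn, verify, lock out on conflict, relearn after lockout."""

    def __init__(self) -> None:
        self.records: Dict[str, EsnRecord] = {}

    def handle(self, reg: Registration) -> str:
        rec = self.records.setdefault(reg.esn, EsnRecord())
        if reg.minute < rec.blocked_until:
            # Both the legitimate phone and the clone are kept off during the lockout.
            return "REJECT:locked_out"
        if rec.fingerprint is None:
            # First phone seen with this ESN (or first after a lockout): learn it.
            rec.fingerprint = reg.fingerprint
            return "ACCEPT:learned"
        if fingerprints_match(rec.fingerprint, reg.fingerprint):
            return "ACCEPT"
        # Same ESN, clearly different transmitter: treat as a clone, kick everyone off.
        rec.fingerprint = None
        rec.blocked_until = reg.minute + LOCKOUT_MINUTES
        return "REJECT:clone_detected"


# Constructed registration log (ESNs and measurements are made up).
SAMPLE: List[Registration] = [
    Registration(0, "ESN-A1", (120.0, 42.0)),    # legitimate owner
    Registration(0, "ESN-B7", (10.0, 55.0)),     # unrelated phone, never conflicts
    Registration(30, "ESN-A1", (118.0, 43.0)),   # legitimate owner, normal drift
    Registration(45, "ESN-A1", (-300.0, 61.0)),  # cloner reusing ESN-A1
    Registration(50, "ESN-A1", (120.0, 42.0)),   # legitimate owner, now locked out too
    Registration(240, "ESN-A1", (119.0, 42.5)),  # lockout over, only one phone: relearned
]


def run(events: List[Registration]) -> List[Tuple[float, str, str]]:
    """Replay events in time order and return (minute, esn, decision) for each."""
    det = CloneDetector()
    return [(r.minute, r.esn, det.handle(r)) for r in sorted(events, key=lambda r: r.minute)]


if __name__ == "__main__":
    for minute, esn, decision in run(SAMPLE):
        print(f"t={minute:>5.0f}  {esn}  {decision}")
```

The replay shows the trade-off the comment mentions: the conflict at minute 45 locks out the legitimate owner at minute 50 as well, and the first phone to reappear after the lockout (here the owner at minute 240) is simply relearned, so the scheme only works because the cloner is unwilling to wait that long.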


Peter Maxwell said...

Given that the GSM standards are horrific to read, does anybody know what mobile phones actually transmit when they are powered down? If the interference in nearby speakers is anything to go by, they definitely still transmit *something*.

Anonymous said...

I no longer trust this blog... the comments here are deliberately misleading!

Anonymous said...

Another way to ensure no tracking is to do what we do for FastTrak here in the SF Bay Area: mylar/foil bags.