How To Tell If Your Cell Phone Is Bugged

Eugen Leitl eugen at leitl.org
Mon Dec 4 03:18:28 PST 2006


(((Smartphones with bug apps can of course log audio to flash, if lots
of it is present -- when it is sending, a LED toy indicating HF transmission
could come in handy)))

http://lauren.vortex.com/archive/000202.html

December 03, 2006
How To Tell If Your Cell Phone Is Bugged

Greetings. A story is making the rounds right now regarding FBI use of cell
phones as remote bugs. I originally wrote about this concept in my PRIVACY
Forum in 1999 ("Cell Phones Become Instant Bugs!") so the issue is real, but
we still need to bring the current saga back down to earth.

This discussion doesn't only relate to "legal" bugs but also to the use of
such techniques by illegal clandestine operations, and applies to physically
unmodified cell phones (not phones that might have had separate, specialized
bugs physically installed within them by third parties).

There is no magic in cell phones. From a transmitting standpoint, they are
either on or off. It is true that many phones have an alarm feature that
permits them to "wake up" from their usual "off" state. However, this is not a
universal functionality, even in advanced phones such as PDA cell phones,
which now often have a "totally off" mode available as well.

It is also true that some phones can be remotely programmed by the carrier to
mask or otherwise change their display and other behaviors in ways that could
be used to fool the unwary user. However, this level of remote programmability
is another feature that is not universal, though most modern cell phones can
be easily programmed with the correct tools if you have physical access to the
phones, even briefly.

But remember -- no magic! When cell phones are transmitting -- even as bugs --
certain things are going to happen every time that the alert phone user can
often notice.

First, when the phone is operating as a bug, regular calls can't be taking
place in almost all cases. A well designed bug program could try to minimize
the obviousness of this by quickly dropping the bug call if the phone owner
tried to make an outgoing call, or drop the bug connection if an incoming call
tried to ring through. But if the bug is up and running, that's the only
transmission path that is available on the phone at that time for the vast
majority of currently deployed phones. Some very new "3G" phones technically
have the capability of running a completely separate data channel -- in which
voice over IP data could be simultaneously transmitted at full speed along
with the primary call (conventional GSM data channels -- GPRS/EDGE --
typically block calls while actively transmitting or receiving user data). But
this is pretty bleeding-edge stuff for now, and not an issue for the vast
majority of current phones.

Of course, if a cell phone is being used as a remote bug, the odds are that
the routine conversations through that phone are also being monitored, right?
So this "one call at a time" aspect isn't as much of a limitation to bugging
as might otherwise be expected.

Want to make sure that your phone is really off? Taking out the battery is a
really good bet. Don't worry about the stories of hidden batteries that
supposedly can be activated remotely or with special codes. The concept makes
no sense in general, and there just isn't room in modern cell phones for
additional batteries that could supply more than a tiny bit of added power, if
any.

But if your battery seems to be running out of juice far too early (despite
what the battery status display might claim), that might be an indication that
your phone is being used to transmit behind your back (or it might be a worn
out battery and a typically inaccurate battery status display).

Another clue that a phone may have been transmitting without your permission
is if it seems unexpectedly warm. You've probably noticed how most cell phones
heat up, especially on longer calls. This is normal, but if you haven't been
on any calls for a while and your cell phone is warm as if long calls were in
progress, you have another red flag indication of something odd perhaps going
on.

Finally, if you use a GSM phone (like the vast majority of phones around the
world, including Cingular and T-Mobile in the U.S.) you have another virtually
foolproof way to know if your phone is secretly transmitting. You've probably
noticed the "buzzing" interference that these phones tend to make in nearby
speakers when calls or data transmissions are in progress. A certain amount of
periodic routine communications between cell phones and the networks will
occur while the phones are powered on -- even when calls are not in progress
-- so short bursts of buzzing between calls (and when turning the phones on or
off) are normal.

But if you're not on a call, and you hear a continuing rapid buzz-buzz-buzz in
nearby speakers that lasts more than a few seconds and gets louder as you
approach with your phone, well, the odds are that your phone is busily
transmitting, and bugging is a definite possibility. Note that this particular
test is much less reliable with non-GSM phones that use CDMA (e.g.
Sprint/Verizon phones), since CDMA's technology is less prone to producing
easily audible local interference. This strongly suggests that CDMA phones may
be preferred for such bugging operations. A variant form of CDMA (called
"WCDMA") is used for the high speed data channel (but not the voice channel)
on new 3G GSM phones. Since voice could theoretically be encoded onto that
channel as I mentioned above -- which would be harder to detect than the main
GSM voice channel -- this is a technology that will bear watching.

The odds of most people being targeted for bugging are quite small. But it's
always better to know the technical realities. Don't be paranoid, but be
careful.

--Lauren--

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
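
Added example, not part of the forwarded article or of this post: the speaker-buzz check automated over a recording, separating the short routine bursts from a buzz that continues for several seconds. The 216.7 Hz burst rate (one burst per 4.615 ms GSM TDMA frame) is the standard GSM figure, not a number from the article; the 8 kHz sample rate, the 0.2 energy share, the 3-second cutoff and the synthetic recording are assumptions made for the example.

```python
import math
import random

GSM_BURST_HZ = 216.7  # assumption: one burst per 4.615 ms GSM TDMA frame (not stated in the post)

def goertzel_power(win, rate, freq):
    """|DTFT|^2 of `win` at `freq`, computed with the Goertzel recurrence."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in win:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def buzz_runs(samples, rate, window_s=0.25, min_frac=0.2):
    """Return [(start_s, duration_s)] for runs of windows dominated by the burst tone."""
    n = int(rate * window_s)
    runs, start, count = [], None, 0
    for i in range(0, len(samples) - n + 1, n):
        win = samples[i:i + n]
        total = sum(x * x for x in win) or 1e-12
        # Share of the window's energy at the burst rate and its 2nd and 3rd harmonics.
        tone = sum(goertzel_power(win, rate, k * GSM_BURST_HZ) for k in (1, 2, 3))
        if 2 * tone / (n * total) > min_frac:
            start = i / rate if start is None else start
            count += 1
        elif start is not None:
            runs.append((start, count * window_s))
            start, count = None, 0
    if start is not None:
        runs.append((start, count * window_s))
    return runs

def classify(runs, sustained_s=3.0):
    """Label each run: short bursts are routine signalling, long ones need a closer look."""
    return [(s, d, "sustained" if d >= sustained_s else "routine") for s, d in runs]

def constructed_recording(rate=8000, seconds=12, seed=0):
    """Synthetic speaker pickup: noise, a 0.5 s burst at 1 s, a 6 s buzz from 4 s."""
    rng = random.Random(seed)
    out = []
    for i in range(rate * seconds):
        t = i / rate
        buzzing = 1.0 <= t < 1.5 or 4.0 <= t < 10.0
        pulse = 1.0 if buzzing and (t * GSM_BURST_HZ) % 1.0 < 0.125 else 0.0
        out.append(pulse + rng.gauss(0.0, 0.05))
    return out

if __name__ == "__main__":
    print(classify(buzz_runs(constructed_recording(), 8000)))
```

As the article notes for the by-ear test, this only applies to GSM handsets; a CDMA phone would not produce the burst tone the detector looks for.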
