Gawker has a profile of "Martin," a "mercenary hacker" who provides IT security consulting to millionaires, crooks, cheating spouses (or spouses who suspect their other halves of cheating) and so on. Martin's tradecraft — rotating SIM cards using pill-sorters labelled for each day of the week and the like — would be moderately effective against an unskilled attacker, but it seems to me that it wouldn't survive an advanced persistent threat like a government or a major spy agency. For example, he instructs his clients to use "dumb" candybar phones instead of smartphones, which, on the surface, has some logic to it (smartphones are more complex, so they have more attack-surface). But the crypto in wireless telephony is junk, so anyone with a little smarts and the capacity to follow a recipe they find on the Internet can build interception equipment that would allow them to listen in on the calls from such a phone. On the other hand, a smartphone allows users to overlay their own, industry-grade crypto for voice and SMS communications.
Likewise, Martin has his customers rotate SIMs every day, but reuses the SIMs every 14 days. This does require adversaries to acquire fourteen times more numbers and intercept them, but that, in and of itself, is not that challenging (if you can wiretap one number, you can wiretap 14, too). Especially as the phones maintain the same IMEI — the hardcoded serial number that is sent along with the phone signalling information, which uniquely identifies a handset regardless of what number it's using. Again, this is where a smartphone would help, as a sufficiently rooted phone can be instructed to spoof its IMEI with each call, or on some other rotating basis.
Martin also provides "search-engine optimization" — gaming FourSquare to boost the apparent popularity of a club, gaming YouTube falsely increment the view-counter, and he'll install a keylogger on a phone or computer for you, or sell you hidden wireless mics and cameras.
With Martin's system, each crewmember gets a cell phone that operates using a prepaid SIM card; they also get a two-week plastic pill organizer filled with 14 SIM cards where the pills should be. Each SIM card, loaded with $50 worth of airtime, is attached to a different phone number and stores all contacts, text messages and call histories associated with that number, like a removable hard drive. This makes a new SIM card effectively a new phone. Every morning, each crewmember swaps out his phone's card for the card in next day's compartment in the pill organizers. After all 14 cards are used, they start over at the first one.
Of course, it would be hugely annoying for a crewmember to have to remember the others' constantly changing numbers. But he doesn't have to, thanks to the pill organizers. Martin preprograms each day's SIM card with the phone numbers the other members have that day. As long they all swap out their cards every day, the contacts in the phones stay in sync. (They never call anyone but each other on the phones.) Crewmembers will remind each other to "take their medicine," Martin said.
Not only does Martin's system make wiretapping difficult, Martin claims it can protect the group if a phone gets compromised. If authorities snatch or tap a phone from Martin's system, they'll have access to only 1/14th of the entire network. The crew can just replace their SIM cards from that day in the pill organizer, assured that the other 13 of their SIM cards are still secure
The Mercenary Techie Who Troubleshoots for Drug Dealers and Jealous Lovers
(via Kottke)
