Your cellphone is a tracking device that lets you make calls

Just in case you had any doubts about how much of a security risk your mobile phone presents, have a read of Jacob Appelbaum's interview with N+. Jake's with both the Tor and Wikileaks projects, and has been detained and scrutinized to a fare-thee-well.

Appelbaum: Cell phones are tracking devices that make phone calls. It’s sad, but it’s true. Which means software solutions don’t always matter. You can have a secure set of tools on your phone, but it doesn’t change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It’s a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody’s cell phones will automatically jump onto the tower, and if the phone’s unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.

Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?

Appelbaum: Maybe. But iPhones, for instance, don’t have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.

Resnick: And how easy is it to create something like to that?

Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.

You may be saying here, "Huh, I'm sure glad that I'm not doing anything that would get me targeted by US spooks!" Think again. First, there's the possibility that you'll be incorrectly identified as a bad guy, like Maher Arar< who got a multi-year dose of Syrian torture when the security apparatus experienced a really bad case of mistaken identity.

But second, remember that whatever governments can do with technology, organized criminals can do too (this is doubly true of back-doors that governments mandate in telecoms equipment and software to make spying easier -- they can be used by anyone, not just "good guys").

And finally, remember that whatever the leet haxxors of the mafia are doing today on the cutting edge will be reduced to a short script that can be run by fatfingered noobie script kids tomorrow, in automated attacks that are indiscriminately ranged against tens of millions of devices in the hopes of finding a few that are vulnerable.

Or as Jake says:

The first response people have is, whatever, I’m not important. And the second is, they’re not watching me, and even if they were, there’s nothing they could find because I’m not doing anything illegal. But the thing is, taking precautions with your communications is like safe sex in that you have a responsibility to other people to be safe—your transgressions can fuck other people over. The reality is that when you find out it will be too late. It’s not about doing a perfect job, it’s about recognizing you have a responsibility to do that job at all, and doing the best job you can manage, without it breaking down your ability to communicate, without it ruining your day, and understanding that sometimes it’s not safe to undertake an action, even if other times you would. That’s the education component.

So security culture stuff sounds crazy, but the technological capabilities of the police, especially with these toolkits for sale, is vast. And to thwart that by taking all the phones at a party and putting them in a bag and putting them in the freezer and turning on music in the other room—true, someone in the meeting might be a snitch, but at least there’s no audio recording of you.

Leave Your Cellphone at Home (via /.)


  1. Most workdays between 10:00 and 7:00, my tracking device won’t even make phone calls for me.  (Verizon has a remarkably crapulent hole in their coverage encompassing 90% of the Warner Bros backlot.)

    Can anyone recommend a reliably snitch-resistant dumbphone?  It’d be nice if it could receive email, too, but anymore I don’t really want it to do anything but place and receive voice calls.

    1.  It depends on what you want, bearing in mind that every bit you transmit is technically out of your control once it leaves your phone. AT&T used to have ancient dumbphones with pay-as-you go for almost free, but now it looks like $18-$19 minimum. If your carrier is GSM, you can use anything that takes a SIM.

    2. “Can anyone recommend a reliably snitch-resistant dumbphone? ”
      Geo tracking is inherent of mobile technology. Your phone must connect to a cell tower that is relatively very close by, usually within 5 miles. As you move about, you switch from tower to tower, and your phone and your provider are keeping a history of what towers and when. When that canadian porn actor/serial killer went missing, the authorities (with the help of cell providers) watched his international phone connect to towers on the other side of the world, which led them right to dumbass.

      One solution would be a pre-paid phone and plan that involves no contract, such as Virgin Mobile or Boost. Since there is no contract, you can give them a fake name. However, depending on the specific circumstances, the authorities will still have access to complete records of everyone the phone called, social websites logged in to, etc. (For example, if your phone is tracked as being at a terrorist rally and the pigs really want to know who owns that phone, they will get your fake name from the provider, as well as that phone’s general geographic history, calls, texts, etc). I guess the best thing to do would be to buy two no contract phones, and keep one turned off except for only “emergency” situations.

      1. A forwarding number that you give out + regularly changed burner SIM cards from different providers would make you a lot harder to track.   A dedicated tracker could still find you, but it would require a LOT more work on the tracker’s end.

        Combine that with a dumbphone that doesn’t do anything more than send/receive voice calls and texts and you’re a lot less vulnerable than if you’re carrying an always-transmitting general purpose computer in your pocket that’s linked directly to your name and Social Security number.

    3. There is no such thing as a cellular telephone on the market that the US government cannot remotely activate the microphone on, smart or dumb. There may have been at one point, but the presumption now must be that if it can be remotely managed by a carrier (and even my ancient “dumb” Nokia phone can have firmware pushed to it), it can be remotely managed by the government that allows that carrier to operate.

    4.  I posted this before I started reading others comments but it may help you make a choice because you can just slip your phone in it when you don’t want tracking.
      Ok if your so afraid of the black helicopters, police knowing where your are or having your conversation recorded there is a simple answer. It’s called a faraday cage, or in this case faraday pouch. It’s basically a container which blocks radio waves. So lets say you want to keep your phone from giving away your location turn it off and slip it into the pouch, even tho you wouldn’t really need to turn it off. Once its in the pouch it wouldn’t be able to send or receive radio waves from backdoor programs. So unless it had a hidden program already on it which turns on the voice recorder whenever turned off or when it looses signals then it could send out your conversations it hears while in the pouch once it gets signals again, but still won’t be able to say where u been while in the pouch or alert your whereabouts to a fake cellphone tower.

    5.  I got the same non-coverage from Verizon.  They explained to me that I was in a marginal area.  Maybe one day Rockville, MD will join them fancy big-league towns.

  2. From the linked article:

    The FBI […] picked through his trash to identify his bank and mortgage companies, presumably to send them subpoenas.

    HUH? They have to go through his garbage, to figure out his bank connections???
    Either the reporter is making stuff up out of thin air, or the FBI knows A LOT LESS about us than we may think…

      1. They don’t need a warrant to shoot you, rape you, torture you or wire your nuts up to a car battery.  They pretty much do everything you would expect a psychopath with a badge to do.  

  3. This is such old news, I figured it out for myself years ago. And here is the ultimate irony: the voters of the U.S. have been rejecting a national ID card for decades, because it would be too intrusive and violate their precious privacy. Yet those same people are willing, nay, eager to carry around a device that can take videos of them as they read their email while sitting on the toilet.

      1.  Machiavelli for me.  There’s just something about contemplating the administration of a small Iberian city state while seated on the “throne”.

    1.  I agree. I feel the same way about tattoos..a permanent id chip is out of the question, but make tattoos a popular trend and now we have unique registrable marks that can be easily seen and documented and we have a population that can be identified and databased.
      I have neither.

      1. “He’s the one with the tribal arm band” or “She’s the one with the dolphin by her bikini line” doesn’t do much to narrow it down.

  4. Do not take your phones to protests unless the battery is removable. If possible, take a dumbphone not attached to you, and make it one that you can disassemble and break in half quickly. The lack of a battery will protect intrusion through the air, but you can still have your shit manhandled if you get arrested. That includes your contact list, sexy videos, your browser history, grocery list, photos of your children, etc.

    Of course, you shouldn’t be dong anything dumb or illegal. The funny thing is that your privacy doesn’t come back when they drop your bogus charges.

    1.  well… three big brothers. Apple, Facebook and Google and several other smaller cousins that collect as much information about you as they can and sell it to advertisers.

  5. This is no surprise. Not only that, I don’t mind that my phone tracks me.

    What I do mind is that I can’t see my own data. They think they’re hiding that my phone tracks me from me, and the byproduct of that is that I can’t make sweet GPS drawings of dicks over a map of San Francisco just by walking around. 

    I suppose I’m just not prepared for the kind of responsibility associated with knowing where I’ve been.

    1.  smart phone with an app that lets you mark spots on a map via gps maybe?  visit the path to draw a phallus frequently after you map it out.

      1. I used dick drawing as an example here. There are many reasons I would like to access regular positioning data from my phone without having to have an app open. Finding out how much time I’ve spent on buses, or mapping every public restroom I’ve been in to merge with my poop tweets, for instance.

        1. As a general personal belief I like to do things to make people collecting data on me wince and question why they bother with doing so.    Though I can heartily see the interest in mapping your  ‘target of interest’ (for lack of a more appt term atm) , and looking over it in a quasi ant-farm voyeur way.  It is very interesting to be able to see the patterns we are mostly unaware of.

          1. I guess my point is that the battle of whether or not you’re being tracked is lost. If you don’t want to be tracked, you don’t even stand a chance anymore. So instead, you should be informed about how you’re being tracked, and maybe get something useful out of it for yourself as well.

      1.   Tin foil hats for our devices as protection against government control by radio waves. 
        To have to think about that …
        I made an aluminum sleeve for my wallet to hold my RFID’ed documents. 

        I didn’t think I was paranoid, but if I am, that doesn’t mean They are not really after me. 
        Oh, and after y’all. 

    1. You know those anti-static bags every computer component comes in (video cards, sound cards etc)? Those are basically faraday cages; just drop your cellphone/passport/anything with RFID in one of those and it can’t be reached.

      1. Are you serious? You can go into a store, put something in one of those and then walk out and it won’t trip the alarm?

        1.  Aye.   The oversized ones available at WalMart are supposedly a favorite of the pros.  

          Test it for yourself.  Just drop your phone in one and have a friend try to call you.

        2. There are powered tags that are capable of transmitting through the Mylar bags, BUT the majority of inventory control tags are passive – EM resonance cavity ( the ones with the loose metal strip in the flat plastic bubble) and RFID.
          They don’t work as Faraday cages (Faraday cages MUST be grounded), but they attenuate the signal enough to knock it out of band. If they were actually grounded, they’d eat even the powered tags’ signal.

    2. If you’re going to do something to block the signals to your phone, you should probably also turn it off, or it’s going to drain its battery pretty quick in full signal boost mode trying desperately to contact a tower.

  6. First we abuse human rights at G-Bay. Then we restrict a bit of freedom while travelling. Now they are on the verge of tracking our phones. Next comes forcing to censor results on selected keywords related to “US National Security”. 

    Further on, due to increasing income disparity between the 1% and the 99% of the population, there is revolution. The 1% is forced into labour camps. Notion of private ownership of assets is abolished so that everyone is equal. 

    (insert photo of Donald Trump and various Wall Street types being handcuffed and led through streets with signs around their necks “Capitalistic Traitors to the Great Nation of America”) 

    Trade barriers are erected to “bring jobs back”. Most of everyone you know work at factories producing iPhone 5’s. There is no other phone available. The rest work at factories producing Birkenstocks. There is no other footwear available. Yet there are still long lines at shops stocking these 2 products due to rationing.

    (insert photo of Obama and Romney wearing drab grey outfits,  both smiling woodenly from a poster as they put on bumpers on newly-minted iPhone 5’s while text copy proclaims that all Americans should patriotically work in the factories to resist the cheap imperialistic goods of China and India)

    1.  I’d say there’s rather more risk of the 99% working on plantations (converted from the suburbs where they used to live) run by the 1%.  Hard left socialism is not really a popular philosophy in the US these days but feudalism seems to be making quite a comeback.

  7. I paid cash for my phone and I pay cash for minutes.  It does what I want a phone to do: It makes phone calls. It’s anonymous even though I don’t really care if anyone knows where I am.

    I did sell a spare phone I registered in my name to a guy who just got out of jail. I hope I’m not doing drug deals or stalking anyone.

    1. Your phone, every roughly twelve hours, plugs in to external power and sits on the same tower, within view of X other towers (has negotiated soft handoff possibilities with those towers), at the same antenna direction from all those towers, with the same signal strength. Someone with a $350 piece of equipment can drive past the phone and pin it within a three foot radius. This doesn’t even cover whether it has Bluetooth capabilities, WiFi, has ever been forwarded an MMS from someone you know, has ever been called by someone you know, has your spouse or parents listed as ICE, has a ringtone generated by iTunes, yadda yadda yadda. There is only one class of anonymous cellular phone, and it’s the one you just bought from the convenience store 30 miles from your home while cross-dressing and riding public transit.

      1. Someone with a $350 piece of equipment can fly drive past the phone and pin it within a three foot radius.” 

        This might be a great time to invest in drone technology stock.

  8. “I’m not doing anything illegal.”

    Big mistake there, everyone is doing something whether they realize it or not.  Then again with the NDAA it doesn’t make much difference, if they want you, they disappear you.

    1. The big problem is the bumbling government droolers have about a 90% error rate, they can’t read, nor ask questions and their single braincell overloads constantly.  Its like Mr Magoo meets the Coyote with an unlimited Acme account.

  9. German police setting a negative example in monitoring….”Last year alone, the Dresden public prosecutor initiated 462 suits against participants of anti-Nazi protests, about 400 of which are still open. Dozens of houses were searched nationwide and more than a million mobile phone records collected from about 50,000 people. Among those placed under surveillance were people such as politicians, lawyers and clergymen, who are specially protected by law from police investigation and whose phone data cannot generally be seized. Joachim Wieland, a constitutional law expert, determined that the mobile phone monitoring conducted by the police and the prosecutor was entirely illegal.”…

  10. The writer of the article is correct.  What is particularly interesting is that this is presented as something of a revelation, but I forget that most people have not paid attention to what has been going on in the war over it’s past 11 years, and the young are simply led to believe there is a thing called privacy to protect, as though the privacy bug had not been resolved long ago in such technology.

    It is important to note the description of the surveillance device also allowing people to make phone calls.  It is very important, because it clarifies the priorities intended in the hardware’s deployment in the war, where getting the public to cover the cost of the government’s surveillance equipment themselves.

    The problem is people who do not use cell phones, who may remain off the radar, and therefore the government is not able to ensure they are secure.

  11. And, if you keep them in your pocket you can cook your balls and mutate your future offspring, too!   And now!  Foresman’s Law:
    The first people to be protected by proper law enforcement, are law enforcement.   When you can’t tell teh truth, you can’t communicate.  When you can’t can’t communicate, you can’t work with the FUBAR.

  12. It seems to me that if you’ve been on any calls from a phone that can be traced to you since the government has been sampling signals from all phones, your voice and hence your location can be identified from any phone regardless of other precautions. Therefore, to defeat their surveillance, you should scramble your voice before it enters any phone. But then you have to worry about the content and patterns of your conversations so just encrypt/decrypt voice accoustically externally to the phone making sure the phone never hears the cleartext sounds and manage the keys carefully. Since you can’t receive calls if your phone’s in a Faraday cage, put it in a sound-proof container when waiting for a call to defeat microphone eavesdropping and tape over the camera while you’re at it.  Put the phone in the cage when moving around because you’ll become a target when they detect your countermeasures.

  13. Going forward, I really don’t see a way to prevent people from looking (at least not without sacrificing significant benefits). Making it impossible to look without everyone knowing that you looked (and what you looked at, and when) would solve a lot of concerns however. By the same mechanism that keeps most people (including criminals and law enforcement) from sneaking up to windows to peek through.

    There is no future for privacy through obscurity (the privacy that we relied on). But we can still get most of the benefits of privacy through transparency.

  14. I wonder if it would be possible to at least reduce accuracy of cellphone tracking. For e.g. by using directional antenna that tracks only one of nearest towers + randomly adjusts signal strength. Of course, due to size and complexity this could be used in cars only.

    1. interesting idea.  i’m pretty sue the signal strength could be done in software.  the directional antenna could be tiny.  and even just a parabolic piece of aluminum foil…

  15. Maybe we need a mandatory hardware privacy switch on all connected devices, the unhackable hard switch. And further more, stop going to bush doofs and everyone has their phones out snapping video later published… and the signals all strong as they seek connections – I wonder if one day we will have phone/computer-free zones, kind of like a “down tools” place where devices are checked at the door. Radio silence. Each to their own I suppose.

  16. anyone have serious countermeasures links?  i haven’t seen any in here.  i’ve been mind experimenting this for a while. 
    i’ve gotten as far as the obvious rotating burner phone situation with a huge pool of IMEIs and burned sims.  just have to think like a drug dealer.  but how do you retain a single number for incoming calls?  if you had google voice fwd to the new sim, google would always know who/where you are.  and even if you had your own pbx to do that, the bad guys could just see what phone has incoming from that pbx number.  i’m stuck on this point…  is there some setup like anon VPNs for deployment of VOIP or something?

    then the problem with data (social nets, mapping, searches).  maybe restrict all cell data usage to an anonymous VPN or two with one outside the country.  the latter was recently covered a bit on boingboing.  i’ve been toying with VPN sw built into android (ICS) and it sucks.  if the VPN isn’t reachable for a second or two it just drops back to default network coverage, which we obviously wouldn’t want here.
    i also need to look into this backdoor nonsense they reference in TFA, see how protected one is by running cyanogenmod, et al.  i’m assuming not much since there are still large blocks of non OSS; in the baseband section, etc; from what i understand.

    i guess i should go search out some privacy forums, etc.  i’m decent at android programming so maybe i should look into this seriously…
    i’m assuming any solution will at least double my cell phone bill

    1. Android’s baseband/GSM stack (the subsystem of the phone that directly controls cellular hardware and communications with cell towers) has not been released as  opensource by Google. Project OsmocomBB is the first to develop one.

  17. One partial solution – hang on to your old, dumb cellphone as long as possible. If it’s not too late already. Can’t protect against monitoring which cell your device is connected to and can’t protect against wiretaps, but at least they can’t install malware on it.

Comments are closed.