FBI Taps Cell Phone Microphones in Mafia Case

cnet-declan writes "We already knew the FBI can secretly listen in to car conversations by activating microphones of systems like OnStar. A new Mafia court case suggests that the FBI can do the same thing to cell phones. The judge's opinion and some background information [pdf] are available for reading online. The most disturbing thing? According to the judge, the bug worked even if the phone appeared to be 'powered off.' Anyone up for an open-source handset already?" From the article: "This week, Judge Kaplan in the southern district of New York concluded that the 'roving bugs' were legally permitted to capture hundreds of hours of conversations because the FBI had obtained a court order and alternatives probably wouldn't work. The FBI's 'applications made a sufficient case for electronic surveillance,' Kaplan wrote. 'They indicated that alternative methods of investigation either had failed or were unlikely to produce results, in part because the subjects deliberately avoided government surveillance.'"

open-source

[Loconut1389]

well, we may not have open-source handsets, but is open-mic good enough?

In Soviet Russia

[anagama]

In Soviet Russia, phone listens to you.

oh wait ....

Re:

[GnuDiff]

In fact, it did.

As far as I remember, just after the collapse of the USSR, there were published some information about how KGB was able to activate the mics of "normal" old phones by activating the line from substation; so that the phone didn't ring, but the mic was getting enough current flowing through it to work.

Re:

[DrSkwid]

That also happened to some people I knew in the UK, the police monitored their house via their POTS phone.

They then played the tapes back during interrogation, the bits where the housemates talked about each other behind their backs etc. to try and get them to tesify against each other.

Re:

[Gordonjcp]

That also happened to some people I knew in the UK, the police monitored their house via their POTS phone.

Bah, bloody thing posted when I hit Enter.

I don't really see how that's possible. When the handset is on-hook, the microphone is disconnected. This is a requirement for BABT compliance.

Re:In Soviet Russia

[Dun Malg]

That also happened to some people I knew in the UK, the police monitored their house via their POTS phone. .

I don't really see how that's possible. When the handset is on-hook, the microphone is disconnected. This is a requirement for BABT compliance.

You are correct. The analog POTS system fully disconnects the microphone and speaker when on hook, as per design standards going back to the 1870's. It's not possible to listen in on-hook without modifying the phone. OP is either engaging in "urban legendry", or the incident took place before 1982, when BT still owned the entire phone system (including the sets themselves) and could believably send a technician 'round to "fix the phone".

Re:

[Gordonjcp]

Nope, that *still* doesn't work. The high frequency signal is shunted to ground by the sidetone choke - if you look there's a funny little transformer with three windings to make sure that you can hear yourself in the earpiece, but not too loud. Furthermore, even with the diodes on the regulator board (which *might* rectify the 2MHz AC), you still don't get much of a voltage across the microphone, and certainly not enough to prod it into life. Most BT "round dial" phones used carbon microphones, although

Two reasons it's possible

[crucini]

I don't really see how that's possible. When the handset is on-hook, the microphone is disconnected. This is a requirement for BABT compliance.

1. Unless you disassemble and inspect the phone every time you enter the space, you have no idea what's inside. (And even then, if your adversary has sufficient resources). There are lots of ways to modify a phone for remote monitoring - search for "hook switch bypass". In this scenario, if the officers executed a search warrant earlier, they could have modified or

Re:

[crucini]

I got my info from a book by a KGB defector - can't remember his name. He worked on COMSEC for Russia. Didn't provide any technical details (voltages, frequencies, etc.). But the book has lots of interesting stories.
An eastern-block agency was spying on a Russian agency with this method. They parked a car underneath the building's overhead power line, and extended a thin wooden pole that nearly touched the power line.
Also, when the US opened a new embassy in Moscow, the joke was that the flowers would a

Re:

[CBob]

Both sides have had that ability for quite some time now. Google "infinity transmitter", they used to be avail in kit form in the old Popular Electronics or Radio Electronics circa 1980-ish

What's so alarming here?

[ZDRuX]

The fact that they are using a cellphone case as a carrier for the secondary microphone or that they somehow got a hold of the Mafia's cellphone without them knowing?!

And an open-source cellphone will do you no good when the seperate mic runs straight off the battery inside the phone regardless if your phone is on or not. This is not much different then having the FBI tap your watch, cd-rom drive, or shaver... but I guess that would be pointless since you don't talk to any of those about your secrets right? ...do you?

The real puzzle here is how they managed to swap the real phone with the one that was wired by the FBI, there must have been a mole. And since they got a court order to "monitor" the suspects, is it really that *alarming* that it worked even when the phone was off? Are there limitations as to when you can and cannot monitor dangerous suspects? For example when they sleep, or go to the bathroom, or between the hours of 9-5? Anybody know?

Re:What's so alarming here?

[iamdrscience]

The alarming thing is the possibility that the bug could have been something that was not a physical modification to the phone's hardware, but a software modification. The article suggests that this may have been the case. So while it's probably not the case that the FBI could remotely turn any phone into a bug, the possibility of that being the case is alarming.

Re:

[Anne Honime]

The alarming thing is the possibility that the bug could have been something that was not a physical modification to the phone's hardware, but a software modification. The article suggests that this may have been the case. So while it's probably not the case that the FBI could remotely turn any phone into a bug, the possibility of that being the case is alarming.

The probability that the judge and the reporter both misunderstood the technical parts of the case is certainly much higher than the probability

Re:

[iamdrscience]

I agree completely. Ultimately, the only thing truly "alarming" about this story is the idea that it could happen, but the fact that it's still exceedingly unlikely makes the story rather unremarkable.

Re:

[Catbeller]

A lot of innocent people have been robbed, imprisoned, tortured, and killed legally. Legal is not the same thing as right.

History, real history, is deemed so radical that Americans don't read it anymore. This I understand is why they seem to think law=good. Law is a set of rules laid down by powerful people. Read about Ethan Allen and the Green Mountain Boys; landowners, quite legally, stole farmers' own, purchased land and had them executed and imprisoned when they tried to resist the theft. The lawyers, j

Re:What's so alarming here?

[nchip]

It is probably feasible with Qualcomm BREW based handsets in cdma networks. CDMA operator has power to "push" content, including applications to you device. BREW apps can access your microphone and don't necessary need to be visible.

GSM networks don't have such delivery systems, and use java for applications. Most phones don't support starting Java midlets automatically to backround, or access microphone. Even when in background, running applications are visible somewhere in the menus.

Basically the java applets are sandboxed, while BREW apps are signed by the operator to be "trustable".

Re:What's so alarming here?

[ronanbear]

The Irish networks are GSM and it's reasonably well known that the networks can turn on and control phones with the signature of a sufficiently senior police officer.

I'm actually surprised more people here hadn't heard about it.

Re:

[aussersterne]

It's this weird American tendency (or maybe it just represents the true success of Big Brother that it is powerful enough to do these things without being detected) to believe that there's no possible way corporations or the government could be monitoring you (because that would be un-American). The more they're monitoring you, the more adamant most Americans become that this is clearly impossible in America. The more evidence for surveillance and civil rights violations, the more most Americans will bemoan

Re:

[Catbeller]

Nice catch, there. Americans have a self-worship mythology that is fully congruent with the Soviet's own. Ever read Hedrick Smith's "The Russians"? Seems you have, and a lot more besides: "Oliver Twist" is a good name for their attitude. What do we call the American's mirror concept? I've heard it called "exceptionalism", but something more pithy would be good. Any ideas?

Re:Soapbox much?

[Anonymous Coward]

> How perfectly tangential of you to take a technical discussion about cellphones and use it to spout anti-American bullshit.

I'd like to suggest that criticizing the U.S. government when it does bad things, is actually PRO-American, not anti-American.

...err, how?

[bagofbeans]

When the phone is genuinely off, it is not listening to base station and so cannot be turned on by it. However, the phone could be designed so that the base station can tell it not to turn off, but pretend to be off. This is practical engineering wise because if every phone was turning itself on and checking in for command to go into surveillance mode, the phone-off life would drop noticeably. However all phone designers would know this, and the info would have leaked by now.

Do you have any evidence (articl

Re:

[Anne Honime]

I'm sorry that I was misunderstood myself ; I was by no way implying that it's absolutely impossible to remotely bug a cell phone. But I don't think it's reasonably practical to do it, for a number of reasons, and I think anyway it makes a better headline to imply the contrary. Hence, my belief it's easier to bug conventionaly a phone (rewiring the mic or something like this) rather than fussing with the firmware, and I find it more probable the reporter exagerated the story.

Think about it for a minute : h

Re:

[jackalope]

The FBI probably would not need physical access to the phone. They could just use the over-the-radio firmware upgrade feature many phone have to send the target phone some new firmware with the bug software integrated into it.

Yes, the software has bugs, it is supposed to have bugs.

Re:What's so alarming here?

[Yokaze]

The poster of the story seems to be under the false impression that the FBI activated the mobile phone's integrated microphone. This would have been quite alarming. However, if he (or the original author) had read the affidavit correctly (as you probably did), he'd notice that they just bugged him. (Point 3: "[...] through a listening device placed in the cellular phone [...]").

c/net says it was the internal microphone

[femto]

According to c/net it was the internal microphone [com.com]. They give some consideration to the possibility of a separate bug but conclude the weight of evidence points to the internal microphone being activated without the owner's knowledge.

While I'm at it I'll repeat a comment I posted on Technocrat:

Given that all mobile/cell phones are required to be locatable (its for your own safety remember?) and need to be accurately synchronised with a base station, what are the chances of forming a phased array using all microphones within a certain radius of a point? That way one could eavesdrop on a conversation well away from the nearest mobile phone.

I would guess that there is no need for a super accurate location or time. Measure the two as close as possible then record all streams from mobiles in the area. Next feed the whole lot into a super computer and do a big cross correlation with sliding windows centred about the best guess at relative phase (based on the measured location and time).

It is worth noting that the wavelength of the radio signals a mobile phone uses is comparable to the wavelength of the audio frequencies of the human voice. Thus in theory it is possible for a mobile phone base station to locate a mobile phone to within a fraction of an audio wavelength, exactly what is needed for a phased array.

Re:

[jacksonj04]

Umm, cell phones aren't required to be locatable. It's a byproduct of the technology used (as with any radio device) which means they are locatable whether there's a requirement or not.

As for the phased array, does it take into account things like pockets? Not to mention you'd need very detailed weather patterns to cope with the wind carrying sound, Doppler etc.

Re:

[Dun Malg]

Actually, all new cell phones in the US are required to have internal GPS receivers so they can be located when dialing 911.

A nice idea in theory, but in practice it's largely useless. The nature of GPS is such that the receiver needs to have a fairly unobstructed view of a large sector of sky for a goodly amount of time in order to calculate position. It works passably well when someone's outdoors, not under any cover (including trees), and holding the phone up to their head. When the phone in your pocket, on your belt in a case, indoors, or in the car, GPS is not going to work.

Re:

[Junta]

That's why it isn't by and large traditional old GPS, it's aGPS [wikipedia.org]. That's why they also can quickly get location lock instead of taking some time. And yes, I believe for E911 operation phones are required to implement some sort of way to give precise location, such as aGPS.

Re:

[Lehk228]

that is not true, they must have GPS OR enhanced triangulation from cell towers.

Re:

[khayman80]

This is a fascinating idea, but I wonder if the cell phones could actually be located accurately enough. My understanding of cell phones is that each phone is "located" in the sense that the tower that it's communicating with is reported to 911 operators. Perhaps different cell phone towers could compare the time delay of the phone signals and perform triangulation? If so, this would seem to require nanosecond timing accuracy (1 foot at lightspeed takes 1 ns) and I'm not sure that's feasible across the c

Re:

[Catbeller]

By federal law, all cell phomes sold in the US after 2004 have GPS tracking installed. You cannot even activate an older phone wihtout GPS if you, say, buy it on eBay. You are being tracked, and you've no choice in the matter. There is a deactivate option on your phone menu, but if you believe that you can believe that the police only convict guilty people.

It's pissing me off. I'm using an older phone, and eventually it will fail. I will not purchase a tracking device, so I guess I'll be untethered to a cel

Re:What's so alarming LIAR! PHONE NOT ALTERRED!

[Anonymous Coward]

NOT TRUE! LIES!

Parent poster is lying and trying to coverup the shocking truth! (parent is a fed shill?)! Parent post did not cite section three PROPERLY of wiretap judge affidavit.p1.120106.pdf. Read it yourselves folks and spot the blatant parent post lie The FBI used the blanket method "OR OTHER MEANS" as clearly specified in the document. No modification to the cell phone was made AT ALL. No mods needed. (or feasable)

There are actually a few secret goodies available to the feds in many modern cell phones.

First... Sat based GPS is NOT required in most cells phones to silently get precise location, as per FCC device regulations and as per millions of dollars in levied and honored fines to lagging noncompliant cell providers.

also part of underwraps subsections of ETSI LI spec framework for LI (Lawful Interception) hint at leveraging the E911 feature that makes a cell not be able to disconnect if a 911 operator toggles a cell phone into "stay online no matter what" mode. Heck, ive played with that mode once... had to rip out the battery! (no way to hang up). Technology was added to prevent poor signal drops during a 911 call, but then used to keep line open while victim is delirious or expiring. For docs, Just look for harvesting all spec docs starting with S3LI03 prefix on the net. Or hang around Cryptome or usual places.

Regarding the gov tracking your movements in real time (if battery not removed from your non-GPS cell : 1996 the FCC defined a fancier "E911 Phase 2" for more precise ALI information to PSAPs using latitude and longitude information, and to identify a mobile caller's location within 125 meters (410 feet) 67% of the time to the PSAP. A PSAP is one of over 6,000 Public Safety Answering Points (PSAP), some route , some deal directly with initial public calls. FCC 97-402 CC Docket No. 94-102 rules (October 1, 1996). besides the 34-bit Mobile Identification Number (MIN), being sent in Phase I of E911, the 34 bit MIN accepted a "call back' even without a valid phone number, as the 1996 regulation also stipulates that CELL PHONES WITH NO CONTRACT OR DORMANT DEVICES MUST HAVE FREE ACCESS TO 911 service, no matter what. The tracking protocol is independant of billing accept/reject.

To allow the cell to be detected within 410 feet WITHOUT GPS, cell phone towers use triangulation methods automated with cellular geolocation systems involving time difference of arrival (TDOA) and angle of arrival (AOA)

As for REMOB mode of cell phone (remote observation) the details seem to be partially vender unique, but it is suspected that the table is trivially assigned via Mobile Identification Number (MIN) table lookup in REMOB snitch mode.

PLEASE NOTE that the court documents allowing the voice tapping of the MAFIA suspect stated "OR OTHER MEANS". the "OR OTHER MEANS" is the non modified NON_ALTERRED original cell phone being merely set in a VOX mode for packet burst with simple threshold to sleep unless steady VOX activation, controlled partly by other terminal point. Otherwise battery of a modern cell will last only a few hours.

I cannot believe all the fools in this thread that actually believe the FBI has ability to add devices INSIDE a modified cell phone. Yeah... like there's lots of empty space!!! The judges papers said OR OTHER MEANS and this other means is the REMOB mode. Similar to onstar silent snitch mode in Cadillacs.

If you really want to panic... the FBI buys the RFID scans of all the points on NY turnpike that record car tire RFID that the TREAD act mandates to allow gov to uniquely track movements of all cars by untamperable chips in the tires... even at 90 miles and hour adn 12 feet away (though instead of overpasses for RFID car tires as in parts of I-75, reading coils UNDER the pavement are used, as with the RFID tire impressions collected at canadian border customs booths.

sorry for all the lazy typos. I am very tired. an i know that factual anon posts stay +0 until the FBI shills squelch them to -1 rapidly with there grooming accounts they use here to stifle agitator insider posts like this one.

Re:

[no_such_user]

This has got to be the same person, talking about RFID in tires (which I never knew about -- as if I'm not paranoid enough) and more. Interesting, uh, stuff:

http://clintjcl.wordpress.com/tag/rants/ [wordpress.com]

Re:

[Catbeller]

"They can't have had the phone transmitting all the time"

They don't transmit all the time, but they do transmit "here I am" signals at regular, close intervals. And it would be trivial to use a little memory in the phone to store a stack of GPS coordinates, for use during the periodic "here I am" transmissions.

Re:

[kimvette]

Want to know if your phone is doing this while shut off? Turn off your CD player, switch to radio (FM or AM, it doesn't matter, although AM will make it more apparnt), then place your cellphone as close to the head unit as possible. Periodically while powered up you will hear little chirps/blips. If you power the cellphone off, these will stop. If they continue periodically, then your phone is a model which pings the towers while "off" so if you want to make high speed runs on highways without big brother t

Re:

[Dr. Zowie]

Cell phones are so heavily engineered for size, it's hard to imagine that the listening device was anything other than software -- most phones simply don't have room to hide a separate mic.

Re:

[Anonymous Coward]

Um, actually, i think thats exactly what they did. TFA says "a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone."..."remotely install a piece of software on to any handset, without the owner's knowledge, which will activate the microphone even when its owner is not making a call."

they don't steal the phone and put in a microphone and the software to run it. They send the phone software over the cell net that activat

Re:

[Catbeller]

"And an open-source cellphone will do you no good when the seperate mic runs straight off the battery inside the phone regardless if your phone is on or not. This is not much different then having the FBI tap your watch, cd-rom drive, or shaver... but I guess that would be pointless since you don't talk to any of those about your secrets right? ...do you?"

This is why I've been stumping for a year for a handset that has a separate power citcuit for the e911 function. When I don't want it on, I don't want som

Re:

[Catbeller]

And one BIG addition: I'm being way too pre-Bush here. They don't need juries anymore. Secret prosecutors with secret agendas can use e911 information to quietly, extralegally, make you disappear if they deem you a "terrorist". The standard of evidence is "I feel like it." Don't give the secret police an excuse to make you disappear. Don't give them more tracking information than they already have. Thousands have been kidnapped and shipped out of this country. It's not a theory, it's a brutal reality that w

Re:

[aussie_a]

Good to see your comprehension of English doesn't outweigh your knee jerk abilities. Otherwise you would have seen that was only one fact that was considered, along with at least 1 other fact accompanying it (more likely many more facts).

Re:

[The Master Control P]

All aboard the clue train, last stop is A.C.:

FBI: "Judge, these guys are mafia and they're not falling for the typical eavesdropping routines."
Judge: "Ok, try planting bugs in their cell phones." /signs warrant

Not everyone trying to preserve their privacy is doing so for good reasons. The purpose of a warrant is to isolate the shitbags who are hiding something illegal before invading their personal lives. It's the 4th amendment: Reasonable suspicion that you're covering something up voids your right

Validating Warrants

[camperdave]

How can a citizen check whether a warrant is valid or not? How do they, or anyone else for that matter, know that the warrant was signed by a proper judge, and not some FBI bureaucrat? How do you find out how much the FBI paid the judge to get him/her to sign the warrant? ...or how hard they had to lean on the judge to get the signing? There used to be (and probably still are) "hanging judges". Perhaps there are "signing judges" who will sign any warrant that comes across their desk. What is the warra

FBI?

[Aceticon]

I bet that the NSA uses "feature" a lot more than the FBI, and when they do it they certainly don't tell anybody about it.

The big difference is that the NSA will use this for counter-terrorism and also for industrial espionage, while the FBI probably only really uses it for crime investigation.

The Solution

[FrostedWheat]

Remove the battery.

Or better yet, don't have one!

Re:

[rjdegraaf]

... or stick on one of those funny led-light-devices which lights up when the phone transmits data.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Can we use non-USA cell phones instead?

[KWTm]

Would it work if non-USA cell phones were used? I guess not British cell phones since the Brits seem to be vying for the title of Orwellian Big Brother, but suppose we went to Sweden or Japan or Venezuela and bought a cell phone there? I'm sure there would be GSM-type phones that would work within US borders when used with a US sim card.

Even if the vendor tries to lock the cell phone to a given service provider, there should be places that unlock cell phones. My brother-in-law travels to Hong Kong from t

Thankfully, it's easy to mod your phone

[Anonymous Coward]

Due to the design of cell phones, it's actually very easy to modify a phone so that it gives a clear visual indication of whether it is transmitting or not.

If, for whatever reason, your phone starts transmitting (be it on a call, or because the FBI have remotely activated it), then some LEDs can be configured to light or flash - providing clear visual feedback. This could be a bit more convenient than removing the battery except when needed.

In fact, you can get the modification kits ready for use, for less than $5 - and installation, can take less than 30 seconds.

These kits are more usually sold as novelties for 'ricing' phones, but they can also be used for serious purposes:
Example kit [ebay.com]

Re:

[quantum bit]

Or just set the thing down next to a speaker and listen for the characteristic click-click-buzz when it's transmitting. Some phones are even powerful enough that my car stereo picks it up, or leaks into the signal of a nearby land-line (the PBX phones are work are real sensitive to it).

On occasion I've put my phone down next to an LED flashlight, and when the phone rings the flashlight turns on!

My Opinion

[iamdrscience]

As someone who has on several occasions had to listen to my brother's phone pick up in his pocket without him realizing, I don't think this is much of a problem. If the FBI wants to listen to my pocket lint, more power to them.

As long as there's a court order...

[plnrtrvlr]

...then I don't care whose phone is getting bugged or how. Technology is constantly changing, so our abilities to moniter the public changes as well. It is the job of the courts to assure the public that this does not occur without probable cause. As long as there was a court order to bug the mob guys' phone, I don't care how they do it. I just want constant assurances that our government is allowing judicial oversight. This is all just a rehash of the same old story from back in the days when they were first tapping phone lines across the street from Ma Bell's switchboard.

Re:As long as there's a court order...

[idlake]

It is the job of the courts to assure the public that this does not occur without probable cause.

Well, as the Bush administration has shown, it's not the job of the courts to do this. And if spying becomes as simple as pushing a bunch of buttons, you can be certain that people will do it without a court order.

This is all just a rehash of the same old story from back in the days when they were first tapping phone lines across the street from Ma Bell's switchboard.

Well, no, it isn't. That required physical access and had significant costs associated with it. Now, the costs are considerably lower, and surveillance follows the person around. That changes things considerably.

Overall, it's a question of balance, not black-or-white-it's-all-the-same style arguments, like you're making.

Re:

[plnrtrvlr]

Actually, the argument you are making is totally different..... I've said "as long as there's a court order" and you've said "but the Bush Admin has shown......" Well, this is the crux, isn't it? As long as the law is followed and a court order is issued before such surveilance occurs, no big deal. "The Bush administration has shown they ignore the law" is a different argument. If the law is followed, it's only the tech that has changed. And according to the article, this new tech still requires physical

The old 'it is legal' argument.

[FatSean]

We're not falling for that one! I can't wait until a Democrat controlled gov't uses these privacy-invading laws to expose fundamental religious 'tards for mistreating the litters of children they keep shitting out! You can't hit your kid with a stick if he misbehaves, Mr. Savage, this is 2006.

(See, it goes both ways)

Re:

[muellerr1]

Just because the Bush administration ignored the Constitution and broke the law does not change the fact that it IS the job of the courts to issue warrants for wiretaps. Just because wiretapping is so easy that the President authorizes it without a warrant does not make that authorization legal.

Your argument that physical access and high cost made tapping phone lines legal is just weird. Just because the costs are lower and there's new technology shouldn't change the principle behind the wiretapping

Re:

[Chris Burke]

We're talking about the potential and likelyhood of abuse.

Just because wiretapping is so easy that the President authorizes it without a warrant does not make that authorization legal.

And yet it occured anyway, and the President has not been censured in any way as a result. The precident is there, and more importantly there is no reason to think this abuse is not ongoing. We know that warrantless wiretaps have been performed, and we know that the President feels he is perfectly within his rights to order

Re:

[mikelieman]

"It is the job of the courts to assure the public that this does not occur without probable cause."

We have a 2nd Amendment to make sure the WE can enforce the 1st.

RELYING on a court to provide for your Freedom and Liberty, when you have NO RIGHT to a Writ of Habeas Corpus is just plain dumb.

You might NEVER SEE A COURT.

Re:

[BillyBlaze]

So you really wouldn't be bothered by a camera in your bedroom that doesn't tell you whether it's transmitting, as long as our infallible media told you it would only be used with judicial oversight?

I think the issue is that the technology to monitor cell phones remotely while off, if it exists, does not just make it easier to bug cell phones. It actually constitutes bugging them. Bugging someone's home doesn't mean turning on a mic you put there earlier, it means putting the mic there in the first place

Hmmmm

[Sv-Manowar]

I have no doubt the ability to record from the microphone when the phone is off is available to certain people, most phones nowdays have alarms where you can set it for a time - turn the phone off and it will turn itself back on at the specific time and sound your alarm. Now if you think about what does this, then surely there are other abilities built into using the phone when you believe it is "off". Hell, the whole "geographic communications cell that the call was made in is stored with the details of th

I must then ask

[the_REAL_sam]

Which phone manufacturers did NOT sell all of its customers out to the government? Perhaps there are specific model numbers that are not compromised? Or perhaps before a certain year?

Anyhow...if I unplug the phone battery it's off for sure...right?

Re:

[mikael]

According to this 3G tutorial [nmscommunications.com], (page 118) wireless LAN's are the biggest threats to 3G dominance:

Biggest Threat to Today's 3G -- Wireless LANs

Faster than 3G - 11 or 56 Mbps vs. 2 Mbps for 3G when stationary

Data experience matches the Internet with the added convenience of mobile
Same user interface (doesn't rely on small screens)
Same programs, files, applications, Websites.
Low cost, low barriers to entry

Organizations can build own networks - Like the Internet,

secrets of cell phones

[Anonymous Coward]

there are actuially a few secret goodies available to the feds in many modern cell phones.

First... Sat based GPS is NOT required in most cells phones to silently get perecise location, as per FCC device regulations and as per millions of dollars in levied and honored fines to lagging noncompliant cell providers.

also part of underwraps subsections of ETSI LI spec framework for LI (Lawful Interception) hint at leveraging the E911 feature that makes a cell not be able to disconenct if a 911 operator toggles a cell phone into "stay online no matter what" mode. Heck, ive played with that mode once... had to rip out the battery! (no way to hang up). Technology was added to prevent poor signal drops during a 911 call, but then used to keep line open while victim is delirious or expiring. For docs, Just look for havesting all spec docs starting with S3LI03 prefix on the net. Or hang around Cryptome or usual places.

Regarding the gocv tracking your movements in real time (if battery not removed from your non-GPS cell : 1996 the FCC defined a fancier "E911 Phase 2" for more precise ALI information to PSAPs using latitude and longitude information, and to identify a mobile caller's location within 125 meters (410 feet) 67% of the time to the PSAP. A PSAP is one of over 6,000 Public Safety Answering
Points (PSAP), some route , some deal directly with initial public calls. FCC 97-402 CC Docket No. 94-102 rules (i.e., by October 1, 1996). besides the 34-bit Mobile Identification Number (MIN), being sent in Phase I of E911, the 34 bit MIN accepted a "call back' even without a valid phone number, as the 1996 regulation also stipulates that CELL PHONES WITH NO CONTRACT OR DORMANT DEVICES MUST HAVE FREE ACCESS TO 911 service, no matter what. The tracking protocol is indepentdant of billing accept/reject.

To allow the cell to be detected within 410 feet WITHOUT GPS, cell phone towers use triangulation methods automated with cellular geolocation systems involving time difference of arrival (TDOA) and angle of arrival (AOA)

As for REMOB mode of cell phone (remote observation) the details seem to be partially vender unique, but it is supected that the table is trivially assined via Mobile Identification Number (MIN) table lookup in REMOB snitch mode.

PLEASE NOTE that the court documents allowing the voice tapping of the MAFIA suspect stated "OR OTHER MEANS". the "OR OTHER MEANS" is the non modified NON_ALTERRED original cell phone being merely set in a VOX mode for packet burst with simple threshold to sleep unless steady VOX activation, controlled partly by other terminal point. Otherwise battery of a modern cell will last only a few hours.

I cannot believe all the fools in this thread that actually believe the FBI has ability to add devices INSIDE a modified cell phone. Yeah... like theres lots of empty space!!! The judges papers said OR OTHER MEANS and this other means is the REMOB mode. Similar to onstar silent snithc mode in cadillacs.

If you really want to panic... the FBI buys the RFID scans of all the points on NY turnpike taht record car tire RFID that the TREAD act mandates to allow gov to uniquely track movements of all cars by untamperable chips in the tires... even at 90 miles and hour adn 12 feet away (though instaed of overpasses for RFID car tires as in parts of I-75, reading coils UNDER the pavement are used, as with the RFID tire impressions collected at canadian border customs booths.

sorry for all the lazy typos. I am very tired. an i know that factual anon posts stay +0 until the FBI shills squelch them to -1 rapidly with there grooming accounts they use here to stifle agitatant insider posts like this one.

Re:

[Watson Ladd]

They don't track cars via the tires. They detect cars by detecting the body of the car or the pressure exerted on a hose in the asphalt. They can also use EZ-pass to track. But this isn't much of a concern as they could just have toll operators write the license plate down of everything that goes through.

Re:secrets of cell phones - WRONG! RFID tires real

[Anonymous Coward]

WRONG! The feds do in fact log all car tires that pass secret monitoring points on certain highways and have for many years since T.R.E.A.D. was enacted by law. License plates are transferrable and also not 100% discernable.

It is a US felony to commercially import or sell auto tires that do not have a sanctioned spy chip RFID radio transpnders in them, with a unique GUID for every tire.

A secret initiative exists to track all funnel-points on interstates and US borders for car tire ID transponders (RFID chips embedded in the tire).

Your tires have a passive coil with 64 to 128 bit serial number emitter in them! (AIAG B-11 ADC v3.0) . A particular frequency energizes it enough so that a receiver can read its little ROM. A ROM which in essence is your GUID for your TIRE. Multiple tires do not confuse the readers. Its almost identical to all "FastPass" "SpeedPass" technologies you see on gasoline keychain dongles and commuter windshield sticker-chips. The US gov has secretly started using these chips to track people as far back as 2002.

I am not making this up. Melt down a high end Firestone, or Bridgestone tire and go through the bits near the rim (sometimes at base of tread) and you will locate the transmitter (similar to 'grain of rice' pet ids and Mobile SpeedPass, but not as high tech as the tollbooth based units). Sokymat LOGI 160, and Sokymat LOGI 120 transponder buttons are just SOME of the transponders found in modern high end car tires. The AIAG B-11 Tire tracking standard is now implemented for all 3rd party transponder manufactures [covered below].

The US Customs service uses it in Canada to detect people who swap license plates on cars when doing a transport of contraband on a mule vehicle that normally has not logged enough hours across the border.

Photos of untamperable tracking chips before molded deep into tires! :
http://www.sokymat.com/index.php?id=94 [sokymat.com]

the first subcontracter secretly hired for providing gear for bulk logging of tire RFID on highways in 2002 was :
http://web.archive.org/web/20021014102238/telemati cs-wireless.com/divisions.html [archive.org]

ALL USA cars can be radio tracked using the tires. Refer to tire standard AIAG B-11 ADC, (B-11 is coincidentally Post Sept 11 fastrack initiative by US Gov to speed up tire chip standardization to one read-back standard for highway usage).

The AIAG is "The Automotive Industry Action Group"

The non proprietary (non-sokymat controlled) standard is the AIAG B-11 standard is the "Tire Label and Radio Frequency Identification" standard

"ADC" stands for "Automatic Data Collection"

The "AIDCW" is the US gov manipulated "Automatic Identification Data Collection Work Group"

The standard was started and finished rapidly in less than a year as a direct consequence of the Sep 11 attacks by Saudi nationals.

All tire manufacturers were forced to comply AIAG B-11 3.0 Radio Tire tracking standard by the 2004 model year.

(B-11: Tire & Wheel Label & Radio Frequency ID(RFID) Standard)

http://mows.aiag.org/source/Orders/index.cfm?task= 3&CATEGORY=AUTOIDBC&PRODUCT_TYPE=SALES&SKU=B-11 [aiag.org]

(use google cache to glance at that link if you are a hacker, all access to that page is watched by the feds, as are orders.)

A huge (28 megabyte compressed zip) video of a tire being scanned remotely was at http://mows.aiag.org/ScriptContent/videos/ [aiag.org] (the file is "video Aiagb-11.zip").
THAT LINK was still valid as recently as Feb 2004, long after my 2002 ignored warnings on slashdot. But in July 2004 died after feds saw my origianl warnings regarding T.R.E.A.D. act (RFID citizen tracking)

Re:

[drrobin_]

Where can I learn more?

Re:

[rickb928]

Sorry, AC, but your post is mostly BS.

- The T.R.E.A.D. act focuses on tire safety, identifying problems as soon as possible, and making manufacturers specifically responsible for safety and manufacture. It also specifies some research and standards for child safety seats. Go figure.

- The T.R.E.A.D. act doesn't specify RFID tags. It does allow for rulemaking that might.

- RFID tags in tires were probably first implemented by Michelin, to simplify inventory. They may have devised the embedded antenna to so

Re:

[DeadChobi]

Oh yeah? Do you have links to any of the "facts" you cited? At least the AC is collecting links demonstrating some form of research.

Re:

[Danny Rathjens]

Sensible people usually don't put as much time and effort into not believing conspiracy theorists as the conspiracy nuts do when inventing their conspiracies. :) This guy has been cutting and pasting the same rant about tire rfid for 5 years, apparently.(and if you even look at the comments to this one article you'll see he has cut and pasted the same stuff multiple times today.)

PLEASE LOOK AT THAT LINK : Its the same shocking tire material I have been trying to tell people about since the spring of 2001

For credibility, please post with GPG signature

[KWTm]

Please quit trying to coverup the shocking truth with lies denying these truths. When I claimed the feds have databases of car movement on certain highway chokepoints (I-75 for example) that use soley tire RFID, I am not making it up.

But now expect me to end up with an inexplicable poisoning death/suicide for taking the time to point out these facts.

I was also the one to point out the forensic yellow dots in us printer firmware 5 years before the press learned about it.

I also exposed gasoline taggants first

Re:

[TheCarp]

maybe, maybe not.

Sure you can buy the tires in cash and put them on with no paper trail to tie them back to you. However, how hard would that be to correlate?

As soon as you go through a toll booth or a detector with a camera nearby, it would be trivial to tie your tire IDs to your cars License plate. In fact, they wouldn't even need to do it en mass. All they need to do is store the data.

Then when they have an ID to look for, they can go back and see when they saw it previously, or where it has been since.

O

Re:secrets of cell phones - WRONG! RFID tires real

[ericartman]

Yeah OK the whole thing sounded pretty crazy to me but I just went down to put tires on my car at the local Wheel Center. The dealer wanted my name address and phone number even though I was paying cash, " For the Warranty". "Leaving the state" I said so there was no need. So after placing all 4 tires in back of my car, I told him I was getting them mounted somewhere else as I have Mag wheels and could get them mounted free. Again out came the paperwork and the dealer asked me if I was sure that this was the car that the tires were going on, I said yes and the dealer proceeded to try and write down the VIN number of the car. I asked why and he said , since the Firestone fiasco it was the store policy to write down the number of the car and send it to corporate. I then asked him if there was anyway I could just buy tires and leave. Never came up before he said and then yes he let me leave without id but how do I know if he wrote down my license plate or not or got the vin? Paranoid? Yup but I used to sell tire and we never had any restrictions on sale. The guy today sure didn't seem happy not knowing where his tires were going. Then I came home and read this about tracing tires. Now all the dealers responses seemed reasonable but......?

The Article Points Out

[cybercrime]

Several ways which suggest that FBI and Nextel were able to actually activate the built-in cell phone microphone remotely, or least use the cellular network to obtain some remote surveillance.

The affidavit seeking the court order lists the target's phone number his 15-digit International Mobile Subscriber Identifier, and lists Nextel as the service provider. Why would they have to disclose this information to the court if they were just planting an ordinary bug which requires none of the above informatio

Not the issue... here is the issue.

[Antony-Kyre]

Assuming cell phones can be listened on in the way described, I have this to say. The issue is whether the government is forcing cell phone manufacturers to include backdoors.

Re:

[Cheeze]

and also if they are letting the government listen in without warrants, and violating the phone owner's right to privacy.

Re:

[Ron Bennett]

The government already has before for other products, such as scanners and printers for various purposes. And it was kept secret for quite awhile - do a search on google, slashdot, etc for the articles.

Most scanners are designed to detect the special markings on currency and subsequently will not scan it accurately; most printers are designed likewise.

In addition, in both categories of products, many of them embed a unique identifier in their output. Only realistic way to determine if one's scanner and/or p

maybe they just bought a COTS phone

[SaberTaylor]

Maybe they just bought a commercial off the shelf (COTS) bugged phone, and surreptitiously replaced the phones after copying the user settings.

These phones went the rounds of the blogs a while ago so I think they're real:
http://www.spyphones.com/ [spyphones.com]

Not to mention you can use a phone itself as a remote GPS tracker. See this link from cruel.com in August:
http://forums.accutracking.com/viewtopic.php?t=494 &postdays=0&postorder=asc&start=0 [accutracking.com]

Open Src?

[guysmilee]

An open source cell phone wouldn't fix any of your problems ... there isn't secret software on your cell phone ... imagine a huge company trying to keep a secret like that ... the equipment has simple physical properties that make them easy to assist in snooping no software required. A basic vase in your apartment could be used to pick up sound remotely using some basic physics.

Not so new

[oki900]

In the cell phreak/hack community this has been suspected for quite some time. It's also suspect that the GPS can be activated regardless of whether you have it set for 911 only or not. If you need total anonymity with a cell around the best thing is to remove the battery completely and if you are still paranoid place a 1k ohm resistor across the positive and negative terminals of the phone (not the battery) to drain the capacitors that may still hold a charge. Further you can remove the antenna which will

Re:

[Ron Bennett]

Easier yet, simply turning off phone (if concerned about battery life, then remove it too) and then placing phone into a securely sealed EZ-Pass bag; supplied to EZ-Pass users for use when they don't intend to pay with it at a toll.

Ron

Re:

[(H)elix1]

Further you can remove the antenna which will greatly reduce or eliminate the transmission range of the phone.

I've found you can simulate this effect without modifying the hardware by using T-Mobile service. (argh)

Anyone up for an open-source handset already?

[8127972]

You mean like the TuxPhone?
http://www.opencellphone.org/index.php?title=Main_ Page [opencellphone.org]

Or the FIC Linux phone that SlashGear talked about last month?
http://www.slashgear.com/fic-linux-cellphone-can-i t-capture-the-imagination-of-the-open-source-commu nity-072392.php [slashgear.com]

Easy countermeasure

[uglyduckling]

There's an easy countermeasure to this. The method described is effectively causing the phone to make a call without the GUI showing that a call is being made. You can get very cheap toys that detect the microwave signal when the phone is making a call and light up - some are in the form of a novelty hand or other cradle that the phone sits in. I've found with mine that is will blink every so often as the phone syncs up with the nearest cell. If a call is being made it blinks all the time. So just carry one of these, and if you see it blinking constantly, somebody within 30cm or so is making a call. Take the battery out of your cellphone and see if it stops - if it does, you've been bugged.

Where is "not practical?"

[takeya]

No Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Sounds like the judge should be impeached, because my constitution doesnt make any exemptions.

Re:

[ameline]

The place: 4m radius surrounding device serial #76f84e76a583 :-)

deliberately avoided surveillance

[l3v1]

the subjects deliberately avoided government surveillance

Ok, so what does that mean, and when exactly is that taken as on offensive/criminal activity ? If you see a cctv camera and go around it, or if you don't take your mobile phone with you on the road, or wear sunglasses and baseball cap, or just simply don't leave your house ? Or what ? Since the wording of the short quote sounds like that avoidance is a bad thing or illegal or something. Is this yet another case of if you didn't do anything you shou

Easy countermeasure...

[Dr. Zowie]

... place the phone next to any sort of audio equipment. My RAZR spews so much crap all over the spectrum that it's easy to tell when it is talking to the tower -- if it's next to my car stereo, my computer speakers, my clock radio, or a zillion other things I get treated to a characteristic pattern of buzzes as it negotiates with and/or broadcasts to the cell phone net.

To find out if your phone is being used for eavesdropping, just keep it near your stereo.

WHY are Slashdotters of all people surprised?!

[aussersterne]

I'm not surprised that someone is shocked by this, but what I don't get is how Slashdotters are shocked by this? I mean? This is a technical site, right?

Listen: you have an embedded device that in its normal state is always on-network on a packet network. It has a limited range of connectivity, but this limitation is mitigated by having a large number of serialized access points that are geographically situated so as to make connectivity seamless. The embedded devices are reasonably computationally powerful (much moreso than PCs of a few years ago) and have a digital or soft-user-interface (including the power circuitry, which is not a physical full-throw SPST that connects or disconnects power, but is rather an input that runs through the embedded software). The software itself is secured and controlled by the network administration, and software and content can be "push" downloaded to the devices by the network.

From this description, all of the following seem technically obvious:

1 - You have no control over the software in your phone; the vendors and networks do.

2 - Since said software controls the power interface and user interface, you have no control over (or reason to trust as being consistent with your expectations) these interfaces either.

3 - Your phone could thus be easily set by the network to be "always on" without having any such indications in the user interface. The user interface could continue to give the appearance that you are controlling such functions as power and connectivity when in fact the phone is doing everything opposite from what you believe it is doing. There is no technical reason why a phone can't show "no signal" when it has "full signal" or a blank screen when the rest of it is still live, or that it is not transmitting or engaged in a call when actually it is transmitting.

4 - While on-network (and as we've already established, you as a mere user have no way of knowing with real certainty whether it is on network or off network, you have only your trust in the consistency with your expectations of the embedded software) it is a simple matter to observe at any moment to which access point a given user is connected. In fact, you should know that this is recorded already, or how should they know when you are "roaming" and when you are not. The side effect of this information's recording is that (even if we assume they don't automate triangulation with tower handoffs/multiple towers, which is a silly assumption) it is always known to within a few hundred feet exactly where a given phone is, since the network can clearly see to which tower it is connected.

---
---

I mean... duh.

A cell phone is a bug. Period. Anyone who doesn't get this has clearly not been paying attention. There is absolutely no technical reason (and in some cases it's technically unavoidable) why your cell phone isn't right now:

- Reporting your position to the network, and thus, to anyone who has access to the network's database (e.g. government)

- Altered by software "pushes" from the network to seem off when it's still on, or to transmit whatever the mic pics up anytime you happen to be in a certain part of town between the hours of 7pm-10pm, or to transmit whatever the mic pics up for the 10 minutes after you call some specific number

- Sending your complete contacts list and recent and missed calls lists to the network provider (e.g. government)

I mean, come on, people. Technically this isn't even a question. Whether this actually happens or not is just a matter of policy ("Do we want to track location and bug people?") on the part of networks and the government, certainly not a matter of technology ("Can the equipment do it?")

Of course the equipment can do it.

---
---

Thought experiment for the dubious.

Imagine that you have been assigned by work to carry a laptop with you at all times. This "GovCorp" laptop has a solid-state hard drive so that you can't tell if it's

Bomb in a phone

[Catmeat]

If it's possible to hide a lethal bomb in a phone, then a bug should be easy.

See: http://en.wikipedia.org/wiki/Yahya_Ayyash [wikipedia.org]

Wirecutters

[nurb432]

Just cut the damned mic and attach a privacy swtich. Or, how about take the battery out?

Then again, its MY DAMNED PHONE! Why are thy installing things without my permission/knowledge in the first place?

Re:

[Catbeller]

I've been stumping for circuit cutoff switches for a year now. But it may be useless: it would be trivial for them to add a clause to your contract stating that you void your service if you mod the mic or GPS. And not too un-trivial to have the Feds add a law to make it illegal.

They need do neither. Simplest thing would be to make the power circuit to the mic or GPS integral to the operation of the phone. Kill either, kill the phone.

Solution? Should have been to use wireless networking and encrypted packets

Re:

[Catbeller]

And if the contract states you owe them the remainder of your life's earnings, that's okay?

Those contracts run for pages to discourage reading. And frankly, they reserve the right to anything they desire, or will desire in the future. If you don't like it, you are free to own no phones for the rest of your life. "Competition" amongst carriers is worthless if they all are free to write open-ended wish lists, which they do.

VoIP Telephone Service...

[AtariDatacenter]

Think about it for a second. They're probably in that, too, you know. Actually being able to use it to listen into your house, like a bug, when your phones are hung up (depending on phone, of course). Possible?

Do you pay for the minutes on this?

[Animats]

Who pays for the airtime?

Back when Rudy Giuliani was a US attorney and the FBI was taking down the New York Mafia, the FBI had wiretaps put in by New York Telephone. These were all billed to the FBI as leased lines, and the FBI had a leased line bill of over a million dollars a year. This was a real budget problem for them; they weren't budgeted for that kind of thing.

One month, the FBI didn't pay one of their leased line bills. New York Telephone's billing software dealt with the problem by billing

Re:where's the news?

[AlHunt]

> sometimes the police install a second, hidden battery in the phone

You guys must have some awfully big c-phones there in Estonia.

Re:

[Simon Garlick]

Given the state of the mobile-phone industry in the USA--i.e., five years behind the rest of the world--my money would be on Estonia having the better hardware.

Re:

[Ron Bennett]

Problem is that court orders are handed out like candy... and that's when the government, collectively speaking, even bothers getting one.

What is the penalty for the government, lets say at the Federal level, [b]not[/b] getting a court order?

Ron

Re:

[RhettLivingston]

When we're talking about using a new technology like this, I believe that penalty has less effect. For that to have an effect, it has to be relatively easy to get permission for the tap. When tapping in a new way, that permission is not as easy to get. Thus, the likelihood of being able to gather data usable in court by these means is very low. So, an investigator with access to this capability does not have the incentive to use it legally so that it can be used in trial. But, he still needs a way to s

Re:

[homer_ca]

Yeah, you think someone might notice their standby time dropping from 3 days to 2 hours???? Just unplug the battery if you don't feel safe with the phone powered off.

Re:

[wes33]

Comments here are very confusing. The court application states that the police put a bugging device "in the cell phone". This device worked even if the cell phone was off.

That is easy to understand.

What is not so easy to understand is all the comments about cell phones transmitting even when they are "off". I have trouble believing in such magic.

Now, some cell phones perhaps cannot be fully turned off (as noted in one of TFAs). I have no trouble believing that a cell phone that is turned ON can tra

Re:

[slashnik]

Anyone going to pjone the Cell Number in the PDF
Has the Maff guy been locked up yet.