Tuesday, December 05, 2006

Remotely Eavesdropping on Cell Phone Microphones

A cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone.

read more | digg story

FOLLOWUP THOUGHTS (Jan 4, 2007):

I can’t get paranoid about this one. It seems to me that if the bug is obtained through the auspices of a proper (4th Amendment compliant, probable cause, yadda yadda yadda) court order, it’s not all that different than any other form of bug. We can be paranoid about the cops and courts as a general rule (and should be…), but the means they use to exercise their court orders is not all that much more scary.

I couldn’t tell (and CNET obviously can’t from what I read) if the bug is one that directly transmits a signal to a receiver operated by the police, or if it transmits something via the cell network. Legally it should not be all that much different if there's been a proper court order, although you’d have to rope in the cell provider if the latter.

Technically it is interesting in that the only radio that should be in your typical cell phone is the radio that transmits to the cell network. (Blue tooth, found in an increasing number of handsets is, of course, a wild card in all of this – Let’s set that one aside for the moment though.) If we’ve got the bug set up as a purely software bug that infects the phone and has it transmitting what’s passing through the microphone over some sort of ‘radio’ then it must be going over the cell-transmission radio – And, that seems difficult to conceive other than something that would require the cooperation of the cell phone provider, since operating that radio without interacting with the cell network would be something I cannot believe would be an ‘off-the-shelf’ capability of the phone handset. If that’s the case then I’m less concerned again about non-legal hackers because it seems hard to believe that the cell networks would volunteer to allow a hacker to use the network! (It also suggests that this technique shouldn’t work against somebody sitting on an airplane, unless the FBI is suggesting that the FAA’s prohibition on cell phone use is not really a safety concern for all on the plane...)

If, as the BBC article mentioned in the CNET article linked above suggests, the cell network radio is hacked, via some kind of Malware that is sent electronically to the victim’s phone, to stay in transmit mode even where the phone seems to be turned off (or the radio has been turned off, as I can supposedly do with my BlackBerry), and even if ‘intelligence agencies’ can find ways of intercepting that signal and decode it, that would still require the spy to have physical proximity to the victim at all times (presuming the cell network isn't being used), and I find that all rather implausible as a useful source of data unless the spy is investing a LOT of money in this victim (and, if they have that much money to invest, they’d find some other way than this exploit to get what they want). We’re not going to see hackers using this tactic for random crap they might want to listen to while your talking to your best friend at the local coffee shop. (And, the cell providers would quickly come up with anti-spyware tactics for their phones if the exploit got out beyond this nefarious ‘intelligence community,’ so any win by a hacker would be short-lived at best.)

Apart from the radio that is used for purposes of the cell network, the only other ‘radio’ in a typical cell phone (off the shelf) is the Bluetooth. That might be an interesting hack (and the subject of multiple discussions already). Still, it seems hard to believe that there would be a hack that might alter the phone to NOT turn off the Bluetooth (and/or the phone itself) when I thought I’d turned it off – There would be a hell of a lot of software necessary to do that, and it would be so handset specific that, again, the investment for any one particular victim would prevent the odd private citizen hacker from taking advantage of it – We don’t have the single-source problem for cell phone operating software that we have for PCs. (I do work for that industry, and actually work on licenses for cell phone operating system software, so I speak from knowledge in that regard.) Also, since the off-the-shelf Bluetooth system in my phone does not use the microphone on the phone handset itself, but rather the microphone in my earset, it would require an even more incredible hack to get the handset to use the Bluetooth transmitter for such a non-standard function as to transmit the sounds on the microphone to a surreptitious Bluetooth listener, and to do so while also allowing the spy to circumvent whatever encryption is on the Bluetooth transmitter, and probably to do so as well while still allowing the Bluetooth transmitter to be used simultaneously for its intended purposes since otherwise one would tip off the victim of the bug. Finally, Bluetooth is even more susceptible to the need to be proximate to the victim -- That radio will reliably transmit only a few hundred feed through clean space. Again, it might be plausible for the 'intelligence community' to invest in human resources to follow somebody around who is a high-value target, but that target would be gotten one way or the other if somebody was really interested, that target would probably know well enough to take out the battery of his phone, and the rest of us are perfectly safe from the pimple-faced script kiddie.

Finally, if all that’s involved in the above is a physical bug snuck into the cell phone itself, then those paranoid executives who remove their batteries are missing the boat. And, pimple-faced kids sitting in coffee shops are still at a loss when it comes to physical invasions of people’s personal property (or I’m not all that worried about the few who would try such a thing). Regardless, the addition of using a cell phone (as opposed to slipping a bug into the back of my jacket collar) to the mix doesn’t change anything where you’ve got somebody who’s willing to commit a criminal breach of my personal effects in order to plant his bug.

In other words – I’m kind of skeptical about all of this.


But, it all leads to finding stuff on the BBC article cited by CNET, such as this actual living example of a Cone of Silence. Where’s Maxwell Smart when you need him? (If you read the BBC article, it really seems poorly thought out – For example, they find ‘experts’ who claim that a physical bug wouldn’t work since the battery would wear out, but who’s to say the bug wouldn’t be set up to use the cell phone’s own battery (duh…). And, I did check the dateline of the article – It’s not April 1, but maybe it should have been.)

No comments: