TechWorld: All mobile phones may be listening devices (wiretapping)

Mobility & Wireless News
24 November 2006
Devastating mobile attack under spotlight
By Peter Judge, Techworld
All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone's address book.

The attack, outlined by a German security expert, would amount to the largest ever breach of privacy for billions of mobile phone users across the world. But it remains uncertain exactly how easy and how widespread the problem could be thanks to a concerted effort by mobile operators to muddy the issue while they assess its extent.

The official response of the mobile phone operators when asked about the threat is that the attack is phoney. But despite three days of inquiries by Techworld, none have provided any evidence that there is an adequate defence to it. One operator told us all its security experts were at a meeting in Denmark, although, oddly for mobile company employees, they were also incommunicado.
http://www.techworld.com/mobility/news/index.cfm?NewsID=7425

The bug in question is called RexSpy.

In German:
http://www.securstar.com/press_2006_10_31.php

You can presumably download fix here:
http://www.securstar.com/s_download.php

In another article, only avail. in Norwegian:
FBI uses mobile phones for wiretapping of buildings.
By Ann Kristin Bentzen Ernes
It has been disclosed that the FBI can use mobile phones for so-called «roving bugging».
(...)
FBI has adopted a new way of electronic surveillance in criminal investigations. Not only do they listen to phone conversations, they can also remotely activate the microphone of the mobile phone, and catch ordinary conversation in the phone's vicinity.
(NO):
http://www.digi.no/php/art.php?id=360051
------------------------------------------------

This discussion doesn't only relate to "legal" bugs but also to the use of such techniques by illegal clandestine operations, and applies to physically unmodified cell phone hardware (not phones that might have had separate, specialized bugs physically installed within them by third parties).

There is no magic in cell phones. From a transmitting standpoint, they are either on or off. It is true that many phones have an alarm feature that permits them to "wake up" from a seemingly "off" state. However, this is not a universal functionality, even in advanced phones such as PDA cell phones, which now often have a "totally off" mode available as well.

It is also true that some phones can be remotely programmed by the carrier to mask or otherwise change their display and other behaviors in ways that could be used to fool the unwary user. However, this level of remote programmability is another feature that is not universal, though most modern cell phones can be easily programmed with the correct tools if you have physical access to the phones, even briefly.

But remember -- no magic! When cell phones are transmitting -- even as bugs -- certain things are going to happen every time that the alert phone user can often notice.
First, when the phone is operating as a bug, regular calls can't be taking place in almost all cases. A well designed bug program could try to minimize the obviousness of this by quickly dropping the bug call if the phone owner tried to make an outgoing call, or drop the bug connection if an incoming call tried to ring through. But if the bug is up and running, that's the only transmission path that is available on the phone at that time for the vast majority of currently deployed phones. Some very new "3G" phones technically have the capability of running a completely separate data channel -- in which voice over IP data could be simultaneously transmitted at full speed along with the primary call (conventional GSM data channels -- GPRS/EDGE -- typically block calls while actively transmitting or receiving user data). But this is pretty bleeding-edge stuff for now, and not an issue for the vast majority of current phones.

Of course, if a cell phone is being used as a remote bug, the odds are that the routine conversations through that phone are also being monitored, right? So this "one call at a time" aspect isn't as much of a limitation to bugging as might otherwise be expected.

Want to make sure that your phone is really off? Taking out the battery is a really good bet. Don't worry about the stories of hidden batteries that supposedly can be activated remotely or with special codes. The concept makes no sense in general, and there just isn't room in modern cell phones for additional batteries that could supply more than a tiny bit of added power, if any.

But if your battery seems to be running out of juice far too early (despite what the battery status display might claim), that might be an indication that your phone is being used to transmit behind your back (or it might be a worn out battery and a typically inaccurate battery status display).

Another clue that a phone may have been transmitting without your permission is if it seems unexpectedly warm. You've probably noticed how most cell phones heat up, especially on longer calls. This is normal, but if you haven't been on any calls for a while and your cell phone is warm as if long calls were in progress, you have another red flag indication of something odd perhaps going on.

Finally, if you use a GSM phone (like the vast majority of phones around the world, including Cingular and T-Mobile in the U.S.) you have another virtually fullproof way to know if you phone is secretly transmitting. You've probably noticed the "buzzing" interference that these phones tend to make in nearby speakers when calls or data transmissions are in progress. A certain amount of periodic routine communications between cell phones and the networks will occur while the phones are powered on -- even when calls are not in progress -- so short bursts of buzzing between calls (and when turning the phones on or off) are normal.

But if you're not on a call, and you hear a continuing rapid buzz-buzz-buzz in nearby speakers that lasts more than a few seconds and gets louder as you approach with your phone, well, the odds are that your phone is busily transmitting, and bugging is a definite possibility. Note that this particular test is much less reliable with non-GSM phones that use CDMA (e.g. Sprint/Verizon phones), since CDMA's technology is less prone to producing easily audible local interference. This strongly suggests that CDMA phones may be preferred for such bugging operations. A variant form of CDMA (called "WCDMA") can be used for the high speed data channel and voice calls on the new 3G GSM backwards-compatible phones. Since additional voice channels could theoretically be encoded onto that data stream as I mentioned above -- which would be harder to detect via interference than an ordinary GSM voice channel -- this is a technology that will bear watching.

Most of this discussion applies to bugging in real time. If "delayed" bugging is acceptable, there is another approach available that would be more difficult to detect -- record ambient audio from the phone mic and store it in the phone's memory in compressed form, then upload it en masse later. Modern phones have plenty of available memory, especially ones with cameras, mp3 capabilities, and the like. The processing requirements of a delayed bug would probably be beyond the capabilities of some low-end phones, but even most entry-level phones are relatively powerful these days.

When the recorded audio was uploaded all of the transmission factors mentioned above would come into play, but since the transmission time would be shorter this would be harder to detect. Probably the biggest giveaway to this type of bugging would be battery drain, which would typically be quite considerable even in a voice-controlled recording (VOX) mode. So, my comments above about unusually poor battery performance would be especially applicable in this case.

The odds of most people being targeted for bugging are quite small. But it's always better to know the technical realities. Don't be paranoid, but be careful.

MZr7

I just found out why my phone have behaved so strangely the last year. Ah, well.

Please credit your sources.

peace

http://www.earthtimes.org/articles/show/news_press_release,22393.shtml

Privacy is a thing of the past. The unthinkable has occurred: No mobilecommunications between people are transferred over a wire line, and no moreSMS messages can be sent without potentially being recorded by third parties,competitors or spouses. Simply by sending an invisible and unnoticeable SMSmessage to a particular cell phone, spying on cell phone users has becomechild's play. Wilfried Hafner, CEO of SecurStar GmbH, has developed a Trojanhorse, named "RexSpy", solely for demonstration purposes. The results arealarming. When the Trojan invades the system, the security vulnerabilitiesdiscovered by Hafner show the possibility of eavesdropping on any cell phone.The company gives advice on protection and offers a security tool free ofcharge that can be downloaded immediately at www.securstar.com.

http://www.earthtimes.org/articles/show/news_press_release,22393.shtml

It sounds suspiciously like bullshit to me.

http://www.it-sa.de/itsa_asx.php?file=RO_Mi_16_30_Hafner&year=2006&PHPSESSID=79b5b54b14ff8e4447505bcf34868424

The official response of the mobile phone operators when asked about the threat is that the attack is phoney. But despite three days of inquiries by Techworld, none have provided any evidence that there is an adequate defence to it. One operator told us all its security experts were at a meeting in Denmark, although, oddly for mobile company employees, they were also incommunicado.

Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan which appears to use this method at the Systems show in Munich last month - a performance which can be seen in a German-language video.
http://www.techworld.com/mobility/news/index.cfm?NewsID=7425