Spying on Cell (Mobile) Phones

© Brooke Clarke 2014 - 2017

Background
SS7 Problem
Social Engineering Problem with Two Factor Authentication
Devices   
    Stingray   
    Kingfish
    Gossamer
    FishHawk 
    Triggerfish 
    Amberjack
    Harpoon
    Porpoise
    Hailstorm
    Malicious Software Upgrade
    Fast Follower
NSA Data Warehouse
Patents
Related
References
Links

Background

I started this page after reading the online article Meet the machines that steal your phone’s data.  It mentions a number of electronic devices intended to covertly collect data from cell (mobile) phones.  This is similar to the metadata (Wiki) collected on all land line phone calls.  In the two books by James Bamford (Ref 1, Ref 2) about NSA operations after 9/11 he goes into how they used phone company billing data (date, time call started, called and calling numbers, date and time call ended), starting with the phone numbers of the hijackers and working outward maybe 6 levels of separation to everyone who they called or were called by.  Many of these calls were to people not involved in 9/11, such as pizza orders, but others were related to the 9/11 conspiracy.

Spying on cell phones was well under way prior to 9/11 and was becoming a problem for the NSA, i.e. they were in the process of decreasing spying on U.S. citizens while they were inside the U.S.  But that changed after 9/11 because they realized that terrorists had been operating inside the U.S. for years as part of the 9/11 plot.  So today we're far beyond the "1984" (Wiki) level of government spying on its own citizens.

911 Call Location

Landline telephones have their number associated with a location, so if you call 911 the call center immediately knows where you are.  But when cell phones came out there was no way to know where the caller was located, hence the e911 (Wiki) system.  GSM (2G, Wiki) and UMTS (3G, Wiki) cell phones use the Radio Resource Location Services Protocol (Wiki) to meet the e911 requirement, but this protocol has no authentication, so anyone running a base station the phone will talk to can query the phone and find out where it is.

It looks like E-CellID (Wiki) and other ways of meeting the e911 requirement for LTE (4G, Wiki) do not use authentication.

I think this is the basis of the below Harris cell phone location products.

Digital Data

In the old days when you digitized something it was done with a simple Analog to Digital Converter (Wiki: ADC).  The problem is that the amount of data is the product of the recording time, the number of bits per sample and the sample rate.  A 600 MB CD-ROM could only hold about the same number of songs as a phonograph record.  That same CD-ROM today can hold thousands of mp3 music files.

But now there are all kinds of compression algorithms, like mp3 (Wiki), that reduce the space needed to store voice or data so it takes up about a tenth of the space or less.

Most things digital, like cell phones, music files, etc., have already been compressed to save space or bandwidth and so are already in a format that minimizes the storage requirements.

So now the NSA can just store this data in a massive warehouse along with header information.  Then, using a search on the header information, they can find the relevant compressed data file.

SS7 Problem

The old analog phone system had a problem with in-band signaling (Wiki: Blue Box) that allowed people to make free calls to anywhere in the world.

The current SS7 electronic switches (Wiki) that are the heart of the world's telephone system, including cell/smart phones, have a problem of their own.  SS7 was designed for a closed network of trusted carriers, so its signaling messages are not authenticated; now that the signaling is carried over internet protocol, anyone who gains access to the network can send messages the switches accept as genuine.  This allows a hacker to infiltrate the system.
The Guardian: SS7 hack explained: what can you do about it? -
The Intercept, April 11 2017: Sen. Ron Wyden Talks Trump-Russia, “Warrantless Backdoor Queries” and Hacking of U.S. Phone System -
FCC: CSRIC Working Group 10, Legacy Systems Risk Reductions, Final Report, March 2017 -

Social Engineering Problem with Two Factor Authentication

In Aug 2017 stories came out about people who hold Bitcoin being hacked and their accounts cleared out.  Some of these people knew they were being targeted and were using two factor authentication (Wiki) where a code is sent to their cell phone that's needed for online access to their account.  The thief used social engineering (Wiki) to convince the service provider to move the victim's phone number to a phone the thief controls, maybe with a sob story of some sort.  The thief may need to make hundreds of calls to tech support to find a moronic tech who grants that access.  Once that happens the Bitcoin owner is locked out of his account and can watch as it's cleaned out.

NYT: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency, 21 Aug 2017 -

A better form of authentication is needed.

Devices

Stingray (Wiki)

Your cell phone thinks this is a cell tower keeping track of you so that you can place or receive a call.  (See: Orion Electronics Ltd. Cellular Base Station ST616-CBS)
But it does not do that; all it does is record your IMSI (Wiki) / ESN (Wiki), your GPS coordinates if your phone has them, along with its own location, time and date.
Note: this type of data can be archived just like license plate location, date, time and direction of travel, and called up from a database.
For example: where was John Doe on this date, or who was in the area on some date, etc.

This is not a "tower"; it's just a small box connected to a small whip antenna placed on top of a car or van, or even a covert cell phone antenna (maybe one built into a rear view mirror).  It is also connected via a USB cable to a computing device that can log the data, like a smart phone or laptop.

I'm guessing another mode of operation is to act as a cell tower by connecting to a land line or a real cell phone.  That way when the mark makes a call you can hear both sides of the conversation and the mark doesn't know he's being tapped.
The Intercept:
Feds Hunted Down An Undocumented Immigrant Using Controversial Phone Tracker by Sam Biddle, May 19, 2017
A Secret Catalogue of Government Gear for Spying on Your Cellphone by Jeremy Scahill & Margot Williams, Dec 17, 2015

Kingfish

Like the Stingray, but battery powered and smaller/lighter.  It can be carried in a briefcase and controlled over Bluetooth (Wiki) from a smart phone or laptop.

Gossamer

This is a handheld unit that does the same data capture as the Stingray, but also performs a denial-of-service attack (Wiki) so that a targeted phone cannot receive or make calls/SMS messages.

FishHawk

This is an option for the Stingray phone tracking system that allows it to monitor GSM cell phone calls (i.e. it breaks the encryption used to "secure" GSM phone calls).

Triggerfish

This is similar to the Stingray, but can provide the location of a very large number of phones that are in the immediate area of its antenna.  This would be useful in areas where there are a lot of cell phone users, like a big city main intersection.

Amberjack

This is a circular phased array antenna (Wiki) that comes in various models covering different combinations of cell phone frequency bands.  This type of antenna can be steered to a new direction almost instantaneously and so can be used to locate and track cell phones or base stations very quickly.  It works with any of the above data collection receivers.  Comes with magnets for easy attachment to a car roof.

Harpoon

This is a range-extending amplifier.  It probably not only increases the transmit power but also contains a low noise receive amplifier, and so should be located close to the antenna.  The receiver can then be located some distance from this box without degrading the signal.

Porpoise (Wiki)

A laptop-based GSM Silent SMS Monitoring System with Network and Handset capabilities (Ref 3).  It's a software package used in conjunction with a GSM phone.  Sold as a USB thumb drive.
Photo caption: Porpoise USB thumb drive (cell phone spying)

Hailstorm

This software package allows the user to link to all the telecommunications carriers and monitor calls.  It's used in conjunction with Pen-Link (Company web page) and KEYW software (probably to break the encryption on GSM calls).

Telephone Pen Recorder

The patent by Samuel B. Morse for a telegraph system (Ref 4) included a "Register" that was a clockwork mechanism that pulled a strip of paper tape under an ink pen that marked dots or dashes.  Later it was found that a good telegraph operator could turn his back on the "Register" and decode the dots and dashes by the sound they made so the "Register" was replaced with a Telegraph Sounder.

When the telephone system switched from operators to dials, the "Register" found a new application as the "Pen Recorder".  It was placed across the telephone line (typically by the police or FBI); when the phone went off hook the motor started and the pen recorded the dial pulses, and when the phone went back on hook the motor stopped.  So you got the number dialed and the length of the call.

I'm guessing the company "Pen-Link" chose their name based on this idea.
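To make concrete what a pen register yields, here is an added example (not from this page) that decodes a constructed trace of line events, off hook, dial-pulse breaks and on hook, into the dialed number and the call length, which is all the metadata such a device captures.  The 0.1 s pulse spacing and the 0.5 s inter-digit gap threshold are assumed nominal rotary-dial values.

```python
# Constructed trace of line-state events: (seconds since recording start, event).
# "off_hook"/"on_hook" are the loop-current changes that started and stopped the
# recorder's motor; each "pulse" is one dial-pulse break.  Spacing is assumed.
def _digit_pulses(start, count):
    return [(round(start + 0.1 * i, 2), "pulse") for i in range(count)]


TRACE = ([(0.0, "off_hook")]
         + _digit_pulses(1.0, 5)     # digit 5
         + _digit_pulses(2.5, 2)     # digit 2
         + _digit_pulses(4.0, 10)    # ten pulses encode the digit 0
         + [(65.0, "on_hook")])


def decode_pen_register(trace, inter_digit_gap=0.5):
    """Return (dialed digits, call length in seconds) from a line-event trace.

    Pulses closer together than inter_digit_gap belong to the same digit; a
    longer pause ends the digit.  Ten pulses represent 0, as on a rotary dial.
    Nothing about the conversation itself is in the trace, only who was
    dialed and for how long, which is exactly the billing-style metadata
    discussed at the top of this page."""
    digits = []
    pulses = 0
    last_pulse = None
    off_hook = on_hook = None
    for t, event in trace:
        if event == "off_hook":
            off_hook = t
        elif event == "on_hook":
            on_hook = t
        elif event == "pulse":
            if last_pulse is not None and t - last_pulse > inter_digit_gap:
                digits.append(pulses % 10)   # pause: close the previous digit
                pulses = 0
            pulses += 1
            last_pulse = t
    if pulses:
        digits.append(pulses % 10)           # last digit has no trailing pause
    length = None if off_hook is None or on_hook is None else on_hook - off_hook
    return "".join(str(d) for d in digits), length


if __name__ == "__main__":
    print(decode_pen_register(TRACE))
```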

Malicious Software Upgrade

There have been rumors that the NSA/FBI has incorporated a "feature" in the software that controls smart phones that allows turning on the phone's microphone and/or camera remotely without giving any indication to the user that this has been done.  This is similar to software that does the same thing to a desktop or laptop computer, which is already known to exist.

Fast Follower

"For example, one NSA program, code-named Fast Follower, was developed to allow the NSA to identify who might have been assigned to tail American case officers at stations overseas. By correlating an officer’s cellphone signals to those of foreign nationals in the same city, the NSA is able to figure out whether anyone is moving in tandem with the U.S. officer." Ref 5 -


NSA Data Warehouse

The NSA has for some time been collecting a lot of data on pretty much everything.  Much of it is stored in a warehouse code named Bumblehive in Utah (Ref 6).
FASCIA may be the NSA code word for location metadata.  NUCLEON may be the code word for the voice database.  Any phone call (in the world?) in the past 30 days may be replayed using the RETRO tool.

Patents

US 5687196 A Range and bearing tracking system with multipath rejection (Harris) Sep 30, 1994 - chirp signal
US 5960047 A System and method for transmitting information signals (Harris) Sep 30, 1994 - for tracking base and remote
US 6292665 B1 Geolocation of cellular phone using supervisory audio tone transmitted from single base station (Harris) - Aimed at e911, but useful for the above applications.
US 6795019 B2 https://www.google.com/patents/US6795019 (Harris) Jun 25, 2001 -
EP 2637034 A1 Location identification of a portable electronic device based on characteristics of an operating environment of the portable electronic device (Harris) Mar 9, 2012 - "The operating environment characteristics may include sensor values, visible transmitters, radio connection information, executing applications or other operating environment characteristics that can have a value associated with them." - They can tell what apps are running on your phone.  A "signature vector" might consist of: Microphone, Light sensor, WiFi connection, Cellular connection, BlueTooth Connection, GPS, Gyroscope, Accelerometer, Thermometer, Music playing, Browser running; where each of these would have a numerical value to be matched against a table of locations.

US 20130203460 A1 Wireless communication system having assigned access classes and related methods (Harris) Feb 6, 2012 -
US 20130223417 A1 Communication network for detecting uncooperative communications device and related methods (Harris) Feb 29, 2012 - To locate a cell phone when it's not in use.
Patent Citations (cited patent - filing date - publication date - applicant - title):
US5719584 - Sep 3, 1996 - Feb 17, 1998 - Harris Corporation - System and method for determining the geolocation of a transmitter
US6407703 - Aug 7, 2000 - Jun 18, 2002 - Lockheed Martin Corporation - Multi-platform geolocation method and system
US7539166 - Oct 3, 2005 - May 26, 2009 - Samsung Electronics Co., Ltd. - Channel estimator, demodulator, speed estimator and method thereof
US7944468 - Jul 5, 2005 - May 17, 2011 - Northrop Grumman Systems Corporation - Automated asymmetric threat detection using backward tracking and behavioral analysis
US8259652 - Nov 17, 2009 - Sep 4, 2012 - Apple Inc. - Location-based network detection
US20020181492 - May 29, 2002 - Dec 5, 2002 - Hideo Kasami - Wireless communication apparatus
US20040135717 - Sep 30, 2003 - Jul 15, 2004 - Lockheed Martin Corporation - System and method for detecting emitters signals having multi-valued illumination times
US20060019679 - Jul 22, 2005 - Jan 26, 2006 - Rappaport Theodore S - System, method, and apparatus for determining and using the position of wireless devices or infrastructure for wireless network enhancements
US20110148714 - Dec 23, 2010 - Jun 23, 2011 - Q-Track Corporation - Near Field Electromagnetic Location System and Method
US20120094610 - Jun 30, 2009 - Apr 19, 2012 - Nokia Corporation - Apparatus, Method, Computer Program for Communication and System Thereof
US20120195256 - Nov 29, 2011 - Aug 2, 2012 - Spidercloud Wireless, Inc. - Method and apparatus for timing and/or frequency offset monitoring and handling
US 20120280862 A1 Wireless location detection and/or tracking device and associated methods (Harris) May 3, 2011 -
This system consists of a "tag" that's a small active transponder that can be concealed on a person or item to be tracked.  It works in such a way that its transmission is very difficult to detect, so even if an adversary is sweeping for bugs this unit will not be found.
US 7676205 B2 Active receiver detection and ranging (Harris), Sep 18, 2006 - a clever way to determine the range to an uncooperative receiver and know if it's receiving a signal.

Related

Phones & Cell Phones
Telephone Patents
Telephone Poles & what's on them
Telephone Tool Kit
Telegraph
FasTrak Vehicle ID Transponder - is an active transponder, not an RF ID tag.
Key, Object & Pet Location Tags -
Spying on Cell (Mobile) Phones
Orion Electronics Ltd. Cellular Base Station ST616-CBS - fake cell tower

References

Ref 1: A Pretext for War: 9/11, Iraq, and the Abuse of America's Intelligence Agencies by James Bamford, 2004
Ref 2: The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America by James Bamford, 2008
Ref 3: Special Notice, August 27, 2007
Ref 4: 1647 Telegraph Signs by Samuel Morse
Ref 5: New documents show how the NSA infers relationships based on mobile location data
Ref 6: Parody: Utah Data Center - Utah Governor Gary R. Herbert -

Articles


First Look Media - The Intercept (Snowden Leaks) - to be named (corruption & politics)

By cracking cellphone code, NSA has capacity for decoding private conversations - How the NSA pinpoints a mobile device - NSA can process encrypted GSM when the cryptovariable is unknown (i.e. they can break GSM encryption, which is what some of the above devices do).

FASCIA: The NSA's huge trove of location records -

parody: NSA Domestic Surveillance Directorate - NSA Worldwide Cellphone Tracking - 2013 Leaks - 2014 Leaks -

Description of data collection by NSA under MYSTIC -


YouTube White House Posting - President Obama Speaks on U.S. Intelligence Programs - Jan 2014
00:01:41 "Throughout this evolution we've benefited from both our constitution and our traditions of limited government.  U.S. intelligence agencies were anchored in a system of checks and balances, with oversight from elected leaders and protections for ordinary citizens.  Meanwhile totalitarian states, like East Germany, offer a cautionary tale of what could happen when vast unchecked surveillance turned citizens into informers and persecuted people for what they said in the privacy of their own homes.  In fact even the United States proved to not be immune to the abuse of surveillance.  In the 1960s the government spied on civil rights leaders and critics of the Vietnam war. And, partially in response to these revelations, additional laws were established in the 1970s to ensure that our intelligence capabilities could not be misused against our citizens.  In the long twilight struggle against Communism we had been reminded that the very liberties we sought to preserve could not be sacrificed at the altar of national security." . . .

00:04:22 "So that we demanded that our intelligence community improve its capabilities, and that law enforcement change its practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack."...

00:07:50 "Second, the combination of increased digital information and powerful supercomputers offers intelligence agencies the possibility of sifting through massive amounts of bulk data to identify patterns or pursue leads that may thwart impending threats.  It's a powerful tool.  But, the government collection and storage of such bulk data also creates a potential for abuse.  Third, the legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas.  This is not unique to America.  Few, if any, spy agencies around the world constrain their activities beyond their own borders.  And the whole point of intelligence is to obtain information that has not been publicly available.  But America's capabilities are unique.  And the power of new technologies means that there are fewer and fewer technical constraints on what we can't do.  That places a special obligation on us to ask tough questions about what we should do.  And finally intelligence agencies cannot function without secrecy.  Which makes their work less subject to public debate.  Yet there is an inevitable bias not only within the intelligence community but among all of us who are responsible for national security to collect more information about the world, not less.  So in the absence of institutional requirements for regular debate and oversight that is public as well as private, or classified, the danger of government overreach becomes more acute.  And is particularly true when surveillance technology and a reliance on digital information is evolving much faster than our laws." ...

Fundamentally he's saying that the spying on U.S. citizens is being done responsibly. 

My take is that the problem can be seen in J. Edgar Hoover or Richard Nixon who used the ability to spy on citizens illegally and neither of them were brought up on criminal charges.  The same is true of the rampant violations of U.S. law committed by the Bush43 administration along with the telecom businesses and instead of prosecuting the felons they were all given amnesty.

Although Obama started out talking about the constitution and limited government, he ends up saying let's shred them.

Friday 17 January 2014 Obama's NSA 'reforms' are little more than a PR attempt to mollify the public
Obama is draping the banner of change over the NSA status quo. Bulk surveillance that caused such outrage will remain in place

25 Mar 2014 Obama’s New NSA Proposal and Democratic Partisan Hackery by Glenn Greenwald - Now a 180.

COMSEC (Communications Security) — attacking cellular/mobile & GSM telephony

Links

TED -Christopher Soghoian: A brief history of phone wiretapping -- and how to avoid it - the Plain Old Telephone System was designed to allow wire tapping by government.
TED -Christopher Soghoian: Government surveillance — this is just the beginning

Popular Science - Mysterious Phony Cell Towers Could Be Intercepting Your Calls - reads like an ad for the company that makes secure phones.  What's missing is a photo of the "Tower".

Wired magazine article on Snowden by Bamford -
Page created 27 March 2014