Cell Phone Manufacturers Offer Carefully Worded Denials To Question Of Whether NSA Can Track Powered-Down Cell Phones

from the it's-not-so-much-what's-being-said,-it's-how-it's-being-said dept

Back in July, a small but disturbing detail on the government's cell phone tracking abilities was buried inside a larger story detailing the explosive expansion of the NSA post-9/11. Ryan Gallagher at Slate pulled this small paragraph out and highlighted it.

By September 2004, the NSA had developed a technique that was dubbed “The Find” by special operations officers. The technique, the Post reports, was used in Iraq and “enabled the agency to find cellphones even when they were turned off.” This helped identify “thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq,” according to members of the special operations unit interviewed by the Post.
Ars Technica reports that some security researchers are calling this statement into question and have contacted cell phone providers for statements on the NSA's claim. Only a few have responded at this point, and their denials have been worded very specifically.

Google had this to say:
When a mobile device running the Android Operating System is powered off, there is no part of the Operating System that remains on or emits a signal. Google has no way to turn on a device remotely.
Google may not have a way, but that doesn't mean the NSA doesn't.

Nokia:
Our devices are designed so that when they are switched off, the radio transceivers within the devices should be powered off. We are not aware of any way they could be re-activated until the user switches the device on again. We believe that this means that the device could not be tracked in the manner suggested in the article you referenced.
Once again, we're looking at words like "should" and "not aware." This doesn't necessarily suggest Nokia does know of methods government agencies could use to track phones that are off, but it doesn't entirely rule it out either.

Samsung's response is more interesting. While declaring that all components should be turned off when the phone is powered down, it does acknowledge that malware could trick cell phone users into believing their phone is powered down when it isn't. Ericsson, which is no longer in the business of producing cell phones (and presumably has less to lose by being forthright), was even more expansive on the subject.
The only electronics normally remaining in operation are the crystal that keeps track of time and some functionality sensing on-button and charger connection. The modem (the cellular communication part) cannot turn on by itself. It is not powered in off-state. Power and clock distribution to the modem is controlled by the application processor in the mobile phone. The application processor only turns on if the user pushes the on-switch. There could, however, be potential risks that once the phone runs there could be means to construct malicious applications that can exploit the phone.
On the plus side, the responding manufacturers seem to be interested in ensuring a powered down phone is actually powered down, rather than just put into a "standby" or "hibernation" mode that could potentially lead to exploitation. But the implicit statement these carefully worded denials make is that anything's possible. Not being directly "aware" of something isn't the same thing as a denial.

Even if the odds seem very low that the NSA can track a powered down cell phone, the last few months of leaks have shown the agency has some very surprising capabilities -- some of which even stunned engineers working for the companies it surreptitiously slurped data from.

Not only that, but there's historical evidence via court cases that shows the FBI has used others' phones as eavesdropping devices by remotely activating them and using the mic to record conversations. As was noted by c|net back in 2006, whatever the FBI utilized apparently worked even when phones were shut off.
The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.

Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.

While the Genovese crime family prosecution appears to be the first time a remote-eavesdropping mechanism has been used in a criminal case, the technique has been discussed in security circles for years.
Short of pulling out the battery (notably not an option in some phones), there seems to be little anyone can do to prevent the device from being tracked and/or used as a listening device. The responding companies listed above have somewhat hedged their answers to the researchers' questions, most likely not out of any deference to government intelligence agencies, but rather to prevent looking ignorant later if (or when) subsequent leaks make these tactics public knowledge.

Any powered up cell phone performs a lot of legwork for intelligence agencies, supplying a steady stream of location and communications data. If nothing else, the leaks have proven the NSA (and to a slightly lesser extent, the FBI) has an unquenchable thirst for data. If such exploits exist (and they seem to), it would be ridiculous to believe they aren't being used to their fullest extent.

Filed Under: mobile phones, privacy, surveillance, tracking
Companies: ericsson, google, nokia, samsung


Reader Comments


  1. Mr. Applegate, 13 Nov 2013 @ 10:04am

    Re: Re: Re: Cell phone ID / tracking

    The link you provided is capable of reading Active RFID tags, not PASSIVE RFID tags, which was what John Fenderson was pointing out. From the manufacturer's Information Sheet.
    http://www.wavetrend.net/downloads/information-sheets/readers/RX202.pdf

    The RX202 reader detects and decodes RFID (radio frequency identification) signals from Wavetrend’s range of active RFID tags.
    You must provide a fair amount of RF energy to provide enough power for a passive RFID tag to respond. Here is some interesting information:
    Generally speaking RFID tag maximum read distances are as follows:

    125 kHz. and 134.3 kHz. Low Frequency (LF) Passive RFID Tags -read distance of 30 cm (1 foot) or less - usually 10 cm (4 inches) unless you are using a very large tag which can have a read distance of up to 2 meters when attached to metal. SkyRFID can provide several different LF 134.2 tags which produce read distances of 1 - 2 meters in industrial environments. We also have special readers that allow for a 1 - 2 meter read distance using standard size tags. There are no limits with SkyRFID!

    13.56 MHz. High Frequency (HF) Passive RFID Tags - maximum read distance of 1.5 meters (4 foot 11 inches) - usually under 1 meter (3 feet) and you can use a single or multi port reader plus custom antennas to extend the read range to longer tag read distances or a wider RFID read zone. To obtain more than 1 meter you need a reader with more than 1 watt RFID output power. SkyRFID can supply 13.56 readers with RF power outputs up to 10 watts for multiple antenna connections and over 1 meter tag read distances.

    860 ~ 960 MHz. Ultra High Frequency (UHF) Passive RFID Tags - minimum read distance of over 1 meter or 3 feet. Gen2 tags can have a read range of up to 12 meters or 37 feet, however new generation of IC's plus antenna designs are now pushing this distance to over 15 meters! Gen 2 tags can be either 860 MHz. or 902 MHz. frequencies. Gen2 EPCglobal are multifrequency 860 ~ 960 MHz. Gen 2 Semi-active battery assisted tags are semi-passive (semi-active) tags have a read range of up to 50 meters or about 162 feet. Gen 2 Semi-active tags are just emerging on the market. We have both readers and tags available for those companies that need to be on the leading edge or simply need the range of the Gen 2 Semi-active technology. SkyRFID Windshield tags our latest version read at over 12 meters (40 feet) when attached to the inside of a windshield and using our OEM hand held reader. You can get far longer read distances using our Sky fixed readers using Gen 2 US frequency 902~ 928 MHz.

    860 ~ 960 MHz. 3rd and 4th Generation IC/Silicon - The new generation 3 and 4 (Monza4, Higgs3 and NXP G2XM) silicon (Integrated Circuit) is now available in numerous inlay designs. This new silicon (IC) provides up to 40% more sensitivity while reducing RF interference. This means that a tag using this new generation of silicon can have a read range of over 16 meters or 50 feet under FCC regulations of 4 watts EIRP. For your local power regulations see RFID Frequencies and Transmission Power. SkyRFID is now offering many H3, Monza4 and NXP G2XM tags and has tested these tags at read distances of over 16 meters or 53 feet using 30 dBi power and a single antenna!
    RTLS - Real Time Location Systems - Usually LF and SHF - now you can have a UHF RTLS that is extremely accurate and can easily control 250,000 sq feet on a single switch. Use the Contact Us for more information.

    433 MHz Ultra High Frequency Active RFID Tags - up to 500 meter read range (1,500 feet) SkyRFID carries a complete line of 433 MHz readers and tags that can be used for many industrial, healthcare, mining, and other tracking and locating applications.

    2.45 GHz. Super High Frequency Active RFID Tags - up to 100 meter read range (325 feet) There are several different modulations for 2.45 GHz. and you can also have real time location information from these active tags.

    Source: http://www.skyrfid.com/RFID_Tag_Read_Ranges.php


    The latest technology Passive RFID Tags can be read at about 50 Feet max.
