Cell Phone Manufacturers Offer Carefully Worded Denials To Question Of Whether NSA Can Track Powered-Down Cell Phones

from the it's-not-so-much-what's-being-said,-it's-how-it's-being-said dept

Back in July, a small but disturbing detail on the government's cell phone tracking abilities was buried inside a larger story detailing the explosive expansion of the NSA post-9/11. Ryan Gallagher at Slate pulled this small paragraph out and highlighted it.

By September 2004, the NSA had developed a technique that was dubbed “The Find” by special operations officers. The technique, the Post reports, was used in Iraq and “enabled the agency to find cellphones even when they were turned off.” This helped identify “thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq,” according to members of the special operations unit interviewed by the Post.
Ars Technica reports that some security researchers are calling this statement into question and have contacted cell phone providers for statements on the NSA's claim. Only a few have responded at this point, and their denials have been worded very specifically.

Google had this to say:
When a mobile device running the Android Operating System is powered off, there is no part of the Operating System that remains on or emits a signal. Google has no way to turn on a device remotely.
Google may not have a way, but that doesn't mean the NSA doesn't.

Nokia:
Our devices are designed so that when they are switched off, the radio transceivers within the devices should be powered off. We are not aware of any way they could be re-activated until the user switches the device on again. We believe that this means that the device could not be tracked in the manner suggested in the article you referenced.
Once again, we're looking at words like "should" and "not aware." This doesn't necessarily suggest Nokia does know of methods government agencies could use to track phones that are off, but it doesn't entirely rule it out either.

Samsung's response is more interesting. While declaring that all components should be turned off when the phone is powered down, it does acknowledge that malware could trick cell phone users into believing their phone is powered down when it isn't. Ericsson, which is no longer in the business of producing cell phones (and presumably has less to lose by being forthright), was even more expansive on the subject.
The only electronics normally remaining in operation are the crystal that keeps track of time and some functionality sensing on-button and charger connection. The modem (the cellular communication part) cannot turn on by itself. It is not powered in off-state. Power and clock distribution to the modem is controlled by the application processor in the mobile phone. The application processor only turns on if the user pushes the on-switch. There could, however, be potential risks that once the phone runs there could be means to construct malicious applications that can exploit the phone.
On the plus side, the responding manufacturers seem to be interested in ensuring a powered down phone is actually powered down, rather than just put into a "standby" or "hibernation" mode that could potentially lead to exploitation. But the implicit statement these carefully worded denials make is that anything's possible. Not being directly "aware" of something isn't the same thing as a denial.

Even if the odds seem very low that the NSA can track a powered down cell phone, the last few months of leaks have shown the agency has some very surprising capabilities -- some of which even stunned engineers working for the companies it surreptitiously slurped data from.

Not only that, but there's historical evidence via court cases that shows the FBI has used others' phones as eavesdropping devices by remotely activating them and using the mic to record conversations. As was noted by c|net back in 2006, whatever the FBI utilized apparently worked even when phones were shut off.
The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.

Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.

While the Genovese crime family prosecution appears to be the first time a remote-eavesdropping mechanism has been used in a criminal case, the technique has been discussed in security circles for years.
Short of pulling out the battery (notably not an option in some phones), there seems to be little anyone can do to prevent the device from being tracked and/or used as a listening device. The responding companies listed above have somewhat hedged their answers to the researcher's questions, most likely not out of any deference to government intelligence agencies, but rather to prevent looking ignorant later if (or when) subsequent leaks make these tactics public knowledge.

Any powered up cell phone performs a lot of legwork for intelligence agencies, supplying a steady stream of location and communications data. If nothing else, the leaks have proven the NSA (and to a slightly lesser extent, the FBI) has an unquenchable thirst for data. If such exploits exist (and they seem to), it would be ridiculous to believe they aren't being used to their fullest extent.

Filed Under: mobile phones, privacy, surveillance, tracking
Companies: ericsson, google, nokia, samsung


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    aldestrawk (profile), 13 Nov 2013 @ 10:18am

    "Short of pulling out the battery (notably not an option in some phones), there seems to be little anyone can do to prevent the device from being tracked and/or used as a listening device."

    It's not that hopeless. As pointed out in some of the previous comments a faraday cage or bag is sufficient to prevent remote activation of your cell phone. These are now being made and will probably become more common. If you don't care about style, you can just use a mylar bag. There are 2 caveats to keep in mind;
    1). Not any bag made from metallized film will do. I have tested anti-static bags that don't work.
    2). make sure it is fully closed and stays that way in your pocket or purse.

    Your bag is easily tested. Just call your phone while its in the bag. The test is better if it is done in a place that shows the maximum bars for service. For foolproof testing, stand next to a cell tower for your carrier and do the same thing.

    This avoids having to worry about; whether the radio circuitry is really turned off or not, getting a phone with a removable battery, secret secondary batteries, or secret RFID chips.

    If some of the phone manufacturers are being coy about denying the ability to remotely activate a turned off phone, it might be because they have allowed the phone to be configured to listen while "off". It is conceivable to me (but I'm not convinced) that manufacturers along with carriers in conformance with CALEA might allow a phone to be set in a pseudo-off mode in response to a wiretap order. Regardless, this can still be defeated with a Faraday bag.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.