
How Law Enforcement Tracks Cellular Phones - maxerickson
http://www.crypto.com/blog/celltapping/
======
rayiner
This is a really excellent article.

Here's an article that goes into a lot of the law that is relevant to the
investigative techniques mentioned:
[http://www.michiganlawreview.org/assets/pdfs/107/4/kerr.pdf](http://www.michiganlawreview.org/assets/pdfs/107/4/kerr.pdf).
Note: the article makes a case in support of the third party doctrine, which
justifies many of those investigative techniques, but is very well-researched
and presents a pretty balanced view of what the law _is_ in addition to
defending that status quo.

~~~
tptacek
Matt Blaze is a really excellent person, and this is a research focus area for
him.

For more in the same vein, try "The Eavesdropper's Dilemma"
([http://www.crypto.com/papers/internet-tap.pdf](http://www.crypto.com/papers/internet-tap.pdf)). This paper is dear
to me for reasons obvious to those who worked with me in the 1990s.

------
andr
So is the concept of someone remotely turning your cellphone into a microphone
fact or fiction? Is there any proof in either direction?

~~~
sillysaurus2
_is the concept of someone remotely turning your cellphone into a microphone
fact or fiction? Is there any proof in either direction?_

It is fact.
[http://news.cnet.com/2100-1029-6140191.html](http://news.cnet.com/2100-1029-6140191.html)

Law enforcement absolutely has that capability, as well as turning your phone
into a tracking beacon _even when it's powered off_.

See here for more info and discussion:
[https://news.ycombinator.com/item?id=6722519](https://news.ycombinator.com/item?id=6722519)

~~~
tptacek
[https://twitter.com/mattblaze/status/411539368990363648](https://twitter.com/mattblaze/status/411539368990363648)

~~~
sillysaurus2
I don't understand. I hold your opinion in high regard, because your views are
almost always well-researched and supported; if not with evidence, then
usually with experience. For what it's worth, I strive to express my views
with the same quality and clarity as your expressions.

So your reply is somewhat disconcerting, because it seems to indicate that you
think the claims are bogus. And if you think so, then you have good reason to
feel that way, since almost all of your views are, well, reasonable. (An
aside: would you _please_ write something articulating your deep hatred for
Soylent? It was shocking to discover you felt that way, and that I didn't see
anything wrong with Soylent, so I've been silently hoping to someday see a
writeup from you in order that I may find reasons to change my own view.)

In short, I accepted long ago that there's roughly zero chance of going
through life without unintentionally believing in crazy things. Everyone does,
at some point. Therefore the most important thing is to keep my eyes open for
evidence of my own crazy beliefs, so that I can constantly reevaluate them.

So your reply seems to be strong evidence that someone I respect thinks I'm
being a bit bogus regarding cell phone tracking. If that's the case, then I'd
love to hear your thoughts on the subject so that I can revise my own.

~~~
seiji
Off = powered down = no broadcasting or receiving.

Now, in most devices these days you can't be sure "Off" is actually "Off." I
bet many Android phones lie about "turning off" and just go into a low-power-
with-quick-reboot sleep mode.

If you successfully redefine Off to be Maybe Off, nobody can argue with you
because you changed the terms of reality.

~~~
sillysaurus2
To be clear, the claim is the following: _There is reason to believe phones
have been remotely hacked by law enforcement using carrier credentials to
leave the cellular radio running and registering with the cell network even
after the off button has been pushed and the phone appears to be off. Starting
point for further reading:_
[http://www.brighthub.com/electronics/gps/articles/51103.aspx](http://www.brighthub.com/electronics/gps/articles/51103.aspx)

The claim isn't my own; it's Trevor's, the founder of Anybots, and one of the
best electronics hackers in the world.
[https://news.ycombinator.com/item?id=6087399](https://news.ycombinator.com/item?id=6087399)

He seems to have a pretty good grasp of reality, and he's more intimately
familiar with the electronics than most of us.

I also presented some circumstantial evidence indicating that law enforcement
does in fact use this capability in practice, the last time this came up:
[https://news.ycombinator.com/item?id=6722519](https://news.ycombinator.com/item?id=6722519)

If there's fault with this, then I'd like to understand why.

~~~
maxerickson
There is at least fault with presenting all that assertion and speculation as
"Law enforcement absolutely has that capability".

The first bit that approaches being evidence is the CNet article linked from
the link, and it says

 _Details of how the Nextel bugs worked are sketchy. Court documents,
including an affidavit (p1) and (p2) prepared by Assistant U.S. Attorney
Jonathan Kolodner in September 2003, refer to them as a "listening device
placed in the cellular telephone." That phrase could refer to software or
hardware._

So the absolute proof is a court document that doesn't provide any details
about the mechanism used to compromise a dumb phone in 2003.

------
nchuhoai
Just to put it to rest: This whole theatre in movies where you have to stay on
the line sufficiently long enough to be able to trace their location is bull?

~~~
DanBC
Yes.

Ann makes a call to Bob and hangs up within a second.

That call is not free; it will be listed on Ann's bill.

~~~
toomuchtodo
And if it was made from/to a cellphone, what towers saw that phone is going to
be logged. Hello triangulation!

------
coin
'Cellular phones work by periodically scanning for and "registering" with the
nearest base station (generally the one with the strongest radio signal).'

This is not true. A handset registers when it enters a new zone. A city is
typically broken down into several zones. The handset does not register itself
with every new cellsite ("tower") it encounters. If one's phone stays in the
same area, it will never transmit while idle. This is the basis for its long
battery life.

[http://denbeste.nu/cdmafaq/voicemail.shtml](http://denbeste.nu/cdmafaq/voicemail.shtml)

~~~
toki5
There was a DEFCON talk two years ago in which the presenter assembled large
antennas and ran open-source software that allowed him to mimic a base
station. Everyone who was using phones on a specific network (I don't remember
which -- I want to say AT&T) connected to his base station within a few
minutes, and he proved the concept by hijacking outgoing calls.

>If one's phone stays in the same area, it will never transmit while idle.

Maybe phones used to do this, but nowadays I'm not so sure.

------
lief79
Am I missing something, or where is the
[http://www.trueposition.com](http://www.trueposition.com) tech included in
this link? At least for the GSM networks, they can generally locate you with
cross tower triangulation within 60 meters or so, far more accurate than just
the nearest tower. Useful for e911 without GPS working. I'm not sure if they
have any non-GSM customers.

~~~
nitrogen
Before GPS hardware was commonly available in phones, some CDMA carriers
offered phone-based navigation services that relied on tower triangulation.
Thus, it's highly likely that triangulated location data was available to
emergency services and law enforcement from CDMA networks as well.

------
BrownBuffalo
Hence why dump phones are so important to drug dealers. Change, recycle.

~~~
socillion
Here's one case where that didn't work out:
[http://jolt.law.harvard.edu/digest/telecommunications/united...](http://jolt.law.harvard.edu/digest/telecommunications/united-states-v-skinner)

Using a phone without your name attached to it is not equal to anonymity:
[https://www.schneier.com/blog/archives/2009/05/on_the_anonym...](https://www.schneier.com/blog/archives/2009/05/on_the_anonymit.html)

Imagine if you had data on all cell phones, including location at time of
call - wouldn't it be remarkably easy to match a disposable phone with its
predecessors based on when and where it was used, and who it was used to
contact? For how, see this article:
[http://justsecurity.org/2013/10/11/nsa-call-records-database...](http://justsecurity.org/2013/10/11/nsa-call-records-database-fingerprinting-burners/)

> The [Hemisphere project] slides emphasize the program’s value in tracing
> suspects who use replacement phones, sometimes called “burner” phones, who
> switch phone numbers or who are otherwise difficult to locate or identify.

[http://www.nytimes.com/2013/09/02/us/drug-agents-use-vast-ph...](http://www.nytimes.com/2013/09/02/us/drug-agents-use-vast-phone-trove-eclipsing-nsas.html)

