
Samsung, Nokia say they don’t know how to track a powered-down phone - dan1234
http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-how-to-track-a-powered-down-phone/
======
revelation
They are probably not even lying that the baseband processor is shut down by
the application processor, as it controls the power and system clocks.

But the dirty little secret is that the baseband processor is still a
completely uncontrolled subsystem, loaded with some proprietary binary blob by
trustworthy companies like Qualcomm. GPS and even the microphones are usually
integrated into the baseband, not part of the application processor that runs
your Android. So you have a perfectly capable ARM processor running a
proprietary RTOS, written completely in C (or C++ occasionally) with
access to all the vital peripherals and a gigantic attack surface in dealing
with all the mobile communication protocols. The only reason there hasn't been
a complete breakdown yet is that it's difficult for amateur researchers to
exploit: you need expensive RF hardware, and the mobile communication protocols
are huge bodies of closed, committee-designed standards. But it is without a
doubt in the reach of the NSA, and they are probably actively exploiting
baseband processors already.

(Interestingly, since baseband processors have grown in complexity, most
smartphones can now update the firmware on them, so there are lots of firmware
images floating around. I highly recommend just even running strings on them;
it's quite enlightening. Some examples from a Nexus 4 radio:

    Failed do spoof USB cable disconnection
    Assertion os_mutex_pool_ptr[mutex_index_in_pool].is_available == 0 failed
    hsu_al_ser_open: hsu_al_ser_base_open for port NMEA (%d) returned failure
    Conversion to UTF-16 failed! Returned %d, expected %d
    Unexpected IP family %d - assuming IPv4
    inflate 1.2.3 Copyright 1995-2005 Mark Adler 
    Received ARP Request
    CxM - Received WLAN Early Grant Release

(Yes, these are format strings! And this device has all the good stuff:
classic 2005 zlib, a homebrew network stack, homebrew character conversion
routines, homebrew operating system, homebrew USB stack...)
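A small triage script in the spirit of the strings run described in the post above, added here as an example and not the commenter's own code: it extracts printable runs from a firmware blob, flags the ones carrying printf conversion specifiers (evidence of a printf-family sink somewhere in the image), and pulls out zlib-style version banners so an embedded library's version can be checked against its maintainer's fixes. The blob is constructed for the demo; pass a real image path as the first argument to scan that instead.

```python
import re
import sys

# Constructed stand-in for a radio firmware image: a few printable strings
# (modelled on the ones quoted in the post) separated by binary junk.
SAMPLE_BLOB = (
    b"\x00\x01\x02\xff"
    b"Unexpected IP family %d - assuming IPv4\x00\x7f\x00"
    b"inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00ab\x00"
    b"Received ARP Request\x00\xde\xad"
    b"hsu_al_ser_open: hsu_al_ser_base_open for port NMEA (%d) returned failure\x00"
)

# Runs of 4+ printable ASCII bytes: the same heuristic strings(1) uses by default.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
# A printf conversion specification: flags, width, precision, length modifier, type.
FORMAT_SPEC_RE = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfgGaAcspn]"
)
# Version banners of the kind zlib embeds ("inflate 1.2.3 Copyright 1995-2005 ...").
BANNER_RE = re.compile(
    r"^(?P<lib>inflate|deflate|zlib)\s+(?P<ver>\d+(?:\.\d+)+)\s+Copyright\s+(?P<years>\d{4}(?:-\d{4})?)"
)


def extract_strings(blob: bytes) -> list[str]:
    """Return every run of 4+ printable ASCII bytes, like `strings -n 4`."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(blob)]


def triage(blob: bytes) -> dict:
    """Sort extracted strings into the two categories the post calls out:
    format strings (a printf sink exists in the firmware) and embedded
    library banners (a version to check against the library's current release)."""
    strings = extract_strings(blob)
    format_strings = [s for s in strings if FORMAT_SPEC_RE.search(s)]
    banners = []
    for s in strings:
        m = BANNER_RE.match(s)
        if m:
            banners.append((m["lib"], m["ver"], m["years"]))
    return {"count": len(strings), "format_strings": format_strings, "library_banners": banners}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    report = triage(data)
    print(f"{report['count']} strings, {len(report['format_strings'])} with format specifiers")
    for lib, ver, years in report["library_banners"]:
        print(f"embedded {lib} {ver} (copyright {years}): compare against the current release")
```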

~~~
brokenparser
The only proper way to turn off a phone is to remove the battery, in lieu of
nuking it from orbit (just to be sure).

~~~
marvin
A Faraday cage should also ensure that no one can track you.

~~~
ballard
As seen on KS:

[http://offpocket.com/](http://offpocket.com/)

~~~
specto
Seems like the price is a bit steep for a little bit of fabric.

~~~
headShrinker
Indeed, a metal cocktail shaker works as a faraday device as well.

------
andyjohnson0
_"Back in July 2013, The Washington Post reported that nearly a decade ago,
the National Security Agency developed a new technique that allowed spooks to
“find cellphones even when they were turned off.”"_

Since this technique pre-dates smartphones, it is unlikely to involve
installing software on the phone. At best, the NSA might have found that a
given model of phone didn't properly power-down its radio when the phone was
powered-down. Given access to the cellular network it might be possible to
ping the phone and make it disclose its position via triangulation.

Very hard to see how this could be anything other than deliberate
disinformation by the NSA though.

~~~
Zigurd
A remote command capability was revealed in the trial of a mob boss. The FBI
used a non-smartphone as a room bug. A reasonable surmise is that the phone
can be commanded to periodically power on and listen for commands. Those
commands could include turning on the speakerphone, jacking up the AGC, and
auto-answering without indicating the phone is on.

Turning on periodically so it can be tracked would be one part of what it
takes to implement a room bug.

------
zaroth
There's tracking a phone while it's off, and then there's realtime tracking of
a phone while it's off. Two very different things, and two very different
attacks.

"a new NSA technique enabled the agency to find cellphones even when they were
turned off"

The current administration is very careful with choosing their words. I
haven't seen WP's source, but I wonder if this is more about the phone
blipping its receivers to record some local MAC addresses and scrambling codes
and then uploading the data the next time the phone's powered on.

You know when the word "collect" doesn't mean what you think it does, I
wouldn't bet on nailing the word "find". :-)

------
philliphaydon
Personally I've never understood why with every single Laptop and Mobile I've
ever owned (where I could remove the battery) if I turned off the device, with
full battery, eventually the battery dies...

Yet if I power off the same device, take the battery out and leave it for the
same amount of time, then put it back and power it on, it's a full battery...

On the same note, my iPhone 4, 15" MacBook Pro w/ Retina, and Lumia 925, all
when turned off completely, eventually the batteries die...

Just slower than if they were turned on...

~~~
RBerenguel
Just guessing, but a battery inside a computer/phone, even if turned off is
probably still powering at the very least a few wires. Even if they don't go
anywhere (i.e. they are not connected anywhere else) they probably are slowly
eating away the battery. On the other hand, I don't know how modern
computers/phones turn off, but I doubt they involve a full circuit cut (i.e.
there is no big red button making a click sound and closing all wires coming
out of the battery)

~~~
Billkd
From what I found with my phone, I would like to confirm that even if the phone is
turned off, power is still supplied to a few wires. When I remove the battery from
my phone and then put it back and turn it on, it asks me to configure the
date settings. But if I just turn the phone off and then turn it on, it
doesn't prompt me to configure the date settings. So I can tell that at least the
clock on my phone uses the battery even when the phone is turned off.

------
rlpb
If I were tasked to implement this, I would arrange for the phone to appear to
be powered down when in fact it is not, and for malware to do this when
shutting down from inside the normal OS. If you "powered off" from software
(by shutting down from a menu or holding the power button until the screen goes
blank, but not for the many seconds it takes to trigger a more hardware-level hard
power off), then I would make the screen go blank and make all other inputs
unresponsive, except for the normal power-on input.

For bonus points, I would arrange for the baseband to transmit only very
minimally as necessary, so it isn't noisily detectable from RF pickups such as
nearby speakers.

The technical details would get simplified, and management would hear that I
can track a "powered-down" phone.

~~~
dobbsbob
That's exactly what FinFisher police spyware does: pretends to shut off your
phone but the mic is still recording

------
Theodores
Thanks to Snowden we know the NSA backdoor crypto code and have leverage over
the telcos to get the help they need. We also know that solutions are
plausibly deniable as far as the big name companies that we know about. So the
same thing could go on here.

If I had to put this in place I would get something that worked even if there
were no cellphone masts in the area. Get the radio to listen to something
entirely different, broadcast from some box that could be put in a car or in
one of those electronic listening planes the military have. Have it work at
the radio level on the phone so the CPU does not need to be used. The reply
could be an entirely different identifier to the IMEI or SIM identifier, with
it being a simple database 'select' to get these codes.

------
femto
If there's any sort of oscillator still running in the phone, or any other
circuit switching with a predictable pattern of rising/falling edges, you'd
think it might be possible to pick up EM radiation with a sensitive enough
receiver/antenna.

A bit more "out there", maybe it is possible to pick up a powered down
antenna? Think that an antenna is a (typically passive) conductor, designed to
resonate at a particular frequency. If the antenna is irradiated with that
frequency, wouldn't the antenna couple to the field and disturb it in some
way? If those disturbances can be measured, then the antenna (and consequently
the phone) can be detected.

~~~
Wingman4l7
Sounds like you're describing The Thing[1]. It might work -- but then how
could you tell cellphones apart?

[1]:
[https://en.wikipedia.org/wiki/Thing_%28listening_device%29](https://en.wikipedia.org/wiki/Thing_%28listening_device%29)

------
kojoru
My Sony Ericsson K310i used to discharge in a week when turned off with a SIM
card present and only lose 5% in a month when turned off with the SIM card
removed.

At the time I thought it was due to poor power management, but now it really
makes me wonder.

------
joosters
I wonder how a hypothetical 'bugged' phone would do the data transmissions? I
used to have a phone on a contract that had excessively high data charges. As
a result, I only used it for voice / SMS. If a bug had been planted on it, and
it used normal IP networking, it would be obvious when I got my bill.

I wonder if there are ways that a pwned phone could transmit to an attacker
without hitting the billing system? Non-billed SMS? Or are there other
techniques on GSM? (e.g. network operator updates get pushed to phones and
they aren't billed; there must be some other low-level two-way messaging
capabilities)

------
tudorconstantin
The tracking might refer to listening to conversations that take place near a
shut down phone. The technique might be similar to the one used in laser
microphones
([http://en.wikipedia.org/wiki/Laser_microphone](http://en.wikipedia.org/wiki/Laser_microphone)),
but instead of measuring vibrations, measuring the electromagnetic field
variance of the phone's microphone.

------
lotsofcows
Are NFC enabled 'phones both NFC devices and NFC readers or just NFC readers?

If they start adding RFID tags to 'phones, the only safe way to not be tracked
will be not to carry the 'phone.

~~~
tmzt
In some devices the NFC transceiver is part of the battery; assuming it has
its own CPU and firmware, it could be easily exploited to be trackable from
relatively large distances.

Other "near field" devices, such as payment cards and passports, have
been successfully communicated with or exploited using directional antennas
from further away than you might think.

------
doctorstupid
Why is it that when flying, we are sometimes requested to put phones into
flight mode before switching them off?

~~~
46Bit
At a guess it might be so that if you turn it back on during flight it's
already in airplane mode?

~~~
doctorstupid
Good thinking.

------
ismail
One of the ways that could be used to track feature phones while they were
switched on, however, was sending specially crafted messages to the phone
that would force a location update, which you can use to grab the cell ID and
basically determine movement once you have a few of them.

------
chatman
As long as we have non free software running on their phones, it would be hard
to believe the claim as is.

~~~
nl
Why?

It's quite possible to check if a phone is transmitting, without even opening
it.

Additionally, it is usually possible to see what parts of a device are
consuming power (or at least have current).

~~~
chatman
Though, it might not be transmitting all the time when off. Imagine a schedule
when a switched off phone transmits once a day, at a random time. Although it
is not impossible to record such transmissions, it isn't quite simple.

------
einehexe
Never go outside without a large hat. Switch vehicles at underpasses or car
parks. Don't forget the milk.

