Edward Snowden's New Research Aims to Keep Smartphones from Betraying Owners (theintercept.com)
296 points by secfirstmd on July 21, 2016 | 150 comments

When I place my smartphone on the desk near the computer speakers any time it is going to ring the speakers start making a funny noise a second or two before the ringing starts. So I presume it must be possible to DIY a cheap sensor for GSM signal detection based on a little speaker.

This is a silly question but I'd like to understand if it's possible for a human to sense those same signals. So many times I have had a sensation that my phone will ring and then moments later it does.

Probably confirmation bias or maybe I'm subconsciously hearing the interference in speakers and taking the hint from there. It doesn't happen every time and I don't receive a lot of calls.

HN seems a decent place to settle it once and for all.

It seems very unlikely that you would be able to sense those frequencies, except indirectly through something like audible speaker interference.

However, this would be pretty easy to test! Just have a friend call you at random times throughout a 2-hour interval or something, and record every time you think the phone is about to ring, and every time it actually does. If there's a close enough correlation between the two, that's fairly persuasive evidence.

This is still anecdotal. You would need hundreds of people, also, the very fact that you are expecting calls pollutes that experiment already...

A large sample size of people isn't necessary to verify the ability.

Case in point, the woman who can smell Parkinson's disease, to some ridunculous p-value.


It's not anecdotal if it's consistently repeatable. You would only need hundreds of people if you were trying to prove that everyone could do it.

You can measure the probability of achieving the result at random and determine the statistical significance of your experiment. Being able to successfully anticipate a call within 10 seconds in a 2-hour interval yields a p < 0.01.

Some effects published in medical journals have a less convincing p-value.

And ensure that he records all the false positives.

I'd expect it to be audio-ish. I can hear my Macbook Pro compute. AFAIK there's no moving parts except the fan but certain programs I can audibly hear something going on inside the machine. It's kind of annoying as I wish it was silent. Note I'm not saying I have any special ability. I'm sure if I had a sensitive mic I could amplify the sounds.

This could simply be some capacitor or fan issues.

Former Dell XPS 13 Sputnik (9333 model) user checking in.

A decent dev machine for $2K-ish, save for a major flaw: "coil whine"[1]. Very annoying when working in silent environments. Frustratingly random as well - for me, backlight on/off, usb connect/disconnect and scrolling on browsers would change the whine frequency noticeably. [2]

It is possible that you can hear something similar from your MBP - however it is very unlikely that this has anything to do with any of the radios.

I miss the good old days when you knew your PC was busy by the HD sounding like a thousand monkeys tap-dancing Shakespeare.

[1] https://en.wikipedia.org/wiki/Coil_noise

[2] BTW, Dell denies this issue, claiming it was fixed before 9333. Users disagree: https://www.reddit.com/r/Dell/comments/47g46m/lets_investiga...

"It seems very unlikely that you would be able to sense those frequencies"

Is this true? What about heat radiation for example. We can feel that.

And we can see/sense changes in electromagnetic fields: http://www.nature.com/ncomms/journal/v2/n6/full/ncomms1364.h...

please please do it!

Scientifically: There are people from disparate countries who believe that they suffer from a condition called `EM hypersensitivity`, and are convinced they must live in remote areas away from radios to avoid sickness or headaches. In the handful of published studies that exist, evidence points to an inability of these people to distinguish between exposure and non-exposure in a laboratory setting.

Anecdotally: I can definitely "feel" large AC transmission lines. They do have an audible buzz, however the "feeling" sensation seems distinct to me. My experience is from hiking the Appalachian Trail, which spends days outside of cell phone range, and then crosses regional transmission lines periodically.

So if that observation is not pure illusion or auditory synesthesia (perhaps a fully deaf person can assist here?), it would seem to follow that there is a mechanism to sense EM radiation, and it is simply a matter of whether the perceptive threshold has been met, which would obviously vary from person to person and even from instant to instant.

Oh you can definitely feel effects from AC transmission lines. Search for pictures of fluorescent tubes lighting nearby, without being connected to them. There's plenty of ions getting shoved around to stand your hair up a little if nothing else.


I'm reminded now of a church pastor I know who was an antenna.

The story: this pastor, and only this pastor, would make wireless microphones in certain frequencies act up.

Eventually the audio team found out that somehow this particular pastor worked as an antenna for a particular frequency, matching a nearby radio transmitter, that due to its enormous size would overpower the microphone transmission and corrupt the data.

Everybody is an antenna. Probably his size was very "well tuned" to that radio transmitter.

One of my friends has a magnetic butt. Any time he carries a mag strip card in his back pocket, it no longer works.

I also knew somebody who had to use wind-up pocket watches, because quartz wristwatches would always skew when he wore them, but would keep time fine when removed.

Weird stuff. Who knows.

And how about the wind-up watches ? Did they not skew :-)

People have long reported experiencing radio reception through tooth fillings, usually in the ham and FM bands from 1 to around 100 MHz.

I can imagine cell frequencies would be even more likely due to smaller antennae for the higher frequency.

It's not conclusive by any means but Mythbusters tested this and came to the conclusion that tooth fillings don't act as an antenna:


Sometimes the Mythbusters do interesting things, but their ad hoc methods, largely uninformed by theory, are often so haphazard that they prove basically nothing.

Well, if they can manage to reproduce a phenomenon, however they stumble on it, it's pretty conclusively confirmed.

There's definitely doubt about their conclusion when they can't reproduce something and then declare it busted -- absence of evidence is not evidence of absence.

I can think of one "confirmed" myth involving bacteria that was likely invalidated by improper sample handling. The lab scientist who ran the test appeared to be straining to say that without overstepping her remit on the show.

But do some, imperfectly fitting, fillings act as a diode?

At some point during some school work I felt I could sense when someone tried to call me on my parents' landline. More than half my life has passed since then and I have never felt close to replicating it, so I guess most likely my subconsciousness figured out some patterns in who called when.

Another observation though: I worked professionally with radar systems for a while and IIRC one of the oldtimers mentioned one isolated case where a person had been able to tell when a certain radar was transmitting in his sector. (Radars often only transmit in sectors turning away from the population.)

But, to be honest, I haven't heard about it anywhere else and most people who claim to sense that kind of radiation either refuse to undergo blind studies or fail them, so if you treat this as anything but an old wives' tale you have to do your research :-)

I'm curious about animals other than humans. Once I was waiting for a call by a window, there was a generous spider on the other side. As I'm very afraid of spiders, I was looking at it while waiting for that call to arrive, it was very calm, barely moving. As soon as the call showed on the screen, silent mode on, no sound or vibration, the spider got completely mad, moving around like crazy so I moved away and the spider stopped moving again. I did experiment moving closer and away repeatedly with the same result. So maybe spiders are sensitive to that frequency?

Theoretically it might be possible. There are some studies on the effects of electric fields onto single neurons. If an external field can influence the firing of neurons in some way, probably one can train to read these signals.


I have no idea on what field intensities are sufficient to influence the neurons.

Very hand wavy of me, but I'd say there is a way that it's true you can sense it. We may not yet know how you can, though. An example that I like to think of is of infrasound. People can't hear it, but there are some who sense when it's moving through them.

I don't believe that humans can really sense it on their own. But there was/is a group of "body hackers" who would implant a small shard of a magnet into their finger tip to allow them to feel electromagnetic fields.

Those stickers are cool. Japan had various dangly things to attach to your feature phone that worked similarly for years. Smartphones generally have no place to attach anything so they seem to have mostly disappeared.

That was an old IRA technique to detect certain types of signals nearby. Cheap headphones and a modified radio of sorts. Looking for interference.

I have no idea how this happened, but about twenty years ago, I had an internal PC modem that started randomly speaking to me about fire, brimstone, salvation, etc. Thought I was going off my rocker, until I figured out that it was picking up an AM religious station and playing it through the onboard speaker. My best guess is that somewhere on the circuit board there was a diode and a capacitor just in the right spot and it was using the phone line as an antenna.

"fire, brimstone, salvation" sounds like you grew up in Northern Ireland alright :)

Use old style opamps for this btw, they are more susceptible to this, like LM741, NE553, LM883, ... If you are ok with putting your cellphone on the detection box, all you need is an opamp driving a small speaker, and the opamp requires no input. Or you could just hook an antenna on it. If you want I could try, but I have more exciting things to do :)

These are GSM/3G signals. I never hear anything when transmitting wifi or bluetooth.

You would need a GSM phone, not just a speaker. Your phone's radio can interfere with electronics like land-line phones. My Nexus 5, on a GSM/LTE network, will cause my Polycom speakerphone to make "dit-dit-dit" noises occasionally (when the network interrogates devices in range) if it is within a few inches of the speakerphone. I suspect people who think they can sense a call coming in are hearing the network looking for their phone in order to offer a call, and not sensing radio waves.

It's probably signal interference because I get it too. "beep-beep-beep ; beep-beep-beep ; beep-beep-beep ; beeeeeeeeee" then call or text comes through.

The poor man's way of stopping your iDevice from transmitting is by putting it in DFU mode [0]. This regretfully will prevent you from using it for anything else too, unlike airplane mode. And some will probably argue that a nation state could mimic DFU on an active phone, but it is a viable option that anyone afraid of being under surveillance could choose. The timing of DFU mode can be quite difficult; this video [1] has been a help to millions.

Alternatively some use an iPod with only Signal installed. As stubborn Moxie requires access to the address book [2], the iPod address book is exclusively used for Signal addressees.

[0] https://www.theiphonewiki.com/wiki/DFU_Mode#Entering_DFU_Mod...

[1] https://youtu.be/bITIiGswjF

[2] https://whispersystems.org/blog/contact-discovery/

This advice does not make much sense, DFU Mode is for performing a full restore on a device. It is not a way you'd just carry a device around, I believe it actually reboots after a certain amount of time.

At that point just walking around with a powered off device makes more sense than DFU.

Maybe this is not an option for you and you prefer turning it off if you want to protect yourself against nation state attackers. I assume the DFU mode ROM is hardcoded and therefore more difficult to attack, but if you have heard of DFU mode attacks/simulations/circumventions, by all means let us know. Turning a device off can be easily simulated on a jailbroken device, as Snowden argued by asking journalists to put their devices in the fridge.

I wasn't aware that an iDevice comes out of DFU mode after some time, please enlighten us. According to the instructions [0] I understand you need a special set of actions to return to the normal firmware.

I am curious where your thoughts on DFU come from. I am very familiar with it as it was the bootrom-level recovery mode my team utilized when we worked on jailbreak tools that exploited SecureROM.

DFU has a single purpose: wait for an Apple-signed firmware file to be sent to it over USB for it to execute. You seem to indicate that it's something you would carry your phone around in...in which it would just reboot into iOS after awhile.

Asking the obvious: Have you booted an iOS device into DFU mode before? Maybe the iPhone Wiki made it sound like it is a "mode" you can boot iOS into? I am not sure exactly what you think it is, but again, the device screen is completely black and indistinguishable from being off, OS is not booted and nothing is happening at all, besides the fact that (again) it is indeed on and "spinning" as it waits for the USB interrupt.

Regarding the fridge thing, xbee devices communicate perfectly from within at least some fridges. Are phones substantially different?

Why not just place it in a shielded bag that blocks RF?

Excellent idea, similar to what Snowden used three years ago with a fridge. Don't forget to turn off your device or put it in airplane mode because your batteries will run down quickly as it will try to find a GSM transmitter. Unless of course your device is used as a surveillance device and transmitting even if seemingly off/in-airplane-mode....

There are many options and as always in security/warfare/sports/etc the best defense depends on the attacker, the circumstances, the capabilities of the defender etc. DFU mode probably is one more option in a list of options and it has the advantage that it is available most of the times (it has to be practiced as always in security/warfare/sports/etc) and, for now, probably not hacked. If Will Strafach shows us that an iDevice reboots out of DFU mode after some time, that is one more thing to take in consideration. Or if it is not possible to carry an iDevice around in DFU mode, it might be useful only in limited cases.

Again, there is zero use in an iOS device being carried in DFU mode. All that will do is waste battery, because the single function of DFU mode is to wait for the USB interrupt started by a computer sending an Apple-signed bootloader to use to bootstrap loading of the firmware restore RAM disk.

As previously mentioned, it seems that you have the idea that DFU is a "mode" that you can boot iOS into. This is absolutely not the case, the device screen is completely black and the device appears to be completely off, because it almost is, it's just "spinning" and waiting for the USB interrupt.

The reason I am very adamant about this is because your comment was upvoted when the advice would serve no purpose to someone who needed it.

If you do not believe the device will reboot, go get an iPhone now and boot into DFU mode while plugged in. Then look at your computer and wait for it to recognize the DFU connected device (only way to know when it's in DFU versus being off). Then unplug it and watch, it will reboot into normal iOS at some point (or power itself off if battery is low, depends, same point though).

I'm getting "This video does not exist." on the YouTube link.

Sorry, link [1] is http://youtu.be/bITIiGswjFI

Probably just showing my ignorance, but there is a processor running in the phone, and it is connected to the various chips on the board, and you can run your own apps that could query the chips directly? If the OS disallows this, I'd be hacking the OS, rather than the hardware.

How did we get to this point, where our personal computing devices are completely out of our basic control? We live in bizarro world.

In this day and age, no computer is just a CPU. Each radio effectively has its own CPU and accompanying firmware.

The phone OS is as much in control of that radio (at best) as your laptop is in control of the ISP router.

Surely the main processor could query the sub processors for relevant info like current state? If this isn't possible then the HW/SW world of phones makes no sense.

And if the subprocessor is compromised, what is the chance that it would not lie? When it comes to these things there is no such thing as "too paranoid" (sadly).

HW & SW just happens in the middle of the night by elves? Mistakes were made? For a tech board I expect a bit more ownership of the problem here. This is OUR domain and we should act like it.

Who are these "us" you are talking about (as in, "OUR domain", "we should")?

HW & SW engineers (I'm one, I assumed many or most here are as well).

The point is that there is such complexity in your average smartphone, that strictly enforcing radio silence with software from within is practically impossible.

Let's forget everything aside from GSM for a moment.

The GSM/LTE/whatever radio runs very closed source firmware. This communicates with the very closed source CPU and other subsystems, controlled by the very closed source OS. On top of that you run various other closed source apps, opening potentially malicious documents and browsing potentially malicious links.

In theory nothing goes wrong. When you hit 'airplane mode', the OS tells the radios to STFU. In practice, anything could go wrong - maliciously or not. Your phone could have been "jailbroken" without your knowledge by a 0-day exploit, effectively negating the OS security. Once the bad guys are in your OS, they may as well update your baseband firmware to do whatever they want. Or any of the other firmware/drivers/ICs that they are able to access. Or CPU microcodes. Anything.

Ideally you would have a phone with a physical switch, powering off all radios. Not politely instructing them to please cease functioning, but actually power them the f... off. This almost never happens. I have a hardware switch on my laptop - this doesn't actually cut the power to the wireless radios. If/when the firmware is compromised, it is as useless as the Wifi LED indicators.

So, great, you'll say - implement that rather than build a whole new system to babysit your smartphone stack. Make a hardware switch that powers off all radio subsystems. Even if that were possible, your iPhone would not like a subsystem disappearing from existence. It isn't designed to handle that contingency and will surely fail in spectacular ways.

Hence, tapping into debug ports/buses/etc and trying to monitor traffic that way.

The analog way[1] may make more sense, but usability would probably be restricted. I'm fairly certain Snowden has heard of faraday cages.

[1] https://www.amazon.com/FawkesBOX-Smart-phone-Faraday-Cage/dp...

> The point is that there is such complexity in your average smartphone, that strictly enforcing radio silence with software from within is practically impossible.

Change is never impossible for something we ourselves design and manufacture.

>The GSM/LTE/whatever radio runs very closed source firmware.

This seems like a problem that could be fixed.

>Your phone could have been "jailbroken" without your knowledge by a 0-day exploit, effectively negating the OS security.

Probably sounds quaint, but run SW from a ROM.

>Make a hardware switch that powers off all radio subsystems. Even if that were possible, your iPhone would not like a subsystem disappearing from existence. It isn't designed to handle that contingency and will surely fail in spectacular ways.

You seem to be saying that the iPhone SW can't be altered to tolerate the disappearance of a subsystem, I just don't believe this is true. It's a poor excuse to do nothing.

If humans are incapable of writing secure SW, then put in one or more physical switches that powers down all transmitters, and write SW that can adapt to this. Don't tell me that's impossible or even all that difficult.

>>The GSM/LTE/whatever radio runs very closed source firmware.

>This seems like a problem that could be fixed.

The problem is that it's illegal to reflash the firmware, because the Radio Frequency Giveaway Committee* is scared that people would abuse that to send on frequencies that they haven't permitted.

*Probably not the official name.

> Probably sounds quaint, but run SW from a ROM

Even your CPU accepts firmware updates - in the form of microcode updates. There is no ROM any more :/ It wouldn't fix much either - find a bug/vuln in the ROM and those devices are owned "for life", since they can't be patched.

> You seem to be saying that the iPhone SW can't be altered to tolerate the disappearance of a subsystem, I just don't believe this is true. It's a poor excuse to do nothing.

I'm describing the situation as I see it today. It could; it won't. Apple has no incentive. Their shit is super secure already, haven't you heard?

> If humans are incapable of writing secure SW

We kind of are. Consumers don't really care until their inbox lands on wikileaks. @hillary waves

Yes, all these problems could be fixed if you make all your own hardware. Snowden doesn't manufacture iPhones though, so he's left with a clever hardware hack.

> How did we get to this point

The point happened when those devices became common enough that there was a good enough opportunity to use them as an intelligence and information gathering tool.

Not saying it's right or wrong, but until around 2010, smartphones were not mainstream enough for the government to be interested. If you're a government and you have a lot of resources, things get done pretty quickly, especially in sensitive matters like this one.

They explain in the article: your phone may be compromised, and an app running on the main processor has no reliable way to tell.

That's why they're using a completely separate piece of hardware.

OK, I agree, we should wash our technical hands and let some poor schmuck in exile clean up all of our technical security messes.

Why are you reacting like this to someone who's just telling you facts? You want to do something that's not possible. If your hardware is compromised (well), you can't fix that with software.

My reaction is because no one here seems to have any sense of ownership for the products they design, which are a key part of the security issues and abuses we are currently experiencing.

If you participate in the design of a phone that broadcasts its position in dangerous situations without the user knowing this, and subsequently gets them killed, maybe you're so far down the line and organizationally have so many people between you and them that you don't notice the small amount of blood on your hands.

Just by existing we all cause trouble, but I'd like to see a bit more ethical sense among those who are directly enabling the current oppressive state.

That's not my point (although the fact that you consider "HW/SW engineers" some kind of cohesive group who can make decisions together is kind of laughable). My point is that people are telling you what software cannot possibly do. And rather than look for alternatives, you start railing against their lack of ownership of the problem.

Share with us what you're doing to fight the problem, aside from posting on HN. If it can solve all the problems, I'm sure we'll all join up.

If someone came to me and told me one of my inventions/products could get someone killed, I'd move heaven and earth to fix whatever was wrong.

That same message, when presented to a large enough group where the responsibility is sufficiently diffused, is simply shrugged off. This is human nature and as such can be relied upon to supply endless weaponry and surveillance tools to our betters.

It's Snowden's fault that he has, in this environment where having minimal conscience is an asset, an over developed sense of ethics. Which unfortunately can't make up for the rest of our lack of it.

So just complaints, no solutions? Let your actions speak for themselves.

You can buy unlocked Android phones and run whatever custom Android ROM you want (Cyanogenmod, Paranoid Android, etc.). The situation isn't as dire as you make it seem.

And that does nothing about the baseband which is responsible for all the radio communication. The baseband of your unlocked Android phone is still closed source.

I'm curious as to why Snowden didn't simply recommend everyone go this route instead of bending over backwards trying to fix the iPhone?

I was more responding to this:

> our personal computing devices are completely out of our basic control

I can't speak about the security of the latest iOS versus the latest custom ROMs. There may be a reason he didn't recommend these. Or maybe he knows some people are too attached to Apple to move away and is trying to do the best he can for them.

I wonder why Apple isn't responding to this directly? It would seem like a natural since they've given a lot of lip service to security issues lately.

My guess: they can't respond to everything, so with some randomness legitimate security concerns don't get an official response.

Go for your life, build your own phone.


No disrespect to Snowden and Bunnie, but it seems to me that a much simpler solution giving you a much higher OPSEC is to buy a smartphone with a removable battery. No battery, no radios are on.

And if you are truly paranoid, it's simple to disassemble the phone and look for/remove any backup batteries. I know, I had to pull the backup battery from my wife's Moto G after it fell in the sink.

Wouldn't it be easier to use some kind of case or pocket [0] that acts as a Faraday cage?

0: http://www.popsci.com/sites/popsci.com/files/styles/large_1x...

That seems safer, with Snowden's device it has to detect transmission after it begins to occur in order to trigger shutdown or alert the user, so it's going to leak some amount of RF even if little. A properly constructed Faraday cage shouldn't though.

I think that Snowden's device would play a different role, I was comparing it to removing the main and backup batteries.

So it records and transmits later, at opportunity.

Good point. I guess it depends on the use case.

+1. If you are trying to detect surveillance by considering RF emissions but only some of the time, a sane attacker will simply have the bug record what it needs and transmit it in a burst later when you will not find RF activity suspicious.

You need to prevent the thing from recording you in the first place.

A metal case will block any unwanted RF emission. That said, the article states that the goal is to make it possible for users to still use their smartphones as camera, GPS, or whatever tool you need on it, while being safe.

As someone who knows a bit about computer security I find it mindblowing that journalists would go into war zones and expect to be stealthy with their smartphones in their pockets but they apparently are willing to risk their lives for their iPhones, so the best we can do is offer tools to mitigate the risks.

Snowden explained that the CMOS button battery is enough to send a transponder signal that can be heard by a drone. He said the only way to shut it down is to put it in a freezer.

I mean, I'm a programmer, I am not an expert on sigint stuff, but I don't think it's very hard to innovate in intelligence gathering technologies.

No battery leads to a useless mobile computer.

There is also the convenience factor. I do remove my battery frequently from my phone but it is too easy to just leave it on. People will generally not want to hassle with it if they don't have to. If security is easier and requires less effort then it lowers the cost and will be favored more often and it will protect more people.

There are also many times that people have been unhappy because I have my phone off and unable to reach me. There are also other times you want to be available.

Unfortunately, if your phone is owned then they can just exfiltrate the data when normal data transfer occurs. The data will still need to be stored for transmission later though.

With the iPhone, you also need to monitor Bluetooth and WiFi in addition to cellular activity. Hopefully they will also monitor these.

Depends on your use-case. If you only want to stop communications during a specified period of time (e.g.) during a "secret" conversation, then this is useful. If you have any apps installed that might be polling the 'net for information (e.g. checking the weather), then this is useless in the general case of "the phone is on my desk next to me while I'm working."

What is described in the article does not do traffic inspection, it only verifies that all radios are off.

I see the argument that there is a use case for the smartphone for taking pictures while operating without radios. But wouldn't a better solution then be a compact digital camera and a notebook? You can invent your own code for note taking that becomes arbitrarily hard to break. You can disguise a compact camera as a smartphone using just a case and a hot glue gun.

Better yet, install a small custom switch that enables you to physically disconnect power from the battery without actually having to remove it from the phone.

Much less conspicuous if you're in public under physical surveillance, and provides options for phones with non-removable batteries assuming the right modifications are made.

Actually, regardless of whether or not smartphones have a removable battery, there's always a small second battery connected to the baseband for emergency purposes. I've confirmed this firsthand by taking apart several models, and you can make out small coin cells on most online disassembly documentation as well.

The one in my old Atrix was a good 250mAh.

I don't mean to call you out, but I'm fairly positive this is wrong. I ran the baseband software team at Apple and worked on the first two generations of iPhones. I'm intimately familiar with that hardware having done reworks by hand myself on the first prototypes and being in all schematic reviews. They definitely didn't have secondary batteries connected to them. While this may exist on some new models of phone, I've never heard of it.

This doesn't even make much sense to me. Assuming you're talking about emergency calls, the application processor is necessary for dialing. You'd need to power the entire phone including the screen to make an emergency call.

Always? From the few (~10) cellphones I disassembled I remember nothing that looked like a cell.

Also how do you trigger an emergency call? The manufacturer embeds a special firmware so you don't have to boot the main OS and only use energy for the call?

It could have been located away from view on the other side of the motherboard, as is sometimes the case.

As for what the full intended purpose and potential capabilities of these secondary batteries are, I have no idea since that's not documented. I do know that it's for a whole lot more than an RTC, however.

I stripped them completely. Unless it was a very slim cell that could be confused with an inductor, or hidden into some module (say camera block) ...

I'd love for it to be true though.

What would the baseband transmit in an emergency and how would it know that there was an emergency, if the phone itself had lost power?

When a phone is off or out of power, is the baseband periodically pinging cell towers?

If it has a 250mAh battery then that is good for a continuous 1/4W transmission for 1 hour. But I imagine the battery is mainly there for the watchdog and RTC. Which is why you never have to set the clock every time you turn the phone on.

You don't need to set the clock when you turn on the phone because it gets the time from the network when it registers.

Pull your sim and battery. Reinsert the battery and turn the phone on. The time is still there, network or not.

I could see coordinates, e.g. of a lost party, or someone who called 911 but got disconnected by a low battery, that kind of thing. Cell phone pings can be extremely handy for SAR.

Sure, I said as much in the comment above, and I also know and have tested that at least one common smartphone works just fine with this battery physically removed.

then store your phone in a Faraday cage like you have in your kitchen (probably)

Took me a second to get what you meant. But yes, I do in fact have one. The seals around the door are meant to be airtight rather than RF-tight, though, so it may or may not be good enough, depending on your purposes. If you want your phone to not transmit its position, it may not be good enough, but if you want it to not eavesdrop on you, it probably works.

They mean the microwave, not the fridge/freezer.

I thought he meant aluminum foil.

> meant to be airtight rather than RF-tight

You are thinking about the wrong one.

I've heard about this emergency capability for years, e.g. earthquake, tsunami, etc. But has anyone ever heard of it actually being activated for real?

Yes. Japan for earthquakes. But no evidence battery is not required.

citation please

(good luck, as this is false)


I'm not sure I like your attitude. This is readily available information

That's talking about a backup battery for the real-time clock on the phone. That type of battery is usually not rechargeable and doesn't support enough power to make any sort of call. I've never heard of an emergency backup battery for just the 'baseband' in any phone, but I am open to being proven wrong.

The Neo900 is designed to detect unauthorized radio transmission from the modem and power the modem down in a fraction of a second, and notify you. It seems to be the only device that will have that capability.



Why go through test points rather than directly detecting RF emission?

In addition to the required hardware modification, a sufficiently nefarious attacker might be able to spoof test points. RF power detection, on the other hand, can't lie. If it's going to communicate, the phone must transmit.

An RF-detection tool would be as easy as a phone case (and could double as a backup battery for the phone). It'd be far simpler and easier to adopt than directly hacking on the hardware.

Edit: My concerns are partially addressed in the actual paper: https://www.pubpub.org/pub/direct-radio-introspection

One nefarious method malware could use to get data off the device without RF would be to play sub 20kHz audio through the speakers, assuming there was a device with a microphone near by that's able to receive the signal, and of course that the speakers can play a frequency that low.

Along the same lines, but only successful if the user isn't looking, would be to use the flashlight LED.

Or maybe very short low power vibrations, if the receiving microphone is on the same surface.

All of these require somewhat particular situations, but fun to think about in any case :)

If anyone would like to see this in action, try this out on your laptop https://quiet.github.io/quiet-js/


Cool! I always wondered what the accuracy/success rate of such a sidechannel would be, nice that your tool allows me to test this easily :)

Interestingly enough, after some fiddling I could get it from my speakers to phone mic, and phone speakers to laptop mic, but only in the audible spectrum, not in the ultrasonic. Only response I got was one time, an error--probably one packet that failed the CRC check, but the rest of the time nothing.

I didn't have time to mess with the code and try different modulation frequencies yet. But it's definitely a cool toy! :D

Would you mind sharing details about your setup? I assume you have an Android phone since in mobile Safari you can't access the mic, full stop.

I'm also curious to hear what the error was. Do you mean an error occurred in the JS console? That isn't supposed to happen in any event.

If you want to more thoroughly test, try https://quiet.github.io/quiet-profile-lab although it's worth noting that this tool can only work on one device, transmitting to itself

Finally, it's intended to be a production library, not just a toy ;)

edit: it's worth noting that if your receiver is Firefox, you'll never get anything from ultrasonic. That's because Firefox resamples to 32kHz, cutting off any frequencies above 16kHz

My apologies for calling it a toy!! ;-) Still fun to play with though ;-)

I used Chromium Linux on the laptop and Chrome for Android on the phone end. I normally use Firefox as my main browser but I opted for Chrome because I assumed it was a PoC and you'd need a lot of uninteresting work to make it smoothly cross-browser and most people here develop for Chrome first--I'd save that effort for the weaponised exploit ;) Or production library, in your case ;) (what is the use case there btw?)

Thanks for the heads-up on Firefox's resampling, so I know not to try that ;) Wonder if they chose that for security reasons? Seems a solid protection exactly against this. If so, then comes the question how good their lowpass (resampling) filter is, if nothing leaks through and you can't secretly grab ultrasonics anyhow via longer statistical methods trying to infer which freqs are aliased and which aren't :)

So, I tried the audible signal first, to be sure it was making sound (I have my Firefoxes locked down rather tightly, JACK and PulseAudio often fight, so unless it's a mediaplayer or audio-production tool, it doesn't make sound usually). But Chromium did (after re-enabling Pulse). I got decent results for both ways (sometimes partial text, I didn't try images), so recording worked too and the multimedia JS code seems to work fine.

One idea on that end; And I never wrote JS audio (I plan to, though) so I don't know if this is hard, but maybe next to the "listen" buttons, you could add a simple VU-meter bar for the mic, so I can clap my hands and check if the mic is indeed receiving (maybe your profile-lab already does this, haven't checked).

The error I saw looked like an intentional popup-message you wrote in the code. It was a modal DIV popup, styled like the site, more like a debug message perhaps. I didn't quite understand it, so I don't remember it exactly: that it received 1/100 packets, and failed checksum ... sorry I can't be more specific, I only saw it once. It seemed to indicate it detected one packet but it was an incorrect one, or something similar. Given the config mentions CRC checks, I assumed it was that.

I didn't check the JS console for messages, but the behaviour of the site didn't indicate to me that there were actual JS errors.

Extra info: The sound from Chromium Linux was played through high quality large speakers, the microphone is built-in (Eee 1215B netbook, rather old thingy) so probably not very good. On the phone side, it's running Cyanogenmod on a Samsung S4. I believe the mic on the phone is better than on the laptop because it's rather old and quite noisy.

Is there a reason the profile-lab tool only works for one device transmitting to itself? Cause that's part of the fun (yeah yeah no toy :p), transmitting data between two devices that have no connection to each other. If I was to be thorough, I'd set it to airplane mode just to prove the fact :)

I'll have another play with quiet.js and also the quiet-profile-lab. If I see the error message again or find anything I didn't describe above, I'll report back. If you got any specific things you'd like me to test, let me know.

It's a legitimate way to transfer data. I linked it here in a discussion about something more surreptitious but I doubt it'd actually be useful in that context. Think of it like an audio QR code -- anywhere a QR code might be useful, this could also be useful. And it already is pretty much fully cross-platform.

Firefox downsamples in order to save CPU cycles on noise reduction and echo cancellation.

Also yeah, I forgot about the div that gets added. Since that page is just a demo, I don't necessarily see any reason to display additional receiver info. The hope is that this is a workable library that won't put a lot of burden on the end-user in order to confirm it's working. Perhaps all that's missing here is looking at signal energy just to confirm that the mic isn't muted, and displaying something if it is.

The lab only transmits to itself because of UI sync difficulties. It is on my road map to come back to this later, but essentially the issue is that the receiver has to have the same setup as the transmitter, which would require some out-of-band method to sync up. Running it on my laptop seems to be a perfectly workable way to test the config.

Ok, followup:

First, I played again with quiet.js

This time it seemed harder to get it to detect even audible signals. I'm pretty sure I don't have more background noise today than yesterday, but my laptop fan can be pretty loud (and is less than a foot from the mic), so maybe it's spinning louder today.

I have to hold my phone (mic) real close to the speakers to get it to do anything (yesterday as well, btw). The other way around, I also have to hold my phone (speakers) real close to the laptop mic. But IMHO that might be more expected since the phone speakers are so tiny and tinny, and the laptop mic is so crappy.

I also got the error messages again! (and I misremembered, they're not modal). Seems it's just the message you get when it loses some packets. Yesterday I just happened to get either 100% loss or perfect transmission, so it wasn't immediately clear what ".. set the volume to 50%. Packet Loss: 1/1 (100%)" meant. For a production library, I'd definitely take note, for usability. I'd like to have a clear indication that the mic is actually receiving (can be very minimal, even just a little circle that fades from black to red depending on the level). Also "set volume to 50%" is (for me at least) quite ambiguous :) I have ALSA, Jack and Pulse applying their dB levels, through my laptop jack to my stereo amp which has again a big volume button, I won't even ask what is 50% here, because there is no answer :) I presume this is to prevent distortion artifacts, which may be present on phone and laptop speakers (but not my big ones ;) Are there maybe any modulation schemes that are (somewhat) robust against (overdrive/amp) distortion?

Here's screenshots of the messages: http://imgur.com/a/4x3Tu . First one is mobile (receiving), also IIRC that's the exact message I got yesterday on the laptop. The second one is from the laptop today (also receiving), only after seeing that message I understood what the earlier really meant because the numbers were more arbitrary ;) (1/15 7%)

I didn't try the ultrasonic frequencies because I couldn't get the audible ones to work reliably (I'll leave the no-fun debugging of something you can't hear to the professionals ;) )

Then I tried the quiet-profile-lab. I can't get it to work. The mic frequency spectrum visualiser works well, showing frequencies as expected, also for other sounds like clapping my hands. But "Frames Received" stays at 0. Screenshot: http://i.imgur.com/Jj0UWwx.png -- I set the centre frequency to 8kHz for this one, because it has a lot of noise on the low and the high ends. The low noise is probably the crappy mic, but the high-freq noise is somewhat surprising to me. I'm not sure at what freq my laptop-fan is whooshing, but it sounds like a low-mid tone plus mid/high-mids noise to me (based on the sound, not visualiser). Also tried other centre-frequencies, no luck.

Oh WOW, trying quiet-profile-lab on my phone, the mic is so much clearer, it's not even funny, check the screenshots: http://i.imgur.com/iUpWpOW.jpg http://i.imgur.com/MtrEYrb.jpg loud and clean signal at 4kHz (centre freq) and a much quieter harmonic at 8kHz (and you can even see a tiny 3rd harmonic at 12kHz). And also in the ultrasound, look at this nice clean spectrum: http://i.imgur.com/9DUO7V7.jpg

So, I guess if you guys want to improve accuracy on crappy systems like my laptop, you may get much better results after a noise-removal filter? From experience a lot of my laptop mic's noise is quite stationary. A tip: the Audacity wiki on its noise-removal filter is quite extensive, technical and informative. Also the (C++) source code for that filter is surprisingly readable (bit long, but most of it is comments). Reading it, I gained a lot of respect for that feature and believe it's one of the better ones out there (definitely in FOSS).

Sorry I'm not going to play with the quiet-profile-lab on my phone much further, because it's not a toy and I've already spent 1.5 hour on my saturday evening ;-) [what can I say, I love DSP, and I love side-channels]

Friendly advice on the quiet-profile-lab UI (even though it's not for production): You got the settings left and the output right. Occasionally, a change in settings wasn't always applied right away, so I figure it would be nice if the output column would display a short summary of the parameters on the left, that it is currently playing.

I'm not that familiar with various modulation / operating modes, but I assume the flow goes like: listen to sound > detect a packet > decode+checksum the packet. Maybe it'd be nice to visualise this onto a slow-moving (cyclical buffer) waveform of the mic input: black=just sound, blue=possible packet, red=decoded bad checksum, green=decoded correct checksum.

So! I hope this extensive feedback is useful to you! Sorry if it's a bit rambling but it's weekend so I'm not going to edit (the thread is old enough I'm sure no one will mind this mammoth post). If you've got a cool new feature or improvement in your library, I'd love to hear about it and you can hit me via email (see my profile).

afterthought: it's kind of disturbing the difference in perceived level between 14.5 and 15.5 kHz, I can hear it but need to turn it up quite a bit, I am 35 years old. Even higher and it disappears further but replaced by a cleaner mid-frequency "windy" noise (that isn't quite there at lower centre freqs). quite a difference from when I tested my hearing range using pure sine tones generated in audacity (when you do this, tip: always add a fade-in otherwise the click makes it even harder to tell if you're hearing something or not). also I really feel for the person who has to test this setup every day ;-) given it's a serious project, do you ever invite kids into your office? I work with kids in a creative science-lab / hackerspace type of centre, so we did the hearing tests a couple of times, as I said for the 15kHz I need to turn it up to be able to hear it clearly, when I did that with kids in the room (ages 9-13) they were all like "AAAAAAAAAAAA TURN THAT OFF!!" at the level when I felt, "I can comfortably detect this tone". And kids can easily hear a few kHz's higher than that even. But for me, the perceived level sharply plummets after a certain frequency. So maybe interesting to check, those sounds you perceive as barely audible might be distressingly loud beeps for other people. (fun fact: on the low end, 20-30Hz, seems we're all pretty much equal regardless of age--you need quality headphones to test those freqs though or the sound you think you hear is in fact harmonics from distortion).

Thanks for all the testing and feedback. I'm just as baffled by the high frequency noise in your mic -- I've never seen anything like that, but I don't have a ton of extensive tests. Given the even spacing of it, some of it looks to be harmonics?

Overall, I'm not really sure how much faith I'd place in noise reduction here. I feel that in general, applying another non-linear process to the signal may just make matters worse. It's hard for me to say since all of the noise I've encountered has been low-frequency ambient/fan noise, which can be easily avoided by just shifting the signal further up. At any rate, the process of cancelling noise for human speech versus modulated tones would look completely different. The hardest obstacles to overcome so far have been non-linear blocks in the receiver, which cause much more distortion than tinny speakers or a mediocre mic.

> One nefarious method malware could use to get data off the device without RF would be to play sub 20kHz audio through the speakers, assuming there was a device with a microphone near by that's able to receive the signal, and of course that the speakers can play a frequency that low.

did you mean to say "sub 20 Hz"? or rather the ultrasound between 20kHz and 22kHz?

it's a bit ambiguous cause both 20 Hz and kHz are lower and upper ranges of human hearing, respectively.

if you meant the lower, then no. mobile speakers already almost entirely lack power in the musical bass frequencies (50-150Hz roughly), let alone the infrasonic ones. if the speaker would even have a response to such a signal, it's not going to have a lot of range. .. a sub-20Hz audio signal has a wavelength of more than 17 metres in air, I'm not sure if that's physically impossible, but I'm having a hard time imagining that tiny tweeter to manage such a signal (my knowledge is mostly with digital signal processing, not entirely sure about what speakers can do, Bose has done some pretty amazing room-shaking bass with very clever tiny speakers, that seemed impossible to me as well, has to be some trick there). And then, doing it without getting harmonics in the audible spectrum! :)

It would be around/above 20KHz, not below; our hearing is theoretically ~20Hz-20KHz (though almost no one starts out actually able to hear that high and the high frequencies decrease with age). AD/DA converters will also apply a low pass filter below Nyquist to prevent aliasing - assuming they are operating at 44.1/48KHz (and even if they are spec'd higher there's no real reason they'd always be running the higher rate), Nyquist is about 21KHz, though filtering lower than that is beneficial as it allows them to employ a less steep slope on (very steep filter slopes can create artifacting of their own). The small speaker set up in your average phone would be quite capable of outputting 18-19KHz, which is still outside most people's hearing range, and unless you're particularly attuned to high frequency audio you might not notice or work out what it was anyway.
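An added example (not from the thread and not quiet.js code) of two points made above: a 48 kHz capture can carry an 18.5 kHz tone that a band-energy check flags, while a receiver that resamples to 32 kHz has a 16 kHz Nyquist limit and sees none of it once the anti-alias filter has done its job. The tone frequencies, the 121-tap Hamming low-pass and its 15 kHz cutoff are assumptions chosen for the illustration, not Firefox's actual resampler.

```python
import math

FS_IN, FS_OUT = 48000, 32000   # capture rate, and the 32 kHz rate mentioned in the thread


def make_capture(n, fs=FS_IN):
    """Constructed test signal: 1 kHz tone (amplitude 0.5) plus 18.5 kHz tone (0.2)."""
    return [0.5 * math.sin(2 * math.pi * 1000 * i / fs)
            + 0.2 * math.sin(2 * math.pi * 18500 * i / fs) for i in range(n)]


def tone_power(samples, fs, freq):
    """Goertzel: squared amplitude of the component at `freq` (exact on DFT bins)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(samples) / 2) ** 2


def near_ultrasonic_ratio(samples, fs, lo=18000, hi=20000):
    """Share of signal power in [lo, hi] Hz; bins at or above Nyquist do not exist."""
    n = len(samples)
    first = -(-lo * n // fs)                       # ceil(lo * n / fs)
    last = min(hi * n // fs, (n - 1) // 2)         # stay strictly below fs / 2
    band = sum(tone_power(samples, fs, k * fs / n) for k in range(first, last + 1))
    total = 2.0 * sum(x * x for x in samples) / n  # same scale as tone_power
    return band / total if total else 0.0


def lowpass_taps(num_taps, cutoff_hz, fs):
    """Hamming-windowed sinc low-pass (num_taps odd), normalised to unity DC gain."""
    fc = cutoff_hz / fs
    mid = (num_taps - 1) // 2
    taps = []
    for n in range(num_taps):
        t = n - mid
        ideal = 2 * fc if t == 0 else math.sin(2 * math.pi * fc * t) / (math.pi * t)
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * n / (num_taps - 1))))
    total = sum(taps)
    return [h / total for h in taps]


def resample_48k_to_32k(x, taps):
    """Zero-stuff by 2 (96 kHz), low-pass with `taps`, keep every 3rd sample."""
    out = []
    for m in range(len(x) * 2 // 3):
        acc = 0.0
        for k, h in enumerate(taps):
            j = 3 * m - k                  # index into the zero-stuffed stream
            if j >= 0 and j % 2 == 0:      # odd positions are the stuffed zeros
                acc += h * x[j // 2]
        out.append(2.0 * acc)              # gain 2 restores the level lost to stuffing
    return out


def analyze():
    taps = lowpass_taps(121, 15000, 2 * FS_IN)             # assumed filter
    capture = make_capture(4800 + 90)                      # 90 extra samples cover filter start-up
    resampled = resample_48k_to_32k(capture, taps)[60:]    # 3200 steady-state samples
    return {
        "ratio_48k": near_ultrasonic_ratio(capture[:4800], FS_IN),
        "ratio_32k": near_ultrasonic_ratio(resampled, FS_OUT),
        "speech_tone_32k": tone_power(resampled, FS_OUT, 1000),
        # Where a leaked 18.5 kHz tone would fold to at 32 kHz: 32 - 18.5 = 13.5 kHz.
        "alias_32k": tone_power(resampled, FS_OUT, FS_OUT - 18500),
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name}: {value:.3e}")
```

The `alias_32k` figure is the one to watch when judging a resampler: a weak anti-alias filter would leave the 18.5 kHz tone folded down to 13.5 kHz, inside the band the receiver still captures.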

yup, there are lots of non-EMF ways to get data off a device. iirc it's easier to transmit data with higher (inaudible) frequencies than lower ones.

> Why go through test points rather than directly detecting RF emission?

I'm guessing it comes down to making sure the signal is from the phone and not from an external source.

All modern wireless protocols have multiple devices share a single frequency range. Thus just listening for traffic on those ranges with an antenna will produce false positives.

In addition to the other things people have mentioned, the NSA appears to be fond of retroreflective bugs that don't transmit anything, but reflect incoming signals with modulation.

The problem that got Colvin killed is at the RF/layer 1 layer in the OSI stack... Iridium and Inmarsat phones operate in the L and S bands (1.2 to 2.0 GHz) which is not difficult to do radio frequency direction finding on, if the Tx source remains active. Particularly easy if you have access to Russian military grade DF equipment. The protocol layers and crypto are moot if you are radiating and have a determined DF adversary.

Yeah, I'm not sure if the article starting that way was meant to suggest this device would have saved Colvin or if it was just meant as a vague illustration. Because as it points out, journalists do actually use their phones for calling people and receiving calls quite a lot, so the utility of a phone that is forced offline - for a journalist - would seem to be very low. Why have it powered at all, in that case? Couldn't you just buy a tablet that doesn't have any long-range radios to begin with? WiFi signals don't travel far.

A typical handheld satellite phone doesn't stay powered up and on net much, if it's in a backpack or being carried around... You need to be standing with a clear sky view to use one. But if you're a journalist in a war zone sleeping in the same location 3 or 4 days in a row and making one 5-minute phone call a day, or sending iridium SMS a few times daily from the same lat/long, that is enough to DF you.

If you can't trust your phone, how would you ensure that it doesn't just record everything (audio, etc.) when in airplane mode and uploads it somewhere later, once you disable airplane mode.

Seems to me that removing the battery would be safer.

Of interest perhaps, here is a full source code of an Android phone software and its baseband firmware:


Actually there are some .o files in the baseband but easy to pull apart in IDA. Each one relates to a single .c and there are export symbols.

This does seem feasible for the specific use case of a protected phone for "clandestine" meetings.

My initial thought was they'd have to redesign it for every phone, but that's not necessarily the case. If eavesdropping is such a concern for you, I would think you would be okay with not having the latest gen phone. Or having an old one just for these sorts of cases.

I suppose the concern then shifts to whether this device is easily subverted, or whether it's easy to determine if it has been subverted.

Why does not wanting to have someone eavesdrop on me mean I have to use inferior technology? I find that to be offensive in the extreme. Everyone should be concerned about or more ideally not have to worry about people accessing their phone without their knowledge.

How hard would it be to make the following after-market modifications?

1. add a physical "off" switch that cuts battery power to everything

2. (Hard Mode) Cut power to all radio chips/subsystems (GSM, WIFI, bluetooth) while leaving the rest smartphone operational for taking pictures or recording audio?

How does this address masking "bad" transmissions behind "good" ones? Instead, the spooks will just make sure not to upload your chat logs until you start Tindering the next time, or something.

Interestingly in the paper they address this somewhat for alternatives they discarded. Since they are proposing an introspection engine it should also drown-out the mic and cover the cameras. But then you still have the shock sensor that could record steps. I'm really inclined to think that a true power switch with introspection engine to verify things are really off is a better approach.

Almost like you need a faraday cage for the phone, with an internal antenna, a "router" through the faraday cage that you have hardware/software control, and then an antenna to rebroadcast outside the cage.

Basically, a radio firewall. So you can enforce absolute radio silence if needed. And log the signals.

You know, if we had source access and hardware blueprints to these devices and actually owned them, this wouldn't be a problem.

But trying to solve an obvious problem (proprietary basebands, phones, and hardware) with bandage solutions kicks the problem down the road. We need to liberate the hardware eventually for liberty's sake.

If Freedom of the Press Foundation set up a supply chain of modified phones then the NSA and their ilk will likely intercept and compromise any mailed devices before they reach the intended recipients.

Isn't that device a Faraday cage?

And if you are in war zone - using a phone with removable battery is absolutely mandatory IMO.

As nfjstjstns notes, very often there is "a small second battery connected to the baseband for emergency purposes".

This is entirely false for most modern phones

Except it's not.


Do you have a vested interest in the matter?

I've opened many phones and have one open in front of me. I have schematics of a few open too. Some have supercaps for RTC. No extra batteries.

Show me a picture on a teardown on ifixit with this in a nexus phone?

Or in an iPhone?

No? Yeah...

This same sort of approach has been used by terrorists in the past.


I wonder if the use of the word "betraying" in the title is a subtle jab at Snowden.

Unlikely - the founding editor of The Intercept is Glenn Greenwald, one of the journalists who published the original Snowden stories.

Quite the opposite. The idea is obviously that security agencies are betraying the people.
