Samsung, Nokia say they don’t know how to track a powered-down phone (arstechnica.com)
41 points by dan1234 on Nov 12, 2013 | 51 comments



They are probably not even lying that the baseband processor is shut down by the application processor, as it controls the power and system clocks.

But the dirty little secret is that the baseband processor is still a completely uncontrolled subsystem, loaded with some proprietary binary blob by trustworthy companies like Qualcomm. GPS and even the microphones are usually integrated into the baseband, not part of the application processor that runs your Android. So you have a perfectly capable ARM processor running a proprietary RTOS system, written completely in C (or C++ occasionally) with access to all the vital periphery and a gigantic attack surface in dealing with all the mobile communication protocols. The only reason there hasn't been a complete breakdown yet is that it's difficult for amateur researchers to exploit: you need expensive RF hardware, and the mobile communication protocols are huge bodies of closed, committee-designed standards. But it is without a doubt in the reach of the NSA, and they are probably actively exploiting baseband processors already.

(Interestingly, since baseband processors have grown in complexity, most smartphones can now update the firmware on them, so there are lots of firmware images floating around. I highly recommend just even running strings on them; it's quite enlightening. Some examples from a Nexus 4 radio:

    Failed do spoof USB cable disconnection
    Assertion os_mutex_pool_ptr[mutex_index_in_pool].is_available == 0 failed
    hsu_al_ser_open: hsu_al_ser_base_open for port NMEA (%d) returned failure
    Conversion to UTF-16 failed! Returned %d, expected %d
    Unexpected IP family %d - assuming IPv4
    inflate 1.2.3 Copyright 1995-2005 Mark Adler 
    Received ARP Request
    CxM - Received WLAN Early Grant Release
(Yes, these are format strings! And this device has all the good stuff: classic 2005 zlib, a homebrew network stack, homebrew character conversion routines, homebrew operating system, homebrew USB stack...)
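The `strings` triage described in the comment above, as an added example that is not part of the thread: a small Python script that pulls printable runs out of a firmware blob the way `strings` does, then flags the two things a reviewer cares about first, strings containing printf conversion specifiers (candidates for a format-string review) and strings carrying a third-party component version (here the 2005 zlib). The sample image is constructed from the strings quoted above with made-up padding; the function names and thresholds are my own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "firmware image": binary padding with printable strings
# embedded, using the strings quoted from the Nexus 4 radio above. The layout
# and padding bytes are made up; this is not a real radio image.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\xff\xfe"
    b"Failed do spoof USB cable disconnection\x00"
    b"\x00\x00\xfe\xff"
    b"hsu_al_ser_open: hsu_al_ser_base_open for port NMEA (%d) returned failure\x00"
    b"ok\x00"  # shorter than min_len, so not reported as a string
    b"Conversion to UTF-16 failed! Returned %d, expected %d\x00"
    b"\xde\xad\xbe\xef"
    b"Unexpected IP family %d - assuming IPv4\x00"
    b"inflate 1.2.3 Copyright 1995-2005 Mark Adler\x00"
    b"\x00\x00\x00\x00"
)

# printf-style conversion specification: flags, width, precision, length, type
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)
# x.y.z version number, as embedded by many third-party libraries (zlib here)
VERSION = re.compile(r"\b(\d+\.\d+\.\d+)\b")


def extract_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII with their offsets."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_format_strings(strings: List[Tuple[int, str]]) -> List[Tuple[int, str, int]]:
    """Strings that contain printf conversion specifiers, with the specifier count.

    Worth reviewing because the RTOS hands them to a printf-like logging
    routine; the question for a reviewer is whether any externally supplied
    data (e.g. a port name) can ever end up in the format argument.
    """
    out = []
    for offset, s in strings:
        n = len(FORMAT_SPEC.findall(s))
        if n:
            out.append((offset, s, n))
    return out


def find_versioned_components(strings: List[Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Strings carrying an x.y.z version, for a third-party component inventory."""
    return [(s, m.group(1)) for _, s in strings for m in [VERSION.search(s)] if m]


def triage(blob: bytes) -> Dict[str, object]:
    """One-shot summary a reviewer would start from."""
    strings = extract_strings(blob)
    fmt = find_format_strings(strings)
    versions = find_versioned_components(strings)
    return {
        "total_strings": len(strings),
        "format_strings": len(fmt),
        "versioned_components": versions,
    }


if __name__ == "__main__":
    for offset, s, n in find_format_strings(extract_strings(SAMPLE_IMAGE)):
        print(f"0x{offset:06x}  {n} specifier(s)  {s}")
    print(triage(SAMPLE_IMAGE))
```

On a real image you would feed the radio partition to `extract_strings` and diff the versioned-component list against the library versions with known fixes; the format-string list is a starting point for a code review, not proof of a bug on its own.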


The only proper way to turn off a phone is to remove the battery, in lieu of nuking it from orbit (just to be sure).


But is that the only battery? Is there a battery or cap powering the clock for example? Can that be corrupted?


Phones certainly don't have big enough capacitors to store enough power to run a radio. There's probably only a few pF of capacitance in an entire iPhone for example, though it not having an easily removable battery makes that a little moot.


I've had a look at a few teardowns but can't find another battery. My 'phone copes with the battery being removed while in offline mode so there's power somewhere.


But they probably do have enough power somewhere to silently turn themselves on, say briefly, according to some schedule or event. Not saying it's being done, but it could be done.


Where? No other components store power in any way. There's a few small capacitors lying around, but they're so small that you could never power anything from them. If something like this existed, people would have noticed a long, long time ago.


The "battery to keep your clock on time problem" was a problem of the offline PC world. Cellphones just need to get network time when they boot if they lost time. Thus manufacturers shouldn't need to include a separate clock battery in the limited space on a phone body.


Sorry, you're wrong.

Samsung Galaxy S1:

http://www.techinsights.com/uploadedImages/Public_Website/Co...

The internal battery is located at the top-right - a circular coin cell soldered to the board.

Samsung Galaxy S2:

http://i295.photobucket.com/albums/mm148/rprosperojr/IMG_120...

The internal battery is located at the center-top.

Edit: In case of the SGS2 it's located next to the WLan/BT module.


That's no good. You might power your phone back on in an area without network coverage, or the signal might take too long to receive after power up, or you are running in flight mode on a plane, or ...

Basically, you still need a local clock.


A Faraday cage should also ensure that no one can track you.


Totally unrelated, but I'd like to quote something you wrote on the 'academia vs industry' thread. Could you please contact me? (email in my user profile)? Thanks! (this would only work if marvin is monitoring his comments; apologies for the noise, everyone...!)


As seen on KS:

http://offpocket.com/


Seems like the price is a bit steep for a little bit of fabric.


Indeed, a metal cocktail shaker works as a Faraday device as well.


Maybe a use for that old microwave.


or a tinfoil hat!


Cryptophone GSMK has a 'baseband firewall' that will shut down the stack if it's continuously active without the application CPU also being active, meaning shenanigans are afoot, like being spammed with type 0 SMS to track you silently. They test it by walking into airports, which all have some kind of national security baseband attack going on.


That's nice, but it is one hell of a side channel :)

Some people have been trying to implement detection for e.g. silent SMS or IMSI catchers in osmocombb (the first open source baseband), see [1], but there doesn't seem to be any recent progress.

1: https://opensource.srlabs.de/projects/catcher/wiki
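The two detection ideas in the comments above (baseband activity while the application CPU sleeps, and bursts of type 0 "silent" SMS) as an added example, not code from GSMK, osmocombb or anyone in the thread: a Python detector run over a constructed event log. The event format, thresholds and function names are my own assumptions; a real implementation would get these events from the baseband/AP interface.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    t: float    # seconds since boot
    src: str    # "ap" (application processor) or "bb" (baseband)
    kind: str   # ap: "active" | "sleep"; bb: "tx" | "sms_type0" | "sms_normal"


# Constructed event log (not captured from a real device). The AP sleeps
# twice; during the first sleep the baseband transmits four times and
# receives three type 0 ("silent") SMS; the second sleep shows a single
# transmission, which is what a routine periodic location update looks like.
SAMPLE_LOG: List[Event] = [
    Event(0.0, "ap", "active"),
    Event(10.0, "bb", "tx"),          # AP awake: transmissions are expected
    Event(60.0, "ap", "sleep"),
    Event(120.0, "bb", "tx"),
    Event(180.0, "bb", "sms_type0"),
    Event(200.0, "bb", "tx"),
    Event(240.0, "bb", "sms_type0"),
    Event(260.0, "bb", "tx"),
    Event(300.0, "bb", "sms_type0"),
    Event(320.0, "bb", "tx"),
    Event(400.0, "ap", "active"),
    Event(500.0, "bb", "sms_normal"),
    Event(600.0, "ap", "sleep"),
    Event(1200.0, "bb", "tx"),        # one location update per sleep: normal
    Event(1800.0, "ap", "active"),
]


def ap_sleep_intervals(events: List[Event]) -> List[Tuple[float, float]]:
    """Pair each AP 'sleep' with the next 'active' to get (start, end) windows."""
    intervals, start = [], None
    for e in sorted(events, key=lambda e: e.t):
        if e.src != "ap":
            continue
        if e.kind == "sleep" and start is None:
            start = e.t
        elif e.kind == "active" and start is not None:
            intervals.append((start, e.t))
            start = None
    if start is not None:                      # still asleep at end of log
        intervals.append((start, max(e.t for e in events)))
    return intervals


def tx_while_ap_asleep(events: List[Event], max_tx_per_sleep: int = 2) -> List[Dict[str, float]]:
    """Sleep windows in which the baseband transmitted more than expected.

    A threshold rather than 'any transmission', because a normal network
    still triggers periodic location updates while the AP sleeps.
    """
    alerts = []
    for start, end in ap_sleep_intervals(events):
        n = sum(1 for e in events if e.src == "bb" and e.kind == "tx" and start < e.t < end)
        if n > max_tx_per_sleep:
            alerts.append({"sleep_start": start, "sleep_end": end, "tx_count": n})
    return alerts


def silent_sms_bursts(events: List[Event], window: float = 600.0, threshold: int = 3) -> List[Dict[str, float]]:
    """Groups of >= threshold type 0 SMS arriving within `window` seconds."""
    times = sorted(e.t for e in events if e.src == "bb" and e.kind == "sms_type0")
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append({"start": times[i], "end": times[j], "count": count})
            i = j + 1
        else:
            i += 1
    return bursts


def analyze(events: List[Event]) -> Dict[str, object]:
    tx_alerts = tx_while_ap_asleep(events)
    bursts = silent_sms_bursts(events)
    return {
        "sleep_windows": len(ap_sleep_intervals(events)),
        "tx_alerts": tx_alerts,
        "silent_sms_bursts": bursts,
        "suspicious": bool(tx_alerts or bursts),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The thresholds are the whole game here: set `max_tx_per_sleep` below the number of routine location updates your network performs per sleep window and you get the side channel the reply above jokes about, a detector that fires on every normal night.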


I guess end to end encryption with Redphone or Ostel would defeat stingray/IMSI catchers but no idea with type 0 SMS spam tracking. Use a Faraday pocket :/

Chaos Computer Club reverse engineered some Qualcomm basebands to find them running in ARM supervisor mode with no NX bit. NSA must love that.


"Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to “find cellphones even when they were turned off.”"

Since this technique pre-dates smartphones, it is unlikely to involve installing software on the phone. At best, the NSA might have found that a given model of phone didn't properly power-down its radio when the phone was powered-down. Given access to the cellular network it might be possible to ping the phone and make it disclose its position via triangulation.

Very hard to see how this could be anything other than deliberate disinformation by the NSA though.


A remote command capability was revealed in the trial of a mob boss. The FBI used a non-smartphone as a room bug. A reasonable surmise is that the phone can be commanded to periodically power on and listen for commands. Those commands could include turning on the speakerphone, jacking up the AGC, and auto-answering without indicating the phone is on.

Turning on periodically so it can be tracked would be one part of what it takes to implement a room bug.


There's tracking a phone while it's off, and then there's realtime tracking of a phone while it's off. Two very different things, and two very different attacks.

"a new NSA technique enabled the agency to find cellphones even when they were turned off"

The current administration is very careful with choosing their words. I haven't seen WP's source, but I wonder if this is more about the phone blipping its receivers to record some local MAC addresses and scrambling codes and then uploading the data the next time the phone's powered on.

You know when the word "collect" doesn't mean what you think it does, I wouldn't bet on nailing the word "find". :-)


Personally I've never understood why, with every single laptop and mobile I've ever owned (where I could remove the battery), if I turned off the device with a full battery, eventually the battery dies...

Yet if I power off the same device, take the battery out and leave it for the same amount of time, then put it back and power it on, it's a full battery...

On the same note, my iPhone 4, 15" MacBook Pro w/ Retina, and Lumia 925, all when turned off completely, eventually the batteries die...

Just slower than if they were turned on...


Just guessing, but a battery inside a computer/phone, even if turned off, is probably still powering at the very least a few wires. Even if they don't go anywhere (i.e. they are not connected anywhere else) they probably are slowly eating away the battery. On the other hand, I don't know how modern computers/phones turn off, but I doubt they involve a full circuit cut (i.e. there is no big red button making a click sound and closing all wires coming out of the battery).


From what I found with my phone, I would like to confirm that even if the phone is turned off, power is still supplied to a few wires. When I remove the battery from my phone and then put it back and turn it on, it would ask me to configure date settings. But if I just turn the phone off and then turn it on, it doesn't prompt me to configure date settings. So I can tell that at least the clock on my phone uses the battery even when the phone is turned off.


Two reasons:

1. Battery leakage. You can't charge a battery and leave it somewhere disconnected and expect to come back to a full charge. Small amounts of power leak all the time. Look for "self discharge". There are lines of batteries (particularly Sanyo Eneloop) that are marketed as low self discharge, i.e. they can be stored charged and will still be usable in time. There is still a high resistance when something is connected, which is enough to help with self discharge.

2. Most phones have a non mechanical on/off switch so a tiny bit of current is still used to have soft on/off functionality and watchdog circuitry online.


That's one reason I nearly never use my smartphone.

My old Nokia dumbphone has a battery life of more than 2 weeks. But the Motorola Defy+ will eat a full battery even after shutdown within a week. So it does not even make sense as a waterproof camera for sailing.

As a result: the Defy+ is eating more battery when powered down than my old Nokia when powered up. IMHO, that's enough power to say "here I am" regularly.


Does your laptop support Wake-on-LAN[1]? I know I have it activated (and sometimes use it), which means though that it doesn't power down 100%, since the NIC still has to be reachable by magic packets. That's just one reason why it might still drain battery.

[1]: https://en.wikipedia.org/wiki/Wake-on-LAN
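What "reachable by magic packets" means on the wire, as an added example that is not from the thread or from any WoL tool: a Python parser for the Wake-on-LAN magic packet format (6 bytes of 0xFF, the target MAC repeated 16 times, optionally a 4- or 6-byte SecureOn password), plus a scan over constructed UDP datagrams that reports who tried to wake which MAC. The sample addresses and datagrams are made up; `build_magic_packet` exists only to construct test input.

```python
from typing import List, Optional, Tuple

SYNC = b"\xff" * 6          # magic packet synchronisation stream
MAC_REPEATS = 16            # target MAC repeated 16 times after the sync stream


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a standard WoL magic packet for the given MAC (used here only to
    construct sample input; any WoL tool produces the same bytes)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6 or len(password) not in (0, 4, 6):
        raise ValueError("need a 6-byte MAC and a 0/4/6-byte SecureOn password")
    return SYNC + raw * MAC_REPEATS + password


def parse_magic_packet(payload: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (target MAC, password) if payload is a well-formed magic packet, else None.

    The sync stream may sit anywhere in the payload, so search rather than
    require it at offset 0; everything after it must be exactly 16 copies of
    one MAC, optionally followed by a 4- or 6-byte SecureOn password.
    """
    idx = payload.find(SYNC)
    if idx < 0:
        return None
    body = payload[idx + len(SYNC):]
    if len(body) < 6 * MAC_REPEATS:
        return None
    mac = body[:6]
    if body[:6 * MAC_REPEATS] != mac * MAC_REPEATS:
        return None
    password = body[6 * MAC_REPEATS:]
    if len(password) not in (0, 4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac), password


def find_wake_requests(datagrams: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str]]:
    """Scan (src_ip, dst_port, payload) UDP datagrams; list who tried to wake which MAC."""
    hits = []
    for src, _port, payload in datagrams:
        parsed = parse_magic_packet(payload)
        if parsed:
            hits.append((src, parsed[0]))
    return hits


# Constructed sample traffic: one genuine wake request, one NTP-sized payload
# that is not a magic packet, and one packet whose MAC run is corrupted.
# Addresses are made up (documentation range 192.0.2.0/24).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", 9, build_magic_packet("00:11:22:33:44:55")),
    ("192.0.2.11", 123, b"\x1b" + b"\x00" * 47),
    ("192.0.2.12", 9, SYNC + b"\x00\x11\x22\x33\x44\x55" * 15 + b"\x00\x11\x22\x33\x44\x56"),
]

if __name__ == "__main__":
    print(find_wake_requests(SAMPLE_DATAGRAMS))
```

The point for the battery question is that the NIC has to keep enough of itself powered to match those 102 bytes against its own MAC at all times; the point for a defender is that anyone on the broadcast domain can send them, so wake events are worth logging if WoL is left enabled.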


Oh, didn't even know that existed. When I fire up my laptop I'll take a look. Cheers.


If I were tasked to implement this, I would arrange for the phone to appear to be powered down when in fact it is not, and for malware to do this when shutting down from inside the normal OS. If you "powered off" from software (by shutting down from a menu or holding the power down until the screen goes blank, but not the many seconds it takes to trigger a more hardware-level hard power off), then I would make the screen go blank and make all other inputs unresponsive, except for the normal power on input.

For bonus points, I would arrange for the baseband to transmit only very minimally as necessary, so it isn't noisily detectable from RF pickups such as nearby speakers.

The technical details would get simplified, and management would hear that I can track a "powered-down" phone.


That's exactly what FinFisher police spyware does: pretends to shut off your phone but the mic is still recording.


Thanks to Snowden we know the NSA backdoor crypto code and have leverage over the telcos to get the help they need. We also know that solutions are plausibly deniable as far as the big name companies that we know about. So the same thing could go on here.

If I had to put this in place I would get something that worked even if there were no cellphone masts in the area. Get the radio to listen to something entirely different, broadcast from some box that could be put in a car or in one of those electronic listening planes the military have. Have it work at the radio level on the phone so the CPU does not need to be used. The reply could be an entirely different identifier to the IMEI or SIM identifier, with it being a simple database 'select' to get these codes.


If there's any sort of oscillator still running in the phone, or any other circuit switching with a predictable pattern of rising/falling edges, you'd think it might be possible to pick up EM radiation with a sensitive enough receiver/antenna.

A bit more "out there", maybe it is possible to pick up a powered down antenna? Think that an antenna is a (typically passive) conductor, designed to resonate at a particular frequency. If the antenna is irradiated with that frequency, wouldn't the antenna couple to the field and disturb it in some way? If those disturbances can be measured, then the antenna (and consequently the phone) can be detected.


Sounds like you're describing The Thing[1]. It might work -- but then how could you tell cellphones apart?

[1]: https://en.wikipedia.org/wiki/Thing_%28listening_device%29


My Sony Ericsson K310i used to discharge in a week when turned off with a SIM-card present and only lose 5% in a month when turned off with SIM-card removed.

At the time I thought it was due to poor power management, but now it really makes me wonder.


I wonder how a hypothetical 'bugged' phone would do the data transmissions? I used to have a phone on a contract that had excessively high data charges. As a result, I only used it for voice / SMS. If a bug had been planted on it, and it used normal IP networking, it would be obvious when I got my bill.

I wonder if there are ways that a pwned phone could transmit to an attacker without hitting the billing system? Non-billed SMS? Or are there other techniques on GSM? (e.g. network operator updates get pushed to phones and they aren't billed; there must be some other low-level two-way messaging capabilities)


The tracking might refer to listening to conversations that take place near a shut-down phone. The technique might be similar to the one used in laser microphones (http://en.wikipedia.org/wiki/Laser_microphone), but instead of measuring vibrations, to measure the electromagnetic field variance of the phone's microphone.


Are NFC enabled 'phones both NFC devices and NFC readers or just NFC readers?

If they start adding RFID tags to 'phones, the only safe way to not be tracked will be not to carry the 'phone.


In some devices the NFC transceiver is part of the battery; assuming it has its own CPU and firmware, it could be easily exploited to be trackable from relatively large distances.

Other "near field" devices, such as payment cards and passports, have been successfully communicated with or exploited using directional antennas from further away than you might think.


How about a Faraday cage for your phone?


Why is it that when flying, we are sometimes requested to put phones into flight mode before switching them off?


At a guess it might be so that if you turn it back on during flight it's already in airplane mode?


Good thinking.


One of the ways that could be used to track feature phones while they were switched on, however, was sending specially crafted messages to the phone that would force a location update, which you can use to grab the cell ID, and basically determine movement once you have a few of them.


As long as we have non free software running on their phones, it would be hard to believe the claim as is.


Why?

It's quite possible to check if a phone is transmitting, without even opening it.

Additionally, it is usually possible to see what parts of a device are consuming power (or at least have current).


Though, it might not be transmitting all the time when off. Imagine a schedule when a switched off phone transmits once a day, at a random time. Although it is not impossible to record such transmissions, it isn't quite simple.


It doesn't need to transmit. Perhaps it is just listening and recording signals from cell towers, wifi, gps etc? When the phone is turned 'back' on by the user, it could then transmit these at will.


Spread spectrum, if done properly and below noise level, is virtually undetectable - especially if the noise level is dynamically measured, rather than just modeled.


Never go outside without a large hat. Switch vehicles at underpasses or car parks. Don't forget the milk.



