While not discussed in this 3-minute news story, you don't have to be making a call for your phone to connect to a simulated cell phone tower; it will try to connect to the strongest tower it can find automatically. Once your device is connected to a simulated cellphone tower, the attacker has complete access to your phone: they can activate the microphone even when you're not on the phone, use the camera and can even install spyware onto your device for use at a later time.
Hardware level vulnerabilities limit the effectiveness of software level security, so you need to take steps to protect yourself. The threat is very real and the technology is available to anyone for as little as $250.
I certainly encourage you to look around the blog to get an idea of just how vulnerable your cell phone actually is.
When a business allows the regular use of cellular phones in the workplace, the first thought is that by doing so the business empowers the employee and boosts their productivity.
After all, today’s smartphones can provide a near-virtual office on the go. Constant connectivity via text and email, teleconferencing, the ability to upload and download documents easily, the list is endless of how many ways smartphones enable employees to stay on the job no matter where they are and at any time of day.
What most businesses don’t realize is that by allowing the regular use of cellular phones in the business environment, sensitive and critical information related to their operations is put at risk. Every major business will say that information security is a top priority, yet allowing the regular use of cellular phones in the business environment can severely undermine that priority without the proper security measures in place.
Every function that makes these devices useful can also be infiltrated in a variety of ways; the smarter the phone, the more ways it can be used for surveillance. Eavesdropping on conversations on or off the phone; downloading, sending and deleting sensitive documents, the ability to read, copy and forward email, even visual spying in real time, Wi-Fi snooping and more can be done with surprising ease and relatively little cost. Such infiltration can lead to alarming amounts of information gathering that poses a serious threat to the proprietary information of a business.
In fact, the microphone can be open virtually all the time, which enables eavesdropping on face-to-face conversations. One under-appreciated example of this would be in newer phones with a Droid OS; all that’s needed to wake up the phone is to speak “Ok, Google” into it. Bottom line, devices and facilities need to be secured from this threat.
Downloadable “cell phone spy-ware” is easily found on the internet and can be priced as low as twenty dollars; more expensive programs can even be remotely installed. Using these programs, a phone spy can take over the phone and do whatever they want with the stored data in addition to using the phone’s microphone, GPS, camera and every other function on the device they attack. Information stored on smartphones can be retrieved, collected, transmitted and removed from the targeted device via any connection to it, whether it’s a cell tower, a radio connection or an internet connection.
Your cell phone can spy on you just because it’s in the same room with you; you don’t have to be using it. Cell phone spy-ware as well as downloaded applications installed on a smartphone can use the device’s various sensors, including the camera and microphone, to perform surveillance, all of which can be recorded. These types of software packages are the lowest-cost and simplest way to attack a phone, including more expensive versions which can be installed remotely. Common criminal use for this type of attack includes industrial espionage, identity and data theft, domestic violence and stalking.
This brings us to an important tip to immediately improve your security protocols:
If you or your organization lists cell phone numbers on your business cards, immediately stop using them. Dispose of them as you would other sensitive information and have them reprinted without the cell phone numbers on them. It’s time to acknowledge that your cell phone is a powerful computer that is loaded with sensors and strapped to a wireless router and a radio, none of which you have much control over. Your cell phone number has really become your cell phone’s “network address” (think IP Address); it should be treated as such.
Office phone systems usually have a forwarding feature as a standard feature and it’s really time to put it to use; only give out your desk phone number and have the office phone forward your calls to your cell phone. This methodology for network address management should sound familiar to information security professionals.
We’re going to step the skill level and budget up a notch now and discuss how a person can access a smartphone, bypass encryption, track its movement and monitor its activity and data by using a piece of hardware called an “IMSI catcher”. IMSI stands for International Mobile Subscriber Identity and it is the primary identifier for the subscriber of cellular service; this number is typically tied directly to whoever pays the phone bill. The function of IMSI catchers is to appear to be the best cell phone tower in the area (known as cell tower spoofing) so that phones within range of the IMSI catcher attempt to connect to it.
Commercially available under names like “Stingray,” “Hailstorm” and “Gossamer,” these units are extremely mobile and are typically used by law enforcement. Due to their compact size (Gossamer is as compact as a large walkie-talkie), the hardware can also be easily used from a vehicle to monitor phone location as well as intercept communication, eavesdrop, deny service to a phone and more. Stingray is the most widely known of these and “stingray” has even entered the vernacular as an over-arching term to describe this type of hardware.
Law enforcement agencies using handheld models for “official use” (and anyone else “unofficially”) can walk among a group of people and harvest identifying information about every phone around them. A larger model could be put inside a delivery van, parked several miles from an office building and still have the ability to eavesdrop on the phones inside without anyone inside the building ever knowing it. This capability presents a challenge for every business that demands confidentiality in any of its operations. Costs of these units via the commercial market run between the low five figures to over one-hundred thousand dollars based on features and capabilities.
While the price tag and marketing regulations of commercially available IMSI catchers may put them out of reach for many, wireless security experts have demonstrated their own version, with near-equal capabilities of commercial units and produced for less than two-thousand dollars. At this point anyone with a smattering of technical skill and some internet search time can use off-the-shelf components to build an IMSI catcher powerful enough to rival commercial models.
Susceptibility of cell phones to this kind of attack begins with the technology the phones employ. Cell phones are network dependent, so communication is done between cell phone and cell tower; it is not a phone-to-phone transaction. In order for your service provider to know what cell phone towers will have the best chance of sending your next call, email, etc., the cell phones themselves are actively seeking out new towers to connect to – they don’t differentiate. Because of this, the analogy of a naive child talking to strangers when illustrating how cell phones behave is fairly accurate. Imagine your child with you as you walk through a large crowd and the child says “hello” to every single individual you pass. Should any one of them ask, it will tell them everything you’ve been doing all day long without you ever knowing about it.
In addition, the network is designed so that the cell phone towers themselves (real or simulated), not the phone, control the parameters of the communications session; the tower (real or simulated) makes the determination to use encryption or not. So, if someone is pretending to be a cell phone tower, they can send a command to any phone that connects to it to simply turn off session encryption.
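The two behaviours described above (a simulated tower presenting itself as the strongest in the area, and the tower deciding whether the session is encrypted) are also what a defender can look for. The following is an added example, not part of the original article: a heuristic review of serving-cell observations against a site survey. The record fields, cell names, baseline values and the 20 dB margin are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObservation:
    """One serving-cell report from a monitored handset (hypothetical record format)."""
    timestamp: str    # when the phone reported its serving cell
    cell_id: str      # identifier broadcast by the tower (constructed names)
    signal_dbm: int   # received signal strength; closer to 0 is stronger
    ciphering: bool   # True if the tower enabled session encryption


# Hypothetical site survey: towers normally seen here and their usual signal level.
BASELINE = {"site-cell-A": -95, "site-cell-B": -101, "site-cell-C": -88}

# Assumption: a jump of this many dB above the surveyed level is worth a look.
STRONG_MARGIN_DB = 20


def assess(obs, baseline=BASELINE):
    """Return the list of reasons an observation looks like a simulated tower."""
    reasons = []
    # The tower, not the phone, decides on encryption; an unencrypted session is a flag.
    if not obs.ciphering:
        reasons.append("ciphering-disabled")
    if obs.cell_id not in baseline:
        reasons.append("unknown-cell")
        # A tower that was never surveyed yet is louder than every known one
        # matches the "strongest tower in the area" behaviour.
        if obs.signal_dbm >= max(baseline.values()) + STRONG_MARGIN_DB:
            reasons.append("unknown-cell-overpowers-site")
    elif obs.signal_dbm >= baseline[obs.cell_id] + STRONG_MARGIN_DB:
        # A surveyed cell that is suddenly far stronger than usual.
        reasons.append("signal-jump")
    return reasons


def review(observations, baseline=BASELINE):
    """Return {timestamp: reasons} for every observation with at least one flag."""
    flagged = {}
    for obs in observations:
        reasons = assess(obs, baseline)
        if reasons:
            flagged[obs.timestamp] = reasons
    return flagged


# Constructed sample data, not captured from any real network.
SAMPLE = [
    CellObservation("09:00", "site-cell-A", -96, True),
    CellObservation("09:05", "site-cell-C", -90, True),
    CellObservation("09:10", "cell-not-surveyed", -52, False),
    CellObservation("09:15", "site-cell-B", -70, True),
    CellObservation("09:20", "site-cell-A", -94, True),
]

if __name__ == "__main__":
    for ts, reasons in review(SAMPLE).items():
        print(ts, ", ".join(reasons))
```

These checks are heuristics: a flag is a reason to investigate, since a newly built legitimate tower would also appear as an unknown cell.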
The “man in the middle” attack with an IMSI catcher takes advantage of these flaws and inserts itself between the tower and the phones. Once a cellular phone is within range of and connected to an active IMSI catcher, the phone is essentially under the control of someone else. The attacker can access, remove, copy and send all the information on the phone, as well as installing surveillance software for later use when the phone moves out of range. The real benefit to this kind of attack is that there is little to no paper trail left; only the person performing the attack really knows that it’s happening. The attacker can be right next door or over a mile away and even act as a relay so that the phone still functions as normal, while monitoring all traffic sent to and from it and everything picked up by its microphone and camera.
Many of these kinds of attacks happen even when the phone is turned off. How? The off mode of most cell phones does not turn the phone entirely off; it’s not like the switch on a wall. The screen may go dark, but the motherboard inside is still energized and waiting for signals from the things attached to it, like the power button or the radio it uses for communications. “Off” in this instance is like your television set being “off” until you point the remote at it and send it a wireless command to turn on. So, whether on or off (again - off is not entirely “off”), infiltration of a phone can go on undetected by the user; unless the screen suddenly lights up, there is almost no clue the user would have to their phone being remotely accessed by another device.
The general public largely thinks of smartphones as a trustworthy life-enhancer relying mostly on false assumptions on how they operate and who has access to them. Depending on the brand, advertising for smartphones positions them somewhere between an always-dependable lifeline and a way to save and share life’s moments. They are welcomed into our lives like a trusted member of the family. While smartphones do have the power to make our lives easier and connect us to others in a myriad of ways, the inherent danger they pose should be recognized. Their microphones and cameras are essentially on all the time, gyroscopes and SIM cards can be infiltrated and used in ways you wouldn’t expect, sensitive documents and emails can be retrieved, copied and sent to anyone – and more – all without the user’s knowledge.
As powerful as smartphones are to help us, everything about them can be used just as easily for productive purposes as it can be for detrimental purposes. The microphone can just as easily facilitate a call as it can eavesdrop on a conversation in a room when you’re not on the phone. The phone’s camera can capture insurance images of storm damage to your facility as easily as it can the confidential slides shown during your next meeting. Its various network connections (cellular, Wi-Fi) can transmit information that can close your next business deal just as easily as they can close the doors to your business.
The dots to the full picture of how susceptible cell phones are to hacking have been painted; it’s time to connect them. The resulting picture is that cell phone usage is the most under-considered security threat to businesses today.
In the early morning hours of September 13, 2008, a woman notified the Tallahassee Police Department (TPD) that she had been raped and that her purse, containing her mobile phone, had been stolen. Within 24 hours, the Florida capital’s police had contacted Verizon and obtained real-time ping information, which gave the police a “general area” where they might find the phone and thus, hopefully, the perpetrator of the crime. But that general area still covered plenty of ground—where exactly was the phone?
This newly released transcript (PDF) provides what is likely the first-ever verbatim account of how stingrays are used in actual police operations. And it shows that stingrays are so accurate, they can pinpoint the very room in which a phone is located.
"Every door and every window"
After learning the phone's general location, Tallahassee cops deployed a vehicle-mounted stingray and cruised the streets. Verizon had already provided them with the phone's unique IMSI identifier, which told the stingray exactly which handset to track. (“Stingray” is a trademarked product manufactured by Florida-based Harris Corporation, though it has since come to be used as a generic term, like Xerox or Kleenex.)
Such searches are controversial in part because stingrays necessarily capture data about all other compatible phones nearby. Christopher Corbitt noted that the gear evaluates "all the handsets in the area" as it searches for its target. When in use, stingrays force a connected phone to transmit at full power—depleting a handset’s battery faster than normal.
"We emulate a cellphone tower,” Tallahassee investigator Corbitt told a court during his testimony about the incident. “So just as the phone was registered with the real Verizon tower, we emulate a tower; we force that handset to register with us. We identify that we have the correct handset and then we’re able to, by just merely direction-finding on the signal emanating from the handset—we’re able to determine a location.”
The vehicle-based tracking eventually pointed to a particular apartment complex called Berkshire Manor, but police still had no idea which apartment might house the phone (and, hopefully, the woman's attacker). Corbitt deployed a team of officers with a handheld stingray to scour the complex.
“Using portable equipment, we were able to actually basically stand at every door and every window in that complex and determine, with relative certainty you know, the particular area of the apartment that that handset was emanating from,” Corbitt told the court.
Such searches are common; Corbitt said he had personally used the equipment “200 or more times” and that it worked with “100 percent” accuracy.
Eventually, Corbitt and his colleagues detected the phone inside apartment 251, the residence of a woman who was also hosting her boyfriend, the suspect James Thomas. Officers knocked on the door; when it opened, one inserted his foot in the opening to keep it from being closed again. Police then conducted a "protective sweep" of the apartment and waited while a search warrant was obtained.
Police did find the victim’s phone, purse, underwear, and ID card at the apartment, but was their "protective sweep" justified in the name of "exigent circumstances?" For investigators, the move had seemed necessary to prevent the destruction of evidence. At trial, the judge agreed and denied Thomas' motion to suppress the search evidence; Thomas was eventually convicted. Late last year, however, a state appellate court overturned that conviction on the grounds that the search had been improper (though without commenting specifically on the use of a stingray). It ordered a new trial.
“Testimony that a cell phone could be flushed down the toilet does not meet the test [of exigent circumstances],” the District Court of Appeal for Florida, First District, found, in a two to one decision.
“Really aggressive and invasive”
In an interview with Ars, ACLU attorney Nathan Freed Wessler said that having this level of detail about a stingray was highly unusual.
“I think it provides a vivid illustration of how invasive this technology is and how the courts regulate its use. It’s one thing to have a generic description of how it’s used; it’s another thing to read a first-hand account of how people are walking up to people’s doors and windows sending powerful signals to cells inside. This transcript illustrates both the fact that bystanders' phones were being tracked and that the police operating the device knew that’s what the device was doing.”
The Tallahassee Police Department did not immediately respond to our request for comment.
However, TPD Chief Michael DeLeo told the Tallahassee Democrat newspaper in March 2014 that he had ordered a full review of all incidents involving stingrays.
“My first concern as the new chief is what are we doing right now, are we doing it properly, do we need to change how we are doing it,” the paper quoted him as saying.
An initial inquiry of the cases from 2013, he noted, showed that warrants were obtained in 90 percent of the cases; the remainder involved emergency cases.
“What I’m seeing right now is the same process that is applied to any other search by the police department is being followed,” he said.
Still, the main issue that the ACLU has with this technology, as is the case with similar new digital surveillance tools, is that they might function more like "general warrants" than specific searches.
“That is a major concern that we have with this technology,” Wessler added. “We’ve tried to advance two general legal arguments about why the Fourth Amendment has something to say about stingrays: there’s an unsettled question as to whether use of these devices is like a general warrant, in that it could never be used. If there's no way to use a stingray without sweeping up hundreds or thousands of other phones, then maybe it’s not a reasonable search. At the very least, police need to go to a judge to demonstrate probable cause and get a warrant, and the judge needs to provide privacy guidelines.”
Legal experts not involved in the ACLU’s efforts were equally surprised as to the newly revealed information.
“The information that’s most interesting to me is the specific details of how the stingray was used in this case specifically (via two stingray devices, one mounted on a car and one handheld device) and the frequency by which Tallahassee police have used the device,” Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, told Ars by e-mail.
“I’ve heard about stingrays attached to drones but seeing them on a typical police car (combined with being used 200 times) suggests the device is far more frequently used and deployed than we’ve known before. The other thing that’s interesting is that the way these devices are configured and physically used shows how invasive they are. They force the phone to use more battery, capture all the information in the area around it and then require police to go from door to door to capture signals. These aren’t simple innocuous devices but really aggressive and invasive ones.”
A newly published letter from FCC Chairman Tom Wheeler to Rep. Alan Grayson (D-FL) states that Wheeler has created a task force that recently took “immediate steps to combat the illicit and unauthorized use of IMSI catchers. The mission of this task force is to develop concrete solutions to protect the cellular networks systemically from similar unlawful intrusions and interceptions.”
Relatively little is known about how stingrays are used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances. Worse still, cops have lied to courts about the use of such technology. Not only can stingrays be used to determine location, but they can also intercept calls and text messages. Grayson seems primarily concerned with stingray use by criminals, terrorists, and foreign government agents.
Grayson’s office did not immediately respond to further requests for comment.
The FCC didn't have much to add, either.
"I don’t have a lot to give you right now," Bartees Cox, an FCC spokesman, told Ars. "As the announcement was made only yesterday, but the task force will draw on expertise from across the agency."
“I am disturbed”
Grayson appears to have only been made aware of stingrays recently. The congressman does not seem to know that the best-known manufacturer of stingrays, the Harris Corporation, is based in Melbourne, Florida—just 70 miles from the congressional district that he represents.
Last year, Ars reported on leaked documents showing the existence of a body-worn stingray. In 2010, Kristin Paget famously demonstrated a homemade device built for just $1,500.
“Americans have a reasonable expectation of privacy in their communications and in information about where they go and with whom they communicate,” Grayson wrote to Wheeler on July 2, 2014. “It is extremely troubling to learn that cellular communications are so poorly secured and that it is so easy to intercept calls and track people’s phones.
“I am disturbed by reports which suggest that the FCC has long known about the vulnerabilities in our cellular communications networks exploited by IMSI catchers and other surveillance technologies. According to the Associated Press, the FCC licenses to American companies that manufacture such interception technology.”
Foxes guarding the henhouse
Christopher Soghoian, a technologist with the American Civil Liberties Union and one of the nation's experts on stingrays, told Ars that he applauded the FCC task force.
However, he also pointed out on Twitter that the FCC partially denied a Freedom of Information Act request filed by the ACLU to learn more about prior FCC discussion and actions pertaining to stingrays.
"They're still suppressing public discussion and debate about these issues and that combination is troubling because what it shows is that the FCC and many other parts of our government still consider it to be a secret technology even though graduate students and others have shown that they can build them themselves," Soghoian said.
"It was a secret 20 years ago; it's not a secret anymore," he continued. "What's happening is that the government wants to have its cake and eat it too. It's pretty unrealistic that this thing will remain a secret forever. Our view is that once you can buy these things online, once there are PhD dissertations describing the stuff in detail, and once you can download stuff from the Internet, then it's not a secret anymore, and the FCC should stop treating it as one."
Stephanie Pell, a professor at the Army Cyber Institute at the West Point Military Academy, told Ars that she believed the task force is a "positive first step."
"Ultimately, however, a solution that is only focused on further 'outlawing' the unauthorized, unlawful use of the IMSI-catcher technology is not a strong, or likely successful solution," she said. "The FCC will need to examine the vulnerabilities in cellular networks that allow the technology to intercept our communications. Chinese spies and tech-savvy criminals won't be deterred because their use of the technology is illegal—they will be deterred and hopefully thwarted if cellular networks aren't vulnerable to IMSI catchers."
As far as the task force is concerned, Soghoian said he was not aware of the details of what precisely it would entail. He hoped that it would include bona fide technical experts who have well-known credentials in mobile security and privacy.
"If the task force is just NSA, FBI, and the Secret Service, then that's like asking a group of foxes to guard the henhouse," he said. "Really what we would hope that the task force would include the Federal Trade Commission, the Department of Commerce, the National Institute of Standards and Technology, and agencies that have a more protective mission with regard to protecting consumers from hackers and other threats to their privacy. What's clear is that the FCC has known about these things for 20 years. The only way you will protect members of Congress, journalists, lawyers, or doctors is through encryption. Any effort to go after the devices is futile."
Researchers from Stanford University in conjunction with National Research & Simulation Center Rafael Ltd. show that the gyroscopes found in most modern phones are sensitive enough to detect sound in the vicinity of the phone. Using filters and signal processing they can "identify speaker information and even parse speech".
iOS and Android require no special permissions to access the gyroscope, allowing apps and active web content that cannot access the microphone the ability to still eavesdrop on speech in the vicinity of the phone.
This is an archive of educational materials relating to cell phones and privacy.
Reuters - A $250 IMSI Catcher, cell tower simulator that can be made and deployed by just about anyone.
Cyber Defense Magazine - Smartphones in the business environment: Trusted Tool or Trusted Threat?