INFO SECURITY: Cell Phone Security – The spy in your pocket…

Be wary of using your cell phone for anything but casual conversation

Who reading this article has a cell phone.  I’d probably be pretty close in saying that at least 95-98% of the people reading this article have a cell phone of some sort. It may not be a smart phone (iPhone, blackberry, ms mobile, etc), but I’m willing to lay money that you’ve got one.

These are one of the most destructive pieces of personal privacy ever invented.

How you ask? – Well, let’s take a look.

There are applications out on the public market (and ones in the government sector that we’re not going into) that can track you, listen to your phone calls, read your e-mail and text messages, get your calendar items and MUCH more.  it can even turn on your video camera and take photos through your phones camera.

Any and all of these items can be done without your knowledge and/or consent. Spyware can be installed either through a text message, e-mail, physical or remote connection to the phone via Bluetooth, wireless or Wi-Fi. Some services online will allow tracking of someone based on their phone number and what cell towers they are connecting to.

Old poster – good advice

Simple surveillance can be as easy as logging in to a web site, enter the targets phone number and then send a text message to it.  The text message is key, it will ‘ping’ the phone, then associating to it.  From that point forward,  you can pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

There are applications out there that will turn your phone against you hard.  You think you’re turning your phone off?  Possibly, or the ‘spy’ could have turned the off button into a “you think I’m off” button. it will turn the screen off, disable the normal keys, turn the sound off, turn vibration off and make it even look like it’s going through the power down process.

What it does though is actually run a subroutine to do all of this, but remain powered on so that they would be able to use the camera for either pictures, videos, voice or data communication.  Including using it as a Wi-Fi access point.

Smart phones are the easiest to get software onto and provide the most ‘services’ that can be tapped. Other phones provide video, audio, picture and possibly GPS positioning.

There is also ways of accessing any data on the phone itself by collecting the SIM card from the phone.  Duplicates can be made and the card replaced so the owner is not aware of it.  How many of you remember the scene in the one Bourne movie where he knocked out the agent, duplicated the sim card, got to a car and plugged this card into his phone.

He now sees all of the texts, listens to voice mails, get’s phone numbers and calls?  Well, it’s possible.  It may not be as simple as how he does it, but it is possible. (at least not as simple if you don’t have government or ‘black hat’ backing).

Just because something’s in the movies and it seems out there, doesn’t mean that it’s not true.

Someone wishing to listen-in on your cell phone calls wont have to have tradecraft training like Jason Bourne to clone a phone – anyone can buy the needed equipment on the internet

This is happening on a daily basis, not only by criminals, but also by governments.  In 2003 and 2004, the FBI used cell phone spy software to eavesdrop on organized crime families.  They were also able to use that information during prosecution.  It’s the same as a wire tap or search warrant.

Most government law enforcement agencies have their own special teams working on just this specific thing. NSA, CIA, FBI, DEA, they all have teams that are working on new ways of gaining information by using the cell phone and mobile devices such as the iPad.

Some indications that you may be a target of spyware or spying are;

- Screen lights up for no reason
- The flash on the camera goes off for no reason
- Noise in the background when you’re on the phone (not from the other person)
- Strange text messages
- The battery is warm even though you aren’t using it or charging it
- The battery goes dead faster than normal
- Notification lights blink or stay on even though they shouldn’t
- The memory of the phone is lower than it should be
- Strange phone numbers that you don’t recognize are in the phones memory or storage
- Strange applications that you aren’t aware of downloading or installing.

Remember, just because any or all of these are happening doesn’t mean you’re a target of spying, but it’s a good possibility -  Especially if you’re:

- In a foreign country
- Have an ex-wife/husband
- Ex-girlfriend/boyfriend
- Ex-anyone
- Work for a government agency
- Are a civilian contractor
- Are a very attractive person (male or female)
- Have pissed someone off

Also some additional things to keep in mind are that over 200 companies sell spy-phone software online.  They range in price from $50.00 to more than $3-500.

If you EVER suspect that spyware is on your phone, get a new phone or re-install the operating system.  Your provider should be able to help you with that. Also, never ever let your cell phone out of your control or out in the open unattended.  It only takes a minute or two to compromise it and you’d never know.

If you’re working with sensitive information, please be careful of what you say, where you say it.  Cell phone spying isn’t the only way to gather information from your phone; it could be overheard as well.

Comments, questions, let me know in the comments – Thanks for the time.

—————————————————————————————

~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.

Be Sociable, Share!

30 thoughts on “INFO SECURITY: Cell Phone Security – The spy in your pocket…”

  1. Great info Norm as per usual. I have a love hate relationship with cell phones. I tell clients that I work for that the first thing we do is ditch their phones and go low tech. Most of the tech and spyware that is used today is for today’s high tech phones. So my logic leads me to think just go the opposite direction. I have a passel of phones from just when sim cards and text messages became the norm. They have no GPS and no spare memory to hide a program on. The best someone could do is ping a nearby tower and that I believe is about it.

    But I like my Iphone and is what I use personally, however I am don’t love it so much that I won’t drop it in a puddle of water if I suspect someone has accessed it that has malevolent intentions(or if people won’t stop texting me. I freaking hate texting). But it is strictly for personal use and I abide by my rules with my work phone which is a low tech old Motorolla Moto phone. As well as a few spares just in case.

    But I guess the question I have for you norm is what are some of the better phones or companies that let you have better access to controlling your security, if there are any? Any programs? Further steps you can take?

    Personally I have my phones set for a code log in and if someone can’t get the code in within a certain number of times the phone gets wiped. My Iphone is a 4 digit, but my old nokia was a 9 digit. I would think something simple like that, that is kind of a time consumer and annoying to punch in every time I access it, but I figure it is at least a minor barrier to prevent someone from at least hacking your phone if it is out of my hands. My employer works in the high tech industry and sometimes I am forced to leave my phones at the front desk with the 12 buck an hour flashlight cop.

    Thanks Norm.

      (Quote This Comment)

  2. Take the battery out if you are discussing sensitive information, or even better leave the phone at home.

    Any cell phone can be triangulated using the location of the towers. And like PC’s nothing is ever forgotten.

      (Quote This Comment)

  3. When I signed up for my Sprint/Nextel phone, part of the service contract included (buried in completely unrelated jargon) the fact that *all* phone communications were subject to monitoring at any time. When I pointed it out to the Sprint rep, he was genuinely shocked, saying “I never knew it was there. Nobody ever reads those.” I always assume any conversation is being “monitored”.

      (Quote This Comment)

  4. But I guess the question I have for you norm is what are some of the better phones or companies that let you have better access to controlling your security, if there are any? Any programs? Further steps you can take?

    Personally I have my phones set for a code log in and if someone can’t get the code in within a certain number of times the phone gets wiped. My Iphone is a 4 digit, but my old nokia was a 9 digit. I would think something simple like that, that is kind of a time consumer and annoying to punch in every time I access it, but I figure it is at least a minor barrier to prevent someone from at least hacking your phone if it is out of my hands. My employer works in the high tech industry and sometimes I am forced to leave my phones at the front desk with the 12 buck an hour flashlight cop.

    phones, companies etc, forget it. They’re all about the same that I’ve come across. I’ve had service since the late 80′s, been through AT&T, Cingular, Sprint, Verizon, Cellular One, Centel Cellular, each and everyone of them are pretty crappy when it comes to having better access. As far as the phone security itself, anything that has a way to trasnmit (including those that have no ‘memory’ is a way to spy with. Even if it’s just triangulating your location. I can say that Apple (yeah, I know, go ahead and call me a fanboy) has a decent grasp on phone ‘security’ itself. Sort of…

    You have the ability to lock the phone remotely, change the passcode, erase the phone, track the phone (within 3 meters I think) as well as being able to make it play a sound even if the volume and silent mode is on and send a message to it. This could work both ways, as long as the site to access this is secure, you’re ok, but someone hacks your account and get’s in there, they’ve basically got a copy of your data with almost no trouble.

    As far as programs and steps you can take? There’s a few phone scanning applications out there such as Autoberry for the Blackberry software (not 100% sure if it’s available outside of a corporate environment) and a few others. Nothing spectacular though. Best idea to keep it secure is to keep it on your person at all times and when it’s not turned on, take the battery out. Other than that, something like the loksak that was mentioned here would work very nicely. Another thing to do is as soon as you get a new phone, have the company that you got it from re-install the software right off the bat, makee a backup copy of the software on it as soon as you get home (most phones have a pc interface software for backups, etc).

    Do NOT ‘jailbreak’ your phone, Wipe it and re-install daily. keep your eyes on the warning signs that I mentioned in the article. Other than that, it’s pretty much a crap shoot. You can turn off the GPS portion, turn off blue tooth (which defeats the purpose of a BT headphone), turn off wi-fi and location services, etc. Disable java on it if the phone has it, but other than that, there’s not much.

    The log in code is great, unfortunately, there are fairly simple ways around it, even with a non-jailbroken phone. I’ve read about software that can do it upon initial connection to the phone.

    As far as carrying it with you, leave it in a signal vault in the car or in your pack whenever you’re working. I would NEVER relinquish my electronic devices to a security guard, LEO, Gov official, etc. There’s no telling what they will do with it. Yes, I know there’s LEO’s out there as well as security and government officials. No, I’m not trying to ostrasize or slam you. There are a LOT of good people in those fields but there’s also the ones that don’t have the same scruples as the rest of us. I don’t know about you, but I’d rather not take the chance.

    Take the battery out if you are discussing sensitive information, or even better leave the phone at home.

    Any cell phone can be triangulated using the location of the towers. And like PC’s nothing is ever forgotten.

    Good points.

    http://www.loksak.com/products/shieldsak  

    I’ve seen similar items as this one, I like them, it’s a nice idea. I personally have a bag similar to this, I played around with RF blocking material and anti-static bags and came up with a solution on my own. It’s about time I actually invest in something like the loksack though.

    When I signed up for my Sprint/Nextel phone, part of the service contract included (buried in completely unrelated jargon) the fact that *all* phone communications were subject to monitoring at any time.When I pointed it out to the Sprint rep, he was genuinely shocked, saying “I never knew it was there. Nobody ever reads those.”I always assume any conversation is being “monitored”.  

    THAT is scary. It’s another reason why we should all read all of the documentation. It’d take days to get anything done, but just how much is your security/safety worth?

    Of course, I’m guilty myself of not reading all of it either.

    Guys, GREAT questions here. Great comments, and thanks for the good words.

      (Quote This Comment)

  5. Norm, you just described all of the odd behaviors of my work phone. Camera clicking, battery drain, etc. You write some really great articles, man. Thanks for this one.

      (Quote This Comment)

  6. Great reply norm. Thanks a lot.

      (Quote This Comment)

  7. Norm, you just described all of the odd behaviors of my work phone.Camera clicking, battery drain, etc.You write some really great articles, man.Thanks for this one.  

    I’d get it checked as soon as possible. Especially if you rely on it heavily. If you work for a company that provides it, I’d turn it in and let them know what’s going on. It could be just getting old, but, better safe then sorry. If you are providing the cell yourself, burn it. Buy a new one and change the number (if that’s possible), DON’T transfer the SIM card to the new phone, it’s like taking an infected floppy disk from your old computer and putting it in the new one.

    Good luck with it, hope things don’t go south and/or hope you caught an issue before it became something life threatening.

      (Quote This Comment)

  8. I wanted to say, based on the responses I’ve gotten so far, I’m glad you guys are getting a lot out of this article, it’s what I strive for when I’m write for DVM.

    I also rely on you guys to let me know when the articles not up to par. :)

      (Quote This Comment)

  9. Great reply norm. Thanks a lot.  

    Not a problem.

      (Quote This Comment)

  10. And no need to worry for being called a fanboy. I am a semi recent convert to Apple myself. Though I am surprised upon my research into App store that there hasn’t been some viable security app that can defeat or at least detect some of the potential attacks on the phone itself.

      (Quote This Comment)

  11. Though I am surprised upon my research into App store that there hasn’t been some viable security app that can defeat or at least detect some of the potential attacks on the phone itself.  

    There are, actually, but, you would need to jaibreak it first. That in itself is sort of a security break though, so…you’re taking it into your own hands if you do jailbreak it. :)

    However; from what I hear, the new OS will allow background apps to run, so, we’ll see.

      (Quote This Comment)

  12. Just wanted to say that this was an eye-opener. Some stuff I did know about, but what I did not know was some remedies. That list of phone’s strange behaviour was particularly helpful.

      (Quote This Comment)

  13. Another love/hate cellphone relationship. I’ve been missing the pre-cellphone days, but I have had my ass saved in a couple medical emergencies by having one with me. I am tempted to just carry a unactivated cellphone for making 911 calls (and credit card or collect calls through the American Roaming Network in a pinch), but otherwise just go back to having a landline. Best compromise I can think of.

      (Quote This Comment)

  14. Norm – thanks! You verified something I told my niece a couple weeks back when she thought she might have to “leave quick” for parts unknown. I don’t know crap about anything high tech, but I told her specifically that if she left, pull the battery out of her cell phone and leave it out. No matter what. She thought I was more crazy than usual – but I was guessing that a phone could be found pretty easily if it’s on. Hey, I saw it in a movie once, and as you said, sometimes that movie stuff really can happen.

      (Quote This Comment)

  15. Its interesting how attached people get to their phones. I love dopers phones, its like hitting the jackpot for evidence (after legal search of course) and they almost never have any type of security in place.
    Good article!

      (Quote This Comment)

  16. Norm,

    Can you recommend any follow-up reading I can do on this subject. Or even some of the software used etc. I was discussing this with some people the other day, and most of us carry either iphones or crackberrys for work and personal use and the more I know the more I can do to prevent problems. Also, I may be starting a job with a govt subcontractor and don’t really feel that they need to know what personal subjects I talk about with my wife or friends.

    Outstanding article btw, I forwarded the link to this page to a lot of people who need their eyes opened. I’m just a civilian, but I’ve learned a ton that helped me with some of the work I do as an investigator. Thank you guys so much.

      (Quote This Comment)

  17. Excellent stuff.

    I am assuming satphones are equally susceptible, is that accurate?

      (Quote This Comment)

  18. Norm,
    This was an excellent article! Lots of stuff I did not know. Thanks for the info.

      (Quote This Comment)

  19. Its interesting how attached people get to their phones.I love dopers phones, its like hitting the jackpot for evidence (after legal search of course) and they almost never have any type of security in place.
    Good article!  

    You know, that’s one thing that I didn’t honestly give thought to when I was writing this article, but I think you just gave me an idea for a follow up article. Thanks for the idea.

    Norm,Can you recommend any follow-up reading I can do on this subject. Or even some of the software used etc.
      

    I’ll have to go back and see if there’s specific books or resources made just for this topic, I don’t have the links or names right off the top of my head, but there are many books that do cover the topic as a part of the whole. Also, I know there’s a lot of information out there from the NSA, CIA, FBI, etc, that may or may not be available to the general populace. I’ll see what’s out there for general consumption.

    I’ll start a post under Info Security in the Forum for links, etc related to articles.

    Excellent stuff.I am assuming satphones are equally susceptible, is that accurate?  

    I’m not as familiar with satphones, but they do fall under similar rules as far as their programming, etc. There’s not as popular as prevalant as standard ‘cell phones’, but it is possible to track information from them. It’s not as easy to get a GPS lock on them due to the nature of their programming/connection, but yeah, I’m pretty sure most of this also applies to them.

    Again, a LOT of great questions and it looks like this one also hit the nail on the head in terms of what you guys are looking for.

    I appreciate that you are spreading the word not only about my articles, but about DVM as well. The more readers we have, the more input we get, the better we can cover articles that you are looking for.

    It’s comments and discussions from you guys like this that’s the reason a lot of us are doing this. I’m just glad I could help out.

    Also, like I mentioned earlier, I’ll start posting links and additional follow up information in the forum under the same topic post as the articles. I do ask that you bear with me over this weekend, it may be a few days to get it up there, but it’ll be there.

      (Quote This Comment)

  20. Using a program like EnCase I can get absolutely every text, call, GPS reading and whatever other information is stored or passed through a phone – in some cases I can even get the audio from past calls even if you don’t have a call recorder on your phone (some cell phones store audio in a temp buffer).

    A cell phone is basically a computer that you pass all your calls and texts through – your home computer is hardly private or secure, you should look at your cell phone no differently.

    Sat Phones are pretty much the same – but they require a higher level of technology to track for non-government folks.

    Great article Norm!

    ~James G

      (Quote This Comment)

  21. I’m surprised, I’ve at least heard of most security related topics, but this is a first. Thanks for sharing this one, it’s research time now :)

      (Quote This Comment)

  22. Interesting on the satphones. We have them at work, since the senior staff spends a lot of time traveling. All I know is our IS security guy said they were absolutely public, just like cell phones.
    A really great article. Can’t imagine the times I have discussed stupid things over my cell phone, will have to pay a lot more attention. On the other hand, I honestly wonder where a person would find a pay phone (landline) anymore. Norm – I will really be studying the links you get posted out here. Thanks again, much appreciated.

      (Quote This Comment)

  23. So, I know I am being spyed on remotely on my smartphone. The question is: Is there an application to secure my mobile phone so this person cannot access my phone? or should I just get a new phone and SIM card?

      (Quote This Comment)

    1. My personal opinion is that if you know that you’re being spied on, dump the phone, dump the sim card and get a new number. It’s the safest way to make sure that they don’t have access to you.

      Also, make sure you don’t leave it out of your sight and don’t let anyone else have access to it.

      It’s going to cost you a few bucks, and some hassle to notify of your new number, but it’s the best way.

      When notifying people of your new number, make sure they are the only ones that are getting it and not someone else. Be careful if you e-mail it to them as if someone is targeting you via your cell phone, it’s a good chance they’ve got something on your computer as well.

      Good luck.

        (Quote This Comment)

  24. Your right Norman! It is the best thing to do even if it cost you a few dollars at least you now know with your new phone that you are safe. Just be careful from now on.

      (Quote This Comment)

  25. I amused to see that you decided to use a picture of IDF soldiers at the beginning of this article. Currently serving in a combat unit in the IDF myself I have experienced this lack of cellphone security awareness quite a bit. We always get warned about what we say on the phone, as well as where you are allowed and not allowed to take one, two things which I was already very aware about. Yet soldiers over here thing that it is all a game.

    For example, a couple of months ago we were all put on high alert on the boarder where I was stationed. This was a big deal, one that was emphasized by our company commander quite firmly. He also made sure to tell us not to talk about this to anyone during that time so that OPSEC would not be ruined. Yet not even 10 minutes after he left I could hear people telling their parents that they would not be home during the weekend due to terrorists on the boarder.

    One can also tell when the country is preparing for war over here due to the increase in cellphone activity. This leads to us (the grunts) sometimes not knowing that we are going into an operation until only a few days before. Which in turn means a potential lack of preparation on our part.

    Everyone really needs to take this issue to heart and be aware, sometimes lives depend on it!

      (Quote This Comment)

  26. I read a lot of interesting articles here. Probably you
    spend a lot of time writing, i know how to save you a lot of
    work, there is an online tool that creates readable, google friendly articles in seconds, just
    type in google – laranitas free content source

      (Quote This Comment)

  27. I copnstantly emailed this website post pzge to all my contacts, since if
    like to read it the my contacts wikl too.

      (Quote This Comment)

  28. I couldn’t refrain from commenting. Perfecrly written!

      (Quote This Comment)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Upload Files

You can include images or files in your comment by selecting them below. Once you select a file, it will be uploaded and a link to it added to your comment. You can upload as many images or files as you like and they will all be added to your comment.