T is for telephone....
(c)2006-2018 Sarah B / Planet-Tharg (update 2015_7)
Line and mobile phones, how secure are they?
In years gone by... back when I was a nipper... the only kind of telephone most people had was the kind
connected by a pair of wires to your local exchange. These lines were routed via poles, man-holes, and
the road-side green boxes. This was open season for telephone tappers. All you needed to do was identify
the pair going to your target's house / office using an oscillator and probe, and connect your kit to the line.
I have here in my office four complete telephone exchanges that I use for my equipment tests. So this
is old-hat to me. I have been involved with monitoring / tapping / bugging for years...
Common bugging/tapping devices and methods for line-telephones were/are..
1/ RF transmitter. To be received locally in a car/van/house.
2/ RF-flooding transmitter. Received in much the same way, but would also provide
audio from the target even if the phone was not being used!
3/ Tape recorder, voice activated if required, to record calls for analysis later.
4/ Speaker / amplifier or linesman's type handset to monitor locally.
5/ Or connect the target's line to a spare pair and route it anywhere you like...
Some targets believed that using a public 'phone box was safe. This was only the case if they travelled
about, and used a different one each time! Pay 'Phones can be tapped too. Not many people had the early
car telephones, and these were even easier to monitor, as they were transmitting non encrypted speech.
I'm not admitting to anything here, (not until I'm an OAP). People who know me well enough, know the deal!
Then came the GSM / digital mobile 'phone...
The mobile/GSM telephone has become a large part of our lives. Some of us who use them for business
and in our private life now wonder how we survived without them. Few people, though, even consider
the privacy of their calls and SMS messages.
First, what is a mobile telephone? A mobile telephone is a networked terminal which is capable of
sending voice, text, pictures and other messages as data across the network. In the same way,
you can send e-mails, pictures and voice messages with your computer on the internet.
It may be a telephone, a modem card in a lap-top, a cell-router, a vehicle tracking device,
an industrial/medical telemetry device, or be a part of an alarm system. Sending data from place to
place has changed over the last few years, and GSM telephone networks are now being used more and more
for data transfer by small and medium sized networks. Basically GSM mobiles can turn up almost anywhere!
It's also easy to set up a micro GSM base station to get the target mobile to log into it and use that to
recover info from the device. Such base stations are set up with devices such as a Raspberry Pi and an
SDR transceiver like the Hack-One, and an added pre-amp and power-amp to boost the range, and of course an antenna.
So for a couple of hundred pounds' worth of kit and the software (down-loadable from the net) you have your
own cell-phone base site.
The servers used by the commercial operators are often "non PC based" commercial computer systems running
the UNIX operating system. This is done not only for reliability, but also for ease-of-use and to shorten
development times for new software and applications. There are whole ranges of specially designed,
RF-screened / NEBS-Certified systems catering to the needs of the telco-industry. The Sun Microsystems "Netra"
systems were/are quite common, and very well known for their reliability. Non-PC-based servers running UNIX
are very secure, stable and reliable platforms, and allow the use of the existing inherent networkability
of these systems, as well as easy development of software using the many established UNIX development tools.
For those of you who are aware of the security implications applying to your computer networks, this may
already be ringing some alarm bells! We are now used to the internet, and can appreciate that the TCP/IP
packets sent from Scotland to London may well be sent over a route which is not exactly the shortest path!
Also, packets can be monitored and forwarded to any other location no matter where their source and destination
may be. We can get an idea of the route our data takes over our networks and the internet using tools such as
traceroute. But with our data going across the telephone service provider's networks, we don't have this ability.
Although most 'phones or other devices are used with the same SIM card for the greater part of their life,
it is not un-usual for people to have work and private SIM cards in their 'phones. A business involved with
the sale, repair or un-locking of 'phones may run many cards through the same 'phone every day for testing etc..
It is common for those involved in crime / criminal activity to use many different SIM cards in their 'phone
believing that this will conceal the user's identity and activities. This is, however, a waste of time, as the
Electronic Serial Number of the telephone remains the same no matter which SIM card is fitted. This only
serves to associate the SIM cards and the telephone handset together. SIM card and ESN information can be
compared against a model / pattern of un-usual behaviour and can be an indication of "suspicious activity"
which can trigger further monitoring. So if you need another number for your "other activities" it's best
to use a basic-model (without built-in sat-navigation), and use a separate SIM card just for that phone.
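
The SIM-to-handset association described above, as an added example (not part of the original page): it groups
constructed registration records so that every SIM seen in the same handset ends up in one cluster, and counts
SIMs per handset. The record layout and all names are assumptions; the page's "ESN" is, on GSM handsets, the IMEI.

```python
from collections import defaultdict

# Constructed sample records (not real data): each is one network
# registration, pairing the SIM's identity with the handset's serial number.
OBSERVATIONS = [
    ("SIM-A", "ESN-1"),
    ("SIM-B", "ESN-1"),
    ("SIM-C", "ESN-1"),
    ("SIM-C", "ESN-2"),
    ("SIM-D", "ESN-3"),
]

def link_identities(observations):
    """Group SIMs and handsets into clusters joined by any shared identifier."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    # Union step: a SIM and the handset it was seen in belong together.
    for sim, esn in observations:
        root_sim, root_esn = find(("sim", sim)), find(("esn", esn))
        if root_sim != root_esn:
            parent[root_sim] = root_esn

    clusters = defaultdict(lambda: {"sims": set(), "handsets": set()})
    for kind, value in list(parent):
        key = "sims" if kind == "sim" else "handsets"
        clusters[find((kind, value))][key].add(value)
    return sorted(clusters.values(), key=lambda c: sorted(c["sims"]))

def sims_per_handset(observations):
    """Count distinct SIMs seen in each handset (the 'many cards' pattern)."""
    seen = defaultdict(set)
    for sim, esn in observations:
        seen[esn].add(sim)
    return {esn: len(sims) for esn, sims in seen.items()}

if __name__ == "__main__":
    for cluster in link_identities(OBSERVATIONS):
        print(sorted(cluster["sims"]), sorted(cluster["handsets"]))
    print(sims_per_handset(OBSERVATIONS))
```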
There is a common assumption that SMS messages are secure due to their very short transmission duration;
this is only the case if you are expecting to have your location sought by more traditional radio-location
and RDF techniques, and in this case a "turn it on, send message, turn it off" system works well. This method
was / is taught to army/military types to make their comms more secure. However, all SMS and voice calls
are capable of being searched for keywords. Keywords are a list of words which are searched for to assist those
monitoring to pick the "good bits" out of the mire! (such words as terror, bomb, prime minister, queen, kill,..
get the idea?..). By the time a text message is received, it can be snooped, scanned for keywords and
forwarded elsewhere. And yes, the mobile telephone does encrypt its data, but by using a device to simulate
a mobile base station it is an easy job to capture the 'phone and to turn off the encryption. The telephone
will not (in this country) indicate that this has been done! You may just get one of those "system message -
please delete" text messages. (Search for imsi box, emmi box, imsi-catcher and algorithms A5/1,2,3 etc...)
Voice calls too can be searched for keywords. This is a newer technology and still a bit hit-and-miss. But
it is being used none the less. A keyword hunting system similar to that used for text messaging is used.
For many years the government/security agencies here in the UK have been actively bulk-monitoring our calls,
SMS and e-mails. If you are in any doubt, just do a simple Google search for such things as "telephone tap tower"
and you will find some interesting links. The telephone tap tower was a fake water-tower used to intercept
a BT point-to-point link, and was installed in the grounds of a nuclear power station. (Told ya nuke power was bad!)
Calls and other messages can be, and are being, routed overseas to exempt the authorities from requiring a UK warrant
for the interception of calls. This effectively by-passes any rights you have to privacy. In these times of
terrorist activity this is becoming more and more common. Monitoring of communications is now even easier
with mobile telephones than it is with land-line (wired) telephones! It is well known that all satellite
routed calls, faxes, etc.. have been able to be monitored over the past 20+ years by those at locations like
C.S.O.S. Morwenstow, (now called GCHQ Bude) and forwarded to Cheltenham for analysis by UK and American
intelligence services. I have some photos of the old and new GCHQ sites, and of CSOS too. I may pop some up here.
I wonder what the legal standpoint would be? If a digitised voice transmission is recorded/monitored overseas
to avoid a warrant being required in this country for the interception of communications. It would probably be
OK if the data was routed there at all times, even when not being monitored. But this would probably not be legal
in this country if the data was sent to the other country to be recorded, and in this case the challenge may
well be that the interception is actually happening in this country, at the point in the system where the data had
been separated and routed elsewhere, and the data/audio merely being recorded overseas. Does anyone fancy running
this through the courts in the UK to test it? The security services have, understandably, been quite secretive about
their methods in cases such as this, I wonder why? If this form of tapping turns out to be illegal, they may have to
start releasing people from prison as the evidence against them would have been obtained illegally and may be
inadmissible in U.K. courts. The "cannot give details of the intercept for security reasons" line is used in court.
Oh, and don't forget, your phone's location is known to an accuracy of 100 yards or less even if you have turned off
the phone's location-services / GPS. And you don't even need to be using it; it just needs to be switched on.
Also, how do you pay for your "pay as you go" service? And where do you pay for it? By credit card? Do you
pay over the internet? Or do you buy vouchers with cash, either singly or in groups? Transactions done
electronically can be traced back, and therefore can be traced back to you...
Also mobile telephones have been used as simple bugging devices for the past few years now. A mobile phone
is modified, having its loudspeaker removed. It is then set to auto-answer and hands-free mode. If the
'phone is called, it will answer and pick up any sounds in its area and send them back to the caller, and
because the 'speaker is not there it does not ring, and the person being bugged hears nothing from the listener.
It's an easy job to install modified mobile-phones into cars, and have them charge their batteries from the
vehicle. This can be done in the UK without a warrant for tapping or the interception of communications, as
this method is apparently not covered by either of these acts. Also, it's not illegal bugging from a radio
perspective, as it's a mobile-phone, and not transmitting on un-licensed frequencies.
The mobile phone as a trigger for bombs? Yes it's been done before and I have tried it too. I connected a small
relay instead of the vibrate motor. and simply connected this to a safety/isolator switch and a mini-detonator
I could then call the mobile from anywhere in the world and cause an explosion.
My prediction for the future? Voice encryption devices built into your hands-free-kits. After all, you
wouldn't want to rely on any built into the 'phone would you? And have a phone jamming device handy for when
you want a bit of privacy!