Editor's note: This is an excerpt from the book, “COMSEC: Off-the-Grid Communications Strategies for Privacy Enthusiasts, Journalists, Politicians, Crooks, and the Average Joe.”
CHAPTER 1: THE INSECURITIES OF PHONES
If you purchased this book, it is very likely that you already know why you need it. What you may not realize is the full extent to which you need it. All of us generally assume that no one is listening in on or recording our phone calls. If we assumed otherwise we wouldn’t use the device. And mostly, we’re right. But the risks of using a cell phone go much deeper than this. And it wouldn’t feel right to open a book like this without exploring the breadth of what is possible.
What separates your iPhone X or Google Pixel from an old Nokia candy bar or Motorola RAZR from the very early 2000s? The main thing that most will point out is the large screen and the addition of a computer. And you wouldn’t necessarily be wrong; those things are different. It is useful to think of today’s Smartphones as consisting of two major components: the true “phone” and a computer. The computer is the portion with which we interact on a daily basis. It consists of a processor, RAM, storage, and an operating system, and is made usable via the screen. It runs apps. It operates the camera. It works with the magnificent sensor array installed in the phone. It makes the phone “smart”. There is no doubt that today’s phones are more beautiful, powerful, and sleek than those basic candy bar and flip phones of just a few years ago. But when it comes to how the device interacts with the cellular network, the real answer to the question with which we opened this paragraph is, “not much.”
THE BASEBAND PROCESSOR
The cellular modem in your iPhone X or Samsung Galaxy S9 does the same job as the one found in the old bag and car phones of yesteryear. The radio technology has moved on from analog through 2G, 3G, and LTE, but the modem’s role has not: it registers the handset with whatever tower it can reach, identifies itself when asked, and does what the network tells it. This modem (called the baseband processor or baseband modem) is what allows your phone to connect to the network at all. Consumers don’t see this part of their “phone” and even if they did, probably wouldn’t care much about it. But it is extremely problematic from a privacy standpoint and most of our readers probably care a great deal.
Your device’s baseband processor is discrete from its Application Processor (AP) for a couple of reasons. First, your connection to the cellular network is a radio link that must be finely timed against the network’s clock. Each tower handles hundreds or thousands of users by separating them in time, frequency, or code (the exact scheme depends on the generation of network), and a handset that transmits in the wrong slot interferes with everyone else on that tower. By separating the baseband processor from the AP, the baseband is freed to run a Real-Time OS (RTOS) capable of meeting those exacting timing demands. Additionally, the baseband hardware is optimized for radio transmission and reception. Neither of these is a task at which the Smartphone’s “computer” (AP) would excel.
Secondly, many regulatory bodies (including the Federal Communications Commission [FCC] in the United States) require that all devices that interact directly with the cellular network be certified. Separating the baseband processor allows it to be certified separately, relieving the hardware manufacturer of certifying the entire application processor. This has some benefits to the end user. It allows manufacturers to update the Application Processor Operating System (APOS) much more frequently without having to go through lengthy certification processes, resulting in much faster updates to the APOS. This is far from a perfect model, however.
Privacy Problems with the Baseband Processor
The problems with baseband processors are widely known and have been for years. Cellular Service Providers (CSPs), governments, and hackers are all well aware of these issues. Unfortunately, the cellular providers and hardware manufacturers have made only token moves to correct them. The following is a list of concerns you should be aware of if you own a mobile device.
User Inability to Control the Baseband: The biggest danger represented by the baseband is not the malicious actions it can be exploited to take. Instead it is your inability to control this processor. Because this processor is hidden from view, both physically and through any software settings, it is impossible to control. As long as the device has power the baseband processor may be on. Airplane mode and the phone’s “power down” sequence are requests that the AP sends to the baseband; nothing the user can see confirms that the baseband honored them, so the only guaranteed effect is on your device’s AP. In effect this means that all of the actions listed below may be taken whether or not the phone is visibly powered on.
The only way to fully defeat the baseband processor is to fully remove its power source. While once extremely easy, this is no longer a possibility for the vast majority of Smartphone owners. Most hardware manufacturers have moved to cases that are not designed to let the user remove and replace the battery, leaving us all at the mercy of the baseband processor.
A note on terminology: Because the baseband processor cannot, with any certainty, be turned off by the user, we will not reference “turning off” or “powering down” the device. Instead we will use some variation of “placing the phone in a dormant mode” to refer to this process. We feel this is an important distinction and we do not wish to perpetuate the myth that a Smartphone can be fully turned off.
Since removing the battery in most modern Smartphones is an impossibility, so is controlling the baseband processor. Even if your phone is in a dormant mode, the baseband may be manipulated to perform any of the actions described below.
Location Tracking: Because this processor may be constantly engaged it may be collecting your location at all times. We consider this to be one of the greatest threats to your privacy. All Smartphones now offer the ability to somewhat control location services at the application processor level through software settings. It is impossible to control the baseband processor, however. One noteworthy example of this is the Android phone debacle that made news in late 2017.
The online magazine Quartz broke the story in November 2017 detailing Android’s data collection. Even with location services fully disabled, it turned out that Android phones were still reporting their location to Google (the maker of the Android AP operating system). The data came from the baseband: the modem always knows the identifiers (Cell IDs) of the towers it can hear, and Android had been collecting those identifiers and sending them to Google along with its push-notification traffic. Even with location services completely disabled and no SIM card present, devices were reporting which towers were nearest to them, which is enough to place a phone within a neighborhood. Google admitted to this practice immediately and agreed to end it. This still does not protect you from the cellular carrier, however.
Each time a cellular phone “talks” to a cell tower it creates a record that the carrier operating that tower retains for years (retention periods vary by carrier, but they are measured in years, not days). This creates a massive amount of historical data about your movements and activities. This should be especially alarming if you are an individual who works diligently to protect his or her personal privacy in communications and movement. All of your hard work may be undone one day. When it is, and the phone’s IMEI is associated with your name, all of that historical data is, too. This unmasks you not only into the future, but also into the past: everything you have done and everywhere you have been with that device.
It would be reasonable to assume that these records are only created and stored by the service provider you have contracted with. You would be wrong here, too. When your phone interacts with any cellular tower a record is created. The phone sends some basic subscriber information (including its IMSI, see definitions below) to the tower, which passes it on to the core network behind that tower. That network checks whether the device is authorized to use it. If it is, the attach procedure (the “IMSI attach” of GSM terminology) completes, your SIM is registered on that network, and you get service. If your device is not authorized (no roaming agreement between the two carriers, for instance) it is rejected, and the rejection is logged by that network along with your IMSI and the cell that heard you. Even cellular providers other than your own are tracking your location!
Where Does All This Data Go?
As we have seen, carrying a mobile device exposes you to constant location tracking that you cannot disable and cannot opt out of. Where does all this data go, and how is it used? Cellular service providers are not blind to the fact that they have amassed a treasure trove of marketable data.
Cellular service providers vary in the volume and types of data they are willing to share with advertisers. For example, Verizon’s “Precision Market Insights” is one of the most aggressive collection and monetization programs we’ve ever seen. Verizon sells your location data, lists of apps you have installed, and the websites you visit. Supposedly this data is anonymized, but we don’t place a lot of trust in anonymization: a location trail that returns to the same house every night and the same office every weekday identifies its owner whether or not a name or phone number is attached. This data is also sold to third parties that put it into mappable databases, which are sold to law enforcement agencies. Because the phone number or IMEI is obscured by an “anonymized” identifier, such behavior does not (at least theoretically) violate federal wiretapping or surveillance laws.
Customers of most CSPs have at least some ability to opt-out of data collection and monetization. Verizon is now running a program called Verizon Selects that is even more intrusive but requires an opt-in (in exchange for “rewards”). Though we have picked on Verizon, AT&T, Sprint, T-Mobile, and others all participate in similar data collection and sharing programs. Conduct some research on your cellular service provider to find out how to opt-out of this information sharing.
NOTE: The IMEI and IMSI are numbers that are unique to your phone and its service provider/plan. It would be inappropriate to continue further into this book without discussing these identifiers and what they mean.
International Mobile Equipment Identity (IMEI) – This number is hard-coded onto your device and will never change. Even if you change your service provider, SIM card, and telephone number, the IMEI will link old and new together. The network can ask your phone for its IMEI at any time, and carriers do so routinely (for example, to check it against lists of stolen handsets), so it ends up in the same records as your IMSI. It is also recorded when you purchase your device. Even if you switch service providers this number will follow you as long as you own the same device.
International Mobile Subscriber Identity (IMSI) – The IMSI is not tied to hardware on your device. This identifier is stored on the SIM (Subscriber Identity Module) card issued by your cellular service provider, and it is what your phone sends to the towers it asks for service. Its first digits identify the country (Mobile Country Code) and the carrier (Mobile Network Code) that issued the SIM; the remaining digits are the subscriber number that the carrier ties to your account and service plan.
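To make the two preceding points concrete (the tower records described under Location Tracking, and the IMEI/IMSI identifiers just defined), here is an added example that is not part of the book: a short Python sketch of what an analyst with access to attach/reject records can reconstruct. The log format, the cell table and its coordinates, the identifiers, and the simplified MNC-length rule are all constructed for this example; real carrier records and the full ITU-T E.212 table differ.

```python
"""Reconstruct a handset's movements from cellular signalling records.

Added example (not from the book). Every attach attempt, accepted or
rejected, ties an IMSI and an IMEI to one cell at one moment, and a
cell-to-coordinates table turns those records into a trail. All log lines,
identifiers, towers and the log format are constructed for this example.
"""
import re
from math import asin, cos, radians, sin, sqrt


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI into MCC (country), MNC (operator) and MSIN (subscriber).

    Simplified E.212 rule (assumption): US MCCs 310-316 use a 3-digit MNC,
    everything else a 2-digit MNC. Real code needs the full ITU table.
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError(f"malformed IMSI: {imsi!r}")
    mcc = imsi[:3]
    mnc_len = 3 if 310 <= int(mcc) <= 316 else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def imei_valid(imei: str) -> bool:
    """15-digit IMEI = 8-digit TAC + 6-digit serial + Luhn check digit."""
    if not (imei.isdigit() and len(imei) == 15):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed cell table: (mcc, mnc, lac, cid) -> (lat, lon, label).
# 310-260 plays the subscriber's home network, 310-410 a different carrier.
CELLS = {
    ("310", "260", "4101", "22017"): (36.1627, -86.7816, "downtown"),
    ("310", "410", "4102", "33008"): (36.1745, -86.7679, "north of downtown"),
    ("310", "260", "4203", "45110"): (36.0331, -86.7828, "suburb"),
}

# Constructed records in an invented one-line format. Line 2 is a rejected
# attach on another carrier's network; line 4 is a new SIM in the same handset.
LOG = """\
2018-01-05T07:58:10Z attach mcc=310 mnc=260 lac=4101 cid=22017 imsi=310260123456789 imei=490154203237518
2018-01-05T08:21:44Z reject mcc=310 mnc=410 lac=4102 cid=33008 imsi=310260123456789 imei=490154203237518
2018-01-05T17:40:02Z attach mcc=310 mnc=260 lac=4203 cid=45110 imsi=310260123456789 imei=490154203237518
2018-01-06T09:02:30Z attach mcc=310 mnc=260 lac=4203 cid=45110 imsi=310260987654321 imei=490154203237518
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>attach|reject) mcc=(?P<mcc>\d+) mnc=(?P<mnc>\d+) "
    r"lac=(?P<lac>\d+) cid=(?P<cid>\d+) imsi=(?P<imsi>\d+) imei=(?P<imei>\d+)"
)


def parse_log(text: str) -> list:
    """Parse records, validate the IMEI and flag attaches on a foreign network."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a signalling record
        rec = m.groupdict()
        if not imei_valid(rec["imei"]):
            raise ValueError(f"bad IMEI check digit: {line}")
        home = parse_imsi(rec["imsi"])
        rec["foreign"] = (rec["mcc"], rec["mnc"]) != (home["mcc"], home["mnc"])
        events.append(rec)
    return events


def trail_for_imei(events: list, imei: str) -> list:
    """Every sighting of one handset, whichever SIM it held or network saw it."""
    trail = []
    for e in events:
        cell = CELLS.get((e["mcc"], e["mnc"], e["lac"], e["cid"]))
        if e["imei"] == imei and cell is not None:
            lat, lon, label = cell
            trail.append((e["ts"], e["event"], e["imsi"], label, lat, lon))
    return trail


def haversine_km(p: tuple, q: tuple) -> float:
    lat1, lon1 = map(radians, p)
    lat2, lon2 = map(radians, q)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def trail_distance_km(trail: list) -> float:
    """Straight-line distance between successive sightings."""
    return sum(haversine_km(a[4:6], b[4:6]) for a, b in zip(trail, trail[1:]))


if __name__ == "__main__":
    events = parse_log(LOG)
    trail = trail_for_imei(events, "490154203237518")
    for ts, event, imsi, label, lat, lon in trail:
        print(f"{ts} {event:6} SIM ...{parse_imsi(imsi)['msin'][-4:]} near {label}")
    print(f"SIMs seen in this handset: {len({t[2] for t in trail})}")
    print(f"distance covered: {trail_distance_km(trail):.1f} km")
```

Two things in the output matter for the chapter's argument. The rejected attach on the other carrier's network still yields a sighting, because the foreign network logged the IMSI and cell before turning the phone away. And keying the trail on the IMEI rather than the IMSI joins the second SIM's history to the first: swapping SIM cards changes the subscriber identity but not the handset identity that the network can request.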
Electronic Eavesdropping – Your cellular service provider (and any government that can influence your cellular service provider) can access the baseband processor at will. This can be used to invade your privacy to a degree that most individuals would never imagine or consider feasible if they did. The phone’s microphone can be accessed and activated at will. This can allow eavesdropping on not only telephone conversations, but anything that can be received by the device’s internal microphone. How directly the baseband can reach the microphone depends on the hardware design: in some older designs the modem was wired straight into the audio path, while in many current designs the baseband is a separate chip that talks to the AP over a constrained interface and would have to compromise the AP first. Either way, nothing on the device lets you check which design you hold or what the baseband is doing with the audio hardware.
Many privacy enthusiasts take measures to prevent their communications from being intercepted in transit. This largely consists of using encrypted messaging and voice applications. There is certainly merit to this strategy as it protects your communications in transit. If the device’s microphone is compromised, however, these applications will do you little good. Your communications may be captured directly at the microphone, before they are ever encrypted, if your adversary has access to your baseband processor.
This access to the baseband can also potentially allow an attacker to activate the device’s camera. This is alarming to consider, but it is generally less problematic than the microphone being compromised. First, cameras can be fitted with “hack-proof” covers (see Chapter 6). Next, the compromising images the camera captures are few relative to the vast number of images of the inside of your pocket or purse. Though it may catch some here and there, the microphone has the potential to capture every word you utter if you spend all waking hours within earshot of your phone or cellular-connected tablet or other device(s), and is much more dangerous as a result.
Firmware Vulnerabilities – The firmware that runs baseband processors is infrequently patched. Baseband updates only ship bundled with the device maker’s firmware releases, so a phone that has fallen out of its manufacturer’s support window never receives them. This means that billions of phones all over the world are running baseband processors and RTOSs that have unpatched security vulnerabilities. Security researchers have warned of the dangers of these processors for years, but the industry has paid little mind. In the last year alone, researchers have published numerous reports of vulnerabilities in baseband firmware, and the most serious of them can be triggered over the air by a rogue base station without any action on the user’s part.
Protecting yourself from the two sides of your Smartphone (the Baseband/RTOS and the AP/APOS) requires different strategies. The first chapter of this book will cover protecting yourself from your device’s computer. Successive chapters in this work will discuss protecting yourself from the vulnerabilities inherent in the existence of a baseband processor.
To be continued in part two later this week.
ABOUT THE AUTHORS
Justin Carroll is a former Marine, plank-owner in the elite Marine Special Operations Command (MARSOC) and has worked on a contractual basis with another government agency. After completing his last overseas deployment, Justin spent five years teaching digital security and identity management to hundreds of soldiers, sailors, and Marines of the United States Special Operations Command (USSOCOM) and was instrumental in the development of a highly technical surveillance program currently in use abroad by US Special Operations Forces. Justin resides just outside of Nashville, TN and is the author of Your Ultimate Security Guide: Windows 7, and Your Ultimate Security Guide: iOS. He co-authored The Complete Privacy & Security Desk Reference and is the co-host of The Complete Privacy & Security Podcast.
You can follow and contact Justin through his blog: https://operational-security.com
Drew is a Detective in one of our Nation’s largest cities assigned to high profile cases that often require covert investigative skills. He investigates crimes involving narcotics, gangs, adult & child sex crimes, human trafficking, and Internet crimes against children (ICAC Task Force). As an open source intelligence analyst and computer forensics and cyber-security specialist, he utilizes these skills to assist in criminal and private investigations of all types. He is a veteran investigator at his agency, and forever a proud United States Marine with overseas deployment experience. First and foremost, he is a privacy and security advocate with a passion for teaching digital operational security and identity management solutions. His classes are available nationwide to law enforcement, military organizations, and select groups in the private sector.
You can follow and contact Drew through his blog: https://hidingfromtheinternet.com
Pick up your copy of “COMSEC: Off-the-Grid Communications Strategies for Privacy Enthusiasts, Journalists, Politicians, Crooks, and the Average Joe” on Amazon.