Is Your Cell Phone Tapped

Careful your cell phone may be eavesdropping. Thanks to recent developments in “spy phone” software, a do-it-yourself spook can now wirelessly transfer a wiretapping program to any mobile phone. The programs are inexpensive, and the transfer requires no special skill. The would-be spy needs to get his hands on your phone to press keys authorizing the download, but it takes just a few minutes—about the time needed to download a ringtone.

This new generation of -user-friendly spy-phone software has become widely available in the last year—and it confers stunning powers. The latest programs can silently turn on handset microphones even when no call is being made, allowing a spy to listen to voices in a room halfway around the world. Targets are none the wiser: neither call logs nor phone bills show records of the secretly transmitted data.

More than 200 companies sell spy-phone software online, at prices as low as $50 (a few programs cost more than $300). Vendors are loath to release sales figures. But some experts—private investigators and consultants in counter-wiretapping, computer-security software and telecommunications market research—claim that a surprising number of people carry a mobile that has been compromised, usually by a spouse, lover, parent or co-worker. Many employees, experts say, hope to discover a supervisor’s dishonest dealings and tip off the top boss anonymously. Max Maiellaro, head of Agata Christie Investigation, a private-investigation firm in Milan, estimates that 3 percent of mobiles in France and Germany are tapped, and about 5 percent or so in Greece, Italy, Romania and Spain. James Atkinson, a spy-phone expert at Granite Island Group, a security consultancy in Gloucester, Massachusetts, puts the number of tapped phones in the U.S. at 3 percent. (These approximations do not take into account government wiretapping.) Even if these numbers are inflated, clearly many otherwise law-abiding citizens are willing to break wiretapping laws.

Spyware thrives on iPhones, BlackBerrys and other smart phones because they have ample processing power. In the United States, the spread of GSM networks, which are more vulnerable than older technologies, has also enlarged the pool of potential victims. Spyware being developed for law-enforcement agencies will accompany a text message and automatically install itself in the victim’s phone when the message is opened, according to an Italian developer who declined to be identified. One worry is that the software will find its way into the hands of criminals.

The current predicament is partly the result of decisions by Apple, Microsoft and Research In Motion (producer of the BlackBerry) to open their phones to outside application-software developers, which created the opening for spyware. Antivirus and security programs developed for computers require too much processing power, even for smart phones. Although security programs are available for phones, by and large users haven’t given the threat much thought. If the spying keeps spreading, that may change soon.

Security Researchers Claim To Hack GSM Cell Calls

The creators of the in-development technology say they’ll be able to crack GSM encryption with only about $1,000 worth of equipment.

Security researchers presenting recently at the Black Hat D.C. conference in Washington, D.C., demonstrated technology in development that they say will be able to greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking place on GSM networks.

Many mobile operators worldwide use GSM networks, including T-Mobile and AT&T in the United States. The 64-bit encryption method used by GSM, known as A5/1, was first cracked in theory about 10 years ago, and researchers David Hulton and Steve, who declined to give his last name, said today that expensive equipment to help people crack the encryption has been available online for about 5 years.

Until now, however, it’s been prohibitively expensive for people to get their hands on this technology. If it works, the technology Hulton and Steve are developing should be able to crack GSM encryption in less than 30 minutes with about $1,000 worth of equipment, or in about 30 seconds with $100,000 worth of equipment. The technology could potentially be helpful to law enforcement investigators, but could also be taken advantage of by malicious hackers. Hulton says he plans to commercialize the more expensive version of the technology.

Other hardware Hulton and Steve referenced uses two different techniques to snoop on GSM calls and can cost between $70,000 and $1 million. So-called “active” systems simulate a GSM base station and don’t rely on encryption because they trick phones into connecting to the GSM network through them. Other, so-called “passive” systems snoop on the traffic and are far more expensive.

Hutton and Steve’s technology relies on the use of an array of devices known as field programmable gate arrays to first create a table of all the possible encryption keys — in this case 288 quadrillion — and then decrypt each of those over the course of three months. The resulting tables of keys could then be used by software to decrypt GSM communications, which first have to be intercepted using a receiver that can listen in on GSM frequencies.

During their talk, Hulton and Steve also discussed the vulnerabilities of mobile device SIM cards, noting that GSM networks broadcast SIM cards’ unique IDs in unencrypted text, which can tell attackers or law enforcement what kind of phone someone is using. The GSM network also can tell snoopers how far a phone is from a base station, within 200 meters of error. They noted that SIM cards run Java Virtual Machines that operators have access to, and suggested that it could be possible for malicious attackers to install applications on user’s phones without them ever knowing, potentially rerouting traffic to a third party who listens in to phone conversations.

The GSM Association, a trade group representing more than 700 GSM operators, said it could not comment on the specific claims Hulton and Steve are making. However, spokesman David Pringle said in an e-mailed statement that while researchers have showed how A5/1 could be compromised in theory, none of their academic papers have led to “practical attack capability that can be used on live, commercial GSM networks.” He also noted that more advanced encryption is beginning to be deployed for GSM networks and that other networks, including 3G networks, don’t use A5/1.

Cell Phone IED Revisited

Almost anything that blows up can be turned into an IED, from grenades to plastic explosives to leftover mines. The most everyday of electronics — a cell phone, a garage door opener, a child’s remote-control toy — can be recast as a trigger. And the hiding places for the handmade bombs are everywhere: in the ground, aboard a truck, even inside an animal carcass.

So far, the strongest push to silence the bombs has come from the Army, which has ordered thousands of radio-frequency jammers from Simi Valley, California, firm EDO Communications & Countermeasures. The devices, called Warlock Green and Warlock Red, intercept “the signal sent from a remote location to the IED instructing it to detonate,” an Army official told military newsletter Inside Defense. The signal “cannot make contact, therefore when it can’t make contact it doesn’t detonate,” he added. “(It’s like) the cell phone never gets through, but (enemy forces) think it goes through.”

The Army won’t say much about the machines. But last week, service chiefs signed a contract with EDO for an additional 1,440 Warlock jammers, to be delivered in May at a cost of more than $56 million.