How To Take Over A Cellphone (by Someone Who Shouldn't Know)
dafremen
Knowflake

Posts: 1178
From:
Registered: Nov 2002

posted November 09, 2007 01:51 PM
How To Take Over a Cell Phone
By Someone Who Shouldn't Know

DISCLAIMER: This is not an opportunity, nor is it a motive. This is a theory that one simple guy with a very strange mind concocted based on only a rudimentary, guess-based understanding of how telephone networks might work. There aren't enough details here to actually pull off a cell phone takeover. Even with the money, knowledge and motivation, it would be a bit twisted and an extremely inadvisable thing to do. This information is for anti-propaganda purposes only and is not to be considered a guide. Any use of the information contained herein is at your own risk and is VERY ILLEGAL. Nuff said.

Why write this? Well again, strange mind at work here. I'm a bit ticked off at "the blobulous system's" latest outpouring of b.s. regarding cell phone hacking.

Let's get something straight:

If it is possible to take over a cell phone (and I believe it is) then every person who owns a cell phone deserves to know that the risk is there so that they can make a choice that fits them. Some will simply say, "Eh, what are the odds?" Others will pitch their cell phones in the garbage.

It's this second group that had the media, law enforcement, cell phone manufacturers and everyone scrambling to explain why it was "not possible" to take over someone's cell phone in response to the cell phone hackings in Washington.

Understand that the entire conglomerate of begrudged telecommunications allies had recently spent billions on a new technology, complete with infrastructure. They were also hailing the various releases of several extremely anticipated models, including the super-hyped iPhone. Law enforcement, if this technology is real, now has a VERY powerful tool at their disposal for covert operations. And understand that the media pays its bills by keeping its advertisers and sources (read: Business and Government) happy. None of these powers has an interest in telling us that our phones can become spying devices. They all have an interest in denying it.

That's why I wrote this. To show that their response was a lie, and that it was a concerted, choreographed lie.

Because if a guy with only basic knowledge of cell phone technology can logically deduce enough of how that technology works to find an exploitable flaw, then someone with the money, knowledge and motivation could certainly do so. The phone companies, law enforcement agencies and the media all have such resources. For them to say it isn't possible... is patently absurd. (I know the hackers in the room are nodding their heads right about now.)

In the early 90s the government left behind clues that the ability to remotely activate and control cell phones is possible. Stories of the Army remotely activating an Iraqi official's cell to use as a missile homing signal are widespread. Here's an excerpt from a U.S. Army site which describes a device used during the 9/11 rescue efforts to locate people by activating their cell phones remotely. (Remember, the FBI claimed on FOX's Morning Show that this wasn't possible. Apparently I'm a better investigator than they are.) From a Google search:

"Slide 56
Engineers and contractor teams from Fort Monmouth were deployed to New York City and were charged with finding survivors in the rubble by locating their cell phones. This developmental classified device could remotely activate and triangulate a cell phone. The idea was that the World Trade Center in New York probably had a higher concentration of cell phones than any other place on earth."

source: www.monmouth.army.mil/historian/updates/forthistorybrief_text062206.doc

Also from an FBI sting operation that brought down a Mafia boss, details that seem to hint at the possibility of just such a device, along with the common knowledge that newer cell phones can have software installed via "flash upgrading" in a matter of seconds without the owner knowing it:

"In his memorandum opinion, Judge Kaplan described the roving bug as a "listening device" installed in the defendants' cellular phones that functioned regardless of whether the phone was powered on. Many models of cellular phones, however, can have their microphones remotely activated via a download—even without the knowledge of the owners. That could be what happened with Ardito and Peluso's cell phones. It is also possible that the FBI installed a bug directly on the phones."

source: http://arstechnica.com/news.ars/post/20061203-8343.html


While admittedly the gray area allows for a physically installed bug, most agree that the bug installed was a remotely installed software bug, since the FBI itself admitted how hard it was to track down the suspect, using that as their justification for requesting a "roving wiretap." To have obtained his cell phone long enough to take it apart, install a bug, or even flash-install new software? "Not likely" is the popular response to that query.

Those are just a few examples that I pointed to when the cover-up first came out. Still, something told me that I could almost prove it. There are certain aspects of the way cellphones HAVE to work that seem exploitable beyond belief.

The first is the fact that a cell phone has to maintain a constant signal for you while you are moving, no matter how fast you are moving. This means that your cell phone must constantly be in touch with several cell towers at once. Taking the time to authenticate and switch towers as needed would be too slow. That means the cell phone probably seeks out all tower signals (up to a maximum, I'd assume) and performs authentication with them WHILE you are talking. As cell tower signals drop off, the signals waiting in the background are probably sorted according to signal strength, with the strongest being the preferred signal (for quality reasons).

So imagine, if you will, Tarzan, swinging vine to vine, always choosing the strongest vine that lies along his path, not letting go of the previous vine until a second, stronger vine is grabbed first, or until the vine is too far behind him to hold onto anymore; then he falls. Your cell phone is Tarzan, the cell tower signals are the vines and the cell towers are like the trees those vines are attached to. The fall is a dropped call. That's how I envision a cell phone's signal acquisition strategy must be. The important point to this discussion is that the strongest authorized signal should always get priority on a cell phone.

The second interesting thing about the way cell phones work is that they seem to work even in places where the "carrier" network is not present. For instance, a cell phone (with roaming enabled) should be able to pick up a signal in Mexico and give me the crackly recording of some Spanish woman's voice telling me that my phone doesn't work there, or giving me instructions for making a call. In many cases, my call should simply go through. It should be convenient for me, the end user, and transparent. This means that there is probably some universal cell tower authentication protocol. It also means that there is some way that each LOCAL carrier authenticates the phone, authenticates the validity of that phone's account with the INTER/NATIONAL carrier, then authorizes the call, or sends a message to the phone telling the caller that there is no service available (usually in the local dialect). That means that ANY cell tower should be able to communicate with ANY cell phone (within certain technological thresholds, I'd imagine. I don't think an old 80s phone works anywhere anymore.)

These two "features" of the cell phone system could then prove to be a most exploitable flaw when combined. The solution to taking over a cell phone at this point should be fairly obvious to anyone that gives it a bit of thought. In order to take over a cell phone, I need to become the strongest signal, and I need to learn (or record the transmission of) the international authentication procedure between cell towers and cell phones.

What would be needed then is a van with a wooden or fiberglass side for the signal to get out, and a cell tower antenna. (I don't imagine a whole array would be necessary, since only one signal needs to be carried. Also, shielding would need to be provided to the driver and passengers to protect them from the radiation coming off of their antenna. Alternatively, the antenna could be mounted on the roof of a relatively unmodified van, although this would be more conspicuous.) The van might then be placed in a location where its signal strength is higher than the closest cell tower's. (Ultra-high power wouldn't necessarily be required if the van were parked close enough to the target phone.) At this point, the phone should acquire the new, stronger signal and request authentication to begin.

Authentication procedures could be emulated, or recorded and played back through the fake cell tower. The same procedure could be repeated for the various phone carriers until their authentication procedures are understood so that all phones can be taken over universally, OR those authentication procedures could be recorded for each unique cell phone that is to be taken over. Then the authentication portion of the call could be retransmitted, fooling the cell phone. (IF the encryption key isn't time-based but account-based, that is. Remember, this is all guesswork based on logic, not details from actual phone company policy and procedure.)

Upgrade procedures would be specific to the phone model, and so data would be available from the manufacturer on how to flash-upgrade the phone. (Or some super techie could hack them out by recording, then reverse engineering, the legitimate signals in the air. I'll admit that this second possibility is a BIT remote.)

Once the software is uploaded and installed, the phone could be activated through the fake cell tower, or simply by calling from various preprogrammed pay phone numbers uploaded along with the software. The new software would wait until caller ID was received before making any indication of a call. If the call came from one of the "select" numbers, the phone would remain silent, but would become active.

At least that's how it MIGHT work. But according to law enforcement, the cell phone companies, and our "protective friends" in the media, it's not possible. Hey, I guess that's another theory.

daf


Randall
Webmaster

Posts: 24466
From: Columbus, GA USA
Registered: Nov 2000

posted November 11, 2007 01:58 PM
Interesting.

------------------
"There is no use trying," said Alice; "one can't believe impossible things." "I dare say you haven't had much practice," said the Queen. "When I was your age, I always did it for half an hour a day. Why, sometimes I've believed as many as six impossible things before breakfast." Lewis Carroll
