This article is the second in a multi-part series about the security and privacy of a smartphone’s various radios. In last week’s post I talked about security and privacy surrounding smartphone Wi-Fi. In this post I will discuss the smartphone cellular interface. Because of the complexity of the cellular radio, this article took a little more time than usual to write. There are a number of security and privacy concerns here.
Smartphone Cellular Interface Tracking
Your phone is a tracking device. Smartphone, iPhone, Android phone, dumb phone, $20 “credit card” phone – it doesn’t matter. Your phone is a voluntary tracking device that you carry with you absolutely everywhere. Your wireless provider didn’t sell it to you as a personal tracking device, but it is one, although that isn’t its primary function. For a cellular phone to work, it must be connected to towers that actually provide the network connectivity. The location and coverage footprint of each tower are geographically referenced. When your phone connects to one (it will generally prefer the one with the strongest signal) it has created a record. The network has recorded which subscriber and which device attached (by IMSI – the subscriber identity stored on the SIM – and by IMEI – International Mobile Equipment Identity, the hardware serial), at which tower, and the date and time. I’m sparing the details of the T3212 location update timer (the periodic check-in that keeps this record current even when you aren’t making calls or using data) and some other details, but this is the essence of how it works.
There is some controversy about the accuracy of this tracking. The tower can’t say definitively “she was at this address” or “he was in this building”. All it can say is that “she was somewhere in the footprint of this tower”. In densely populated areas, however, coverage overlaps: the footprints of neighboring towers (and of the individual sectors on each tower, which the network logs separately) overlap like a Venn diagram. If you are in the overlapping area of two or more towers, your location can be recorded with more accuracy than it otherwise would be. Tower information also need not be used in a vacuum; other information can be added to it to paint a clearer picture.
Let’s assume you are driving along I-40 through New Mexico. There are few people and even fewer cell towers, so you aren’t going to be in the footprint of 10 towers at once. However, a sequence of records from 10 separate towers can reveal how fast you are traveling and your direction of travel, and rule out pretty much everything except a drive on I-40. Cell tower records can also “see” when two phones in close proximity turn off at the same time. They can see when two phones come together, or when two phones spend the night beside each other. They can see which phones are in a certain area when a certain purchase is made. This list could go on endlessly. If you want more information, the audio portion of this article explains how cell phones are tracked in pretty good detail.
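Two of the inferences described above (speed and direction from a chain of tower sightings, and how much a second tower’s overlapping footprint shrinks the candidate area) as an added worked example. It is not from the article and not any carrier’s tooling; the tower coordinates, coverage radii and the sighting log are all constructed, and a sighting is reduced to (timestamp, tower id) with no sector, signal-strength or timing-advance data.

```python
"""
Added example (not from the original article, and not any carrier's code):
what can be inferred from nothing more than tower sightings.

Constructed assumptions:
  * a sighting is (timestamp, tower_id), as the network would log it
  * TOWERS maps a tower id to its site coordinates and a rough coverage
    radius in km; the phone is assumed to be somewhere inside that circle
  * no sector, signal-strength or timing-advance data is used
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, atan2, cos, degrees, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Tower:
    lat: float
    lon: float
    radius_km: float  # approximate footprint


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial compass bearing from point 1 to point 2 (0 = north, 90 = east)."""
    p1, p2, dlon = radians(lat1), radians(lat2), radians(lon2 - lon1)
    x = sin(dlon) * cos(p2)
    y = cos(p1) * sin(p2) - sin(p1) * cos(p2) * cos(dlon)
    return (degrees(atan2(x, y)) + 360.0) % 360.0


def infer_movement(sightings, towers):
    """Speed (km/h), heading (deg) and path length (km) implied by a chronological
    list of (timestamp, tower_id) sightings: distance is summed tower to tower,
    heading is taken from the first tower to the last."""
    if len(sightings) < 2:
        raise ValueError("need at least two sightings")
    path_km = 0.0
    for (_, a_id), (_, b_id) in zip(sightings, sightings[1:]):
        a, b = towers[a_id], towers[b_id]
        path_km += haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = (sightings[-1][0] - sightings[0][0]).total_seconds() / 3600.0
    first, last = towers[sightings[0][1]], towers[sightings[-1][1]]
    return path_km / hours, bearing_deg(first.lat, first.lon, last.lat, last.lon), path_km


def overlap_box(tower_ids, towers, step_deg=0.005):
    """Bounding box (min_lat, min_lon, max_lat, max_lon) of the area inside
    *every* named footprint (the Venn overlap), found by grid sampling, or
    None when the footprints do not intersect. Coarse on purpose: the point is
    how much a second tower shrinks the candidate area."""
    ts = [towers[i] for i in tower_ids]
    lats, lons = [t.lat for t in ts], [t.lon for t in ts]
    pad_lat = max(t.radius_km for t in ts) / 111.0           # ~111 km per degree of latitude
    pad_lon = pad_lat / cos(radians(sum(lats) / len(lats)))   # longitude degrees shrink with latitude
    hits = []
    lat = min(lats) - pad_lat
    while lat <= max(lats) + pad_lat:
        lon = min(lons) - pad_lon
        while lon <= max(lons) + pad_lon:
            if all(haversine_km(lat, lon, t.lat, t.lon) <= t.radius_km for t in ts):
                hits.append((lat, lon))
            lon += step_deg
        lat += step_deg
    if not hits:
        return None
    return (min(h[0] for h in hits), min(h[1] for h in hits),
            max(h[0] for h in hits), max(h[1] for h in hits))


# Constructed towers roughly along I-40 east of Albuquerque, 0.1 deg (~9 km) apart.
TOWERS = {f"T{i}": Tower(35.0, -106.0 + 0.1 * i, 6.0) for i in range(5)}
TOWERS["X1"] = Tower(35.0, -105.89, 6.0)   # ~10 km from T0, so its footprint overlaps T0's


def i40_sightings():
    """Constructed log: one tower every five minutes, T0 through T4."""
    t0 = datetime(2015, 9, 14, 8, 0, 0)
    return [(t0 + timedelta(minutes=5 * i), f"T{i}") for i in range(5)]


if __name__ == "__main__":
    speed, heading, dist = infer_movement(i40_sightings(), TOWERS)
    print(f"{dist:.1f} km in 20 min -> {speed:.0f} km/h, heading {heading:.0f} deg (east)")
    print("one tower:   ", overlap_box(["T0"], TOWERS))
    print("two towers:  ", overlap_box(["T0", "X1"], TOWERS))
    print("far apart:   ", overlap_box(["T0", "T3"], TOWERS))
```

Five sightings spaced five minutes apart along a line of towers yield roughly 110 km/h on a heading of 90 degrees, which on its own rules out almost everything but a car on the interstate. The single-tower box is about 12 km on a side; adding one overlapping tower narrows the east-west extent to around 2 km while leaving the north-south extent at 6 km or so, which is exactly the “lens” of the Venn diagram.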
Your location information is available in near-real time (NRT) and as history. Your cellular provider will hold on to this information more or less indefinitely, where it is available to them, their partners and affiliates, and government agencies. This is somewhat good news: currently this information isn’t open to the public. However, we all know that even the government’s ability to protect data is questionable at best. And if you are worried about government and corporate surveillance, this information should be incredibly alarming to you.
Countermeasures: Sadly, there isn’t much you can do to prevent this form of tracking. The options you do have also severely limit the usefulness of the device itself, so they aren’t practical for most of us. You can put your phone into airplane mode or power it off. These are half-measures, and if you really need this level of protection you should probably also be using a Faraday bag†. The other option is to leave your phone behind. This is hard to do, but I try to leave it in the car before I go in a store, and leave it at home if I’m just running out for quick errands. I agree that it’s difficult to be without constant connectivity, but it also feels liberating to know that I’m “running free” occasionally, and that I’ve gone a few places that aren’t recorded anywhere.
Smartphone Cellular Interface Traffic Inspection
All of the traffic that you haven’t encrypted yourself that is transmitted or received over your cellular radio is vulnerable to inspection. The radio link between your phone and the tower is normally encrypted, but that encryption ends at the carrier, which sees your traffic in the clear. This includes your voice communications and SMS communications. Though the content of these communications may not be stored indefinitely, the metadata about them is. Your browsing data is not safe either. The so-called “supercookie” is a unique tracking identifier that your wireless provider inserts into the headers of your unencrypted HTTP requests as they pass through its network (in Verizon’s case the X-UIDH header, carrying a token of around fifty characters). Because it is tied to your account rather than to anything in your browser, it survives clearing cookies, private browsing and switching browsers, and the provider can use it to see the websites that you visit. Unfortunately, these identifiers can also be seen by the websites themselves. This allows websites, and any ad network embedded in them, to track you from site to site based on the same tracking identifier. Though Verizon was the first company caught doing this, it was far from the only one.
Countermeasures: What can you do about traffic inspection and “supercookies”? Not to sound like a broken record, but… use a virtual private network. The injection only works on plaintext HTTP the carrier can parse; a VPN tunnels everything through an encrypted connection the carrier can’t read or modify, and sticking to HTTPS sites does the same for web browsing in particular. (A VPN moves the vantage point rather than removing it: the VPN provider now sees what the carrier used to.) You should also use apps like Signal, Wickr, Threema, and even iMessage to protect content.
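The header injection and the cross-site correlation described above, as an added example that is not from the article or from any carrier. The token, the requests and the stand-in “carrier proxy” are constructed; X-UIDH is the header name Verizon actually used. The same function that injects into plaintext HTTP is also shown passing a TLS ClientHello through untouched, which is the whole reason HTTPS and VPNs defeat it.

```python
"""
Added example (not from the article, and not Verizon's code): how a carrier
"supercookie" rides on plaintext HTTP, how a third party correlates it across
sites, and why a TLS/VPN tunnel leaves the carrier nothing to inject into.

Assumptions: X-UIDH is the header name Verizon used; the token value, the
requests and the stand-in 'carrier proxy' below are all constructed.
"""
SUPERCOOKIE_HEADER = b"X-UIDH"


def carrier_inject(raw: bytes, subscriber_token: bytes) -> bytes:
    """Stand-in for the carrier's transparent proxy. If the bytes parse as a
    plaintext HTTP/1.x request, append the tracking header; anything else
    (a TLS ClientHello, a VPN packet) is opaque and passes through untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if not sep or len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return raw
    lines.append(SUPERCOOKIE_HEADER + b": " + subscriber_token)
    return b"\r\n".join(lines) + sep + body


def parse_headers(raw: bytes) -> dict:
    """Minimal server-side parse of an HTTP/1.x request head: {lower-name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers


def correlate(requests) -> dict:
    """What an ad network embedded on many sites can do: group requests by the
    injected identifier, ignoring Host and any cookies the user may have cleared."""
    by_id = {}
    for raw in requests:
        h = parse_headers(raw)
        if "x-uidh" in h:
            by_id.setdefault(h["x-uidh"], set()).add(h.get("host", ""))
    return by_id


def demo():
    """Two plaintext requests to unrelated sites plus one TLS handshake, all
    passing through the carrier. Returns (correlation table, tls_untouched)."""
    token = b"OTgxNTk0NDk1ODE1NDY5NDQ2MDE3NzY2Mjg0NjUzMDgxNjg3OTgz"   # constructed token
    news = b"GET /article HTTP/1.1\r\nHost: news.example\r\nUser-Agent: phone\r\n\r\n"
    shop = b"GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: session=cleared\r\n\r\n"
    tls_hello = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32   # opaque to the proxy
    seen = correlate([carrier_inject(news, token), carrier_inject(shop, token)])
    untouched = carrier_inject(tls_hello, token) == tls_hello
    return seen, untouched


if __name__ == "__main__":
    seen, untouched = demo()
    for uid, hosts in seen.items():
        print(f"identifier {uid[:12]}... seen at: {sorted(hosts)}")
    print("TLS bytes modified by carrier:", not untouched)
```

Both plaintext requests come out of the “carrier” carrying the same X-UIDH value, so a party that sees requests to both hosts can tie them to one subscriber even though the Cookie header is useless to it; the TLS bytes are returned unchanged because there is no header block to append to. The detection side is trivial for a site operator: log any request that arrives with X-UIDH (or another carrier-injected header) and you can see which of your visitors are being tagged.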
Smartphone Cellular Interface Baseband Access
Your cell phone actually has two operating systems. The first, on the front-end, is the one you interact with every day (iOS or Android). The other runs the “baseband processor”. The baseband processor (and the real-time operating system that controls it) manages the cellular radio: it implements the cellular protocol stack, talks to the tower, and is what the network actually commands. Unfortunately it also tends to have an extraordinary level of access to the rest of the device (how much depends on the design; some phones let the baseband reach shared memory directly, others isolate it behind a bus interface), its firmware is closed and rarely audited, and the security of this OS is minimal. Baseband access is what makes things like the “NSA turning on your phone remotely” possible. The baseband processor is also what makes attacks like this one possible. Sadly, this is also one of those vulnerabilities that it’s hard to do much about. You can go without a phone, or you can set up a device that lacks a baseband processor. This is what I was going for in my Ultra-Private iPod series back in July.
The Bottom Line
A cell phone is a compromise. You are giving up some major privacy and security in exchange for some major benefits. I don’t expect anyone here to give up their phone (including me). There are just too many benefits. You should at least be aware of the dangers and take the steps you can to mitigate them. Every countermeasure you implement is one more layer, and every data point you preserve is one more chunk of your privacy. In the next installment of this series I will address Bluetooth and NFC, and maybe a couple of other items like GPS and services like “Hey, Siri” and “Ok, Google”.
†To be clear: a Faraday bag only prevents the phone from transmitting or receiving – it does not prevent it from potentially recording your conversation to transmit at a later date. If you are having sensitive conversations that you really want to keep to yourself, you should also physically separate yourself from the device before having your conversation.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.