You spend countless hours on your cell phone every day, chatting, texting, surfing the Internet. But do you actually know how your cell phone works?
Cellular service, which we use on our mobile devices, is wireless and relies upon cellular towers, or base stations. To maintain connectivity, cell phones continually send out tiny beacons to the tower or towers physically closest to them. The signal response to those beacons from the towers translates into the number of “bars” you have—no bars, no signal.
To protect the identity of the user somewhat, these beacons from your cell phone use what is known as the international mobile subscriber identity, or IMSI, a unique number assigned to your SIM card. The IMSI dates from the time when cellular networks needed to know when you were on their towers and when you were roaming (using other carriers’ cell towers). The first part of the IMSI uniquely identifies the mobile network operator, and the remaining part identifies your mobile phone to that network operator.
Law enforcement has created devices that pretend to be cellular base stations. These are designed to intercept voice and text messages. In the United States, law enforcement and intelligence agencies also use other devices to catch IMSIs (see here). The IMSI is captured instantly, in less than a second, and without warning. Typically IMSI catchers are used at large rallies, allowing law enforcement to later identify who was in attendance, particularly if those individuals were actively calling others to join in.
Devices like these can also be used by commuting services and apps to create traffic reports. Here the actual account number, or IMSI, doesn’t matter, only how fast your cell phone moves from tower to tower or geographic region to geographic region. The amount of time it takes a cell phone to come and go from each tower determines the traffic status: red, yellow, or green.1
Your mobile device connects to a series of cellular towers whenever it’s powered up. The closest tower actually handles your call, text, or Internet session. As you move around, your phone pings the nearest tower and, if necessary, your call moves from tower to tower, all the while maintaining consistency. The other nearby towers are all on standby, so that if you move from point A to point B and another tower comes into range for a better signal, then the handoff is smooth and you shouldn’t experience a dropped call.
Suffice it to say that your mobile device emits a unique sequence that is logged on a number of individual cellular towers. So anyone looking at the logs of a specific tower would see the temporary mobile subscriber identity (TMSI) of all the people in the general area at any given moment, whether they made calls or not. Law enforcement can and does request this information from cellular carriers, including the back-end account identities of specific holders.
Ordinarily, if you look at just one cell tower’s log, the data might only show that someone was passing through and that his or her device contacted a specific cell tower as a standby. If a call was made or if data was exchanged, there would also be a record of that call and its duration.
Data from multiple cell-tower logs, however, can be used to geographically pinpoint a user. Most mobile devices ping three or more towers at a time. Using logs from those cell towers, someone can triangulate, based on the relative strength of each ping, a fairly exact location of the phone’s user. So the phone you carry around every day is essentially a tracking device.
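As an added illustration of the triangulation just described (not code from the book): given the positions of three or more towers and the signal strength each logged for one handset, the ranges implied by a path-loss model define circles, and a least-squares fit of those circles yields a position estimate. The tower coordinates, path-loss parameters and signal readings are constructed, and the fit generalizes to any number of towers beyond three.

```python
"""Position estimate from the per-tower signal strength found in cell-site logs.
Added example, not from the book; tower coordinates, path-loss parameters and
signal readings are all constructed."""
import math

# Log-distance path-loss model (assumed): rssi = RSSI_AT_1M - 10*n*log10(d)
RSSI_AT_1M = -30.0   # dBm one metre from the antenna (constructed)
PATH_LOSS_EXP = 2.0  # free-space-like exponent (assumed)

def rssi_to_distance(rssi_dbm):
    """Invert the path-loss model to estimate range in metres."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))

def distance_to_rssi(d_m):
    """Forward model, used only to build the constructed sample readings."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(d_m)

def trilaterate(readings):
    """readings: list of (tower_x, tower_y, rssi_dbm), at least three towers.
    Each reading defines a circle of radius rssi_to_distance(rssi) around the
    tower.  Subtracting the first circle's equation from the others leaves a
    linear system in (x, y), solved here by least squares (normal equations),
    so extra towers simply tighten the fit."""
    if len(readings) < 3:
        raise ValueError("need at least three towers")
    x0, y0, r0 = readings[0][0], readings[0][1], rssi_to_distance(readings[0][2])
    rows, rhs = [], []
    for x, y, rssi in readings[1:]:
        r = rssi_to_distance(rssi)
        rows.append((2 * (x - x0), 2 * (y - y0)))
        rhs.append(r0**2 - r**2 + x**2 - x0**2 + y**2 - y0**2)
    a11 = sum(a * a for a, _ in rows)
    a12 = sum(a * b for a, b in rows)
    a22 = sum(b * b for _, b in rows)
    b1 = sum(a * v for (a, _), v in zip(rows, rhs))
    b2 = sum(b * v for (_, b), v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det

# Constructed scenario: handset at (300, 400) m, four towers, each reading
# perturbed by a fixed dB offset standing in for real-world measurement noise.
TRUE_POS = (300.0, 400.0)
TOWERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]
NOISE_DB = [1.5, -1.0, 2.0, -1.5]

def sample_readings(noise=NOISE_DB):
    """Build the constructed log entries for the scenario above."""
    out = []
    for (tx, ty), n in zip(TOWERS, noise):
        d = ((tx - TRUE_POS[0]) ** 2 + (ty - TRUE_POS[1]) ** 2) ** 0.5
        out.append((tx, ty, distance_to_rssi(d) + n))
    return out

def estimate_error(noise=NOISE_DB):
    """Metres between the fitted position and the true one."""
    ex, ey = trilaterate(sample_readings(noise))
    return ((ex - TRUE_POS[0]) ** 2 + (ey - TRUE_POS[1]) ** 2) ** 0.5

if __name__ == "__main__":
    print("estimated position:", trilaterate(sample_readings()))
    print("error in metres:", round(estimate_error(), 1))
```

A couple of dB of measurement noise still leaves the fix within a few hundred metres, which is why tower logs alone are enough to place a phone on a particular block.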
How can you avoid being tracked?
Signing a contract with a cell-phone carrier requires a name, address, and a Social Security number. Additionally, there’s a credit check to make sure you can pay your monthly bill. You can’t avoid this if you go with a commercial carrier.
A burner phone seems like a reasonable option. A prepaid cell phone, perhaps one that you replace frequently (say, weekly or even monthly), avoids leaving much of a trail. Your TMSI will show up on cell tower logs, then disappear. If you purchased the phone discreetly, it won’t be traceable back to a subscriber account. Prepaid cell services are still subscriber accounts, so the IMSI will always be assigned to an account. Therefore, a person’s anonymity depends on how he or she acquired the burner device.
For the sake of argument, let’s assume you have successfully disconnected yourself from the purchase of a burner phone. You followed the steps outlined here and used a person unrelated to you to purchase the phone for cash. Is the use of that disposable phone untraceable? The short answer is no.
Here’s a cautionary tale: one afternoon in 2007, a $500 million container loaded with the drug ecstasy went missing from a port in Melbourne, Australia. The owner of the container, Pat Barbaro, a known drug dealer, reached into his pocket, pulled out one of his twelve cell phones, and dialed the number of a local reporter, Nick McKenzie, who would only know the caller by the name Stan. Barbaro would later use his other burner phones to text McKenzie, attempting to anonymously obtain information from the investigative reporter about the missing container. As we will see, this didn’t work.
Burner phones, despite what many people may think, are not truly anonymous. Under the US Communications Assistance for Law Enforcement Act (CALEA), all IMSIs connected with burner phones are reported, just as those subscribers under contract with major carriers are. In other words, a law enforcement official can spot a burner phone from a log file just as easily as he can spot a registered contract phone. While the IMSI won’t identify who owns the phone, patterns of usage might.
In Australia, where CALEA does not exist, law enforcement was still able to keep tabs on Barbaro’s many phones using rather traditional methods. For instance, they might have noticed a call made with his personal phone and then a few seconds later seen in the log files another call or text from one of his burner phones in the same cell site. Over time, the fact that these IMSIs more often than not appeared together on the same cell sites might suggest that they belonged to a single individual.
The problem with Barbaro’s having many cell phones at his disposal was that no matter which phone he used, personal or burner, so long as he stayed in the same spot, the signal would hit the same cellular tower. The burner-phone calls always appeared next to his registered-phone calls. The registered phone, listed in his name with a carrier, was entirely traceable and helped law enforcement identify him. It established a solid case against him, particularly because this pattern was repeated at other locations. This helped Australian authorities convict Barbaro of orchestrating one of the largest ecstasy shipments in Australia’s history.
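The co-location pattern that undid Barbaro, as an added example (not from the book) of why a burner carried next to a registered phone is not anonymous: two identifiers that keep appearing on the same cell site within seconds of each other, at several different sites, stand out in the logs. The log lines, site names and identifiers below are constructed.

```python
"""Co-location analysis over a cell-site log.  Added example, not from the
book; SAMPLE_LOG and every identifier in it are constructed."""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed cell-site log: timestamp, cell site, subscriber identifier, event
SAMPLE_LOG = """\
2007-04-02T10:00:03 SITE_A IMSI_REG   call_start
2007-04-02T10:00:09 SITE_A IMSI_BURN1 sms_send
2007-04-02T10:01:30 SITE_A IMSI_OTHER call_start
2007-04-02T13:15:00 SITE_B IMSI_REG   call_start
2007-04-02T13:15:07 SITE_B IMSI_BURN1 sms_send
2007-04-02T13:20:00 SITE_B IMSI_OTHER call_start
2007-04-03T09:30:00 SITE_C IMSI_REG   call_start
2007-04-03T09:30:05 SITE_C IMSI_BURN1 call_start
2007-04-03T18:00:00 SITE_D IMSI_OTHER sms_send
2007-04-03T18:00:04 SITE_D IMSI_BURN1 sms_send
"""

def parse_log(text):
    """Return (timestamp, site, imsi) tuples; the event type is not needed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, imsi, _event = line.split()
        events.append((datetime.fromisoformat(ts), site, imsi))
    return events

def co_located_pairs(events, window_s=60):
    """Map each pair of identifiers to the set of sites where both appeared
    within window_s seconds of each other."""
    by_site = defaultdict(list)
    for ts, site, imsi in events:
        by_site[site].append((ts, imsi))
    pairs = defaultdict(set)
    for site, entries in by_site.items():
        # sorted by time, so t2 >= t1 for every combination
        for (t1, i1), (t2, i2) in combinations(sorted(entries), 2):
            if i1 != i2 and (t2 - t1).total_seconds() <= window_s:
                pairs[tuple(sorted((i1, i2)))].add(site)
    return pairs

def linked_identifiers(events, min_sites=3, window_s=60):
    """Pairs seen together at min_sites or more distinct sites: one
    coincidence is noise, the same coincidence at three sites is a pattern."""
    return {pair: sorted(sites)
            for pair, sites in co_located_pairs(events, window_s).items()
            if len(sites) >= min_sites}

if __name__ == "__main__":
    for pair, sites in linked_identifiers(parse_log(SAMPLE_LOG)).items():
        print(pair, "seen together at", ", ".join(sites))
```

The single overlap between IMSI_BURN1 and IMSI_OTHER at SITE_D is filtered out by the site threshold; only the burner that travels everywhere with the registered phone is linked.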
McKenzie concluded, “Ever since the phone buzzed that day in my pocket, and ‘Stan’ briefly entered my life, I’ve been especially conscious about how a person’s communications leave a trail, no matter how careful they are.”2
You could, of course, have only a burner phone. This would mean that you would need to purchase additional minutes anonymously using prepaid cards or Bitcoin from time to time, which you can do by using an open Wi-Fi safely after changing your media access control (MAC) address on your wireless card (see here), and being out of any camera view. Or you could, as suggested in the previous chapter, hire a stranger to pay cash at the store to purchase the prepaid phone and several refill cards.3 This adds cost and perhaps inconvenience, but you would have an anonymous phone.
Although it may seem brand new, cellular technology is more than forty years old, and it, like copper-wire telephone systems, contains legacy technologies that can compromise your privacy.
Each generation of cell-phone technology has offered new features, mostly intended to move more data more efficiently. First-generation phones, or 1G, had the telephone technology available in the 1980s. These early 1G networks and handsets were analog-based, and they used a variety of now discontinued mobile standards. In 1991, the second-generation (2G) digital network was introduced. This 2G network offered two standards: global system for mobile communications (GSM) and code division multiple access (CDMA). It also introduced short message service (SMS), unstructured supplementary services data (USSD), and other simple communications protocols that are still in use today. We’re currently in the middle of 4G/LTE and on the way toward 5G.
No matter what generation of technology a given carrier is using (2G, 3G, 4G, or 4G/LTE), there is an underlying international signal protocol known as the signaling system. The signaling system protocol (currently in version 7), among other things, keeps mobile calls connected when you drive along a freeway and switch from cell tower to cell tower. It can also be used for surveillance. Signaling system 7 (SS7) does basically everything necessary to route a call, such as:
Setting up a new connection for a call
Tearing down that connection when the call ends
Billing the appropriate party making the call
Managing extra features such as call-forwarding, calling party name and number display, three-way calling, and other Intelligent Network (IN) services
Toll-free (800 and 888) as well as toll (900) calls
Wireless services, including subscriber identification, carrier, and mobile roaming
Speaking at the Chaos Communication Congress, an annual computer hacker conference held in Berlin, Germany, Tobias Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, explained that they could not only locate cell-phone callers anywhere in the world, they could also listen in on their phone conversations. And if they couldn’t listen in real time, they could record the encrypted calls and texts for later decryption.
In security, you are only as secure as the weakest link. What Engel and Nohl found was that while developed countries in North America and Europe have invested billions in creating relatively secure and private 3G and 4G networks, they must still use signaling system 7 (SS7) as an underlying protocol.
SS7 handles call establishment, billing, routing, and information-exchange functions, which means that if you can tap into SS7, you can manipulate the call. SS7 allows an attacker to use a small carrier in, say, Nigeria to access calls made in Europe or the United States. “It’s like you secure the front door of the house, but the back door is wide open,” said Engel.
The two researchers tested a method in which an attacker uses a phone’s call-forwarding function and SS7 to forward a target’s outgoing calls to himself before conferencing (three-way calling) in their intended recipient. Once the attacker has established himself, he can listen to all calls made by the targeted individual from any place on earth.
Another strategy would be for the attacker to set up radio antennas to collect all cellular calls and texts within a given area. For any encrypted 3G calls, the attacker could ask SS7 to provide him with the proper decryption key.
“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”4 He then enumerated almost every major carrier in North America and Europe, around twenty in all.
Nohl and Engel also found that they could locate any cell-phone user by using an SS7 function called an anytime interrogation query. That is, they could do so until the function was shut down early in 2015. However, since all carriers must track their users in order to provide service, SS7 provides other functions that still allow some remote surveillance. It should be noted that the specific flaws identified by Nohl and Engel have been mostly mitigated by the carriers since their research went public.
You might think that encryption alone would help keep cell-phone calls private. Beginning with 2G, GSM-based phone calls have been encrypted. However, the initial methods used to encrypt calls in 2G were weak and eventually broke down. Unfortunately, the cost of upgrading cellular networks to 3G proved prohibitive for many carriers, so a weakened 2G remained in use until around 2010 or so.
In the summer of 2010, a team of researchers led by Nohl divided all the possible encryption keys used by 2G GSM networks among themselves and crunched the numbers to produce what’s called a rainbow table, a list of precomputed keys or passwords. They published the table to show carriers around the world just how insecure 2G encryption using GSM is. Each packet—or unit of data between source and destination—of voice, text, or data sent over 2G GSM could be decrypted in just a few minutes using the published table of keys.5 This was an extreme example, but the team considered it necessary; when Nohl and others had previously presented their findings to the carriers, their warnings fell on deaf ears. By demonstrating how they could crack 2G GSM encryption, they more or less forced the carriers to make the change.
It is important to note that 2G still exists today, and carriers are considering selling access to their old 2G networks for use in Internet of Things devices (devices other than computers that connect to the Internet, such as your TV and refrigerator), which only need occasional data transmission. If this happens, we will need to make sure the devices themselves have end-to-end encryption because we know that 2G will not provide strong enough encryption by itself.
Of course eavesdropping existed before mobile devices really took off. For Anita Busch, the nightmare started the morning of June 20, 2002, when she awoke to a neighbor’s urgent knock on her door. Someone had put a bullet hole in the windshield of her car as it sat in the driveway. Not only that, someone had also left Busch a rose, a dead fish, and a one-word note—“Stop”—on the car’s hood.6 Later she would learn that her phones had been tapped, and not by law enforcement.
The fact that the scene with a bullet hole and a dead fish was reminiscent of a bad Hollywood gangster movie made some sense. Busch, a seasoned reporter, was at the time only a few weeks into a freelance assignment chronicling organized crime’s growing influence in Hollywood for the Los Angeles Times. She was researching Steven Seagal and his former business partner, Julius R. Nasso, who had been indicted for conspiring with the New York Mafia to extort money from Seagal.7
What followed the note on her car was a series of phone messages. The caller apparently wanted to share some information about Seagal. Much later Busch learned that the caller had been hired by Anthony Pellicano, a former high-profile Los Angeles private investigator who, at the time Busch’s car was tampered with, was already suspected by the FBI of illegal wiretapping, bribery, identity theft, and obstruction of justice. Busch’s copper-wire phone had been tapped by Pellicano, who knew by eavesdropping on her calls that she was writing a newspaper story about his clients. The fish head on her car was an attempt to warn her off.
Typically wiretapping is only associated with phone calls, but wiretapping laws in the United States can also cover eavesdropping on e-mail and instant messages. For the moment I’ll focus on wiretapping’s traditional use, in copper-wire landlines.
Landlines are the hardwired phones in your home or business, and wiretapping involves literally tapping into the live wire. Back in the day, phone companies each had physical banks of switches on which they performed a version of wiretapping. What that means is that the phone company had special appliances that the frame techs hooked up to the target phone number on the mainframe in the central office. There is additional wiretapping equipment that dials into this appliance and is used to monitor the target. Today, that way of eavesdropping is retired: phone companies are all required to implement the technical requirements mandated by CALEA.
Although a growing number of people today have shifted to mobile phones, many still retain their landlines for their copper-wire dependability. Others use what’s called Voice over Internet Protocol (VoIP) technology, which is telephony over the Internet and usually bundled in the home or office with your cable or Internet service. Whether it’s a physical switch at the phone company or a digital switch, law enforcement does have the ability to eavesdrop on calls.
The 1994 CALEA requires telecommunications manufacturers and carriers to modify their equipment for the purposes of allowing law enforcement to wiretap the line. So under CALEA, any landline call in the United States is theoretically subject to interception. And under CALEA, all law enforcement access requires a Title III warrant. That said, it’s still illegal for an ordinary citizen to conduct a wiretap, which is what Anthony Pellicano did to covertly monitor Anita Busch and others. His list of eavesdropping victims happens to include Hollywood celebrities such as Sylvester Stallone, David Carradine, and Kevin Nealon, among others.
His list of wiretap victims also includes my friend Erin Finn, because her ex-boyfriend was obsessed with her and wanted to track her every move. Because her phone line had been tapped, I, too, was monitored when I called her. The coolest part of the saga is that AT&T paid me thousands of dollars as part of a class-action settlement because of Pellicano’s wiretapping of my calls to Finn. Which is somewhat ironic, because on another occasion, I was the one doing the tapping. Pellicano’s purpose in wiretapping people was perhaps more malicious than mine; he was trying to intimidate witnesses into either not testifying or testifying in a certain way.
Back in the mid-1990s, a wiretap had to be installed by technicians. So Pellicano, or one of his people, had to hire someone who worked at PacBell to tap Busch’s and Finn’s telephone lines. The technicians were able to set up extensions of the target phones at Pellicano’s office, in Beverly Hills. In this case there were no taps done at the junction box, or the terminal at the side of the house or apartment complex, although that is also possible.8
As you may recall from reading my previous book Ghost in the Wires, I once drove down from my father’s apartment in Calabasas to Long Beach to set up a physical wiretap on a phone line used by Kent, a friend of my late brother. There were many questions surrounding my brother’s death, from a drug overdose, and I believed he had a part in that death, though I later learned he was not involved. In the utility space within the apartment complex where Kent lived, I used social engineering to pretend to be a line technician calling a particular unit within GTE (General Telephone and Electronics) to find where the cable and pair assigned to Kent’s phone were located. It turned out that Kent’s phone wires ran through a completely separate apartment building. And so in a second utility space, I was ultimately able to clip my voice-activated microcassette tape recorder to his phone line at the terminal box (the place where phone company technicians connect the lines to each apartment).
After that, anytime Kent made a call, I could record both sides of the conversation without his knowing I was doing so—though I should note that while the recordings were in real time, my listening to them was not. Every day over the next ten days I had to make the sixty-minute drive to Kent’s apartment, afterward listening to the retrieved tapes for any mention of my brother. Unfortunately, nothing ever came of it. Years later I learned that my uncle had likely been responsible for my brother’s death.
Given how easy it was for Pellicano and me to tap into private phone conversations, you may wonder how you can become invisible with a copper-wire landline phone that is apparently open to surveillance. You can’t, without buying special equipment. For the truly paranoid, there are landline phones that will encrypt all your voice conversations over copper wires.9 These phones do solve the problem of interception of private phone calls, but only if both ends of the call use encryption; otherwise they may be easy to monitor.10 For the rest of us, there are some basic telephone choices we can make to avoid being eavesdropped on.
The move toward digital telephony has made surveillance easier, not harder. Today, if a tap is necessary on a digital phone line, it can be done remotely. The switching computer simply creates a second, parallel stream of data; no additional monitoring equipment is required. This also makes it much harder to determine whether a given line has been tapped. And in most cases such taps are only discovered by accident.
Shortly after Greece hosted the 2004 Summer Olympics, engineers at Vodafone-Panafon removed some rogue software that had been discovered to be running in the company’s cellular network for more than a year. In practice, law enforcement intercepts all voice and text data sent over any cellular network through a remote-controlled system called RES (remote-control equipment subsystem), the digital equivalent of an analog wiretap. When a subject under surveillance makes a mobile call, the RES creates a second data stream that feeds directly to a law enforcement officer.
The rogue software discovered in Greece tapped into Vodafone’s RES, meaning that someone other than a legitimate law enforcement officer was listening to conversations conducted over its cellular network; in this case, the wiretapper was interested in government officials. During the Olympics, some countries—such as the United States and Russia—provided their own private communications systems for state-level conversations. Other heads of state and business executives from around the world used the compromised Vodafone system.
An investigation showed that the communications of the Greek prime minister and his wife—as well as those of the mayor of Athens, the Greek European Union commissioner, and the ministries of national defense, foreign affairs, the mercantile marine, and justice—had been monitored during the Olympics. Other intercepted phones belonged to members of civil rights organizations, antiglobalization groups, the ruling New Democracy party, the Hellenic Navy general staff, as well as peace activists and a Greek-American employee at the United States embassy in Athens.11
The spying might have continued longer had Vodafone not called in the hardware vendor for its RES system, Ericsson, while investigating a separate complaint—that its text messages were suffering delivery failures at a higher than normal rate. After diagnosing the problem, Ericsson notified Vodafone that it had found rogue software.
Unfortunately, more than a decade afterward, we still don’t know who did this. Or why. Or even how common this activity might be. To make matters worse, Vodafone apparently mishandled the investigation.12 For one thing, key log files covering the event were missing. And instead of letting the rogue program run after discovery—a common practice in computer criminal investigations—Vodafone abruptly removed it from their system, which may have tipped off the perpetrators and allowed them to further cover their tracks.
The Vodafone case is an unsettling reminder of how vulnerable our cell phones are to interception. But there are ways you can still be invisible with a digital phone.
Besides cell phones and old-fashioned landlines, a third telephony option, as I mentioned earlier, is Voice over Internet Protocol (VoIP). VoIP is great for any wireless device that lacks a native means of making a phone call, e.g., an Apple iPod Touch; it’s more like surfing the Internet than making a classic phone call. Landlines require copper wire. Mobile phones use cell towers. VoIP is simply transmitting your voice over the Internet—either using wired or wireless Internet services. VoIP also works on mobile devices, such as laptops and tablets, whether or not they have cellular service.
To save money, many homes and offices have switched to the VoIP systems being offered by new service providers and existing cable companies. VoIP uses the same coaxial cable that brings streaming video and high-speed Internet into your home.
The good news is that VoIP phone systems do use encryption; specifically, something called session description protocol security descriptions, or SDES. The bad news is that on its own, SDES is not very secure.
Part of the problem with SDES is that the encryption key is protected only when it is shared over SSL/TLS (a network cryptographic protocol), which is secure. If the vendor doesn’t use SSL/TLS, the key is sent in the clear. Instead of asymmetric encryption, SDES uses symmetric encryption, which means that the key generated by the sender must somehow be passed to the recipient in order for the call to be unscrambled.
Let’s say Bob wants to make a call to Alice, who is in China. Bob’s SDES-encrypted VoIP phone generates a new key for that call. Somehow Bob has to get that new key to Alice so her VoIP equipment can decrypt his phone call and they can have a conversation. The solution SDES offers is to send the key to Bob’s carrier, which then passes it to Alice’s carrier, which then shares it with her.
Do you see the flaw? Remember what I said about end-to-end encryption in the previous chapter? The conversation stays secure until the recipient opens it at the other end. But SDES shares the key from Bob to Bob’s carrier and, if Alice’s carrier is different, the call is encrypted from Alice’s carrier to Alice. Whether the gap is significant is debatable. Something like this also happens with Skype and Google Voice. New keys are generated whenever a call is initialized, but those keys are then given over to Microsoft and Google. So much for wanting to have a private conversation.
Fortunately, there are ways to encrypt mobile VoIP from end to end.
Signal, an application from Open Whisper Systems, is a free, open-source VoIP system for mobile phones that provides true end-to-end encryption for both iPhone and Android.13
The main advantage of using Signal is that the key management is handled only between the calling parties, not through any third party. That means that, as in SDES, new keys are generated with each call; however, the only copies of the keys are stored on the users’ devices. Since CALEA allows access to any record of a specific call, law enforcement would in this case only see the encrypted traffic across the mobile carrier’s line, which would be unintelligible. And Open Whisper Systems, the nonprofit organization that makes Signal, does not have the keys, so a warrant would be useless. The keys exist only on the devices at either end of the call. And once the call ends, those session keys are destroyed.
Currently CALEA does not extend to end users or their devices.
You might think that having encryption on your cell phone would drain your battery. It does, but not by much. Signal uses push notifications, as do the apps WhatsApp and Telegram. Thus you only see a call when it is incoming, which cuts down on battery use while you’re listening for new calls. The Android and iOS apps also use audio codecs and buffer algorithms native to the mobile network, so again the encryption is not draining a lot of power while you’re making a call.
In addition to using end-to-end encryption, Signal also uses perfect forward secrecy (PFS). What is PFS? It’s a system that uses a slightly different encryption key for every call, so that even if someone does manage to get hold of your encrypted phone call and the key that was used to encrypt it, your other calls will remain secure. All PFS keys are based on a single original key, but the important thing is that if someone compromises one key, it doesn’t mean your potential adversary has access to your further communications.
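The Bob-and-Alice key handoff described above and the per-call keys Signal relies on, as an added simulation (not code from the book, from Signal, or from any VoIP vendor): in the SDES leg the SRTP key rides inside the SDP offer in RFC 4568’s a=crypto format, so every carrier relaying the signaling can read it; in the end-to-end leg each call runs a fresh ephemeral Diffie-Hellman exchange, so carriers relay only public values and a key recovered from one call says nothing about the next. The Diffie-Hellman group is a toy Mersenne-prime group, far too small for real use, and the Carrier class is a stand-in for the signaling path.

```python
"""Where the call key travels: SDES hands it to every relay on the signaling
path; an end-to-end exchange lets relays see only public values.  Added
example, not code from the book, Signal or any vendor.  Toy DH parameters."""
import base64
import hashlib
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2^127-1); far too small for real use.
P = 2**127 - 1
G = 5

class Carrier:
    """A relay on the signaling path that keeps a copy of everything it forwards,
    which is exactly what a lawful-intercept feed or a rogue insider would have."""
    def __init__(self, name):
        self.name, self.seen = name, []

    def relay(self, msg):
        self.seen.append(msg)
        return msg

def relay_through(carriers, msg):
    for c in carriers:
        msg = c.relay(msg)
    return msg

def sdes_call(carriers):
    """Caller picks the SRTP key and ships it inside the SDP offer (SDES).
    Returns (caller_key, key_as_decoded_by_callee)."""
    key_salt = secrets.token_bytes(30)          # 16-byte key + 14-byte salt
    sdp = ("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
           + base64.b64encode(key_salt).decode())
    received = relay_through(carriers, sdp)
    callee_key = base64.b64decode(received.split("inline:")[1])[:16]
    return key_salt[:16], callee_key

def key_from_signaling(msg):
    """What anyone holding the signaling can extract: the SDES key, or None."""
    if "a=crypto:" not in msg:
        return None
    return base64.b64decode(msg.split("inline:")[1])[:16]

def derive_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()[:16]

def e2e_call(carriers):
    """Ephemeral DH per call: carriers relay only g^a and g^b.
    Returns (caller_key, callee_key); both sides derive the same value."""
    a = secrets.randbelow(P - 2) + 1            # caller's ephemeral secret
    b = secrets.randbelow(P - 2) + 1            # callee's ephemeral secret
    ga = relay_through(carriers, f"dh-pub:{pow(G, a, P)}")
    gb = relay_through(carriers, f"dh-pub:{pow(G, b, P)}")
    shared_at_callee = pow(int(ga.split(":")[1]), b, P)
    shared_at_caller = pow(int(gb.split(":")[1]), a, P)
    # a and b die with this function: nothing retained can rebuild this key,
    # and the next call draws new secrets, which is what forward secrecy means.
    return derive_key(shared_at_caller), derive_key(shared_at_callee)

if __name__ == "__main__":
    path = [Carrier("Bob's carrier"), Carrier("Alice's carrier")]
    k, _ = sdes_call(path)
    print("SDES: carrier recovered key?",
          any(key_from_signaling(m) == k for m in path[0].seen))
    path = [Carrier("Bob's carrier"), Carrier("Alice's carrier")]
    k1, _ = e2e_call(path)
    k2, _ = e2e_call(path)
    print("E2E: carrier recovered key?",
          any(key_from_signaling(m) is not None for m in path[0].seen))
    print("E2E: two calls share a key?", k1 == k2)
```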