Understanding Cellular Telephone Security and Privacy
© 2007, Simson L. Garfinkel
This guide summarizes all cellular telephone security and
privacy issues that I am aware of. If you know of issues that are not on this
list, please let me know.
Kinds of Cell Phones
There are many different kinds of cell phones, each with a
different security profile. Before you can understand the security of your cell
phone, you need to know what kind of cell phone you have.
Analog Cell Phones, also called AMPS (Advanced Mobile Phone
System). These were the first cellular telephones. Developed in the 1970s and
deployed in the 1980s and still used today. These phones transmit voice as an
analog signal without any encryption of scrambling. As a result, they can be
eavesdropped upon using handheld scanners sold at places like Radio Shack. Analog systems are widely deployed
throughout the US,
especially in rural areas. Although analog cell phones are still sold but not a
good deal, as analog providers generally charge a lot of money, the phones do
not have good battery life, and the sound quality is generally poor. The big
advantage of analog cell phones is that they have the best nation-wide
coverage, but that’s changing fast. If you have an analog cell phone, you probably
want to get a new one. (Note: many “dual-mode” digital phones support have
analog for roaming in remote areas; roaming fees are sometimes included in a
one’s monthly plan, but other times they are extra.)
GSM (Global System Mobile, recently renamed Global
System for Mobile Communications) is the cell phone system used by most of the
world, and increasingly by carriers in the United
States. GSM phones usually have a “chip” in
them that contains your account number and other information. GSM phones use
digital, encrypted communication between your phone and the cellular telephone
base station. At the base station your voice is decrypted and sent over the
telephone network. Like all digital systems, GSM phones provide substantially
more voice privacy than analog systems, but they can still be eavesdropped upon
by either the cellular telephone company, the government, or any organization
that has access to the telephone network’s switching equipment. The GSM
encryption algorithm (called A5) can also be cracked by a suitably motivated
TDMA (Time Division Multiple Access) is the digital
telephone standard that was deployed by AT&T in the 1990s. AT&T’s
telephones had a “voice privacy” or “voice security” setting which enables
encryption. Unfortunately, if your turned this feature on, your phone won’t
work with AT&T’s network, because AT&T never enabled the encryption
feature in their base stations. As a result, TDMA phones can be eavesdropped
upon using a some kinds of digital scanners and “soft radios.” In practice,
this equipment is not generally available. AT&T is migrating its network to
GSM; if you buy an AT&T phone today, you’re running GSM.
CDMA (Code Division Multiple Access) is the digital
telephone standard that was developed by Qualcomm and deployed by Sprint PCS
and by Verizon. CDMA used RC4 encryption but the protocol doesn’t keep the keys
secret, so in practice CDMA communications can be eavesdropped by a motivated
attacker. In practice, though, it’s must easier to wiretap a CDMA telephone on
the provider’s network. Today CDMA is used by the Sprint part of
Sprint/Nextel and by Verizon.
iDEN (Integrated Digital Enhanced Network) is a
technology developed by Motorola for multiplexing fleet radio systems in the
1980s. This technology was adopted by Fleet Call which renamed itself Nextel.
Besides providing digital telephone communications, iDEN has a “push-to-talk”
feature that allows the units to be used as if they were a walkie-talkie. It’s used by the Nextel part of the
Privacy Risks with Cell Phones
There are many privacy risks inherent in using cell phone
Eavesdropping. The primary risk that
privacy activists focus on is eavesdropping --- that is, someone being able to
“listen in” on the phone call without the knowledge of those on the line. There
are many locations that an attacker can eavesdrop on a cellular telephone phone
- Loud people. Many people speak loudly when they are on a
cell phone. It is not uncommon to hear people conducting business and
discussing extremely confidential materials in restaurants, on trains, or
on the street. These individuals have a significant risk of being
- Environmental microphones. Your telephone call can be monitored by
someone who places a microphone in your room.
- Intercepting the wireless link. The wireless link between the phone and the
cell can be monitored by a third party. Digital links are less susceptible
to interception than analog links; encrypted links offer better security
- Interception at the cell site.
The cell sites provide an ideal location for monitoring the
communications of all individuals who are using it.
- Interception at the telephone switch. Cell sites of a provider are connected by
leased-lines to a telephone switch.
Law enforcement agencies typically place court-ordered wiretaps at
- Interception on the leased-lines. The leased lines that connect base stations to
the telephone switches can be monitored as well. These “lines” can be
physical wires, channels of a fiber optic cable, channels of a microwave
link, or even virtual circuits within an ATM network. Indeed, a typical
“leased-line” will often travel through multiple different transport
layers as it travels from the cell site to the telephone switch: each of
these locations provides an opportunity for monitoring.
Risks of Recording. In addition to these locations, there are other ways
that an attacker might be able to record a cellular telephone conversation:
- Answering machines. It is not uncommon for telephone conversations
to be inadvertently recorded by answering machines. This risk applies to
both wired telephones and to wireless ones.
- Handset voice recorders. As the memory in cell phones increases, it is
expected that cellular telephones themselves will increasingly be equipped
with the capability to record “voice memos” or to record even record
entire telephone conversations.
Traffic Analysis. Even if the conversation itself is not recorded,
other confidential information can be disclosed, including:
- Call detail information. Cell phone providers typically record the time, date, duration, calling number,
called number, and location of the cell phone for every phone call placed on their network.
Some (but not all) of this information is presented to subscribers on
their telephone bill. Both the records in provider’s computers and the
printed (or downloaded) bill could disclose a caller’s relationship or
location without their knowledge.
- Call history. Cell phones will record call detail information
and store this information in the phone itself as a “history” of recently
placed, received, or unanswered calls. This information can be disclosed
to anyone who is holding a telephone.
- Phone book. Just as the call history can contain confidential information, so
can a telephone’s phone book.
order to function properly, the telephone network needs to know where the phone
is located. It’s been widely reported that some telephone providers keep this
location information on file for extended periods of time. This information can
be made available to the police or other organizations under certain circumstances.
As a result of the US E911
regulations, many phones sold in the US are now also equipped with a
Global Positioning System receiver. This makes it even easier for the
provider to establish the cell phone’s position.
- Tracking. If you don’t want your positioned tracked, turn
off your cell phone!
Some phones allow themselves to be locked. If locked, both
the phone’s call history and the phone book cannot be accessed unless the phone
is unlocked. Be aware, however: all phones have “administrative codes” that
allow them to be unlocked in the event that the subscriber forgets the password
they used to lock the phone.
Other Cell Phone Security Risks
Cell phones have additional security risks because they are,
fundamentally, general purpose computers.
code. Many of today’s cell phones
allow code to be download and run. The code can be downloaded by the phone’s
user or it can be “pushed” by the provider. This code could change the
behavior of the cell phone. For example, it has been widely reported in England that
the police have downloaded “wiretapping” code to certain cell phones. This
code turns on the microphone whenever the police want, allowing them to
use the phone to bug a room. The only way to protect yourself against this
kind of threat is to remove the battery.
- Recovery of deleted messages. Just like any other computer system, phones
do a poor job of actually overwriting the data when a user tries to delete
a message. In practice, this means that SMS messages, call logs, and even
the list of cell towers that your phone has touched can be retrieved by a
- Targeting of Missiles. Cell Phones emit radiation. This radiation can
be used for targeting weapons. HARM (High-Speed Anti-Radiation) missiles,
in particular, can use the radiation emitted from a cell phone as a homing
Cell Phone Financial Risks
your phone is stolen and you do not report the theft, you may be liable
for calls that are made with the stolen phone.
you use an analog phone, your phone’s Mobile Serial Number (MSN) can be
“cloned,” allowing someone to make phone calls on your account as if they
were using your phone.
can be roaming on another provider’s network without your knowledge. In
this case, you may incur a bill of hundreds or thousands of dollars and be
responsible for paying it.
you have a GSM phone, someone can steal your chip without your knowledge.
Your phone will no longer work, but you may not notice this for several
hours. In the meantime, the thief can make phone calls on your account
without your permission. The thief can also intercept calls that are destined
for you—or just look at the caller ID to see who is calling.