Understanding Cellular Telephone Security and Privacy

© 2007, Simson L. Garfinkel

This guide summarizes all cellular telephone security and privacy issues that I am aware of. If you know of issues that are not on this list, please let me know. 

Kinds of Cell Phones

There are many different kinds of cell phones, each with a different security profile. Before you can understand the security of your cell phone, you need to know what kind of cell phone you have.

Analog Cell Phones, also called AMPS (Advanced Mobile Phone System). These were the first cellular telephones: developed in the 1970s, deployed in the 1980s, and still used today. These phones transmit voice as an analog signal without any encryption or scrambling. As a result, they can be eavesdropped upon using handheld scanners sold at places like Radio Shack. Analog systems are widely deployed throughout the US, especially in rural areas. Analog cell phones are still sold, but they are not a good deal: analog providers generally charge a lot of money, the phones do not have good battery life, and the sound quality is generally poor. The big advantage of analog cell phones is that they have the best nation-wide coverage, but that’s changing fast. If you have an analog cell phone, you probably want to get a new one. (Note: many “dual-mode” digital phones support analog for roaming in remote areas; roaming fees are sometimes included in one’s monthly plan, but other times they are extra.)

GSM (Global System Mobile, recently renamed Global System for Mobile Communications) is the cell phone system used by most of the world, and increasingly by carriers in the United States. GSM phones usually have a “chip” in them that contains your account number and other information. GSM phones use digital, encrypted communication between your phone and the cellular telephone base station. At the base station your voice is decrypted and sent over the telephone network in the clear. Like all digital systems, GSM phones provide substantially more voice privacy than analog systems, but they can still be eavesdropped upon by the cellular telephone company, the government, or any organization that has access to the telephone network’s switching equipment. The GSM encryption algorithm (called A5) can also be cracked by a suitably motivated attacker.

TDMA (Time Division Multiple Access) is the digital telephone standard that was deployed by AT&T in the 1990s. AT&T’s telephones had a “voice privacy” or “voice security” setting which enables encryption. Unfortunately, if you turned this feature on, your phone wouldn’t work with AT&T’s network, because AT&T never enabled the encryption feature in its base stations. As a result, TDMA phones can be eavesdropped upon using some kinds of digital scanners and “soft radios.” In practice, this equipment is not generally available. AT&T is migrating its network to GSM; if you buy an AT&T phone today, you’re running GSM.

CDMA (Code Division Multiple Access) is the digital telephone standard that was developed by Qualcomm and deployed by Sprint PCS and by Verizon. CDMA used RC4 encryption, but the protocol doesn’t keep the keys secret, so CDMA communications can be eavesdropped upon by a motivated attacker. In practice, though, it’s much easier to wiretap a CDMA telephone on the provider’s network. Today CDMA is used by the Sprint part of Sprint/Nextel and by Verizon.

iDEN (Integrated Digital Enhanced Network) is a technology developed by Motorola for multiplexing fleet radio systems in the 1980s. This technology was adopted by Fleet Call, which renamed itself Nextel. Besides providing digital telephone communications, iDEN has a “push-to-talk” feature that allows the units to be used as if they were walkie-talkies. It’s used by the Nextel part of the Sprint/Nextel network.

Privacy Risks with Cell Phones

There are many privacy risks inherent in using cell phone technology.

Risks of Eavesdropping. The primary risk that privacy activists focus on is eavesdropping, that is, someone being able to “listen in” on the phone call without the knowledge of those on the line. There are many locations at which an attacker can eavesdrop on a cellular telephone call:

Risks of Recording. In addition to these locations, there are other ways that an attacker might be able to record a cellular telephone conversation:

Traffic Analysis. Even if the conversation itself is not recorded, other confidential information can be disclosed, including:

Geolocation. In order to function properly, the telephone network needs to know where the phone is located. It’s been widely reported that some telephone providers keep this location information on file for extended periods of time. This information can be made available to the police or other organizations under certain circumstances.

Some phones allow themselves to be locked. When a phone is locked, neither its call history nor its phone book can be accessed until it is unlocked. Be aware, however, that all phones have “administrative codes” that allow them to be unlocked in the event that the subscriber forgets the password used to lock the phone.

Other Cell Phone Security Risks

Cell phones have additional security risks because they are, fundamentally, general purpose computers.

Cell Phone Financial Risks