Forgot your password?
typodupeerror
Privacy Government The Courts News Technology

FBI Taps Cell Phone Microphones in Mafia Case 274

Posted by Zonk
from the lots-of-conversations-about-merchandise dept.
cnet-declan writes "We already knew the FBI can secretly listen in to car conversations by activating microphones of systems like OnStar. A new Mafia court case suggests that the FBI can do the same thing to cell phones. The judge's opinion and some background information [pdf] are available for reading online. The most disturbing thing? According to the judge, the bug worked even if the phone appeared to be 'powered off.' Anyone up for an open-source handset already?" From the article: "This week, Judge Kaplan in the southern district of New York concluded that the 'roving bugs' were legally permitted to capture hundreds of hours of conversations because the FBI had obtained a court order and alternatives probably wouldn't work. The FBI's 'applications made a sufficient case for electronic surveillance,' Kaplan wrote. 'They indicated that alternative methods of investigation either had failed or were unlikely to produce results, in part because the subjects deliberately avoided government surveillance.'"
This discussion has been archived. No new comments can be posted.

FBI Taps Cell Phone Microphones in Mafia Case

Comments Filter:
  • by ZDRuX (1010435) * on Saturday December 02, 2006 @07:32AM (#17079342)
    The fact that they are using a cellphone case as a carrier for the secondary microphone or that they somehow got a hold of the Mafia's cellphone without them knowing?!

    And an open-source cellphone will do you no good when the seperate mic runs straight off the battery inside the phone regardless if your phone is on or not. This is not much different then having the FBI tap your watch, cd-rom drive, or shaver... but I guess that would be pointless since you don't talk to any of those about your secrets right? ...do you?

    The real puzzle here is how they managed to swap the real phone with the one that was wired by the FBI, there must have been a mole. And since they got a court order to "monitor" the suspects, is it really that *alarming* that it worked even when the phone was off? Are there limitations as to when you can and cannot monitor dangerous suspects? For example when they sleep, or go to the bathroom, or between the hours of 9-5? Anybody know?
  • Re:The Solution (Score:3, Interesting)

    by rjdegraaf (712353) on Saturday December 02, 2006 @08:03AM (#17079450)
    ... or stick on one of those funny led-light-devices which lights up when the phone transmits data.
  • I must then ask (Score:4, Interesting)

    by the_REAL_sam (670858) on Saturday December 02, 2006 @08:09AM (#17079474) Journal

    Which phone manufacturers did NOT sell all of its customers out to the government? Perhaps there are specific model numbers that are not compromised? Or perhaps before a certain year?

    Anyhow...if I unplug the phone battery it's off for sure...right?

  • by femto (459605) on Saturday December 02, 2006 @08:40AM (#17079586) Homepage

    According to c/net it was the internal microphone [com.com]. They give some consideration to the possibility of a separate bug but conclude the weight of evidence points to the internal microphone being activated without the owner's knowledge.

    While I'm at it I'll repeat a comment I posted on Technocrat:

    Given that all mobile/cell phones are required to be locatable (its for your own safety remember?) and need to be accurately synchronised with a base station, what are the chances of forming a phased array using all microphones within a certain radius of a point? That way one could eavesdrop on a conversation well away from the nearest mobile phone.

    I would guess that there is no need for a super accurate location or time. Measure the two as close as possible then record all streams from mobiles in the area. Next feed the whole lot into a super computer and do a big cross correlation with sliding windows centred about the best guess at relative phase (based on the measured location and time).

    It is worth noting that the wavelength of the radio signals a mobile phone uses is comparable to the wavelength of the audio frequencies of the human voice. Thus in theory it is possible for a mobile phone base station to locate a mobile phone to within a fraction of an audio wavelength, exactly what is needed for a phased array.

  • by Anonymous Coward on Saturday December 02, 2006 @08:49AM (#17079628)
    NOT TRUE! LIES!

    Parent poster is lying and trying to coverup the shocking truth! (parent is a fed shill?)! Parent post did not cite section three PROPERLY of wiretap judge affidavit.p1.120106.pdf. Read it yourselves folks and spot the blatant parent post lie The FBI used the blanket method "OR OTHER MEANS" as clearly specified in the document. No modification to the cell phone was made AT ALL. No mods needed. (or feasable)

    There are actually a few secret goodies available to the feds in many modern cell phones.

    First... Sat based GPS is NOT required in most cells phones to silently get precise location, as per FCC device regulations and as per millions of dollars in levied and honored fines to lagging noncompliant cell providers.

    also part of underwraps subsections of ETSI LI spec framework for LI (Lawful Interception) hint at leveraging the E911 feature that makes a cell not be able to disconnect if a 911 operator toggles a cell phone into "stay online no matter what" mode. Heck, ive played with that mode once... had to rip out the battery! (no way to hang up). Technology was added to prevent poor signal drops during a 911 call, but then used to keep line open while victim is delirious or expiring. For docs, Just look for harvesting all spec docs starting with S3LI03 prefix on the net. Or hang around Cryptome or usual places.

    Regarding the gov tracking your movements in real time (if battery not removed from your non-GPS cell : 1996 the FCC defined a fancier "E911 Phase 2" for more precise ALI information to PSAPs using latitude and longitude information, and to identify a mobile caller's location within 125 meters (410 feet) 67% of the time to the PSAP. A PSAP is one of over 6,000 Public Safety Answering Points (PSAP), some route , some deal directly with initial public calls. FCC 97-402 CC Docket No. 94-102 rules (October 1, 1996). besides the 34-bit Mobile Identification Number (MIN), being sent in Phase I of E911, the 34 bit MIN accepted a "call back' even without a valid phone number, as the 1996 regulation also stipulates that CELL PHONES WITH NO CONTRACT OR DORMANT DEVICES MUST HAVE FREE ACCESS TO 911 service, no matter what. The tracking protocol is independant of billing accept/reject.

    To allow the cell to be detected within 410 feet WITHOUT GPS, cell phone towers use triangulation methods automated with cellular geolocation systems involving time difference of arrival (TDOA) and angle of arrival (AOA)

    As for REMOB mode of cell phone (remote observation) the details seem to be partially vender unique, but it is suspected that the table is trivially assigned via Mobile Identification Number (MIN) table lookup in REMOB snitch mode.

    PLEASE NOTE that the court documents allowing the voice tapping of the MAFIA suspect stated "OR OTHER MEANS". the "OR OTHER MEANS" is the non modified NON_ALTERRED original cell phone being merely set in a VOX mode for packet burst with simple threshold to sleep unless steady VOX activation, controlled partly by other terminal point. Otherwise battery of a modern cell will last only a few hours.

    I cannot believe all the fools in this thread that actually believe the FBI has ability to add devices INSIDE a modified cell phone. Yeah... like there's lots of empty space!!! The judges papers said OR OTHER MEANS and this other means is the REMOB mode. Similar to onstar silent snitch mode in Cadillacs.

    If you really want to panic... the FBI buys the RFID scans of all the points on NY turnpike that record car tire RFID that the TREAD act mandates to allow gov to uniquely track movements of all cars by untamperable chips in the tires... even at 90 miles and hour adn 12 feet away (though instead of overpasses for RFID car tires as in parts of I-75, reading coils UNDER the pavement are used, as with the RFID tire impressions collected at canadian border customs booths.

    sorry for all the lazy typos. I am very tired. an i know that factual anon posts stay +0 until the FBI shills squelch them to -1 rapidly with there grooming accounts they use here to stifle agitator insider posts like this one.
  • by SaberTaylor (150915) on Saturday December 02, 2006 @09:00AM (#17079662) Homepage Journal
    Maybe they just bought a commercial off the shelf (COTS) bugged phone, and surreptitiously replaced the phones after copying the user settings.

    These phones went the rounds of the blogs a while ago so I think they're real:
    http://www.spyphones.com/ [spyphones.com]

    Not to mention you can use a phone itself as a remote GPS tracker. See this link from cruel.com in August:
    http://forums.accutracking.com/viewtopic.php?t=494 &postdays=0&postorder=asc&start=0 [accutracking.com]
  • by jackalope (99754) on Saturday December 02, 2006 @09:10AM (#17079706)
    The FBI probably would not need physical access to the phone. They could just use the over-the-radio firmware upgrade feature many phone have to send the target phone some new firmware with the bug software integrated into it.

    Yes, the software has bugs, it is supposed to have bugs.
  • by Anonymous Coward on Saturday December 02, 2006 @09:52AM (#17079870)
    WRONG! The feds do in fact log all car tires that pass secret monitoring points on certain highways and have for many years since T.R.E.A.D. was enacted by law. License plates are transferrable and also not 100% discernable.

    It is a US felony to commercially import or sell auto tires that do not have a sanctioned spy chip RFID radio transpnders in them, with a unique GUID for every tire.

    A secret initiative exists to track all funnel-points on interstates and US borders for car tire ID transponders (RFID chips embedded in the tire).

    Your tires have a passive coil with 64 to 128 bit serial number emitter in them! (AIAG B-11 ADC v3.0) . A particular frequency energizes it enough so that a receiver can read its little ROM. A ROM which in essence is your GUID for your TIRE. Multiple tires do not confuse the readers. Its almost identical to all "FastPass" "SpeedPass" technologies you see on gasoline keychain dongles and commuter windshield sticker-chips. The US gov has secretly started using these chips to track people as far back as 2002.

    I am not making this up. Melt down a high end Firestone, or Bridgestone tire and go through the bits near the rim (sometimes at base of tread) and you will locate the transmitter (similar to 'grain of rice' pet ids and Mobile SpeedPass, but not as high tech as the tollbooth based units). Sokymat LOGI 160, and Sokymat LOGI 120 transponder buttons are just SOME of the transponders found in modern high end car tires. The AIAG B-11 Tire tracking standard is now implemented for all 3rd party transponder manufactures [covered below].

    The US Customs service uses it in Canada to detect people who swap license plates on cars when doing a transport of contraband on a mule vehicle that normally has not logged enough hours across the border.

    Photos of untamperable tracking chips before molded deep into tires! :
    http://www.sokymat.com/index.php?id=94 [sokymat.com]

    the first subcontracter secretly hired for providing gear for bulk logging of tire RFID on highways in 2002 was :
    http://web.archive.org/web/20021014102238/telemati cs-wireless.com/divisions.html [archive.org]

    ALL USA cars can be radio tracked using the tires. Refer to tire standard AIAG B-11 ADC, (B-11 is coincidentally Post Sept 11 fastrack initiative by US Gov to speed up tire chip standardization to one read-back standard for highway usage).

    The AIAG is "The Automotive Industry Action Group"

    The non proprietary (non-sokymat controlled) standard is the AIAG B-11 standard is the "Tire Label and Radio Frequency Identification" standard

    "ADC" stands for "Automatic Data Collection"

    The "AIDCW" is the US gov manipulated "Automatic Identification Data Collection Work Group"

    The standard was started and finished rapidly in less than a year as a direct consequence of the Sep 11 attacks by Saudi nationals.

    All tire manufacturers were forced to comply AIAG B-11 3.0 Radio Tire tracking standard by the 2004 model year.

    (B-11: Tire & Wheel Label & Radio Frequency ID(RFID) Standard)

    http://mows.aiag.org/source/Orders/index.cfm?task= 3&CATEGORY=AUTOIDBC&PRODUCT_TYPE=SALES&SKU=B-11 [aiag.org]

    (use google cache to glance at that link if you are a hacker, all access to that page is watched by the feds, as are orders.)

    A huge (28 megabyte compressed zip) video of a tire being scanned remotely was at http://mows.aiag.org/ScriptContent/videos/ [aiag.org] (the file is "video Aiagb-11.zip").
    THAT LINK was still valid as recently as Feb 2004, long after my 2002 ignored warnings on slashdot. But in July 2004 died after feds saw my origianl warnings regarding T.R.E.A.D. act (RFID citizen tracking)
  • Easy countermeasure (Score:5, Interesting)

    by uglyduckling (103926) on Saturday December 02, 2006 @10:00AM (#17079906) Homepage
    There's an easy countermeasure to this. The method described is effectively causing the phone to make a call without the GUI showing that a call is being made. You can get very cheap toys that detect the microwave signal when the phone is making a call and light up - some are in the form of a novelty hand or other cradle that the phone sits in. I've found with mine that is will blink every so often as the phone syncs up with the nearest cell. If a call is being made it blinks all the time. So just carry one of these, and if you see it blinking constantly, somebody within 30cm or so is making a call. Take the battery out of your cellphone and see if it stops - if it does, you've been bugged.
  • by takeya (825259) * on Saturday December 02, 2006 @10:01AM (#17079914) Journal
    No Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Sounds like the judge should be impeached, because my constitution doesnt make any exemptions.
  • by ronanbear (924575) on Saturday December 02, 2006 @10:10AM (#17079948)
    The Irish networks are GSM and it's reasonably well known that the networks can turn on and control phones with the signature of a sufficiently senior police officer.

    I'm actually surprised more people here hadn't heard about it.
  • by Anonymous Coward on Saturday December 02, 2006 @10:12AM (#17079954)
    Given that all mobile/cell phones are required to be locatable (its for your own safety remember?) and need to be accurately synchronised with a base station, what are the chances of forming a phased array using all microphones within a certain radius of a point?

    I work with sonar systems, not cell phones, so I don't know how accurately you can timestamp the data stream from a cell, or how accurate the position location information is. However, given the speed of sound in air (333 m/s) and band of interest (200-4000 Hz), I can say you would need position accuracy within a few centimeters and timing accuracy better than tens of microseconds.

    That said, if you had a hell of a lot of processing power, you could tap all the cell phones in an area and use a process called bicorrelation (or maybe even tricorrelation) to try to dig out individual voices, without having to know exactly where the phones are, or having them synchronized. It's just an O((n log n)^2) = O(n^3) algorithm or so.

    All that said, I've been told that if you have the cell phone's serial number, you can remotely command it to switch on the microphone, and record the audio stream coming back from it, if you control the local cell network. The phone may indicate that it is switched on, and you can probably turn it off, but you have to notice it. The phone won't ring or vibrate if you turn the microphone on remotely.
  • by aussersterne (212916) on Saturday December 02, 2006 @10:54AM (#17080140) Homepage
    I'm not surprised that someone is shocked by this, but what I don't get is how Slashdotters are shocked by this? I mean? This is a technical site, right?

    Listen: you have an embedded device that in its normal state is always on-network on a packet network. It has a limited range of connectivity, but this limitation is mitigated by having a large number of serialized access points that are geographically situated so as to make connectivity seamless. The embedded devices are reasonably computationally powerful (much moreso than PCs of a few years ago) and have a digital or soft-user-interface (including the power circuitry, which is not a physical full-throw SPST that connects or disconnects power, but is rather an input that runs through the embedded software). The software itself is secured and controlled by the network administration, and software and content can be "push" downloaded to the devices by the network.

    From this description, all of the following seem technically obvious:

    1 - You have no control over the software in your phone; the vendors and networks do.

    2 - Since said software controls the power interface and user interface, you have no control over (or reason to trust as being consistent with your expectations) these interfaces either.

    3 - Your phone could thus be easily set by the network to be "always on" without having any such indications in the user interface. The user interface could continue to give the appearance that you are controlling such functions as power and connectivity when in fact the phone is doing everything opposite from what you believe it is doing. There is no technical reason why a phone can't show "no signal" when it has "full signal" or a blank screen when the rest of it is still live, or that it is not transmitting or engaged in a call when actually it is transmitting.

    4 - While on-network (and as we've already established, you as a mere user have no way of knowing with real certainty whether it is on network or off network, you have only your trust in the consistency with your expectations of the embedded software) it is a simple matter to observe at any moment to which access point a given user is connected. In fact, you should know that this is recorded already, or how should they know when you are "roaming" and when you are not. The side effect of this information's recording is that (even if we assume they don't automate triangulation with tower handoffs/multiple towers, which is a silly assumption) it is always known to within a few hundred feet exactly where a given phone is, since the network can clearly see to which tower it is connected.

    ---
    ---

    I mean... duh.

    A cell phone is a bug. Period. Anyone who doesn't get this has clearly not been paying attention. There is absolutely no technical reason (and in some cases it's technically unavoidable) why your cell phone isn't right now:

    - Reporting your position to the network, and thus, to anyone who has access to the network's database (e.g. government)

    - Altered by software "pushes" from the network to seem off when it's still on, or to transmit whatever the mic pics up anytime you happen to be in a certain part of town between the hours of 7pm-10pm, or to transmit whatever the mic pics up for the 10 minutes after you call some specific number

    - Sending your complete contacts list and recent and missed calls lists to the network provider (e.g. government)

    I mean, come on, people. Technically this isn't even a question. Whether this actually happens or not is just a matter of policy ("Do we want to track location and bug people?") on the part of networks and the government, certainly not a matter of technology ("Can the equipment do it?")

    Of course the equipment can do it.

    ---
    ---

    Thought experiment for the dubious.

    Imagine that you have been assigned by work to carry a laptop with you at all times. This "GovCorp" laptop has a solid-state hard drive so that you can't tell if it's
  • by TheCarp (96830) * <sjc&carpanet,net> on Saturday December 02, 2006 @11:31AM (#17080318) Homepage
    maybe, maybe not.

    Sure you can buy the tires in cash and put them on with no paper trail to tie them back to you. However, how hard would that be to correlate?

    As soon as you go through a toll booth or a detector with a camera nearby, it would be trivial to tie your tire IDs to your cars License plate. In fact, they wouldn't even need to do it en mass. All they need to do is store the data.

    Then when they have an ID to look for, they can go back and see when they saw it previously, or where it has been since.

    Once you have detectors in place, it becomes a data mining issue. Put some of them at toll booths, where they already have cameras, and hell, with speed pass, they should be able to correlate your tires with your car the first time you use your speed pass.

    -Steve
  • by Dun Malg (230075) on Saturday December 02, 2006 @11:35AM (#17080344) Homepage

    Actually, all new cell phones in the US are required to have internal GPS receivers so they can be located when dialing 911.
    A nice idea in theory, but in practice it's largely useless. The nature of GPS is such that the receiver needs to have a fairly unobstructed view of a large sector of sky for a goodly amount of time in order to calculate position. It works passably well when someone's outdoors, not under any cover (including trees), and holding the phone up to their head. When the phone in your pocket, on your belt in a case, indoors, or in the car, GPS is not going to work.
  • by Anonymous Coward on Saturday December 02, 2006 @12:16PM (#17080710)
    Ok, so I just pulled up the text of the TREAD Act and I do not see any mention of RFID or any other on-the-move uniquely identifiable law-mandated technology. Perhaps I am missing something. Anyway... Heres a link to the act http://thomas.loc.gov/cgi-bin/query/D?c106:5:./tem p/~c106P3ZfKY [loc.gov]:: .
  • by ericartman (955413) on Saturday December 02, 2006 @12:17PM (#17080716)
    Yeah OK the whole thing sounded pretty crazy to me but I just went down to put tires on my car at the local Wheel Center. The dealer wanted my name address and phone number even though I was paying cash, " For the Warranty". "Leaving the state" I said so there was no need. So after placing all 4 tires in back of my car, I told him I was getting them mounted somewhere else as I have Mag wheels and could get them mounted free. Again out came the paperwork and the dealer asked me if I was sure that this was the car that the tires were going on, I said yes and the dealer proceeded to try and write down the VIN number of the car. I asked why and he said , since the Firestone fiasco it was the store policy to write down the number of the car and send it to corporate. I then asked him if there was anyway I could just buy tires and leave. Never came up before he said and then yes he let me leave without id but how do I know if he wrote down my license plate or not or got the vin? Paranoid? Yup but I used to sell tire and we never had any restrictions on sale. The guy today sure didn't seem happy not knowing where his tires were going. Then I came home and read this about tracing tires. Now all the dealers responses seemed reasonable but......?
  • by Junta (36770) on Saturday December 02, 2006 @01:25PM (#17081310)
    That's why it isn't by and large traditional old GPS, it's aGPS [wikipedia.org]. That's why they also can quickly get location lock instead of taking some time. And yes, I believe for E911 operation phones are required to implement some sort of way to give precise location, such as aGPS.
  • by KWTm (808824) on Saturday December 02, 2006 @02:36PM (#17081838) Journal
    Please quit trying to coverup the shocking truth with lies denying these truths. When I claimed the feds have databases of car movement on certain highway chokepoints (I-75 for example) that use soley tire RFID, I am not making it up.

    But now expect me to end up with an inexplicable poisoning death/suicide for taking the time to point out these facts.

    I was also the one to point out the forensic yellow dots in us printer firmware 5 years before the press learned about it.

    I also exposed gasoline taggants first. (The gas taggants, NOT CAR TIRE TREADS, were used to back trace the purchase of the fuel used in the many georgia arsons a year back to catch the prankster-arsonists) The fbi falsely claimed tire tread and good hard work caught the arsonists... it was the chemical taggant forsed into all gasoline batches by secret federal laws. (a binary number based on trace non-volatile chemicals, semi unique per gas station delivery).


    I don't know if what you claim is true or not. It sounds credible.
    For these and other statements posted as AC, it would be useful to establish a GPG-verifiable identity. I think this should go for all "whistleblower" type AC posts. That way someone else can't log in as AC and muddle the claim with some post like "Just kidding! I was messing with your mind!" or something.

    The posting would need to be in plain text, with pre-defined line breaks (or else the GPG-signature wouldn't verify). It's a bit of a hassle --I tried to post with a GPG signature, but I couldn't let Slashdot wrap my lines for me. Hmm --oh, well.
  • by crucini (98210) on Saturday December 02, 2006 @04:10PM (#17082716)
    I don't really see how that's possible. When the handset is on-hook, the microphone is disconnected. This is a requirement for BABT compliance.

    1. Unless you disassemble and inspect the phone every time you enter the space, you have no idea what's inside. (And even then, if your adversary has sufficient resources). There are lots of ways to modify a phone for remote monitoring - search for "hook switch bypass". In this scenario, if the officers executed a search warrant earlier, they could have modified or substituted the phone.
    2. Since at least the 70s, intelligence agencies have been eavesdropping via light bulbs, flourescent light ballasts, phones, and other electrical equipment. The eavesdropper sends a high-powered RF carrier down the wire, and the equipment modulates the carrier in response to voice pressure. I haven't heard of this technology being used by law enforcement.
  • by Anonymous Coward on Saturday December 02, 2006 @05:10PM (#17083284)
    I have seen a demonstration where a $250k piece of kit from BAE could be used to turn on the microphone of any CDMA or GSM phone. The owner would not be aware that the microphone was on but the phone did have to be on (so that it could recieve the "off hook" command). I was assured that no hackery was involved so the phones must have been designed with this feature. I have no idea why phones would have this feature.
  • Re:In Soviet Russia (Score:1, Interesting)

    by Anonymous Coward on Saturday December 02, 2006 @05:41PM (#17083556)
    The analog POTS system fully disconnects the microphone and speaker when on hook, as per design standards going back to the 1870's

    I think it is very clear that very intelligent people knew that allowing phones to be used in the way described in this article is an unacceptable abridgment of privacy. I do no think it is any coincidence that the judge who ruled in this case in favor of the surreptitious "roving" (i.e., non-specific) surveillance is none other than Judge Lewis Kaplan of anti-DeCSS fame. [cryptome.org] It sucks when a Federal judge neither believes in Free Speech nor in basic privacy.
  • by crucini (98210) on Sunday December 03, 2006 @04:53AM (#17087594)
    I got my info from a book by a KGB defector - can't remember his name. He worked on COMSEC for Russia. Didn't provide any technical details (voltages, frequencies, etc.). But the book has lots of interesting stories.
    An eastern-block agency was spying on a Russian agency with this method. They parked a car underneath the building's overhead power line, and extended a thin wooden pole that nearly touched the power line.
    Also, when the US opened a new embassy in Moscow, the joke was that the flowers would always wilt immediately (due to massive RF power levels).
    Soviet cipher clerks in embassies around the world frequently got leukemia, because they spent hours in a small metal box with an RF jammer as powerful as a TV station.

    Searching for 'rf flooding' or 'frequency flooding' gets some related hits, but nothing good.

    Sorry I don't have anything more concrete.

Some people carve careers, others chisel them.

Working...