Legal Spying Via the Cell Phone System
An anonymous reader writes "Two researchers say they have found a way to exploit weaknesses in the mobile telecom system to legally spy on people by figuring out the private cell phone number of anyone they want, tracking their whereabouts, and listening to their voice mail."
Obligatory (Score:1)
You missed something (Score:1, Informative)
In Soviet Russia, phone calls you!
You missed a small detail. It's supposed to be funny, too.
remove battery? (Score:1)
Re: (Score:2)
I believe that is true.
I've had a cell phone "turned off" for about a month one time to find the battery completely drained. Some activity must be going on. Just my personal experience. You don't have to buy my FUD though.
Re: (Score:2)
I had a Motorola mobile phone that drained faster while off than it did while on. It could just be poor design or corrosion.
Re:remove battery? (Score:5, Informative)
Or maybe batteries just have a tendency to run dead when not in use due to self-discharge [wikipedia.org]. Now get off my tech site.
Re: (Score:2)
He may not have been right about suspecting being spied on because of battery discharge, but the government can in fact remotely activate some cell phones and eavesdrop on nearby conversations with them:
FBI taps cell phone mic as eavesdropping tool [cnet.com]
Re: (Score:1, Funny)
Dude, it gets worse, I saw this documentary where this rich guy used all the cell phones in a city to listen to the whole city. It got so bad his friend was, like, mad at him and everything. I think the police were in on it cause they had this light thing that signaled him when they wanted him to work for them or something.~
Read your own link smartass (Score:2)
The worst case mentioned on that page was 30% discharge per month.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re:remove battery? (Score:5, Informative)
I once worked in a secured facility (DOE lab) where security briefings included being told that one of the reasons cellphones are not allowed is that they can be remotely tracked, accessed, and the microphones can be activated--even when the phone is off.
Whether it's true or not, at a minimum, the people involved in setting security protocols for the DOE certainly think it is.
Re: (Score:2)
There is no question that all of those things can be done.
Re: (Score:2)
It is technically possible to manufacture a phone to do these things, but phones are not normally capable of doing this. Perhaps they were concerned about people bringing in fake phones, or phones that were tampered with or otherwise designed to pretend that they were off? Or maybe they've heard all of the urban legends and, being a "government" facility, they adopt security practices that assume even urban legends are true? Isn't there a phone OS out there that's open source?
Re: (Score:2)
Re: (Score:2)
no, it's a bunch of crap. All phones have a battery-less location feature but it's only turned on if you dial 911. Otherwise, having the battery in your phone or not doesn't affect whether or not you can be tracked.
Batteries will naturally dissipate on their own, usually to the tune of 3-30% per day depending on the capacity of the battery. Higher %age on smaller batteries. Have you never heard of that?
Re: (Score:2)
> no, it's a bunch of crap. All phones have a battery-less location feature but it's only turned on if you dial 911. Otherwise, having the battery in your phone or not doesn't affect whether or not you can be tracked.
I think you mean service-less emergency dial feature. Battery-less the phone isn't going to dial anything.
Re: (Score:1, Interesting)
If it's off for the purposes of an airline, (that is, radio off in order to prevent interference), then it's off for the purposes of this, since it depends on the phone communicating with the cell tower.
Re: (Score:2)
It's theoretically possible since it's a soft power-off. Hypothetically, the phone could still be operating while giving the appearance of being turned off. By the same token, it could be taking pictures and transmitting audio even when you're not on a call and not using the camera, or even when "off". Whether this is ever actually done, I don't know.
Re: (Score:2)
I have been demonstrated exploit code for the n900 which does that. Haven't heard of it in the wild, though...
Re: (Score:1)
Re: (Score:1)
Re: (Score:2, Funny)
Re: (Score:2)
Is the hamster named Faraday?
Re: (Score:2)
Why not just live in one [youtube.com] (1:03 in)
Re: (Score:2)
My house has aluminum siding, and I assure you, it works. I get four bars outside the house, but had to purchase a repeater to get signal inside, or all of my cell phone use at home would have to be while standing next to a window that faces a cell tower.
Re: (Score:1)
Re: (Score:2)
Any decent operation could set up a small shell script to take geographic coordinates from their whole customer base and keep them in a database by number/subscriber/account as an index. With a decent warrant they could also use the remote activation features of most phones to gather this data discreetly.
Once that information is in a DB those PIs can just look it up if they have the right access/connections.
24 isn't a fantasy, it is the NSA showing off last year's technology
Re: (Score:1)
I have an iPhone you iNsensitive clod.
It's not a weakness, it's a feature....for iSpy, inc.
Uhm, bad headline. (Score:5, Insightful)
Re: (Score:1)
Just because it's possible doesn't make it legal.
With good enough lawyers, everything is legal.
Re: (Score:1)
It's only illegal if you get caught.
it's not the headline that's bad. (Score:5, Interesting)
With the ability to read the constitution - and reason above a third grade level - it is 100% clear that spying on a US citizen's communications without probable cause AND a warrant is not an authorized power for the US government or a US state. It is also doubtful that there exists, or can exist with constitution as currently constructed, a justification for a private citizen exercising such a power.
Re: (Score:2)
> With the ability to read the constitution - and reason above a third grade level - it is 100% clear that spying on a US citizen's communications without probable cause AND a warrant is not an authorized power for the US government or a US state. It is also doubtful that there exists, or can exist with constitution as currently constructed, a justification for a private citizen exercising such a power.
The Constitution's prohibitions against search and seizure do not apply to private citizens at all. There a
Re: (Score:2)
I said justification. Not law. Not the same thing at all. It is 100% clear that the constitution was intended to make the feds recognize, and obey, the existence of certain bounds of privacy [fyngyrz.com] that already existed in our society, which private citizens are already expected to comply with.
Please. (Score:2)
Arrogant? No. I'm entitled to an opinion, and to state that opinion. As a citizen, there is no requirement that I keep said opinion(s) to myself. You, on the other hand, are absolutely entitled to counter it. By all means, do so. Every mistake of mine I can correct improves me, and I'm all for that. Calling names, however, gets you nowhere. Try not to worry about my willingness to state my position, and instead, look at the actual position, and if you have a counter, let fly.
Also, I am bound to point out
Re: (Score:3, Informative)
You started out so well...
> With the ability to read the constitution - and reason above a third grade level - it is 100% clear that spying on a US citizen's communications without probable cause AND a warrant is not an authorized power for the US government or a US state.
But then you had to go and ruin it:
> It is also doubtful that there exists, or can exist with constitution as currently constructed, a justification for a private citizen exercising such a power.
The Constitution does not apply to private citizens. It is a document which enumerates the powers granted (or explicitly withheld from) the federal government and the states. It may be argued (though I would disagree) that the Constitution permits the federal government to prohibit private citizens from sending or receiving the radio signals required to eavesdrop on the cell phone system. If so, this would be in the domain of the FCC. However, not
Re: (Score:2)
I didn't ruin anything. I said justification. Not law. See this essay on privacy [fyngyrz.com]. The constitution codifies social rules for privacy in order to limit the authorized powers of the feds. Those rules already existed and they were, and are, quite obvious to anyone in our society that isn't brain damaged or so socially inept they must be kept under supervision.
Re: (Score:2)
> Those rules already existed and they were, and are, quite obvious to anyone in our society that isn't brain damaged or so socially inept they must be kept under supervision.
I'm so glad that you decided to keep this thread civil...
> The constitution codifies social rules for privacy in order to limit the authorized powers of the feds.
Only because the feds are granted powers private citizens don't have. To limit abuses of these powers they are required to get a court to sign off on violating the property rights of others before they can legally mandate that others grant them access to their private property for search or seizure—something which private citizens are not permitted to do under any circumstances. This has nothing to do with "social rules for privacy".
In the co
Re: (Score:2)
It has everything to do with them. It has been well understood for centuries that privacy was important; the 4th (and to some extent the 3rd) amendment is specifically a mechanism intended to restrain the government from violating privacy unless it has good and sufficient reason, reason it is required to show in order to pursue such a violation. "persons, houses, papers, and effects" precisely define the domain, as of the time of writing, where pri
Re: (Score:2)
Of course, US presidents have been wiping their asses with the Constitution for 10 (30? 100?) years now, so...yeah.
Re: (Score:2)
George Bush Jr. caused a US citizen to be incarcerated (very) long term without recourse to a lawyer or even a phone call, and he hasn't been charged with any wrongdoing either, or impeached, as would have been entirely appropriate for the gross violation of his oath. So what's your point? That application of justice under the constitution and the law is imperfect? I think we all know that already. The po
Re: (Score:2)
Re: (Score:2)
Just because it's possible doesn't make it right.
Unfortunately, everything that they are doing short of the voicemail hacking is currently legal in 49 states, and possibly 50 states.
They are exposing the extremely weak security of the overall telecom industry. What they did was considered normal operations. Maybe not something that an average person would be doing, but not against any TOS or laws.
It boils down to Caller ID spoofing. Create strong laws, stronger than the ones currently in Congress, and yo
Re: (Score:2)
Before anyone latches on to your caller ID spoofing part, these people are not spoofing ID info to a third party - they are generating an incoming call to themselves with spoofed data. From what I can see, the proposed bill does not outlaw that, so they aren't doing anything in this step that *will* be illegal.
And the matching data they buy is not legal in any of the states. They have to buy it from European companies, which obtain it from US companies. So saying it's "legal" is misleading - it's more ac
Re: (Score:2)
That's what I mean by much stronger Caller ID laws. I think that you should be able to prove ownership of a number, on demand, before you can use it as Caller ID. When you are getting an LNP (local
Re: (Score:1)
DePetrillo said. "We created software that iterates through these numbers and can crawl the entire phone database in the U.S. within a couple of weeks... We have done whole cities and pulled thousands of records." "It's not illegal, nor is it a breach of terms of service," Bailey said.
How is this not illegal? It's not an open DB that anyone can browse at free will. You would need a way to hack/social-engineer the servers in order to get into it. I highly doubt that Verizon/ATT/etc have their entire customer DBs open for anyone to peruse with a data-miner. I'm sure the telcos aren't too happy about this news.... and I bet they would pay high $$ to see them/this disappear. :)
Re: (Score:2, Insightful)
Clearly it ought to be legal though.
What the fuck are you smoking that makes you think this should be legal?
Re: (Score:1)
Re: (Score:2)
> Clearly it ought to be legal though.
> What the fuck are you smoking that makes you think this should be legal?
Um. Whoosh! I think? I'm not sure that post was entirely sincere. Or maybe I'm assuming sarcasm where there isn't any. Either way, maybe you should get ahold of some just to curb some of that hostility brah.
Re: (Score:1)
> What the fuck are you smoking that makes you think this should be legal?
Whatever it is, it's not legal.
Re: (Score:2)
But it ought to be.
Re: (Score:3, Insightful)
Saw a line about spoofing caller id info. That isn't legal.....now.
Legal? What about the new caller ID law... (Score:4, Interesting)
Re: (Score:3, Insightful)
Plus the whole breaking into voicemail boxes thing.
Re: (Score:2)
It is. And yes, they are doing it on a massive scale to pull thousands of records. So how long before a lawsuit?
Re:Legal? What about the new caller ID law... (Score:4, Informative)
Re: (Score:2)
What if he has multiple personality disorder? Or maybe like many car salesmen I know, he openly lies to himself so he can sleep at night? I wouldn't be so quick to assume there's no deception here.
On a more serious note, I was wondering something along those lines myself. I have T-Mobile and I could have sworn that mine used to do caller ID with name years ago. Now it only does it if the number's in my address book, and I was trying to figure out when that changed, or if I'm just insane (strong possibility
Re: (Score:1)
Re: (Score:2)
I believe it depends on the intent.
You can still spoof as long as you aren't doing so to deceive or defraud.
Re: (Score:2)
> You can still spoof as long as you aren't doing so to deceive or defraud.
Seems to me that spoofing caller ID in order to trick the database into delivering information on some other phone user constitutes intent to defraud.
Re: (Score:2)
Sometimes actions reveal intent, but I don't think it does in this case.
These researchers have apparently tried the attack described in TFA on themselves with no intent to defraud.
If you spoof caller id to trick a database, only a machine has been deceived (and that's arguable). What you do (or intend to do) next is the big question.
Re: (Score:2)
So if instead of displaying "Michael" I make my phone display "Mike" I'm deceiving someone? Just checking.
Re: (Score:1)
Re: (Score:1)
In Germany? (Score:2)
Anyway unless the software he's using is illegal or the order of key strokes he's typing is illegal then nothing he's doing is illegal, well unless the result of using that software with those keystrokes is illegal, but then according to common-law it's up to the law enforcement body to prove he knew what the result would be.
Re: (Score:1)
From TFA:
I thought spoofing caller ID was now illegal...
Not yet. The bill passed the US House of Representatives, but not the Senate.
Re: (Score:2)
And once it IS signed it's still legal if you're in one of a number of other countries when you do it. (I wonder if the EU laws on personal information apply to the caller-ID info retrieval step if it's done there?)
As far as I can see (IANAL) the only step that's currently illegal in the US is cracking past the voicemail password. That's illegal under the Computer Fraud and Abuse act (accessing a protected computer) and occurs at the server location even if it's initiated from outside the US so there's ju
Foot meet bullet. (Score:4, Interesting)
I get mailed revised TOS and privacy policies from companies on a weekly basis. Now that this is publicized, how long will it stay 'legal'? Usually, loudly exclaiming "nener-nener-boo-boo you can't catch me" to one of the largest, consumer unfriendly, profit motivated industries gets their attention.
What makes them think this is legal....? (Score:5, Insightful)
Yes, IAAL, but IANYL.
Re: (Score:2)
> Yes, IAAL, but IANYL.
That's pretty pre-emptive of you, you don't even know how much they'd be willing to pay you should you win the case or not!
Re: (Score:2)
Re: (Score:2)
As far as I can tell, they assert that it is legal, therefore they think it is legal.
That's a good point. They forgot their "IANAL" disclaimer, just so people understand exactly how much their "legal opinion" is worth.
This means that the average Slashdotter is more legally savvy than these two "researchers".
Re: (Score:2)
You're right. This sounds like this'll easily run afoul of stalking laws.
Re: (Score:2)
well going by your logic (Score:2)
Every civilian in the US can be found guilty of cocaine dealing & have all their property forfeited, just through the uncorroborated testimony of a paid snitch with a dubious past, & no other evidence whatsoever - Ever heard of Mobile, Alabama & Union, Texas? Or look at all the prosecutor/judge/jury combos that have put innocent people to death.
Re: (Score:1)
Not quite (Score:3, Insightful)
Re: (Score:2)
just use the same argument the police use for why they don't need a warrant..
we aren't tracking the person - we are tracking the phone, they aren't required to carry it.
Re: (Score:3, Insightful)
Nelson Rockefeller said of his grandfather, John D. Rockefeller, "He didn't break any laws. But a lot of laws were passed because of what he did."
Re: (Score:2)
2) Tell friend they're spying on him
3) Friend sues them
4) Profit!!!!
Re: (Score:2)
> 1) Hire them to spy on a friend
> 2) Tell friend they're spying on him
> 3) Friend sues them
> 4) Profit!!!!
5) Thank $DEITY, that friend will never utter 'I got nothing to hide' again...
6) Move to next person/GOTO 1
What's new? (Score:1)
Re: (Score:2)
Oliver Queenan: All cell phone signals are under surveillance, due to the courtesy of our Federal friends over there.
Ellerby: Patriot Act, Patriot Act! I love it, I love it, I love it!
Re: (Score:1)
It's nearly illegal (and will be soon). (Score:2)
From TFA: "DePetrillo used open-source PBX software to spoof the outgoing caller ID..."
Last week Congress passed the Truth in Caller ID Act of 2010 [gpo.gov] which will make it illegal "to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive."
Once that's signed into law they will be on very thin ice arguing that they did not intend to defraud or deceive when they spoof their caller ID to obtain information that they normally would not be able to
Maybe not (Score:5, Insightful)
Re: (Score:2)
They may successfully argue that it is still legal. Their method is to call themselves with spoofed caller-id. The network fills in the name associated with the phone number and they build their database. Since they are only calling themselves and they know they are spoofing, they are not "intending to defraud or deceive" anyone.
Possibly, but I think most reasonable people would agree that using spoofing to trick the phone company into providing database information you shouldn't have falls under the "deceive" label.
Trespassing? (Score:1)
Re: (Score:1)
"Collecting data is only the first step toward wisdom, but sharing data is the first step toward community" -IBM
Charging for data is the first step toward business
Not "perfectly legal" for much longer (Score:2)
Re: (Score:2)
While I agree that this won't be legal for much longer (assuming it is now), that bill won't make it illegal. The bill makes it illegal to spoof caller ID with intent to deceive. The intent here is not to deceive so they aren't covered.
Old news... (Score:1)
And how do you define "legal"? (Score:2)
I find it interesting that they claim this is "legal"; I suspect they mean "we don't know of or haven't thought of the laws that one would be breaking by doing this".
Sure, they point out specific steps of the process that don't break specific laws even though you might think they would; but in the end, a series of actions that would each be legal on its own can add up to a crime. Spying on another individual, tracking their whereabouts and spying on their phone calls, is in and of itself illegal no matter
Re: (Score:2)
Yeah, they don't seem to grasp the concept that laws can prohibit any and all actions that lead to specific results.
<sarcasm>Because we all know it's not really 'murder' that's illegal, it's every single action that can result in someone else's death that's illegal. If you invent a new way of killing someone, that's legal until they plug up that loophole.</sarcasm>
Gaining access to voice mail you're not supposed to have access to is illegal no matter how you do it, on top of any crimes you mig
Legal - where? (Score:2)
Obviously Illegal - check the CFAA (Score:1)
Title 18, Part 1, Chapter 47, Section 1030(a)(2).
It's a crime if someone:
"intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains
Given the scale of their activities, it's almost certainly a felony too.
This reminds me... (Score:1)
Can't you get the same information (Score:2)
Can't you get the same information by purchasing it from the cell providers? There's already precedent on this.
-- Terry