Who is listening to your cell phone


Is your cell phone being tapped?

The world is so arranged that any technical invention of the human mind that expands our capabilities and creates additional comfort for us inevitably contains negative aspects, a potential danger for the user.

Modern means of wireless personal communication (radio telephone, pager and cell phone) are no exception.

Yes, they have expanded our freedom, «untied» us from the telephone on our desk and given us the opportunity to contact the necessary subscriber at any time and in any place.

But not everyone knows that these «miracles of technology» hide very dangerous «traps» in the field of information protection and personal security.

Organizing wiretapping of a cell phone is much easier than is commonly believed.

After all, most of the security systems that mobile operators are proud of are in fact easily neutralized.

Meanwhile, many people trust their «mobile phone» with their deepest secrets. They naively believe that no one will hear their words except the person they are talking to.

In our country, fragments of transcripts of telephone conversations of famous people — politicians, officials, businessmen, journalists — regularly appear on newspaper pages and on websites.

This is just the tip of the iceberg called wiretapping of cellular networks.

In the West, as in Russia, wiretapping and recording conversations conducted via wireless communications is a common occurrence.

It is practiced by many «hunters for other people's secrets».

For example, private detectives, industrial spies, journalists, representatives of criminal structures, phreaks (people who specialize in illegally penetrating telephone networks), etc.

It has become so widespread that in mid-1998 a special term appeared — radio intelligence of cellular communication networks.

Many Western experts in technical intelligence say that this type of espionage has a great future.

After all, electronic interception of cellular communication is not only easy to implement, it also does not require large expenditures on equipment, and it is almost impossible to detect.

Meanwhile, the number of subscribers to cellular communication networks is growing every year. For example, in Europe it is already more than 100 million people.

It is clear that in Russia the figures are much more modest. By the end of 1999, there were 1.34 million mobile phone owners in our country.

Of these, 800,000 live in Moscow, and the rest live in 69 regions of the Russian Federation. And in 1993, their number did not exceed 38,000 people.

Most of them are users of the domestic radial radiotelephone system «Altai».

At that time, cellular communications functioned only in Moscow and St. Petersburg.

 

CELLULAR COMMUNICATION TECHNOLOGY

To understand how the eavesdropping process occurs and what difficulties arise, let's consider a typical scheme of the organization of a cellular communication system.

It consists of three components: radio transmitters (telephone handsets), base station systems, and a communication center, the MTSO (Mobile Telephone Switching Office), which controls the operation of the entire system.

«Mobile phones» are miniature transceiver radio stations.

Each cellular telephone is assigned an electronic serial number (ESN), which is encoded into the phone's microchip during manufacture and communicated by the equipment manufacturer to service technicians. Some manufacturers also provide this number in the user manual.

When the device is connected to a cellular communications system, a mobile identification number (MIN) is also entered into the phone's microchip.

A cellular telephone has a long and sometimes unlimited range, which is ensured by the cellular structure of communication zones.

The entire territory served by a cellular communication system is divided into separate adjacent communication zones or «cells».

Telephone traffic in each such zone is controlled by a base station capable of receiving and transmitting signals on a large number of radio frequencies.

In addition, this station is connected to the regular landline telephone network and has equipment for converting the high-frequency signal of a mobile phone into the low-frequency signal of a landline telephone and vice versa, which ensures the pairing of both systems.

Periodically (at intervals of 30-60 minutes), the base station emits a service signal. Having received it, the mobile phone automatically adds its MIN and ESN numbers to it and transmits the resulting code combination to the base station.

As a result, the specific mobile phone and its owner's account number are identified, and the device is linked to the specific zone in which it is currently located.

When a user makes a call on his telephone, the base station allocates him one of the available frequencies in the area he is in, makes the appropriate adjustments to his bill, and passes his call on to its destination.

The communications center is the brain of the network.

Its main computer manages hundreds of thousands of connections in the area served by the center.

The MTSO assigns frequencies for radio communications to base stations and mobile radio telephones, and distributes calls within its zone between the cellular network and ordinary public telephone exchanges.

The cellular network databases contain information about the location of all its clients, as well as about interfaces with other such networks, which is necessary for identifying subscribers and checking their right to access the network.

According to Russian and foreign experts, the most vulnerable section is the gap between the repeater antenna and the telephone handset itself.

 

INTERCEPTION TECHNOLOGY

The interception procedure itself does not present any technical difficulties. There are many methods for implementing this procedure in practice.

After all, most cellular communication systems comply with one of the standards of analog (AMPS, TACS, NTS, etc.) or digital communication (D-AMPS, NTT, GSM, etc.).

The principle of transmitting information by such devices is based on the emission of a radio signal into the air.

According to Russian law, each cellular operator must use a specific frequency range.

The most common cellular systems use the 450, 800, and 900 MHz ranges (NMT, AMPS, and GSM standards). Frequencies 824–834 MHz and 869–879 MHz are reserved for operators of narrowband cellular systems with frequency (FDMA), time (TDMA), or frequency-time (FDMA/TDMA) channel division.

Operators using the broadband code division multiplexing (CDMA) radiotelephone system operate at frequencies of 828-831 MHz and 873-876 MHz. Knowing the frequency range, you can always select equipment with the required technical parameters.

Therefore, any person, having tuned the appropriate radio receiver to the same frequency, can hear your every word.

All the necessary equipment is freely sold in Russia. It is clear, though, that unless it is special equipment intended for covert information collection, the manufacturer and seller will not mention this capability of the product in advertising.

According to Russian «hunters for other people's secrets», it is possible to intercept a conversation even by slowly retuning the VHF tuner in older TV models in the upper band of TV channels (from 67 to 69), and sometimes even with the help of a regular radio tuner.

Another option is a modernized cell phone receiver.

It is clear that it should be designed to work in the same cellular communication system that needs to be listened to. A description of this technology can be found on the Internet among materials on phreaking (hacking telephone networks).

You can also use a modified modem with RCM1A boards.

In this case, the modem connected to the cell phone is retuned slightly toward lower frequencies relative to the carrier frequency of voice information transmission, that is, toward the frequencies at which control signals are transmitted.

All the necessary computer programs can also be easily found on the Internet.

With the help of such an «improved modem» and computer, it is possible to obtain not only service information (for example, about a frequency change), but also to record the conversation of the object of wiretapping on the «hard disk». This is a recipe from foreign «hunters for other people's secrets».

The use of digital cellular networks, such as D-AMPS, NTT, GSM, etc., is also unable to protect transmitted audio information from eavesdropping. They can be eavesdropped, for example, using a regular digital scanner.

According to Russian «hunters for other people's secrets», the use of the Cellular Message Encryption Algorithm (CMEA) does not guarantee protection.

It can be cracked by an experienced specialist in a few minutes using a personal computer.

The use of other special encryption algorithms, such as A5/1 in the GSM system, also does not guarantee protection.

In early 2000, it was officially announced that two well-known cryptographers, Adi Shamir and Alex Biryukov from the Weizmann Institute (Israel), had managed to crack this encryption algorithm.

Western experts in radio intelligence of cellular networks claim that one of the few effective methods of protection is the use of broadband radio communication systems.

Intercepting data in the channels of such communication systems is technically difficult to implement, and developers of equipment for such purposes experience certain difficulties.

Although in the field of radio intelligence this task has long been solved. And nothing prevents the use of military developments for commercial purposes.

In our country, until February 2000, it was extremely difficult to use broadband communication systems.

The situation in this area is described in detail in the text of the order of the State Communications Committee of the Russian Federation dated April 14, 1999 No. 67 «On the use of subscriber equipment in local telephone networks with subscriber radio access based on the IS-95 standard».

The specified American standard provides for the use of CDMA technologies. In particular, this document stated that CDMA technology cannot be used for cellular networks.

The reasons were purely technical. Now this restriction has been lifted, and the order itself, partially or completely, has lost its force. Although this does not mean that broadband cellular systems will be widely used in Russia.

 

EQUIPMENT

All equipment can be divided into four categories.

The first is various homemade products and non-standard use of modems, «mobile» handsets, etc. Its description can be found on the Internet. This method requires minimal financial costs and manual skills.

The second is the use of various radio equipment, which is freely sold on the Russian market. Here the main problem is to choose exactly what you need.

Although basic knowledge of radio electronics or consultations with an experienced person is usually enough.

The costs are significantly higher.

Third — the use of special equipment for radio reconnaissance in cellular communication networks. Its main advantage is that it was originally designed to listen to cellular communication channels.

In other words, simplicity and ease of use.

There are many foreign and domestic models.

True, according to current Russian legislation, a special license is required for its development, production, sale and import into the territory of the Russian Federation.

And such products can only be sold to government organizations that are allowed to carry out operational-search activities (FSB, Ministry of Internal Affairs, etc.).

Fourth — equipment installed directly at the mobile operator itself.

For example, by order of the State Communications Committee of the Russian Federation dated April 20, 1999 No. 70 «On technical requirements for the system of technical means for ensuring the functions of operational-search activities on the telecommunications networks of the Russian Federation» the technical requirement for the system of technical means for ensuring the functions of operational-search activities on mobile radiotelephone networks (SORM SPRS, Appendix No. 1) was approved.

Even in the project of the Iridium mobile global personal satellite communications system, the Khrunichev Center, at the insistence of the Russian Ministry of Communications, agreed to make some adjustments. In particular, a clear procedure was defined for the placement of special services equipment in the future network so that they could easily carry out operational and investigative activities.

Recall that this system was put into operation in 1998 and currently has 50 thousand subscribers.

 

CELLULAR WITNESS

Another danger is determining the location of the subscriber.

Let's leave aside such an obvious possibility as identifying the address of a subscriber of a cellular communication system through the company providing him with these services. Few people know that carrying a mobile cellular phone makes it possible both to determine the current location of its owner and to track his movements in the past.

The current position can be identified in two ways.

The first of them is the usual triangulation method (direction finding), which determines the direction to the operating transmitter from several (usually three) points and gives a location fix of the source of radio signals. The equipment required for this is well developed, has high accuracy and is quite affordable.

The second method is through the computer of the company providing the communications, which constantly registers where a particular subscriber is at a given moment in time, even when he is not conducting any conversations (using identifying service signals automatically transmitted by the telephone to the base station, which we discussed above).

The accuracy of determining the subscriber's location in this case depends on a number of factors: the topography of the area, the presence of interference and reflections from buildings, the position of base stations, the number of phones currently operating in a given «cell».

The size of the «cell» in which the subscriber is located is also of great importance, so the accuracy of determining his location in the city is much higher than in rural areas (the size of a «cell» in the city is about 1 sq. km versus 50-70 sq. km in open areas).

Finally, analysis of data on subscriber communication sessions with various base stations (through which base station the call was transmitted, to which base station, date of the call, etc.) allows us to reconstruct all the subscriber's movements in the past.

Such data is automatically registered in the computers of companies providing cellular communication services, since payment for these services is based on the duration of use of the communication system.

Depending on the company whose services the subscriber uses, this data can be stored from 60 days to several years.

This method of reconstructing the subscriber's movements is widely used by the police in many Western countries during investigations, since it makes it possible to reconstruct, with an accuracy of up to a minute, where the suspect was, who he met with (if the second person also had a cell phone), where and how long the meeting took place, or whether the suspect was near the crime scene at the time it was committed.
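Added example (not part of the original article): a short Python sketch of what the session records described above expose once they are retained, so that a subscriber or a privacy reviewer can see why retention periods matter. The record layout, the subscriber labels A and B, the base station names and the 15-minute window are all assumptions made for illustration; the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample billing records (not real data):
# (subscriber, base station, session start, duration in seconds)
RECORDS = [
    ("A", "BS-12", "2000-03-01 09:02", 180),
    ("B", "BS-07", "2000-03-01 08:50", 120),
    ("A", "BS-12", "2000-03-01 09:40", 60),
    ("B", "BS-31", "2000-03-01 12:05", 240),
    ("A", "BS-31", "2000-03-01 12:15", 300),
    ("A", "BS-05", "2000-03-01 18:30", 90),
]

def parse(records):
    """Turn raw rows into (subscriber, cell, start, end), ordered by start time."""
    rows = []
    for sub, cell, start, seconds in records:
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M")
        rows.append((sub, cell, t0, t0 + timedelta(seconds=seconds)))
    return sorted(rows, key=lambda r: r[2])

def movement_timeline(records, subscriber):
    """Merge consecutive sessions in one cell into (cell, first seen, last seen)."""
    timeline = []
    for sub, cell, t0, t1 in parse(records):
        if sub != subscriber:
            continue
        if timeline and timeline[-1][0] == cell:
            timeline[-1] = (cell, timeline[-1][1], max(timeline[-1][2], t1))
        else:
            timeline.append((cell, t0, t1))
    return timeline

def co_located(records, a, b, window=timedelta(minutes=15)):
    """Cells where a and b both had sessions within `window` of each other."""
    rows = parse(records)
    hits = []
    for sa, ca, a0, a1 in rows:
        for sb, cb, b0, b1 in rows:
            if (sa, sb) == (a, b) and ca == cb \
                    and a0 <= b1 + window and b0 <= a1 + window:
                hits.append((ca, min(a0, b0), max(a1, b1)))
    return hits

def within_retention(records, now, days):
    """Rows an operator with a `days`-long retention period would still hold."""
    cutoff = now - timedelta(days=days)
    return [r for r in records
            if datetime.strptime(r[2], "%Y-%m-%d %H:%M") >= cutoff]

if __name__ == "__main__":
    for cell, first, last in movement_timeline(RECORDS, "A"):
        print(f"A in {cell}: {first:%H:%M} to {last:%H:%M}")
    print("A and B in same cell:", co_located(RECORDS, "A", "B"))
```

With a 60-day retention period none of these rows would still be held three months later, which is the practical difference between the short and long storage periods mentioned in the text.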

 

PROTECTION METHODS

Who can and should protect users of cellular networks from such troubles, and how? Theoretically, this should be done by the state, the cellular operator and the user himself.

What can the home state do to protect information transmitted via commercial cellular channels? For example, ensure real control over compliance with the law in the area of using special equipment for organizing radio intelligence by individuals, non-governmental organizations and law enforcement agencies. (For more on this, see A. Rykov's publication «Who can listen to your cell phone?».)

Currently, FAPSI is working on creating equipment for cryptographic closure of cellular communication system channels. No one can name the exact date for commissioning of such equipment.

 

CELLULAR OPERATORS

According to one of the provisions of Article 32 of the Federal Law «On Communications», «all communications operators are required to ensure the observance of communication secrecy». It is clear that in real life this requirement is not observed. The main reason is of a purely technical nature: the lack of the necessary equipment to «close» communication channels.

This means that the owner of the information himself — the mobile subscriber — must take the necessary measures.

 

SOME TIPS that will help reduce the likelihood of successful wiretapping by the enemy.

1. Avoid or minimize the transmission of confidential information, such as credit card numbers, financial information, passwords. Use more secure landline phones for these purposes. However, make sure that the person you are talking to is not using a cordless phone at the time.

2. Do not use cellular phones for business conversations.

3. Remember that it is more difficult to intercept a conversation conducted from a moving vehicle, since the distance between it and the intercepting equipment (if it is not in the car) increases and the signal weakens. In addition, your signal is transferred from one base station to another with a simultaneous change of operating frequency, which does not allow interception of the entire conversation, since it takes time to find the new frequency.

4. Use communication systems that transmit data at high speeds with frequent automatic frequency changes during the conversation.

5. Use digital cellular phones, if possible.

6. Turn off your cell phone completely if you don't want your location to be known to anyone.

 
