The simpler the phone, the harder it is to wiretap. Details on how to protect your phone from eavesdropping

Let's think for a second about what a hacker's phone would look like.
What functions would it have, and what hardware and software would it be stuffed with?
In the meantime, let's see what is on the market, what custom solutions have already been built, and what we can borrow from them.

Let me show off my new handset, with a bit of lyricism before the harsh infosec terms and concepts.

Heaviness is good. Heaviness is reliable.



Yes, this is a Snatch phone (DEXP Ixion XL145). My fellow countrymen from Vladivostok took it and competently redesigned/rethought the Highscreen Zera S Power (they cut off the corners at the back, added a “leather-like” finish, doubled the number of cores from 4 to 8, upgraded the camera from 5 to 8 MP).

How is this phone connected to information security?

Firstly, I got it using the method of “soft” social engineering. But I can’t write about this yet.

Secondly, it will now be easier for me to take videos and photos of spy devices.


(to the article about bug detectors, field indicators and legal bug emulators)

For example, this is how an acoustic safe squeals:

For reference, the Dexp Snatch costs 7,500 rubles (although the Dexp line includes models with a large battery for both 4,500 and 14,000 rubles), and the acoustic safe costs about 10,000 rubles.

I have a lot of respect for long-lasting phones. I always used old Xeniums. Apparently, Vladivostok residents have it in their blood - they are too lazy to recharge every day, so they created a whole line of 10 models with powerful batteries. A 4000 mAh battery (6-8 video recordings of reports from DEF CON) and a case thicker than a centimeter. (Nearby is an old, good, faithful telephone “for bribes”, which has served me as a flashlight for more than 5 years.)

Looking at Boris the Blade, I keep coming back to the idea that a simple, crude method is very often effective. For example, you can protect yourself from covert activation of the microphone simply by fitting a mechanical toggle switch that turns the microphone on and off.

On the right in the top photo is a smart phone case “Cocoon” (acoustic safe), which they gave me to play with at Detector Systems when I took an armful of field indicators and bug emulators from them. (Review coming soon.)
An acoustic safe is a product designed to protect speech in the places where the owner of a cell phone is located, in case the phone is activated for eavesdropping over the cellular channel. Protection works by automatically masking the speech path with acoustic noise whenever an attempt at covert remote activation of the handset microphone is detected. The "Ladya" and "Cocoon" products have passed certification tests according to the requirements of the State Technical Commission of the Russian Federation (Certificates No. 697, 698) and may be used in designated premises up to category 1 inclusive.

The cell phone is placed inside the "Cocoon". If the phone is covertly switched into listening mode, the only unmasking sign is a change in the strength of the electromagnetic field (i.e., the cell phone transmitter has been switched on to transmit without authorization). This change is registered by the field indicator built into the product, which commands the acoustic noise generator to switch on. The whole speech transmission path is then flooded with noise so that no trace of speech remains at the receiving end.

Specifications:

  • Noise level at the point where the cell phone microphone is placed: at least 100 dB
  • Effective spectrum of noise signal: 250 - 4000 Hz
  • Continuous operation time from one set of batteries: at least 6 months
  • Power supply for the “Cocoon” product: CR 2032 lithium battery
  • Continuous operation time from one set of batteries: at least 2 months

Story

The first mentions of the confrontation between intelligence services and “hackers” in the field of telephony appeared in 1993-1995.

ZRTP (2006)

A cryptographic key agreement protocol used in voice over IP (VoIP) systems. ZRTP describes a method for obtaining keys using the Diffie-Hellman algorithm for the Secure Real-time Transport Protocol (SRTP). ZRTP carries out key negotiation in the same RTP stream over which the audio/video connection is established, that is, it does not require a separate communication channel. Developed by Phil Zimmermann (author of Pretty Good Privacy), Jon Callas and Alan Johnston in 2006. The protocol description was submitted to the IETF on March 5, 2006.
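The key-agreement idea behind ZRTP, as an added example that is not part of the original post and not the ZRTP protocol or any project's code: two parties run Diffie-Hellman inside the media path, derive the SRTP key from the shared secret, and each reads out a short authentication string (SAS) computed from that secret. A man in the middle who relays the call has to run two separate exchanges, so the two SAS values no longer match. The prime (2^127-1, far too small for real use), the derivation labels, the hello messages and the SAS encoding are all assumptions made for this illustration.

```python
"""Toy model of ZRTP-style Diffie-Hellman key agreement with a SAS check.

Added example, not ZRTP itself and not code from any project. The group
parameters, KDF labels and SAS format are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets

# TOY group: 2^127-1 is prime but far too small for real use; ZRTP uses
# standardised 2048/3072-bit MODP groups or elliptic curves (assumption).
P = (1 << 127) - 1
G = 3


def dh_keypair(priv=None):
    """Return (private, public) for one party; a fixed private value may be supplied."""
    priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def format_sas(digest):
    """Encode the top 20 bits of a digest as a 4-character base32 string to read aloud."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    v = int.from_bytes(digest[:3], "big") >> 4
    return "".join(alphabet[(v >> (5 * i)) & 31] for i in (3, 2, 1, 0))


def derive(shared, hello_a, hello_b):
    """Derive the SRTP master key and the SAS from the DH result and both hellos."""
    s0 = hashlib.sha256(shared.to_bytes(16, "big") + hello_a + hello_b).digest()
    srtp_key = hmac.new(s0, b"SRTP master key", hashlib.sha256).digest()[:16]
    sas = format_sas(hmac.new(s0, b"SAS", hashlib.sha256).digest())
    return srtp_key, sas


def run_session(mitm=False, privs=(None, None, None)):
    """Run one call set-up; with mitm=True a relay does a separate DH with each side."""
    a_priv, a_pub = dh_keypair(privs[0])
    b_priv, b_pub = dh_keypair(privs[1])
    hello_a, hello_b = b"Alice hello v1", b"Bob hello v1"  # constructed messages
    if not mitm:
        a_key, a_sas = derive(pow(b_pub, a_priv, P), hello_a, hello_b)
        b_key, b_sas = derive(pow(a_pub, b_priv, P), hello_a, hello_b)
        mitm_keys = None
    else:
        m_priv, m_pub = dh_keypair(privs[2])
        # Each endpoint receives the relay's public value instead of its peer's.
        a_key, a_sas = derive(pow(m_pub, a_priv, P), hello_a, hello_b)
        b_key, b_sas = derive(pow(m_pub, b_priv, P), hello_a, hello_b)
        # The relay now holds both media keys, but the two SAS values differ.
        mitm_keys = (derive(pow(a_pub, m_priv, P), hello_a, hello_b)[0],
                     derive(pow(b_pub, m_priv, P), hello_a, hello_b)[0])
    return {"a_key": a_key, "b_key": b_key,
            "a_sas": a_sas, "b_sas": b_sas, "mitm_keys": mitm_keys}


if __name__ == "__main__":
    for mitm in (False, True):
        r = run_session(mitm=mitm)
        print("relay present:", mitm, "| Alice reads", r["a_sas"], "| Bob reads", r["b_sas"])
```

The defensive point is the last line of each run: the SAS is only useful if both people actually compare it over the call, because nothing in the exchange itself authenticates the peer.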

2009
Karsten Nohl, a member of the German hacker group CCC (Chaos Computer Club), announced at the group's conference on December 28 that he had managed to crack the encryption algorithm used in GSM networks.

Karsten Nohl, founder of Security Research Labs, announced the discovery of a vulnerability in SIM cards that use the DES (Data Encryption Standard) encryption standard. DES is outdated, yet a large number of manufacturers still use it, and hundreds of millions of SIM cards support it. The vulnerability lets an attacker obtain the 56-bit key from the reply a phone sends automatically when it receives a fake message purporting to come from the telecom operator (about 25% of DES cards are susceptible to this "deception").

(A small and not very hardcore note that flashed on Habré)

Wiretapping of mobile phones and their protection

How operators protect their networks

When GSM technology was developed, and again when it was rolled out, all the requirements of the supervising government authorities regarding the level of protection were taken into account. It is because of these requirements that in many countries the sale and purchase of special equipment such as powerful encryptors, crypto equipment, scramblers and other highly secure technologies for public communications is prohibited. Mobile operators themselves protect their radio channels by encrypting the signal. The encryption uses very complex algorithms, and the cryptographic algorithm to be used is selected when the connection between the base station and the subscriber is established. According to what MTS employees told journalists, the probability of subscriber information leaking from the operator's equipment is practically zero. Why zero, we asked; because of the complexity of, and strict access control to, the operator's facilities and equipment.

How can you “listen” to mobile phones?

There are only two methods of wiretapping subscribers: the active method and the passive method. Passive listening requires very expensive equipment and specially trained staff. If you have money (read: a lot of money), you can buy special systems on the "black market" that let you listen to the conversations of any subscriber within a radius of up to 500 meters. Why a lot of money? The answer is simple: the price of one such kit starts at several hundred thousand euros. What such a kit looks like can be seen in the next photo. There are many sites on the Internet where you can read descriptions of such kits and listening systems and how they work.

As the manufacturers of such listening systems convince, their systems can monitor GSM conversations in real time, because the operating principle of the equipment is based on access to the SIM card of the mobile subscriber, or directly to the database of the cellular operator itself. Although, if those listening to you do not have such access, they can listen to all your conversations with some delay. The amount of delay depends on the level of encryption of the communication channel that a particular operator uses. Such systems can also be mobile centers for listening and tracking the movement of objects.

The second method of wiretapping is active interference on the air with the authentication process and control protocols. For this purpose, special mobile complexes are used. Such mobile systems, which are essentially a pair of specially modified phones and a laptop, despite their apparent simplicity and small size, are also not a cheap pleasure - their price varies from a couple of tens of thousands to several hundred thousand US dollars. And again, only highly qualified specialists in the field of communications can work on such equipment.

The attack on the subscriber is carried out according to the following principle: since the complex is mobile and is located at a close distance to the subscriber - up to 500 meters - it “intercepts” signals to establish a connection and transmit data, replacing the operator’s base station. In fact, the complex itself becomes an “intermediary bridge” between the nearest base station and the subscriber himself.

After "capturing" the desired mobile subscriber in this way, the complex can perform practically any control function over the intercepted channel: for example, connect the person being listened to with any number the listeners need, downgrade the encryption algorithm, or even disable encryption for a specific communication session, etc.

What such a complex looks like can be seen in the photo below.


As experts told us, it is impossible to determine with 100% certainty that a subscriber's phone is being tapped at this very moment. But you can get indirect evidence that such a possibility exists. In the recent past, some mobile models (namely push-button phones) showed a special lock icon. If the lock was closed, the signal was encrypted, and vice versa: if the lock was open... well, you get the idea.

But in phones over the last 5-6 years there is no such function... It’s a pity. Although, for some smartphone models there are special applications that will signal the phone owner about the configuration of the settings used in the current communication session. One option is to notify the user about the mode in which his conversation is transmitted - using encryption algorithms or openly. Listed below are a few of these applications:

EAGLE Security

It is one of the most powerful applications for protecting your mobile phone from wiretapping. The program blocks any connection to false base stations. To judge whether a station is genuine, it checks station signatures and identifiers. In addition, the program independently tracks and remembers the location of all base stations, and if it detects that a base station is moving around the city, or that its signal disappears from its usual location from time to time, such a station is marked as false and suspicious and the application notifies the phone's owner. Another useful feature is the ability to show which of the applications installed on your phone have access to the camera and microphone. There is also a function to revoke camera access from any software that does not need it.

This program differs from the previous one and its main function is to monitor any suspicious activity on the network, including the use of SMS, which can be sent without the permission of the phone owner. The application evaluates in real time how secure your network is, what encryption algorithm is being used at that moment, and much more.

Android IMSI-Catcher Detector

This application also helps protect your smartphone from any connections to pseudo-bases. The only disadvantage of this program is that you will not find it on Google Play and if you still want to install it, you will have to tinker with this procedure.

CatcherCatcher

The CatcherCatcher program, like its analogues above, is engaged in identifying false base stations that attackers (or special services?) use as intermediate “intermediary bridges” between the subscriber and the real base station.

Overview of solutions for protecting telephone conversations
(Some material is taken from promotional brochures, so healthy skepticism and comments are welcome)

TopSec GSM, based on the Siemens S35 phone and made by the German firm Rohde & Schwarz, provides "total traffic protection."

The device is a regular Siemens S35 phone, upgraded with a special crypto-chip. Encryption is enabled by a special option in the phone menu. In protected mode, the phone can work with both a second TopSec phone and an ELCRODAT 6-2 ISDN phone from the same company.

Security is provided by encrypting traffic with a 128-bit key, and the session key is calculated using a 1024-bit key, which provides additional security. A distinctive feature of this phone is that encrypted packets are created in such a way that they are transparently perceived and transmitted over GSM networks, like regular GSM packets.

The price of such a phone: $2700. Such a high price, however, did not prevent the high popularity of TopSec GSM. Thus, the Bundeswehr (German armed forces) entered into a contract for the supply of such phones for their own needs.

A slightly more fashionable version from the same company is a wireless headset.

Short description:
TopSec Mobile is a voice encryption device that can be connected to any mobile phone using Bluetooth interface. TopSec Mobile provides privacy and protection against wiretapping anywhere in the world.

Peculiarities:

  • Connecting to the user's phone via Bluetooth interface
  • TopSec Mobile works with almost all modern mobile phones
  • Can also be used with Bluetooth modems and satellite phones
  • Cannot be identified by mobile operator
  • Voice encryption using Advanced Encryption Standard (AES), 256-bit key

The device uses a combination of asymmetric 1024-bit and symmetric 128-bit encryption to provide a high level of security.

To establish a secure connection, after dialing the number, the user simply needs to press the button labeled crypto (“encryption”). The other party must also use a TopSec GSM telephone - or a similarly equipped landline telephone, such as the ELCRODAT 6-2 ISDN model from Rohde & Schwarz. This company began selling such devices after acquiring the hardware encryption department from Siemens Information & Communication Mobile.

The TopSec GSM phone operates in two frequency bands - 900 and 1800 MHz, so it can be used in any region where GSM 900/1800 networks are available. The company sells new models in many countries around the world for about $3,000.

The downside of this approach is the dedicated call-management server that sits between subscribers registered on it. But this is a necessary condition for building distributed interaction systems:

no comments, except that it’s cool that they are creating “their own AppStore” for safe applications



Handsets from Russia

Scrambler
(Meanwhile in the USSR Russia)


"GUARD Bluetooth" from the LOGOS company.
To quote Lukatsky:
Original Soviet device. There is no design as such. The headset is tightly "sewn" into the device and can only be replaced together with the device. But the protection of conversations is guaranteed: the device connects via Bluetooth to a transmitter, a computer or phone (not a word is said about protecting the Bluetooth channel using E0). I haven't tested the device, but you can find a review of it online. The appearance of "GUARD Bluetooth" next to the same TopSec Mobile gives a very good idea of how domestic and Western CIPFs compare (in appearance, ease of use, and functionality). But this device does not require any external server to operate; point-to-point operation is possible.


PDA Referent
Hardware and software kit for protecting conversations in GSM networks
The software and hardware product “Referent-PDA” is designed for devices such as smartphones (communicators) running the Windows Mobile 2003/2005 operating system. “PDA referent” allows you to prevent eavesdropping on conversations between two communicators. The kit consists of an SD/miniSD module, software and a Qtek-8500 smartphone.

The program interface contains: a dial field, call control buttons, a button for canceling the entry of the last digit, and an indicator that displays the number being dialed, the number of the caller for an incoming call, the state when a connection is established, etc.
The program starts automatically when the SD/miniSD module “Referent PDA” is connected, and an icon indicating that the program is running in the background appears on the communicator screen in the lower right corner. To call another subscriber in protected mode, you need to click on the indication icon, and then perform the same actions in the “PDA Referent” program that opens as for a normal call. When a call is received from another PDA Referent set, instead of the “telephone” program, the “PDA Referent” program interface automatically opens, then all actions are the same as for a regular call.

During the connection establishment process, special information is exchanged for mutual authentication of devices and generation of a session key.
Receiving and making an unprotected voice call is carried out using standard communicator software.

The main difference between the product and its analogues is the use of a low-speed data transmission channel (up to 1600 baud), which allows it to work with a weak GSM signal (in areas of poor reception), in roaming, when using different operators, etc.

Let's just call it "phone"


(I got this mobile phone from Kostya, who represents Hideport.com)

Features: mechanical microphone control (an on/off button for the microphone) and case-integrity monitoring (a hidden alarm fires if someone tries to open the handset).

It seems that this thing has a means of connecting to other networks (cable modem, analog/digital modem, radio modem, satellite terminal or GSM modem). But I still have to find out about this.

I also infiltrated the production of phones for the special services, and they allowed me to take a couple of photos:


This phone operates in four bands (850, 900, 1800 and 1900 MHz), uses subscriber-to-subscriber encryption, and has an ACELP-class speech compression algorithm at 4800 bps with good, high speech quality. The encryption algorithm is a well-known Russian standard, GOST 28147, issued in 1989. Because the encryption is full-stream, cryptographic synchronization is required, so you need to wait 10 seconds for the connection to be established before you start speaking. The phone also has an FSB certificate.

On the side of the case there is a button that turns on crypto mode. Talk time in closed mode is 4 hours, and in open mode 4.5 hours; the difference is explained by the crypto processor in the phone starting up in closed mode.

Phones that implement this additional encryption can work both with a national operator (MTS, Megafon) and, if you are traveling, with an international one; in Latin America that is 850/1900, and in Europe and Asia 900/1800. The phone will function in international networks provided that there is not only roaming but also that the operator supports the BS26T data service. The crypto button switches the phone between encryption mode and open mode, from which you can call a regular phone and talk with friends, family, and so on.

Subscriber encryption method

Unfortunately, the GSM standard was designed in such a way that it was impossible to install your own encryption algorithm into the phone, providing a continuous band of guaranteed security.

Switches use transcoders that do the following: when you speak into your phone's microphone, the phone's vocoder compresses the speech, creating a 12 kbit/s stream. This stream, encrypted, reaches the base station, where it is decrypted and then, still compressed, reaches the switch. On the switch it is decompressed into a 64 kbit/s stream; this is also done so that security authorities can listen to you. Then the stream is compressed again and goes to the second mobile subscriber. If you simply encrypt the channel from subscriber to subscriber, the decompression and recompression on the switch will make it impossible to decrypt the incoming information. Unfortunately, this transcoder cannot be disabled when working in the speech path, so in order to provide a subscriber encryption method (which is necessary for guaranteed protection from everyone and everything), we are forced to use a data transmission channel. The GSM standard has the BS26T service for data transmission at a fairly low speed, 9600 bps. In that case the transcoder is switched off, and you effectively have a direct communication line without additional transformations. A low speed, really.

Accordingly, in order to transmit speech, it must be compressed, and quite strongly - no longer like standard GSM, at 12 kbit, but even more strongly, up to a speed of 4.8 kbit/s. Then it is encrypted, and all this encrypted information passes freely through any switches in the world - if you are in Latin America, and the other person is somewhere in the Far East, you will pass through a lot of different switches and some other equipment, but if you established a data transmission channel, this connection will work.

And nowhere in the world, not a single intelligence agency, not a single enemy of yours will be able to eavesdrop on you, because the speech is encrypted in your phone, and can only be deciphered by the interlocutor. But for this principle of encrypted speech transmission to function, it is necessary that operators support the BS26T service.

Almost all operators in the world support it, but parts of Latin America, Asia and Australia are exceptions. To protect yourself from the imposition of special SMS messages that put your phone under audio monitoring, you need to have a good understanding of the device’s circuitry and software.


Keys are very important in this technique. They are loaded into the phone from a disk using a computer; the phone must never be connected to the Internet, and if it has Wi-Fi, it should be blocked at all times. The session key for encryption is formed from two keys: a fixed one, loaded from disk using a computer (this key changes once a year), and a random one, generated by the phone for each communication session. The random key changes every time, and the previous keys are physically erased from memory after the connection is broken, so you can be absolutely calm: even after recovering the fixed key, no one will be able to reproduce your conversations.


Generating keys and connecting new users

StealthPhone
I held the StealthPhone Touch in my hands.

I also saw this model

The encryption algorithm used is the symmetric Tiger guaranteed strength encryption algorithm, which is the company’s own development.

The key length is 256 bits.

The algorithm belongs to the class of synchronous stream ciphers (keystream, or "gamma", ciphers). Synchronization is carried out using an initialization vector (sync message), which is transmitted (or stored) in clear text along with the ciphertext. The length of the sync message varies from 4 to 12 bytes and is determined by the context in which the encoder is used.

To bring the encoder into working condition, an initialization procedure is performed, whose input is the secret key and the sync message. The output of the initialization procedure is the values of all elements of the encoder state that determine its operation.

The HMAC-SHA256 algorithm is used as the basic algorithm for calculating the data authentication code.
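The construction described above (state initialised from a 256-bit key plus a clear-text sync message of 4 to 12 bytes, keystream XORed onto the data, HMAC-SHA256 as the data authentication code), written out as an added example. This is not Tiger and not Stealthphone code: the keystream here is produced by HMAC-SHA256 in counter mode as a stand-in, the sub-key labels are assumptions, and the function `iv_reuse_leak` exists only to show the failure mode that matters most for this cipher class, a repeated sync message under the same key.

```python
"""Synchronous stream cipher with clear-text IV and an HMAC-SHA256 tag.

Added example. The keystream generator (HMAC-SHA256 in counter mode) is a
stand-in for the proprietary cipher described in the article; the labels
used to split the master key are assumptions.
"""
import hashlib
import hmac
import os
import struct


def _subkeys(master_key):
    """Derive separate encryption and authentication keys from the 256-bit master key."""
    enc = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, iv, length):
    """Keystream ('gamma') determined entirely by key and sync message (IV)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key, plaintext, iv=None):
    """Return len(iv) || iv || ciphertext || tag; the IV travels in the clear."""
    iv = iv if iv is not None else os.urandom(8)
    if not 4 <= len(iv) <= 12:
        raise ValueError("sync message must be 4..12 bytes")
    enc_key, mac_key = _subkeys(master_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    header = bytes([len(iv)]) + iv
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ct + tag


def decrypt(master_key, blob):
    """Verify the tag first (constant-time compare), then strip the keystream."""
    enc_key, mac_key = _subkeys(master_key)
    iv_len = blob[0]
    iv, ct, tag = blob[1:1 + iv_len], blob[1 + iv_len:-32], blob[-32:]
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, iv, len(ct))))


def iv_reuse_leak(master_key, m1, m2, iv=b"\x00" * 8):
    """Why the sync message must never repeat under one key: with the same IV the
    keystream is identical, so XOR of the two ciphertexts equals XOR of the plaintexts."""
    c1 = encrypt(master_key, m1, iv)[1 + len(iv):-32]
    c2 = encrypt(master_key, m2, iv)[1 + len(iv):-32]
    return bytes(x ^ y for x, y in zip(c1, c2))


if __name__ == "__main__":
    key = os.urandom(32)
    frame = b"voice frame 0001"  # constructed payload
    blob = encrypt(key, frame)
    print("round trip ok:", decrypt(key, blob) == frame)
    print("IV reuse leaks plaintext XOR:",
          iv_reuse_leak(key, b"attack at dawn", b"attack at dusk") ==
          bytes(a ^ b for a, b in zip(b"attack at dawn", b"attack at dusk")))
```

The tag is checked before any keystream is applied, so a modified ciphertext is rejected rather than decrypted into garbage, and the IV is authenticated together with the ciphertext so it cannot be swapped in transit.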

The Stealthphone and Stealthphone Tell systems use 384-bit elliptic curves (the NSA has approved the use of 384-bit asymmetric elliptic curve cryptographic algorithms for processing top secret documents).


Cryptographic algorithms for VoGSM speech encryption
To protect speech in GSM voice transmission channels, time-frequency conversion of the speech signal of guaranteed strength, resistant to double vocoder conversion, is used.

The main elements of the transformation are:

  • Splitting the speech signal into elementary segments;
  • A nonlinear transformation applied to the elementary segments;
  • Rearranging the speech segments among themselves;
  • Processing the resulting signal for transmission via the AMR speech codec and the GSM channel.

The transformation parameters (number and length of speech-signal segments) depend on the key, and the parameters of the nonlinear transformation are also determined by the cryptographic key.
The total algorithmic and system delay (introduced by the cellular network) does not exceed 2.5 seconds.

Cryptographic speech encryption algorithms for IP telephony programs
To protect speech when using IP telephony applications, including Skype and Viber, a time-frequency transformation of the speech signal of guaranteed strength is used, which turns the transmitted speech into a speech-like signal.

The transformation includes:

  • A bank of N filters (filter bank);
  • A dispersive delay line (a filter with a random phase-frequency characteristic);
  • A permutation of length N.

The transformation parameters (number of filters, delay line parameters) depend on the key.
The permutation of spectral bands in the filter bank is set by the session key when the connection is established.
For dynamic transformation, the bands are rearranged once every 3-5 seconds.
The algorithmic delay does not exceed 1 second. The bandwidth of the processed speech signal is 300-3400 Hz. The minimum length of the permutation N is 24.

Depending on the bandwidth of your Internet connection, several conversions are allowed. The allowed maximum delay is 2 seconds. If the Internet connection is unstable or low-speed, it is possible to use an algorithm that does not require synchronization. This ensures quick connection and stability of the crypto connection.
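A worked example of the segment-rearrangement step that both the VoGSM and the IP-telephony descriptions above share: the signal is split into elementary segments, each segment gets a key-dependent "nonlinear" change (here a sign inversion), the segments are permuted by a key-dependent permutation, and the permutation is re-keyed every few seconds. This is an added illustration, not the product's algorithm; the filter bank and dispersive delay line of the IP variant are not modelled, the permutation is generated with HMAC-SHA256-driven Fisher-Yates, and the segment length (160 samples, 20 ms at 8 kHz), frame size and re-key period are assumptions.

```python
"""Key-driven time-domain speech scrambler: segment permutation + sign flips.

Added example of the 'split / nonlinear transform / rearrange' steps. Not the
product's algorithm; permutation source, segment size and epoch length are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import math
import struct


def segment_permutation(key, epoch, n):
    """Fisher-Yates shuffle of n segment indices driven by HMAC(key, epoch || step)."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        r = hmac.new(key, struct.pack(">II", epoch, i), hashlib.sha256).digest()
        j = int.from_bytes(r[:4], "big") % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def segment_signs(key, epoch, n):
    """Per-segment +1/-1 factor (the 'nonlinear transformation'), n <= 256."""
    r = hmac.new(key, struct.pack(">I", epoch) + b"signs", hashlib.sha256).digest()
    return [1 if (r[i // 8] >> (i % 8)) & 1 else -1 for i in range(n)]


def _frames(samples, frame_len):
    pad = (-len(samples)) % frame_len
    padded = list(samples) + [0] * pad
    return [padded[i:i + frame_len] for i in range(0, len(padded), frame_len)]


def scramble(samples, key, seg_len=160, n_segs=8, frames_per_epoch=25):
    """Output position i of each frame carries input segment perm[i], sign-flipped."""
    out = []
    for f_idx, frame in enumerate(_frames(samples, seg_len * n_segs)):
        epoch = f_idx // frames_per_epoch  # re-key the rearrangement every ~4 s
        perm = segment_permutation(key, epoch, n_segs)
        signs = segment_signs(key, epoch, n_segs)
        segs = [frame[i * seg_len:(i + 1) * seg_len] for i in range(n_segs)]
        for i in range(n_segs):
            out.extend(s * signs[i] for s in segs[perm[i]])
    return out


def descramble(samples, key, seg_len=160, n_segs=8, frames_per_epoch=25):
    """Invert scramble(): segment i of the frame goes back to position perm[i]."""
    out = []
    for f_idx, frame in enumerate(_frames(samples, seg_len * n_segs)):
        epoch = f_idx // frames_per_epoch
        perm = segment_permutation(key, epoch, n_segs)
        signs = segment_signs(key, epoch, n_segs)
        segs = [frame[i * seg_len:(i + 1) * seg_len] for i in range(n_segs)]
        restored = [None] * n_segs
        for i in range(n_segs):
            restored[perm[i]] = [s * signs[i] for s in segs[i]]
        for seg in restored:
            out.extend(seg)
    return out


def sample_signal(n=8000, rate=8000.0):
    """Constructed one-second 440 Hz tone with a decaying envelope (16-bit-ish ints)."""
    return [round(1000 * math.sin(2 * math.pi * 440 * i / rate) * (1 - i / (2 * n)))
            for i in range(n)]


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed key
    sig = sample_signal()
    sc = scramble(sig, key)
    print("restored:", descramble(sc, key)[:len(sig)] == sig)
```

The output stays "speech-like" because every sample of the original is still present, only reordered and sign-flipped; that is what lets it survive a vocoder, but it is also why the article's GSM section prefers real digital encryption over a data channel when a bit-exact path is available.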

But how I went to visit Stealthphone will be in another article.


Stealth phone
It is not visible on the Internet, but it exists.

  • Changing the IMEI (International Mobile Equipment Identity)
  • Protection against active and passive systems (interception of conversations and remote control of the phone and other attacks on the device from the operator or GSM mobile complex)
  • Deleting information about calls from the phone’s memory (deleted information is stored in special memory compartments and is available to specialists)
  • Inability to localize the phone and its owner (as well as determine the main phone number and other phone numbers associated with it)
Additional functions

Using a virtual number for calls

You can use any SIM card, any operator. The system automatically links the SIM card number to the virtual number. They call you on a virtual number and automatically get to your phone. When making an outgoing call, you can change your number to any number (for example, your virtual number). There is a voice changing function (with background examination it is impossible to identify the caller). Even if your virtual number is put under control, there will be no information on this number.


From the handset's description

False base stations

A special device called an IMSI (International Mobile Subscriber Identity) catcher pretends to be a real cellular base station to nearby mobile phones. This trick is possible because in the GSM standard a mobile phone must authenticate itself at the network's request, but the network (base station) does not have to prove its authenticity to the phone.

Once the mobile phone accepts the IMSI catcher as its base station, the relaying device can switch off the subscriber's encryption and work with a clear signal, passing it on to the real base station.
Using IMSI catchers, false calls or SMS can be sent to a phone, for example with information about a new service from a bogus operator, which may contain an activation code for the mobile device's microphone. It is very hard to tell that a phone in standby mode has its microphone switched on, and an attacker can easily hear and record not only conversations on the phone but also conversations in the room where the phone lies.
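The two unmasking signs described above and in the EAGLE Security paragraph earlier (a cell that switches ciphering off, and a cell identity that "moves" around the city) turned into detection logic over constructed observations, as an added example. It is not code from any of the apps listed, the observation format is an assumption, the network code 001/01 is a test network, and the coordinates are made up.

```python
"""Heuristics for spotting a false base station from serving-cell observations.

Added example, not code from EAGLE Security, AIMSICD or CatcherCatcher. The
observation records are constructed and the record format is an assumption.
"""
import math


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(observations, max_cell_drift_km=2.0):
    """Return (time, cell, reason) alerts.

    Rule 1: serving cell reports no ciphering (A5/0); a catcher relaying to the
            real network typically forces this so it can read the traffic.
    Rule 2: the same cell identity is later seen far from where it was first
            observed; a real base station does not move.
    """
    alerts = []
    first_seen = {}
    for o in observations:
        cell = (o["mcc"], o["mnc"], o["lac"], o["cid"])
        if o["cipher"] == "A5/0":
            alerts.append((o["t"], cell, "ciphering disabled (A5/0)"))
        if cell in first_seen:
            lat, lon = first_seen[cell]
            d = haversine_km(lat, lon, o["lat"], o["lon"])
            if d > max_cell_drift_km:
                alerts.append((o["t"], cell, f"cell seen {d:.1f} km from first sighting"))
        else:
            first_seen[cell] = (o["lat"], o["lon"])
    return alerts


# Constructed observations: a genuine cell seen twice nearby, then a cell that
# switches ciphering off and later shows up several kilometres away.
SAMPLE_OBSERVATIONS = [
    {"t": "10:00", "mcc": 1, "mnc": 1, "lac": 7001, "cid": 12345,
     "lat": 43.1155, "lon": 131.8855, "cipher": "A5/1"},
    {"t": "10:05", "mcc": 1, "mnc": 1, "lac": 7001, "cid": 12345,
     "lat": 43.1170, "lon": 131.8870, "cipher": "A5/1"},
    {"t": "10:10", "mcc": 1, "mnc": 1, "lac": 7001, "cid": 65000,
     "lat": 43.1170, "lon": 131.8870, "cipher": "A5/0"},
    {"t": "10:40", "mcc": 1, "mnc": 1, "lac": 7001, "cid": 65000,
     "lat": 43.1600, "lon": 131.9200, "cipher": "A5/0"},
]

if __name__ == "__main__":
    for t, cell, reason in analyze(SAMPLE_OBSERVATIONS):
        print(t, cell, reason)
```

Both rules only give the "indirect evidence" the article speaks of: an operator may legitimately run A5/0 in some places, and cell identities do get reassigned, so a practical detector combines these signals with the neighbour-list and signature checks the apps above describe rather than alerting on one hit.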

Identity falsification

In recent years, the use of a mobile phone as proof of personal identification has become increasingly popular. For example, a way to recover a lost Google account password is to send an SMS confirming the code to the phone owner. Some banks use similar two-step authentication, sending codes to special mobile numbers to confirm a customer's identity before making a transaction. Mobile versions of Trojans have been discovered that can intercept SMS messages with passwords sent by banks and destroy two-step authentication.

If there is a mobile phone near you (within 10 meters), act as if you are live on channel one.

So, are we going to make an open source DIY phone with strong software and hardware cryptography?

  • Open Source
  • mechanical control of receivers-transmitters
  • built-in light and sound indicator of receiver-transmitter activity
  • strong cryptography (hardware and software)
  • base station selection control
  • acoustic steganography, masking the fact of encryption
  • monitoring the integrity of the phone case
  • checking for leaks via third-party channels
What else should I add?


In recent years, we have witnessed many scandals related to wiretapping and illegal collection of personal information by intelligence services. Even the sensational story of Edward Snowden is only a small part of the mosaic that shows large-scale government interference in private life. Tracking phone calls, monitoring online correspondence, intercepting SMS, searching for a phone via satellite, hacking social networks and other actions are actively used against citizens.

And it’s not so important that all this is covered up with noble motives “for your own safety.” The truth is that information obtained illegally can be used in any way in the future.

Unfortunately, government surveillance is the lesser evil of other security threats associated with personal information. There are also various kinds of hackers, terrorists, scammers and other criminals. As well as business competitors, unscrupulous partners or simply ill-wishers who can use programs to record calls and other tracking tools against us.

All of the above raises the question: “How to preserve important confidential information?” One answer could be . By ensuring reliable and secure communication, you can minimize the risk of illegal intrusion into your life.

Why is it worth buying a wiretapping-protected phone?

In the modern world, we use various means of communication every day to transmit information. However, only a few users know that more than 80% of all devices are protected using software that is relatively easy to hack. As a result, more and more often people who care about the safety of information are trying to buy a special cryptophone. In Moscow you can find several interesting options for such devices that use reliable encryption mechanisms.

What threats does a mobile phone protected from illegal wiretapping prevent?

It is in order to be guaranteed to avoid these problems that you should buy a crypto phone. The cost of losing important information or falling into the hands of criminals is sometimes too high.

What can a modern crypto phone do?

Currently, you can buy a cryptophone in Moscow at a price comparable to that of a good mobile phone. Some secure phones offer the same functionality as a regular mobile phone; the only difference is that the device encrypts all data with special keys, making it inaccessible to wiretapping, and that communication is often carried out not over GSM but over the Internet (VoIP telephony).

The second option is to purchase a communication device from which you can only call a similar phone. Buying a similar cryptophone in Moscow is also not difficult; some models can be found on the Internet. Of course, here the user already receives a phone with limited functionality, but with a high degree of protection against eavesdropping. There are models capable of generating one-time encryption keys, which are immediately deleted from the phone after a conversation.

The third option is a cryptophone scrambler. Or, more simply, a regular phone with a scrambler installed that encrypts conversations. Here, too, as a rule, a secure line is created only for communication with a subscriber who has a scrambler with a similar encryption mechanism. That is, the telephone has limited functionality.

Anti-tapping protection for iPhone

To wiretap an iPhone, special spyware is usually secretly installed on the mobile phone. Such a program works secretly, without revealing itself in any way. At the same time, the application can transmit “outside” a huge amount of information: incoming and outgoing calls, SMS correspondence, the subscriber’s current location, etc. Moreover, through the microphone in the phone, which is used as a “bug,” it is possible to listen to the surrounding space.

How to protect yourself from such a situation? If you are hesitant to buy a cryptophone (you’re not happy with the price or something else), then you can try to protect the iPhone itself as much as possible. For this, both software and hardware protection of your iPhone from wiretapping can be used.

Software protection

Here we are talking about special anti-spyware applications that prevent unauthorized interception of your information. This “anti-wiretapping” device is installed on the iPhone and monitors the operation of the phone. It can not only detect spyware, but also prevent them from carrying out their activities.

Hardware protection

These are special devices - “bug detectors”, which record hidden Internet connections, characteristic of “spyware”. Such detectors help detect the very fact of wiretapping. To counter espionage activity, “anti-wiretapping” devices are used. These are devices that not only detect unauthorized phone activity, but also automatically mute the microphone.

Recently, the question of how to check a phone for wiretapping has become increasingly relevant. Indeed, in the world of progressive technologies, along with the active use of computer equipment, telephones, radio and the Internet, various spy applications and programs are created that can damage office equipment and communication devices. Today it is not difficult to independently check whether the phone is wiretapped. How to do this is described in the article. This does not require any special skills or assistance from specialists.

Distinctive features of wiretapping

Cell phone wiretapping itself has its own characteristics, by which it can be easily distinguished. It's quite easy to access another person's phone. And if you suspect that your own device is being tapped, then it is better not to hesitate and send it for diagnostics.

Detectives and other specialists know exactly how to check a phone for wiretapping, but since you can do it yourself, it makes no sense to spend money on the services of other people. Of course, such diagnostics cannot guarantee a 100% result, but the presence of an extraneous network will certainly be detected.

Signs of attachment to a listening device

Not every person knows how to check a phone for wiretapping, but you definitely need to remember the main signs of attachment to a listening device. These include the following factors:

  1. The battery drains quickly. This symptom cannot always be called an accurate indicator, since in most cases it is present in devices on which many applications and games are installed. It’s a completely different matter when the phone is not in the hands of its owner all the time and there are no programs running on it. If, in a calm state, a mobile device is discharged in just an hour or two, then this is the first signal that there is wiretapping on it.
  2. The device automatically turns off, reboots or turns on the backlight. If all of the problems listed are not related to disruptions in the operation of the system, then there is a high probability that interference is being created on the side. When the phone is still tapped, nothing new or unnecessary is displayed on the screen, but periodic glitches may occur during operation.
  3. During a conversation, extraneous sounds are constantly heard. The presence of other connected networks prevents the subscriber from calling another number, since this takes many times longer than without wiretapping. In addition, as soon as a special listening program is connected to a telephone conversation, minor interference and a very noticeable echo of both voices are observed. Sometimes there are situations when one subscriber hears only himself, but not his interlocutor.
  4. Cell phones interfere with radio, TV, and stereo systems. Even when turned off, the phone may make noise when approaching any other devices.
  5. Literally half an hour after topping up the account, a significant amount of money is written off for no reason. If such a problem is detected, you should immediately call the operator to clarify the circumstances. If the operator is not at fault, then it can be assumed that, along with the funds, all the information the listening program needed about calls and messages was sent to it.

If you suspect that eavesdropping systems are operating, it is recommended to contact law enforcement agencies. Since modern devices operate on new principles, only special equipment can analyze them properly.

It is necessary to remember that wiretapping can be installed on any phone, regardless of its cost or year of manufacture. Of course, the very first models are only susceptible to this after bugs are installed, not via a network or the Internet, since they have no operating systems, but even these cases are a reason for concern and for contacting the authorities.

More details on how to check a phone for wiretapping in Russia are given below. This information will make many people think about the state of their device. Everyone should check their phone: it certainly won’t make things worse, and it doesn’t hurt to make sure there is no wiretapping.

Number combinations

The presence of wiretapping on a mobile phone can be checked freely by dialing certain combinations of numbers. Few of them are widely known, but each one works. The best combinations are:

  1. *#43#. This number allows you to see call waiting information.
  2. *777# (for Ukrainian subscribers). The combination shows the current balance and operator menu.
  3. *#06#. The code automatically displays a window where the IMEI data is displayed.
  4. *#21#. This code helps you check your phone for wiretapping in just 5 seconds. It allows the user to find out who, besides himself, receives notifications about calls and SMS to this number.
  5. *#33#. In this case, data is displayed about the services that support the mobile device and the devices from which they originate.
  6. *#62#. The combination shows the number to which calls and data are forwarded, if available.
  7. ##002#. This code is used to disable call forwarding and configure calls to be accepted only by the owner of the phone.
  8. *#30#. This set of numbers provides information to clearly identify the numbers from which incoming calls are made.

All these combinations make it possible to provide your phone with reliable protection from connecting to unknown networks that cause harm. In fact, there is nothing difficult about checking your phone for wiretapping. The combination of numbers is available to all subscribers. But you should keep in mind that not even all operators know about it, so you shouldn’t check your device too many times.

Hidden codes for iPhone

Owners of devices from Steve Jobs probably guessed that they had hidden functions, or rather codes. Thanks to them, you can view a lot of information: from signal strength to the forwarding status itself.

The phone allows you to:

  • hide your own phone number (#31#);
  • find out the signal strength (*3001#12345#*);
  • familiarize yourself with the unique code (*#06#);
  • determine the point where messages arrive (*#5005*7672#);
  • bar calls and use call waiting.

Hide number

Along with knowing how to check your phone for wiretapping, you should also know how to hide your number. To do this, just dial the combination given above and then call other people's numbers as an unknown subscriber.

Find out the signal strength and unique code

Bars and dashes are the usual representation of signal strength, but they lack precision. After enabling field test mode by dialing the number indicated above, hold down the power button. When the screen goes dark, press the center button and wait until the home screen appears. The number in the upper left corner indicates the signal strength.

To determine the phone code, just dial *#06#. The settings will immediately appear there, where the required item will be present.

Where do messages go?

Each SMS message, before reaching the subscriber, passes through a special center using an identification number. You can recognize it using the combination *#5005*7672# and the call button.

Call barring and call waiting

This mode makes it possible to block both incoming and outgoing calls. "Waiting" allows you to hold an ongoing or incoming call. You can perform interesting manipulations with the following combinations:

  • *33*PIN# - enable call barring;
  • #33*PIN# - disable the previous barring;
  • *#43# - check call waiting status;
  • *43# - turn on call waiting;
  • #43# - turn off call waiting;
  • *#21# - check forwarding status.
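The combinations listed in this section and in “Number combinations” above are not magic numbers: they are supplementary-service MMI strings whose grammar is fixed by the GSM standard (3GPP TS 22.030), so a handset decodes them the same way everywhere. The decoder below is an added example written for this page, not code from the original article; the service-code table and prefix meanings are the standard's values, while *777# and *3001#12345#* are shown to be operator- or handset-specific strings rather than standard codes. It also returns the four interrogation strings a subscriber would dial to audit every forwarding rule set on their line.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Supplementary-service codes and procedure prefixes as defined in 3GPP TS 22.030
# (standard values, not taken from the article). Only the services relevant to the
# "who else receives my calls" question are listed; the table is easy to extend.
SERVICE_CODES = {
    "21": "call forwarding unconditional",
    "61": "call forwarding on no reply",
    "62": "call forwarding on not reachable",
    "67": "call forwarding on busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
    "30": "calling line identification presentation (CLIP)",
    "31": "calling line identification restriction (CLIR)",
    "43": "call waiting",
    "33": "barring of all outgoing calls",
    "331": "barring of outgoing international calls",
    "35": "barring of all incoming calls",
    "330": "all barring services",
}

PROCEDURES = {
    "**": "registration",   # store new data (e.g. a forward-to number) and activate
    "*#": "interrogation",  # ask the network for the current state
    "##": "erasure",        # delete stored data and deactivate
    "*": "activation",
    "#": "deactivation",
}

# <prefix><2-3 digit service code>[*<supplementary info>...]#
MMI_RE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")


@dataclass
class MmiCode:
    raw: str
    kind: str                       # "supplementary-service", "imei", "ussd", "vendor-specific"
    procedure: Optional[str] = None
    service: Optional[str] = None
    parameters: Tuple[str, ...] = ()

    def describe(self) -> str:
        if self.kind == "imei":
            return "display IMEI"
        if self.kind == "ussd":
            return "operator-defined USSD string (meaning depends on the network)"
        if self.kind == "vendor-specific":
            return "not a standard supplementary-service string (handset- or operator-specific)"
        text = f"{self.procedure} of {self.service}"
        if self.parameters:
            text += " with parameter(s) " + ", ".join(self.parameters)
        return text


def decode_mmi(code: str) -> MmiCode:
    """Classify a dialled *...# string the way a GSM handset does before sending it."""
    code = code.replace(" ", "")
    if code == "*#06#":                      # IMEI display is a local handset function
        return MmiCode(code, "imei")
    match = MMI_RE.match(code)
    if not match:
        return MmiCode(code, "vendor-specific")
    prefix, service_code, raw_si = match.groups()
    params = tuple(raw_si.split("*")[1:]) if raw_si else ()
    if service_code not in SERVICE_CODES:
        # Well-formed but unknown code: the handset forwards it to the network as USSD
        return MmiCode(code, "ussd")
    return MmiCode(code, "supplementary-service",
                   PROCEDURES[prefix], SERVICE_CODES[service_code], params)


def forwarding_audit_codes() -> Tuple[str, ...]:
    """Interrogation strings that reveal every forwarding rule set on a subscription."""
    return tuple(f"*#{sc}#" for sc in ("21", "61", "62", "67"))


if __name__ == "__main__":
    for dialled in ("*#21#", "##002#", "*#62#", "*#43#", "*43#", "#43#",
                    "*33*1234#", "#33*1234#", "*#30#", "*#06#", "*777#", "*3001#12345#*"):
        print(f"{dialled:16} -> {decode_mmi(dialled).describe()}")
```

Reading the output makes the point of the section precise: *#21# asks the network whether unconditional forwarding is active and where it points, ##002# erases every forwarding rule at once, and the barring codes carry the network password as a parameter. Checking all four forwarding interrogations, not only *#21#, is what actually tells you whether calls are being diverted under some condition.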

A few tips from experts who have encountered similar problems more than once will help eliminate the possibility of your mobile device being tapped:

  • Do not transmit confidential information over the phone;
  • For business negotiations, a cell phone is not the best way;
  • a conversation carried out in a car on the move is much more difficult to listen to due to noise and frequency changes;
  • There is no need to take risks and trust your phone repair to an unfamiliar company with dubious customer reviews.

Knowing how to check your phone for wiretapping, you don’t have to fear for the integrity and safety of the device, as well as for yourself. Now it is clear that this is not so difficult to do, so you should not immediately turn to specialists who will carry out diagnostics for a long time. The help of specialists will be required only if the wiretapping is serious and it cannot be removed using simple combinations.

Is it possible to eavesdrop on you through a switched off phone?

In addition to the legend about calculating the location of a phone using the triangulation method, there is another popular “horror story” periodically mentioned in the media.

It sounds like this: “Special services or criminal elements can secretly turn on the microphone in your phone and eavesdrop on the conversations you have while next to the phone.”

As with triangulation, carefully mixing fact and fiction can produce a fairly plausible-looking fiction.

Let's try to figure out how realistic such listening is.

The main tenets of the legend of eavesdropping

  • Any mobile phone is equipped from the factory with the ability to record and listen to conversations, even when the phone is turned off. This is not about equipping one specific phone with eavesdropping tools to spy on one specific person - all GSM phones have this capability.
  • Eavesdropping can be activated at any time by intelligence agencies or attackers with sufficient resources. Listening happens remotely, without the use of additional equipment or human resources.
  • The phone user cannot independently detect the fact of eavesdropping - it happens secretly.
  • This capability is secret. Any descriptions, documentation, etc. are accessible only to the special services and those close to them.

Let's start from the end - with secrecy.

Who came up with this and who has access to it?

The texts of the legislative acts regulating the wiretapping of telephone conversations during operational-search activities, and the technical means necessary for this, are available to anyone in most countries. It is not difficult to find on the Internet a description of the requirements for the operational-search support systems (SORM) used in Russia, or of the lawful interception systems used in the UK or the USA. Having read them, you can see that they are talking about listening to the telephone conversations of specific subscribers (phone numbers), carried out at the central switching nodes of the network. There is no talk of any “remote microphone activation”.

Could it be that documents that speak of such a possibility exist, but are classified?

Since listening tools are built into any GSM phone, then there must be some specifications, which describe the parts and principles of their operation. Since intelligence agencies can use these capabilities, mobile operators have support for these functions in their equipment. In order for all this to be reliably classified, the following must be involved in the case:

  1. The GSM Consortium, which has developed specifications for these listening tools, but keeps them secret (despite the fact that all other GSM specifications are available to anyone on the website http://www.3gpp.org). The specifications must describe, at a minimum, how to activate and deactivate phone tapping - what commands are sent to the SIM card or phone, how they interact with each other, and how all elements of the operator's network (switches, base station controllers, base stations, etc.) participate in the transmission and processing of these commands.
  2. Manufacturers of GSM modules who do not produce phones themselves. They must have access to the secret specifications of the GSM Consortium and implement them in their products. That part of the documentation that describes the wiretapping system must be kept securely secret and transferred only to those clients who are also participating in the conspiracy of silence.
  3. Manufacturers of equipment for building mobile networks (switches, base stations, etc.). They must also have access to the secret specifications of the GSM Consortium. Accurate implementation of classified specifications is especially important because mobile operators like to build their networks from equipment from different manufacturers - it is necessary that the different components of the eavesdropping system integrate well with each other, even if the system is made by different suppliers.
  4. Integrator companies building mobile networks. They must be able to organize the operation of all subsystems of the mobile operator, including listening. To do this, their employees must attend secret courses organized by equipment manufacturers.
  5. Mobile operators. They must provide access to the wiretapping system to the intelligence services of their country and ensure that the intelligence services of other countries do not gain access to them. But operators must also cooperate with each other to ensure that the listening system works even when the subscriber is roaming.
  6. Mobile phone manufacturers. It is their responsibility to ensure the secrecy of eavesdropping - so that the phone supports all secret functions, but the subscriber cannot guess about their activation. Their warranty repair services must know that phones have the corresponding secret modules, be able to diagnose and repair them.
  7. Intelligence services. They must be aware of how to work with operators.

This list could be continued further (adding SIM card manufacturers, etc.), but even in its current form it looks quite fantastic. After all, the secrecy of the specification implies that everyone who knows is silent, and no one else knows. At the same time, the current situation in the GSM equipment market is characterized by quite fierce competition, and there would definitely be manufacturers producing phones without a listening function. Extra microcircuits on phone boards and “bookmarks” in firmware would be found by enthusiasts whose bread is “unlocking” mobile phones. There would be specialists who would disable the ability to listen to your device for money. But nothing like this is observed in real life.

For comparison, the standard lawful interception functions:

  1. Openly documented.
  2. Their support is implemented at exactly one point in the network - on switches. Manufacturers have available documentation on the operation and administration of this functionality; the name, schedule and program of relevant training courses, etc. can be freely accessed.
  3. They do not require any special support from manufacturers of phones, SIM cards, GSM modules, etc.
  4. They do an excellent job of listening to telephone conversations of a specific subscriber, complementing other possible covert surveillance mechanisms.

Let us assume that such a global “conspiracy of silence” does exist. How does the secret listening system work? How can one implement such listening and transmit what was listened to “where it’s needed”?

Since listening occurs secretly, we can assume, for example, that the phone has alternative systems for encoding and storing information that is transmitted over a radio channel to some special antennas using a radio wave modulation system that is not similar to GSM. This assumption does not stand up to criticism: firstly, the GSM modules of modern phones are similar to each other, the microcircuits used and their functions are well known and described. If such eavesdropping capabilities are built into any phone, this means that neither enthusiasts who disassemble phones for repairs and upgrades, nor third-party repair shops have noticed anything suspicious in their design. But hiding another module in the phone, similar in functionality to a GSM transceiver, and even with its own separate antenna, is completely impossible. “Extra” details will be visible to any specialist. In the end, there is simply no place for this in a modern phone.

Secondly, transmitting what you listen to through alternative channels implies building a global network of receivers, the scale of which any mobile operator would envy, not to mention the fact that the question of financing such a project and dividing access to it between the intelligence services of different countries remains open.

However, supporters of the presence of undocumented capabilities do not go that far in their statements. Typically they say that after “activating the microphone” the phone makes a call to a certain number without the owner’s knowledge, after which everyone “on the other side” listens carefully and writes down.

The "hidden call" hypothesis

Can a phone make a call (using standard GSM network functions) to a certain number without the owner’s knowledge, and secretly? A number of uncomfortable questions immediately arise:

  1. Why is the fact that there is an active call not visible in the phone interface?
  2. How long will your phone battery last with constant listening?
  3. What to do with the characteristic interference on the speakers of surrounding radio equipment that arises during a conversation?
  4. Why is the call used for listening not visible in the detailed printout of the subscriber's calls? Who pays for it?

Point 1 is usually explained either by the participation of mobile phone manufacturers in a global conspiracy, or they write that intelligence services or a mobile operator remotely implement software into the phone that will hide suspicious activity from the user. Fortunately, there is currently no way to push active content to a phone that will run on any GSM phone.

There is no good counterargument to point 2, so in articles about miracle listening it is usually passed over in silence. After all, in modern phones the batteries last for about four to five hours of continuous conversation maximum - this is clearly not enough to organize constant listening.

Point number 3 is also usually passed over in silence. Obviously, for covert eavesdropping, the presence of such a “side effect” is completely unacceptable.

Point number 4 assumes that the intelligence services are in collusion with mobile operators. As part of this agreement:

  1. The operator has nothing against the fact that his voice channels are used for wiretapping, and he doesn’t receive a single cent for hours of calls (we don’t consider the “secret services pay for the wiretapped” option as completely fantastic).
  2. The operator excludes calls to intelligence service numbers from the detailed call printout and from all internal databases.
  3. If the person being tapped is in the coverage area of another network (or in roaming), the operator additionally bears the costs associated with international roaming.
  4. This conspiracy is valid at least for all operators in the country where the intelligence services in question operate.

Technically all this is feasible. However, what should be the motivation of the operators for them to agree to such a conspiracy, and a secret conspiracy at that?

The collusion involves significant financial losses on the part of the operators, so the incentive for cooperation must be quite significant. Obviously, we are not talking about the fact that operators were obliged to participate in the conspiracy by law or through blackmail - history shows that any attempts at extra-market pressure on operators by government structures immediately result in a wave of publications in the media. There is only one option left - the intelligence services paid the operators for work on modifying billing and the costs associated with wiretapping. You can, without a doubt, evaluate the realism of such a scenario for yourself.

So what do we have? Thanks to the global conspiracy of the main players in the mobile communications market, a secret method was invented and implemented to remotely activate the microphone of a mobile phone to carry out covert surveillance of the subscriber. Recorded conversations are transmitted “wherever they need to be” using standard GSM network tools. The intelligence services of a particular country are using this secret capability, and they are not stopped by the fact that their potential opponents have developed it. The intelligence services agree with all local mobile operators to conceal the fact of calls to a secret number belonging to the intelligence services. Now, at the risk of being noticed every second by the rapid discharge of the battery and interference from nearby radio equipment, intelligence services have the opportunity to listen to you for about 4-5 hours if you played into their hands and pre-charged the phone.

Think about whether the game is worth the candle for the intelligence services, given that there are many less global, less expensive and more effective ways to listen to a specific person.

Conclusions

Talk about the hidden ability to remotely activate the microphone of any phone is nothing more than talk. On the other hand, there is a standard documented technical ability to listen to and record telephone conversations of a specific, previously known subscriber.

Many of the methods below are legal. But not all.

As a rule, if you are not doing anything illegal or are not under suspicion, then you will not be wiretapped. But this does not eliminate the chance of wiretapping by business competitors, criminals and other ill-wishers.

Just know all this information and sleep well.

SORM

The system of operational-search activities is official, state, total wiretapping. In the Russian Federation, all telecom operators are required to install SORM on their PBXs and provide law enforcement agencies with access to user conversations and correspondence.

If the operator does not have SORM, he will not be issued a license. If he disables SORM, the license will be revoked. By the way, not only in neighboring Kazakhstan and Ukraine, but also in the USA, Great Britain and many other countries, the same system operates.

The installation of SORM is determined by the Law “On Communications”, order of the Ministry of Communications No. 2339 dated August 9, 2000, order of the Ministry of Information Technologies and Communications of the Russian Federation dated January 16, 2008 N 6 “On approval of the Requirements for telecommunication networks for carrying out operational investigative activities”, and as well as a dozen other regulatory documents.

SORM includes:

  • Hardware and software that is installed by the telecom operator;
  • Remote control center, which is located at law enforcement agencies;
  • Data transmission channels, the operation of which is provided by the provider to establish communication with a remote control point.

SORM is usually divided into three generations:


Operators in the Russian Federation predominantly use SORM 2. But in practice, for 70% of companies, the system either does not work at all or works with violations.

First of all, SORM is expensive to install (and the operator must do this at his own expense according to an individual plan approved by the local FSB department). For most operators, it is easier to pay about 30 thousand rubles in fines in accordance with Part 3 of Article 14.1 of the Code of Administrative Offenses of the Russian Federation.

In addition, the operator’s SORM may conflict with FSB complexes. And because of this, it is technically impossible to record user traffic.

Operators do not control how intelligence agencies use SORM. Accordingly, they cannot prohibit listening to your specific number.

However, intelligence services formally need a court decision to wiretap. In 2016, courts of general jurisdiction issued 893.1 thousand such permits to law enforcement agencies. In 2017, their number decreased, but only slightly.

However, it doesn’t cost law enforcement officials anything to include someone’s number in a wiretapping kit as potentially suspicious. And refer to operational necessity.

In addition, the security level of SORM is often low. So there remains the possibility of unauthorized connection - unnoticed by the operator, subscriber and intelligence services.

The operators themselves can also view the history of calls, messages, and smartphone movements across base stations.

Signaling network SS7

SS7, OKS-7, or signaling system No. 7 is a set of signaling protocols that are used to configure PSTN and PLMN telephone exchanges around the world. Protocols use digital and analog channels to transmit control information.

Vulnerabilities in SS7 are found regularly. This allows hackers to connect to the operator's network and listen to your phone. Generally speaking, there were practically no security systems built into SS7 - it was initially believed that it was protected by default.

Typically, hackers infiltrate the SS7 network and send a Send Routing Info For SM (SRI4SM) service message through its channels, specifying the target's phone number as a message parameter. In response, the subscriber's home network returns the IMSI (International Mobile Subscriber Identity) and the address of the MSC switch that is currently serving the subscriber.

After this, the hacker sends another message - Insert Subscriber Data (ISD). This allows him to infiltrate the database and upload his address there instead of the subscriber's billing address.

When a subscriber makes a call, the switch accesses the hacker's address. As a result, a conference call is carried out with the participation of a third party (the attacker), who can listen and record everything.

You can connect to SS7 from anywhere. So a Russian number may well be attacked from India, China, or even from distant Africa. By the way, SS7 also allows USSD requests to be used to intercept SMS or transfer balance.

In general, SS7 is the “mother of all holes” and the most vulnerable point of a mobile system. It is now used not only for wiretapping, but also to bypass two-factor authentication. In other words, to access your bank accounts and other protected profiles.
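From the defending operator's side, the two-step sequence described above (a routing-info request that learns the IMSI and serving MSC, followed by an InsertSubscriberData that rewrites the profile) is exactly what an SS7 interconnect firewall screens for. The rules below are an added illustration written for this page, not code from the article or any vendor product: they flag SRI4SM from origins that are neither home nor known partners, any ISD arriving from outside the home network, the correlation of the two from one origin, and an ISD whose CAMEL (gsmSCF) address points at a foreign node. All global titles, prefixes and IMSIs are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumptions about the home network being defended. Real deployments
# derive these from the operator's own numbering plan and roaming agreements.
HOME_GT_PREFIXES = ("7916",)                    # hypothetical home-network global titles
TRUSTED_FOREIGN_GT_PREFIXES = ("4917", "4477")  # hypothetical roaming / SMS partners


@dataclass
class MapMessage:
    """One MAP operation as an interconnect firewall might log it."""
    seq: int
    opcode: str                           # "SRI4SM", "ISD", "UL", ...
    origin_gt: str                        # SCCP calling-party global title (E.164 digits)
    msisdn: Optional[str] = None          # subscriber number named in the request
    imsi: Optional[str] = None            # subscriber identity named in the request
    gsmscf_address: Optional[str] = None  # CAMEL service (charging/call-control) address in ISD


Alert = Tuple[str, int, str]              # (rule, message seq, human-readable reason)


def is_home_gt(gt: str) -> bool:
    return gt.startswith(HOME_GT_PREFIXES)


def is_trusted_gt(gt: str) -> bool:
    return is_home_gt(gt) or gt.startswith(TRUSTED_FOREIGN_GT_PREFIXES)


def screen(messages: List[MapMessage]) -> List[Alert]:
    """Apply interconnect screening rules and return every alert in message order."""
    alerts: List[Alert] = []
    probing_gts = set()   # foreign nodes that asked for routing info on our subscribers
    for m in messages:
        if m.opcode == "SRI4SM":
            # Foreign SMSCs legitimately send SRI4SM, so only an origin that is neither
            # ours nor a known partner is worth flagging; remember it for correlation.
            if not is_trusted_gt(m.origin_gt):
                probing_gts.add(m.origin_gt)
                alerts.append(("SRI4SM_UNKNOWN_ORIGIN", m.seq,
                               f"routing info for {m.msisdn} requested by unknown GT {m.origin_gt}"))
        elif m.opcode == "ISD":
            # ISD is sent by the subscriber's own HLR to the serving VLR. From any
            # other origin it is an attempt to rewrite the subscriber profile.
            if not is_home_gt(m.origin_gt):
                alerts.append(("ISD_FROM_FOREIGN_GT", m.seq,
                               f"InsertSubscriberData for IMSI {m.imsi} from {m.origin_gt}"))
                if m.origin_gt in probing_gts:
                    alerts.append(("PROBE_THEN_INJECT", m.seq,
                                   f"{m.origin_gt} probed with SRI4SM and then sent ISD"))
            # The redirect described in the article: a CAMEL address outside the home
            # network would route call handling through a third party.
            if m.gsmscf_address and not is_home_gt(m.gsmscf_address):
                alerts.append(("GSMSCF_REDIRECT", m.seq,
                               f"ISD points gsmSCF at foreign node {m.gsmscf_address}"))
    return alerts


# Constructed sample traffic: two legitimate operations followed by the two-step
# sequence described above; every identifier is invented for this illustration.
SAMPLE_TRAFFIC = [
    MapMessage(1, "SRI4SM", "491700000001", msisdn="79161234567"),      # partner SMSC
    MapMessage(2, "ISD", "79160000001", imsi="250011234567890",
               gsmscf_address="79160000002"),                             # own HLR
    MapMessage(3, "SRI4SM", "919800000003", msisdn="79161234567"),      # unknown probe
    MapMessage(4, "ISD", "919800000003", imsi="250011234567890",
               gsmscf_address="919800000003"),                            # profile injection
]


def demo() -> List[Alert]:
    return screen(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for rule, seq, reason in demo():
        print(f"#{seq} {rule}: {reason}")
```

The design choice worth noting is the asymmetry between the two operations: SRI4SM has legitimate foreign senders, so it is only logged and remembered, whereas ISD has none, so it is blocked outright; the correlation rule then ties the reconnaissance to the injection even when the first message on its own looked like ordinary SMS interworking.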

Trojan applications

This is exactly the simplest and most common method. Installing an application while your significant other is in the shower, or using social engineering methods to force you to follow a link, is much easier than negotiating with the authorities and the FSB.

Applications allow you not only to record cell phone conversations or read SMS. They can activate the microphone and camera to secretly listen and film everything that happens around them.

The most popular Trojan of this kind is FinFisher. In 2008-2011, it was installed on the iPhone through a hole in iTunes, which Apple for some reason did not close. Brian Krebs wrote about the vulnerability back in 2008, but everyone pretended it didn't exist.

In 2011, the Egyptian government used FinFisher during the Arab Spring. Moreover, it purchased the official version for 287 thousand euros. Shortly after this, WikiLeaks showed on video how FinFisher, FinSpy and other Gamma Group developments collect user data. And only after that Apple was forced to close the hole.

How can you be persuaded to install a spy for wiretapping? This could be an update of a popular game from a “left” catalog, an application with discounts, or a fake system update.

By the way, law enforcement agencies also use spy applications – for example, when they cannot go the official route and obtain court permission. Trojans for 0day vulnerabilities in Android and iOS are a multimillion-dollar market, products on it are in demand in many countries around the world.

Remote wiretapping

There are three options here - a mobile complex, a femtocell or a fake base station. All of them are not cheap, so the average user will not be tapped in this way. But we’ll still tell you how it works.

The mobile complex is installed at a distance of up to 300-500 m from the smartphone being monitored. A directional antenna intercepts all signals, the computer stores them and decrypts them using rainbow tables or other technologies. When the wiretapping is completed, the complex simply leaves.

The fake base station (IMSI interceptor) has a stronger signal than the real one. The smartphone sees that such a station will provide the best quality of communication, and automatically connects to it. The station intercepts all data. The size of the station is slightly larger than a laptop. It costs from $600 (handicraft) to $1500-2000 (industrial options).

By the way, fake stations are often used to send spam. In China, craftsmen assemble such devices and sell them to companies that want to attract buyers. Often, fake base stations are used in combat areas to misinform the military or the population.

Femtocell is a smaller device. It is not as powerful as a full-fledged communication station, but it performs the same functions. Femtocells are usually installed by companies to listen to the traffic of their employees and partners. The data is intercepted before it is sent to the base stations of cellular operators. But the same femtocell can be installed for spot wiretapping.