# Tapping phones or how to avoid it



## Boneman (Oct 4, 2015)

So here's my problem: I want my heroine to be able to talk by phone to one other person without being tapped. If she buys two pay-as-you-go mobiles in America, they'll only work by a shared network here, right? Could she do it by the signal bouncing to the USA and back here, so nobody can trace it? Is there a way to do it relatively easily? Throwing away a sim card every time she made a call? All suggestions received gratefully.


----------



## Ray McCarthy (Oct 4, 2015)

It's trivial to to tap a phone call on Mobile. There are three methods:
1) A fake mobile Base station does a "man in the middle attack". Favourite by spies and governments, and been done without warrant.
2) A SDR setup and computer. Anyone can do it. If the operator is running 3G AND the best encryption, it might be harder. GSM and CDMA is trivial, as CDMA has no sensible encryption and GSM operators are still using compromised encryption (they can in theory deploy better).

Both these need radio range to EITHER phone.

3) A network attack. This can be covert in the operators central premises, a "back door" in the operators equipment or with secret cooperation from the operator.

Solution?
Use a server with VPN server on the Internet. Both people connect to it in Internet data mode (GSM, 3G or 4G works!). The VPN uses an app on the phone to provide encryption. If done properly even NSA or GCHQ can't decode the data (they can though record it and know how long the connection lasted, which masts both phones used, and what location they connected to on Internet via 1, 2, 3 or even regular suspicion and court order after the fact.).
You then use a low bit rate voice codec over the VPN (specialised VOIP app), or text or both.

I've done this on a laptop from central Europe to my server at home, with VPN cloaked as a website (we did that because the lads in college here found only Web ports open), a smart phone is just the same, the apps are available.


Boneman said:


> If she buys two pay-as-you-go mobiles in America, they'll only work by a shared network here, right?


1) Many PAYG US phones will only work in Europe if Triband or quad band, as USA uses different bands. USA CDMA phones don't even have a sim and only work on one operator and only in USA.
2) Two US phones that DO work in Europe, that have USA sims, will not actually route the call via USA. Only the meta data will go to home USA operator, the actual call will be routed locally via the Roaming partners. If there is no roaming partner, then you can't call anywhere on your USA phone, even if compatible.
3) You pay extra for a phone not sim locked. There is no advantage on a foreign phone with local anonymous SIMS. Eventually anonymous SIMs will be illegal, you can't get them in Spain and some other countries now.

If you have anonymous sims the unique phone IMEI is still logged by operator. GCHQ or NSA might be interested and investigate closer if the same phone is used repeatedly with different anonymous PAYG SIMs! They automatically get all of that.

Let me know if anything needs clarified. I've worked in Telecom related stuff off and on for a long time.

Even Tor users can be tracked, though that helps. But Mobile Phone Internet uses deliberate deep packet inspection and often proxies on the Edge Routers, so it's very trackable.
Fixed real broadband users of Tor, the GCHQ/NSA etc first has to know who your ISP is. They can figure that if they know where you live.

A call box (if you can find one) and they don't know you are using it is more secure, because while it's trivial to tap (for ANYONE), they have to be following you to know which one you are in. A phone is UNIQUE apart from the SIM and that info along with location, signal level, time and duration is logged, so they only ONCE need to connect your phone IMEI with you for SIM swapping to be pointless.

EDIT
I suspect you can tell from IMEI the make, model, when made and where the phone shipped to. If you are a Government. I can't. Well, I've not looked. Maybe someone has posted a database somewhere.

EDIT 2
Some phones you can edit the IMEI! Of course you need one that's registered somewhere. Called phone cloning. Usually the SIM is cloned too.
I don't think that helps. 


In general there is no value in buying anything electronic in USA for use outside USA, either to save money (as it might not be 100% or at all compatible elsewhere, even if made in Turkey / Korea / China) or for covert reasons.


----------



## Ray McCarthy (Oct 4, 2015)

Boneman said:


> Could she do it by the signal bouncing to the USA and back here, so nobody can trace it?


Just to clarify, ALL mobiles unless special Satellite* stuff (Thuraya, Immarsat, Iridum) use very local masts or don't work at all. The phone periodically sends a "I'm here" handshake with the nearest mast it receives that's on it's home network or a roaming partner. So even if you make NO calls, you can be tracked everywhere your phone claims to have connection / signal.  This is so that if someone calls you, only the nearest mast gets the traffic as otherwise every attempt to make a single call to a mobile would over whelm the networks. Many phones still do this when "off", you take out battery  to 100% avoid being tracked. The Phone signals IMEI and SIM ID in this periodic handshake. The base also tells your phone to turn up or down its power, depending on conditions (in the open inverse square law applies.).
The mobile networks are cellular. Which means at least two other masts can receive your phone. Each mast is usually three slightly overlapping 120 sectors,so it's common that even if over 1km from any mast, your location can be pinpointed to better than 100m. This is how the phone's location system works indoors as the GPS receiver usually can't get lock on satellites indoors.

[* Satellite phones MIGHT be secure from eavesdroppers actually in Tunisia when you are in Tunisia, but certainly not from the NSA, GCHQ, Chinese, Russians etc. This suggests that certainly certain satellite phones can't be tapped by certain people, as you'll get arrested for possession. GCHQ and NSA have though been tapping ALL satellite communications including phones since the beginning of Echelon.]


----------



## Boneman (Oct 5, 2015)

Brilliant, thanks Ray. I might have my heroine meet you clandestinely in London and you set it all up for her... You sure you haven't worked for the security services...?


----------



## Ray McCarthy (Oct 5, 2015)

Boneman said:


> You sure you haven't worked for the security services...?


Would you believe the answer?
Of course I haven't. But I have worked in telecoms, ISPs and  also setting up PCs &  Network securing from students*.
Good security is ever so much harder than "tapping".
During WWII the Germans foolishly used their secure encrypted  Morse to send radio weather reports. The British then stationed trawlers in the same coastal areas and then had "cribs" with which to brute force test for various keys as weather report is a standard format. Only a one time pad is secure from a crib based attack. So never use same content or headers in encrypted text, esp. if "Eve" knows you might include it.  Then when they had a key that worked on the weather they knew all the other messages for that day. The computers were used to derive keys from crib and message, then test them on various messages to verify the entire key.
(See Bob, Alice, Eve, Victor, Chuck, Frank etc)

(Listening  to Sea Area WX forecast at 1205 BST R4 LW as I type)

[*One tender, at the presentation, someone objected our proposals were over the top, the students aren't that smart. I pointed out they only needed one smart enough and besides people could look up stuff on the Internet. We got the job. I actually knew one of their students had hacked SMS of a phone operator and downloaded people's texts. He was genuinely baffled as to why I wasn't impressed. I advised him to tell no-one else and to resist the temptation in future.  In an other job the CEO asked me was it possible to steal everyone's banking and credit card details, (we were an ISP), I said that's the easy bit, the hard bit is transferring the money and yourself to somewhere with no extradition that you'd want to live in.]


----------



## Ray McCarthy (Oct 5, 2015)

If you thought I was kidding about taking out the battery, or being alarmist about phone taps ...
http://www.bbc.com/news/uk-34444233


----------



## Ray McCarthy (Oct 15, 2015)

More
http://www.theregister.co.uk/2015/10/15/headphones_make_smartphones_hackable/


----------



## Boneman (Oct 18, 2015)

Ray McCarthy said:


> If you thought I was kidding about taking out the battery, or being alarmist about phone taps ...
> http://www.bbc.com/news/uk-34444233




Bloody hell, you couldn't make it up... actually, when I put it into my book, people will say I'm making it up!


----------



## Ray McCarthy (Oct 18, 2015)

@Boneman
I bet at the start of the thread you thought I was being unduly alarmist 

There is more


----------

