GPS and Cell Signal Not Required For Cell Phone Surveillance

The common wisdom about surveillance is that your phone can only be tracked through its cell signal and through GPS. Relatively few people are aware that the WiFi and Bluetooth capabilities provide additional ways to track phones, and even fewer are aware that it’s possible to use malware to track phones that seem to have been turned off. Even among those who are aware of those possibilities, it’s generally accepted that a faraday bag can protect your phone from being tracked. Turning off the GPS and turning on “Airplane Mode” is supposed to produce similar results – but neither is actually enough to prevent your phone from being tracked (though they can prevent real-time tracking as well as the most common methods of electronic cellphone surveillance).

Every modern smartphone is equipped with three sets of sensors that can’t be disabled and can be accessed by applications without the user needing to grant access: magnetometers, accelerometers and gyroscopes. These sensors can be used to track the cellphone, and of the three only one can be blocked by using a faraday bag. Unfortunately, that one also happens to be the least useful for tracking purposes – the magnetometer. The gyroscope and the accelerometer are more than enough to track the movements of a cellphone that has an active power source through what’s called inertial navigation or inertial tracking.

Here’s how it works:

In short, these sensors allow your phone to track every movement it makes. When this is combined with a known starting or ending location, it’s enough to track your phone.

The magnetometer measures the strength of magnetic fields and the changes in them. This kind of environmental data can be useful for correlating with other information to enhance tracking, but its usefulness in this regard is limited as environmental conditions can change, along with the proximity of nearby sources of ferrous metal and magnetic fields. Measurements taken along the road, for instance, would give inconsistent results based on the amount of traffic and how much wireless traffic was in the area (including Bluetooth, GPS, cell signals, etc). Faraday bags are perfectly capable of preventing these signals from being sent or received, but they’re unable to do anything about accelerometers and gyroscopes.

Gyroscopes measure orientation and are useful for supplementing tracking information, but are ultimately unable to track motion itself. For instance, a gyroscope could tell you when you had turned, or if the aircraft you were piloting wasn’t level, but it would be unable to tell if you were moving forward, backward or remaining stationary. The gyroscopes used in smartphones are typically micro-electromechanical gyroscopes which, due to the mechanisms under which they operate, are also known as vibrating structure gyroscopes. The gyroscope provides contextual information that clarifies the readings of the accelerometers, which track the actual movement of your phone. A piece of code can also turn your phone’s gyroscope into a microphone, one that applications don’t need a user’s permission to access.

Accelerometers, which can be as small as a few hundred microns across, typically come in sets of three. They measure the pull of gravity and the magnitude of acceleration. Given a starting position and speed, and when combined with the gyroscope, this provides the relative position and velocity of the device. This type of inertial navigation system has been used with aircraft guidance, though it’s now typically augmented by additional information such as GPS coordinates. When employed with cell phones, these inertial systems augment their information regularly using WiFi points, cellphone towers, GPS signals and other indicators to refine their location. Typically, a phone being kept in a faraday bag (but not disabled) will be able to reference two anchor points – a departure point and a termination point.

Applying this to tracking

On longer trips, these two anchor points may not be enough. After an hour of travel, the margin of error for inertial tracking systems for aircraft can increase to several hundred meters. The margin for land-based vehicles, however, is considerably less. To begin with, land-based vehicles are essentially restricted to two dimensions as they must travel along the surface of the Earth itself, along with occasional bridges. This eliminates the variable of one of the axes, while still allowing for the data to be collected as additional contextual information.
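The integration described above (a known starting state plus accelerometer and gyroscope readings) and the growth of its error over time can be seen in a short sketch. This is an added example, not code from the original article; the sample drive, the 0.1 s sample interval and the 0.01 m/s² accelerometer bias are constructed values, and the model is simplified to forward acceleration and yaw rate in two dimensions.

```python
import math

def dead_reckon(samples, dt, x=0.0, y=0.0, speed=0.0, heading=0.0):
    """Integrate (forward_accel m/s^2, yaw_rate rad/s) samples into a 2D track.

    Requires a known starting position, speed and heading; nothing else
    (no GPS, no radio) is used.
    """
    track = [(x, y)]
    for accel, yaw_rate in samples:
        heading += yaw_rate * dt              # gyroscope: change in orientation
        speed += accel * dt                   # accelerometer: change in speed
        x += speed * math.cos(heading) * dt   # advance along current heading
        y += speed * math.sin(heading) * dt
        track.append((x, y))
    return track

def constructed_drive(dt=0.1):
    """Constructed sample: accelerate 10 s at 2 m/s^2, cruise 20 s,
    turn left 90 degrees over 10 s, cruise 20 s."""
    n = lambda seconds: int(round(seconds / dt))
    return ([(2.0, 0.0)] * n(10) + [(0.0, 0.0)] * n(20)
            + [(0.0, math.pi / 20)] * n(10) + [(0.0, 0.0)] * n(20))

def stationary_drift(seconds, accel_bias, dt=0.1):
    """Position error for a phone that never moves but whose accelerometer
    reports a small constant bias (assumed value, for illustration)."""
    n = int(round(seconds / dt))
    x, y = dead_reckon([(accel_bias, 0.0)] * n, dt)[-1]
    return math.hypot(x, y)

if __name__ == "__main__":
    end_x, end_y = dead_reckon(constructed_drive(), 0.1)[-1]
    print(f"reconstructed end point: ({end_x:.1f} m, {end_y:.1f} m)")
    for t in (60, 120, 240):
        print(f"bias 0.01 m/s^2, {t:3d} s: drift {stationary_drift(t, 0.01):7.1f} m")
```

Doubling the elapsed time roughly quadruples the position error, which is why an uncorrected track needs periodic anchor points on longer trips.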

Land-based vehicles are also restricted to driving on roads and predetermined pathways, while air vehicles can go off course without crashing. This provides a limited number of pathways that a vehicle can travel, many of which have topographical features that can be used to identify the road. For instance, both the curve of a road and the placement of stop lights and stop signs can provide additional anchor points. A sufficiently sophisticated adversary, almost certainly State-sponsored, would be able to seek out additional information to create new anchor points. This can be as simple as using compromised security cameras to identify when a vehicle was at a particular place. Alternately, it could be as complicated as identifying nearby places that you frequent or might visit and using that to create a matrix of possibilities which are compared to the existing data for correlations.

These methods of surveillance tend to be harder to detect due to their passive nature and the lack of real-time monitoring. While these methods can also be used on specially built trackers, the prevalence of smartphones can often make this unnecessary. Many would assume that, in the United States, these methods are primarily used by the National Security Agency. They certainly could be, but lack the type of signal interception and metadata exploitation that the NSA tends to focus on. This method tends to require a more targeted approach, and in the U.S. is just as likely to be carried out by the FBI as the NSA.

TACOPS Surveillance

The FBI’s Tactical Operations Section (TACOPS) is a highly secretive group within the Bureau that was formed in the early 1990s in order to respond to high level threats including terrorism, espionage and corruption. TACOPS’ responsibilities included both physical and electronic surveillance. They carried out court authorized break-ins to plant microphones and cameras and snoop on the subjects’ computers. TACOPS’ field of responsibility included terrorists, members of organized crime, corrupt members of Congress, and foreign intelligence officers. The TACOPS unit would tranquilize dogs, stage accidents, road work, and other events to neutralize and manipulate their targets’ security. Once they broke into homes, offices, embassies, cars and anything else they could compromise, they would alter and replace items with duplicates, plant bugs and compromise computers.

In the past, TACOPS would plant devices that would record for over twenty hours at a time before transmitting the information in compressed bursts. Some of the largest of these bugs were barely larger than a postage stamp, while others were considerably smaller. Since then, the surveillance technology has greatly improved and in some cases the bugs produced in the FBI’s Engineering Research Facility are no longer needed. Instead, malware is installed on a subject’s phone. Physical devices are typically limited to duplicating an existing item and later replacing the original with one that’s been modified to conceal a microphone and/or camera. When they do have to physically modify a phone, the preferred method is often through replacing the battery itself. A modified battery can hide malware, hijack the microphone, interfere with the phone’s operations and conceal additional sensors or hardware.

Like the devices previously planted by the FBI, a phone can be easily programmed to record hours of information, delete anything outside of a certain decibel or pitch range, and then transmit the recorded information when a data signal becomes available. The same can be done with the motion tracking information, which can be reconstructed into a fairly accurate map of one’s movements.

How to deal with it

It should be entirely possible to build devices that generate white noise movements that prevent effective inertial tracking through gyroscopes and accelerometers, although it doesn’t appear that there are any off-the-shelf solutions existing at the moment. Until then, the safest thing is to leave your phone at home if you want to avoid surveillance; and just as it’s safest to assume that every gun is loaded, it’s safest to assume that every microphone is turned on.

