Is my cell phone's security compromised?

[Luc the Geek]

I'm sure there are some bluetooth junkies out their that uses that direct networking or dialing feature. If a person goes to a meeting, you can see all shares, devices, and audio with or without the screensaver.

But only if Bluetooth is enabled (on a capable phone) and is accepting connections, no? I was always under the impression that you still have to accept the connection from before the link is made?

As for Amdocs, I googled it and from what I've read it's an Israel company that monitors 90% of US telephone networks and assists companies in their billing information of their clients, thus a large call tracker. Odigo is the text message equivilant. Large organizations like the FBI and CIA can abuse, but not something any Tom, Dick, and Harry can use unless I'm missing something?

Just striking conversation for understanding the topic. =)

[sequoia]

Click here for a Printer Friendly version Print or Email This Page



March 2007, Page 12

Is Someone Eavesdropping on Your Attorney-Client Conversations?
By Louis L. Akin

A lawyer and his client are sitting in a café having coffee while on recess in a major case. They turn off their cell phones so that no one will interrupt them. They lean forward for a highly confidential tête-Ã*-tête. However, they are not the only ones interested in their discussion. Unknown to them, a third-party — miles away — remotely turns on the lawyer’s cell phone and records every word of the conversation. When the conversation ends the lawyer turns on his phone, calls his investigator, and gets the latest on statements taken from key witnesses. The third-party records that conversation too, and while she is at it, downloads all the text messages and e-mails the lawyer has on his cell phone. She downloads the telephone numbers, dates, exact times, and duration of the conversations. Finally, she downloads information telling her the lawyer’s location when he placed or received cell phone calls during the past month. Fantastic? Futuristic? Not at all. It is happening now.

Activity Monitors
Technical surveillants, many of whom prefer to be addressed by the more Orwellian “Activity Monitors� appellation, have developed technical means of invading privacy. Eavesdropping has been around as long as eaves, the beams that form the two long sides of an A-frame roof. Eavesdroppers supposedly climbed up on the eaves to listen in on private conversations. Nowadays, that kind of physical eavesdropping is no longer a credible threat. While it may be trespassing, the Omnibus Crime Control and Safe Streets Act does not prohibit it.1

Common telephone taps are as old as the 1940s, but have grown progressively more sophisticated. The hook switch bypass was a device that circumvented the off button on the receiver of the old rotary dial telephones. In effect, the telephone microphone could be turned on remotely just as if it were off the hook, and someone miles away could listen to what was being said in a room. In the 1950s, Manny Middleman devised a way to activate a hookswitch bypass by calling a telephone that had one installed on it (which required a previous burglary to install) and blowing a certain key on a harmonica into the phone. He could then listen to conversations for as long as he liked from wherever he liked.

Taps are devices that are placed on telephone lines for purposes of covert eavesdropping. Bugs are devices placed in a room or area for the same purpose. Transmitters are physical objects that are easy to hide because of their incredibly small size, but they still require entry into the target area to plant.2 Hal Lipset, a San Francisco private investigator, waltzed around a cocktail party in the 1960s with a transmitter hidden in an olive in his martini.3 The toothpick was hollowed out for the antenna. Considering that he did it at about the time that color televisions were beginning to appear in homes in America, this was a considerable feat.

Eavesdropping devices have kept abreast of the times — advancing from ultrasophisticated electronics such as tiny frequency-hopping burst transmitters that compress and store conversations and transmit them through the air in short bursts that hop about in a preset pattern amongst multiple frequencies.4 To receive the messages, the eavesdropper has to know not only when they are going to be transmitted, but the exact order of frequency hops they will make during the short burst of transmission. The eavesdropper’s receiver has to hop with the transmitter to capture the electronic bursts and then demodulate them.

Eavesdropping devices can be physically installed on cell phones or computers in a matter of seconds by an intruder (a cleaning person, inspector, customer, client, sales person, acquaintance, police officer, or burglar). In the alternative, the device might be sent to the “target� by e-mail or text message. When programs are installed in the latter manner, they are called Trojans, a kind of virus that is packaged as something attractive or expected.

For example, a consumer might get a text message on his cell phone saying, “Call 314-666-1234 to update your Verizon cell phone software,� or “Download free new ring tones.� When the consumer calls to get the update, he or she gets a Trojan that installs in the cell phone as a digital eavesdropping device. No burglary required. The phone will turn on so the eavesdropper can listen to room conversation or autodial the eavesdropper and give such private information as the telephone number, date and exact time of each call, and the location (within feet) of each incoming or outgoing call the cell phone owner makes or receives. It will also send any text messages or e-mail to the eavesdropper.

FlexiSpy Products’s FlexiSpy Pro5 spyware cell phone tap ($49.95) is one of the latest commercially available cell phone eavesdropping devices on the market, but it is not the only one. Many competitors produce similar programs. Anti-virus software companies and tech writers condemn the program as blatant spyware that can turn on a cell phone (just like Manny Middleman used to do) and allow an eavesdropper to listen in on every conversation that takes place within earshot of the cell phone while the owner of the phone thinks it is off. Now, since most of us wear our cell phones on our belts . . .

FlexiSpy advertises its product as the “World’s Most Powerful Spy Software for Mobile Phones. FlexiSpy Pro is a mobile phone monitoring application that secretly records all activity on a mobile phone that has FlexiSpy Pro installed. Protect your children, catch cheating spouses. The possibilities are endless.�6 The possibilities for abuse are endless, too.

According to the FlexiSpy Web site:

“You can listen in on calls and read SMS/MMS messages. What’s more, even when the phone is not in use, you can remotely activate the microphone and listen in on non-call conversations. Of course, the legality of this falls in a grey area.�


Actually, it is plainly illegal to use the tap on anyone except your minor children. FlexiSpy adds the limp caveat:

“If you are the owner of your spouse’s (or child’s) cell phone, you are merely monitoring your property, but if you use FlexiSpy Pro on an unsuspecting neighbor, that’s a different story altogether.�


FlexiSpy Products adamantly denies that FlexiSpy Pro tap is a Trojan, stating that it has to be consciously installed by a real live human. Yet the critics disagree. “This application installs itself without any kind of indication as to what it is. And when it is installed on the phone it completely hides itself from the user,� says Jarno Niemela, a researcher for F-Secure.

This is a case in which both parties may be right — at least on the surface. A person has to consciously install the program, but that person does not have to be the cell phone owner. On the other hand, if it is sent as a Trojan, the person installing it may not know that it is spyware. The missing words are “effective legal consent of the cell phone user.�

F-Secure warns consumers8

“When FlexiSpy Pro is installed on the phone it will hide from Symbian’s built-in process menu and it does not have any visible user interface or icon. After FlexiSpy Pro is installed on the phone, the only indication that it is installed is that the application removal menu has an additional application named ‘phones’ in the list. This ‘phones’ application cannot be removed with the application manager.

FlexiSpy Pro has a hidden user interface that can only be accessed using a special code known to the person who has purchased the spying application and has installed it on the phone.

When FlexiSpy Pro is active on the device, it will record details of all voice call and SMS information, and then later send those details to the FlexiSpy Pro server.�

Law enforcement has a cell phone tap that is more limited but easier to install. When law enforcement officers get your cell phone number, they go to a Web site to find out the name of the service provider. They obtain a search warrant, call the service provider, and have the provider clone the phone on which they want to eavesdrop. The provider sends them a chip via overnight mail. Thereafter, each time the target uses the cell phone to make or receive calls or text messages, the police department receives the calls and records them. This technique is an updated version of the lease-line method of tapping land lines that was popular before cells phones came along.

Digital cell phone taps may be the newest technology available to the general public, but plenty of the old gear is still around and it works well. FM radio frequency transmitters that sell for $20 in electronics stores make ideal drop bugs, i.e., disposables. Disposables are transmitter bugs that can be left somewhere to transmit until their battery runs dry, and then they can be forgotten. The eavesdropper does not have to make a second entry to recover the devices. These bugs are cheap and untraceable; nearly every law enforcement agency uses them. They are also used by private investigators, people getting divorced, partners terminating a business relationship, possessive spouses, and others.

Carrier current devices are also available at electronics stores. They are sold as baby monitor systems. Strip off the baby blue or pink plastic case and the device can be hidden anywhere in a house or building’s electrical system, inside or out. It will transmit conversations from inside the house or office along the AC wiring to a receiver down the line. Room to room plug-in intercom systems do the same thing and are used by eavesdroppers for the same purposes. They are also commonly available in electronics stores.9 More sophisticated devices include light switches and wall plugs that really work to turn on lights or run a vacuum, but also work as transmitters when there is a conversation in the room

[sequoia]

It connects you to the world, but your cell phone could also be giving anyone from your boss to your wife a window into your every move. The same technology that lets you stay in touch on-the-go can now let others tap into your private world — without you ever even suspecting something is awry.

The new generation

Long gone are the days of simple wiretapping, when the worst your phone could do was let someone listen in to your conversations. The new generation of cell phone spying tools provides a lot more power.

Eavesdropping is easy. All it takes is a two-minute software install and someone can record your calls and monitor your text messages. They can even set up systems to be automatically alerted when you dial a certain number, then instantly patched into your conversation. Anyone who can perform a basic internet search can find the tools and figure out how to do it in no time.

But the scarier stuff is what your phone can do when you aren’t even using it. Let’s start with your location.

Simple surveillance

You don’t have to plant a CIA-style bug to conduct surveillance any more. A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing.

Once connected, the service shows you the exact location of the phone by the minute, conveniently pinpointed on a Google Map. So far, the service is only available in the UK, but the company has indicated plans to expand its service to other countries soon.

Advanced eavesdropping

So you’ve figured out where someone is, but now you want to know what they’re actually doing. Turns out you can listen in, even if they aren’t talking on their phone.

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device. And the scariest part? They run virtually undetectable to the average eye.

Take, for example, Flexispy. The service promises to let you “catch cheating wives or cheating husbands� and even “bug meeting rooms.� Its tools use a phone’s microphone to let you hear essentially any conversations within earshot. Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on. The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Legal loopholes

You might be asking how this could possibly be legal. Turns out, it isn’t - at least, not in the ways we just described. Much like those fancy smoking devices designed “for tobacco use only,� the software itself gets by because of a disclaimer saying it doesn’t endorse any illegal use.

I did a little digging with our friends from Flexispy. You won’t find it on the flashy front page, but buried a bit further in the site, the company says you’re fine to use their program only “on a phone that you own, for protecting your children,� or for purposes like “archiving data.� It’s a bit of a contrast from the bold suggestions of “uncover[ing] employee espionage,� “catch[ing] cheating husbands,� and “bug[ging] meeting rooms� that fill the company’s materials. After a little more explanation, their answer as to the legality of the service ends with a broad statement: “Please consult a qualified lawyer in your country for the correct answer to this question.�

Let me make it easier for you: Once you get into listening in to private conversations without either party’s consent, you’re treading rough water that could sweep you straight into jail. Whether it’s an employee or a spouse on the receiving end of your mission, neither federal nor state privacy laws take violations lightly in America. Getting caught could cost you several years behind bars, among other serious penalties.

Detecting and protecting

Finding spyware on your phone isn’t easy. There are dozens of bug detectors available from surveillance companies, but the only true fix is taking your phone to your provider and having them wipe it out altogether. That will restore the factory settings and clear out any hidden software that’s running on your phone.

Security experts say there may be some subtle signs your phone is invaded:

* You seem to have trouble shutting it off, or it stays lit up after you’ve powered down.
* The phone sometimes lights up when you aren’t making or receiving a call, or using any other function.
* You regularly hear odd background noises or clicks when you’re on the phone.

Unfortunately, there isn’t much you can do to safeguard your cell just yet. I’m sure it’s only a matter of time until we see McAfee-style programs to firewall your phone and keep intruders out. For now, though, the only sure-fire form of protection is to keep a close guard on your phone. Don’t accept Bluetooth connections unless you know what they are. Most important, make sure no one has access to install something when you aren’t watching. Otherwise, they may soon be watching you when you least expect it.

By JR Raphael
Contributing Writer, [GAS

[Linen0ise]

thanks for mentioning Odigo and their text messaging. Before I started Amdocs, I had to sit around 3 weeks for a stupid background check. It was one of those lame what did you do in the last 7 years junk. As far as text messaging....i discovered cell billing and text bill are sorta seperate. Seperate enough for me to find out the 3rd party email service. .20 a message...unreal. That's why I feel good for hacking and resetting the ATT admin account for their listserver. I want them to know I'm still here.

[Linen0ise]

BTW......If you are a bittorrent user and you notice you switch or router keeps resetting but yet secured, it could be the rpc bug or some unknown hack. If you are on a linux machine with a current kernel level, you can spot the dropped links in your syslog or dmesg logs. It will show "Treason uncloaked!". The tcp stack repairs the bad packet and shows you the offending ip address. Make sure you put that ip address in your favorite blacklist file. The ip address always attempts to connect to your random listen port. Wonder who could this be....? Get those bastards....