Phone Security
From The Black OP Security Wiki
FAQ
Q. Is it safe to talk on a cell phone?
A. Usually it is not safe to talk on a phone. Land lines and cell phones are both easily tapped by LE, and both can also be tapped by non-LE. Some phones are encrypted, and in these cases it can be safe to talk on them. Unfortunately, encrypted phones tend to cost in the thousands of dollars and they only work with other encrypted phones, so this is not a good solution for most people. Skype has encryption, but it seems to be proprietary and closed source, so who knows how much it can be trusted. I have heard law enforcement have not yet been able to break Skype's encryption, but I don't trust any proprietary encryption. In addition to the risk of having your communications intercepted by a wiretap, cellphones are extremely easy to trace via triangulation.
Q. How should I talk with people if not by phone?
A. Sensitive matters should be discussed via computer systems, primarily via GPG-encrypted e-mails and PMs and OTR instant messages. Communications should be routed through the Tor network or similar.
Q. I absolutely must use a phone, what should I do?
A. You have a few options. First, you can buy encrypted cellphones if you are only talking to a few people. Expect to pay around $1,000 per encrypted cellphone, and understand that the encryption only happens if both phones are encrypted. This might be fine for some people, but not all groups can afford to spend that sort of money to have secure communications. Second, you can use Skype. Skype has some sort of encryption, and although it seems to be proprietary, it also seems to prevent LE eavesdropping so far. Skype is not a good solution for everyone either, though, as the encryption only works for Skype-to-Skype calls and you are still tied to a computer. Third, you can use encrypted text messages. Software that lets you encrypt your text messages can be found for much cheaper than software or phones that encrypt voice, and this solution might work well for you. Fourth, you can keep communications to pay phones. This can frustrate network analysis, but it probably isn't that good of a solution. Another thing you can do is use no-contract cell phones that are activated with cards you can buy for cash with no ID. This will not secure your communications, but it can help to seriously frustrate network analysis. Such phones also come in handy for single-time operations (not a persistent phone, but cases where a number is temporarily needed). If you go with throwaway phones, you should change them up frequently.
Q. Are there any attacks on my security that require a cellphone to happen?
A. Yes.
1. Cellphones can be used as remote bugs. The FBI can turn your cellphone on remotely, even if you have it powered off. They can then turn your microphone on and record conversations you have face to face. They can likely activate your camera as well. The only way to prevent this is to remove your battery.
2. A novel attack I have not heard of yet, but which is certainly possible: the keys on a keyboard make a unique noise depending on which one you hit. With the model of your keyboard, as well as a recording of you typing, what you are typing can be determined. This can be solidified with traditional statistical cryptanalysis methods (certain keys will be hit more frequently, thus certain sound patterns will be heard more frequently). If you keep your cell phone near your keyboard, it could be remotely turned on and record the sound of you typing. This could be analyzed to eavesdrop on what you are typing, including things such as passwords.
3. Cellphones can be used to track your location. A skilled enough law enforcement or intelligence agency could use the records of your positioning at a certain time and try to correlate them to a map of WiFi hotspots that were used to access the internet. This can be used to track you down even if you use a different WiFi spot every time you connect to the internet. It can also be used for a lot of other things.
Q. What should I do if I am traveling with a cellphone and don't want my location revealed?
A. You can put the cellphone in an anti-static bag. It will not be able to get calls or messages while it is in the anti-static bag, but it also can't be used to trace your location.
Q. Should I talk explicitly on the phone?
A. You should imagine that everything you say on a phone is going to be played in front of a jury. Use code words, and don't use code words that are obviously code words or talk unnaturally when you say them.
