Is it possible for the National Security Agency (NSA) to remotely power up a mobile phone and use it as a listening device? In an interview that aired last night (May 28), American NSA whistleblower Edward Snowden told NBC's Brian Williams that the agency can.
"Can anyone turn it on remotely if it's off?" Williams asked Snowden, referring to the "burner" smartphone Williams used for travel to Russia. "Can they turn on apps? Did anyone know or care that I Googled the final score of the Rangers-Canadiens game last night because I was traveling here?"
"I would say yes to all of those," Snowden replied. "They can absolutely turn them on with the power turned off to the device."
Cellphone security experts are divided over whether that's true — and whether Snowden knew what he was talking about.
Snowden's revelation technically isn't new. In July 2013, a month after the first Snowden leaks appeared, a Washington Post article on the NSA's use of cellphone surveillance reported that the NSA had implemented such a program years earlier to aid American forces hunting insurgents in Iraq.
"By September 2004," the Post reported, "a new NSA technique enabled the agency to find cellphones even when they were turned off. JSOC [Joint Special Operations Command] troops called this 'The Find.'"
Those few lines set off a firestorm of controversy in the cellphone-security community as experts tried to figure out how it might be possible to turn on a powered-off smartphone. Snowden's comments in the NBC interview last night restarted the conversation. As with most things, the issue is a bit more complicated than it sounds. Turning on a cellphone remotely would involve something called a baseband hack, and it's not simple to pull off.
"Snowden saw programs that were widely successful at getting intelligence from phones, but he doesn't understand the details," wrote Robert David Graham, founder of Atlanta security company Errata Security, in a blog response to the NBC interview.
"Yes, there may be a model of phone out there where the NSA was able to 'remotely turn it on' (probably because a baseband processor was never truly off)," Graham wrote. "But that doesn't mean that when you turn off your iPhone, the NSA can do anything with it."
Based on the Baseband
Smartphones actually have two computers in them: a baseband processor (the "phone" part that deals with radio waves) and the operating-system processor, which runs iOS, Android or Windows Phone and controls apps and the rest of what you see on the phone's screen. When you use your phone, you're interacting with the operating system, not the baseband.
When you power your phone off, you're shutting down the operating system. But are you turning the baseband processor off as well?
Back in 2004, when the NSA allegedly first gained the ability to remotely turn on cellphones, the answer may have been yes. When some so-called "feature phones" were powered off, their baseband chips still communicated with cell towers operated by carriers such as AT&T or Verizon Wireless. Only when the batteries were removed from such phones did the baseband truly turn off.
So do today's smartphones — many of which, such as iPhones, have no removable batteries — also keep their basebands on when the handsets are fully powered down, not merely asleep in a pocket? It's very unclear. Jonathan Zdziarski, a Boston-area independent security expert who specializes in retrieving information from iPhones, says that today's baseband chips may very well remain active even when a phone is powered down.
"The baseband has to be programmed to remain in a ready state while the device is powered off," Zdziarski told Tom's Guide. "I can't tell you with any certainty if that's how the iPhone baseband is programmed."
"The baseband could be programmed so, while the power source is connected, it stays in a ready mode," he said. "That seems to be at least a plausible assumption based on, and only based on, a number of other articles citing FBI and CIA and the agencies that have been able to locate these devices while they're turned off."
It's difficult to be certain whether a modern smartphone's baseband chip remains on in some capacity when the phone is switched off. Baseband chips are made by a handful of companies and run closed, proprietary code that few outsiders have access to.
It's also possible that even if baseband chips don't always stay on by default, the NSA may have found ways to push out tailored firmware updates to targeted cellphones to make sure the baseband chips do stay on for those particular handsets.
Rounding the basebands
That brings us to the next question: If the baseband chip somehow stays on, could you contact it and command it to turn on the rest of the phone, including the smartphone operating system, so that the phone can be used as a listening device? Does the baseband chip have that capability?
Connecting to the baseband in the first place is not difficult. There are plenty of ways to trick a phone into connecting with a malicious tower instead of with a carrier's tower. The FBI has a tool for this called the Stingray; it's been common knowledge for years, and similar methods have been demonstrated at hacker conferences.
But once you're connected to the targeted phone, how do you gain control of the baseband processor?
"The code in baseband processors is crap," wrote Graham. "It's relatively easy to find vulnerabilities that can be used to take control of the baseband processor ... The code is so fragile it's hard not to find a bug in it."