The following article is a fusion of substantive summary and selective compilation of various public-domain write-ups on smartphone surveillance and security. All references are listed at the end of the article.

“The ‘Enlightenment’, which discovered the liberties, also invented the disciplines.”

― Michel Foucault, Discipline and Punish: The Birth of the Prison

HOW CAN A SMARTPHONE BE SPIED ON?

Smartphones are playing an increasingly central role in our lives. They are ubiquitous, as we carry them nearly everywhere, and entrust them with sensitive and sometimes deeply personal information. We use them to carry out day-to-day tasks from communicating with family members and socialising on social media apps to tracking our health and taking care of our finances on banking apps.

But it is also a device with a camera, a GPS receiver and a microphone that you have next to you at all times. Unfortunately, mobile phones were not designed for privacy and security. Turning this hardware into a surveillance tool is much easier and more effective than you might think. Not only do they do a poor job of protecting your communications, they also expose you to new kinds of surveillance risks.

Surveillance is always an enactment of power, in the sense that it is a technique deployed in practices of governance. It is an influence external to the individual that seeks to control and discipline, entailing a risk of exploitation and privacy invasion.

Here, we will describe all the ways that smartphones can aid surveillance and undermine their users’ privacy. So, prepare yourself for an in-depth read, as we attempt to go over each and every aspect of smartphone surveillance.

1. Mobile Signal Tracking — Cell Tower

How it works

The mobile network/ SIM-card operators themselves have the ability to intercept and record all of the data about visited websites, who called or sent SMS to whom, when, and what they said.

Your Wi-Fi internet provider offers DNS as part of your service, which means your provider can also log your DNS traffic — in essence, recording your entire browsing history.

Any mobile network operator can also precisely calculate where a particular subscriber’s phone is located whenever the phone is powered on and registered with the network. The ability to do this is called triangulation.

One way the operator can do this is to monitor the signal strength that different towers observe from a particular mobile phone, and then calculate where that phone must be located based on those observations. The accuracy with which the operator can figure out a subscriber’s location varies, depending on many factors, including the technology the operator uses (2G/3G/LTE) and the number of cell towers in the vicinity.
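To make the location step concrete, here is an added example (not from the article) that estimates a handset's position from the signal strength several towers report, using a log-distance path-loss model. Tower positions, the path-loss constants and the RSSI readings are all constructed; it also shows why the result degrades when readings are noisy.

```python
"""Locate a handset from the signal strength several towers observe.
Added example (not from the article) of the triangulation the text describes;
tower positions, path-loss constants and RSSI readings are all constructed."""
import math

# Log-distance path-loss model (assumed constants): received power is P0 dBm
# at 1 km and falls by 10*n dB per decade of distance.
P0_DBM = -40.0
PATH_LOSS_EXP = 3.0

def rssi_to_distance_km(rssi_dbm: float) -> float:
    """Invert the path-loss model to estimate distance from one tower."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))

def distance_to_rssi(d_km: float) -> float:
    return P0_DBM - 10 * PATH_LOSS_EXP * math.log10(d_km)

def trilaterate(towers, distances):
    """Least-squares (x, y) from >= 3 tower positions and distances.

    Subtracting tower 1's circle equation from tower i's gives the linear
    equation 2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2;
    the 2x2 normal equations of that system are solved by Cramer's rule.
    """
    if len(towers) < 3 or len(towers) != len(distances):
        raise ValueError("need at least three towers, one distance each")
    (x1, y1), d1 = towers[0], distances[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), di in zip(towers[1:], distances[1:]):
        ax, ay = 2 * (xi - x1), 2 * (yi - y1)
        rhs = d1**2 - di**2 + xi**2 - x1**2 + yi**2 - y1**2
        a11, a12, a22 = a11 + ax * ax, a12 + ax * ay, a22 + ay * ay
        b1, b2 = b1 + ax * rhs, b2 + ay * rhs
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-12:
        raise ValueError("towers are collinear; position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def locate_from_rssi(towers, rssi_readings):
    return trilaterate(towers, [rssi_to_distance_km(r) for r in rssi_readings])

# Constructed scenario: three towers (km); the handset is truly at (2.0, 1.5).
TOWERS = [(0.0, 0.0), (5.0, 0.0), (0.0, 4.0)]
TRUE_POS = (2.0, 1.5)
CLEAN_RSSI = [distance_to_rssi(math.dist(TRUE_POS, t)) for t in TOWERS]
NOISY_RSSI = [r + e for r, e in zip(CLEAN_RSSI, (2.0, -2.0, 1.0))]  # fading

def position_error_km(towers, rssi_readings, true_pos=TRUE_POS) -> float:
    return math.dist(locate_from_rssi(towers, rssi_readings), true_pos)
```

With exact readings the position is recovered precisely; with just 2 dB of constructed fading on each reading the estimate is off by roughly half a kilometre, which is why the article says accuracy depends on the number of towers and the radio technology.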

Normally only the mobile operator itself can perform this kind of tracking, though this information might be available to local or foreign governments through official or informal arrangements. In some cases, foreign governments have also hacked mobile operators’ systems in order to get secret access to users’ data. Also, Stingrays (explained below) can be used by someone physically near you to intercept communication packets.

The Ukrainian government used a tower dump to make a list of all of the people whose mobile phones were present at an anti-government protest.

Another related kind of surveillance request is called a “tower dump”; in this case, a government asks a mobile operator for a list of all of the mobile devices that were present in a certain area at a certain time. Oftentimes, law enforcement agencies (LEAs) use tower dumps to investigate a crime, or to establish criminal relationships.

Preventative Measures

There is no way to “hide” from this kind of tracking as long as your mobile phone is powered on and transmitting signals to an operator’s network. The best way not to get detected? Don’t connect it to the network or to any other computer, a practice known as air-gapping. However, in a world where practically every machine connects to the internet, this is not easy.

However, for ultra-sensitive files and tasks — like storing Bitcoin or working with confidential blueprints — the inconvenience of working entirely offline can be justified, despite all the trouble. For these situations, the highly cautious rely on Faraday cages or bags. These are essentially metal-lined phone cases that block all radio frequencies, so no signal can go in or out. They are readily available on Amazon and relatively cheap.

However, while the cage or bag might block your phone from revealing its location, it does not prevent the phone from spying if it was already infected with spyware before it was air-gapped.

The safest practice is to assume that traditional calls and SMS text messages have not been secured against eavesdropping or recording.

The situation can be different when you are using secure communication apps to communicate (whether by voice or text), because these apps can apply end-to-end encryption (E2EE) to protect your conversations. Such apps with reliable E2EE implementation and strong anti-forensics capabilities can provide more meaningful protection.

The level of protection you get from such apps depends significantly on which apps you use and how they work. One important question is whether there is any way for the app developer to undo or bypass the encryption, and what chat metadata they collect.

We recommend Signal, a strongly encrypted chat and voice/video call app developed by the Signal Foundation.

2. Mobile Signal Tracking — IMSI Catcher

Governments can also snoop on mobile communications directly with a Cell Site Simulator, a portable device that generates a fake cell tower to “catch” particular users’ mobile phones, detect their physical presence and/or spy on their communications; it is also known as an IMSI Catcher or Stingray. However, the IMSI catcher needs to be taken to a particular location in order to find or monitor a mobile device there.

IMSI Catchers are able to determine the IMSI numbers of mobile phones in their vicinity, the trademark capability from which their name is derived. Using the IMSI, they can then identify that phone’s traffic on the network and target it for interception and analysis.

Once the IMSI Catcher has completed the connection to a mobile device, it can try to prevent that device from connecting to a legitimate base station (network tower) by transmitting an empty neighbour-cell list, or a list of neighbouring base stations that are unavailable to the device.

Based on documents leaked by Edward Snowden, some advanced IMSI Catchers can locate cell phones even when they are turned off. This is accomplished by wirelessly sending a command, via the IMSI Catcher, to the phone’s baseband chip to fake the shutdown and stay on. The phone can then be instructed to keep just the microphone on, in order to eavesdrop on conversations, or to periodically send location pings.

The only hint that the phone is still on is that it continues to feel warm even though it has been shut off, suggesting that the baseband processor is still running.

This concern has led to some people physically removing the batteries from their devices when having very sensitive conversations.

How it works

Attacks on mobile networks include cracking network encryption, passive network interception, and active network interception. IMSI catchers fall into the last category, actively interfering in communications between mobile phones and base stations by acting as a transceiver (simultaneously transmitting and receiving). IMSI catchers mount a “man-in-the-middle” attack, simultaneously posing as the mobile phone to the real base station and as the base station to the real mobile phone.

Downgrade Attack: This is a form of cryptographic attack on an electronic system or communications protocol that makes it abandon a high-quality mode of encrypted connection in favour of an older, lower-quality mode that is typically retained for backward compatibility with older systems. An example of such a flaw is an SS7 attack.

Signalling System 7 (SS7), a set of signalling protocols used in telecommunications, is implemented across most of the world’s Public Switched Telephone Network (PSTN). An SS7 attack is an exploit that takes advantage of a weakness in the design of SS7 to enable data theft, eavesdropping, text interception and location tracking.


Preventative Measures

Currently there is no reliable defence against all IMSI catchers. Some apps, e.g. SnoopSnitch for rooted Android devices, claim to detect their presence, but this detection is imperfect.

On devices that permit it, it could be helpful to disable 2G support (so that the device can connect only to 3G and 4G networks) and to disable roaming if you don’t expect to be traveling outside of your home network’s service area. These measures can provide some protection against certain kinds of IMSI catchers.

We recommend Orbot for Android, a Tor-based proxy app that lets other apps use the internet more securely by encrypting your traffic and bouncing it through a series of relays around the world. Onion Browser is the equivalent for iOS devices.

3. Wi-Fi and Bluetooth Tracking

How it works

Smartphones also have other radio transmitters in addition to the mobile network interface, including Wi-Fi and Bluetooth. Whenever Wi-Fi or Bluetooth is turned on, the smartphone transmits signals that include its MAC address, a unique identifier of the device’s radio interface, and thus lets nearby Wi-Fi or Bluetooth receivers recognise that that particular device is present.

This MAC address can be observed even if the device is not actively connected to a particular wireless network, or even if it is not actively transmitting data. This form of tracking can be a highly accurate way to tell when a person enters and leaves a building.

The home Wi-Fi router is also a prime target for hackers wanting to infiltrate your network by remotely delivering a payload. A small vulnerability in the home Wi-Fi network can give a hacker access to almost all the devices that connect to that Wi-Fi. Once infected with malware or spyware, the router can perform various malicious activities, like redirecting the user to fake websites when visiting secure communication services, banking or other e-commerce sites. In addition to stealing personal and financial data, hackers can also infect smart IoT devices connected to the home network.

Preventative Measures

Know Your Network: Before you connect, be sure you know whose network you are connecting to, so you don’t fall prey to Wi-Fi honeypots. Also, check to make sure your smartphone is not set up to automatically connect to some unknown Wi-Fi networks — or set it to ask you before connecting.

Use a VPN: If you use a VPN service, anyone trying to snoop will see only encrypted data, even if you are connecting to some non-secure sites using HTTP.

We recommend TunnelBear VPN or VyprVPN for both Android and iOS devices.

MAC Address Randomization: Certain smartphones running the latest Android and iOS versions have a function called “MAC Address Randomization” under the Wi-Fi settings. This feature randomly changes the MAC address reported by the phone, making tracking a lot harder, if not impossible.

This feature is not implemented consistently by all Android phone manufacturers. On rooted Android devices, though, it is possible to change the MAC address manually so that other people can’t recognise your Wi-Fi interface as easily over time.
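A way to check, from a defender's side, whether the devices in your household actually expose a stable MAC: randomized addresses set the locally-administered bit of the first octet, so probe requests captured by a Wi-Fi monitor can be sorted into "trackable" and "randomized". This is an added example, not code from the article; the log lines are constructed and their format is an assumption.

```python
"""Check whether devices near a Wi-Fi monitor expose stable, trackable MACs.
Added example (not from the article). The probe-request log lines below are
constructed, and their format (timestamp, frame type, src MAC, SSID) is an
assumption rather than any particular sniffer's output."""
import re
from collections import defaultdict

# Constructed sample: what a passive monitor near a building entrance might log.
SAMPLE_LOG = """\
2024-01-05T08:01:12 PROBE_REQ src=3c:22:fb:10:aa:01 ssid=HomeNet
2024-01-05T08:01:15 PROBE_REQ src=3c:22:fb:10:aa:01 ssid=
2024-01-05T08:02:40 PROBE_REQ src=da:a1:19:4e:2c:7f ssid=
2024-01-05T08:03:02 PROBE_REQ src=fe:70:0c:91:3b:55 ssid=CafeWifi
2024-01-05T12:30:09 PROBE_REQ src=3c:22:fb:10:aa:01 ssid=
2024-01-05T12:31:44 PROBE_REQ src=2a:4c:9d:00:11:22 ssid=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) PROBE_REQ src=(?P<mac>[0-9a-f:]{17}) ssid=(?P<ssid>.*)$"
)

def is_randomized(mac: str) -> bool:
    """True when the locally-administered (U/L) bit of the first octet is set.

    Hardware (burned-in) MACs are globally unique and have that bit clear;
    the randomized addresses Android and iOS generate set it, so the first
    octet's second hex digit is 2, 6, A or E.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

def audit(log: str) -> dict:
    """Group probe requests by source MAC; mark each MAC stable or randomized."""
    sightings = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        sightings[m["mac"]].append(m["ts"])
    return {mac: {"randomized": is_randomized(mac), "sightings": len(ts)}
            for mac, ts in sightings.items()}

def trackable_devices(log: str) -> list:
    """MACs that identify the same hardware on every visit (randomization off)."""
    return sorted(m for m, info in audit(log).items() if not info["randomized"])

if __name__ == "__main__":
    for mac, info in audit(SAMPLE_LOG).items():
        kind = "randomized" if info["randomized"] else "STABLE (trackable)"
        print(f"{mac}  {kind:20s}  seen {info['sightings']}x")
```

In the constructed sample, one device keeps reappearing with the same hardware MAC across morning and midday visits, which is exactly the behaviour randomization is meant to prevent.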

Deactivate AirDrop: AirDrop, a wireless file-sharing protocol for iPhone users, broadcasts an iPhone’s availability to other nearby iOS devices when activated. That makes it simple for any surrounding iOS device to request permission to send files.

While convenient, AirDrop is a protocol that has been hacked in the past. It is therefore recommended to set the preference for this protocol to “Receiving Off” unless required.

For iOS 11 and later: Go to Settings > General > AirDrop.

For iOS 10 and earlier: Swipe up from the bottom of your iOS device to find a shortcut to AirDrop in your Control Center.

Wi-Fi Router Security

Update Router Firmware: Updating your router’s firmware is an important security measure that protects your router against the latest threats and vulnerabilities. Many routers no longer receive firmware/software updates; if the last update for yours was a couple of years ago, it is time for a new router.

Change Router Credentials: Traditional routers come with a default administrator password (not the Wi-Fi password) set by the manufacturer. While it may look complex and resistant to hacking, there is a good chance most units of the same model share the same password, and these passwords are often easy to find on the internet.

Make sure you change the username and password of your router during setup. Choose a long, complex alphanumeric password, and don’t use a dictionary word.

Change SSID and Wi-Fi Encryption: If your Wi-Fi network uses a default SSID (network name), change it. Do not pick a name that makes it obvious that the network belongs to you.

For Wi-Fi encryption, use WPA2 with AES. It remains secure as long as the password is long, since length is what fends off brute-force attacks. (The German government recommends a password 20 characters long.) Also, disable WPS.

Get rid of any risky or unused services: Turning off features you are not using reduces the attack surface. Consider disabling Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN), SNMP, NAT-PMP and Telnet access to the router.

If you’re not connecting any IoT devices, it is safer to turn off the UPnP service. UPnP exposes a router to the Internet at large, where, if it is vulnerable, it can be hacked.

Change the entire LAN-side subnet: This helps prevent many router attacks.

Set up a guest network for smart home devices: A guest network has its advantages. It provides your guests (and IoT devices) with a separate SSID and password, and restricts outsiders from accessing your primary network.

4. Infecting Phones with Spyware/ Malware