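Your cellular telephone has three major security vulnerabilities: vulnerability to monitoring, vulnerability to being used as a microphone, and vulnerability to cloning.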
Before discussing these vulnerabilities, here is a brief tutorial on how cellular phones function. They send radio frequency transmissions through the air on two distinct channels, one for voice communications and the other for control signals. When a cellular telephone is first turned on, it emits a control signal that identifies itself to a cell site by broadcasting its mobile identification number (MIN) and electronic serial number (ESN), commonly known as the "pair."
When the cell site receives the pair signal, it determines if the requester is a legitimate registered user by comparing the requester's pair to a cellular subscriber list. Once the cellular telephone's pair has been recognized, the cell site emits a control signal to permit the subscriber to place calls at will. This process, known as anonymous registration, is carried out each time the telephone is turned on or picked up by a new cell site.
Vulnerability to Monitoring
All cellular telephones are basically radio transceivers. Your voice is transmitted through the air on radio waves. Radio waves are not directional -- they disperse in all directions so that anyone with the right kind of radio receiver can listen in.
Although the law provides penalties for the interception of cellular telephone calls, it is easily accomplished and impossible to detect. Radio hobbyists have web sites where they exchange cell phone numbers of "interesting" targets. Opportunistic hobbyists sometimes sell their best "finds." Criminal syndicates in several major U.S. metropolitan areas maintain extensive cell phone monitoring operations.
Cell phones operate on radio frequencies that can be monitored by commonly available radio frequency scanners.
It is easy for an eavesdropper to determine a target's cellular phone number, because transmissions are going back and forth to the cellular site whenever the cell phone has battery power and is able to receive a call. For a car phone, this generally happens as soon as the ignition is turned on. Therefore, the eavesdropper simply waits for the target to leave his or her home or office and start the car. The initial transmission to the cellular site to register the active system is picked up immediately by the scanner, and the number can be entered automatically into a file of numbers for continuous monitoring.
One of the most highly publicized cases of cellular phone monitoring concerned former Speaker of the House of Representatives Newt Gingrich. A conference call between Gingrich and other Republican leaders was "accidentally" overheard and then taped. The conversation concerned Republican strategy for responding to Speaker Gingrich's pending admission of ethics violations being investigated by the House Ethics Committee. The intercepted conversation was reported in the New York Times and other newspapers. 1
Pagers have similar vulnerabilities. In 1997, police arrested officials of a small New Jersey company, Breaking News Network, that was monitoring pager messages to New York City leaders and police, fire, and court officials, including messages considered too sensitive to send over the police radio. They were selling the information to newspaper and television reporters. The offenses carry a penalty of up to five years in prison and fines of $250,000 for each offense. 3
Vulnerability to Being Used as a Microphone
The user doesn't know the telephone is in the diagnostic mode and transmitting all nearby sounds until he or she tries to place a call. Then, before the cellular telephone can be used to place calls, the unit has to be cycled off and then back on again. This threat is the reason why cellular telephones are often prohibited in areas where classified or sensitive discussions are held.
Vulnerability to Cloning
Cellular telephone thieves don't steal cellular telephones in the usual sense of breaking into a car and taking the telephone hardware. Instead, they monitor the radio frequency spectrum and steal the cell phone pair as it is being anonymously registered with a cell site.
Cloning is the process whereby a thief intercepts the electronic serial number (ESN) and mobile identification number (MIN) and programs those numbers into another telephone to make it identical to yours. Once cloned, the thief can place calls on the reprogrammed telephone as though he were the legitimate subscriber.
Cloning resulted in approximately $650 million worth of fraudulent phone calls in 1996. Police made 800 arrests that year for this offense.5 Each day more unsuspecting people are being victimized by cellular telephone thieves. In one case, more than 1,500 telephone calls were placed in a single day by cellular phone thieves using the number of a single unsuspecting owner. 6
The ESN and MIN can be obtained easily by an ESN reader, which is like a cellular telephone receiver designed to monitor the control channel. The ESN reader captures the pair as it is being broadcast from a cellular telephone to a cell site and stores the information into its memory. What makes this possible is the fact that each time your cellular telephone is turned on or used, it transmits the pair to the local cellular site and establishes a talk channel. It also transmits the pair when it is relocated from one cell site to another.
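The following is an added example, not part of the original page. It models the pair-only registration check described above and shows why a cloned pair is accepted exactly like the original, then applies one carrier-side heuristic that flags a pair registering at two cell sites faster than a handset could travel. The subscriber list, site names, distances, registration log and speed threshold are all constructed assumptions.

```python
"""Pair-only registration and a carrier-side clone heuristic (constructed data)."""

# Constructed subscriber list: the (MIN, ESN) pairs the carrier accepts.
SUBSCRIBERS = {("2025550101", "9A00C3F1"), ("2025550102", "9A00C7B2")}

# Hypothetical distances between cell sites, in km.
SITE_DISTANCE_KM = {
    frozenset({"DC-01", "DC-02"}): 4.0,
    frozenset({"DC-01", "NYC-07"}): 330.0,
    frozenset({"DC-02", "NYC-07"}): 328.0,
}

# Constructed registration log: (unix_seconds, MIN, ESN, cell_site).
REGISTRATIONS = [
    (1000, "2025550101", "9A00C3F1", "DC-01"),
    (1600, "2025550101", "9A00C3F1", "DC-02"),   # 4 km in 10 min: plausible move
    (2200, "2025550101", "9A00C3F1", "NYC-07"),  # 328 km in 10 min: second handset
    (1200, "2025550102", "9A00C7B2", "DC-02"),
    (1500, "2025550199", "00000000", "DC-01"),   # not on the subscriber list
]

def is_registered(min_, esn):
    """The check described in the text: the pair is the only credential."""
    return (min_, esn) in SUBSCRIBERS

def find_impossible_travel(registrations, max_kmh=200.0):
    """Flag accepted pairs seen at two sites faster than a handset could travel."""
    last_seen = {}  # pair -> (time, site) of the previous accepted registration
    alerts = []
    for ts, min_, esn, site in sorted(registrations):
        pair = (min_, esn)
        if not is_registered(*pair):
            continue  # rejected at registration; nothing to correlate
        if pair in last_seen:
            prev_ts, prev_site = last_seen[pair]
            if site != prev_site:
                km = SITE_DISTANCE_KM[frozenset({prev_site, site})]
                hours = max(ts - prev_ts, 1) / 3600.0
                if km / hours > max_kmh:
                    alerts.append((pair, prev_site, site, round(km / hours)))
        last_seen[pair] = (ts, site)
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(REGISTRATIONS):
        print("possible clone:", alert)
```

The NYC-07 registration passes `is_registered` because it carries the same pair as the legitimate handset; only correlating registrations across sites separates the two.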
Cloning occurs most frequently in areas of high cell phone usage -- valet parking lots, airports, shopping malls, concert halls, sports stadiums, and high-congestion traffic areas in metropolitan cities. No one is immune to cloning, but you can take steps to reduce the likelihood of being the next victim.
Cellular Phone Security Measures
The best defense against these three major vulnerabilities of cell phones is very simple -- do not use the cell phone. If you must use a cell phone, you can reduce the risk by following these guidelines: