17

Watching the Snowden interview last night, Brian Williams asks him what degree of control the NSA has over smartphones -- in particular, whether or not they can remotely turn them on in order to collect data. Snowden replies "Yes" and goes on to say some scary things about the kinds of data that government agencies can collect.

I've never heard of this before. What kind of mechanism would facilitate this? Do iPhones have some kind of wake-on-LAN feature? Is this an actual feature which is well known, or conjecture by Snowden? I see this question provides concrete evidence in the case of smart TVs in addition to some hazy assertions that "anything is possible" -- has such a thing been demonstrated to exist?

Patrick Collins
  • 273
  • 2
  • 5
  • 2
    Robert Graham wrote about this on his blog on Wednesday. [No, you can't remotely turn on phones](http://blog.erratasec.com/2014/05/no-you-cant-remotely-turn-on-phones.html) – Xander May 30 '14 at 17:01
  • 1
    Possible duplicate of [Can a powered down cell phone be turned on remotely?](http://security.stackexchange.com/questions/12740/can-a-powered-down-cell-phone-be-turned-on-remotely) – WhiteWinterWolf Jul 18 '16 at 09:55
  • Here is an [in-depth paper](https://www.tjoe.org/pub/direct-radio-introspection) on the topic (co-authored by Snowden himself). Also, a good point is brought up in a comment to [this question](https://security.stackexchange.com/questions/12740/can-a-powered-down-cell-phone-be-turned-on-remotely): old dumb phones are able to trigger the alarm clock even if powered off (i.e. if you set the alarm and power the phone off, it will turn itself on and start the alarm at the set time). What this suggests is that the phone is not completely **off** when it is powered down. –  Dec 08 '19 at 02:24

2 Answers

22

There is a semantics issue at play here that makes answering definitively very difficult.

What precisely did Mr. Snowden talk about when he said "Yes they can turn your phone on"?

Did he mean activate a device that is in a shutdown (not standby, low-power-ready-to-function) state?

  • Doubtful.

Did he mean activate a device in a low-power, standby state?

  • Possibly. This is a no-brainer, and exactly one of the features a "stand by" state is intended to facilitate. A carrier or gov agency exploiting it via code or warrant is nothing surprising.

Did he mean 'turn on the microphone or other sensors when an active call is not in progress, to allow recording of ambient noises and conversations near the device?'

  • Probably, and this is a known capability of service providers and thus government agencies for some time.[1]

[1] http://en.wikipedia.org/wiki/Covert_listening_device#Remotely_activated_mobile_phone_microphones

0xSheepdog
  • 765
  • 5
  • 13
6

> whether or not they [the NSA] can remotely turn them [smartphones] on in order to collect data.

> What kind of mechanism would facilitate this?

We need to cover the meaning of off first. With a lightbulb controlled by a simple switch the light will be on or off (or burned out/broken). However with a dimmable lightbulb a light may be fully on, fully off, or somewhere in between.

Smartphones use a lot of power. They must power RF transmitters, RF receivers, screen, camera, etc. Like a dimmable light bulb, parts of the smartphone may be turned off while other parts are on. Typically the highest power uses (like screen backlighting) are off more often than they are on. Analogous to the dimmer, the last component to have power before the whole phone is off is a processor/controller that has the capability to turn other parts of the phone on or off.

Even though a typical user may believe their phone is off, a smartphone is never really off. It just goes down to the lowest possible power consumption so that it can save battery power until it receives a signal that the user wants to use the phone. For example, pressing the camera button on phones with a dedicated camera button turns on power to the camera, screen, etc. The only time a smartphone may be said to be unable to function is when it is not physically connected to a power source: not connected to a charger or external power source, and the battery has insufficient voltage to power the phone at its lowest power mode.

So most smart phones wait around waiting to be turned more on. The real trick here is how does an adversary find a wireless channel to remotely control a smartphone without being detected. You won't be scared if someone had to reach in your pocket and press a button on the phone to get it to record your private conversations. Nor would you be impressed if remotely turning on the camera made the phone beep loudly.

The impressive trick is to remotely control specific recording devices on the phone without being noticed. This requires at least one of the many RF receivers on the smartphone (WiFi, Bluetooth, RFID/NFC, GPS, GSM, CDMA, LTE, etc) to be powered on. Without at least one of the many receivers in a state where it is capable of receiving signal, the phone is not remotely controllable.

> Do iPhones have some kind of wake-on-LAN feature?

Some standard iPhones may, or they may not. What is required is a modification to the intended design of the phone to allow a remote adversary to exercise control over the phone. This may be done in hardware, software, or a combination of both.

TL;DR

> Is this an actual feature which is well known, or conjecture by Snowden?

This is not conjecture. For the iPhone, search for "DROPOUTJEEP"; this information was leaked in December of 2013.

> has such a thing been demonstrated to exist?

From a document dated 2008 from the DailyDot.com "the NSA claims a 100 percent success rate when it comes to implanting iOS devices with spyware." Jay Hathaway on December 30, 2013

At that time it was necessary for the iPhone to be physically intercepted, meaning that an agent intercepted the phone between Apple shipping the device and the individual customer receiving the device, and added special software to the phone to allow it to be remotely controlled.

Five years have passed and I believe it is no longer necessary to physically intercept the phone for the NSA to gain control over it.

forest
  • 65,613
  • 20
  • 208
  • 262
this.josh
  • 8,843
  • 2
  • 29
  • 51
  • 2
    "Five years have passed and I believe it is no longer necessary to physically intercept the phone for the NSA to gain control over it" What do you think has changed, exactly? – Rodrigo Feb 26 '16 at 14:36