44

I know this is tin-foil hat fodder, but at least one judicial opinion referenced a bug that could track/listen in on the subject "whether the phone was powered on or off," although that may have been a judge misinterpreting the technobabble spouted at him, or an FBI agent overhyping their tech to the judge.

It seems like with smartphones all the rage now, it would be possible, e.g. to create a root kit that would simply mimic the phone entering a powered down state while still transmitting, although this would have an obvious effect on battery life unless it actually powered down most of the time and just woke up to transmit basic location information in a heartbeat configuration. Is there anything similar out there in use by either "good guys" or "bad guys" that you know of?

Anders
  • 65,052
  • 24
  • 180
  • 218
Sam Skuce
  • 583
  • 1
  • 4
  • 7
  • 14
    My old candy-bar dumb phone, when turned off, will still turn itself back on to sound a set alarm. So I've never assumed powering down a phone means anything except that it is in a state of deep battery conservation. – logicalscope Mar 15 '12 at 04:17
  • 1
    +1 to @logicalscope. My current flip-phone does this also. The question then becomes, is the radio still active when the phone is "turned off"? – Iszi Mar 15 '12 at 04:37
  • @Sam Skuce +1 we need more questions like this. – rook Mar 15 '12 at 06:12
  • 6
    @Iszi not proof, but whenever I go into a "highly secure" area (e.g. government, military, etc) I either have to leave my cellphone outside, or **remove the battery**. Some of this is "tinfoil-hat", as the OP said, but perhaps there is something to it. – AviD Mar 15 '12 at 06:40
  • Yep, they just keep on trying, poor things... Well, I remembered something about the *NO SUCH AGENCY* buzzing every mobile number every day to prevent terrorists from you know...being terrorists. ;-9 –  Mar 15 '12 at 05:56
  • 1
    @AviD♦ hold up, let me just remove the battery on my iPhone :) – rook Mar 15 '12 at 16:22
  • http://www.justanswer.com/android-devices/7o590-turn-android-3g-cell-phone-remotely.html Here is a link to a conversation outlining how to remotely power on an Android phone. Enjoy –  Dec 10 '13 at 16:52
  • It seems the guy who is answering in the thread you linked to is confused. He actually linked to an app called "remote turn OFF", which turns the phone off when it receives a formatted SMS message. Somebody in the app's thread even asked for the ability to turn the phone on, and was told the app couldn't do that. – Sam Skuce Dec 10 '13 at 18:08
  • They get you to take out the battery because that is the only way they can be sure that you've turned it off. The phone , once off, cannot be remotely turned back on. – munchkin Aug 11 '15 at 16:24
  • I heard an interview on BBC radio 4 with somebody from MI5 and he described tools exactly like this. They make the phone appear to be off when in fact they are still powered on. Apparently there are tools like this commercially available to buy and they are advertised as for use by government authorities for legitimate investigation purposes only, but of course who knows whether they actually check this. – rdans Jun 16 '16 at 12:58
  • 3
    Related: [Is it possible for a phone to be transmitting even while turned off and the battery removed?](https://security.stackexchange.com/q/65382/32746) – WhiteWinterWolf Jul 18 '16 at 09:58
  • Define "OFF". If you mean really, truly off, then it would not be possible, by definition. If you mean "appear off", then it is "simple" to do. – MikeP Mar 09 '17 at 23:30

7 Answers7

42

Who's to say that the phone is really off? If someone controls the firmware of the device then the off functionality could be replaced with state in which the phone appears to be "off" but is in fact maintaining a line of communication to a remote user.

However firmware cannot stop you from introducing a hardware switch to disconnect the microphone. A similar switch could be used to disconnect the battery. With physical control over the device you can just move to a lower layer than your attacker and cut them off.

rook
  • 47,004
  • 10
  • 94
  • 182
  • Accepted because you answered the question in the title, and it appears that no-one is willing to admit they know about such functionality being used in the real world =) – Sam Skuce Mar 20 '12 at 16:30
  • @Sam Skuce Yeah sorry i am not aware of this software existing int he wild. Also its not really proper to call this a rootkit per say, this functionality is below the kernel its in the firmware. – rook Mar 20 '12 at 16:41
  • @Rook, yeah if it's in the firmware from the manufacturer, it's not a root-kit, it's a feature! But the (hypothetical, I want you to think) rootkit I referred to in my question is an aftermarket add-on that can be surreptitiously installed by any of the usual malware methods, so the term would be accurate. – Sam Skuce Mar 20 '12 at 16:52
  • @Sam Skuce an attacker can flash the device's firmware, and telco's roll out firmware updates over the network all the time to make sure devices are "working properly". – rook Mar 20 '12 at 17:04
  • Sorry, had to update accepted answer because @John Deters pointed out a real demo at Black Hat. Still a good answer though! – Sam Skuce Dec 10 '13 at 19:32
29

A Korean researcher demonstrated this on Samsung Smart TVs at Black Hat this year. (Slide deck here.) He mentions that the malware was originally designed for cell phones, and that TV sets were even easier to attack because battery life did not give them away.

His basic premise is that if he owns your device, he owns the power indicators, too.

Remote power-on isn't a problem when it's never actually powered off.

Anko
  • 189
  • 10
John Deters
  • 33,897
  • 3
  • 58
  • 112
  • Very cool. Thanks! I see that it required root access, both on phones and the TV, which was the focus of the presentation. So it would require rooting the victim's phone first, which would require physical access or an unpatched vulnerability, e.g. in the browser. Probably not too difficult for a determined adversary to get in using one of those methods. – Sam Skuce Dec 10 '13 at 19:31
  • @SamSkuce Not necessarily. It may just require a privilege escalation exploit. – Mark Buffalo Feb 03 '16 at 18:13
  • And now the CIA is [using an attack like this in the wild](http://www.cbsnews.com/news/cia-hacked-samsung-smart-tvs-wikileaks-vault-7/) against Samsung Smart TVs. – Sam Skuce Mar 10 '17 at 15:10
4

As an example, iPhone alerts will wake up the phone even if it is turned "off" via the UI. The software is black-box and proprietary. With one of these common phones you have no assurances of anything.

Off has a different meaning now than it used to with respect to technology. There are different levels of power consumption: hibernate, sleep, deep sleep, off, etc. Ultimately, if there is power supplied (charged battery present) you don't really know what the phone is capable of unless you examine the source code of the software running on the phone and have an assessment of its hardware capabilities.

geoO
  • 320
  • 1
  • 5
2

A lot of these attacks exploit the fact that your phone isn't actually a single device; its main application processor is completely separate from its "baseband" processor (the cell modem). Frequently, the two communicate only over a serial line, and the baseband has direct access to the speaker and mic. (This is done for battery reasons; the baseband has hardware acceleration for the specific codecs that cell networks use.)

The baseband runs an OS too, and can be compromised just like the OS on the application processor. The difference, of course, is that when the application processor shuts off and tells the baseband to follow suit, a compromised baseband can ignore that command and continue to relay your mic data to a hacker, usually over a standard phone call (that's hidden from the application processor).

If done this way, the application processor will have no knowledge of what's going on and no control over it, so when you "turn your phone off" it will look and act like it's off, but not actually be off.

Reid Rankin
  • 1,082
  • 5
  • 10
  • Someone I knew did an internship with the [MIC](https://en.wikipedia.org/wiki/Military%E2%80%93industrial_complex). He was given a live demonstration of your hypothetical to explain why they had to stow their phones in lockers outside the Facility. The target device wasn't even a smartphone, and (unless I recall mistakenly) the battery was removed during the demo. – Michael Feb 24 '23 at 19:37
2

A pretty failproof test would be to:

  1. Fully charge battery, and verify it's 100% before proceeding
  2. Turn your phone completely OFF (Android = long-press on power button, then "Power Off")
  3. Leave it sit in "OFF" condition for as long as possible - at least 1-2 days
  4. When you power it back ON, then observe battery charge condition. If it's more than 1-2% lower than when you turned it OFF, then your phone's OFF isn't really OFF, as there should be zero power drain in that condition.

For any "hidden background processes" to be running and be able to "listen in" (or perform other unauthorized monitoring), you would still need to keep the cellular radio powered ON to listen for a remote "wakeup" command.

The cellular radio is one of the most power hungry parts of your phone. You can verify this by enabling "Airplane mode", which turns off all "radios" in your phone... cellular, Wifi and Bluetooth. If you do this, and leave your phone sit idle for an extended period (12 hours), it will throttle-down the CPU, and use almost zero power... expect to see maybe 3-5% usage over 12 hours of inactivity.

This is very useful for using the alarms overnight, without running the battery down if you don't have access to a charger.

You might think "airplane mode" would be as "safe" as turning the phone OFF... but it's not... because (as others have mentioned) as long as the CPU is still running, malware can still run and force the "radios" back ON at-will... but if the CPU is not turned ON at all (Power = OFF), nothing can happen.

The concept of a heartbeat "wakeup" mode isn't very realistic either... since if the device is truly OFF, loading all of the OS is still required to be able to run any real process... not much happens without loading the OS... which takes quite a while - with respect to a "heartbeat" type hidden process.

Until phones are designed with a "static-state" (whereby the complete state of RAM and CPU's are instantly resumed upon application of power)... so that the OS never needs to load, you can't really use this type of heartbeat process. (this type of design is exceedingly expensive... seriously)

25+ yrs of EE design experience speaking here... and in consumer products, it's just not feasible...

...yet

ronbot
  • 21
  • 1
1

Assuming it's not a "fake" off state (as other posters point out, a relatively easy thing to do if the phone is under control of the attacker), then: probably not. Most phones that are in an "off" state will turn off the radios (cellular, wifi, and bluetooth) to save power.

O'Rooney
  • 235
  • 1
  • 8
0

It wasn't that many years ago that I was reading in a respected scientific magazine that circuits/chips were being developed to be able to remotely activate or power down equipment mainly for space craft that cant be easily accessed once launched. They specifically mentioned that a system could be in a dormant state but could detect and respond to specific coded commands to power up perform a task and then basically power down again. This is exactly what would be used to remotely control a cell phone embedded with similar electronics.

major
  • 1
  • 3
    Hi Major. It would be good if you could include a link to any such magazine/chip producer to back that up. Cheers, – NULLZ May 27 '13 at 03:27