Sign in with
Sign up | Sign in

NSA Tracks Turned-Off Phones — But Phone Makers Don't Know How

By - Source: Tom's Guide US | B 53 comments

Tracking a cellphone is easy, especially for the National Security Agency. But can you track a cellphone that's been turned off?

It sounds impossible, but the NSA apparently has been able to track powered-down mobile phones since 2004, as reported by The Washington Post in July 2013.

The Post's mention of this ability was brief. It was buried within a longer narrative regarding the NSA's partnership with the U.S. military's Joint Special Operations Command (JSOC) to track and kill high-profile al-Qaida targets in Iraq:

"By September 2004, a new NSA technique enabled the agency to find cellphones even when they were turned off. JSOC troops called this 'The Find,' and it gave them thousands of new targets," the Post reported.

MORE: NSA Leaks 2013 – A Timeline of NSA Revelations

Hoping for more information, British watchdog group Privacy International in August wrote directly to eight major mobile-phone manufacturers and operating-system providers asking how that could be possible.

So far, Ericsson, Google, Nokia and Samsung have responded — and, as far as they know or can say, it shouldn't be possible to track powered-down cellphones.

All four companies claimed to be unaware of any exploit or vulnerability that would make tracking a powered-down phone possible, since pressing the "off" button on a phone entirely deactivates its network connectivity.

"When a mobile device running the Android Operating System is powered off, there is no part of the Operating System that remains on or emits a signal," Google told Privacy International.

Similarly, Samsung Vice President Hyunjoon Kim wrote: "Without the [mobile phone's] power source, it is not possible to transmit any signal, due to the components being inactive. Thus the powered-off devices are not able to be tracked or monitored by any 3rd party." (You can read Samsung's letter on Privacy International's website.)

Nokia's Chad Fentress had a similar statement, but his phrasing raised eyebrows at Privacy International: "Our devices are designed so that when they are switched off, the radio transceivers within the devices should be powered off." (Nokia's statement is also available on the website.)

Privacy International research officer Richard Tynan told Ars Technica that Nokia's wording, particularly the "should," is suspicious.

"Nokia's wording is very nuanced," Tynan said. "They don't say that transceivers 'are' switched off."

However, both Ericsson and Samsung suggested that it might be possible to place spyware on a phone that would keep some of its network functions active even after users pressed the power button to turn it off.

Without confirmation from the NSA, or access to the documents leaked by former NSA contractor Edward Snowden, it's impossible to tell exactly how, or even if, tracking powered-down mobile phones is possible.

Privacy International is still waiting for responses from Apple, HTC, Microsoft and BlackBerry. The organization plans to reach out to LG, Motorola, Sony and others in the near future.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Display 53 Comments.
This thread is closed for comments
Top Comments
  • 12 Hide
    ocilfa , November 12, 2013 10:48 AM
    @gggplaya That's why you remove the battery.
Other Comments
  • 0 Hide
    gggplaya , November 12, 2013 10:45 AM
    It's literally impossible to track a powered off phone. The operating system is not functioning, the cellular signal is not active, the circuits are powered down.

    However, it is possible to install a software program to make the user think the phone has been powered off. When they press "power off", it visually gives them an indication that it is booting down, but in reality is still running.
  • 12 Hide
    ocilfa , November 12, 2013 10:48 AM
    @gggplaya That's why you remove the battery.
  • 6 Hide
    InvalidError , November 12, 2013 11:00 AM
    "Powered Down" might be a relative term: do phones actually have a MOSFET that physically breaks electrical continuity between the power source and RF chips or do phones rely on the RF ICs themselves to manage their own power?

    If the RF ICs are managing their own power, it would be possible for Broadcom, Qualcom, etc. to have their own reporting routine in their RF chips' firmware that powers up independently from the main CPU/OS.

    So there is at least one way it could happen.
  • 6 Hide
    figgie , November 12, 2013 11:12 AM
    For all Intents and Purposes... the receiver is off.

    but it is simple RF. regardless if it is off or not, send a strong enough signal and it will resonate ;)  the military application has been there for ever... don't query the object, query the oscillator.

    Now the question is filtering the noise out.

    Let me put it to you this way. We were able to track powered off radar speed guns in patrol cars.
  • 0 Hide
    Baldarhion , November 12, 2013 11:15 AM
    Yes InvalidError. And even without battery, some capacitors couls do the job too.

    Well... I guess the only option is a a microwave oven: (yes, luckily, it's wave proof, so
    pizza Industry will be a pain in the a** for the NSA and save our privacy, i suppose...
  • 0 Hide
    realibrad , November 12, 2013 11:18 AM
    I thought this was already assumed? Here is an ABC article about how the FBI can listen in on phone calls, even when the phone is off.

    http://abcnews.go.com/blogs/headlines/2006/12/can_you_hear_me/
  • 0 Hide
    razor512 , November 12, 2013 11:20 AM
    It depends in the phone is able to still periodically power on the cell radio, but I guess that will be spotted during the fcc test. Other than that, the only way to track a device is if you are very close and it has some kind of RFID, or something else that can respond to RF without having a local power source. Most cities have a wide range of RFID trackers for collecting traffic data, though there is nothing saying that they cannot track other things that can respond to a similar fashion to RFID

    PS modern smartphones never fully power off, if you run it through a multimeter, you will see that even when powered off, they will pull quite a few microamps (though it may be for the soft power switch, clock and other needed components to listen for that button press)
  • -4 Hide
    cgharvey , November 12, 2013 11:34 AM
    what happens when you phone is off and you get a call? It says the phone is off.. so..im guessing they can "ping" your phone.. Yes? because you get back a message the subscriber can not be reached.
  • 1 Hide
    burmese_dude , November 12, 2013 11:42 AM
    NSA has the all knowing Miss Cleo. She can tell everything in fake Jamaican accent.
  • 0 Hide
    das_stig , November 12, 2013 11:48 AM
    How about the cpu itself running internal code to access the radio ??
  • 3 Hide
    MPrice , November 12, 2013 11:56 AM
    "what happens when you phone is off and you get a call? It says the phone is off.. so..im guessing they can "ping" your phone.. Yes? because you get back a message the subscriber can not be reached."

    How about the concept that your phone can be assumed to be off because it cannot be pinged? Makes a bit more sense right?
  • 0 Hide
    koga73 , November 12, 2013 12:19 PM
    Figgie's comment sounds about right.
    Quote:

    but it is simple RF. regardless if it is off or not, send a strong enough signal and it will resonate the military application has been there for ever... don't query the object, query the oscillator.


    Something else to consider is the phones GPS. GPS satellites are constantly beaming down signals and normally the device would triangulate its position. It seems possible that the GPS signals could "bounce" off a GPS chip or create some sort of interference even if powered down.
  • 1 Hide
    coolitic , November 12, 2013 12:44 PM
    However, both Ericsson and Samsung suggested that it might be possible to place spyware on a phone that would keep some of its network functions active even after users pressed the power button to turn it off.

    That's what I was thinking.
  • -1 Hide
    coolitic , November 12, 2013 12:44 PM
    However, both Ericsson and Samsung suggested that it might be possible to place spyware on a phone that would keep some of its network functions active even after users pressed the power button to turn it off.

    That's what I was thinking.
  • -1 Hide
    coolitic , November 12, 2013 12:44 PM
    However, both Ericsson and Samsung suggested that it might be possible to place spyware on a phone that would keep some of its network functions active even after users pressed the power button to turn it off.

    That's what I was thinking.
  • 1 Hide
    Akizu , November 12, 2013 12:52 PM
    "what happens when you phone is off and you get a call? It says the phone is off.. so..im guessing they can "ping" your phone.. Yes? because you get back a message the subscriber can not be reached. "

    No, it doesn't work that way. When you turn off your phone, it sends one last signal that tells the service provider that it has been powered-off. That's why you get different message if you powered-off the phone and different one if it went out of signal range.

    As for a solution to tracking: after powering-off your cell phone just warp it in a tin foil. Yes. Tin foil. That simple.
  • 0 Hide
    onichikun , November 12, 2013 1:07 PM
    "what happens when you phone is off and you get a call? It says the phone is off.. so..im guessing they can "ping" your phone.. Yes? because you get back a message the subscriber can not be reached. "

    As Akizu mentioned your phone will broadcast a power-down message.. Even if that message isnt sent the cell towers know your last cell location.. if it can't ping it's last location and your phone is not present in a certain number of adjacent cells, your phone is deemed unreachable.

    While "querying the oscillator" does indeed work due to resonant circuits, the noise you would have would prevent any unique characteristic identification solely on that -- the resonance of the RF circuit isn't going to trigger a ID broadcast to identify what oscillator you are querying.

    It's more likely they have some low-powered heartbeat signal that continues when your phone is "off". To fix it just wrap it in tinfoil, or any conductive cage... the NSA can't beat physics.... hopefully :3
  • 0 Hide
    vhawk , November 12, 2013 1:09 PM
    Mmmmh - maybe I should start selling Faraday covers to the paranoid ....
  • 0 Hide
    Onus , November 12, 2013 1:37 PM
    This kind of thing is why, in secure environments, cell phones are either simply not allowed, or must have their batteries removed.
  • 0 Hide
    ddpruitt , November 12, 2013 1:42 PM
    The article is pure bunk designed to sell papers. When powered down the phone can't be tracked. The OS unloads all of the drivers so it isn't done in software (unless you think the NSA is willing to build OS drivers for all the devices out there) and the radios are powered down. You can't ping a signal off of the device to figure out were it is. First of all GPS decoding is done on device, and as anyone who's ever done Navigation knows, this is a massive power drain. You can't ping the transceivers because the phone has to be in a sleep state in order to respond. Etc, etc, etc.

    As for the phone receiving calls, well it's not powered down at that point, just in standby.

    If you really need proof that the device can't be tracked turned it off and see how long your battery lasts.
Display more comments
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter