Is it possible for the National Security Agency (NSA) to remotely power up a mobile phone and use it as a listening device? In an interview that aired last night (May 28), American NSA whistleblower Edward Snowden told NBC's Brian Williams that the agency can.
"Can anyone turn it on remotely if it's off?" Williams asked Snowden, referring to the "burner" smartphone Williams used for travel to Russia. "Can they turn on apps? Did anyone know or care that I Googled the final score of the Rangers-Canadiens game last night because I was traveling here?"
"I would say yes to all of those," Snowden replied. "They can absolutely turn them on with the power turned off to the device."
Cellphone security experts are divided over whether that's true — and whether Snowden knew what he was talking about.
Snowden's revelation technically isn't new. In July 2013, a month after the first Snowden leaks appeared, a Washington Post article on the NSA's use of cellphone surveillance reported that the NSA had implemented such a program years earlier to aid American forces hunting insurgents in Iraq.
"By September 2004," the Post reported, "a new NSA technique enabled the agency to find cellphones even when they were turned off. JSOC [Joint Special Operations Command] troops called this 'The Find.'"
Those few lines set off a firestorm of controversy in the cellphone-security community as experts tried to figure out how it might be possible to turn on a powered-off smartphone. Snowden's comments in the NBC interview last night restarted the conversation.
As with most things, the issue is a bit more complicated than it sounds. Turning on a cellphone remotely would involve something called a baseband hack, and it's not simple to pull off.
"Snowden saw programs that were widely successful at getting intelligence from phones, but he doesn't understand the details," wrote Robert David Graham, founder of Atlanta security company Errata Security, in a blog response to the NBC interview.
"Yes, there may be a model of phone out there where the NSA was able to 'remotely turn it on' (probably because a baseband processor was never truly off)," Graham wrote. "But that doesn't mean that when you turn off your iPhone, the NSA can do anything with it."
Based on the baseband
Smartphones actually contain two computers: a baseband processor (the "phone" part, which handles the cellular radio and its protocols) and the operating-system processor (often called the application processor), which runs iOS, Android or Windows Phone and controls the apps and everything else you see on the phone's screen. When you use your phone, you're interacting with the operating system, not the baseband.
When you power your phone off, you're shutting down the operating system. But are you turning the baseband processor off as well?
Back in 2004, when the NSA allegedly first gained the ability to remotely turn on cellphones, the answer may well have been no. When some so-called "feature phones" were powered off, their baseband chips kept communicating with cell towers operated by carriers such as AT&T or Verizon Wireless. Only when the batteries were removed from such phones did the baseband truly turn off.
So do today's smartphones, many of which (iPhones among them) have no removable batteries, also keep their basebands on when the handsets are fully powered down, not merely asleep in a pocket?
It's very unclear. Jonathan Zdziarski, a Boston-area independent security expert who specializes in retrieving information from iPhones, says that today's baseband chips may very well remain active even when a phone is powered down.
"The baseband has to be programmed to remain in a ready state while the device is powered off," Zdziarski told Tom's Guide. "I can't tell you with any certainty if that's how the iPhone baseband is programmed."
"The baseband could be programmed so, while the power source is connected, it stays in a ready mode," he said. "That seems to be at least a plausible assumption based on, and only based on, a number of other articles citing FBI and CIA and the agencies that have been able to locate these devices while they're turned off."
It's difficult to be certain whether a modern smartphone's baseband chip remains on in some capacity when the phone is switched off. Baseband chips are made by a handful of companies and run closed, proprietary code that few outsiders have access to.
It's also possible that even if baseband chips don't always stay on by default, the NSA may have found ways to push out tailored firmware updates to targeted cellphones to make sure the baseband chips do stay on for those particular handsets.
Rounding the basebands
That brings us to the next question: If the baseband chip somehow stays on, could you contact it and command it to turn on the rest of the phone, including the smartphone operating system, so that the phone can be used as a listening device? Does the baseband chip have that capability?
Connecting to the baseband in the first place is not difficult. There are plenty of ways to trick a phone into connecting to a malicious base station instead of a carrier's tower. The FBI has a cell-site simulator for this called the Stingray; its existence has been common knowledge for years, and similar rogue-base-station techniques have been demonstrated at hacker conferences.
But once you're connected to the targeted phone, how do you gain control of the baseband processor?
"The code in baseband processors is crap," wrote Graham. "It's relatively easy to find vulnerabilities that can be used to take control of the baseband processor ... The code is so fragile it's hard not to find a bug in it."
Finding a bug in a given baseband may only be a matter of time, but the NSA would need bugs in every type of baseband processor it wanted to target, and new ones whenever old ones got patched.
But even with control of the baseband, you still aren't into the operating system, which you would need in order to get at the really important information: emails, contact lists, documents and more. Do baseband processors have enough control over the operating-system processor to turn the phone on?
Dial 0 for Operating System
Accessing a phone's operating system from its baseband "requires a whole new set of exploits, which sometimes won't work," wrote Graham.
He argued that it's safe to assume that most phones are safe from remote activation. The NSA may be looking for such vulnerabilities, but that doesn't mean it always has them.
Zdziarski takes a different stance.
"Based on what we know NSA's abilities are," he said, "they are probably putting their best people on trying to find exploits for [mobile phones] and I think it's entirely possible they could have exploited certain phones to this degree."
Zdziarski pointed out that all smartphones have a number of strong links between the baseband and the operating system, such as the federally mandated ability to make emergency calls. Even when a phone's lock screen is protected by a PIN or password, it can still call 911.
"If the baseband is the master of that main processor, I'd think one way or another, it would have some type of control over being able to power up that processor," Zdziarski told Tom's Guide.
It's possible that a means of accessing the operating system from the baseband is built right into the phone. The NSA has put "backdoors" (hidden means of access) into other products, so it's not unreasonable to assume something similar happens in a mobile phone. Zdziarski has come across many undocumented features buried in iPhones that appear designed to yield the phone's data.
The NSA also has an enormous budget, and it's known to pay top dollar for zero-day exploits, ones that target previously unknown and unpatched vulnerabilities, on the black market.
"I'm not saying this is easy. Even if [NSA] had zero cooperation [from phone companies], I can see a process like this costing tens of millions of dollars," said Zdziarski. "But the NSA has tens of millions of dollars to spend."
Ultimately, all of this is speculation. Snowden might have read a document about baseband hacks that has not yet been released to the public. Several independent hackers and researchers have published research on hacking basebands, but so far no one has published a proof-of-concept for remotely turning a phone on by going through the baseband.
Malware, that's where
There is another possible explanation for the NSA's alleged ability to turn on depowered smartphones, but it is far less broad, and requires compromising a smartphone before you're able to remotely activate it.
A phone infected with malware (in intelligence jargon, an "implant"), ideally installed during a brief period when spies have physical possession of the device, could be commanded remotely to turn on, or to do a number of other things.
But as Graham points out, it doesn't seem that Snowden and Williams were talking about implants.
"The question was Brian Williams holding a phone asking what the NSA could do to it — in the future (power it on)," Graham wrote. "He wasn't asking what they'd done to it in the past (install an implant)."
Baby turn me on
So how worried should you be that the NSA is turning your phone on? The answer is, unless you're a foreign spy or a very high-value target, probably not very much.
While the NSA does conduct some broad surveillance of all Americans, Snowden told Williams that most high-level smartphone hacks, including turning a phone on remotely, hijacking its microphone or camera, or stealing the data stored on it, are aimed at specific individuals.
"It's important to understand that these things are typically done on a targeted basis," Snowden told Williams. "It's only done when people go, 'This phone is suspicious. I think it's being held by a drug dealer. I think it's being used by a terrorist.'"