Can the NSA Remotely Turn On Mobile Phones?

Is it possible for the National Security Agency (NSA) to remotely power up a mobile phone and use it as a listening device? In an interview that aired last night (May 28), American NSA whistleblower Edward Snowden told NBC's Brian Williams that the agency can.

"Can anyone turn it on remotely if it's off?" Williams asked Snowden, referring to the "burner" smartphone Williams used for travel to Russia. "Can they turn on apps? Did anyone know or care that I Googled the final score of the Rangers-Canadiens game last night because I was traveling here?"

"I would say yes to all of those," Snowden replied. "They can absolutely turn them on with the power turned off to the device."

Cellphone security experts are divided over whether that's true — and whether Snowden knew what he was talking about.

MORE: Best Android Antivirus Security 2014

Snowden's revelation technically isn't new. In July 2013, a month after the first Snowden leaks appeared, a Washington Post article on the NSA's use of cellphone surveillance reported that the NSA had implemented such a program years earlier to aid American forces hunting insurgents in Iraq.

"By September 2004," the Post reported, "a new NSA technique enabled the agency to find cellphones even when they were turned off. JSOC [Joint Special Operations Command] troops called this 'The Find.'"

Those few lines set off a firestorm of controversy in the cellphone-security community as experts tried to figure out how it might be possible to turn on a powered-off smartphone. Snowden's comments in the NBC interview last night restarted the conversation.

As with most things, the issue is a bit more complicated than it sounds. Turning on a cellphone remotely would involve something called a baseband hack, and it's not simple to pull off.

"Snowden saw programs that were widely successful at getting intelligence from phones, but he doesn't understand the details," wrote Robert David Graham, founder of Atlanta security company Errata Security, in a blog response to the NBC interview.

"Yes, there may be a model of phone out there where the NSA was able to 'remotely turn it on' (probably because a baseband processor was never truly off)," Graham wrote. "But that doesn't mean that when you turn off your iPhone, the NSA can do anything with it."

Based on the baseband

Smartphones actually have two computers in them: a baseband processor (the "phone" part that deals with radio waves) and the operating-system processor, which runs iOS, Android or Windows Phone and controls apps and the rest of what you see on the phone's screen. When you use your phone, you're interacting with the operating system, not the baseband.

When you power your phone off, you're shutting down the operating system. But are you turning the baseband processor off as well?

Back in 2004, when the NSA allegedly first gained the ability to remotely turn on cellphones, the answer may have been yes. When some so-called "feature phones" were powered off, their baseband chips still communicated with cell towers operated by carriers such as AT&T or Verizon Wireless. Only when the batteries were removed from such phones did the baseband truly turn off.

So do today's smartphones — many of which, such as iPhones, have no removable batteries — also keep their basebands on when the handsets are powered down (not just in resting mode in a pocket)?

It's very unclear. Jonathan Zdziarski, a Boston-area independent security expert who specializes in retrieving information from iPhones, says that today's baseband chips may very well remain active even when a phone is powered down. 

"The baseband has to be programmed to remain in a ready state while the device is powered off," Zdziarski told Tom's Guide. "I can't tell you with any certainty if that's how the iPhone baseband is programmed."

"The baseband could be programmed so, while the power source is connected, it stays in a ready mode," he said. "That seems to be at least a plausible assumption based on, and only based on, a number of other articles citing FBI and CIA and the agencies that have been able to locate these devices while they're turned off."

It's difficult to be certain whether a modern smartphone's baseband chip remains on in some capacity when the phone is switched off. Baseband chips are made by a handful of companies and run closed, proprietary code that few outsiders have access to.

It's also possible that even if baseband chips don't always stay on by default, the NSA may have found ways to push out tailored firmware updates to targeted cellphones to make sure the baseband chips do stay on for those particular handsets.

Rounding the basebands

That brings us to the next question: If the baseband chip somehow stays on, could you contact it and command it to turn on the rest of the phone, including the smartphone operating system, so that the phone can be used as a listening device? Does the baseband chip have that capability?

Connecting to the baseband in the first place is not difficult. There are plenty of ways to trick a phone into connecting with a malicious tower instead of with a carrier's tower. The FBI has a tool for this called the Stingray; it's been common knowledge for years, and similar methods have been demonstrated at hacker conferences. 

But once you're connected to the targeted phone, how do you gain control of the baseband processor?

"The code in baseband processors is crap," wrote Graham. "It's relatively easy to find vulnerabilities that can be used to take control of the baseband processor ... The code is so fragile it's hard not to find a bug in it." 

Finding a bug in a baseband processor may only be a matter of time, but the NSA would need to find bugs in every single type of processor, and sometimes find new bugs when old ones get patched.

But even if you have control of the baseband, you still aren't into the operating system, which you would need to do in order to get really important information such as emails, contact lists, documents and more. Do the baseband processors have enough control over the operating-system processor to turn the phone on?

Dial 0 for Operating System

Accessing a phone's operating system from its baseband "requires a whole new set of exploits, which sometimes won't work," wrote Graham.

He argued that it's safe to assume that most phones are safe from remote activation. The NSA may be looking for such vulnerabilities, but that doesn't mean it always has them.

MORE: 13 Security and Privacy Tips for the Paranoid

Zdziarski takes a different stance.

"Based on what we know NSA's abilities are," he said, "they are probably putting their best people on trying to find exploits for [mobile phones] and I think it's entirely possible they could have exploited certain phones to this degree."

Zdziarski pointed out that all smartphones have a number of strong links between the baseband and the operating system, such as the federally mandated ability to make emergency calls. Even if a phone's access screen is locked by a PIN or password, it can still call 911.

"If the baseband is the master of that main processor, I'd think one way or another, it would have some type of control over being able to power up that processor," Zdziarksi told Tom's Guide.

It's possible that a means of accessing the operating system from the baseband is built right into the phone. The NSA has put "backdoors" — hidden exploits — into other products, so it's not unreasonable to assume something similar happens in a mobile phone. Zdziarski has come across many undocumented features buried in iPhones that seem to be designed to yield the phone's data.

The NSA also has an enormous budget, and it's been known to pay top dollar for zero-day (previously unknown) exploits on the black market.

"I'm not saying this is easy. Even if [NSA] had zero cooperation [from phone companies], I can see a process like this costing tens of millions of dollars," said Zdziarski. "But the NSA has tens of millions of dollars to spend."

Ultimately, all of this is speculation. Snowden might have read a document about baseband hacks that has not yet been released to the public. Several independent hackers and researchers have published research on hacking a baseband, but so far no one has issued a proof-of-concept hack for remotely turning a phone on by going through the baseband.

Malware, that's where

There is another possible explanation for the NSA's alleged ability to turn on depowered smartphones, but it is far less broad, and requires compromising a smartphone before you're able to remotely activate it. 

A phone infected with malware, ideally during a brief period when spies have physical possession of the device — sometimes called an implant — could be made to turn on via remote command, or do a number of other things. 

But as Graham points out, it doesn't seem that Snowden and Williams were talking about implants.

"The question was Brian Williams holding a phone asking what the NSA could do to it — in the future (power it on)," Graham wrote. "He wasn't asking what they'd done to it in the past (install an implant)."

Baby turn me on

So how worried should you be that the NSA is turning your phone on? The answer is, unless you're a foreign spy or a very high-value target, probably not very much.

While the NSA does do some broad surveillance on all Americans, Snowden told Williams that most high-level smartphone hacks, including turning it on remotely, hacking the microphone or camera, or stealing data stored on it, are aimed at specific individuals.

"It's important to understand that these things are typically done on a targeted basis," Snowden told Williams. "It's only done when people go, 'This phone is suspicious. I think it's being held by a drug dealer. I think it's being used by a terrorist.'"

Email or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • InvalidError
    There is an easy way to check if the baseband is really off: check the voltage regulator feeding it. If the regulator output is off or external filter caps for their integrated regulator read under 0.4V, you know with 100% certainty that the baseband is off at the time of measurement.

    Another possibility would be to use a high-speed scope to analyze the noise on supply rails and detect unexpected activity: if the baseband chip is capturing and analyzing signals, the activity should generate noise on supply rails as the baseband processes packets to detect something addressed to it. Every packet received should have a corresponding noise burst on the supply rail that may stop just after packet headers.
  • DalaiLame
    They can do it while the media will point the finger at China, as usual.
  • neon neophyte
    so you really do have to completely remove the battery

    just watch, theyre going to start making phones with a tiny backup battery soldered into the mainboard.
  • koga73
    Perhaps everyone is overthinking this. Keep it simple. Hacking the baseband may be possible but there may be another way. A microphone is essentially a reverse speaker. Even if the phone is off the microphone is still going to generate electromagnetic fields and electrical signals. Perhaps the NSA simply found a way to monitor these changes produced by the microphone whether the device is on or off.
  • dstarr3
    Since when did everyone in the country start wearing tin foil hats? If you're really that concerned about privacy, throw your cell phone and computer in a river, move out to a log cabin in the middle of Montana and never speak a word out loud again. I mean, the NSA will still be spying on you, but at least I won't have to hear about it.
  • fimbulvinter
    Since it was proven with 100% certainty that everyone is being watched. You were the type before the revelations that would accuse anyone of making such a claim as a "tinfoil hat" wearer, but somehow all along knew this to be fact after it became fact.
  • Esteban Thirion Mouvet
    I don’t even understand why we ask this question, because everyone knows the answer, is not it?

    Of course the NSA can open mobile phones. It says that the USA is the land of freedom, but I think it is also a country where one is the most watched. There is often scandals over the NSA spying agency or other U.S. security. I think we know that unfortunately the visible part of the iceberg. Information now go faster and faster and we don’t know too much control. In addition, we don’t know where they are going.

    I find the name of security, we allow too many things.
  • nocona_xeon
    After reading, I was thinking of a better and much cheaper solution but I'm unsure if it would work. I believe that the tiny holes in your microwave oven's glass are that size because the microwave wavelength cannot shoot through them (the waves are too big). Is that correct? Therefore, why doesn't someone just fabricate some sort of "carrying case" that snugly contains your cell/smartphone and blocks ALL electromagnetism from entering and exiting? Better yet, if the case could have a clear window pane (somehow), perhaps its apps that don't require wireless could still be used while your phone is still absent from the network? My two bits. The inability for me to completely disable my cell/smartphone is unacceptable. As in Get Smart, I want my Cone of Silence, haha.
  • truerock
    OMG... I see this all the time. Tech nerds so deep in the issue that they are completely out of touch with normal people. Snowden was probably just referring to "off" as 99% of the worlds population does - when the phone is put to "sleep". Many (if not most) users do not know the difference between sleep-mode and power-down.
  • Zeroplanetz
    And yet more and more smartphones are being made to where you cannot remove the battery. Hmmmm.