
Your mobile phone is SPYING on you. Here’s how 👀

If you think the VPN app on your phone is enough to guard your privacy, think again! In this short guide, I will explain how attaining privacy on mobile phones is almost impossible 😳

I try not to use the word ‘impossible’ often, but there are situations where something comes close to meeting the criteria. Attaining privacy and anonymity whilst using a mobile phone is one of them.

Long gone are the days of intelligence agencies having to manually purchase and install tracking devices on their targets. In today’s world, the target willingly pays and installs the tracking device themselves.

As you will come to realise, there is no fool-proof way to protect your anonymity and privacy from organised adversaries, whether that be your carrier or your government. We must therefore adopt a best-efforts approach, recognising that the fundamental structure of mobile telecom systems is corrosive to privacy by default, and that we can only take steps to mitigate, not eliminate, the risks posed.

Whether you own an iPhone or an Android phone, I have prepared this guide to explain how the telecommunication systems work, how they invade your privacy, and the steps you can take to mitigate the risks posed.

Buckle up because, in this guide, we’ll delve into the world of mobile telecommunications, unravelling everything from SS7 vulnerabilities to IMSI catchers. We will start by distinguishing between privacy and anonymity, before setting out on an eye-opening journey into understanding and mitigating the privacy risks associated with using your mobile phone.

Privacy and Anonymity: what is the difference?

Before we proceed, there is a subtle – but important – distinction to be made between privacy and anonymity. Privacy refers to a state where someone knows who you are but not what you are doing, and anonymity refers to someone knowing what you are doing but not who you are. With our Privacy & Anonymity guides, I hope to help you attain both.

How cellular networks work

Before we can explore how our mobile phones can be tracked, we should first explore how cellular networks actually work.

At the heart of cellular networks are cell towers, strategically placed to create overlapping coverage areas. Each tower serves a specific geographical area known as a cell. When you make a call or use data on your mobile phone, it communicates with the nearest cell tower, establishing a connection that facilitates your communication.

The communication between your device and the cell tower involves the transmission of signals, including voice data or internet packets. This exchange relies on various technologies, such as 3G, 4G, and now 5G, each representing a generation of mobile communication standards.

To better visualise this process, imagine the cellular network as a vast spiderweb, with each thread representing the signals connecting your phone to the nearest cell tower. As you move, your connection seamlessly transfers from one tower to another, ensuring continuous coverage.

And therein lies one of the first vulnerabilities from a privacy and anonymity standpoint: cell phone triangulation.

Cell phone triangulation is a location-tracking technique that uses the signal strength from multiple cell towers to determine the approximate location of a mobile device. By analysing the time it takes for signals to reach the device from different towers, triangulation algorithms can estimate its position. It’s less powerful than GPS, but as a general rule of thumb, the more populated the area, the more cell phone towers, and thus, the easier it is to triangulate your exact location.
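To make the timing-based estimate described above concrete, here is an added example (not part of the original article, and not any carrier's actual algorithm) that recovers a handset position from signal travel times to several towers using linearised least squares. The tower grid, handset position and timing error are constructed sample values.

```python
import math

C = 299_792_458.0  # speed of light, metres per second

def trilaterate(towers, times_s):
    """Estimate (x, y) in metres from one-way travel times to >= 3 towers."""
    if len(towers) < 3 or len(towers) != len(times_s):
        raise ValueError("need matching lists covering at least three towers")
    dists = [C * t for t in times_s]  # travel time -> range in metres
    (x0, y0), d0 = towers[0], dists[0]
    # Subtracting tower 0's circle equation from each other tower's removes
    # the x^2 and y^2 terms, leaving a linear system A @ [x, y] = b.
    rows, rhs = [], []
    for (xi, yi), di in zip(towers[1:], dists[1:]):
        rows.append((2 * (xi - x0), 2 * (yi - y0)))
        rhs.append(d0**2 - di**2 + xi**2 + yi**2 - x0**2 - y0**2)
    # Least-squares solution through the 2x2 normal equations.
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-6:
        raise ValueError("towers are collinear; position is ambiguous")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def position_error(towers, true_pos, timing_error_s=0.0):
    """Metres between true_pos and the estimate when the first tower's
    timing measurement is off by timing_error_s seconds."""
    times = [math.dist(t, true_pos) / C for t in towers]
    times[0] += timing_error_s
    est = trilaterate(towers, times)
    return math.dist(est, true_pos)

# Constructed sample data: four towers on a 3 km x 4 km grid, one handset.
TOWERS = [(0, 0), (3000, 0), (0, 4000), (3000, 4000)]
HANDSET = (1200, 900)

if __name__ == "__main__":
    print(f"perfect timing:     {position_error(TOWERS, HANDSET):.3f} m")
    print(f"1 microsecond off:  {position_error(TOWERS, HANDSET, 1e-6):.1f} m")
```

A single microsecond of timing error corresponds to roughly 300 m of range, which is why the estimate is approximate and why additional towers, each adding another equation to the least-squares fit, tighten it.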

We will now move on to discuss some of the other key ways that mobile phones can compromise your anonymity and privacy.

Your carrier is tracking you. Here's how:

Whether it is Vodafone or EE, by law and often by choice, mobile phone companies will track you. The extent of the tracking will depend on which country you are based in; that said, you don’t even need to be in America to be tracked by the NSA. America’s equivalent to GCHQ, the NSA, can legally record any traffic that enters a US server – more on that in this article on the Snowden revelations.

Before we move on to discussing how the SS7 protocol, Pegasus spyware, and IMSI catchers work, let’s begin by looking at what your carrier is learning about you.

Your carrier can store your data, and metadata about you

Your carrier can record your voice calls, record the contents of your unencrypted internet traffic (HTTP protocol), store SMS and MMS messages, and record your MAC address.

Furthermore, your carrier retains metadata – information about information. This encompasses details like who called whom, the location of the callers, and the timing of the calls. The extent of metadata collection by carriers and the governments overseeing them was unveiled through revelations made by Edward Snowden.

When I say that everything can be logged, I really do mean everything. Even turning your phone off can work against you.

For instance, if your phone is normally turned on throughout the day, and then it is turned off within the same half hour that a robbery takes place and there is other evidence linking you to the crime, this fact won’t do you any favours. If you were an intelligence officer or agent working overseas and your phone was usually turned on during the day, and then suddenly turned off, this could alert a hostile surveillance team that you have become operational.

Regardless of your situation, any deviation from your normal patterns and behaviour can be flagged as suspicious.

What is Tower Dumping and how does it compromise my privacy?

A “tower dump” refers to a law enforcement practice where authorities request and obtain a record of all mobile devices connected to a specific cell tower during a particular time frame. This request allows law enforcement to collect information such as the unique identifiers (IMSI or IMEI numbers) of all devices connected to that tower, as well as the time and duration of their connections.

Tower dumps are often used as an investigative tool in criminal cases to identify potential suspects or witnesses in a specific location and timeframe. However, this practice has raised privacy concerns as it involves the indiscriminate collection of data from all users connected to the tower, regardless of their involvement in any criminal activity. Critics argue that tower dumps can infringe upon individuals’ privacy rights, and there are ongoing discussions about the appropriate legal and ethical boundaries for their use. Legal frameworks and regulations vary across jurisdictions regarding the permissible scope and conditions for conducting tower dumps.

What is a silent SMS?

A “silent SMS,” also known as an “invisible” or “stealth” SMS, is a short message sent to a mobile device without the user’s knowledge. Unlike regular text messages, a silent SMS does not display any notification, sound, or alert on the recipient’s device. It operates discreetly, and the recipient is typically unaware that a message has been received.

Law enforcement and intelligence agencies may use silent SMS to determine the location of a mobile device. The device responds to the silent SMS by interacting with nearby cell towers, allowing authorities to triangulate its position. It is more difficult – although not impossible – to send a silent SMS to an iPhone. However, it is definitely a threat that is still worth taking seriously.

Signalling system seven (a fundamentally insecure system)

It’s not just your carrier who can spy on you. Anyone, from anywhere in the world, can spy on you if they have two things: your mobile number, and access to SS7.

SS7, or signalling system seven, is a set of protocols required to connect networks together and route calls between switching services. And it is a system that is fundamentally insecure.

With SS7, an adversary only needs access to your phone number and access to SS7 to read all your text messages, listen to your phone calls, initiate denial of service attacks, and track your location from anywhere in the world.

SS7, or Signaling System No. 7, is a set of telephony signaling protocols that are used to set up and manage telephone calls in a public switched telephone network (PSTN). It is an international standard defined by the International Telecommunication Union (ITU) that facilitates the exchange of information between network elements.

Originally designed for voice communication, SS7 has been widely used in traditional telecommunication networks. It also allows roaming when you are abroad and try to connect to another network.

However, with the evolution of technology, SS7 vulnerabilities have been exploited for malicious purposes. One notable concern is related to SS7 attacks, where attackers can exploit weaknesses in the SS7 protocol to intercept and manipulate telecommunications traffic, including voice calls and text messages.

Access to SS7 can be purchased from network operators, and vendors are currently selling products that exploit SS7. Many of these companies state that they only sell access to SS7 to government entities; however, this is hardly reassuring. Almost anything is purchasable for the right price.

SS7 is here to stay, and as a mobile phone user you use the protocols every day. But that’s not the only cellular vulnerability to concern yourself with: next, we will discuss the threats posed by IMSI catchers.

IMSI Catchers

IMSI catchers, also known as cell-site simulators or Stingrays, are physical devices used for mobile phone surveillance and tracking.

‘IMSI’ stands for International Mobile Subscriber Identity. It is a unique numerical identifier assigned to each subscriber in a mobile network. The IMSI is stored on a SIM (Subscriber Identity Module) card, which is inserted into a mobile device. The IMSI is an essential component in the authentication and identification processes within a cellular network.

An IMSI Catcher is a device that pretends to be a cell tower that captures traffic and provides the data to a third party (such as a police force, intelligence agency, or even a hacker).

I won’t delve into the details of how IMSI catchers work, and will limit this passage to describing how they compromise your privacy. An IMSI catcher allows for the capture of sensitive information like call details, text messages, and in some cases, the content of the communication.

In recent years, developments have been made allowing for the detection of IMSI catchers. You can learn more about this process by clicking here.

Mobile phone malware

Up until now, we have discussed the fundamental flaws of telecom systems. Now it’s time to look at vulnerabilities within mobile phones themselves. I covered what spyware is and how it works in my guide to the fourteen types of common malware. But in short, spyware is a form of malware that has powerful surveillance capabilities. Spyware could involve a keylogger, which records everything you type. Or it could record through your camera, activate your microphone, take screen recordings, and so on.

One of the most infamous forms of spyware is Pegasus, one of the most sophisticated forms of malware, which was developed by the Israeli NSO Group. Pegasus primarily targeted iPhones and was notorious as a zero-click exploit. This meant that a device could be compromised without the user having to interact with it (i.e. click a link, download a file, execute a program, and so on). Pegasus was targeted malware; only subjects of high interest to governments would be targeted.

Pegasus aside, Android phones are more susceptible to malware than iPhones are. This is due to Apple’s ‘walled garden’ approach; in other words, if you want to download a program on your iPhone you must go through the App Store, which has strict criteria.

PCs are much more likely to have malware than mobile and tablet devices, but that doesn’t mean that we should forget that fundamentally phones are computers that are connected to a network, and thus could be prone to an attack.

How to improve your privacy and anonymity

As international telecom systems are fundamentally insecure, we are adopting a ‘best efforts’ approach. There are a few steps we can take to improve our security, privacy, and anonymity when using mobile phones:

Multiple phones

Containerising multiple identities on different phones can be a practical approach for maintaining separation and privacy between various aspects of your digital life. Assign each identity to a dedicated phone. This physical separation helps prevent unintentional crossovers between personal and professional identities.

When containerising identities, it is important that there is no crossover or cross-contamination. In other words, don’t have both phones in close proximity, pay for them using the same debit/credit card, and so on.

Employ counter-forensics

If you are ever arrested, the police will often send your phone to a computer forensics team depending on the crime you are alleged to have committed. There, they will use specialised software to extract everything from your phone for analysis. There is nothing stopping other threat actors from using similar techniques, and this is where counter-forensics could come in useful. I have argued the case for counter-forensics here, and I will write a detailed step-by-step counter-forensics guide soon.

But for the time being, there are two steps that you can take on iPhones to make your phone harder to crack. They are:

  • Enabling lockdown mode; this may be overkill for most people, but assuming your security, privacy, and anonymity needs are high it is definitely worth doing. You would be surprised as to how tolerable this mode is, even with all the security bonuses.
  • Using a super (and I mean super) strong passphrase. A strong passphrase adds an additional layer of protection to your device. Unlike simple passwords or PINs, passphrases are longer and more complex, making them significantly harder to crack. Ensure that your passphrase is indeed a sentence, is at least 25 characters, and has numbers, letters, and symbols.


GrapheneOS: A Possible Solution

GrapheneOS is an open-source operating system based on the Android platform, focused on security and privacy. It is developed by a small team led by Daniel Micay, who is known for his contributions to Android security and privacy. GrapheneOS is designed to provide a more secure and privacy-focused alternative to standard Android distributions.

GrapheneOS includes several security and privacy features, including hardened kernel and user-space, filesystem and network traffic encryption, verified boot, and secure bootchain. The operating system also includes a number of privacy features such as fine-grained permission control, network traffic filtering, and background app restrictions.

GrapheneOS is not intended to be a user-friendly operating system for mainstream users. Instead, it is targeted at advanced users who are willing to invest the time and effort to set up and maintain a (more) secure and private operating system. The project is funded by donations, and the source code is available on GitHub for anyone to view, modify, and contribute to.

Wrapping it all up...

In conclusion, the pervasive integration of mobile phones into our daily lives comes with a trade-off – unseen surveillance that extends beyond our awareness. The realisation that our devices may be silently collecting and transmitting personal data raises important questions about privacy and security.

Mobile telecoms are fundamentally insecure, and things will likely get much worse before they get better. Therefore, we can only adopt a ‘best efforts’ approach.
