When President Obama was allowed to keep his BlackBerry several months ago, most media attention had to do with the security of the device itself. Could it be hacked? If the communications are business oriented, would they be easily discoverable?
The White House has said that his device will contain extra security measures. But a greater risk could be that the typical BlackBerry also acts as a portable location device, because any phone using cell technology can be tracked.
Many smart phones have built in global positioning systems. Senior members of the Bush Administration and other politicians reportedly turned that capability off. But cell transmissions are different. The cell device’s locations are monitored via towers by phone companies, which are required to keep data in case of an emergency.
“There’s no way you can make [cell phones] untraceable,” says James Atkinson, president of Granite Island Group, an engineering firm near Boston that specializes in technical surveillance countermeasures.
Initially, the challenge would be associating a device with a specific individual, he says. The easiest way to do this would be to monitor a location, such as the White House or a target’s office.
Although modern cell phones use encryption to send personal data, the IMEI, or serial number, and other basic information is transmitted in plain text. There are a few ways to get this information in a form that can be “seen” on a monitor.
One technology, triggerfish, reportedly used by the government and law enforcement, can simulate a cell tower, tricking nearby phones into transmitting data be- fore sending the call to a tower.
A less expensive way would be to gain access to a phone company’s tracking data by getting an employee’s user name and password; this information is supposed to be protected, but frequently it gets shared, says Atkinson. “One day 10 people know them, the next day 300 do.”
Cell towers can locate a phone to within about 50 feet on average; in highly populated areas with more towers, it could be within 10 feet. Someone could learn whose phone is whose by a process of elimination.
There are, however, countermeasures that can help to mask the cell phone user’s whereabouts. These strategies are advisable not just for the President but for any professional who might feel that tracking could pose personal or professional risks.
One countermeasure is to have different phones for different purposes, he says. An executive might have one phone for daily business, another for sensitive meetings, and another for traveling.
It can also be important to divide phones by geographic region. An executive might have different phones for different cities; another might be used only to make travel arrangements.
Assigning phones to an executive based on location does have some flaws. A tracker might be able to see, for instance, when a target had returned from a trip. That’s why shuffling phones can be extremely effective, says Atkinson. At some companies, certain executives will hand their phone to a colleague every week or so, he says.
Another security tip concerns removing the battery. Simply turning a phone off is rarely effective, as many devices still contact nearby towers when in “off” mode. Atkinson advises removing the battery without hitting the off button.
It might also make sense to keep a phone a certain distance away at times, such as for certain meetings.
Ideally, each phone should only be used once, but this is unrealistic, Atkinson says. In his experience, professionals who tend to have the most concerns about tracking include business executives, scientists, and certain journalists. Atkinson teaches a seminar for journalists on how to protect a source by using and properly disposing of a temporary prepaid “burner” phone (a term that originally came from criminals hoping to avoid being surveilled by law enforcement officers).
The most secure option, of course, is to avoid using a cell phone. “If someone wants to surveill you, you make it about a thousand times easier by using an electronic device.”
Not using a cell phone, however, may not be possible in today’s business environment.