Hacker OPSEC

STFU is the best policy.

A Fistful of Surveillance

The publication of this piece at The Intercept about NSA targeting via mobile phones prompted me to release this collection of notes. Some quotes and statements in the article wrongly promote the idea that the SIM card is the only unique identifier in a mobile phone. I’ve enumerated the identifiers that exist, and they go far beyond the SIM card. At a minimum, the physical identifiers of a mobile phone are the IMSI and the IMEI, that is, the SIM card and the mobile phone hardware itself.

This is a short collection of notes I’ve put together on how you can be identified via your mobile phone. If you want to securely use a mobile phone, you’ll need to use a burner. This is non-trivial. Here’s a good guide.

Clandestine Mobile Phone Use

Mobile phones should primarily be used for signalling, rather than for actually communicating operational information. Remember the golden rule of telephone conversations:

  • keep it short
  • keep it simple
  • stick to your cover

Identifiers

  • Location
    • Specific location (home, place of work, etc.)
    • Mobility pattern (from home, via commuter route, to work) – highly unique, 4 locations will identify 90%
    • Paired mobility pattern with a known device (known as “mirroring”, when two or more devices travel together)
  • Network
    • numbers dialed (who you call)
    • calls received (who calls you)
    • calling pattern (numbers dialed, for how long, how frequently)
  • Physical
    • IMEI (mobile phone device ID)
    • IMSI (mobile phone telco subscriber ID)
  • Content
    • Identifiers, e.g. names, locations
    • Voice fingerprinting
    • Keywords

Mitigations

Turn it OFF, for real.

Know how to turn the phone to a completely off state. This means removing the battery, taking out the SIM card and placing it in a shielded bag (if possible). This really off state is how you store and transport the phone when not in use.

A note on storage: it should not be at your house or anywhere that is directly linked to you.

Take a hike, buster

Where you use the phone is itself very important. Never use it at locations which are associated with you, that means never at home, never at the office/work, never at a friend’s house. Never have the phone in an ON state at locations that are associated with you, or your immediate social network. Never.

Do not turn the phone on in the same location as a phone associated with you. Make sure that your real phone is somewhere else, but not in an OFF state if possible. You don’t want the disappearance of one phone from the network to coincide with the appearance of another. Paired events are indicators of relation, and you want to avoid those as much as possible. You also want your regular phone to appear with a typical usage pattern, which means keeping it on as you normally would.
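Why paired events stand out, as an added example that is not part of the original notes: the sketch below counts how often one device drops off the network while another appears in the same cell within a few minutes. The event records, device and cell labels, the 10-minute window and the threshold of two are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed registration events: (time, device, cell, event). All labels are invented.
CARELESS = [  # real phone switched off where the burner is switched on
    ("2014-02-10 18:02", "real", "cell-home", "detach"),
    ("2014-02-10 18:04", "neighbour", "cell-home", "attach"),
    ("2014-02-10 18:05", "burner", "cell-home", "attach"),
    ("2014-02-10 18:40", "burner", "cell-home", "detach"),
    ("2014-02-10 18:43", "real", "cell-home", "attach"),
    ("2014-02-12 12:30", "real", "cell-cafe", "detach"),
    ("2014-02-12 12:33", "burner", "cell-cafe", "attach"),
]
SEPARATED = [  # real phone stays on elsewhere (no events); burner used away from it
    ("2014-02-10 18:04", "stranger", "cell-park", "detach"),
    ("2014-02-10 18:05", "burner", "cell-park", "attach"),
    ("2014-02-10 18:40", "burner", "cell-park", "detach"),
    ("2014-02-12 12:33", "burner", "cell-mall", "attach"),
    ("2014-02-12 12:50", "burner", "cell-mall", "detach"),
]

def paired_events(events, window_minutes=10):
    """Count, per pair of devices, how often one left the network and the
    other appeared in the same cell within the window (either order)."""
    parsed = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M"), dev, cell, kind)
        for t, dev, cell, kind in events
    )
    window = timedelta(minutes=window_minutes)
    pairs = Counter()
    for i, (t1, dev1, cell1, kind1) in enumerate(parsed):
        for t2, dev2, cell2, kind2 in parsed[i + 1:]:
            if t2 - t1 > window:
                break  # sorted by time, so nothing later can fall inside the window
            if dev1 != dev2 and cell1 == cell2 and {kind1, kind2} == {"attach", "detach"}:
                pairs[frozenset((dev1, dev2))] += 1
    return pairs

def linked(events, min_count=2):
    """Pairs whose off/on coincidences repeat; one coincidence alone is noise."""
    counts = paired_events(events)
    return sorted(tuple(sorted(p)) for p, n in counts.items() if n >= min_count)

if __name__ == "__main__":
    print("careless: ", linked(CARELESS))
    print("separated:", linked(SEPARATED))
```

In the careless log the neighbour and the stranger each coincide once and fall below the threshold, while the real phone and the burner coincide three times and are reported as related.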

Contamination, avoid it

Never use different phones from the same location.

Never carry phones for different compartments together (keep them turned off, batteries out).

Never carry phones turned on over the same routes you normally take. Avoid patterns and predictability.