Cellular Interception Techniques
by Thomas Icom IIRG/Cybertek
In order to understand the techniques detailed in this article, a basic knowledge of cellular telephony is required. Instead of rehashing what has already been written, those in need of the required education should refer to a good g-file on cellular telephony. The ones written by Brian Oblivion/RDT or Bootleg are recommended by the author; as well as Damien Thorn's articles from Nuts & Volts Magazine, and the numerous articles that have appeared in 2600. They should be considered required reading at this point.
Introduction
The Electronic Communications Privacy Act of 1986 (ECPA) prohibits the monitoring of cellular telephone communications, except for network testing, equipment troubleshooting, interference tracking, or warrant-sponsored surveillance. A 1992 amendment to the Communications Act (the Telephone Disclosure and Dispute Resolution Act, often lumped in with the ECPA) also directed the Federal Communications Commission to deny Part 15 certification (which is required to sell radio equipment in this country) to "scanning receivers" that can receive, or are "readily modifiable" to receive, cellular telephone frequencies, and to 800 MHz band frequency converters. This mandate does not apply to "test equipment," as technicians working in the cellular industry obviously need such equipment to troubleshoot problems. Nor does it apply to the phones themselves, for reasons which should be obvious. Kits are also exempt, as Part 15 compliance is considered the responsibility of the builder.
So far, the response of the courts has been mixed in regard to enforcement of the ECPA. In 1986, the U.S. Department of Justice stated that it would not enforce the law, as doing so would be impossible. That was 1986, under an administration that no longer exists; the current administration might be a little less enlightened in regard to freedom of the airwaves. (They certainly are in regard to some other freedoms.) Some judges have held that since cellular telephony occurs over the airwaves, there is no "reasonable expectation of privacy." Others have maintained the opposite viewpoint. None of the judges with the former viewpoint has gone so far as to declare the ECPA null and void.
From a practical standpoint, whatever laws may be on the books, if it goes out over the airwaves one might as well shout it from a rooftop. Interception of an unencrypted cellular telephone call, or of any other radio communication, is passive and therefore undetectable by the parties, and it requires only a basic level of technical expertise.
A Realistic Appraisal of Cellular Phone Security
It should go without saying that any unencrypted RF transmission is inherently unsecured, ECPA notwithstanding. With that in mind, even though your cellular phone conversation is being sent out for anyone to intercept and listen to, there are a few mitigating factors.
The design of the cellular phone system doesn't give it half the range of the old IMTS system. The old IMTS system had a maximum range of 50-75 miles, whereas a cell site might have an absolute maximum range of 20 miles in a rural area where the cell sites aren't that close together. In an urban area, a cell site's range could be less than one mile. The decreased range means fewer potential listeners.
The cell site is capable of adjusting its own power output, and of ordering the phone to adjust its transmit power, in relation to the phone's proximity to the cell site. Mobile power can be stepped down to as low as about 30 milliwatts. What this means is that if one is close to a cell site, the range of one's own signal will be decreased.
Scanners capable of 800 MHz reception are still considered "high-end" pieces of equipment and therefore are generally purchased by serious monitoring enthusiasts. Among said enthusiasts, cellular is not considered a popular listening item, as they feel that 90% of the communications are "boring," and the continuous nature of cellular transmissions lock up the scanner and make it worthless for listening to anything else.
With 832 channels and many different conversations to choose from, a quick, innocuous sounding call will probably go unnoticed among the drug dealers, stockbrokers, and Verifone systems that inhabit the cellular airwaves.
All things considered, unless the phone's MIN is flagged for some reason or the cell site being used is flagged, the chances that a given cellular call will be monitored are slim. If the user keeps their calls short and avoids having "interesting" conversations, potential listeners will either miss the conversation altogether, or monitor it briefly and go on to find a "less boring" conversation. If the phone's MIN is flagged, or the cell site being used is flagged, then expect the conversation to be monitored.
Usage Analysis
Cellular phones are used by anyone who feels they need instant phone communications despite their location, and can afford to have it. While this includes a lot of upper-class housewives, yuppies, and corporate executive wannabes, there are some more interesting users.
Political organizations make use of cellular phone communications. The Democrats made extensive use of cellular phones during their last national convention. On the other hand, the Republicans were smart and banned the use of cellular phones in their national convention.
Police agencies are another cellular user, using them on the assumption that communications are a little more private than over their radio system. The NYPD uses them for non-emergency communications in their Precinct-Activated Response Program, and for their highway callboxes.
The various departments of transportation and public works departments also use cellular. Their highway radio advisory systems operating on 530 and 1610 kHz are often equipped with cellular phones for remote programming.
Flea market vendors are mating Verifone systems with cellular phones in order to be able to validate credit card and check purchases while working a show. The Verifone systems are basically 300/1200 baud modems.
Alarm system companies are mating alarm systems to cellular phones for use as a secondary (or even primary in a remote area) means of communication between the alarm system at the customer's site and the central station.
Recently, the Metro-North commuter rail service in the New York City metropolitan area started offering public phone service on their trains. These phones use the cellular phone network.
As one can see, the use of cellular phones has come a long way from some yuppie calling his wife to say he'll be staying at the office late, and then calling his mistress immediately afterwards to tell her what hotel to meet him at. Those who like to listen to real-life soap operas however will be relieved to know that such conversations still occur over the free and open airwaves despite all the other activity.
Equipment Availability
In addition to outrageously expensive pieces of surveillance equipment sold to law enforcement agencies, (the Harris Corporation's TriggerFish being a prime example) there exist other types of equipment which can be used for interception of cellular telephony. Even if such a specialized function as tracking a specific MIN/ESN pair is required, the technical specifications of the cellular phone network are publicly available so any competent technician can design a piece of equipment to do the required job. An intercept station can be put together for about one-tenth the cost asked for by "law enforcement suppliers" and "spy shops."
Despite the ECPA, receivers capable of receiving cellular still abound. Readily modifiable scanning receivers made before the Part 15 revision are grandfathered, and the existing stock may still be sold. Since these units are "high-end" models and priced accordingly, they are still on the shelf waiting to be sold.
The specific wording of the new FCC Part 15 Regulations denies certification to "readily modifiable scanning receivers." Some of the new scanners put on the market since the Part 15 revision have been modifiable via a hideously detailed and complicated procedure. Apparently, a modification involving the desoldering and re-soldering of multiple surface-mount devices isn't considered "readily modifiable." One manufacturer has taken a different approach on their new models. The cellular frequencies are locked out via the programming in the scanner's ROM, so no modification is available short of burning a new ROM for the scanner. There is however, a code sequence which can be entered into the keypad that loads test frequencies into the scanner's memory channels for diagnostic purposes. Some of these test frequencies are within the cellular phone band. From there one can then tune above or below the test frequencies and receive the entire cellular phone band.
Most scanners that have 800 MHz capability will also receive the cellular phone band via the image method. A superheterodyne receiver responds not only to the frequency it is tuned to but also to the image frequency, which lies twice the Intermediate Frequency (IF) away on the local-oscillator side of the tuned frequency. Most scanners have a first IF of 10.7 MHz, so on a scanner whose local oscillator runs below the tuned frequency one can listen to cellular by tuning 21.4 MHz above the cellular frequency; on a scanner with high-side injection the image falls 21.4 MHz below instead, so if nothing is heard on one side, try the other. If the signal is strong enough it may also be heard 10.7 MHz (or whatever the scanner's IF is) below the actual frequency, a spurious response that varies from one set to another.
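The arithmetic behind the image method, as an added worked example (not code from the original article): it converts AMPS channel numbers to frequencies, gives the two dial settings at which a given cellular frequency shows up as an image on a scanner with a 10.7 MHz IF, and does the reverse lookup for a conversation heard at an unexpected scanner frequency. The channel plan (30 kHz spacing, reverse channel N at 825.000 + 0.030·N MHz, channels 991-1023 just below channel 1, forward channel 45 MHz above reverse) and the 10.7 MHz IF are stated assumptions; the sample channel and dial frequencies are constructed.

```python
"""Added example (not from the original article): where to tune a scanner to hear an
AMPS cellular channel by the image method, and the reverse: which cellular channel an
unexpected conversation heard at a given scanner frequency really belongs to.

Assumptions (labelled as such): AMPS 30 kHz channel spacing, reverse (mobile) channel
N at 825.000 + 0.030*N MHz for N = 1..799 and 825.000 + 0.030*(N - 1023) MHz for
N = 991..1023, forward (cell site) channel 45 MHz above the reverse channel, and a
first IF of 10.7 MHz. A superhet's image lies 2*IF from the wanted frequency on the
local-oscillator side, so which of the two offsets works depends on the scanner's
LO injection; both are reported.
"""
from __future__ import annotations

CHANNEL_KHZ = 30
REVERSE_BASE_KHZ = 825_000      # "channel 0"; channel 1 reverse is 825.030 MHz
DUPLEX_KHZ = 45_000             # forward = reverse + 45 MHz
DEFAULT_IF_KHZ = 10_700


def channel_of(khz: int) -> tuple[int, str] | None:
    """Map a frequency in kHz to (channel, 'reverse'|'forward'); None if not an AMPS channel."""
    for direction, base in (("reverse", REVERSE_BASE_KHZ),
                            ("forward", REVERSE_BASE_KHZ + DUPLEX_KHZ)):
        k, rem = divmod(khz - base, CHANNEL_KHZ)
        if rem:
            continue
        if 1 <= k <= 799:
            return k, direction
        if -32 <= k <= 0:               # 824.040-825.000 MHz: the expanded channels 991-1023
            return k + 1023, direction
    return None


def frequency_khz(channel: int, direction: str = "forward") -> int:
    """Inverse of channel_of: the frequency in kHz of an AMPS channel."""
    if 1 <= channel <= 799:
        k = channel
    elif 991 <= channel <= 1023:
        k = channel - 1023
    else:
        raise ValueError(f"not an AMPS channel: {channel}")
    khz = REVERSE_BASE_KHZ + CHANNEL_KHZ * k
    return khz + DUPLEX_KHZ if direction == "forward" else khz


def image_tuning(cell_khz: int, if_khz: int = DEFAULT_IF_KHZ) -> dict[str, int]:
    """Scanner dial settings at which cell_khz appears as an image.
    'tune_above' works when the scanner's LO runs below the tuned frequency (the case
    the article describes); 'tune_below' when it runs above."""
    return {"tune_above": cell_khz + 2 * if_khz, "tune_below": cell_khz - 2 * if_khz}


def heard_cellular_at(tuned_khz: int, if_khz: int = DEFAULT_IF_KHZ) -> list[tuple[int, int, str]]:
    """Given the frequency a scanner is parked on, list the cellular channels whose image
    lands there as (true_khz, channel, direction). Empty if neither candidate is cellular."""
    hits = []
    for true_khz in (tuned_khz - 2 * if_khz, tuned_khz + 2 * if_khz):
        found = channel_of(true_khz)
        if found:
            hits.append((true_khz, *found))
    return hits


if __name__ == "__main__":
    # Constructed example: A-band control channel 333 (forward side, 879.990 MHz).
    cc = frequency_khz(333, "forward")
    print(f"channel 333 forward = {cc / 1000:.3f} MHz; image dial settings: "
          + ", ".join(f"{k} {v / 1000:.3f} MHz" for k, v in image_tuning(cc).items()))
    # Something heard while parked at 901.390 MHz resolves back to cellular channel 333.
    for true_khz, ch, d in heard_cellular_at(901_390):
        print(f"901.390 MHz is the image of {true_khz / 1000:.3f} MHz = channel {ch} ({d})")
```

Note that the "tune_below" setting for channel 333 (858.590 MHz) lands inside the 851-869 MHz public safety and business band, so a real signal there will compete with the image; running heard_cellular_at on the frequency where a conversation actually appears tells you which cellular channel it belongs to before you log it.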
Obviously, cellular phones are exempt from this regulation. Cellular phones can usually be put into a diagnostic mode that turns them into a standard receiver/transmitter in order to be more easily tested during the troubleshooting/repairing process. The OKI 900 and OKI 1150 (also known as the AT&T 3730 and AT&T 4740 respectively) have software available for them from Network Wizards that will enable them to track a specific MIN.
MIN tracking can also be done with the Custom Computer Services Digital Data Interpreter (DDI). Current versions of the DDI deliberately do not decode ESN data from the Reverse Control Channel, an omission intended to hinder cellular phone cloning fraud. They will still, however, read the Forward Control Channel data. When used with an older Icom IC-R7000/IC-R7100 receiver, the DDI will automatically tune the Icom to follow the conversation.
Scanner frequency converter kits that enable scanners without 800 MHz coverage to receive the 800 MHz band (including cellular) are still being sold. One can also make an 800 MHz frequency converter out of an old UHF TV tuner that covers TV channels 70-83; that 806-890 MHz allocation is now the 800 MHz land mobile and cellular band.
The Optoelectronics R10 near-field receiver is a device which looks for nearby radio signals between 30 MHz and 2 GHz and automatically tunes them in. It will also display the received signal strength and frequency deviation. It is classified by the FCC as a piece of test equipment. If one gets close enough to a cell site or an in-use cellular phone, the R10 will lock in to the signals from the transmitter in question. If one is monitoring a mobile unit which is handed off to another cell site, the R10 is able to quickly reacquire the signal, as it can search through its entire 30 MHz to 2 GHz coverage in 2 seconds. By adding the optional bandpass filter and/or attaching an antenna tuned to the cellular frequency range, the R10's effective range can be increased while also rejecting unwanted signals from outside the cellular telephone band.
Frequency counters are also a useful piece of equipment. After having experimented with the RadioShack unit, I have discovered that using the supplied telescoping whip antenna it will lock on a 3 watt phone running with a 5/8-wave antenna from a range of 50 feet. I'm sure the range could be increased by using a bandpass filter, amplifier, and/or cellular antenna. The Rolls Royce of frequency counters is the Optoelectronics Scout, which was intended for SIGINT operations. Among other interesting features, it is equipped with an OS456 interface and will automatically "reaction-tune" an OS456-equipped receiver to whatever frequency the Scout picks up, and can send data on frequency acquisitions to a PC.
A laptop or Palmtop PC will also be needed if one desires to use the DDI or Network Wizards Oki Cellular Experimenters Kit. One should also have a copy of Video Vindicator's Cellular Manager software for reference purposes (converting frequencies to channels, finding what voice channels correspond to what control channel, and finding information about adjoining cell sites).
Interception Techniques
The most common intercept technique is to program the upper and lower limits of the cellular band into a scanner's search memories and use the search function to go through all 832 channels. With a scanner that searches at 25 channels per second, a complete search would take 33.28 seconds, not counting time spent listening to each communication to determine whether it contains relevant content. This technique is adequate for highly populated urban regions, where a large number of frequency groups are in use in a given area. In a less urban, suburban, or rural area this technique wastes too much time, as only a small fraction of the channels are used. It is also difficult with this technique to reacquire a target when it is handed off to another cell site.
A better approach is to program the frequencies actually in use in the area of operations into a scanner. Each control channel (one cell site, or one sector of a site) has only a limited set of voice channels assigned to it, on the order of 20. So, if one has 10 control channels in one's area of operations (equal to 10 cell sites in most areas), that's only about 200 channels that have to be monitored. This technique cuts down on the number of frequencies that have to be checked and allows for more efficient coverage.
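Building that scan list programmatically, as an added example (not code from the original article, and not the Cellular Manager software it mentions): given the control channels heard locally, it produces the voice channels and their reverse/forward frequencies to program, and compares one pass over that list with the full 832-channel search. The channel-set rule it uses, the textbook AMPS plan in which a cell's voice channels share their channel number's remainder modulo 21 with its control channel, is an assumption; real systems are engineered individually and may depart from it, so the output is a starting list to prune by listening. The control channels in the example are constructed.

```python
"""Added example (not from the original article): program a scanner with only the voice
channels belonging to the control channels heard in the area, instead of sweeping all
832 channels.

Assumption (labelled as such): the textbook AMPS 21-channel-set plan, in which a cell
site or sector uses the voice channels whose channel number has the same remainder
modulo 21 as its control channel. Real systems are engineered individually and may
depart from this, so the list is a starting point to be pruned by listening, not a
guarantee. Channel-to-frequency arithmetic: reverse channel N at 825.000 + 0.030*N MHz
(N = 1..799; N = 991..1023 map to N - 1023), forward = reverse + 45 MHz.
"""
from __future__ import annotations

A_BAND = (range(1, 334), range(667, 717), range(991, 1024))   # non-wireline carrier
B_BAND = (range(334, 667), range(717, 800))                   # wireline carrier
A_CONTROL = range(313, 334)      # the 21 A-band control channels
B_CONTROL = range(334, 355)      # the 21 B-band control channels
CHANNEL_SETS = 21


def band_of(n: int) -> str:
    if any(n in r for r in A_BAND):
        return "A"
    if any(n in r for r in B_BAND):
        return "B"
    raise ValueError(f"not an AMPS channel: {n}")


def is_control(n: int) -> bool:
    return n in A_CONTROL or n in B_CONTROL


def reverse_khz(n: int) -> int:
    band_of(n)                                   # validates the channel number
    return 825_000 + 30 * (n if n <= 799 else n - 1023)


def forward_khz(n: int) -> int:
    return reverse_khz(n) + 45_000


def voice_channels_for_control(cc: int) -> list[int]:
    """Voice channels in the same band and channel set as control channel cc."""
    if not is_control(cc):
        raise ValueError(f"{cc} is not a control channel")
    band = A_BAND if band_of(cc) == "A" else B_BAND
    group = cc % CHANNEL_SETS
    return sorted(n for r in band for n in r
                  if n % CHANNEL_SETS == group and not is_control(n))


def scan_list(control_channels: list[int]) -> list[tuple[int, int, int]]:
    """(channel, reverse kHz, forward kHz) for every voice channel implied by the
    control channels heard; duplicates (one channel reported from two sites) removed."""
    chans = sorted({n for cc in control_channels for n in voice_channels_for_control(cc)})
    return [(n, reverse_khz(n), forward_khz(n)) for n in chans]


def sweep_seconds(channel_count: int, channels_per_second: float = 25) -> float:
    """Time for one pass of the scanner's search at the article's 25 channels/second."""
    return channel_count / channels_per_second


if __name__ == "__main__":
    # Constructed example: three A-band and three B-band control channels heard locally.
    heard = [313, 320, 327, 334, 341, 348]
    entries = scan_list(heard)
    print(f"{len(entries)} voice channels to program instead of 832: "
          f"{sweep_seconds(len(entries)):.1f} s per pass instead of {sweep_seconds(832):.2f} s")
    for n, rev, fwd in entries[:4]:
        print(f"ch {n:4d}  reverse {rev / 1000:.3f} MHz  forward {fwd / 1000:.3f} MHz")
```

Under this plan a control channel implies 18 or 19 voice channels across the band's three segments, which is close to the figure of about 20 used above; channels that never carry traffic after a few passes can be dropped from the list, and a site whose voice channels do not follow the plan will show up as conversations on channels the list does not contain.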
Those techniques are generally used for non-specific monitoring. Once an "interesting" conversation is noted, the target can be identified and techniques aimed at a specific target can be employed. Typically, the control channel is worked out from the voice channel the target is using, since in the standard channel plan a cell's voice channels belong to the same channel set as its control channel. Once the control channel is identified, its data stream can be monitored, which makes tracking the target through hand-offs and reacquiring the target on the network easier.
Target specific monitoring falls into two categories. The first is a target with a known MIN. The second is a target which has been visually acquired and noted to be using a cellular phone.
Tracking a known MIN is generally a matter of having the right equipment and being in the same general area as the target. If the target travels over a wide area, monitoring becomes more difficult. If such were the case, the surveillance technician would have to maintain multiple listening posts in the various areas the target is known to frequent, or, in the case of court-approved activity, monitor the target at the MTSO. The tool of choice would be an Oki phone with the appropriate software, or the DDI unit hooked up to an older Icom IC-R7000/IC-R7100.
If one is on a budget and knows the target's voice, one can also manually scan through adjoining cell site frequencies until the conversation is reacquired. This will, however, result in losing part of the conversation.
For a target that one has visual acquisition on, one can determine the reverse channel frequency being used by means of a frequency counter. Once that is accomplished, the rest is easy. The forward channel operates 45 MHz above the reverse channel. As the target moves from cell site to cell site, the frequency counter would indicate changes in operating frequency. The ultimate would be an Optoelectronics Scout sending frequency information to a PC which would then automatically tune two separate receivers to the forward and reverse voice channels.
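The counter-driven setup described above, as an added example (not code from the original article and not the Scout's own software): it takes a frequency counter's readings, maps each hit in the mobile's reverse band to its channel, derives the forward channel 45 MHz above it for the second receiver, and emits a retune when the reading moves to a new channel during a hand-off. The readings are constructed, not captured, and the rule that a new reading must repeat before it is acted on is an assumption added because a near-field counter also latches briefly onto paging, trunked and other 800 MHz transmitters that are not the target.

```python
"""Added example (not from the original article): drive two receivers from a frequency
counter's readings, and notice hand-offs as the counter's reading changes.

Assumptions (labelled as such): the counter reports the strongest nearby carrier in kHz
once per second (the readings below are constructed, not captured); a reading is only
acted on after it repeats CONFIRM times in a row, because a near-field counter also
latches briefly onto paging, trunked and other 800 MHz transmitters that are not the
target. Channel arithmetic follows the AMPS plan: reverse (mobile) channel N at
825.000 + 0.030*N MHz (N = 1..799; N = 991..1023 map to N - 1023), forward (cell site)
channel 45 MHz above it. A counter held near the target reads the mobile's transmitter,
so only the reverse band is accepted.
"""
from __future__ import annotations

from dataclasses import dataclass

DUPLEX_KHZ = 45_000
CONFIRM = 2


def reverse_channel_of(khz: int) -> int | None:
    """Reverse-channel number for a frequency in kHz, or None if not a mobile's channel."""
    k, rem = divmod(khz - 825_000, 30)
    if rem:
        return None
    if 1 <= k <= 799:
        return k
    if -32 <= k <= 0:               # 824.040-825.000 MHz: expanded channels 991-1023
        return k + 1023
    return None


@dataclass(frozen=True)
class TuneEvent:
    t: int                 # time of the confirming reading
    kind: str              # "acquire" (first lock) or "handoff" (channel changed)
    channel: int
    reverse_khz: int       # receiver 1: the mobile's side of the call
    forward_khz: int       # receiver 2: the landline side (plus echoed mobile audio)


def track(readings: list[tuple[int, int]]) -> list[TuneEvent]:
    """Turn (t, kHz) counter readings into tuning events for the two receivers."""
    events: list[TuneEvent] = []
    current: int | None = None      # channel the receivers are parked on
    candidate: int | None = None    # new channel seen but not yet confirmed
    run = 0
    for t, khz in readings:
        ch = reverse_channel_of(khz)
        if ch is None or ch == current:     # stray hit, or still on the tracked channel
            candidate, run = None, 0
            continue
        run = run + 1 if ch == candidate else 1
        candidate = ch
        if run >= CONFIRM:
            kind = "acquire" if current is None else "handoff"
            events.append(TuneEvent(t, kind, ch, khz, khz + DUPLEX_KHZ))
            current, candidate, run = ch, None, 0
    return events


# Constructed readings: a stray public-safety carrier, a mobile on channel 368,
# one stray hit mid-call, then a hand-off to channel 615.
READINGS = [
    (0, 855_000), (1, 836_040), (2, 836_040), (3, 836_040), (4, 851_000),
    (5, 836_040), (6, 843_450), (7, 843_450), (8, 843_450),
]

if __name__ == "__main__":
    for e in track(READINGS):
        print(f"t={e.t}s {e.kind:8s} ch {e.channel}: rx1 {e.reverse_khz / 1000:.3f} MHz, "
              f"rx2 {e.forward_khz / 1000:.3f} MHz")
```

With CONFIRM set to 2 the single stray reading at t=4 neither retunes the receivers nor loses the target, while the hand-off at t=6 is acted on one sample later; raising CONFIRM trades a little of the conversation at each hand-off for fewer false retunes in a busy 800 MHz environment.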
Under normal circumstances the Forward Voice Channel also carries the mobile user's own audio, echoed back from the landline side (called talk-around or side-tone), so both halves of the conversation can be heard on the forward channel alone. If the target is using a hands-free unit, however, there will be no talk-around, as it is suppressed to avoid feedback. The result is that one will hear only half the conversation, the landline party talking to the mobile, on the Forward Voice Channel. This is a problem if one's receiver cannot monitor the Reverse Voice Channel, or if one is too far from the target to hear the mobile's low-power transmitter.
Conclusion
For the cost of a good VCR or TV, one can listen in on cellular phone conversations and be able to track the phone's user as he goes about his/her business. Yes, it is illegal. Then again so are certain types of sexual activity, but I don't see that stopping anyone. From a practical standpoint the identification of perpetrators violating the cellular provisions of the ECPA is virtually impossible.
We all know that a law isn't going to stop people from listening to radio communications. Various totalitarian states have tried throughout modern history with no success. Nevertheless, the retailers of cellular telephone equipment continue to placate potential customers with the lie of "No one can listen in. It's illegal." As a result, users of cellular phones are misled into thinking their conversations are as secure as they would be over their home phone. They then say things which open them up to victimization by a very small minority of individuals who monitor cellular communications in order to find potential marks. I don't see this ending anytime soon.
Some might argue that by providing this information I've clued in certain miscreants who might go out and do just that. This might be true, but I've also clued in people who use cellular phones to the fact that what they say over the air isn't private at all.
If one wants to take the attitude that talking about something encourages it, then perhaps we should pass a law banning the media from talking about murders, drunk driving, and a whole other host of unpleasant things that we'd like to discourage everybody from doing.
I didn't think so.
Thanks go to Bernie S. for his assistance with this article.
References and Sources
Cellular Telephony by Brian Oblivion/Restricted Data Transmissions (RDT)
Cellular Secrets by Bootleg
The above g-files should be available on any decent H/P system.
Introducing Cellular Communications, The New Mobile Telephone System by Stan Prentiss, TAB Books
Network Wizards, PO Box 343, Menlo Park, CA 94026
Sells Oki Cellular Experimenters Kit.
Custom Computer Services, PO Box 11191, Milwaukee, WI 53211
Sells Digital Data Interpreter (DDI).
"You know your cellular phone conversations aren't private when you can pick them up with any old TV."