If the iPhone is actually off and not in sleep mode, how can it be remotely turned on if no software is running and network communications aren't even activated until the device boots?
Asked
Active
Viewed 1,197 times
7
-
6What makes you think they can? Any proof for that? – Dmitry Janushkevich Jul 02 '14 at 16:45
-
Are you talking about wireless communications through the microphone? – Andrew Hoffman Jul 02 '14 at 16:55
-
1In interviews, Edward Snowden claims they could remotely turn on your phone, and I have seen evidence but for some reason I can't find it. If I do I will put it up. – Phoenix Logan Jul 02 '14 at 16:58
-
I have not heard Snowden make this claim. What I have heard him say is that they can own your phone as soon as it connects to the network, which is hardly surprising. – Ari Trachtenberg Jul 03 '14 at 02:21
-
Related: [_Snowden: “The NSA can remotely turn on your iPhone.”_](http://security.stackexchange.com/q/59093/38377) – IQAndreas Oct 26 '15 at 16:19
3 Answers
10
You make some wrong assumptions : "how can it be remotely turned on if no software is running and network communications aren't even activated until the device boots".
There are two computers in your average smartphone, the one that you more or less control, running e.g iOS or Android, and a second one, the Baseband Processor, handling radio communication with the carrier network. It has its own processor, its own memory, its own operating system and what its exact capabilities are is usually a trade secret. You have no reason to think it is actually off if it actually has access to a DC source, in this age of non removable batteries it should be at all time unless the battery is completely drained. Presumably the NSA got a good relationship with the american makers of such chips (e.g. Qualcomm), with the expected consequences, but they will deny it vehemently. They also possibly planted or found exploit for many chips whose maker are less susceptible to direct influence (e.g. Korean and Chinese ones). Your cellphone (well, the part that you control) is never talking directly to the carrier network, it talks to its baseband processor.
There have been some attempts to reverse engineer some chips, see e.g. Reverse engineering a Qualcomm baseband but you are unlikely to find an obvious backdoor here, more likely a subtle, well hidden vulnerability waiting to be exploited but being plausibly deniable.
WTS, Faraday cage, good price.
Bruno Rohée
- 5,221
- 28
- 39
-
1One more point I think it's worth making: older phones usually can "turn on" if you set an alarm. Smartphones don't do that, but the capability is there. This is the simplest proof of concept that a phone is never "off", unless as you said the battery is flat or removed. The trick is to program the phone do to so in advance, which I'm sure most government agencies can do. While smartphones don't seem to have this capability, one could program the phone to pretend to go off. – lorenzog Jul 02 '14 at 19:17
-
Older phones usually had RTC (Real Time Clock) which was connected so that it was able to boot the hardware. Some newer hardware is skipping RTC because it costs too much and phone can "always" acquire the correct time from network. – Mikko Rantalainen Feb 21 '17 at 17:15
-
1There are actually more than two "computers" in a phone (rather, Operating Systems). The sim card (JavaCard) has another one, and bluetooth and wifi chips have their own advanced DSPs these days, which come pretty close. But the baseband processor RTOS is the biggest threat - and it tends to use DMA to speak with the main SoC - which means all your main OS protections won't help you if the baseband is hacked. https://www.osnews.com/story/27416/the-second-operating-system-hiding-in-every-mobile-phone/ – nyov Feb 27 '20 at 10:18
3
Paralleling Bruno's comment ... you have no way of knowing that the phone is actually off, unless you physically take out the battery or attach an oscilloscope to measure draw.
If it is infected with an appropriate malware, the phone could fool you into thinking it is off by turning off the screen and ignoring input (except the power button), while still listening to your microphone or the like.
Ari Trachtenberg
- 822
- 6
- 14
3
Because your question is broad, I will answer it broadly.
As with any system, there is never* complete security. For the sake of completeness, I will call the NSA 'hackers' (albeit a form of ethical hacking).
There are so many threat vectors that a hacker can exploit on a modern smartphone. Iphones in general are usually better protected than their brothers (Android, windows, etc phones) because of two main reasons:
- IOS does a better job at locking down key functions of the phone.
- Apple has a relatively small market share overall.
For all phones, there is a serious issue of supply chain and third party attacks because so much is delegated and decentralized. For instance, an Iphone (and all Apple products) are assembled in China. China as you may know has been accused of some serious cyber espionage in the past. Huawei for example has been alleged of installing backdoors to phones and pcs (read about it here). However, Hauwei retorts by accusing the NSA of the same (read here). Nevertheless, there is a third concern in these cases as it is possible that either 'spying' side could have been compromised as the NSA claims here. Furthermore, the recent target breach has brought some more awareness to supply chain threats in regards to third party vendors. Learn more about supply chain threats here.
What does this mean for mobile security you ask? Well a lot! When you talk on your phone, you have very little control over the custody of your phones integrity. The manufacturer may have intentionally or unintentionally installed maleware or a backdoor or any manner of things. Additionally, the manufacturer could have been breached themselves and if quality control does not detect the malware, the end user gets a hacked phone.
Additionally, your network provider could be intentionally 'spying' on your data as it's transmitted via their network (or more likely just passively collecting data). Also note that because most every data provider uses shared resources (like cell towers) ATT or Verizon may be able to 'see' your data even if you have a Sprint contract. There are so many threat vectors here but just like the supply chain, it is very possible that an 'honest' mobile carrier could suffer a breach and inadvertently disclose your data.
Now putting all of this together, you can see that hackers have many tools/vectors to operate on. With the resources the NSA has at its disposal, it is possible that they could hack into any* system -even your mobile phone.
Moreover, under various legislation and executive orders, the NSA could conceivably 'legally' request much of this data without having to resort to 'hacking'.
To answer the question of how a phone could be turned on remotely:
As previously mentioned, you -the end user, have very little ultimate control of your phone. With IOS especially, the user has only access to none-vital components and pretty much none of the physical (device level) components such as the kernel (what starts before IOS starts).
What this means is that Apple reserves the right (and has the technology/knowledge) to access these more key areas. With what I mentioned about how the NSA can hack into your phone, it is not that much of a stretch to think a hacker could gain access to these key levels.
A follow up question you might consider looking into may be "How does one adequately protect against sophisticated mobile threats like supply chain attacks".
update Technically speaking, it's not that difficult to turn a device on remotely. There are apps out there that perform what's called "Wake on LAN" functions or conceivably a talented hacker could create a malware version. As far as I know the IOS makes this very difficult, but not impossible.
To clarify, if your device is truly powered off, then there is no physical way for it to receive messages/commands nor can it run internal processes (like a wake timer). However, virtually no modern device ever completely turns off (under normal use) because there is usually at least some small internal power supply to help aid in 'starting'. Further, unless you designed/built your phone and have complete control over its software, there is no way to secure against possible backdoors (malicious or otherwise).
p.s. Do not despair, cyber security is like encountering a bear -you just have to run faster than everyone else and in today's world, there are still people that click on those Nigerian scams if you know what I'm saying ;)
Matthew Peters
- 3,592
- 4
- 21
- 39
-
5Personally, I wouldn't call the NSA ethical hackers, but that's just a matter of opinion. – Jon Jul 03 '14 at 03:24
-
I don't see how it's ethical in one way. It's accessing someone's phone without their knowledge or permission, and because of the secrecy of their policies, possibly even without a judge's permission. That's just my opinion. – Phoenix Logan Jul 03 '14 at 19:47
-
The term 'ethical' implies morality judgement call. The NSA is a part of the National Defense Structure, thus (assuming there is Congressional oversight) whatever 'spy' actions are performed are by and large deemed ethical as their end goal is to defend America. To put it another way, the NSA could be called a Penetration Tester (for the world). They were commissioned by the USA (by extension it's citizens) to essentially 'act like a hacker' just like a commercial pen tester would. – Matthew Peters Jul 07 '14 at 12:13
-
1The difference between a penn tester and the NSA is that the penn tester discloses his findings afterwards, while the NSA only tries to get in and the data out, leaving all the holes open for the next time (and for the UK/French/German/Chinese/Russian/Iranian agencies). – Alexander Dec 08 '14 at 08:30