A horror movie come to life
June 29, 2007 7:06 PM   Subscribe

For four months, the Kuykendalls, the Prices and the McKays say they’ve been harassed and threatened by mysterious cell phone stalkers who track their every move and occasionally lurk by their homes late at night, screaming and banging on walls. Police can’t seem to stop them. The late-night visitors vanish before officers arrive. The families say investigators have a hard time believing the stalkers can control cell phones without touching them and suspect an elaborate hoax. Complaints to their phone companies do no good – the families say they’ve been told what the stalkers are doing is impossible.
posted by daninnj (98 comments total) 14 users marked this as a favorite
 
My money is on all of this being caused by the teenaged daughter.
posted by mrbill at 7:08 PM on June 29, 2007 [2 favorites]


It's the rise of the machines.

Well, they had to start SOMEWHERE.
posted by IronLizard at 7:10 PM on June 29, 2007


It was me. But I didn't think they fucking freak out about it or anything.

Besides, she's lying...I said, "I prefer nectarines."
posted by baphomet at 7:11 PM on June 29, 2007 [2 favorites]


Get a MaciPhone.
posted by Alvy Ampersand at 7:17 PM on June 29, 2007 [1 favorite]


This seems like a lot of effort to go through to scare people. I guess the easy solution to the night banging is to have a cop stationed nearby, but I guess they'd probably figure that one out before the phone even got hung up!

Probably harmless, but what an involved sadist...
posted by invitapriore at 7:18 PM on June 29, 2007


Also, my money is that the person involved worked at/conned someone who works at a cell phone company.
posted by invitapriore at 7:19 PM on June 29, 2007


There's always that magical innovation known as "the land line" ...
posted by brain cloud at 7:19 PM on June 29, 2007 [2 favorites]


This does sort of strike me as the kid's doing.

I suppose its possible that a technically adapt psycho has decided to harass a girl and the people directly around her for no apparent reason -- possible, but unlikely.

I think its more likely that someone needs a little OMG ATTENTION PLZ!!!!!111!!!1 in her life.
posted by Avenger at 7:20 PM on June 29, 2007


Compromised switch.
posted by IronLizard at 7:20 PM on June 29, 2007 [1 favorite]


I just figured it was some poor bastard schoolmate of the girl that has some kind of inside track at a cell phone company.
posted by puke & cry at 7:25 PM on June 29, 2007


Sorta reminds one of the kids involved in the Salem Witch Trials.
posted by killdevil at 7:28 PM on June 29, 2007


My money is on all of this being caused by the teenaged daughter.

I parsed that as the "deranged daughter".



It's an interesting piece to be sure, though it certainly does seem like it would be easy to track down the cause. Has any one cut open any of the phones yet?
posted by niles at 7:33 PM on June 29, 2007


I would have thought that it wouldn't be possible to get this many people to go along with a hoax of this nature, but if they really were being harrassed/terrorized in this way, at least someone concerned would have just gotten a landline phone. Which apparently no one has. So I'm guessing elaborate, multi-person hoax.
posted by frobozz at 7:35 PM on June 29, 2007


Get rid of everyone's cellphones, you fucking birdbrains.
posted by flarbuse at 7:37 PM on June 29, 2007 [2 favorites]


The families and their friends have adopted a new routine: They block the cameras on their phones with tape. They take out the batteries to stop the calls

Whoa, those are some strong tactics. If my cell phone was watching my every move and started making creepy guttural noises on its own you can be sure I'd toss it into the nearest garbage heap.

I actually think whats going on is culturally interesting. In the sense that this, with minor details re-arranged, is what UFO stories are made of.
posted by vacapinta at 7:44 PM on June 29, 2007 [1 favorite]


It is both interesting and frightening that the old political adage, to treat any mic as an open mic, would seem to be becoming universally true.

Two things, however. Firstly, is it actually possible? I'd like to hear from some people who actually know about this sort of thing, to explain the technicalities of it. Secondly, what would be truly frightening about this is less its use to crazy or horrible individuals, and more the opportunity for invasion of privacy that it offers to governments. Of course, Big Brother is alive and well on the streets, but the idea that each of us has an open mic or two in our pocket every minute of the day seems to be a step forward (or back).

Of course, all advances in communications technology increase the possibility of surveillance, and there is a necessary debate about trade offs between different kinds of liberty; however, the idea that someone in an office on Millbank might be sat listening to me type right now is disturbing, to say the least.
posted by howfar at 7:48 PM on June 29, 2007


WTF? Smells funny to me somehow.
posted by malaprohibita at 7:50 PM on June 29, 2007


And by that I mean a hoax of some kind.
posted by malaprohibita at 7:51 PM on June 29, 2007


Seems a bit like this sorta thing.
Super Bluetooth Hack 1.07
posted by paxton at 7:51 PM on June 29, 2007


It's Mothman.

Here's an NBC interview. And we all know this is going to be some tool at her high school, right?
posted by Pastabagel at 7:52 PM on June 29, 2007


Listening to you type?

howfar's comment reminded me - wasn't there some big stink a few months ago about how "every" cell phone is a roving bug used to spy on the deeds of Joe Citizen?
posted by niles at 7:55 PM on June 29, 2007


niles, like I can type that fast!

odinsdream, cheers, I'll seek it out.
posted by howfar at 7:59 PM on June 29, 2007


It sounds scary.

It also sounds like an elaborate promotion of a new movie.

I wonder how it all ends?
posted by ashbury at 7:59 PM on June 29, 2007


I actually think whats going on is culturally interesting. In the sense that this, with minor details re-arranged, is what UFO stories are made of.

Viral marketing for the new UFone, competition for the iPhone.
Next: Y'allFone.
posted by weapons-grade pandemonium at 8:02 PM on June 29, 2007 [1 favorite]


THE CALL IS COMING FROM INSIDE THE PHONE!!
posted by daninnj at 8:03 PM on June 29, 2007 [7 favorites]


I've read about this on Websleuths, Something Awful and now MeFi and on each site the idea that the teenage daughter is responsible has come up early and often. Is this what attention seeking girls do now instead of banging cabinet doors and sending spoons flying across the kitchen telekinetically?
posted by Biblio at 8:04 PM on June 29, 2007


Note to self: When you start to feel like you're in a 'horror movie come to life...' you get rid of the scary doll/ leave the disturbing house/ stop using the possessed cell phones.

Of course, it'll turn out being more after-school-special than horror movie.
posted by tomboko at 8:08 PM on June 29, 2007


From a technical perspective there's nothing totally absurd about this story — cell phones are computers, after all, and it's easier to program a computer to lie to its user than to tell the truth. I don't know enough about actual cell phone firmware to say how easy these things would be in practice. But my money would be on the cell phones being at least partly a red herring. Maybe some cell phone hacking combined with old-fashioned under-the-eaves eavesdropping, a non-cellular bug, social engineering, or an insider (the daughter being the obvious suspect).
posted by hattifattener at 8:10 PM on June 29, 2007


How does that Bluetooth hack work? How well does it work? This could be an incredible prank.
posted by geoff. at 8:10 PM on June 29, 2007




Ah crap, the person has to accept the Bluetooth connection, which is what I figured. This is definitely a hoax though, too technically difficult without someone being in on it.
posted by geoff. at 8:19 PM on June 29, 2007


I really wish they'd given the models of the phones used, but I'm still betting on someone having/gaining access to their local switch.
posted by IronLizard at 8:20 PM on June 29, 2007


Sorta reminds one of the kids involved in the Salem Witch Trials.

I was thinking more "Blair Witch" than "Salem Witch", myself...
posted by inigo2 at 8:21 PM on June 29, 2007 [1 favorite]


It's a cry for help. The kind of help that can only be offered by the iPhone.
posted by Sailormom at 8:34 PM on June 29, 2007


i hadda come up with something after the whole duclod thing crapped out.
posted by quonsar at 8:36 PM on June 29, 2007 [7 favorites]


I don't know enough about actual cell phone firmware to say how easy these things would be in practice.

That would be somewhere between "bloody difficult" and "impossible" for the average hacker on the street. It couldn't possibly be done remotely, and even with physical access to the phone it really isn't possible for J. Random Hacker to modify the firmware in any meaningful way.

The phones I worked on contained multiple levels of security against unauthorized code modification. I'm not going to say what they were (and I don't even know what all of them were; they weren't even common knowledge in the firmware development team). What I will tell you is that it isn't just a matter of going in and modifying the FlashROM section where the code you want to change is located. If you do that, then after reboot the phone will display "Service required" and refuse to function.

That security is not in there to prevent things like this, though it would. It's in there to prevent cloning and other kinds of hacking that could make it possible for a phone to be used without paying a bill.
posted by Steven C. Den Beste at 8:39 PM on June 29, 2007


Here's a followup.
posted by Lusy P Hur at 8:42 PM on June 29, 2007


chappppp...stickkkkkkk!
posted by unknowncommand at 8:58 PM on June 29, 2007 [2 favorites]


This reminds me of when my family's phone--with four teenaged daughters abloom--was receiving heavy-breather crank calls around 1981. One sister single-handedly ended the harassment when she answered, "More baby, more, I love it, I love it."

Nobody called the news, and my sisters all got married and had kids really young.
posted by eegphalanges at 9:05 PM on June 29, 2007 [1 favorite]


Wait, did they change the numbers too, or just the phones?
posted by divabat at 9:11 PM on June 29, 2007


From Luzy P Hur's link:

“One of our tech guys who should be looking for child porn has spent 50 hours doing nothing but this."

Sounds either like a vicious attack on "tech guys", or a case of offender rehab gone badly wrong.

Whoever that poor guy is, I don't imagine he has many lighthearted chats about his working day with his friends.
posted by howfar at 9:22 PM on June 29, 2007 [2 favorites]


The followup article says they suspect a virus from myspace bulletins to download ringtones.

Rupert Murdoch owns Myspace.

WEB OF FEAR.
posted by Esoquo at 9:24 PM on June 29, 2007


This is pretty creepy. I'm looking forward to the real story getting revealed at some point.
posted by infinitywaltz at 9:27 PM on June 29, 2007


While baby-sitting a pair of local children, Courtney took them on an outing, said Darcy Price, her aunt. Courtney was carrying her phone so her mother could reach her. The lens of the phone’s camera was covered when the phone rang.

The caller said the stalkers knew where Courtney was, Price said. One of the children Courtney was watching, an 11-year-old girl, also had a phone. The stalkers called it, Price said, driving the child to fearful tears.



Okay. This seals the deal as bullshit.

I mean, okay, I suppose it's theoretically possible that someone could hack a cell phone and do some harrasing phone calls and voice mails.

But being able to somehow hack into the phone of a random 11 year old girl who just happens to be standing next to the victim? Thats some Matrix shit right there. Impossible Matrix shit, to be exact.

This is one of those moments where the police need to tell the family: "Look, we sympathize with you, but right now our only options are 1) Your daughter is crying out for attention or 2) You're being haunted by poltergeists and/or Machine Overlords from the Matrix. Either way, this is really beyond our jurisdiction."

I mean, really, what are the police supposed to do when presented with presumably impossible events?
posted by Avenger at 9:32 PM on June 29, 2007 [2 favorites]


Hey here's an idea.. take out the battery.
posted by MrLint at 9:46 PM on June 29, 2007


its a japanese horror film
posted by cazoo at 9:48 PM on June 29, 2007


to all the people commenting on how they should get rid of the phones, get land-lines, or get rid of the batteries, IT'S ALL IN THE FIRST ARTICLE!
posted by Snyder at 9:52 PM on June 29, 2007


The caller said the stalkers knew where Courtney was, Price said.

And Courtney didn't say: 'Where am I, assholes? Tell me!'
posted by ao4047 at 9:54 PM on June 29, 2007


and of course, it just doesn't occur to any one that they just ought to GET RID OF THE FUCKING CELL PHONES

just like it doesn't occur to us to just GET RID OF THE FUCKING A BOMBS

sometimes, i despair of the human race and its inability to get rid of shiny toys that are taking over our lives ... we're as bad as crows
posted by pyramid termite at 9:54 PM on June 29, 2007 [1 favorite]


It didn't OCCUR to anyone that IT'S fucking BIGFOOT in a fucking UFO using his PSYCHIC fucking POWERS because ELVIS is CONVINCED that the girl is THE ANTICHRIST? For God's sake, doesn't anyone else read the fucking Weekly World News? THINK, PEOPLE, THINK!
posted by stavrogin at 10:00 PM on June 29, 2007


to all the people commenting on how they should get rid of the phones, get land-lines, or get rid of the batteries, IT'S ALL IN THE FIRST ARTICLE!

keep the land lines, but use an answering machine ... or just leave the damn thing off the hook sometimes

after awhile these stalkers will find someone else to stalk

there was a time when we weren't always available by phone and just had to deal with the people in our vicinity if we wanted to talk to someone

now you'll have to excuse me ... i've got to take some geritol to perk me back up and you kids get off my damn lawn
posted by pyramid termite at 10:01 PM on June 29, 2007


Yeah, I figured it was either some screwed up classmate or a total hoax. I'm leaning towards hoax.
posted by puke & cry at 10:14 PM on June 29, 2007


Someone should in the dark at each one of the windows with a pellet gun. If the stalkers start banging on the windows, boom, face full o' pellets!
posted by papakwanz at 10:18 PM on June 29, 2007


Don't look at ME 'cuz I had NOTHING to do with it. Really. I'm incapable of the impossible anymore; hell, these days I can barely manage the incredibly likely.
posted by davy at 10:54 PM on June 29, 2007


Hear & Now on NPR spent about a half hour on the topic on Monday. The first guest is the mother of one of the girls. The last guest is a "security expert" who claims that this could be caused by a trojan horse embedded in a myspace page that could be loaded on the phone if the page was viewed in the phone's browser.
posted by pwb503 at 11:20 PM on June 29, 2007


My google-fu is failing me, but wasn't there a MeFi post not too long ago about "targeted individuals" - the people who thought that the government or scientists or what have you were watching their every move and doing things to fuck with them?

That's kinda what this reminds me of.
posted by Afroblanco at 11:22 PM on June 29, 2007


It seems possible to me, but the amount of expertise to pull this off seems amazing. Perhaps someone with intelligence training.
posted by parallax7d at 11:28 PM on June 29, 2007


It's all about oil.
posted by taosbat at 11:30 PM on June 29, 2007 [1 favorite]


I love that, despite the rampant anti-intellectualism that's swept the world a hundred-fold, people still think that something they can't personally conceive of must not be true.

Anyway, unless this involves everyone that's affected, realize that this must be a world of trauma for everyone else involved besides the perpetrator, be it the teenage girl or the mom or whoever.

As for finding the number of a girl standing next to another girl, if you're using Bluetooth to connect to one, isn't it a relatively easy task to discover whatever other devices are within range?
posted by setanor at 11:51 PM on June 29, 2007


And I don't mean to say that it's probably true, it just sets a bad precedent...
posted by setanor at 11:52 PM on June 29, 2007


From that girl's myspace:

THE NOTEBOOK! THATS MY FAV. MOVIE EVER!!! and ANY scary onez! i luv scary moviez
posted by setanor at 11:58 PM on June 29, 2007


and what has the Bush administration done about this?
posted by Cranberry at 12:01 AM on June 30, 2007


I'm betting it's the daughter, too. How many people keep their cell phone positioned just so to capture them as they slice limes in the kitchen? Unless their phones are equipped with fisheye lenses, how can the perp "see" everything he or she claims? If it is a real stalker he/she is peeking through windows, not cell phones.
posted by Oriole Adams at 12:06 AM on June 30, 2007


Honestly, the idea that one girl would go this far just for a little attention doesn't seem any more plausible than the techno-stalker theory. I mean, think about how profoundly twisted (and deeply resourceful) this child would have to be. She spends her days calling her family and friends in a deep husky voice threatening to murder them? She bangs on the wall of her own house in the middle of the night? She phones the 11-year-old kid she's babysitting even though she's standing right next to her? I just feel like this is too elaborate a hoax for one person to keep up on her own and too complex of a scenario for the whole family to be in on it together. My vote: the world is full of sickos and one of them is fucking with this family for shits and giggles.
posted by Help, I can't stop talking! at 12:23 AM on June 30, 2007 [1 favorite]


Oriole Adams said: How many people keep their cell phone positioned just so to capture them as they slice limes in the kitchen? Unless their phones are equipped with fisheye lenses, how can the perp "see" everything he or she claims?

That's an excellent point. I'm in agreement with those who suspect that the daughter is orchestrating most of this.
posted by amyms at 12:28 AM on June 30, 2007


It does seem like a hoax. But a friend of mine was stalked by a guy who had the most amazing powers to appear wherever she would be -- in a random subway station, all this crazy stuff. She changed her phone several times, no luck. She managed to get him to court, he'd almost convinced people that she was crazy... and then he let one detail slip, the judge asked him a few more questions and it all came out, and she got a strong restraining order against him. Over six months of her life on this and she felt she was lucky.

Still, those of you who mention poltergeist phenomena are I believe on the right track here. Note that polters are almost always associated with an adolescent girl -- just like here. One tends to believe that they are all hoaxes but, just like this, there are significant details that are hard to explain.
posted by lupus_yonderboy at 12:34 AM on June 30, 2007 [1 favorite]


So, do the Ghostbusters charge extra to clear infestations from an iPhone, or is that covered under AppleCare?
posted by IronLizard at 12:39 AM on June 30, 2007 [1 favorite]


Is it impossible to buy basic cell phones now? A phone that only makes and receives calls and has no camera or Bluetooth or anything else extra?

I'd check her neighbors -- any spotty boys living within Bluejacking range.
posted by pracowity at 1:07 AM on June 30, 2007


setanor wrote: "I love that, despite the rampant anti-intellectualism that's swept the world a hundred-fold, people still think that something they can't personally conceive of must not be true."

See, its not that I can't conceive of it -- because my imagination certainly can grasp the concept of omniscient-techno-boogeyman-stalking-my-family -- its just so ridiculously improbable as to virtually rule itself out.

Without getting into a MeFi Royal Rumble on the finer points of Epistemology, let me just say that while the possibility does exist that I'm not a real human, and am, in fact, a computer-literate houseplant by the name of Mr. Wibble, the probability of this being true is so low (judging from what we know about houseplants, computer-literacy, intelligence and so on) that we can pretty much rule it out with a certain degree of saftey.

Judging from what I know about teenage girls, stalkers, wireless technology (admittedly little) and human behaivor, I'm going to provisionally stand by my judgment above. If it does turn out that these families are being stalked by the All-Seeing Ghost of Prom Night Past, well, the eggs on my face.

I'm not holding my breath, though.
posted by Avenger at 1:26 AM on June 30, 2007 [2 favorites]


Stephen Beste: That may be true for some phones, but certainly not all of them. You can buy at least one model of mobile phone on ebay right now that come with modified firmware which effectively turns them into bugs which you can phone up at any time and hear whatever the phone can pick up, without the phone owner being aware of it.

Admittedly, the phone is question is a Nokia 3310, an older model. Newer models may be more difficult to hack.
posted by pharm at 1:52 AM on June 30, 2007


I knew that they made a big mistake canceling Veronica Mars.
posted by srboisvert at 2:29 AM on June 30, 2007 [2 favorites]


After listening to the NPR interview that pwb503 linked it seems like it's more likely to be some sort of myspace ringtone virus rather than a random teenage girl spending the enormous effort it would take to sneak around and do this personally. It's just not the sort of thing most teenage girls would do; it's much more haX0r style.
posted by AV at 5:42 AM on June 30, 2007


The caller said the stalkers knew where Courtney was, Price said.

Next him he calls, ask him if he knows where the WMD's are....
posted by NotMyselfRightNow at 6:16 AM on June 30, 2007


Are this family in any way related to John Markoff or Tsutomu Shimomura?
posted by PeterMcDermott at 7:13 AM on June 30, 2007


MetaFilter: buries the needle on the creepy meter.
posted by kirkaracha at 8:03 AM on June 30, 2007


I remember this. The kid is hiding in the barn.
posted by jimfl at 8:25 AM on June 30, 2007 [2 favorites]


In a thread over here, we note that the family in question lives in very close proximity to McChord AFB, which would appear to have an overabundance of hacking/jamming technologies. So, a jilted lover "borrows" some of daddy's air force toys, et voila. Or maybe not. It's near the the zenith of telecreepiness, regardless.
posted by moonbird at 9:31 AM on June 30, 2007


It has gone on far too long for it to be a hoax perpetrated by the 16 yr. old.
Once the authorities were called in and it continued I say that rules her out unless she is a provider of info. to the actual hoaxers.
The first thing the cops are going to have done is look at this from the 16 yr. old being part of a hoax angle.
Just imagine calling your local law enforcrment (unless you live in Mayberry) with a story like this. They'll spend a lot more time checking YOU out than your cell.
posted by notreally at 12:22 PM on June 30, 2007 [1 favorite]


What carrier do they have? If they have Tmobile, and someone has cracked into their My Tmobile web account, then even if the phone is confiscated, it should be possible to send texts from that number, using the web interface.
posted by honest knave at 1:27 PM on June 30, 2007


What I find mildly interesting is that only one person here seems to have considered that the cell phone might be a red herring, and he was ignored.

I'm with hattifattener, unless its a hoax, its vasly more likely that the stalker(s) are using a variety of spy gear and letting everyone think its the phones. It'd be much easier to use old fashioned bugs, a pair of binoculars, etc than it would be to try to do all that was described by cell phone; and that's assuming that its even possible to do it all by phone.

As for the incident with the 11 year old being babysat, it doesn't seem particularly remarkable. The stalkers would, if they're doing their job right, know who their victim was babysitting for and from there its pretty easy to look up the numbers for all the cell phones owned by that family. Yes, it'd be very difficult if not impossible to call person A, detect a nearby cell phone using person A's phone, and then call that nearby phone; this doesn't mean the incident didn't happen, it just means that if it did happen it happened through other means.
posted by sotonohito at 1:48 PM on June 30, 2007


Okay, who gave Wendell their cell phone number?
posted by misha at 1:54 PM on June 30, 2007 [1 favorite]


Maybe it's the same hackers that modified reklaw's hotmail account, cause he sure didn't!
posted by blasdelf at 3:02 PM on June 30, 2007 [2 favorites]


hell, these days I can barely manage the incredibly likely.

davy, you just need some zombo.com.
posted by quonsar at 4:05 PM on June 30, 2007


Still, those of you who mention poltergeist phenomena are I believe on the right track here.

Roger that, we have a code Whiskey Tango Foxtrot in thread 62510, all sanity units in the area are advised to respond ASAP...

Seriously, poltergeists? This story is batshit enough, we dont need any moon-batshit.
posted by baphomet at 4:50 PM on June 30, 2007


FYI, James Atkinson is the real deal. I've followed his work for several years, he's not easily fooled. Here's his bio & here's his company.
posted by scalefree at 6:41 PM on June 30, 2007


NPR story on the subject concluding with an interview with James Atkinson.

He says that this type of hacking is relatively easy to do, and puts it down to java-based viruses infecting web-enabled cell phones. One possible route of infection he cites is myspace guestbooks, where the signer says "click this link to my site" and doing so actually downloads code that mods your phone. At that point you've lost control and pretty much anything can happen.

He also says it is relatively straightforward, though expensive, to figure out what is going on by monitoring the network traffic between the phone and the and tower. There's just that one pipe, so you can see exactly what's happening if you have the right piece of equipment and the training to use it. (His price estimate for investigating this family's problem was $50K. His recommendation was that they buy s***-simple cell phones that don't have any capabilities beyond voice.)

He claims that this sort of thing is increasingly common and will only get more common and that the cell phone companies are well aware of it.

Of course, the most significant implication of the story is that it shows that the PopeSteve Jobs was right to not allow third-party apps onto the JesusiPhone.
posted by alms at 7:43 PM on June 30, 2007


[James Atkinson] also says it is relatively straightforward, though expensive, to figure out what is going on by monitoring the network traffic between the phone and the and tower. There's just that one pipe, so you can see exactly what's happening if you have the right piece of equipment and the training to use it.

James Atkinson is talking about TDMA. If their phone is CDMA, then it is very far from being straightforward to monitor network traffic using any kind of portable equipment.

For one thing, if you don't know the phone's ESN (and that is never transmitted so you can't pick it up) then you cannot form the long code mask, and that means your rake receiver won't produce a high enough EC/I0 for you to figure out what the phone and cell are sending to each other.

"There's just that one pipe" only there isn't. There's several pipes (several carrier frequencies) but even that isn't the issue. The problem is that the "pipe" is carrying 30 or more calls simultaneously, all mixed together. Teasing out the small part that you're interested in from the flood of stuff you don't want requires you to know a great deal -- and you don't know all of it.

I don't give a damn what his credentials are; he's full of it in this case.
posted by Steven C. Den Beste at 8:50 PM on June 30, 2007


Give me a couple pieces of Network General's fine wares, Sniffer Portable or maybe Sniffer Mobile, both with the Sniffer Voice module & the right place to put them, I bet I could pull it off. Granted, that's a lot more than just a couple teenagers with Icoms like it'd take for a TDMA setup. But Atkinson said it'd take maybe $50K so my gear falls within his budget.
posted by scalefree at 10:37 PM on June 30, 2007


SCDB: That makes sense, but can't you just tap the tower? Or somewhere else down the line? I mean, some computer somewhere has to know that Cell Phone X is calling Land Line Z - that's how it gets through, after all...
posted by niles at 10:47 PM on June 30, 2007


Also keep in mind that in the scenario under discussion, he would have access to the phones and to the tower. The phone users want to know what is going on, and the cell company should want to know what is going on, and law enforcement should be helpful.

Unfortunately, the cell company response was "the customer is not worth taking seriously" and the law enforcement response was "we don't know how to figure this out."

That was the context of Atkinson's remarks.
posted by alms at 6:42 AM on July 1, 2007


Heh.

People need to stop thinking of the cell networks as some magic land of happy security. They're not.

Steven -- sure, CDMA is going to be a pain to decode. But GSM isn't exactly rare in this country. One of my friends has actually been writing an open source GSM decoder -- note that Wireshark already had support for doing the decodes, he's just doing it with cheaper gear.

And anyway the best way to attack a cell phone is to hit the userspace portion of flash via MMS, see this link. OK, not entirely true, if you can impersonate a tower you can do all sorts of evil things, but MMS attacks have the advantage of giving you a complete path to a remote image parser. It also doesn't particularly care about CDMA vs. TDMA.

Regarding phone records -- I actually have no idea if spoofed Caller ID shows up on billing records. I suspect it does.

Regarding the phone turning on -- secure facilities require the battery to be removed. I don't know if phones that are off can be turned on via radio, but I believe on many phones the alarm functionality can turn the thing back on, so an interrupt is firing somewhere. Also, even an "off phone" needs to poll the on switch. Once you have control over the software, the phone really is yours to control.

Now, I'm not saying this particular case is legitimate or not. That this attacker actually showed up in person is the big thing I'm bothered by -- why be this technically savvy and expose yourself in person? Still, a couple of you are pretending that you know this is impossible, and (speaking as a professional security researcher) we break into the impossible-to-hack systems quite regularly. The problem is assumptions -- people assume bad guys will attack the parts of the system they secured. Bad guys don't care what you've secured, except to know to try somewhere else.

Now, the MySpace fear-mongering sounds a bit strange. MySpace reformats all images and doesn't allow Javascript. Now, there are some awful HTML parsers out there, but really, why lure the kid to MySpace when you can just send a malicious MMS? But then, there's a wild amount of anti-MySpace hype going on out there.
posted by effugas at 7:41 PM on July 1, 2007 [1 favorite]


Steven,

Wait, you're claiming the ESN has some sort of radio encryption properties? How exactly does the phone negotiate the spread spectrum sequence with the tower, which presumably doesn't know all the possible phones it'll talk to in advance?

Anyway, I took a look at ESN's -- according to Wikipedia, ESN's are 32 bits long, with only 18 actually being unique. Since that only provides 262K possible numbers, apparently they migrated CDMA to MEID's. Here, we have apparently 24 bits of entropy, randomly distributed via SHA-1. These 24 bits are, as you say, used to choose the PLCM.

OK. So suppose I can't just pick the PLCM out of the initial negotiation packets. There are only 16M possible PLCMs, and on average I'll guess the right one after 8M attempts. That's a 2^23 effort.

Oh n0z. We crack 2^40 problems in a matter of seconds, and that's literally more than a hundred thousand times more work. Sure, I've got a larger work effort per attempt, but not that much larger. This sort of spectral analysis should parallelize nicely.

Software driven radio has changed the name of the game, Steven. It really is one pipe now.
posted by effugas at 9:47 PM on July 1, 2007


A few thoughts:

- Not getting too deep into the geek side of it, yes, all this is technically feasible. Probably not just mobile-phone phreaking, but a combination of electronic surveillance techniques and good, old fashioned spying in the dark. The stalker claims it's all phone tricks to throw the hounds off his trail, and to make himself seem more terrifying and powerful. If I were the cops, I'd be packing the families' PCs off to the forensics lab soonest. Especially the ones with webcams.

- This guy is next-level serious, and next-level crazy. He's well funded, well equipped, smart as all hell and singleminded in his pursuit. This will end in blood and tears unless he is found and soon. It's beyond disturbing he's widened his scope to another girl fitting the profile of his first target. Why show up in person? He wants to terrorize in person, get the thrill of physical power. He's clearly building up to what he really wants to do, and that's beyond scary. Stalking is a behavior that can lead to murder in the right circumstance. This is one of those circumstances.

- Cops can sniff out a hoax. They're nasty and suspicious and good at leaning on idiots being idiotic to get them to quit it. I'd be willing to bet they made her life more miserable than the stalker for a few days before coming around to believing her. Not a hoax.
posted by Slap*Happy at 9:55 PM on July 1, 2007


Wait, you're claiming the ESN has some sort of radio encryption properties? How exactly does the phone negotiate the spread spectrum sequence with the tower, which presumably doesn't know all the possible phones it'll talk to in advance?

In IS-95 there is what is known as the "long code mask". It's built out of the ESN. The phone knows what the ESN is. During registration the phone sends its MIN (essentially, its phone number) to the cell, and the cell system consults a database to retrieve the ESN. (If the phone is roaming, the roaming cell system sends a request to the home system and retrieves the ESN from it.)

The ESN itself is never transmitted. (And just to forestall questions, the long code mask is used on traffic channels but not on the paging channel. The long code itself is not used on the pilot or sync channel.)

The long code mask is used to modify the long code, one of the pseudonoise patterns used on RF link. If you have the wrong long code mask, or don't use it at all, then you get a drastically increased chip error rate, which reduces the S/N ratio in the rake receiver by several dB. Since the system tunes transmit power so that the S/N ratio is barely adequate with the long code mask known, it means that if you don't know the long code mask then you won't be able to reliably decode the signal.

This was included in the system in order to discourage phone cloning, where a phone would be reprogrammed to pretend to use someone else's phone number. In that case, the phone sends the illicitly-changed MIN during registration, and the phone system retrieves the ESN of the phone that legitimately carries that MIN. The cloned phone uses its own ESN, and that means the phone and tower disagree about the long code mask -- which degrades the signal and makes the cloned phone not work properly. (Note that I'm simplifying this for explanation purposes.)

But it also serves as a security measure against people trying to intercept calls by monitoring the RF link.
posted by Steven C. Den Beste at 12:04 PM on July 2, 2007


Effugas, I am limited in what I can discuss because a lot of the information is proprietary. Certain things (e.g. the long code mask) are public knowledge and those I can talk about, but even if you think you can solve those problems (and it isn't as easy as you think it is) that doesn't mean you've proved it can be done.

But I can't show you why without violating my professional ethics. What I will say is this: there are very good reasons why technical experts are poo-pooing the idea of the cellphone being hacked into a remotely controlled spy-bot.
posted by Steven C. Den Beste at 12:09 PM on July 2, 2007


Steven--

I don't give a damn what his credentials are; he's full of it in this case.

That's pretty harsh. When you're not entirely correct, and especially when you have to resort to "I'd have to violate my NDA" style comments, it verges on problematic.

The ESN provided security in the pre-SDR era. When you actually had to choose which frequencies to tune into, you had to get the jump sequences right. You don't anymore; you really do just record the entire range and extract what you're looking for. Against such an attacker, the 24 bits of entropy provided by the pESN is irrelevant.

Obviously there are other layers of protection -- GSM has A5/3, and I assume something similar exists in CDMA nets. But the layer of protection you did bring up does not actually work.

Still, I don't think the attacker (presuming there is one) went after the phone at the CDMA layer. MMS is just so much easier. When you said:

The phones I worked on contained multiple levels of security against unauthorized code modification. I'm not going to say what they were (and I don't even know what all of them were; they weren't even common knowledge in the firmware development team). What I will tell you is that it isn't just a matter of going in and modifying the FlashROM section where the code you want to change is located. If you do that, then after reboot the phone will display "Service required" and refuse to function.

...I think you've really failed to recognize the modern era of attacking complex systems. Why go after the firmware, which is protected as you say, when I can just hit one of the image parsers? I send a single MMS, which overflows and gets code execution (as demonstrated publicly last year), and then I set the default background to the same image so it pops up on every hard reset. Done. I now have a persistent cell phone exploit, and I didn't hit your Service Required message.

I wouldn't be this harsh on you, but you did straight up attack this guy as incompetent. Clearly you know the cell world, of that there's no doubt. If I told you how radio propagation worked, there'd be a problem. You're telling me what I can't break. What we're finding out is that making unbreakable systems requires an entire culture shift in terms of development. I don't think this shift has hit the cell world yet.
posted by effugas at 1:06 PM on July 2, 2007


Effugas, there's no way some local stalker will have gone to the degree of effort required just so he can hassle the family of a girl he thinks is cute.

That was the point.

Of course you're right that if the NSA wanted to apply its full abilities to the problem, they could do it. But they wouldn't be using it to terrify a family in this way with silly threats.
posted by Steven C. Den Beste at 6:08 PM on July 2, 2007


Steven,

My friend decoding GSM ain't exactly working for the NSA, and the kids who 'sploited Yet Another Image Parser weren't feds. Look at the new scene like -- well -- cell phones have gotten powerful enough to run Win95, with all the security implications therein.

Again, I don't mean to be harsh. Everything's gotten a lot easier than it used to be. Even finding bugs is easier -- fuzzing has turned the fine art of binary disassembly into "throw a bunch of crap at it until it breaks".

Things change :)
posted by effugas at 7:12 PM on July 2, 2007


« Older Six degrees of Typhoid Mary. And that's just the...   |   Talking Moose lives. Newer »


This thread has been archived and is closed to new comments