I wrote this almost a decade ago, on Usenet alt.phreaking. I just stumbled across it again and decided to revise it heavily. It can use further improvements. For one, the advance in phone switch technology since the late 90’s includes the massive increase in VOIP (voice over IP) switching, and the forward march in traditional UNIX-based Electronic Switching Systems. And two, the general increase in knowledge of telephony.
In any case, for the paranoid, and technically interested out there, if your curiosity was piqued by movies like 7 days of the Condor, or Clear and Present Danger, here you go. Enjoy.
Disclaimer, this is based on what little knowledge I have of telephony technology, it is a very broad topic and can be approached in various ways. More knowledgeable readers are welcome to post corrections to my assertions.
Consider this to be a work of creative science fiction, or detective thriller fiction a la “The Pelican Brief.” I do not advocate committing any activities described herein.
A reader may need to communicate something that is legal but unpopular, that reader should realize the degree to which her activities can be monitored, and creatively think of ways to legally communicate safely.
What she communicates may be important for the whole of society. Or it may be for her physical safety, to prevent blackmail, to prevent a crime, to prevent others being endangered.
What she wishes to communicate may involve the crimes of others, crimes that endanger her community, her municipality, her state, or her nation. The media, journalists, and law enforcement authorities may not be aware of such crimes and her anonymous tip-offs may save lives and communities. They could be ecological crimes, or even matters of conspiracy and terrorism. Her opponents could have deep pockets and resources.
She may, therefore, in a work of fiction, say a thriller, find herself in a bind needing to communicate by voice securely…
The fact is that, in today’s world, it is possible for even innocent people to wind up in situations where they need to communicate securely. Let’s say they have an abusive spouse or partner who is connected to “heavies”, or let’s say they live in a non-Western totalitarian country, where they are simple peaceful freedom activists and find a collectivist totalitarian regime breathing down their necks.
Or let’s say one is a fiction writer, writing a thriller and wishing to give a realistic portrayal of certain matters. Well, look no further; the below is a guide for you. 1001 ways to trace a phone call, or less.
Phone calls are traced in a number of ways. On modern Lucent ESS or Nortel DMS switches the originating number of a call and its destination number remain in the switch’s scratchpad memory for the duration of the call, and then both are written to AMA tapes for billing purposes. There is also a way to pull up this information for specific calls in progress while logged into a control console.
For calls outside of the area that your phone company’s central office serves:
Every call placed generates an ANI message. On older networks ANI is transmitted via MF tones (KP-I-ANI-ST); such networks are almost extinct in the USA, though a couple still float around in extremely rural areas.
On more modern SS7 networks (the norm in most of North America) it’s transmitted via high-speed data links. The destination phone switch receives the ANI for your phone line, so tracing you is a simple matter of looking this up. THIS IS HOW CALLER ID WORKS: CLID simply displays the ANI readout received by your phone switch from the remote call (OK, CID is much more complex than this; I’ll write up something on CID and ANI some day). On your local phone switch this can be read, again, from an operator’s console in seconds. Anyone, authorized or not, with master keys to Bell central offices can easily get access to these consoles and log in, if they have the credentials to do so.
If you are a habitual paranoid and take steps to bounce your phone call through multiple switches, for example if you are an authorized (or unauthorized) user of a few WATS extenders – say… a cheap prepaid calling card, or an authorized user connecting to a PBX’s inbound port and dialing out through its DISA feature (or you are an unauthorized user who hacked an access code to the same), then in some cases you can defeat your ANI being transmitted, because in many cases WATS extenders will not transmit the ANI of your incoming call; what will be passed instead is the ANI of the system that you are dialing out from. So a simple ANI trace will stop at the outbound port of the WATS extender you are coming from. This is trivial to get around for a tracer with authority: she will just start the trace from the phone switch that serves the actual physical line the WATS number is mapped to. That phone switch may still have your originating number in its memory, or it may be retrieved from billing tapes or hard disk.
A way of obfuscating your trail here is to dial out through multiple WATS extenders. Basically, you daisy-chain cheap phone cards and company PBX systems reached through 1-800 numbers. This increases the workload of anyone trying to trace you, and in case some of these systems DO transmit your ANI, the probability of it getting stopped somewhere down the line increases.
It should be noted that calling into and daisy-chaining twenty 800-number outbound calls is a large expenditure of your time, and if you are doing this you are either pathologically paranoid, or up to things you really, really ought not to be.
One switch somewhere in the chain WILL have the number for your phone line; it is simply a matter of finding the line’s ID and getting someone to locate it on your central office’s main distribution frame (assuming that the line is not bridged to another line on the frame).
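To make the point about extender chains concrete, here is an added simulation (my own example, not part of the original post): every switch writes a call-detail record for each leg it handles, an extender that strips ANI presents its own outbound port’s number downstream, and the tracer walks back hop by hop, correlating on time, from the switch serving the called number to the switch serving each extender’s inbound line. All switch names, phone numbers and extenders are constructed.

```python
"""Constructed simulation of an ANI trace through daisy-chained WATS extenders.

Added example, not from the original post. Every switch ID, number and call
record here is made up. Each switch keeps a call-detail record (CDR) for every
leg it handled; an extender that does not pass the inbound ANI replaces it with
the ANI of its own outbound port, so the tracer must hop to the switch serving
that extender's inbound number and correlate records by time.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CDR:
    switch: str    # hypothetical switch that recorded this leg
    calling: str   # ANI presented on the leg
    called: str    # number dialed on the leg
    t: int         # seconds since start of the simulation


@dataclass(frozen=True)
class Extender:
    inbound: str       # 800 number the caller dials into
    outbound: str      # ANI of the extender's outbound port
    passes_ani: bool   # whether it forwards the caller's own ANI downstream


def cdrs_for_call(origin: str, dialed: str, hops: List[Extender], t0: int,
                  serving: Dict[str, str]) -> List[CDR]:
    """Generate the CDR each switch along the path would write.
    `serving` maps a number to the hypothetical switch that serves it."""
    records, ani, t = [], origin, t0
    for ext in hops:
        records.append(CDR(serving[ext.inbound], ani, ext.inbound, t))
        if not ext.passes_ani:
            ani = ext.outbound   # downstream only sees the extender's port
        t += 5                   # a few seconds to enter PIN and dial
    records.append(CDR(serving[dialed], ani, dialed, t))
    return records


def trace(records: List[CDR], dialed: str, t_seen: int, window: int,
          by_outbound: Dict[str, Extender], serving: Dict[str, str]) -> List[str]:
    """Walk the chain back from the called number. Returns the ANI found at
    each hop, ending with the originating line if the records allow it."""
    found, target, t = [], dialed, t_seen
    while True:
        sw = serving[target]
        legs = [r for r in records if r.switch == sw and r.called == target
                and r.t <= t and t - r.t <= window]
        if not legs:
            return found               # trail goes cold (records purged)
        leg = max(legs, key=lambda r: r.t)   # latest inbound leg before t
        found.append(leg.calling)
        ext = by_outbound.get(leg.calling)
        if ext is None:
            return found               # an ordinary line: the origin
        target, t = ext.inbound, leg.t # hop to the extender's inbound side


# Constructed network: which hypothetical switch serves which number.
SERVING = {"212-555-0100": "sw-nyc-1", "800-555-0001": "sw-800-a",
           "800-555-0002": "sw-800-b", "703-555-0199": "sw-dc-3",
           "614-555-0111": "sw-col-1", "415-555-0122": "sw-sf-2"}
EXT_PASS = Extender("800-555-0001", "614-555-0111", passes_ani=True)
EXT_STRIP = Extender("800-555-0002", "415-555-0122", passes_ani=False)
BY_OUTBOUND = {e.outbound: e for e in (EXT_PASS, EXT_STRIP)}


def demo(hops: List[Extender]) -> List[str]:
    """Place a call from 212-555-0100 to 703-555-0199 through `hops`, then
    trace it back starting from the called party's switch."""
    recs = cdrs_for_call("212-555-0100", "703-555-0199", hops, 1000, SERVING)
    return trace(recs, "703-555-0199", recs[-1].t, 30, BY_OUTBOUND, SERVING)


if __name__ == "__main__":
    print(demo([EXT_STRIP]))            # ['415-555-0122', '212-555-0100']
    print(demo([EXT_PASS, EXT_STRIP]))  # same origin, one more hop is never needed
```

Whether an extender passes or strips ANI, the origin comes out as long as the switch serving the stripping extender’s inbound number still holds its record; the trace only goes cold if that one switch’s records are gone, which is the retention point the post is making.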
This is the case for LAND LINE CALLS. All land lines, if not from inside a PBX or VOIP, terminate on an MDF (main distribution frame), a massive rack of phone line terminations: the pair stretches from your house to your neighborhood’s little distribution box (those cute green metal or plastic cans by the roadside), is then trunked to your local central office, and from there goes up to the frame.
Someone very paranoid, and very criminal in intent, can physically bridge a line at their neighborhood’s distribution box, and then at the central office itself, using a tone box to generate a test tone that can be traced by hand. Among several million wires, someone finding this would be difficult, if they were even looking for it.
It also involves a degree of technical knowledge and committing certain felonies that one is advised not to commit. So, do not do it.
Wireless calls are absurdly easy to trace.
For cordless phones, if one has an idea of where you are transmitting from, one simply triangulates using directional Yagi antennas, cut for the frequency of the phone, connected to some sort of transceiver or spectrum analyzer. Since a cordless phone is connected to a land line, you have the physical traceability above, plus the ANI transmission, which gives someone a good idea of where you are physically.
Now an enterprising person COULD patch into someone else’s landline; in old urban apartment buildings this is trivial given basement access. One gains building access, goes to the basement, finds the 100-year-old patch panel, hooks up a modular cable with alligator clips at the end to any random line, finds a power source for the cordless phone unit, secures it somewhere, goes somewhere close by where one can be unobserved, and dials away.
There are ways to do this with so much subtlety that even a physical inspection would take hours to yield anything of worth. A hint? Anything that conducts an electrical signal can be used to bridge lines: you have a cable pair, one wire is “tip” and the other is “ring”, so two discrete conducting paths can lead to another physical location.
Signal loss will occur as distance increases. It should be noted that one can, in a large building, find several lines that are dead and daisy-chain through them, through other conducting material, a real distance away.
An opponent who is able to physically trace the matter back to its origin may or may not expect a cordless operation in place, and may simply assume the physical destination is your location. This tactic at best buys one time. Anyone expecting a cordless phone in operation simply has to triangulate you from there.
Spread Spectrum technology can buy one additional time. An electrical engineer or competent hacker could use their imagination to create boxes using spread spectrum technology based on the guts of cordless phones to devise something that could be bridged over multiple locations.
With some time this scheme can be easily traced, and even if the perpetrator was long gone, well, see my end notes below.
Cell phones are absurdly easy to trace.
Either by officials or by non-official opponents. Beyond surplus cell site transceiver equipment, there are now dedicated CDMA and GSM tracing boxes on the market. They are generally under $40,000 per unit, so an organization with official clearance can buy one with ease. A criminal organization can simply import them from another country.
With such devices one can determine which cell a person is in from the diagnostic messages generated by the network. Since urban cells are often very, very small (you may have multiple towers within just a 4 or 5 block radius, or even closer in dense cities), simply knowing the cell you are in places you geographically in a very, very small area. If you are on foot or otherwise mobile, as you pass from cell to cell this in effect records the direction of your movement.
So know a person’s cell and you roughly know their physical location, down to a couple of square miles or even to a quarter mile. From there, one simply uses directional antennas and signal strength meters to narrow in on the transmitting signal.
Since I originally wrote this article, other advances have occurred. For one, analog cell technology is dead; only GSM and CDMA rule. Even rural areas have an impressive cell tower density, making it trivial to locate your physical location within a couple of square miles out in the sticks; urban cell tower density is to the point of absurdity (given suspicions of grave health effects from the type of RF radiation cell towers emit), and recent legislation with E911 guarantees that every cell network broadcasts your EXACT location, even if your phone is turned off. The only way to evade this is to physically remove the battery (and given that it is trivial to turn most modern cell phones into a room monitoring mode, which in effect makes them into a listening bug, EVEN IF THE PHONE IS OFF, prudent users may be advised to think well about what they discuss in a room with cell phones physically present. Hint, bloody hint?)
Satellite phone calls are also not difficult to locate *with* the right equipment. The “right equipment” will tend not to be in the private sector, so this is something one only has to worry about if one is pissing off a government.
In the early 1990s this was how the hero of the Chechen resistance fighters, Dhokar Dudayev, was killed. He was transmitting from an Inmarsat terminal and remained on his phone just a few seconds longer than he should have, which gave the Russians the opportunity to lock onto his signal’s frequency and fire an anti-radiation missile at him. What such missiles do is home in on sources of strong RF energy, such as microwave transmissions. They are used to take out radar terminals, and, well, satellite phone users.
The US government reportedly tried to catch Usama ibn Ladin with similar techniques, several years ago. Reportedly without success. But then again, one never knows, after all, has anyone actually seen the bloke in years? No.
The bottlenecks at which a satellite phone call may be traced or monitored will depend on the destination. Your satellite phone transmits directly to a satellite transponder in orbit; this signal is then transmitted to an Earth station, whence it is modulated and re-transmitted to a satellite transponder, whence it is in turn transmitted to the destination satellite phone handset. “Man in the middle” monitoring attacks can occur at the Earth station, or by anyone with appropriate decoding equipment and software and an antenna cut to the transponder’s frequencies, if they are within that transponder’s “footprint”.
VOIP Phone Calls.
VOIP tracing is so trivial that I will not even bother explaining it. One phrase: “packet sniffer installed at your local ISP.”
Given that anonymous Wi-Fi networks are everywhere in urban areas, and that someone using a non-Windows-based laptop with appropriate VOIP software, a microphone, and encryption software can turn their laptop computer into a highly secure phone, there may be creative possibilities for the clever thinker here, especially combined with other physical techniques.
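To show why a sniffer at the ISP is enough, here is an added example (mine, not from the original post) that parses a constructed, unencrypted SIP INVITE the way a passive sniffer would and pulls out what it reveals: caller and callee identities, the caller’s IP address, the media IP and port, the codec, and whether the audio stream itself is negotiated as plain RTP or SRTP. The packet, addresses (documentation ranges) and names are all made up; nothing here is captured traffic.

```python
"""Constructed example: metadata a passive sniffer reads from cleartext SIP.

Added example, not from the original post. The INVITE below is made up; the
IP addresses come from the 192.0.2.0/24 documentation range. With SIP over
UDP/TCP and plain RTP, everything this parser extracts is visible to anyone
on the path (for example at the ISP). SIP over TLS hides the signaling and
SRTP (transport "RTP/SAVP" in the SDP) protects the audio.
"""
import re
from dataclasses import dataclass

SAMPLE_INVITE = (  # constructed packet, not a real capture
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.17:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.17\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.17:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 122\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.17\r\n"
    "c=IN IP4 192.0.2.17\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

_SIP_URI = re.compile(r"sip:([^@>;\s]+@[^>;\s]+)")      # user@host inside a SIP URI
_VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")     # IPv4 host in a Via header


@dataclass(frozen=True)
class CallMetadata:
    caller: str
    callee: str
    caller_ip: str
    call_id: str
    media_ip: str
    media_port: int
    codec: str
    rtp_encrypted: bool     # True when the SDP negotiates SRTP (RTP/SAVP)
    content_length_ok: bool # header agrees with the actual body length


def parse_sip_invite(raw: str) -> CallMetadata:
    """Extract the identifying fields a sniffer sees in a cleartext INVITE."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:                      # "Name: value" -> lowercase name
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    sdp = {}
    for line in body.splitlines():              # "k=value" lines, repeated keys kept
        if "=" in line:
            k, v = line.split("=", 1)
            sdp.setdefault(k, []).append(v)
    m_fields = sdp["m"][0].split()              # e.g. ["audio", "49170", "RTP/AVP", "0"]
    codec = next((a.split(None, 1)[1] for a in sdp.get("a", [])
                  if a.startswith("rtpmap:")), "unknown")

    return CallMetadata(
        caller=_SIP_URI.search(headers["from"]).group(1),
        callee=_SIP_URI.search(request_line).group(1),
        caller_ip=_VIA_HOST.match(headers["via"]).group(1),
        call_id=headers["call-id"],
        media_ip=sdp["c"][0].split()[-1],
        media_port=int(m_fields[1]),
        codec=codec,
        rtp_encrypted=m_fields[2].upper() == "RTP/SAVP",
        content_length_ok=int(headers.get("content-length", "0")) == len(body.encode()),
    )


def exposure_summary(meta: CallMetadata) -> str:
    """One-line statement of what an on-path observer learns from this INVITE."""
    audio = "audio encrypted (SRTP)" if meta.rtp_encrypted else "audio in the clear (RTP)"
    return (f"{meta.caller} at {meta.caller_ip} is calling {meta.callee}; "
            f"media on {meta.media_ip}:{meta.media_port} using {meta.codec}; {audio}")


if __name__ == "__main__":
    print(exposure_summary(parse_sip_invite(SAMPLE_INVITE)))
```

The parser is deliberately limited to IPv4 hosts in the Via header and to the first media line; the point is that identity, location (IP) and the audio endpoints are all in one unencrypted packet, so the “encryption software” the post mentions has to cover both the signaling (SIP over TLS) and the media (SRTP) to deny an ISP-level sniffer anything useful.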
So Neo, the lesson learned ?
Do not piss off large organizations to the point that they are motivated to try to find you?
No, the other lesson.
Well, in today’s world, you have less privacy than ever before. And given that the current generation has been socially engineered to simply accept this, the odds of this trend increasing on simple social grounds are high. Most modern wireless devices are quite promiscuous about leaking information about you, your location, and your activities to the entire world. Everyone loves a slut, or rather everyone loves using a slut, but slutty communication devices give away your location and activities with absurd ease.
You can’t hide very well online without going through non-trivial methods of operational security, and all but very few calls can be traced to your physical location, given enough time and persistence.
Even if you are long gone, in England, former land of the world’s most docile and meek free, CCD cameras in urban areas number in the millions, so just like the movie the Matrix, you are almost always on film somewhere. And in the USA, things are rapidly reaching a similar pitch in certain cities because anything the British do, we tend to do rapidly thereafter. The Canadians are a foregone conclusion because they are habitually almost as docile as the British (with real exceptions) so the probability of unpopular activities being caught on film, tape or flash memory, somewhere, is immense.
In today’s society the need to prevent crime and terrorism, must be balanced with the need for privacy and anonymous non-violent dissent, something our society was based upon. This is why voting is an anonymous activity. Peaceful, legal, dissent without immediate repercussion creates a free and thriving society.
We abandon this to our peril. Security and freedom both are priorities, if we are to live not in “The Matrix” or a world like the movie “Blade Runner”, then we must not allow security to trump privacy and freedom of expression.
We the people must keep our noses clean, and obey the law, but at the same time, simple non violent dissent must not be penalized. Once this happens then we are on a slippery path towards criminalizing any expression of opinion that is unpopular, and this is how tyranny reigns.
So there you go, this is how they do it in the movies and in real life (in a dumbed-down way).