I got my first cell phone (Ericsson GA628) when I was 8 years old. Cell phones were just for business people in those days. The rest of us used phone booths, which were handy, and I thought they were fascinating (perhaps that should have been my first clue).

I had connectivity long before HTML was around. Usenet was king, and the notion of a worldwide community connected through the sharing of information and ideas was a distant dream realized for me. I learned about John Draper, Captain Crunch, and the 2600 Hz whistle from a cereal box that he used to take the telephone network for a ride, exploring a telecommunications architecture never meant to be explored.

That stuck with me: how a system so intricate, designed by engineers for one specific purpose, could still be pried open by anyone who had a mind to. That inquisitiveness is the seed of everything interesting I have learned about technology since.

And that leads us to your phone: the second computer you carry everywhere.

To most people their phone is one device, one OS. It isn't. In every modern smartphone you will find at least two different computers. The application processor runs the OS you see, Android or iOS or whatever else you liked or were given, but the baseband processor sits behind a wall and runs its own firmware entirely on its own. Often that firmware is not even open source.

In most phones nowadays these two CPUs sit in the same package, assembled on the same chip. That makes things easier for manufacturing, and for surveillance and security research, but the latter two communities are not satisfied with this situation.

The baseband processor is responsible for everything related to cellular communication: voice calls, sending and receiving SMS, mobile data, network registration, location services. It constantly communicates with cell towers. It knows things about your physical location that your application processor never sees, because it does not need to.

What the modem actually knows

My dad explained triangulation to me when I was young. You find out where you are by cross-checking the strength of the transmissions you receive from different locations. I was amazed. A wireless network covering the entire country, every connected person located to within several metres, and we're obliviously living in it.

That fascination has grown to be more complicated.

The AT command set is the way we speak directly to the modem. Before the internet became what it is today, it was a dial-up network. The AT command set was designed for dial-up modems and extended over the years to cover everything a cellular modem can do. On a phone with proper root access, such as one running Sailfish OS, you can open a terminal, find the modem's device node and talk directly to the hardware.

What you get if you ask the modem nicely is: the current serving cell, cell ID, location area code, signal quality (in more detailed metrics than most people know exist), timing advance (how far you are from the tower, accurate to a couple of hundred metres), and the list of neighbouring cells your phone is monitoring in case it has to hand you off.
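The conversation described above, as an added example that is not part of the original post: a small Python parser for the standard 3GPP TS 27.007 replies a modem gives to AT+CREG? (with location reporting switched on by AT+CREG=2), AT+CSQ, AT+COPS? and AT+CIMI, run over a constructed transcript so it works offline. The device node /dev/ttyUSB2, the carrier name and every value in the transcript are assumptions. Timing advance and the neighbour-cell list come from vendor-specific commands (such as the ones in the Telit guide linked at the end of this post) and are not parsed here.

```python
"""Parse the location-relevant answers a cellular modem returns to standard
3GPP TS 27.007 AT queries (+CREG, +CSQ, +COPS, +CIMI).

Added example, not code from the original post. parse_transcript() runs on a
constructed transcript; read_modem() shows how the same queries would be sent
over a serial device node (pyserial, root access, and the path are assumptions).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed transcript of a terminal session with a modem. AT+CREG=2 turns on
# location reporting, so AT+CREG? answers with LAC and cell ID as hex strings.
SAMPLE_TRANSCRIPT = """\
AT+CREG=2
OK
AT+CREG?
+CREG: 2,1,"1A2B","03C4D5E6",7
OK
AT+CSQ
+CSQ: 21,99
OK
AT+COPS?
+COPS: 0,0,"Example Carrier",7
OK
AT+CIMI
001010123456789
OK
"""

# <stat> and <AcT> codes as TS 27.007 defines them for +CREG.
REG_STATUS = {0: "not registered", 1: "registered (home)", 2: "searching",
              3: "registration denied", 4: "unknown", 5: "registered (roaming)"}
ACCESS_TECH = {0: "GSM", 2: "UTRAN", 3: "GSM w/EGPRS", 7: "E-UTRAN (LTE)"}

CREG_RE = re.compile(r'^\+CREG:\s*(\d),(\d)(?:,"([0-9A-Fa-f]+)","([0-9A-Fa-f]+)"(?:,(\d+))?)?')
CSQ_RE = re.compile(r'^\+CSQ:\s*(\d+),(\d+)')
COPS_RE = re.compile(r'^\+COPS:\s*(\d)(?:,(\d),"([^"]*)"(?:,(\d+))?)?')
IMSI_RE = re.compile(r'^\d{14,15}$')  # +CIMI answers with the bare digits


@dataclass
class ModemView:
    reg_status: Optional[str] = None
    lac: Optional[int] = None          # location area / tracking area code
    cell_id: Optional[int] = None      # serving cell identity
    access_tech: Optional[str] = None
    rssi_dbm: Optional[int] = None
    operator: Optional[str] = None
    imsi: Optional[str] = None


def csq_to_dbm(rssi: int) -> Optional[int]:
    """Map the +CSQ <rssi> index to dBm per TS 27.007; 99 means 'not known'."""
    if rssi == 99:
        return None
    if not 0 <= rssi <= 31:
        raise ValueError(f"rssi index out of range: {rssi}")
    return -113 + 2 * rssi  # index 0 -> -113 dBm or less, 31 -> -51 dBm or better


def split_imsi(imsi: str, mnc_digits: int = 2) -> dict:
    """MCC is always 3 digits; MNC is 2 or 3 depending on the country, which the
    caller has to know (the constructed test PLMN 001/01 uses two)."""
    if not IMSI_RE.match(imsi) or mnc_digits not in (2, 3):
        raise ValueError("malformed IMSI or MNC length")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_digits], "msin": imsi[3 + mnc_digits:]}


def parse_transcript(text: str) -> ModemView:
    """Walk a command/response transcript and pull out the fields of interest."""
    view = ModemView()
    for line in text.splitlines():
        line = line.strip()
        if m := CREG_RE.match(line):
            view.reg_status = REG_STATUS.get(int(m.group(2)), "unknown")
            if m.group(3):                       # only present after AT+CREG=2
                view.lac = int(m.group(3), 16)
                view.cell_id = int(m.group(4), 16)
            if m.group(5):
                view.access_tech = ACCESS_TECH.get(int(m.group(5)), "other")
        elif m := CSQ_RE.match(line):
            view.rssi_dbm = csq_to_dbm(int(m.group(1)))
        elif m := COPS_RE.match(line):
            view.operator = m.group(3)
        elif IMSI_RE.match(line):
            view.imsi = line
    return view


def read_modem(port: str = "/dev/ttyUSB2", baud: int = 115200) -> ModemView:
    """Issue the same queries over a serial node (assumed path; needs pyserial)."""
    import serial  # imported lazily so the offline parse above needs no extras
    chunks = []
    with serial.Serial(port, baud, timeout=2) as s:
        for cmd in ("AT+CREG=2", "AT+CREG?", "AT+CSQ", "AT+COPS?", "AT+CIMI"):
            s.write((cmd + "\r").encode())
            chunks.append(s.read_until(b"OK\r\n").decode(errors="replace"))
    return parse_transcript("\n".join(chunks))


if __name__ == "__main__":
    print(parse_transcript(SAMPLE_TRANSCRIPT))
```

Everything the parser extracts is identifying or locating information: the LAC/cell ID pair pins you to one tower sector, the IMSI is the permanent subscriber identity the SIM section below talks about, and the RSSI index is the same signal measurement the network itself sees. A real modem will answer with vendor quirks (extra whitespace, unsolicited result codes, ERROR instead of OK), which is why each regex only anchors on the response prefix and ignores lines it does not recognise.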

That communications were exchanged at all, who they were between, where and at what time, is what the police have always focused on. The content is marginal.

This information is constantly reported by your phone to the network. Not sometimes. All the time. Regardless of whether you have permitted it. Every time you register, every time your location is updated, during every handover between towers. This is not a hypothetical capability. A detailed log of every place you have been, reconstructed from network records that exist whether or not you wanted them to, is a standard tool.

The baseband problem

The Librem 5 did something I have a lot of respect for. They added a hardware kill switch that separates the baseband processor from the application processor. Physical separation. You can turn the modem off in a way that is enforced by hardware, not software. This makes certain classes of attack enormously harder to pull off, the kind that Pegasus, a piece of surveillance software, has used against journalists, activists, lawyers and politicians in enough countries that listing them would take up more space than this post.

Pegasus leverages weak points in the baseband to get into a phone without the user having to do anything. No link to click. No file to open. The radio interface is the attack surface, and that surface is always on because the modem is always on, because that is what modems do.

I was not a fan of the integrated baseband. The way I have mitigated this with my current setup is to run without a SIM and use a WiFi access point when I need connectivity. This is a big usability penalty that I take in exchange for a considerably smaller attack surface. I understand what I am choosing here, and I wouldn't recommend it to everyone, but I do think everyone should at least understand what you are accepting when you carry a device with an always-on baseband you cannot inspect.

The "you have nothing to hide" argument is the "you don't need curtains because you are not doing anything wrong at home" argument. Surveillance of citizens by governments and others is wrong. The mere existence of the ability to do it does not make it right. The fact that it is being used on journalists and lawyers and activists in country after country does not make it a theoretical problem.

The SIM card! The one most people ignore

When most people think about a SIM card, they think of a tiny identity chip on a plastic card: a very small chip that tells the network who you are so they bill the right person. That's accurate, and it's half the story.

A SIM card is effectively a minicomputer. It runs applications by itself. The SIM Toolkit standard lets carriers push applications to the SIM and run code on it. Most of what runs there is harmless: carrier menus, checks of how much credit you have, roaming settings, the usual sort of thing. But the capability is far broader than that.

Your SIM also holds your IMSI, the International Mobile Subscriber Identity, which is simply a number that identifies you to your service provider. IMSI catchers (also called Stingrays) are devices that pose as cell towers and collect the IMSI of every phone that registers with them. They are used by law enforcement agencies in many countries, sometimes without warrants and sometimes without even informing the people being tracked.

Your IMSI is not your phone number. It is not a number you pick, and it is not a number you can easily change. It lives at a layer below anything your operating system can access.

What everyone should understand

Everyone with a phone is being watched whenever their phone is on or near them. They have nothing to fear. It is not paranoia. It is the natural consequence of building a network around customer-data retention requirements, the commercial interests of telcos and their customers, and the surveillance capacity of state actors and others who have invested heavily in monitoring a system that was never built with privacy as a defining factor.

Typically, when we discuss privacy on our phones, we talk about the words we say. We wonder which app we have given permission to listen through the microphone, and how secure the conversation between the two of us is (end-to-end encryption). These are valid questions, yes.

They are also largely beside the point. What you say matters far less than who said it, to whom, from where, when, and how many times. All of that sits in network logs that have nothing to do with which messaging app you used.

Captain Crunch found his whistle in a cereal box and used it as an instrument to examine the workings of a telephone network. The network wasn't designed to be explored with a whistle, curiosity and time, but it responded anyway because, fundamentally, that is what systems do when they receive the right questions.

The questions you should be asking about your phone are not the ones vendors encourage you to ask. The best questions are about the computer you can't see, running firmware you can't scrutinize, communicating with towers you can't observe, reporting your location to a system you will never verify.

Your phone knows where you are. It has known where you were at every hour for as long as you have had it, and that information exists somewhere regardless of how often you think about it.

It gets you thinking.


https://crosscontrol.com/media/avcj2pck/telit_at_commands_reference_guide_r7.pdf