by ubuntuftw 3633 days ago
>and even law enforcement cannot look up the cell tower logs to see where it's been.

I'm not so sure about that...

I worked at a TV news station in a major city where police told us they could track cell phones that were turned off. IIRC, it came up during an interview after they apprehended a suspect in a big rape/murder case. The suspect's phone was off, but they were able to track him. They told us they didn't really want the public to know they could do this, but it seems it's too late for that [1].

I'm not sure what the limitations are-- whether it'll work if the battery is removed (maybe there's another battery?) or whether it only works with certain phones.

[1] https://www.quora.com/Can-law-enforcement-track-someone-by-t...


When the phone is off it is off. Same goes with flight mode.

The NSA* or any other similar actor can load malware to your phone that would prevent it from being completely turned off; the police most likely cannot.

The police do have a vested interest in making the public think that turning the phone off is pointless.

*On older phones, like late 90's, very early 2000's, there was enough power leaking from the antenna into the modem part that you could ping turned-off phones remotely even if the battery was removed. I've seen this in action. This doesn't or shouldn't work on new phones, which require considerably more power and have very complicated hardware.

>on older phones like late 90's very early 2000's there was enough power leaking from the antenna into the modem part that you could ping turned off phones remotely even if the battery was removed I've seen this in action

I don't see how that could work - even if power through the antenna did cause the phone to transmit something, more than the radio would have to be powered up to get the phone to return any kind of identifier. But I'm skeptical that any transmitter could be powered through the antenna like that.

I could believe that if you transmit enough power that some sort of oscillation would occur in the phone to return a signal that can be detected, but I don't see how you could determine what phone returned that signal.

It wasn't transmitting a proper cell signal, it was transmitting something that they could detect.

I would assume that you would profile phones (of a certain make and model) and based on the return signal identify them. This was used in the early days of in places where there wasn't high cellphone density to begin with.

I wonder how that passed the FCC.

I don't think this actually violates any FCC regulations; given the right circumstances, a can of coke can probably be induced to create enough backscatter to be trackable via RF.

>The police do have a vested interest in making the public think that turning the phone off is pointless.

An interesting point, but...

If I were a criminal (I am not), and I were going to commit a crime (I am not), and I knew turning off my phone was pointless because the police can still track it, then I would just leave my phone at home, or give it to a friend.

Where was the power coming from if the battery was removed?

Only device that I'm aware that's able to do this is designed for this application.

It's very old phones with external antennas. The power came from the same place that the power came from to, say, power the LED in the aftermarket NOKIA antennas that would light up when you are getting a call or a text - wireless power. The phone had enough leakage to modulate the return signal sufficiently to be detected; it would not be the same thing as tracking a phone via its normal cellular signal, it would just indicate the presence of one.

I don't believe this.

Those aftermarket lighty-uppy things work by sensing your phone's response burst, which is a much stronger signal, being driven by the phone's battery, and radiated from the very nearby antenna.

I do believe that you can induce a signal in a powered-off phone that can be detected nearby (several feet), by virtue of the tuned antenna if nothing else. I'm skeptical of the claim that a normal arbitrarily-distant cell transmission could do so. Regardless, I do not believe the induced signal could be detected back at the cell tower.

This would be wireless power. Not possible, at the levels and ranges asserted.

Believe what you want, but at least read it through first. This isn't about powering a cell phone via wireless power and making it connect to a cell tower; this is about inducing enough power into the cell phone's RF parts to make it modulate the signal sufficiently to be able to be picked up. Essentially this isn't that much different than passive wifi or any other backscatter-communication-based system.

I've seen this demonstrated around 5 years ago at an Intelligence Technology seminar open to the public at the intelligence community heritage museum. It was done across the room during a demonstration which showed active and passive phone tracking techniques (they put the phones in and out of Faraday cages during the demonstration). The phone that was used in the demonstration for the "powerless" tracking was a very old Ericsson (before it became Sony Ericsson) phone from the mid to late 90's. During that demonstration we were also told that this method of tracking became obsolete around the early 2000's. They did not elaborate on exactly what ranges this works on, but what they said is that the emitter and receiver were usually separated in order to accommodate operational requirements.

As I read it, that's a fine way to detect the presence of a cell phone. It might be able to discriminate between several models of cell phones. But it will not be able to identify a specific cell phone.

Am I misreading your statements?

> When the phone is off it is off. Same goes with flight mode.

You're forgetting about the baseband. Modern phones have a secondary processor loaded with proprietary software that has a secondary battery soldered on. You can't turn that device off, and it has the ability to phone home. Even removing the battery won't help you.

No, I didn't forget about the baseband, hence the NSA-grade malware. That said, I haven't seen a single phone that when in airplane mode or off showed any signs of transmitting anything. I've also done testing with RF fuzzing phones and nothing happened. Other people did more analysis, including power consumption monitoring etc., and there is no "on by default" home phone feature on basebands. Can a baseband be backdoored? Sure. Can the police do that? Most likely not. If anything, the "quality" of commercial cellphone malware is fairly low; most of it requires physical access to the phone or social engineering to install. US law enforcement relies mostly on cell provider and IMSI catcher based tracking. Some departments might have access to commercial RAT products a la FinFisher, but I have seen no evidence that anyone has access to baseband-based exploits. If anything, it seems that even state actors do not have turnkey solutions for remotely accessing the basebands of commercial mobile phones and often have to resort to compromising the supply chain to launch targeted attacks. So yes, the baseband is a CPU, it's probably considerably less secure than you would want, but saying that every baseband or even the top 10 most popular ones are or can be compromised at will doesn't pass the current smell test.

When you worked at that TV news station, were Blackberry phones prevalent? Blackberrys had two types of "off" -- one type periodically checks the network for texts and the other is an actual off.

As far as I know phones today don't do this.

This sounds like Android Doze, except Doze isn't (a) manual or (b) explained to the user as being off.

I don't buy it. The top Quora response you link to makes claims that tracking happens when off, but its sources make no such claims. Specifically, I highly doubt that GPS is useful towards tracking an off phone.