Obama's BlackBerry brings personal safety risks

When the mainstream media first announced Barack Obama's "victory" in keeping his BlackBerry, the focus was on the security of the device, and keeping the U.S. president's e-mail communications private from spies and hackers.

The news coverage and analysis by armchair security experts thus far has failed to focus on the real threat: attacks against President Obama's location privacy, and the potential physical security risks that come with someone knowing the president's real-time physical location.

President Obama and his BlackBerry at the White House in late January.

(Credit: UPI Photo/Ron Sachs/Pool)

Serial numbers
Before we dive in, let's take a moment to note that each mobile phone has a unique serial number, known as an IMEI, or MEID. This unique number is transmitted in clear text, every time the phone communicates with a nearby cell tower. Thus, while the contents of a phone call or the data session (for e-mail) are usually encrypted, anyone with the right equipment can home in on a particular IMEI and identify the location of the source of that signal.

The most common device used to locate a phone by its IMEI is a "Triggerfish", a piece of equipment that is routinely used by law enforcement and intelligence agencies. This kind of device tricks nearby cell phones into transmitting their serial numbers and other information by impersonating a cell tower.

The devices, which are actually fairly low-tech, were used to hunt down famed hacker Kevin Mitnick back in the 1990s. Most interesting of all, according to Department of Justice documents, Triggerfish can be used to reveal a suspect's location "without the user knowing about it and without involving the cell phone provider."

The expensive brand-name Triggerfish devices, made by the Harris Corp., are sold only to government agencies. However, it is almost certain that foreign governments have similar technology. Furthermore, someone with a low budget could likely use the open-source GNU Radio platform, which can already decipher GSM signals, to roll their own phone sniffer.

Finding Obama
We know that the president has been given a White House-issued BlackBerry phone. As a result, Obama's smartphone is broadcasting its IMEI serial number for anyone with the right equipment to detect.

Of course, the president is never alone, and so it is likely that anyone sniffing the wireless spectrum near the president would pick up hundreds of different BlackBerrys in the area.

However, Obama's aides do have to go home at some point, whereas Obama sleeps at the White House. This means that over the course of several days or weeks, it should be possible for a patient adversary to determine which IMEI belongs to the president's phone, and which IMEIs are associated with the phones of aides, simply by following the president (at a distance) and monitoring the spectrum at all hours.

As staffers go home for the evening, and Secret Service agents rotate out of duty, an adversary can strike their IMEI numbers off of the list. Within days, that initial list of 100 BlackBerrys can be reduced down to a single IMEI identifying the president's phone

Were someone to learn the president's IMEI, they could use it to gain valuable (and dangerous) information. For example, by pointing an antenna at the White House, it'd be possible to instantly determine if the president was inside. With a sophisticated-enough antenna, it might even be possible to determine which vehicle the president is sitting in while traveling in a motorcade, or to determine if the Secret Service is driving an empty limousine along a high-profile route to draw attention, while the president travels to a venue in an unmarked vehicle. The digital trail left by the president's BlackBerry would soon announce his presence to those keeping an eye out for his IMEI.

I am sure that others could come up with even more nefarious uses for real-time access to the president's physical location. I will leave that task to the blogosphere.

Burners
The simple solution to this problem, of course, is for the President to regularly change his IMEI serial number by getting a new phone. However, this presents another problem: that of the odd man out.

Imagine that foreign spies point a directional antenna at the White House and are thus able to capture the IMEI numbers of Obama and his team, as they leave and return to the White House from various events.

If a new IMEI number were to suddenly appear, be used for one week, disappear, and then be replaced by a new IMEI, which was also used for a week, before also disappearing, it would soon be obvious that a single person was changing phones. This pattern would be even more obvious, if everyone else in the president's entourage kept using their own phone--and thus broadcast the same IMEI, week after week.

Simply put, the only way that President Obama can gain some level of anonymity with regard to his IMEI number is if everyone in his team also changes their IMEI numbers with the same regularity.

Fans of the HBO TV show The Wire (a group that includes Obama) will no doubt remember the use of cheap prepaid "burner" phones by the fictional drug dealers. In order to avoid being wiretapped by the police, the entire criminal gang would dispose of their phones at once and switch to brand-new devices.

Essentially, the White House needs to start using burners.

Cost-effective protection
It would be extremely expensive (and wasteful) for the president and his staff to get a new BlackBerry each week. Luckily, there are two options available to the White House tech staff that allow them to protect the president's location privacy in a cost-effective (and environmentally friendly) way:

First, the White House geek team can simply shuffle the BlackBerrys used by the President's staff. That is, take away everyone's phone, mix them up, restore the software to the factory default, then issue a "new" phone to each staffer.

Within minutes, the phones would synchronize with the White House e-mail servers, and thus the "new" devices would have instant access to the e-mails and information that had been on the previous device.

The inconvenience factor of such a solution could also be significantly reduced by having twice as many phones as employees--that way, staff would not have to go without their phone for more than a minute or two, as they were swapped each week.

As long as this shuffling of phones were done randomly, the IMEI numbers would be sufficiently anonymized. Sure, a potential attacker would know that the device belonged to a member of the White House staff, but they would not know whether if belonged to a lowly intern, the press secretary, or the president.

A slightly more laborious method would be to hack the software running on the BlackBerrys and flash the devices with a new serial number. While this is quite possibly a violation of the Digital Millennium Copyright Act (which prohibits most forms of phone hacking), it is unlikely that Research In Motion (which makes the BlackBerry) would sue the White House for engaging in such reverse engineering.

Of course, the downside of giving each phone a new serial number is that these phones would then need to be re-registered with the wireless communication company, which would otherwise refuse to provide the devices with service. However, this additional burden for the White House techies would yield significant security benefits, as each phone would be given a clean IMEI number not associated with the White House.

Insiders
In this article, I've focused solely on the scenario of a bad guy with an antenna. There is also the very real (and significant) risk of an insider working for the phone company.

Insiders are a notoriously difficult security problem to fix, something Obama has likely already learned, after his passport file was read by a contractor working for the State Department.

Even if every person working for the White House's telecommunications carrier were honest, it could also be possible to social-engineer the information out of a customer service representative (otherwise known as "pretexting").

Alternatively, an adversary could simply hack into the computer systems used by the phone company in order to get information on Obama's phone. Is was this latter approach that was followed by an unknown attacker who was able to spy on the phone calls of more than 100 Greek government officials during the 2004 Olympics.

Foreign trips
President Obama is likely to go on many foreign trips during his four (or more) years in office. In addition to burdening taxpayers with the obscene international roaming rates associated with his foreign BlackBerry usage, there are new and more serious security concerns to consider.

The federal government can most likely trust AT&T and the other wireless carriers. After all, they did join forces with the National Security Agency to spy on millions of American's phone calls without a warrant. The telecommunication companies in foreign countries are far less likely to be pro-United States, and in some cases, they are likely to be working closely with foreign intelligence agencies.

Thus, as long as President Obama keeps his BlackBerry turned on while he is in China, it is likely that the Chinese government will be closely monitoring his location, as reported by the president's phone to the Chinese government-owned phone company. The same sort of security issues will likely arise in many other countries.

Due to these security concerns, this blogger would be extremely surprised if the Secret Service permitted the President to use his BlackBerry when on foreign trips.

As you can see, the use of a BlackBerry by the president creates a number of very real security headaches that are no doubt keeping several people at the Secret Service awake at night. While the initial focus of the press was on the e-mail and smartphone technology in the president's phone, the real threats and risks are actually associated with more boring functions of the device.

Further reading: M. Jakobsson and S. Wetzel. "Security Weaknesses in Bluetooth" (PDF) describes some very similar location privacy attacks against mobile phones using Bluetooth-based sniffers.

[n3td3v]

You would think a spy would know where he is anyway without the need of locating him via BlackBerry.

[pentest]

Exactly!

[Travis Ernst]

Sorry Obama, any email sent on it becomes public record. Just as any email sent to a traditional email account held by an elected official that became president would become part of the record. As President you have no privacy by electronic communications be it email or SMS.

I'd drop the blackberry unless SecretService insists on it. They can hack the GPS so it is disabled (easiest route) but that still gets you triangulated within the towers for locating a phone user. Only makes the search broader.

As for the concept of using a "pool" of phones, not a bad idea, but it becomes moot. Enough observation from a static post and you can figure out that transmitter 1 now belongs to janitor when it was in possession of the squad car the day before (example). He's ahead to have the Body Guards have his communications device so he can't be tracked with it. Why do you need to text anyway?

[Vegaman_Dan]

A president carrying a uniquely identifiable electronic device is akin to having him wearing a sign around his neck saying , "Come get me!"

It's neat that he's into the tech, but his first job is the Office of the Presidency, and having his cell phone there is going to interfere with the job as well as put himself and others at higher risk.

[pentest]

Yeah, and the fact that his location is known 99.9% of the time is irrelevant?

[brian.lee]

If RIM was smart not even really smart but just plain smart they would create a special BB for Obama. Think of the marketing advantages.... (Blackberry good enough for the most powerful man in the world) but of course the RIM exec's are too busy back dating and pocketing millions (I speak the truth they were recently BUSTED by the OSEC).

[Commander_Spock]

Re: "Obama's BlackBerry brings personal safety risks". Well, the mitigation against these "risks" should be quite simple as the folks in charge (the U. S. Secret Service) should politely remove the risk thus demonstrating their ability to do their jobs and the carrying out the responsibilities that come with it; as, in this way the injury they avoid may even be their own. And, as a precedent... It was nice work by our "dudes" in keeping that location "unknown" on 9/11 - Huh!

God Speed!

[rebelraptor]

i always find it a bit strange and disconcerting when major news outlets feel the need to publish compromising information. if you are so concerned with our 44th president's safety, then why publish an article on how to compromise his technology.

not that any of this is rocket science or top secret, but nonetheless, collecting ways to interfere with the commander-in-chiefs safety just calls more attention to a subject that would be better left to the secret service...

[myles taylor]

Anyone with malicious intent probably already knows this stuff and/or can find a million other sources on how to do this by running a simple internet search.

[Michichael]

Nice article. You have a typo though: "...it should be possible for a patient adversary to determine which IMEI belongs to the president's phon..."

Though using the word phone 50+ times in the article makes it hard to find. :P

AND WHY DO I HAVE TO ALLOW FACEBOOK TO POST COMMENTS! >.<

[needcaffeine]

I'm not wholly sure why knowing where someone is, is a problem? We all know about Weather Mountain & other such "safe houses." Knowing where or who a cell device is, isn't as important as hacking the data transmitted. And if someone were to spoof the IMEI, they'd need specific encryption data to be able to decrypt the data anyhow, except for MMS or SMS possibly.

[affinity13]

The IMEI number is not specific to Blackberries it's in all cell phones. So no matter what type of cell phone he has it's an issue. Security personnel can ask him to turn it off when they are in transit which is normally when elected officials are most vulnerable. I'm not sure about the so called "Secure" cell phones but i'm assuming they also have IMEI numbers. Maybe RIM will give his cellphone the ability to either spoof or randomly switch IMEI numbers.

[saggicb]

Um, isnt the presidents itinerary a matter of public knowledge? It is very easy to find where the president will be at any point of time.
The risk is in the data that is transmitted not the location from where its transmitted from. And the data is encrypted.
IMHO this whole article is FUD

[oskerctv]

uhm wait... so anyone who didn't know about this pretty much now has a manual on how to track the president thanks to CNET? lol media is funny

[kestrelis]

how hard would it be to produce a phone that would randomly change it's imei? not very. the local dc market probably had it's towers adjusted for this. the changes are probably synced using some timing scheme. considering that blackberry data is seperate from the voice lines, they are probably able to secure it better as well.

the reality of an article giving away the president's location and giving hard infomation on compromising his safety are nil. every knows the general agenda of the president (atleast to what city he's in) so i doubt that his phone giving away his exact location is realistic. it's still an issue of email security more than his physical security and that is the secret services job.

i'm honestly more worried about what obama is going to do as president than his safety. he's well guarded and think that the blackberry issue is just a distraction from the real issues and we should all focus on those instead. like, what's he going to do for me (and the millions of other unemployed or soon to be unemployed americans) after we all lose our jobs?

[Commander_Spock]

Re: "[...'m honestly more worried about what (President) Obama is going to do as president than his safety. he's well guarded and think that the blackberry issue is just a distraction from the real issues and we should all focus on those instead. like, what's he going to do for me (and the millions of other unemployed or soon to be unemployed Americans) after we all lose our jobs?...]" Well, taking what the late President John F. Kennedy said; then, that question should be: "Ask Not What Your Country Can Do For You; But, Ask What You Can Do For Your Country..."!

[fuqtard]

The author is uninformed about the subject and is purely speculating. The president is not carrying off-the-shelf hardware. It is likely relaying through a proxy before communicating with the standard mobile networks, so will not be broadcasting a predictable, unique IMEI. The device may also be using frequency hopping, UWB, or other technologies that make it difficult for intelligence agencies, much less amateurs, to track a signal.

[viper396]

There are alot of wild speculating and assumptions made by the author. Then he uses incidental and irrelevent information to try to prove his point. This article reads more like a page out of a Tom Clancy book then reality. Tabloid journalism at it's best.

[PhaseDMA]

How many times a year does the President go somewhere where he doesn't want anyone to know his location? Once? Maybe twice? I'm pretty sure even the geekest of geeks can live without a phone for a day much less Obama.

And typically when the President goes somewhere where he doesn't want anyone to know his location it is only until he arrives at that location. Put the phone in a lead box for the trip.

As far as how the phone operates it's doubtful anyone outside of the secret service and DOJ knows how it operates. There are phones that of DOJ approved. You think you can figure out the location of those phones without working for the US government? Of course not, so why on earth would you be able to find the President's phone?

[sciontcya]

With everything going on in the world and the US, THIS crap is still news?
When will the drool-fest over Obama stop???
How about answering where this stimulus ripoff is going to help the middle-class?

[tm_anon]

The more jobs get lost, the smaller the middle class becomes. The stimulus package is meant to keep you from losing your job so stop whining that it exists and start being thankful that you haven't lost your job along with the rest of us. Now let's get back to the article.

[xanthaos]

First off, seriously, why does the President of the United States need a cell phone on his person? It's a huge bullseye. Here's a solution.

I'm just guessing but I would imagine that the Secret Service Officers are never more than a thread or two away from the President. And I'm sure the Secret Service can handle a phone on their belt. Also, I'm betting the White House techies can handle this one...

Have a bank of Phones. Issue them each day to Secret Service, randomly. Especially randomize the ones that are issued to the SS Bodyguards and SS Decoys. I'm sure that the tech gurus of the White House can forward any calls to a cell phone. Have a secure phone at the White House, such as the infamous Red Phone. White House techs can forward calls coming to that phone to two different phones. One of these phones would be with the SS Bodyguards, one with the SS Decoys. That way it connects a BOTH locations at once. And since the phones were randomly issued that morning, there's no way of anyone but the tech knowing which phone is with whom, and even the tech could be left in the dark about which forwarded phone is with whom. The President gets his message, call, whatever, and it's done. Tomorrow, the phone that is with the President is different, and a decoy is somewhere else, also different. No way of knowing which phones are his and which aren't. And in that case scenerio, should suspicion be roused, the President SS and Decoy SS could meet somewhere, play musical phones, and a little bit later call the White House and inform them of the change.

It's such a stupidly simply solution who'd expect the government to think of it?

If the President insists on keeping his personal BlackBerry for image purposes though, he'd be best to keep his head way down. It's scary to think that our Commander in Chief is so petty (or worse yet cocky) about his own security...

[xeroply2]

Um, doesn't the "large anonymized pool of phones" strategy also solve the insider problem?

I'm fairly sure that all the phone company knows is that there are a block of phone numbers and IMEI numbers allocated to the US government. I'd be pretty darn surprised if they are able to pinpoint and say "this one here is Obama's phone".

After a while someone working there could probably figure out who was who by looking at call history, but if the phones get switched around every so often, that would be a lot harder.

[ferretboy88]

The Russians once killed a guy by launching missiles at his cell phone location. Don't do it Obama. Not safe. Just use Linux at a desktop.

[AmericanKochevnik]

I would gather that any organization/government capable of killing people by "launching missiles" at their location is probably not going to have to resort to this kind of intelligence gathering technique to ascertain their location. For example, Air Force One is a pretty contained location and isn't invisible to either radar or satellites, so if you have the capability to hit a location with precision missiles, chances are, you'd have the chance to get him in the course of normal business, with or without a BlackBerry. Also, I'm sure there are probably extensive additional security measures in place between his BlackBerry and the outside world, but I don't think the Secret Service is going to be rushing out to explain them all to us so we'll relax about him having a BlackBerry (they are the "Secret" Service, after all).

[Jonathan]

I'm pretty sure AF1 can be seen by satellite unless we have developed a Klingon cloaking field.

[Jonathan]

Ignore my previous post. Sick people should stay off the net else to miss the IN in INvisable..gah.

[oypingppei]

Very informative. The author has added significantly to the public debate.