63

According to Edward Snowden in this tweet...

Phones used in real-world ops are disposed on a per-action, or per-call basis. Lifetimes of minutes, hours. Not days.

Let's imagine for a moment that I'm Jason Bourne. I've stopped by the kiosk in Waterloo Station and picked up a PAYG mobile phone. Presumably I've used fake ID.

At the same time, my counterparty Jack Bauer is picking up a prepaid phone from a similar kiosk at Los Angeles International Airport.

How do I actually place a call to him, given that both of us have new phone numbers?

1
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Commented Mar 24, 2016 at 16:48

12 Answers

38

Burner phone numbers as an OTP 'equivalent'

You can think of the "identities" of those phones (phone number, SIM, phone itself/IMEI) as an equivalent of one-time pad encryption - you exchange the phone numbers (multiple) over a secure channel - e.g., when meeting in person; and then they're secure and provide no useful information (for network/metadata analysis) as long as you discard them after a single use.

In your proposed scenario, Jack would have picked up a bunch of prepaid phone cards and given you the list of those numbers. Afterwards, if you'd need to contact him, you would call the first number on the list, have your conversation, and after that you could both discard the phones. If you'd expect a future call, then you'd turn on the phones corresponding to the second item on your lists.

9
  • 10
    For most 'ops' this is likely the situation. Your average Bourne isn't likely to just go off and do some spy stuff; things will be planned ahead of time. That planning will involve provisions for communications.
    – Jay
    Commented Mar 21, 2016 at 7:50
  • 1
    Something that just occurred to me while reading this answer: what if some clever person at a three-letter agency that has access to phone metadata in whatever country our spies are operating in creates a simple tool that can search through that metadata and find the numbers of phones that have been used only once during some period of time where you'd expect almost all "real" (i.e. non-burner) recently assigned numbers to be used more than that? Better yet, what if that tool could identify calls where a used-once phone number called another used-once number? Commented Mar 21, 2016 at 20:40
  • 2
    @halfinformed the usual goal of phone call metadata analysis is to link a particular phone to (other) real world people. For example, a phone found on a suspect can allow identifying other suspected numbers called from it, and identifying them as they eventually link to "common" people by call metadata. Calls on such 'burner' numbers would be suspicious and identifiable, but in the absence of other data (e.g. interception and recording of the call) it gives no link to your identities iff they are single-use only - when the authorities have the suspect numbers, they are already trashed.
    – Peteris
    Commented Mar 21, 2016 at 20:48
  • 2
    I suppose one thing you could do live, if you were in both providers' systems, is to detect and intercept burner-burner calls, by detecting all calls that are the first ever use of the numbers at both ends. You'd get some false positives, of course, but it must be a fairly rare event that the first thing a person does with a new mobile is call another brand new mobile. Then if Jack and Jason are aware of such a system, they could call one from a list of popular numbers (e.g. customer service and information lines), before making the real call, to throw off this simple analysis. Commented Mar 22, 2016 at 15:28
  • 3
    @Peteris: agreed, if all calls are intercepted and recorded, then any call that can later be identified as suspicious on the basis of its metadata, must be assumed to be eventually listened to by your opponents. I just speculate here that there could exist an intermediate legal (or storage-space) environment, where you want to avoid your call being immediately suspicious such that it can be intercepted on the fly, but it's not so bad for it to be observable later as suspicious in hindsight, because by then the chance to intercept is past. Commented Mar 22, 2016 at 15:34
29

If you know Jack

A few weeks or months before the call, you could create a simple web page with a login wall and a signup page. In order to sign up, you need to write your phone number. By using standard measures, you can hide your access to the website, hide as much as possible the website in the deep web and protect the database.

You now need to tell Jack the URL: this can be done in different ways, including using a standard dead drop or - if you are Jason Bourne, it should be a piece of cake - by breaking into Jack's house and putting pieces of paper with the URL in the pockets of every pair of trousers, jacket, etc. he uses (obviously the pieces of paper must not be handwritten, and you must check the absence of watermarks on the paper, so as to avoid identification of the printer).

At this point, you and Jack separately buy your burner phones. Jack uses an open wifi network to access the website and write his phone number in the database. At a given time, you log in, retrieve the number from the website and write it down. The website can be built in such a way as to delete its content after being accessed twice. You are now ready to call Jack.

The tricky part is guaranteeing that the other phone number written in the database is actually Jack's and not Mike's (Adm. Michael S. Rogers). This can be achieved by agreeing codewords to be used at the beginning of the phone call (which can be written on the above-mentioned pieces of paper).

EDIT

Jeff Meden suggested the possibility of a man in the middle attack. Basically, the scheme outlined doesn't prevent Mike from replacing the number entered by Jack with his own number and setting up a relay to forward calls to Jack's burner phone. In this way, Mike would be able to listen to the conversation between Jason and Jack.

This attack could be thwarted (thanks again to Jeff!) by encrypting the data entered in the database (in this case, Jack's number) with a pad written on the pieces of paper planted on Jack.

Of course, if a history mechanism doesn't exist, Mike could arbitrarily alter the ciphertext, knowing that if the corresponding plaintext is not a valid phone number, the call will not take place.

12
  • To verify it is actually his number in the database you could include some sort of predetermined passphrase at the login wall. Such as name: Marty McFly, phone: Burner number, Message: My Mom Made Me Make More Mayonnaise. So all random passersby and counter spies that don't include that message are flagged as not Jack.
    – DasBeasto
    Commented Mar 21, 2016 at 12:53
  • 4
    Predetermined codewords used at the beginning of the call wouldn't protect you against a man-in-the-middle attack. Commented Mar 21, 2016 at 13:32
  • @ChrisInEdmonton I know, but I neglected the possibility of a MitM attack, because the attacker cannot associate Jason and Jack to the two phones and, lacking any kind of suspicion, I doubt that a MitM attack would be mounted on random phones.
    – A. Darwin
    Commented Mar 21, 2016 at 14:00
  • Why ignore the MitM but still think a codeword scheme is useful? If Mike did want to know what you two had to say, he would check the site constantly and supplant Jack's number with his insta-relay, so when you go to call Jack you reach Jack, but Mike is listening to everything you have to say.
    – Jeff Meden
    Commented Mar 21, 2016 at 16:16
  • @Jeff Meden I have to admit I didn't even think about relays (I'm definitely not a security expert). However, if by "insta-relay" you mean a relay on the telco operator side (from the MSC, I guess), I don't really know how one could detect this attack, let alone prevent it. Do you have any ideas?
    – A. Darwin
    Commented Mar 21, 2016 at 17:17
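An added illustration of the pad idea in the EDIT above and of the ciphertext-alteration problem raised in its last paragraph; this is not code from the answer or its comments. It assumes a digit-wise one-time pad (each plaintext digit shifted by the matching pad digit mod 10), a constructed phone number and pad, and, as an assumption beyond the answer, a second secret printed on the same paper that is used to authenticate the ciphertext so that Mike's alterations are detected rather than decrypting to a different valid-looking number.

```python
import hashlib
import hmac
import secrets


def new_pad(length: int = 10) -> str:
    """Random digit pad; in the scenario this is what gets printed on the planted paper."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def pad_encrypt(phone: str, pad: str) -> str:
    """Digit-wise one-time pad: c_i = (p_i + k_i) mod 10, so the ciphertext is itself digits."""
    if not (phone.isdigit() and pad.isdigit() and len(pad) >= len(phone)):
        raise ValueError("phone and pad must be digit strings, pad at least as long as phone")
    return "".join(str((int(p) + int(k)) % 10) for p, k in zip(phone, pad))


def pad_decrypt(cipher: str, pad: str) -> str:
    """Inverse of pad_encrypt: p_i = (c_i - k_i) mod 10."""
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher, pad))


def malleate(cipher: str, position: int, delta: int) -> str:
    """What Mike can do without knowing the pad: shift one ciphertext digit. The matching
    plaintext digit shifts by the same amount, and the result is still a valid phone number."""
    digits = list(cipher)
    digits[position] = str((int(digits[position]) + delta) % 10)
    return "".join(digits)


def make_tag(cipher: str, mac_key: bytes) -> str:
    """HMAC over the ciphertext. The key is an assumed extra secret on the paper (not in the answer)."""
    return hmac.new(mac_key, cipher.encode(), hashlib.sha256).hexdigest()[:16]


def check_tag(cipher: str, tag: str, mac_key: bytes) -> bool:
    """Constant-time comparison; False means the stored ciphertext was altered."""
    return hmac.compare_digest(make_tag(cipher, mac_key), tag)


def demo() -> dict:
    # Constructed values: Jack's burner number, the pad and the MAC secret printed on the paper.
    phone, pad = "7075550100", "3141592653"
    mac_key = b"second-secret-printed-on-the-paper"  # constructed placeholder, not a real key
    cipher = pad_encrypt(phone, pad)
    tag = make_tag(cipher, mac_key)
    forged = malleate(cipher, 9, 5)  # Mike bumps the last ciphertext digit by 5
    return {
        "cipher": cipher,
        "roundtrip": pad_decrypt(cipher, pad),
        "forged_plaintext": pad_decrypt(forged, pad),  # a different but valid-looking number
        "forged_passes_check": check_tag(forged, tag, mac_key),
    }
```

Without the tag, `forged_plaintext` is indistinguishable from a genuine entry; with it, the altered ciphertext is rejected before Jason dials anything.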
15

Burner phones may not typically be used like that, although they could be. To answer your little scenario, you can try area code tricks with hidden messages stored somewhere that's accessible to each of you.

This answer assumes you have to register the phone and provide details. If you don't have to register, this answer does not apply.


Area Code Registration Tricks

This is the first step. It's all in the area code. You both sign up in the same area, using two real addresses in the same zip code, in somewhat close proximity within the same hour.

They are not your addresses, but that doesn't matter. Many places in the U.S. require you to register with an actual address. Both of you will now be given similar phone numbers with the same area code, and the same local code:

  1. Jason Bourne: 707-555-0001

  2. Jack Bauer: 707-555-0100

You and Bauer will be using some kind of protocol, somewhere, somehow, where either of you can find the last four digits of each other's phone number using something that only the two of you know.


Hidden Messages

This is the second step.

  1. Here's a rough example that is easy to understand: Bauer then posts something like ABAA. Your little "cipher" decodes A to 0, and B to 1. When decoded, this translates to 0100. And then you call 1-707-555-0100.

  2. Hiding in plain sight is much better, as there are lots of ways to hide messages in every day sentences that don't stand out, or make people suspicious. Maybe you'll have a programmable answering machine where you can set the recording of a phone number that both of you know.

    *"Hi, mom. I'll be late to Christmas Dinner. My plane was delayed. It's really cold here. Literally 0 degrees. I'll arrive around 1 O'Clock. Save me some meatloaf! MOM! THE MEATLOAF! So cold... can you believe it? It's zero degrees!"*

Even if someone decodes your little trick, they find four numbers. What are they going to do with it? There's a lot of different possibilities as to what those numbers mean. Good luck figuring it out. You should use something other than A=0 and B=1. It's just there as a rough example.

4
  • 1
    This is a third-party trick. Using a code and hidden messages is a degree of indirection, and presumes either a third-party to exchange the information or pre-arranged signal that acts itself like a third party would. Commented Mar 20, 2016 at 22:49
  • That "area code registration trick" won't work in many places. For example, I purchased new phones a few years ago in Phoenix, AZ, one was given a 623 area code, and the other was a 480 area code. It would be wiser to simply have a way of communicating the entire number, as purchasing even from different carriers or stores would run the same risk.
    – user41341
    Commented Mar 22, 2016 at 18:04
  • @Thebluefish Agreed, but actually, you can usually choose the area code you want to use. And if it's in the same general area, with the same address, you can make it choose something by default. Also, you can know the chosen area codes for a particular city and add a few details. Commented Mar 22, 2016 at 18:05
  • 1
    The US is one of the few countries that actually uses geographic area codes for mobile phone numbers. Most countries use a fixed range or a few prefixes for mobile numbers. The UK uses 71xx, 072xx, 073xx, 074xx, 075xx, 07624, 077xx, 078xx, and 079xx. Different operators sometimes have different prefixes and in some cases it's just random.
    – papirtiger
    Commented Mar 22, 2016 at 21:27
5

Are we talking disposal within minutes/hours of purchasing the phone or is it disposal immediately after making/receiving a single call ("per-action, or per-call basis")? If the latter is the case, then the simple solution is to start off with two phones each and to buy new phones such that you always have two. The first phone number to be used by each will need to be communicated either in person or secretly by one of the methods that's outlined in other answers.

But for the first call, Jason and Jack can verbally tell the other what their next phone number will be and then dispose of the first phone. The next phone remains unused until they make contact with each other again, they give each other the next number for the third phone, and the process keeps repeating.

3

1.- Kiosk sellers may be part of the network and the cards that have been given may have been known by both agents previously.

2.- They don't use the phone, they use its ability to connect to the Internet to communicate with that phone. So they call using pre-established Internet accounts that allow voice calls, or they may not need to use voice at all.

2
  • That's it. Meet me in the Darknet only.
    – ott--
    Commented Mar 22, 2016 at 22:25
  • I'm not so sure about 1. Jason buys his phone in London, Jack in LA. Of course, it is possible for an international network of kiosk sellers to exist, but it would probably be managed by the CIA/whatever agency you work for. If Jason Bourne is a former CIA agent, hunted by the Agency, it would be wise to not use CIA resources.
    – A. Darwin
    Commented Mar 23, 2016 at 6:49
2
  1. Meet:

    a. each other at the same time

    b. a 3rd party

  2. Securely send a number one-way through a known communication channel by encrypting it with something like a one-time pad

Anything else would be a variation of these.

3
  • why would you need a 3rd party?
    – A. Darwin
    Commented Mar 21, 2016 at 7:27
  • 1
    @A.Darwin: at risk of stating the obvious, in order to not meet each other at the same time. That might either be because it's operationally unsound to meet or just because it's difficult to match schedules. Commented Mar 21, 2016 at 11:40
  • @SteveJessop Ah, I see... I was confused because I thought that they needed to meet each other at the same time and needed a 3rd party as well. Now it's definitely more clear.
    – A. Darwin
    Commented Mar 21, 2016 at 12:13
1

Once Jason gets his phone, he sends an email with the number to a public Mailinator inbox:

https://www.mailinator.com/

The inbox name is a shared secret that only Jason and Jack know. Further to this, the number is encrypted using some coding scheme that only Jason and Jack know. Jack picks up the number from there. This is not very secure, but obscure enough that Jason and Jack stay ahead of the game for long enough to make a few calls before discarding their phones/sims for new ones.

1

Get a third party to buy the phone for you, so that you're not caught on camera.

Set up a web site or newsgroup (preferably as a TOR service) and tell Jack the address beforehand. Make sure it's hosted in a non-Fourteen Eyes country.

Get Jack's public key beforehand. Preferably, give him your public key too.

Encrypt [and sign] the message (which has your phone number) and post it to the web site or newsgroup.

You could post several other fake messages encrypted with other keys to the same site/group. The one Jack can decrypt is the real one.

0

PGP over Twitter

Whatever method they chose, they must first make a trusted exchange of information. Either they both trust a leader and set up a symmetric encryption channel through him, or one of them trusts the other, or they meet in person.

Before the meeting, each generates a big set of private keys. They might even get away with generating them from a 12 word seed (the bitcoin wallet electrum.org works like this). At the meeting they exchange the public keys.

Now sending PGP messages and hash-tagging them with the public key they encoded with is enough to communicate securely (from an open wifi spot).

The problem is they look awfully suspicious. So they are going to take one more step and agree on some fixed dictionary, preferably with simple English words. Now they are going to encode their messages with this dictionary. The end result is they communicate through gibberish tweets "correct horse battery staple #foxladder". The gibberish though is simple English so it's going to be a pain to search for.

In this case "fox ladder" is the first part of the public key the message is encoded with. The other person knows his public keys so he can keep searching twitter until a message appears for him.
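An added illustration of the dictionary layer described in this answer (not the answer's own code): already-PGP-encrypted bytes are rendered as pairs of plain English words, the hashtag is derived from the recipient key, and the recipient scans a timeline for tweets carrying their tag. The 16-word dictionary, the sample "ciphertext" bytes, the key bytes and the timeline are all constructed here; PGP itself is out of scope, and using only the first fingerprint byte for the tag is an assumption that gives a short tag at the cost of occasional false matches (which fail PGP decryption and are discarded).

```python
import hashlib
from typing import List

# Constructed dictionary: one plain English word per nibble, so each byte becomes two words.
WORDS = ["fox", "ladder", "horse", "battery", "staple", "river", "candle", "window",
         "pepper", "garden", "marble", "tunnel", "feather", "copper", "meadow", "lantern"]
INDEX = {w: i for i, w in enumerate(WORDS)}


def encode_words(data: bytes) -> str:
    """Map every byte to (high-nibble word, low-nibble word)."""
    return " ".join(f"{WORDS[b >> 4]} {WORDS[b & 0xF]}" for b in data)


def decode_words(text: str) -> bytes:
    """Inverse of encode_words; a word outside the dictionary raises KeyError."""
    words = text.split()
    if len(words) % 2:
        raise ValueError("odd word count, not a dictionary-encoded payload")
    return bytes((INDEX[h] << 4) | INDEX[l] for h, l in zip(words[::2], words[1::2]))


def key_hashtag(public_key: bytes) -> str:
    """Hashtag from the first byte of a SHA-256 fingerprint of the key, in the same dictionary
    (e.g. fingerprint byte 0x01 -> '#foxladder')."""
    fingerprint = hashlib.sha256(public_key).digest()
    return "#" + encode_words(fingerprint[:1]).replace(" ", "")


def post(ciphertext: bytes, recipient_key: bytes) -> str:
    """Build the tweet body: encoded ciphertext followed by the recipient's tag."""
    return f"{encode_words(ciphertext)} {key_hashtag(recipient_key)}"


def messages_for(my_key: bytes, timeline: List[str]) -> List[bytes]:
    """What the recipient does: keep tweets ending in my tag and decode their word payload.
    Payloads that fail to decode (an ordinary tweet that happens to use the tag) are skipped."""
    tag = key_hashtag(my_key)
    found = []
    for tweet in timeline:
        *body, last = tweet.split()
        if last != tag:
            continue
        try:
            found.append(decode_words(" ".join(body)))
        except (KeyError, ValueError):
            continue
    return found
```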

0

You place a key-pair signed & encrypted message within a steganographically encoded image, and then you place that image in a public forum / social media. Make the image a funny meme or cat picture, so it will be widely disseminated by unwitting helpers. The intended recipients will be able to decrypt the message, and the image will be disseminated widely enough to mask the actual intended recipients.

0

One possible way was demonstrated on an episode of "Person of Interest". The two protagonists' usual communications are blown, but they need to get in touch.

They independently pick up burner phones, then one of them calls a pre-arranged number and leaves a message containing their phone number. The other can call the number and retrieve the message.

It's assumed that the answering service has never been used before, and is, presumably, itself disposable.

I further assume that when leaving the message, the phone number is obscured by some pre-arranged scheme (e.g. adding the digits of the number of their favourite deli to the given number).

I don't think they did it in the show, but you'd presumably call the answering service from payphones, rather than from the burner phone, so that anyone who knows about the answering service and is tracing the call doesn't get the burner phones.

-1

There are any number of ways to communicate with someone these days. Forums provide the easiest method. There are tons of them out there, they're easily accessed, and there's so much activity that there's no way to keep track of everything. You would need to agree beforehand on which forum to use, and how to encode your message. The choice of forum and username could even be part of the code.
