Opinion: The stalker in your pocket

A new generation of 'snoopware' listens, watches and spies through cell phones

For most of a century, nosey people, both professional and amateur, have used microphones and cameras to listen to and watch unsuspecting targets.

In recent years, the miniaturization of electronics has enabled these devices to be hidden. Extreme drops in price have made spy electronics available to anyone, even creepy stalker types. The only remaining challenge is placement: If anyone wants to capture the juicy tidbits, they've got to have a microphone or camera in the right place at the right time.

Enter the camera phone, a dream come true for not just spies but a new breed of "cell phone stalkers."

Camera phones contain all the necessary ingredients for completely invasive stalking: a microphone, camera, personal data on the user, location information, a chat and call history -- you name it. And victims carry them everywhere they go.

All that's missing is the software that lets stalkers take control. This new software, called snoopware, does just that. Snoopware -- both legal and illegal -- enables stalkers to secretly seize control of a phone's electronics to listen, watch and spy on their victims.

Welcome to the creepy new world of cell phone stalking.

Although cell phone stalking is new, there's already plenty of bad information, urban legends and false beliefs about it in circulation. I'm going to sort all this out for you, tell you about what's possible and how to protect yourself (it's easier than you think). But first, let's look at the first and most celebrated case to date of this new world of cell phone stalking.

Meet the Kuykendalls

I told you in a previous column about a family in Washington state called the Kuykendalls, who say that a hacker was stalking them through three of their cell phones for more than four months.

The stalker seemed to perform unprecedented cell phone superhacks, according to press reports. For example, he watched them through their phones' cameras and listened through the microphones. When they turned off the phones, the hacker turned them back on remotely, seized control of the phones and sent text messages from them. When they got new phones, the hacking continued. Even scarier, they received almost daily threats of violence from an anonymous caller, who seemed to be calling from a family member's own phone, even when that phone was turned off, and provided details about what they were doing and even what they were wearing.

In addition to the Kuykendalls, the family's neighbor and Mrs. Kuykendall's sister were also harassed by the anonymous caller.

Although the mainstream press played up these events as some kind of terrifying superhack, I think something much more ordinary is going on.

The most likely explanation, based on the limited information publicly available, is that some malicious script kiddie, who knows the family personally, pulled off one or two simple hacks, then "socially engineered" the family into thinking he'd done something more impressive.

For example, a combination of spoofing one of the family's cell phone's Caller ID, which is easy to do, and using that trick to retrieve voice mail, plus possibly hacking the carrier's Web site to change ringtones and cause other mischief. These steps, combined with old-fashioned spying on the family in person, could explain nearly all the superhacking claims.

Hacked? Yes. Disturbing? Very. Illegal? Absolutely. But it's a far cry from the picture painted in the press of some unstoppable arch-villain mastermind.

Experts interviewed on TV and in the newspapers answer "yes" to the question, "Is this kind of hack possible?" And, in fact, it is possible, but spectacularly unlikely.

To pull off the Kuykendalls' superhack described in the press, the family would have to repeatedly buy high-end camera phones, such as Windows Mobile, BlackBerry or other devices, leave Java support on, keep Bluetooth on and in "autodiscovery" mode, or give the hacker full physical access to the phones to install several snoopware applications.

What's possible?

Snoopware is on the rise, mostly because of the increasing sophistication of phones. They're like mini-PCs. Most snoopware attacks have taken place in Europe and Asia. But they're coming to America.

Security experts estimate that there are more than 400 types of snoopware (most of them variants of a few major snoopware programs), and that figure may top 1,000 by the end of the year.

Your typical new snoopware program might enable someone to listen to phone calls and read e-mail and text messages, or steal contacts and other data. Some snoopware can use your phone's microphone to listen, even when the phone is supposedly "off." Other programs can capture images from a camera phone's camera.

Snoopware is the kind of software used by the government to eavesdrop on gangsters and terrorists.

But snoopware isn't the only way to stalk via cell phone.

Most carriers offer a "skip passcode" feature that lets you turn off voice mail password-checking when you call from your cell phone. But because carriers use Caller ID to verify the phone, cell phones "spoofing" another phone's number can get in, enabling hackers to access your voice mail and other features without ever knowing the password.

Semilegitimate snoopware programs called Mobile Spy from Retina-X Studios and FlexiSpy from Vervata run invisibly and upload text messages and phone logs to an online server. They can also upload location information. Mobil Spy runs only on Windows Mobile phones, while FlexiSpy offers versions for Series 60 Nokia phones, BlackBerry and Windows Mobile phones. A Pro version of FlexiSpy enables eavesdropping through cell phone microphones when you call a dedicated phone number. A future Pro-X version will let you listen in on calls in progress. The companies target concerned parents, suspicious spouses and distrustful bosses, but obviously a malicious hacker could use them for cell phone stalking.

Sounds bad. But be aware that these programs require physical access to the phone for installation, and they're easy to detect. The security software companies generally consider these applications as malware, and alert users to their presence.

How to beat cell phone stalkers

The best cure is prevention. Don't allow strangers to gain access to your phone. Like any other kind of software, snoopware doesn't install itself. The leading methods for installation are physical access installation, where the user installs by clicking on an attachment or link; or via Bluetooth. By preventing potential stalkers from touching your phone, never clicking on e-mail attachments or links from strangers, and turning off Bluetooth autodiscovery, you'll keep snoopware off your phone.

The fact is, snoopware hacks are dangerous only if you're unaware of them. Once you suspect someone is using your cell phone to spy on you, it's trivially easy to stop them.

Let me count the ways:

1. Buy an anti-malware application from vendors like Symantec, McAfee, Trend Micro, F-Secure, SMobile, MyMobiSafe and others. These products find not just the shadowy, hacker snoopware programs, but the legal ones, too.

2. Turn on passwords for voice mail access. Do you have to enter a password each time you check voice mail? If not, your carrier has enabled the "skip passcode" feature. A stalker spoofing your Caller ID can check your voice mail, too. But by re-enabling a good password, it will be much easier to keep your voice mail private.

3. Downgrade your cell phone. Snoopware works only on the most advanced phones. For nontechnical users like the Kuykendalls, one simple solution is to swap out your high-end phone for a cheaper model that doesn't support Java or Bluetooth and doesn't have a camera. This isn't a good solution for gadget fans, but for families feeling terrorized, this is a cheap, fast and easy way to get control.

4. Switch carriers. There's not much you can do at the handset level to foil a hack of the carrier's Web site. If the company can't shut down the hacker, switch to another carrier.

5. Buy an anonymous prepaid phone. The last-ditch solution (just before going without a cell phone) is to buy a prepaid phone from 7-Eleven or a similar store. This provides not only the benefits of a low-tech cell phone and a new carrier, but greater anonymity.

The cell phone stalker trend is real. But simple, common-sense precautions can protect you and your family from malicious harassment.

Mike Elgan writes about technology and global tech culture. Contact Mike at mike.elgan@elgan.com or his blog, The Raw Feed.

Related News and Discussion:

6 tips for scaling up team collaboration tools
Shop Tech Products at Amazon