Capturing Mobile Call Data

05-08-2014, 03:12 PM
I want the bad guys to have almost real-time access to the cellular call records of the good guys. I don't want them to be listening in, just to be aware of the 5 Ws of the call.

It's happening in California, but I don't have a particular carrier or phone type in mind. If the bad guys need brief physical access to the device, that's pretty easy for me to arrange. But I want them to know within a few minutes who the good guy has called.

I don't think this is actually cloning the phone, but I could be wrong. Wouldn't be the first time. :)

King Neptune
05-08-2014, 03:31 PM
The easy way is to get access to the central computer and add a little code that would send data regarding certain numbers (or digitized copies of all phone calls) to a third party computer. The NSA does that by infecting the target computer with a virus that adds the code. Apparently they are quite successful.

05-08-2014, 06:20 PM
The phone call data that you're wanting is exactly the phone call "metadata" that Eric Snowden revealed the NSA was farming from the carriers.

Phone call data is stored in a kind of database on the huge switches that route traffic. All phones (mobile or not) are assigned a kind of "home" switch. Phone traffic (very basically) routes from switch to switch until it gets where it's being sent. If your phone moves to a location served by a different switch, that's what roaming means on a technical level.

I've left out a LOT about how that all works, but it means that if you know the home switch for a cell phone, you have one method for retrieving that metadata. If the phone you want to track isn't moving from one switch region (a Local Access and Transport Area, LATA) to another, you could probably hack that switch to retrieve this data.

You could have fun and say that your bad guys are piggybacking the NSA backdoor into those switches.

05-08-2014, 06:54 PM
Yeah, for an ordinary random hacker this data would be hard to get, because telephone company security isn't bad. Call records from the switches aren't sitting out there on the company website for some SQL injection or other stupid zero day thing to reveal. Realistically you need one of:

- employee on the inside giving access
- backdoor access through a security agency -- and then you need to hack or social engineer *them*.
- magical hacking skills with text flying by on the screen too fast to read.

That last works in the movies....

Anyway it turns out not to be easy to collect this kind of data in real-time, because the data is meant for billing and is collected in batches or trickled in from many sources without regard for instant timeliness. From any given switch, you can indeed get it in real-time, but if the victim/target roams, it wouldn't be trivial to monitor call records throughout the whole network all at once. It would still be possible, but it would probably require active support from the company's security/law-enforcement workcenter staff, which suggests a very complicated con indeed.

05-08-2014, 09:11 PM
If the bad guys had access to the good guys' phones they could clone the phone and have, essentially, a duplicate phone. Open phone, check recently called list, done.

Unfortunately, most networks detect cloned phones pretty quickly and shut down the account, but some liberties in writing it could be believable.

There is (used to be, it's outdated now...) a CSI stick that you can plug into a phone data port to grab the info and the modern equivalents are used by investigating agencies all the time.

It would also be possible to connect via Bluetooth if the phone was close enough.

Lots of options, depending on what works for the story.


05-09-2014, 01:50 AM
You could have fun and say that your bad guys are piggybacking the NSA backdoor into those switches.
That might work for what I need. I'm writing first person, and the MC isn't that technically oriented. But he's got a friend with him who is a crypto/signals guy for a private military contractor, who would know enough to understand what's going on.

"I know what I'd have to do to get this kind of info real-time, and it involves some three-letter government agencies that I don't want to be on the bad side of."