💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › CELLULAR › cellpdoc.txt captured on 2022-06-12 at 17:27:23.


September 15, 1992
CELLULAR TELEPHONE OPERATIONS AND INTERCEPTIONS; FIRST OF ALL.

In a recent best seller, (Clear and Present Danger) Tom Clancy, one hell of a
fine wordsmith, based much of the tension in the plot on the fact that the
good guys (government agents in this case) could not follow the bad guys, even
on their cellular telephones because cellular phones are "impossible to
monitor."

 Tom, Tom, lack of research or just trying to be nice to those agents
who helped you out on the book? Let's face facts, it ain't exactly impossible
to eavesdrop on cellular phones. In fact cellular phones are just about
the easiest type of communication to monitor without major equipment
expenditures or committing grievous felonies. Ah, let me qualify that last one
just a bit, it is against the law to monitor cellular conversations because
they, unlike cordless phones which also transmit over the radio, give the
"expectation of privacy." Or it is against the law until some good ACLU type
lawyer takes the first case to court, but that is neither here nor there. It
is against the law to monitor these conversations without the correct legal
documents and I am writing this section secure in the knowledge that none of
you would break this law, and that anyone who uses these techniques has a
legal right to do so. Right? So please ignore the fact that anyone with a
halfway decent scanner, (and they don't make many without cellular coverage
anymore) can just turn on, tune in and drop, ah, in. Some scanners won't allow
this illegal listening. For instance, Radio Shack, that paragon of poor man's
eavesdropping equipment, although they designed their scanners to receive
these calls, made it impossible to do so after the laws were changed.

Unless you take a pair of scissors and clip one little wire...

  But it's the intent of the law that is at stake here; suppose you don't have
a scanner? God forbid you should look at the frequency chart and realize that
some cellular channels can be received on an unmodified UHF television set.
Don't touch that dial!


A TRICK
The two problems with either of these drop-in monitoring systems are that A.
One doesn't know who one is listening to, and B. As the target moves about in
any area covered by CP's his signal will be automatically "handed off" to new
cells as the signal strength of his transmission falls off. These
frequencies are random on the basis that they are available on the system not
in use, and do not interfere with other conversations already in progress.

Pandora's box?

  Hardly. Here is how cellular telephones work and how everybody who has any
desire to tune in on the world's greatest party line can do so with a minimum
of effort from those with $40,000 budgets to those equipped only with a
scanner and a sense of adventure...

OPERATING SYSTEMS & TRAINS THAT FLY
Cellular systems consist of a number of individual "cells" that contain a
number of individual frequencies for the transmission of audio information.
A certain number of other frequencies within the cell are allotted to channels
that transfer the data necessary to set up and maintain the call.

  Every area covered in the U.S. has at least two cellular phone companies in
operation: One is a wireline company, meaning it is, or was, depending on
whose lawyers one believes, owned by Bell. The other operator is a
non-wireline, an independent rep. Both adhere to the same operating standards.
When a particular phone reaches the outer limit of a particular cell's power,
the equipment automatically senses this and "hands off" the call to an
adjacent cell to continue the conversation with no noticeable loss in
signal.

  The hexagons usually used to illustrate cells are really only symbolic.
Graphic artists and other PR types use these shapes to describe the system but
the real boundary of a cell is a jagged line that represents a point where the
power level falls off to about -100 decibels relative to a milliwatt of radio
power hitting the receive antenna.

At that point the system doesn't work very well because it's about equal to
the regular noise input to the receiver and it becomes very difficult to get a
good signal in there, so somewhere in the range of -85 to -100 dBm is the
point where one would no longer use the radio in that cell and the signal is
handed off to another cell.

  The decision of where and when to hand off is also mitigated by other
factors; for instance, are there any available voice channels in the cell that
would be the preferred choice for the handoff target? If so the decision is
simply to take the frequency in that cell and command the mobile to change its
frequencies to that particular frequency in order to carry out the hand off.

  In real life, cells do not come out to perfectly drawn symbols but rather
jagged areas of signal which are influenced by hills, buildings, and other
natural factors beyond the control of the cellular company.

  There are hills in every city and every hill will create a signal shadow in
the area behind it. Tall buildings will create the same effect. If the cell
includes streets with buildings that have highly reflective windows, like
silver glass or enameled coating, this tends to form a wave guide and will cut
the power down a long distance along that street if it's in line aside an
antenna.

  The waves begin bouncing back and forth and side to side, reflecting energy
like two parallel mirrors on opposite walls, so suddenly there are a lot of
strange things that weren't included in the original symmetrically-shaped
pattern. But that's life in the big city. Literally.

  The combination of particular antenna placements plus buildings and
shadowing in the service city creates areas which need to be overlapped. Phone
companies want some overlap with the boundaries, which requires a little
leeway about where to make handoffs occur. They have to cover the whole city
to give good service. No area can be excluded.

  Some operators employ an engineer on a full-time basis to go out and make
constant measurements. Others will bring in a consultant and have them make
measurements locally every other month or two depending on the rate of growth.
If a tall building goes up right on an existing antenna, they may go out and
survey it while it's still under construction in order to do some modeling and
field prediction to correct the problem before it happens. This means cell
site boundaries and handoff points are in a state of flux.

  The mobile phone operates on one frequency, sending out one side of the
call and the cell operates at another frequency 45 MHz less than the mobile.
The cell itself broadcasts both sides of the call.

  In the cells themselves there are basically two sets of channels: the
original channels were just the ones allocated to two different competitive
carriers in the world's metro areas. Of these 333 channels in each of these
two groups, 21 which are near the boundary and 21 on the other side of the
boundary, are used as the so-called set up channels. All the other channels
are available for voice.

Recently the FCC allocated an additional 83 channels to each of the two
carriers. The wireline carrier, which is a former Bell operating company,
got it in one nice big chunk of 83 channels in every area. The A carrier, the
non-wireline carrier in each district, (Cellular One, for example) got the new
access in two chunks that were split apart, say 33 in one place and 50 in the
other. This is important because the FCC has said they are not going to give
out any more channel allocations until the end of the century.

HOW CALLS ARE PLACED
The overhead train, a continuous stream of data (on a data channel) that is
constantly sending out loads of information of who is where and with what will
be occasionally interrupted by a specific starting message, called a page.
This is a message that mitigates the telephone number of the call of the
mobile, indicating there's a call for the mobile.

  At this point the system doesn't know where the mobile is in the city so
this page is sent out in every cell in the whole city. The mobile, if it's
there, will respond in one of the cells as it has been watching one particular
frequency in the setup channel. It will go to another channel and if that
fades out, it will scan and find another one so it's always watching one
particular frequency and responding in the same frequency.

  If located the mobile will be rung up or a pre-recorded message will be
issued saying that it is busy or off hook. The caller will then be
disconnected whether he wants to stay on or not. He can dial again immediately
but will get the same result, because they are trying to limit the amount of
air time that's consumed without producing any revenue if the subscriber is
out of town or has his mobile turned off.

What happens when a user goes to make a call? The setup channel in every cell
transmits a sequence of minor data in a certain frame in the overhead train,
which includes things like the actual number of the phone involved. Every
system in North America has a 3 digit number along with some other data which
tells the mobiles if they are from outside the local system, if they should
identify themselves or not. If a phone is visiting the city should it identify
itself or should it wait until the switch has a call for it?

  When a mobile starts up cold, it begins scanning. It starts scanning the
supervisory channels. It only has 21 to look at so it scans all of them until
it finds the strongest one and locks onto it and looks for the overhead train.
As soon as the overhead train is grabbed, it waits and watches. If the train
fades away, the mobile will go back and start scanning all over again.

  If a mobile operator wants to originate a call, the operator enters all the
dial digits into a display register on the mobile and hits a key labeled
"send." This causes the mobile to transmit a call setup message on the reverse
frequency part of the supervisory or setup channel before it identifies itself
and gives the telephone number to be dialed and it listens to see if the train
wants any more information. The telco may only request 7 of the 10 digits of
the mobile number or it may demand everything including the electronic
serial number, but all the systems are capable of asking for everything and
the only reason some companies reduce the amount of information is just to
save transaction time when they're very busy.

The response contains all the same information. The actual switch, which is
located at the cell site, has to have 3 types of radios: Voice channel
transceivers are for actually talking in duplex covering about 45 usable
channels per cell unless the expanded spectrum has been put into use where it
goes up to 56 channels per cell. At least one control or setup channel
transceiver is also required but most companies will install a spare for that
in case of failure because its role is a crucial one. If it's dead,
everything's dead, calls can't be set up in either direction.

  In addition, at least one locating receiver is required to measure radio
signal strength indication because when a handoff occurs there's always a
question. If the signal strength in this mobile is getting weak, where is it?
Is he driving north, is he driving east, west or south, which cell is he
getting closest to? The system, prior to the handoff, has to request all the
locating receivers in the nearby cells to tune to the frequency of that mobile
in order to measure the signal strength and report the strongest one.
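The handoff decision described above (signal falling into the -85 to -100 dBm
window, locating receivers in neighboring cells reporting the strongest reading,
a voice channel having to be free in the target cell, then a change-frequency
order to the mobile) is easy to see as a small piece of switch logic. The
following is an added example, not code from this document or from any carrier's
switch; the cell names, the -95 dBm threshold, the 3 dB hysteresis margin and
the sample readings are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

BASE_TO_MOBILE_OFFSET_KHZ = 45_000   # mobile transmits 45 MHz below the base (from the text)
HANDOFF_THRESHOLD_DBM = -95.0        # assumed: a point inside the text's -85 to -100 dBm window
HYSTERESIS_DB = 3.0                  # assumed: neighbor must beat the serving cell by this much


@dataclass
class CellSite:
    name: str
    free_voice_channels_khz: list = field(default_factory=list)   # idle base-transmit channels


@dataclass
class LocatingReport:
    """One locating receiver's reading of the mobile on its current channel."""
    cell: str
    rssi_dbm: float


def needs_handoff(serving_rssi_dbm):
    """The serving cell asks for a handoff once the mobile's signal gets too weak."""
    return serving_rssi_dbm < HANDOFF_THRESHOLD_DBM


def choose_handoff_target(serving, serving_rssi_dbm, reports, sites):
    """Pick the strongest neighbor that (a) is clearly better than the serving
    cell and (b) has an idle voice channel. Returns (cell name, base channel kHz)
    or None to stay on the current cell."""
    if not needs_handoff(serving_rssi_dbm):
        return None
    for report in sorted(reports, key=lambda r: r.rssi_dbm, reverse=True):
        if report.cell == serving.name:
            continue
        if report.rssi_dbm < serving_rssi_dbm + HYSTERESIS_DB:
            break   # strongest remaining neighbor is not clearly better: stay put
        site = sites[report.cell]
        if site.free_voice_channels_khz:
            return report.cell, site.free_voice_channels_khz[0]
    return None   # weak signal but nowhere better to go (no channel, or no stronger neighbor)


def execute_handoff(serving, old_channel_khz, target, sites):
    """Reserve the new channel, release the old one, and build the order that
    is sent on the voice channel just before the mobile switches frequency."""
    cell_name, new_channel_khz = target
    sites[cell_name].free_voice_channels_khz.remove(new_channel_khz)
    serving.free_voice_channels_khz.append(old_channel_khz)
    return {
        "order": "CHANGE_CHANNEL",
        "to_cell": cell_name,
        "base_tx_khz": new_channel_khz,
        "mobile_tx_khz": new_channel_khz - BASE_TO_MOBILE_OFFSET_KHZ,
    }


def build_sample_sites():
    """Constructed city: the channel numbers follow the reuse-group columns of
    the wireline table later in the text (D, C, E and A groups)."""
    return {
        "D1": CellSite("D1", [880_740]),
        "C1": CellSite("C1", []),                 # every voice channel busy
        "E1": CellSite("E1", [886_650, 885_180]),
        "A1": CellSite("A1", [881_070]),
    }


def run_handoff_example():
    """Mobile on D1 (channel 883.890 MHz) fading to -97 dBm; neighbors report."""
    sites = build_sample_sites()
    serving = sites["D1"]
    reports = [
        LocatingReport("C1", -90.0),
        LocatingReport("E1", -88.0),
        LocatingReport("A1", -99.0),
        LocatingReport("D1", -97.0),
    ]
    target = choose_handoff_target(serving, -97.0, reports, sites)
    if target is None:
        return None
    return execute_handoff(serving, 883_890, target, sites)


if __name__ == "__main__":
    print(run_handoff_example())
```

The two failure modes worth noticing are built in: a neighbor that reads
strongest but has no idle voice channel is skipped (the text's "are there any
available voice channels in that cell"), and a mobile whose signal is weak
everywhere stays where it is rather than bouncing between cells, which is what
the overlap "leeway" the text mentions buys the operator.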

  The actual switches are called either an MTX or MTSO depending on the
manufacturer. MTX means Mobile Telephone Exchange and MTSO means Mobile
Telephone Switching Office.

  The central switch is pretty much a standard telephone switch. Almost all
the modern ones are digital in nature with some type of a switching network
which connects calls from one port to another. There is also some kind of a
control complex involved in the central processor similar to a computer.
There is a digital trunk controller and some sort of interface which is used
to connect to other telephone central offices in other parts of the city.

When the call gets into that switch mechanism, the signal is handled like a
regular telephone call. All the same technologies about pen recording,
intercepting, tracking and taping all the conversation can and will be
intercepted by the carrier at this point without special equipment.

  In addition to that, all the records produced by things like automatic
number identification and billing, and all the call records (~UR's), can be
subpoenaed, so everything applies pretty much the same as it does in the
regular telephone system.

  There's also some type of a control connection to the central processor,
usually run through a voice frequency channel which leads to a controller of
some type which is another microprocessor system at the cell site that's
connected to both the radios to tell them to go on and off and then back into
the locating receiver in order to process the change to get the frequencies
and take measurements.

This is the format of one cell site. A city may have as many cell sites as
necessary. U.S. systems range from the minimum of one cell site to as many as
about 70 or 80. Los Angeles has about 80, New York runs a close second.

ROAMING AND ROVING
All of North American cellular operators have uniform technical standards and
in theory, if there's no business reasons not to, a set can roam anywhere in
the continent where there's radio coverage. The operator can at least originate
calls even though he may or may not be able to receive them, depending on
whether inter-connections exist for data transfer between the various cellular
systems, but technically there's no reason why one can't originate a call.

  Any mobile set has several options. If it can't find any supervisory channel
at all (if it's suddenly situated out in the country where there's no cellular
service) the mobile will scan and scan and eventually, after a few tries, it
gives up and indicates that the caller is SOL.

  If the operator scans all the channels but the system number showing in the
overhead train doesn't match the one in the memory of the telephone set, the
mobile set, it will keep watching it in the roam mode, understanding it's
outside of its home system. In most sets one can also switch to the other
carrier in the area.
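The mobile-side behaviour the text has described so far (cold start scanning
the 21 setup channels and locking onto the strongest, answering a page that
names the set's own number on the reverse side of that channel, rescanning when
the train fades, giving up after a few dry scans, and deciding home versus roam
by comparing the system number in the overhead train with the one in memory)
fits in one small state machine. This is an added example, not code from this
document or from any handset maker; the class and method names, the
OverheadTrain.system_id field, the system numbers 42 and 77 and the channel
readings are constructed assumptions.

```python
from dataclasses import dataclass

# Wireline setup channels from Table 3-2: 880.020 to 880.620 MHz, 30 kHz apart (21 channels).
SETUP_CHANNELS_KHZ = [880_020 + 30 * i for i in range(21)]
BASE_TO_MOBILE_OFFSET_KHZ = 45_000   # the reverse (mobile) side sits 45 MHz below the base side


@dataclass
class OverheadTrain:
    """The one field of the overhead train this example models: the system
    number the mobile compares with its home system (field name is assumed)."""
    system_id: int


class MobileStation:
    """A mobile set: scans setup channels, camps on the strongest, decides
    HOME vs ROAM from the overhead train, and answers pages for its own number."""

    def __init__(self, home_system_id, mobile_number):
        self.home_sid = home_system_id
        self.mobile_number = mobile_number
        self.state = "SCANNING"
        self.locked_khz = None

    def scan_setup_channels(self, readings):
        """readings: {freq_khz: (rssi_dbm, OverheadTrain or None)}, a constructed
        snapshot of what the receiver heard. Only setup channels carrying a
        decodable train are candidates; the strongest one wins."""
        candidates = [
            (rssi, freq, train)
            for freq, (rssi, train) in readings.items()
            if freq in SETUP_CHANNELS_KHZ and train is not None
        ]
        if not candidates:
            self.state, self.locked_khz = "NO_SERVICE", None
            return self.state
        _, freq, train = max(candidates, key=lambda c: c[0])
        self.locked_khz = freq
        self.state = "HOME" if train.system_id == self.home_sid else "ROAM"
        return self.state

    def cold_start(self, scan_results, max_attempts=3):
        """Power-up: rescan a few times; after max_attempts dry scans the set
        reports NO_SERVICE (the text's 'caller is SOL')."""
        for readings in scan_results[:max_attempts]:
            if self.scan_setup_channels(readings) != "NO_SERVICE":
                return self.state
        self.state, self.locked_khz = "NO_SERVICE", None
        return self.state

    def train_lost(self):
        """The camped-on train faded: drop the lock and start scanning all over again."""
        self.state, self.locked_khz = "SCANNING", None
        return self.state

    def handle_page(self, paged_number):
        """A page carries the called mobile number. Only the matching set
        replies, on the reverse side of the setup channel it is camped on;
        every other set stays silent (returns None)."""
        if self.locked_khz is None or paged_number != self.mobile_number:
            return None
        return {
            "mobile_number": self.mobile_number,
            "reverse_khz": self.locked_khz - BASE_TO_MOBILE_OFFSET_KHZ,
            "roaming": self.state == "ROAM",
        }


if __name__ == "__main__":
    ms = MobileStation(home_system_id=42, mobile_number="2125551212")
    home = {880_050: (-80.0, OverheadTrain(42)), 880_020: (-92.0, OverheadTrain(42))}
    print(ms.cold_start([home]), ms.handle_page("2125551212"))
```

Note that a page is answered only in the cell where the set is camped, which is
exactly why the system has to broadcast the page in every cell: until the reply
comes back on the reverse setup channel, the switch has no idea where the mobile
is.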

The business arrangement is that most U.S. wire lines have some kind of
cross-billing contracts. All of the former Bell operating companies'
subsidiaries have almost uniform cross-billing contracts and many, but not all
of the non-wire line people have cross-billing contracts, plus there are many
cross-billing contracts between wire line and non-wire line because there are
lots of cross ownership, so almost every place the phone goes there is about a
95% chance to place a call which will later appear on the operator's phone
bill.

  General Telephone operates a clearinghouse that automatically bills the
correct party no matter where he happens to be at the time of the call.

  If the city the call is being originated in overlaps coverage with a
neighbor, the handoff can occur between cities. In a few years the entire U.S.
is expected to be included in a system of mass coverage. This knowledge can be,
and is, used to protect oneself from law enforcement intercept orders as
follows (borrowed from the ah, well, a group of Italian businessmen):

  If someone wants to protect his location and his number from intercept, he
registers on a non-wire line system and then "roams" in whatever city he's
located in, so, in order for his customers to reach him, they will have to
dial the local roamer number, then punch in the area code and phone number to
connect.

  The transmitter could be 10' from the receiver, it makes no difference.
This technique protects the caller's location and it protects the location of
the "customer" because he can't be isolated from the roamer truck, making it
effectively impossible to place intercept equipment to track and record the
unit's conversations.

  The roam feature knocks the caller out of the regional system that normally
covers north, south, east or west in any area. Of course, the user is paying
the price of a toll call, and roaming calls are always more expensive than
non-roamers. But still...

  By choosing the other wire/non-wireline system the phone will automatically
operate in the roaming mode. Something to remember, just in case that, well,
that your uncle from New Jersey drops in for an unexpected visit. . .

CELL CONSTRUCTION AND INTERCEPTION TECHNIQUES

Law enforcement types can purchase sets to monitor, track and record cellular
phone calls. These sets are damn expensive from suppliers like HDS and are
usually just test sets designed to monitor cellular operations for a carrier.
They're still damn expensive.

  If someone tries to intercept a call with a test, the results will be
printed out (including new handoff frequencies) and the sets can manually
switch to it almost as fast as the mobile does. That's because a certain
signal is transmitted in the voice channel just before the handoff containing
the mobile change frequency.

  This means, among other relevant tidbits, that a person, hopefully a person
in Law Enforcement, who has a monitor that will read the overhead train
(usually a modified IFR service monitor, $25-$35K) can actually tell if a
subject is in a certain city and follow him from cell to cell even if he
doesn't make a single phone call, as long as his phone is turned on... In some
systems.

  These sets are out of the reach of most police departments at this time, but
many big cities are purchasing some sort of auto-record equipment and trust
me, the Feds do have them, my friend.

Test sets such as those produced by IFR will reveal everything going on. It's
their job, after all. A good test set will not only listen to the audio, it
will display all the monitor data in the proper form and anything else asked
of it.

  The test set, whether sold to telco suppliers or with a value added (say
$10,000) and sold to law enforcement as an intercept station, can mimic a base
station or it can metamorphosize itself into a mobile unit. It can follow
every handoff via the ESN or phone number automatically.

  Test sets are programmed to become a certain mobile at any given notice and
record what calls it receives, when it changes to a different frequency and so
on. Although originally designed for sorting through a system they are ideal
for interception within any metropolitan area. Some cellular operators now
maintain a certain portion of their switch physically in the open so law
enforcement folks (armed with a warrant) can hook up their recorders right at
the switch without disturbing the phone company's personnel or equipment. The
telephone companies have only a certain number of spare ports to hook on to. A
few government agencies, like the Bureau, had a habit of grabbing them up,
making it difficult for other companies to get them. For quite a while the
telephone companies were lying, saying they didn't have the ports available,
forcing them to use a service monitor. However, so many cellular intercepts
came through that telephone companies are required by law to give the minimal
cooperation necessary. In the State of New Jersey, for instance, there is a
new phone building in North Jersey that has a separate room to house the
intercept equipment with space for any law enforcement goodies (slaves, etc.)
to live and work. New cellular switching stations are putting an appearance
outside for empty TSO's so the cops don't bother them all the time. The
routine is: Show me some paper, go hook up.

  It does happen.

By understanding the concept of cellular placement and frequency allotment it
is very possible to monitor cellular phone calls. Author Bill Cheek in his
fine book "Scanner Modification Handbook," published by CRB Research Books
Inc., describes cellular layout and how it can be tracked with a scanner. This
system is absolutely right-on and we are reprinting it (with permission from
Mr. Cheek and Tom Kneitel of CRB Research) here in full as our first find 'em
technique.

Table 3-1
CELLULAR BAND FREQUENCY ALLOCATIONS

Wireline (telephone company) cell sites
(bases): 880.020 - 889.980

Wireline (telephone company) mobiles
(car phones): 835.020 - 844.980

Non-wireline company cell sites
(bases): 870.030 - 879.990

Non-wireline company mobiles
(car phones): 825.030 - 834.990

  Since cellular systems are computer controlled and operated, the digital
data channels are always going full blast with an annoying buzzsaw sound.
These control frequencies are shown in Table 3-2.

Table 3-2
CELLULAR MOBILE TELEPHONE COMPUTER
CONTROL FREQUENCIES

Wireline (telephone company) cell site
(bases): 880.020 - 880.620

Wireline (telephone company) mobiles
(car phones): 835.020 - 835.620

Non-wireline company cell site
(bases): 879.390 - 879.990

Non-wireline company mobiles
(car phones): 834.390 - 834.990

  With 30 kHz channel spacing, in a typical 870 to 880 MHz, or 880 to 890 MHz
system, there are twenty-one computer control channels and 312 channels for
voice, for a total of 333 channels for each service provider. This, then,
breaks down into what might be considered several voice bands for cell sites
and mobiles:

Band #1 870.030 to 879.360 MHz
(Non-wireline cell sites)

Band #2 880.650 to 889.980 MHz
(Wireline cell sites)

Band #3 835.650 to 844.980 MHz
(Non-wireline mobiles)

Band #4 825.030 to 834.360 MHz
(Wireline mobiles)

The bases (cell sites) use more power than the mobile units, and have antenna
systems that are higher and more formidable than the mobile units. As a
result, the cell sites present strong signals. Moreover, in almost all
instances, the cell sites transmit both sides of all conversations inasmuch as
they repeat the received signals from the mobile phones with which they are in
communication.

  You might wish to refer to Tables 3-3 and 3-4 which depict the unique
frequency layout for up to seven cells. This is a complete cellular system
frequency layout plan for wireline and non-wireline systems. Visualize a
system this way: In order to avoid adjacent (side-by-side) cells from having
the same frequencies to interfere with one another, seven cells are required;
one at the center and six more surrounding the center cell. There is no
particular pattern as to how Cells "A" through "G" have to be laid out. That
is, Cell "D" can just as readily be a center cell with the others circling it,
as could any other combination. In a metro system consisting of many cells,
there isn't any such thing as a "center" cell, because every cell is, in
effect, a "center cell" with respect to six others which surround it.

Generally speaking, two cells can (and do) operate on the same frequencies
when they are separated by at least one different cell. Actually, the seven
cell system unit as depicted in Figure 3-1 is used over and over. Two or even
more adjacent cells on different frequencies are located between any two cells
on the same frequencies. The cellular concept thus takes advantage of low
powered, short range 800 MHz propagation to reuse the same frequencies at
several different cell sites in a large metro region. If this weren't
possible, then only 312 simultaneous conversations could take place at any one
time; as it is, thousands of simultaneous conversations can be accommodated
within a large cellular system, thanks to frequency reuse.

  Another factor here is the unique side effect of Frequency Modulation (FM)
where an FM receiver exclusively "hears" the stronger of two signals presented
to it on the same frequency.

  So when cells on the same frequency are separated by one or more cells, even
though a mobile might be positioned to detect signals from either, it actually
will accept only the strongest one. The odds are very slim of the mobile being
located precisely where the two signals are exactly equal. But even in that
case, the odds against interference are improved even more because chances are
virtually certain that the mobile would be under the control of a stronger
third cell site signal on a different frequency.

  Not only do no two adjacent cells use the same frequencies, but no two
adjacent cells use adjacent frequencies. For example, a given cell (Cell "D")
that transmits on 880.950 MHz will not transmit on 880.980 MHz nor on 880.920
MHz. Likewise, mobiles within any given cell will not transmit on adjacent
frequencies. This arrangement prevents adjacent channel interference in
receivers located at cell sites and mobile units. FM receivers are not very
selective to begin with, and the use of adjacent channels would cause
interference within a cell. The scheme depicted in Tables 3-3 and 3-4 was
created to minimize the chances of adjacent channel interference throughout
the entire cellular system. Note that each cell is allocated 47 or 48
frequencies, with a spacing of 210 kHz (seven channels) between each assigned
frequency. In that manner, adjacent frequencies are not used in the same or
adjacent cell sites.
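The frequency plan just described (30 kHz channels, a 21-channel setup block at
the bottom of the wireline band, voice channels dealt out to Cells A through G
in rotation so that each cell's channels sit 210 kHz apart, and the 45 MHz
offset to the mobile side) can be reproduced and checked arithmetically, which
is how a planner would verify that a proposed site layout obeys the "differ by
60 kHz or more" rule the text summarizes later. The following is an added
example, not code from this document or from Bill Cheek's book; the function
names are this example's own, and the one assumption it makes is that the
column pattern of the wireline table reprinted below (consecutive 30 kHz
channels walking across the A..G columns) holds for the whole 312-channel voice
band.

```python
CHANNEL_SPACING_KHZ = 30
SETUP_LOW_KHZ = 880_020                       # first wireline setup channel (Table 3-2)
SETUP_CHANNELS = 21
VOICE_LOW_KHZ = SETUP_LOW_KHZ + SETUP_CHANNELS * CHANNEL_SPACING_KHZ   # 880.650 MHz
VOICE_HIGH_KHZ = 889_980                      # top of the wireline cell-site band (Table 3-1)
BASE_TO_MOBILE_OFFSET_KHZ = 45_000            # mobile side is 45 MHz below the base side
REUSE_GROUPS = "ABCDEFG"                      # the seven-cell reuse pattern


def voice_channels_khz():
    """Every wireline voice channel (base transmit side), lowest first."""
    return list(range(VOICE_LOW_KHZ, VOICE_HIGH_KHZ + 1, CHANNEL_SPACING_KHZ))


def channel_index(freq_khz):
    """0-based position of a voice channel; rejects anything off the 30 kHz grid."""
    offset = freq_khz - VOICE_LOW_KHZ
    if offset < 0 or freq_khz > VOICE_HIGH_KHZ or offset % CHANNEL_SPACING_KHZ:
        raise ValueError(f"{freq_khz} kHz is not a wireline voice channel")
    return offset // CHANNEL_SPACING_KHZ


def reuse_group(freq_khz):
    """Cell letter that owns a channel: consecutive channels rotate A, B, ..., G."""
    return REUSE_GROUPS[channel_index(freq_khz) % len(REUSE_GROUPS)]


def cell_frequencies_khz(letter):
    """All channels of one cell letter, highest first (the order the table uses)."""
    group = REUSE_GROUPS.index(letter)
    return [f for i, f in enumerate(voice_channels_khz()) if i % len(REUSE_GROUPS) == group][::-1]


def mobile_transmit_khz(base_khz):
    """Mobile-side frequency paired with a base-side channel."""
    return base_khz - BASE_TO_MOBILE_OFFSET_KHZ


def min_spacing_within_cell_khz(letter):
    """Closest two channels inside one cell (should be 210 kHz = seven channels)."""
    fs = sorted(cell_frequencies_khz(letter))
    return min(b - a for a, b in zip(fs, fs[1:]))


def min_separation_khz(x, y):
    """Closest any channel of cell x comes to any channel of cell y (0 if x == y)."""
    return min(abs(a - b) for a in cell_frequencies_khz(x) for b in cell_frequencies_khz(y))


def layout_violations(adjacent_pairs, min_separation_khz_allowed=60):
    """Check a site plan against the text's rule that physically adjacent cells
    differ by 60 kHz or more. adjacent_pairs lists letters of cells that touch;
    returns (x, y, actual separation) for every pair that breaks the rule."""
    offenders = []
    for x, y in adjacent_pairs:
        sep = min_separation_khz(x, y)
        if sep < min_separation_khz_allowed:
            offenders.append((x, y, sep))
    return offenders


if __name__ == "__main__":
    # Constructed plan: A-C-E-G alternate correctly, but A next to B and D next to D do not.
    print(layout_violations([("A", "C"), ("C", "E"), ("E", "G"), ("A", "B"), ("D", "D")]))
```

With 312 voice channels dealt across seven groups each cell gets 44 or 45
channels; the "47 or 48" in the text is what you get when all 333 channels of
the allocation are counted instead. Both the text's worked numbers (880.740 MHz
in Cell D, 889.890 MHz as the last Cell A channel, 889.920 MHz as the last Cell
B channel) fall out of the same rotation.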

DISCUSSION OF FIGURE 3-1:
Figure 3-1 illustrates the concept of a very large cellular mobile telephone
system. Cities and metro complexes are rarely symmetrical due to geographical
and other considerations, so Figure 3-1 is elongated to simulate the
configuration of a realistic cellular network.

  Cities tend to grow along railroads, rivers, and major highways, so the
cellular system here is designed accordingly. Most are not this large, with
the typical system consisting of three to seven cells. Small communities might
even be served with a single cell, while metro areas like Los Angeles and New
York City might consist of a number of interconnected systems fanned out to
form a huge network. Frankly, size doesn't matter, because of low power, short
range, and frequency reuse. The potential size of a cellular system is
unlimited, so let's use Figure 3-1 to discuss how a "typical" system is
structured:

FIGURE 3-1. TYPICAL CELLULAR SYSTEM LAYOUT

1. Cells of the same letter operate on same frequency groups. See Tables 3-3 &
   3-4.

2. Numerical designator distinguishes cells of the same letter/frequency
   group; otherwise there is no difference.

3. Two companies are permitted to operate cellular systems in any given metro
   area. The two systems will be laid out functionally as shown above, even
   though the physical layout will be different.

1. A hexagon is used to depict a cell's coverage territory, but the actual
   coverage wouldn't be that shape; it would be more-or-less circular,
   depending upon terrain and geography. However, circles don't illustrate
   the cellular concept as well as hexagons, and that is why hexagons are
   usually used in diagrams of cellular systems.

2. No two adjacent cell sites use the same frequencies. In other words, two
   Cell "A's" are never side-by-side, nor two Cell "B's," nor Cell "C's," etc.
   At least one cell site on different frequencies is always located between
   two other cell sites that are assigned the same frequencies.

3. No two adjacent cell sites are assigned adjacent frequencies. So, Cells "A"
   and "B" are never located next to each other. Neither are Cells "A" and
   "G," or "B" and "C," etc. At least one different cell site is always
   located between two other cell sites that are assigned adjacent
   frequencies.

  Summary: Each cell site is always assigned frequencies that differ by 60 kHz
or more from cell sites that are adjacent to it.

[Figure 3-1, Typical Cellular System Layout: the diagram itself is not reproduced in this text copy.]
  This information, while perhaps boring to lay readers, might be very useful
or handy to persons such as law enforcement officers performing
court-warranted electronic surveillance on cellular conversations of a drug
dealer, inasmuch as DEA and other enforcement officials have long been
aware that cellular phones have become heavily used by drug traffickers.

   So, let's say that an authorized surveillance is taking place and the
suspect is monitored on 880.740 MHz, which is depicted in Table 3-1 under Cell
"D." Everything's fine, and the suspect starts to advise his party to meet him
at -, and then right at the crucial moment, the suspect's car enters the
control of a different cell site, and presto, the channel goes dead.

   Putting the scanner into "Limit Search" mode in an attempt to track the
conversation would bring only frustration; might as well have a cup of coffee
and call it quits for the night. Chances are that the suspect's resumed
conversation will not be encountered. The "Search" mode tracks in a linear,
consecutive-frequency order, either higher or lower. If the suspect's
conversation should be relocated, it would certainly take a while.

   There would, however, be a way of increasing the chances of zeroing back
in on the suspect. First, the scanner would have to be programmed with each
individual cellular frequency in order by cell sites as depicted in Table 3-3
or 3-4. For such an operation, it would be highly beneficial to be working
with a Realistic PRO-2004/2005 that has undergone the 6,400 channel memory
modification outlined in this book (ed. note-Bill's book) (MOD-16) so that
wireline and non-wireline cell site channels could be programmed.

   There wouldn't be any reason to program any of the data-only control
channels, but the scanner could be programmed with Channel 1 = 880.650 MHz;
Channel 2 = 880.860 MHz; Channel 3 = 881.070 MHz, etc. Channel 40 would have
888.840 MHz, then continuing with Ch. 41 = 889.050 MHz and ending all Cell
"A's" programming with Ch. 45 = 889.890.

  Then, all zeros would be entered into Ch. 45 to 50, with Cell "B"
programming as: Ch. 51 = 880.680 MHz; Ch. 52. = 880.890 MHz; through Ch. 95 =
889.920 MHz. All zeros would go into Ch. 95 to 100, and Cell "C" programming
would start in Ch. 101 with 880.710 MHz. Get the picture?

  When completed, the wireline company's 312 voice channels would have been
programmed into the agency's scanner, organized by cell sites and frequency
allocations.

  This would be particularly useful to the surveillance officer because, as
noted earlier, when a mobile unit passes from one cell to another, the new
frequency will not be in the old cell's assignment nor will it be an adjacent
frequency!

Therefore, one could logically eliminate the frequency assignments of three
cells from any consideration. So, when the suspect's conversation gets
handed off from one cell to another, up to three scan banks that are known not
to contain the call are deselected.

  The scanner could then check for the resumed conversation on the remaining
sites and probably locate same rather quickly, as in the example following the
frequency tables.

Wireline company cell site transmit & mobile receive frequencies

            CELL A   CELL B   CELL C   CELL D   CELL E   CELL F   CELL G
            =======  =======  =======  =======  =======  =======  =======
            889.890  889.920  889.950  889.980
            889.680  889.710  889.740  889.770  889.800  889.830  889.860
            889.470  889.500  889.530  889.560  889.590  889.620  889.650
            889.260  889.290  889.320  889.350  889.380  889.410  889.440
            889.050  889.080  889.110  889.140  889.170  889.200  889.230
            888.840  888.870  888.900  888.930  888.960  888.990  889.020
            888.630  888.660  888.690  888.720  888.750  888.780  888.810
            888.420  888.450  888.480  888.510  888.540  888.570  888.600
            888.210  888.240  888.270  888.300  888.330  888.360  888.390
            888.000  888.030  888.060  888.090  888.120  888.150  888.180
            887.790  887.820  887.850  887.880  887.910  887.940  887.970
            887.580  887.610  887.640  887.670  887.700  887.730  887.760
            887.370  887.400  887.430  887.460  887.490  887.520  887.550
            887.160  887.190  887.220  887.250  887.280  887.310  887.340
            886.950  886.980  887.010  887.040  887.070  887.100  887.130
            886.740  886.770  886.800  886.830  886.860  886.890  886.920
            886.530  886.560  886.590  886.620  886.650  886.680  886.710
            886.320  886.350  886.380  886.410  886.440  886.470  886.500
            886.110  886.140  886.170  886.200  886.230  886.260  886.290
            885.900  885.930  885.960  885.990  886.020  886.050  886.080
            885.690  885.720  885.750  885.780  885.810  885.840  885.870
            885.480  885.510  885.540  885.570  885.600  885.630  885.660
Voice       885.270  885.300  885.330  885.360  885.390  885.420  885.450
Channels    885.060  885.090  885.120  885.150  885.180  885.210  885.240
            884.850  884.880  884.910  884.940  884.970  885.000  885.030
            884.640  884.670  884.700  884.730  884.760  884.790  884.820
            884.430  884.460  884.490  884.520  884.550  884.580  884.610
            884.220  884.250  884.280  884.310  884.340  884.370  884.400
            884.010  884.040  884.070  884.100  884.130  884.160  884.190
            883.800  883.830  883.860  883.890  883.920  883.950  883.980
            883.590  883.620  883.650  883.680  883.710  883.740  883.770
            883.380  883.410  883.440  883.470  883.500  883.530  883.560
            883.170  883.200  883.230  883.260  883.290  883.320  883.350
            882.960  882.990  883.020  883.050  883.080  883.110  883.140
            882.750  882.780  882.810  882.840  882.870  882.900  882.930
            882.540  882.570  882.600  882.630  882.660  882.690  882.720
            882.330  882.360  882.390  882.420  882.450  882.480  882.510
            882.120  882.150  882.180  882.210  882.240  882.270  882.300
            881.910  881.940  881.970  882.000  882.030  882.060  882.090
            881.700  881.730  881.760  881.790  881.820  881.850  881.880
            881.490  881.520  881.550  881.580  881.610  881.640  881.670
            881.280  881.310  881.340  881.370  881.400  881.430  881.460
            881.070  881.100  881.130  881.160  881.190  881.220  881.250
            880.860  880.890  880.920  880.950  880.980  881.010  881.040
            880.650  880.680  880.710  880.740  880.770  880.800  880.830

Digital     880.440  880.470  880.500  880.530  880.560  880.590  880.620
Control     880.230  880.260  880.290  880.320  880.350  880.380  880.410
Channels    880.020  880.050  880.080  880.110  880.140  880.170  880.200
            =======  =======  =======  =======  =======  =======  =======

Non-wireline company cell site transmit & mobile receive frequencies

           CELL A   CELL B   CELL C   CELL D   CELL E   CELL F   CELL G
           =======  =======  =======  =======  =======  =======  =======
Digital    879.900  879.930  879.960  879.990
Control    879.690  879.720  879.750  879.780  879.810  879.840  879.870
Channels   879.480  879.510  879.540  879.570  879.600  879.630  879.660
           879.270  879.300  879.330  879.360  879.390  879.420  879.450
           879.060  879.090  879.120  879.150  879.180  879.210  879.240
           878.850  878.880  878.910  878.940  878.970  879.000  879.030
           878.640  878.670  878.700  878.730  878.760  878.790  878.820
           878.430  878.460  878.490  878.520  878.550  878.580  878.610
           878.220  878.250  878.280  878.310  878.340  878.370  878.400
           878.010  878.040  878.070  878.100  878.130  878.160  878.190
           877.800  877.830  877.860  877.890  877.920  877.950  877.980
           877.590  877.620  877.650  877.680  877.710  877.740  877.770
           877.380  877.410  877.440  877.470  877.500  877.530  877.560
           877.170  877.200  877.230  877.260  877.290  877.320  877.350
           876.960  876.990  877.020  877.050  877.080  877.110  877.140
           876.750  876.780  876.810  876.840  876.870  876.900  876.930
           876.540  876.570  876.600  876.630  876.660  876.690  876.720
           876.330  876.360  876.390  876.420  876.450  876.480  876.510
           876.120  876.150  876.180  876.210  876.240  876.270  876.300
           875.910  875.940  875.970  876.000  876.030  876.060  876.090
           875.700  875.730  875.760  875.790  875.820  875.850  875.880
           875.490  875.520  875.550  875.580  875.610  875.640  875.670
           875.280  875.310  875.340  875.370  875.400  875.430  875.460
voice      875.070  875.100  875.130  875.160  875.190  875.220  875.250
channels   874.860  874.890  874.920  874.950  874.980  875.010  875.040
           874.650  874.680  874.710  874.740  874.770  874.800  874.830
           874.440  874.470  874.500  874.530  874.560  874.590  874.620
           874.230  874.260  874.290  874.320  874.350  874.380  874.410
           874.020  874.050  874.080  874.110  874.140  874.170  874.200
           873.810  873.840  873.870  873.900  873.930  873.960  873.990
           873.600  873.630  873.660  873.690  873.720  873.750  873.780
           873.390  873.420  873.450  873.480  873.510  873.540  873.570
           873.180  873.210  873.240  873.270  873.300  873.330  873.360
           872.970  873.000  873.030  873.060  873.090  873.120  873.150
           872.760  872.790  872.820  872.850  872.880  872.910  872.940
           872.550  872.580  872.610  872.640  872.670  872.700  872.730
           872.340  872.370  872.400  872.430  872.460  872.490  872.520
           872.130  872.160  872.190  872.220  872.250  872.280  872.310
           871.920  871.950  871.980  872.010  872.040  872.070  872.100
           871.710  871.740  871.770  871.800  871.830  871.860  871.890
           871.500  871.530  871.560  871.590  871.620  871.650  871.680
           871.290  871.320  871.350  871.380  871.410  871.440  871.470
           871.080  871.110  871.140  871.170  871.200  871.230  871.260
           870.870  870.900  870.930  870.960  870.990  871.020  871.050
           870.660  870.690  870.720  870.750  870.780  870.810  870.840
           870.450  870.480  870.510  870.540  870.570  870.600  870.630
           870.240  870.270  870.300  870.330  870.360  870.390  870.420
           870.030  870.060  870.090  870.120  870.150  870.180  870.210
           =======  =======  =======  =======  =======  =======  =======


      EXAMPLE

Suspect is on a frequency in Cell "D" when the call is switched. The officer
immediately knows that the new cell will not be "C," "D," or "E," so those are
deselected and the scanner does not bother with them. The suspect will be on
only one of about 180 possible frequencies, which the officer could locate
within thirty seconds or less if he knows what to do and can react quickly
enough. If he had unsuccessfully used the "search" to look for resumed
conversations, there were more than 300 frequencies to check through that
way. Note: If the suspect was originally in Cell "A," then Cells "B" and "G"
can be eliminated as possibilities. Likewise, if the original call was in Cell
"G," then calls from Cells "A" and "F" would be eliminated.

  Remember: Cells of the same and/or adjacent frequencies are never physically
located next to one another! A judicious law enforcement surveillance expert
would use both the "scan banks" and the "search" feature as tools to relocate
a handed-off cellular conversation.

  Note: Cellular handoffs occur quite rapidly, especially when a mobile goes
from one cell through the fringe area of a second and then soon after into a
third cell. The two handoffs could take place within seconds, and a search for
the first handoff could well be in progress when the second handoff takes
place. That's when a cell map of a particular area or system would come in
handy.

  Since the time Bill calculated the above information, new frequencies have
been allocated to cellular companies as follows:

824.010 - 834.990 Mobiles non-wireline  A
835.020 - 844.980 Mobiles wireline      B
845.010 - 846.480 Mobiles non-wireline  A
846.510 - 849.000 Mobiles wireline      B

869.010 - 879.990 Bases non-wireline    A
880.020 - 889.980 Bases wireline        B
890.010 - 891.480 Bases non-wireline    A
891.510 - 894.000 Bases wireline        B

  It would be a simple matter to create the same frequency-cell tables with
these new frequencies.
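The two frequency-cell tables above follow a single rule: channel N of the
original 666-channel plan transmits from the cell site at 870.000 MHz plus 30
kHz times N, each cell takes every seventh channel (0.210 MHz apart), and the
mobile side sits 45 MHz away, which is the offset visible in the allocation
table just above (mobiles 824.010-849.000, bases 869.010-894.000). The
following Python generator is an added example, not code from the original
text or from Bill's project; it rebuilds both tables from that rule and checks
the counts the text gives. The cell-A origins (870.030 for non-wireline,
880.650 for wireline), the block boundaries (1-333 and 334-666) and the control
channel ranges (313-333 and 334-354) are assumptions read off the tables; the
later extended-band "new frequencies" are not modelled.

```python
"""
AMPS channel-plan generator.  Added example; not code from the original text
or from any product it mentions.

Assumptions (labelled): channel N has a cell-site transmit frequency of
870.000 MHz + 30 kHz * N; its mobile-transmit pair is 45 MHz below it (the
offset shown by the allocation table in the text); channels 1-333 form the
non-wireline (A) block and 334-666 the wireline (B) block; control channels
are 313-333 (A) and 334-354 (B).  Cell letters follow the text's tables: one
cell's channels are seven channels (0.210 MHz) apart, with non-wireline Cell A
starting at 870.030 MHz and wireline Cell A at 880.650 MHz.
"""

CELLS = "ABCDEFG"
CHANNEL_STEP_KHZ = 30
DUPLEX_OFFSET_KHZ = 45_000
BASE_REF_KHZ = 870_000           # channel 0 would sit here; channel 1 is 870.030

A_BLOCK = range(1, 334)          # non-wireline carrier: channels 1..333
B_BLOCK = range(334, 667)        # wireline carrier: channels 334..666
CONTROL = range(313, 355)        # 313..333 (A) and 334..354 (B)
CELL_A_ORIGIN = {"A": 1, "B": 355}   # first voice channel the text puts in Cell A


def base_khz(n):
    """Cell-site transmit / mobile receive frequency of channel n, in kHz."""
    if n not in A_BLOCK and n not in B_BLOCK:
        raise ValueError(f"channel {n} is outside the 1..666 plan")
    return BASE_REF_KHZ + CHANNEL_STEP_KHZ * n


def mobile_khz(n):
    """Mobile transmit frequency: the duplex pair 45 MHz below the base."""
    return base_khz(n) - DUPLEX_OFFSET_KHZ


def block_of(n):
    return "A" if n in A_BLOCK else "B"


def is_control(n):
    return n in CONTROL


def cell_of(n):
    """Cell letter (A..G) of channel n under the text's 7-cell pattern."""
    return CELLS[(n - CELL_A_ORIGIN[block_of(n)]) % 7]


def frequency_neighbours(cell):
    """The two cells whose channel sets are 30 kHz adjacent to this cell's;
    per the text, such cells are never placed next to each other on the ground."""
    i = CELLS.index(cell)
    return {CELLS[(i - 1) % 7], CELLS[(i + 1) % 7]}


def channels(block, control=False):
    """Channel numbers of one carrier block: voice by default, or control."""
    rng = A_BLOCK if block == "A" else B_BLOCK
    return [n for n in rng if is_control(n) == control]


def mhz(khz):
    return f"{khz // 1000}.{khz % 1000:03d}"


def render(block):
    """Plain-text table in the layout the text uses: one row per 0.210 MHz
    step, one column per cell, highest frequency first, control rows labelled."""
    origin = CELL_A_ORIGIN[block]
    rows = {}                     # row key -> {cell letter: channel}
    for n in channels(block) + channels(block, control=True):
        rows.setdefault((n - origin) // 7, {})[cell_of(n)] = n
    out = ["           " + "   ".join(f"CELL {c}" for c in CELLS)]
    for key in sorted(rows, reverse=True):
        row = rows[key]
        label = "Control" if is_control(min(row.values())) else "Voice"
        cells = "  ".join(mhz(base_khz(row[c])) if c in row else " " * 7
                          for c in CELLS)
        out.append(f"{label:<11}{cells}".rstrip())
    return "\n".join(out)


if __name__ == "__main__":
    for blk in ("A", "B"):
        print(f"Block {blk}: {len(channels(blk))} voice, "
              f"{len(channels(blk, control=True))} control channels")
        print(render(blk), end="\n\n")
```

Running it prints 312 voice and 21 control channels for each carrier, which is
the count the text gives for the wireline company, and reproduces the tables
row for row (wireline Cell A from 880.650 up to 889.890, non-wireline control
channels 879.390-879.990 beginning in the Cell E column).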

OUR OWN REFINEMENTS:
I sat in on a cellular phone interception project with a couple of law
enforcement types during the writing of this book using an offshoot of Bill's
idea. Here's how they did it:

  The target was operating in a major metropolitan city in the U.S. with a
number of hills and dead-air valleys. The LP was situated in a house on a hill
that overlooked much of the city.

  The LP was equipped with an ICOM 7000 receiver and a non-directional antenna
sensitive in the 800 band. The ICOM had been modified slightly by clipping an
internal lead, which allowed it to receive a baud rate of 9600.

  The receiver was connected to an IBM PC clone that was loaded with a
frequency scanning program called Program 801. The local frequency banks
were programmed into the computer and we had a colleague watching the target's
residence.

  When the target left his residence, the watcher called us on his cellular
phone and so informed us; we began scanning.

  Within a few moments we had identified the subject by both his voice and the
subject of the conversation on a certain cell. When a handoff to another cell
occurred, the F4 key was stroked on the computer and it began to look through
the logical frequencies.

Did it work? The intercept was conducted on a weekend so, admittedly, the
traffic was light, but in every case we found the target within a few seconds.
The maximum conversation loss was, at most, 20 seconds.

  The ICOM and the elevated listening post followed the target through each
and every cell as he changed position. There was NO cell that he accessed that
we could not receive from our stationary LP.

INDIVIDUAL CELLULAR TAILING
Another system tested for this book which proved quite invigorating was to
take a Motorola bench frequency counter and equip it with a directional antenna.
This setup allowed me to follow a particular subject from a distance of 100-200
feet and simply read the operating frequency of his cellular whenever it was
put into use.

  The keys to this system are to use a 12 volt bench counter with high
sensitivity and a gain antenna. Omnidirectional cellular antennas are limited
to a 3 dB gain. Use at least a 5 dB gainer from the 800 business band, or,
better yet, a Yagi transmit/receive antenna from one of several antenna
suppliers.

  This will make it directional but will make the entire concept viable.
Remember, although the carphone only broadcasts one side of the conversation,
the cell rebroadcasts both at a frequency 45 MHz lower than the mobile channel.
When the frequency counter latches on to a frequency, a handheld scanner is
manually programmed to the correct frequency and the entire conversation is
monitored.

  When a handoff occurs the new frequency is quickly acquired in a similar
manner and the monitoring resumes with only a minor loss of conversation. It is
possible to drop back from the 200 foot limitation until a handoff occurs, at
which time the LP car must move back into position, but only long enough for
the counter to read the new frequency. And now folks, there's a brand new tool
about to come onto the market as we speak which does a much better job on
individual intercepts.

A TRICK
  Besides the previously-detailed cellular system there used to be a pattern in
use that involved 12 cells. This gave no adjacent frequencies in any
adjacent cells, but most cities have given that up and gone to the more
compact 7-cell pattern described above because it offers more frequencies in
each cell (1 of 7 instead of 1 in 12). The current system is likely to remain
around a while because it's about as far down as it can be taken without
bringing in directional antennas.

TECHNIQUES FOR INCREASING CELLULAR DENSITY
It is possible to use a 320 degree directional antenna by having a heavy
signal lobe to avoid picking up signals from the back side of that
particular antenna segment. This gives the option to reuse the frequency right
behind it fairly close in, so we get a little more density in a particular
system. Another approach to get more capacity buries some low power channels
in the middle of a particular cell which are so low in power that they don't
really get out to more than half of the radius. It is then possible to reuse
these same allocations somewhere else because they interfere less than the
channels that run full power.

PHONE NUMBERS AND ESNs
The actual phone number is stored in a programmable chip known as a NAM. In
most parts of the country this chip must be pre-programmed with an available
number on one of the local companies before the phone can be sold, or at least
before it can be put into use. The NAM is a 16 digit chip which contains the
phone number plus other info; in older-style phones they are programmed in an
EPROM. New phones have programming capability built into their handsets. The
ESN or electronic serial number (sometimes referred to as Electronic
Identification Number, EIN) is not stored in the NAM chip. At the moment
there are about 125 different phones being manufactured and they all store the
ESN in a different place in their memory in either an EPROM or a ROM. Each
company can, and does, utilize separate locations and different methods of
coding. NAMs themselves can be programmed at such mundane points of purchase
as Radio Shack stores. NAM programmers are openly available for about $1,000.
What is to stop someone from cloning a phone so their cellular will ring every
time a target's does? Or even so that when the cloned phone makes a call, the
target would be billed?

  Several things, the first being the law of the land. No clones allowed. A
larger barrier is posed by the inclusion of the (usually) nonprogrammable
electronic serial number that is often accessed with the phone number. If a
set is stolen this number is put on a computerized hot list which shows up
immediately when the unit is used. Some new switches are also rumored to be
able to tell if more than one phone with the same number is on line at any
given time by comparing the serial numbers in a real time situation.

  Does this mean no clones?

  Well, not exactly. See, early phones, before somebody in power decided the
ESNs should be a permanent part of the unit, allowed both NAM and ESN
programming. When researching this article, I was offered a series 1 or 2
Novetel mobile phone cloned to any set of numbers I required for $600.

  This is to allow busy executives the option to have an extension mobile, but
it could also be rigged to act as an unscrupulous clone, ringing and recording
every call made to the target number.

  I have also been told of black market chips that can replace the ESN chips
in modern phones. The FCC doesn't like these, the phone associations don't like
these and even, yes, the FBI doesn't like these...

Although most people don't realize it, cellulars broadcast a superaudible ID
tone along with the normal audio. The operator will not hear this because it's
filtered out, but it provides three choices for security, helping to make
certain that only one phone is on the system at any one time. The system
listens to what ID tone is offered and if it's the wrong one, it'll disconnect
the offender.

This feature is designed to protect against radio propagation faults wherein
the signal comes back to the base too strong and overpowers the desired
signal, but it is also a factor in cloning because the system will allow 5
seconds for the proper signal and then it will disconnect the "wrong" signal
automatically. Not a perfect system, but one that must be taken into account
for any cloning attempt.

In fact, there are modified cellulars on the black market that the various
government agencies like even less than they do clones. I was also offered a
modified phone that would come up with a random and different ESN and serial
number every time it was used for $2500!

  This option lets the user put the phone into the roam mode so it would
access this "traveler's" feature on every call but bill it to a different
number each time.

  At first glance this seems to be the ideal (criminal) way to beat phone
charges: since the unit will bill to a different number on every call, the
operator will not be bothered by those annoying little notices from the local
telco every month.

  But the real selling feature of this type of phone is that it cannot be
legally monitored. If a law enforcement agency gets a court order to monitor a
particular telephone (identified by the phone number) it will not be valid,
and in fact will not work if the unit in question changes its identity like
some sort of maddened electronic chameleon every time it is used...

  Bet the farm I ain't the only person who has been offered one of these
phones...

  In fact, one basic cellular flaw is considered to be the existence of fraud.
The rules of the FCC and the Canadian Department of Communication require
portable phones to have an unchangeable identification in a read-only memory in
the set. The wording says it should not be possible to modify the
identification without rendering the set inoperative. One industry study
recently reported that it was possible, with varying degrees of difficulty, to
change the identification in about 80% of the sets which are now out in the
field.

Fraud, fake, and oscillating ESN numbers are estimated to account for
somewhere between 4% of the industry's gross billing.

One of the inducements to fraud is that when a mobile identifies itself, the
local system has to decide whether it should query the mobile for the full 10
digits or only 7 of the actual phone number, and whether the ESN should be
required. Sometimes the operating company, to save on transmission time, cuts
down on the number of digits that are transferred in these operations,
especially at rush hour.

  Regardless of the saturation ad campaigns for cellular use, the systems are
filling up fast and most claim to operate at only marginally profitable
levels, yet corporations are always interested in purchasing cellular
companies. Why?

  They're buying future potential. Capacity limitation will become a thing of
the past when digital cellular comes into play (scheduled to be the norm
within five years) because digital systems can multiplex 3 or more
conversations on each channel.

  The technique has been standardized already. There is digital equipment on
the market available for use with the proper support equipment, although all
the in-place equipment will continue to be supported for several years,
probably until the end of the century; digital will gradually take over the
market as surely as color television edged out black and white.

Digital has several appetizing features for cellular users. It involves using
a digital code technique for speech to use 16,000 bytes per second per radio
channel, per conversation. This, plus 3-5 different conversations on each
channel simultaneously, will make the format secure from casual eavesdroppers.

  Without a doubt scanner adaptable modules will be marketed to decipher and
demultiplex digital cellular, but from the point of view of security, the
important thing is that when digital speech coding is present one can take
advantage of the superior techniques inherent in encrypting digital signals,
as opposed to the problems of scrambling analog dialogue. Systems are now
available (see the scrambling section) which will lock out almost everybody
but are still not considered military level secure. Digital suppliers will
probably offer an option for higher secrecy levels, since it is easier to
encrypt digital signals than it is to constructively distort voice
transmissions.

  If you need to have a sensitive conversation during a mobile situation, you
have two choices: use a digital scrambler, or stop and use a coin phone by the
side of the road.

  Remember this fact.

  At one point I took a mobile phone and made a call to a friend and for about
15 minutes, in the middle of a normal business day, drove around running a
tape asking anyone who was listening in on a scanner to give me an anonymous
phone call for a research study.

  In the city of San Francisco I got three calls from casual listeners.

  And these were just the people who bothered to call...

DATA AND FUTURE MODES
Because cellular was designed for audio and, at this writing, uses analog FM
transmission, it is difficult to transmit data over the system even though
mobile faxes and modems are available.

  Using an ordinary data modem of the type that would be utilized on a
landline telephone provides less than normal service. One problem is that as
the position changes the mobile passes through a combination of direct and
reflected radio waves which can get out of phase with each other and produce a
phenomenon called multipath, which means that the RF signal is going
constantly up and down like an elevator. The resulting conglomerate is okay
for speech but for data it's a no-no.

  In most cases the solution to this is to stop the car. Immediately the
quality will improve and reasonable results will occur AS LONG AS A LOW BAUD
RATE IS MAINTAINED. This is important in digitally-scrambled transmissions, as
well as in data swapping, as well as with mobile FAX transmissions.

  Any rate over 2400 is likely to cause some problems.

  A new possibility for increasing the availability of cellular channels has
already been brought before the FCC. This new system is microcellular in
design and uses spread spectrum technology.

  The company that requested a license for this technology (Millicom) has
requested a frequency band in the 1710-2290 MHz region.

  Great Britain is testing out a very short range RF-based system known as
Telepoint. This concept gives the user a small, portable unit for a base fee
of $12-$15 per month that can be used as a wireless/cellular phone only when
the operator is within 300 feet of a clearly marked base station.

  Many base stations can be located in any given area because they cost only a
fraction of a cellular site and they are extremely low in power.

TAPPING CELLULARS
At first glance it seems to be an oxymoron: why tap a cellular? I mean the
damn things broadcast over the public air waves with 600 beautiful milliwatts
of power. Who needs to tap?

  Some people, that's who. Someone out there needs to tap anything and right
at this moment there are about 32 readers wondering how to tap a cellular.

  The quickest method to hear at least one side of any conversation is simply
to secrete a VOX-activated tape recorder in the car. And hope the driver
doesn't play the stereo too loudly...

  Saul Mineroff offers a car caddy, you know, one of those things that holds a
Big Mac and a drink and slips over the transmission console, with a great
little stereo recorder built right into the unit.

  It would make a nice gift for, say your wife...

  Olympus Corporation markets (available from C.I.A., the company, not the
company) a series of drop out recorders for cellular phones. These little
boxes connect between the handset and the phone and operate just like a
regular telephone recorder, recording both sides of the conversation when the
phone is taken off hook.

  These units, called Woodbury Interfaces, are not designed to be hidden but
are supposed to be used to record one's own conversations (legal in one-party
states) for later study.

  They can be used somewhat surreptitiously by stashing them, along with a
mini recorder, in some sort of camouflaged unit like the Mineroff car caddy,
or even installed under the phone itself or under the upholstery.

Two elements necessary for success here are access to the target vehicle and a
not overly observant driver.

  AID makes a bug that is concealed in a rechargeable Motorola-type battery
for portable phones. This unit works off the battery, which still operates the
phone, and picks up and transmits local conversation.

  It would be possible to design some sort of infinity transmitter for a
cellular, although each make of phone is different enough to require some
uptown design work and when the transmitter was in operation, all the air time
would be billed to the target, allowing him a nice printout of the connection.

  A wiser move would be to employ some sort of hookswitch bypass so the phone
would be hot on hook and broadcast the local audio. However, even this
technique has problems because it could easily cause interference problems
with other phones and might alarm the switch because more than one phone would
be on a single channel.

  A quick thought: You want to record a cellular conversation that you are
part of without alerting anyone else in the car? Think ear mics (devices that
receive and transmit inside the user's ear and look like a miniature
earphone): put one in your ear and have a conversation.

  The DEA recently bought 1,000 of these from, well, from an unnamed New York
supplier.

  A cellular phone can also be "accidentally" left operating after a call is
made to a recording phone. If left behind in a business conference, it will
work as a long distance bug. Some portable cellulars are now made with a hot
switch so they will broadcast to a nearby receiver for the same sort of
"forgetful" bugging.


                 "CELLULAR PHONES ARE IMPOSSIBLE TO MONITOR"



                                    RIGHT