National Cyber Warfare Foundation (NCWF)

Cell Phone Privacy: How Law Enforcement and Hackers Use Your Cell Phone to Invade Your Privacy


2026-05-11 15:39:44
milo
Red Team (CNA)
Through Call Detail Records (CDR), mobile carriers can provide investigators with device movements, call history, tower registrations and internet metadata that reveal far more than most people realize.

Hello, aspiring cyberwarriors!





Imagine this situation: an unknown person calls from a burner phone and demands ransom for a victim. The next day, the criminal calls again, and within half an hour investigators know not only the caller’s real phone number, but also the entire history of his movements and calls. And all of this without sophisticated equipment, fake cell towers, or signal interception.





We regularly write about vulnerabilities, networks and security. People have become so used to “thinking complicated” that they often forget about much simpler and more effective methods available to law enforcement agencies around the world. In many cases, the police will not even attempt to hack or intercept anything. They simply send a request to the mobile carrier, and the carrier provides not only call records, but also a huge amount of additional information. For example, under Australian law, mobile carriers are required to retain certain data about network users. This includes information about the device’s location at any given moment, call logs including information about the other subscriber, and records of internet sessions. As for SMS messages, Australian privacy law allows carriers, without a wiretap warrant, to retain only metadata: the time the message was sent, its size, and the recipient. The contents of the messages themselves, and certainly voice calls, are not stored.





This is what the information collected by a carrier about a subscriber looks like.





[Image: Will's top contacts]








Places visited by a journalist.





[Image: Will's top locations]








Places he visited most frequently during a selected time period.





[Image: Heatmap of estimated locations]








Metadata includes information about who the user called and texted, the duration of calls, and which cell towers the phone connected to at specific times. This information allows investigators to determine the device’s location with fairly high accuracy. In some countries, carriers not only provide this information to law enforcement, but also openly sell it. Most interesting of all, mobile carriers also have access to details about internet usage, including website addresses and the amount of transmitted data; they provide these to police and sometimes sell them to anyone willing to pay. This is a separate topic entirely, but in short, the data is collected by monitoring requests to the provider’s DNS servers. Carriers are so eager to profit from this market that some have even attempted to block customers from using third party DNS servers. Incidentally, the devices supplied by fixed line internet providers, usually combined cable or ADSL modem/router units, often do not allow users to change the DNS server settings on the router itself. If you want to use a different DNS server, you have to change it separately on every computer, phone, smart TV, and smart speaker. Simply changing the router settings is often not enough to fully protect your privacy.





Mobile carriers in the United States are also required to store CDR records. In addition, U.S. intelligence agencies maintain a centralized database known as MAINWAY, where records may be stored far longer than carriers themselves are legally allowed to retain them.





Not Only CDR





In the study mentioned above, journalist Will Ockenden used an iPhone. A properly formatted request to Apple can allow law enforcement to obtain much of the data Apple itself collects about the user, which includes almost everything with a few exceptions. This applies even to what the company calls a Device Request, where the police have nothing except the device’s hardware identifier, such as the IMEI.





[Image: Apple government request]








For example, this is what Apple’s statistics on law enforcement requests in the United States looked like for January-June 2025, the latest published report at the time of writing.





[Image: Requests for customer data]








Google, meanwhile, offers an interactive transparency report available through its website.





[Image: Google transparency reports]








Apple will not provide law enforcement with certain data, such as user passwords, device usage statistics, SMS/iMessage contents, or Health data (physical activity history, step counts, and heart rate records over a given period), which can be incredibly useful both for catching criminals and exposing cheating spouses. Google, by contrast, will provide virtually everything, including passwords. To be technically precise, Android 9 introduced encrypted backups, meaning law enforcement can no longer access the backups themselves or the SMS messages and call logs stored within them.





Burner Phones





Criminals who use their personal phones for threats, extortion, or other crimes are now extremely rare, and by now it should be obvious why. So what options remain? Burner SIM cards and disposable phones, usually cheap feature phones, preferably without internet access. For police to obtain any useful information about a suspect, they need at least one lead, and an IMEI is often enough. But what can investigators determine from a device that was turned on for only a few minutes? Amateur criminals who spend too much time reading conspiracy theories remove the battery from the phone, powering it on only long enough to make a call. What they rarely think about is what happens when the device powers on or off, whether normally or by removing the battery. Even fewer consider whether law enforcement officers are already familiar with this exact behavior pattern.





Confident in his “security,” the criminal leaves home. If he does not, investigators will likely identify his location either immediately or afterward through log analysis. 





But where is his personal phone during all this? Let’s look at several scenarios.





Case 1





This is the most common situation: the “suspicious” call is made from a burner phone while the criminal carries his real phone with him. It sounds careless, but police reports show this happens constantly. Police request CDR records from the carrier for the relevant time period. Depending on the country and its laws, the carrier either returns raw data or anonymized device lists, where each hardware identifier is replaced with a hash. In practice, investigators receive a list of all devices connected to the same cell tower used during the call. Among those devices is very likely the criminal’s personal phone.





A single cell tower may serve thousands of devices simultaneously, so one request alone is not very useful. But if the criminal calls again, whether from the same tower or a different one, investigators receive additional datasets. They then compare the lists of devices connected to the relevant towers at the exact times the calls occurred. By the second or third comparison, the list often shrinks to only a few dozen or even a handful of devices. Investigators analyze not only the tower used for the call, but also neighboring towers. Using this data, triangulation can determine a device’s location within anywhere from a few dozen to a few hundred meters. This technique existed even fifteen years ago. In large cities with dense populations, the suspect pool may still remain too broad after several comparisons. In especially important cases, big data analysis enters the picture. Analysts study behavior patterns associated with anonymized device identifiers. Phone calls, internet activity, movement patterns, registration times on towers, and many other factors allow them to eliminate huge numbers of irrelevant devices and significantly narrow the suspect list.





The easiest criminals to track are those carrying personal devices while moving around. One anonymous call from one cell tower creates a set of possible devices. A second call from another location drastically reduces the number of devices following the same route. This also destroys a popular movie myth. The amount of time a phone remains connected to the network is irrelevant for determining its location. The phone’s location is recorded instantly when it registers on the network and stored in logs. If the device is moving, its position can often be determined even more accurately. And to address another conspiracy theory, a powered off phone does not report its location, even if the battery remains inside.





To summarize, the criminal powers on the burner phone, makes an anonymous call or sends an SMS, then powers it off or removes the battery. The next day, he powers it on again in another part of the city, makes another call, and powers it off again. The list of potential suspects shrinks to only a few devices. By the third call, investigators can often identify the criminal completely. No advanced surveillance equipment is required, just log analysis across three device activations.





Case 2





“But who would carry their personal phone while committing a crime?” you might ask. A more careful criminal may switch off their real phone before making the anonymous call. Great. Now police only need to look at the list of devices that disconnected at the exact moment the anonymous call was made. In many cases, one iteration is enough. If the suspect then turns the phone back on after the anonymous call, investigators can confidently move in.





Why? Because when a phone powers down, it sends a signal to the network, allowing carriers to distinguish between a device that was intentionally switched off and one that simply left the coverage area. Powering it back on creates another network event. Tracking these actions takes only a few clicks.
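The narrowing described in Case 1 and the power-off check from Case 2, as an added example that is not part of the original article: it intersects the device lists around each burner call and flags devices that sent a power-off signal just before a call. All records, device IDs, tower names and time windows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records: (pseudonymised device id, tower, event, time).
# "seen" = registration/activity on a tower, "detach" = power-off signal.
RAW = [
    ("dev-p1", "T1", "seen",   "2026-01-10 13:50"),
    ("dev-n1", "T1", "seen",   "2026-01-10 13:55"),
    ("dev-n2", "T1", "seen",   "2026-01-10 14:05"),
    ("dev-q",  "T1", "detach", "2026-01-10 13:58"),
    ("dev-q",  "T1", "seen",   "2026-01-10 14:10"),
    ("dev-p1", "T7", "seen",   "2026-01-11 16:20"),
    ("dev-n1", "T7", "seen",   "2026-01-11 16:25"),
    ("dev-n3", "T7", "seen",   "2026-01-11 16:35"),
    ("dev-p1", "T4", "seen",   "2026-01-12 11:10"),
    ("dev-n3", "T4", "seen",   "2026-01-12 11:20"),
    ("dev-n2", "T4", "detach", "2026-01-12 09:00"),
]
# Constructed burner activations under investigation: (tower, time of call).
CALLS = [("T1", "2026-01-10 14:00"), ("T7", "2026-01-11 16:30"),
         ("T4", "2026-01-12 11:15")]

FMT = "%Y-%m-%d %H:%M"

def _ts(text):
    return datetime.strptime(text, FMT)

def devices_near(raw, tower, when, window_min=15):
    """Devices with any record on `tower` within +/- window of the call."""
    t, w = _ts(when), timedelta(minutes=window_min)
    return {d for d, tw, _, ts in raw if tw == tower and abs(_ts(ts) - t) <= w}

def narrow_by_copresence(raw, calls, window_min=15):
    """Case 1: intersect per-call device lists; return the set after each call."""
    steps, candidates = [], None
    for tower, when in calls:
        near = devices_near(raw, tower, when, window_min)
        candidates = near if candidates is None else candidates & near
        steps.append(set(candidates))
    return steps

def detached_before(raw, tower, when, lead_min=5):
    """Case 2: devices that sent a power-off signal shortly before the call."""
    t, lead = _ts(when), timedelta(minutes=lead_min)
    return {d for d, tw, ev, ts in raw
            if tw == tower and ev == "detach"
            and timedelta(0) <= t - _ts(ts) <= lead}

if __name__ == "__main__":
    for (tower, when), left in zip(CALLS, narrow_by_copresence(RAW, CALLS)):
        print(when, tower, "candidates:", sorted(left))
    print("powered off before call 1:", sorted(detached_before(RAW, *CALLS[0])))
```

On this sample the candidate set goes from four devices to two to one across the three calls, while the power-off check singles out a different device from the first call alone.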





Case 3





“Who even takes their own phone to commit a crime?” Surprisingly, many do. Others leave the phone at home but wear a smartwatch, which has also helped police solve countless cases. Most “phone criminals” are not professionals. Their understanding of how cellular networks operate, what data is collected, and how it is analyzed is extremely limited. Human error allows police to solve many crimes simply by correlating facts. If the criminal truly never carries a personal device, big data analysis may still expose him. Much depends on how much time and effort the person is willing to invest in remaining anonymous and how many anonymous calls are made.





What If Multiple Burner Phones Are Used?





What if the criminal uses several disposable phones and destroys each one after a call, like in the movies? You have probably already realized that the only thing gained by using multiple devices is a few extra seconds of anonymity before each call. Since all of the calls become part of the investigation, police gain additional leads: the source of the anonymous SIM cards and possibly the purchase location of the burner phones. Whether the calls came from one device or several makes little difference to the investigation.





What If There Was Only One Call?





A person reporting a bomb threat to a school or airport only needs a single call before destroying the device and SIM card. Surprisingly, such criminals are often caught using investigative methods developed decades ago during the era of public payphones. If the suspect owns a regular smartphone, investigators can drastically narrow the suspect pool using the methods already described. Even in a city of millions, the suspect list may shrink to a few hundred or a few thousand people. If the threat targeted a school, investigators cross reference the list with the school’s students. After that, a detective often only needs to conduct a few interviews. Phone terrorists are also frequently caught because they misunderstand how police investigations actually work. They focus on imaginary threats.





What About VoIP Calls Through a VPN?





Criminals think that a truly anonymous call could be made through a VoIP service, preferably a free one to avoid exposing payment information, combined with a VPN provider that keeps no logs. Of course, there is always a risk of making mistakes: failing to verify the VPN connection, accidentally logging in with personal credentials, and so on. To reduce these risks, organized criminal groups spend significant money commissioning modified phones with heavily altered software.





“Criminals will inevitably migrate to other services, and we already have a good idea which ones. I won’t point fingers, but sooner or later we will get to them too,” said AFP Assistant Commissioner Gaughan.





How the Analysis Works





A report published by the ITU in the Republic of Guinea describes in detail both the methods and tools used by analysts.





In simplified form, the process looks like this.





[Image: CDR data analysis]








And in greater detail.





[Image: CDR data analysis]








All investigators need are the raw CDR logs and software capable of loading and analyzing them. Raw data is difficult to process manually, but once filtered it can easily be displayed, searched, or printed. The popularity of this investigative method is reflected in the fact that nearly every major digital forensics platform supports CDR analysis. Examples include Penlink, HAWK Analytics, GEOtime, CSAS, and many others. That said, we have also spoken with police officers who successfully use nothing more than Google Maps and Microsoft Excel. Without question, intelligence agencies possess advanced equipment capable of jamming cellular communications, spoofing cell towers, or falsifying GPS coordinates. However, ordinary police rarely use most of this equipment, at least not in routine investigations involving extortionists or phone terrorists. It is expensive, time consuming, and often unnecessary. CDR analysis is usually far more efficient.





One revealing case occurred several years ago in the United Kingdom. Police were surveilling a cartel boss. Arresting him was easy, but they lacked evidence that would hold up in court. Investigators believed crucial evidence was stored on the suspect’s iPhone, but at the time they could not bypass the lock screen on that relatively new model. As a result, police launched an operation. Officers watched the suspect until he unlocked the phone and started typing. They immediately arrested him and literally pulled the phone from his hands. The interesting detail is not the arrest itself, but what happened afterward. To keep the iPhone unlocked during transport to the forensic lab, police assigned a dedicated officer whose only job was to periodically swipe the screen so the device would not go to sleep. Investigators already knew about settings controlling automatic screen lock timers. What many people do not realize, however, is that a configuration profile can be installed in seconds to disable auto lock entirely. The phone successfully arrived at the lab unlocked, the data was extracted, and investigators obtained the evidence they needed.





This Seems Unreliable





If reading this article left you feeling that basing criminal convictions on mobile carrier data seems questionable, we agree completely. The Danish Supreme Court agrees as well and has limited the use of CDR evidence by prosecutors. This restriction did not appear out of nowhere. Out of 10,700 convictions based on such data, a significant number for a small, relatively peaceful country, 32 people have already been declared innocent after further review. According to the director of the Telecommunications Industry Association, “This infrastructure was built to provide communications services, not to monitor citizens.” Attempts to interpret this data can easily lead to mistakes, and evidence that appears to be based on precise technical measurements does not necessarily hold strong value in court.





Most advanced training courses for law enforcement officers emphasize that digital evidence should never be trusted blindly, regardless of how it was obtained. Investigators are taught about cases where a suspect’s location was determined using metadata from photos synchronized through cloud services rather than actually taken on the device itself. One illustrative case involved an incoming phone call interpreted as distracted driving that supposedly caused a traffic incident. In reality, the driver’s old feature phone was sitting in his pocket, but a button was accidentally pressed, causing the phone to “answer” the call. The carrier recorded the connection event. The defense successfully cleared the driver after questioning the other party, who confirmed that no conversation actually took place. What truly happened remains unknown, but the court sided with the defendant.





Cases like this are almost certainly not unique. CDR data is an excellent investigative tool, but a weak foundation for evidence in court.





Summary





Today, nearly everyone carries either a smartphone or at least a simple mobile phone, and every one of those devices leaves a digital trail. That trail contains far more information than most people realize, and it is much easier to access than many assume. To obtain a complete picture, investigators often need only a single lead, something as simple as the hardware identifier of a suspect’s personal smartphone, even if that phone was never directly used in the crime itself. Obtaining that lead is often the result of routine analysis of mobile carrier logs.





To improve privacy at the cellular level, we are offering training on how to build your own private cellular network, a legal approach that can help reduce exposure to mass surveillance. Because it is not a public carrier, it is less exposed to MAINWAY-style bulk collection, is not subject to the same CALEA obligations as public telecom networks, and keeps traffic and metadata off public backbones, which limits the collection points that large monitoring systems typically rely on.





The training will be available exclusively for Subscriber Pro students and will take place June 9-11 at 3 PM UTC.



Source: HackersArise
Source Link: https://hackers-arise.com/cell-phone-privacy-how-law-enforcement-uses-your-cell-phone-to-invade-your-privacy/





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.