September 15, 1992

CELLULAR TELEPHONE OPERATIONS AND INTERCEPTIONS

FIRST OF ALL

In a recent best seller (Clear and Present Danger), Tom Clancy, one hell of a fine wordsmith, based much of the tension in the plot on the fact that the good guys (government agents in this case) could not follow the bad guys, even on their cellular telephones, because cellular phones are "impossible to monitor." Tom, Tom, lack of research, or just trying to be nice to those agents who helped you out on the book? Let's face facts, it ain't exactly impossible to eavesdrop on cellular phones. In fact, cellular phones are just about the easiest type of communication to monitor without major equipment expenditures or committing grievous felonies.

Ah, let me qualify that last one just a bit: it is against the law to monitor cellular conversations because they, unlike cordless phones (which also transmit over the radio), carry an "expectation of privacy." Or it is against the law until some good ACLU-type lawyer takes the first case to court, but that is neither here nor there. It is against the law to monitor these conversations without the correct legal documents, and I am writing this section secure in the knowledge that none of you would break this law, and that anyone who uses these techniques has a legal right to do so. Right?

So please ignore the fact that anyone with a halfway decent scanner (and they don't make many without cellular coverage anymore) can just turn on, tune in and drop, ah, in. Some scanners won't allow this illegal listening. For instance, Radio Shack, that paragon of poor man's eavesdropping equipment, although they designed their scanners to receive these calls, made it impossible to do so after the laws were changed. Unless you take a pair of scissors and clip one little wire... But it's the intent of the law that is at stake here; suppose you don't have a scanner?
God forbid you should look at the frequency chart and realize that some cellular channels can be received on an unmodified UHF television set. Don't touch that dial!

A TRICK

The two problems with either of these drop-in monitoring methods are that (A) one doesn't know who one is listening to, and (B) as the target moves about in any area covered by cellular service, his signal will be automatically "handed off" to new cells as the signal strength of his transmission falls off. From the listener's point of view the new frequency is unpredictable: it is simply one the system has available in the new cell, not in use, and not interfering with other conversations already in progress. Pandora's box? Hardly. Here is how cellular telephones work and how everybody who has any desire to tune in on the world's greatest party line can do so with a minimum of effort, from those with $40,000 budgets to those equipped only with a scanner and a sense of adventure...

OPERATING SYSTEMS & TRAINS THAT FLY

Cellular systems consist of a number of individual "cells," each containing a number of individual frequencies for the transmission of audio. A certain number of other frequencies within the cell are allotted to channels that carry the data necessary to set up and maintain the call. Every area covered in the U.S. has at least two cellular phone companies in operation: one is a wireline company, meaning it is, or was, depending on whose lawyers one believes, owned by Bell. The other operator is a non-wireline, an independent. Both adhere to the same operating standards. When a particular phone reaches the outer limit of a particular cell's coverage, the equipment automatically senses this and "hands off" the call to an adjacent cell to continue the conversation with no noticeable loss in signal. The hexagons usually used to illustrate cells are really only symbolic.
Graphic artists and other PR types use these shapes to describe the system, but the real boundary of a cell is a jagged line marking the point where the power level at the receive antenna falls off to about -100 dBm (decibels relative to a milliwatt). At that point the system doesn't work very well, because the signal is about equal to the normal noise input of the receiver and it becomes very difficult to get a usable signal in there. So somewhere in the range of -85 to -100 dBm is the point where one would no longer use the radio in that cell and the call is handed off to another cell. The decision of where and when to hand off is also influenced by other factors; for instance, does the preferred handoff target have any voice channels available? If so, the decision is simply to take a free frequency in that cell and command the mobile to change to that particular frequency in order to carry out the handoff.

In real life, cells do not come out as perfectly drawn symbols but rather as jagged areas of signal shaped by hills, buildings, and other natural factors beyond the control of the cellular company. There are hills in every city, and every hill creates a signal shadow in the area behind it. Tall buildings create the same effect. If the cell includes streets lined with buildings that have highly reflective windows, like silver glass or enameled coating, the street tends to form a wave guide, and if it lies in line with an antenna this will cut the power down a long way along that street. The waves begin bouncing back and forth and side to side, reflecting energy like two parallel mirrors on opposite walls, so suddenly there are a lot of strange things that weren't included in the original symmetrically shaped pattern. But that's life in the big city. Literally. The combination of particular antenna placements plus buildings and shadowing in the service city creates areas which need to be overlapped.
Phone companies want some overlap at the boundaries, which requires a little leeway about where handoffs occur. They have to cover the whole city to give good service; no area can be excluded. Some operators employ an engineer on a full-time basis to go out and make constant measurements. Others will bring in a consultant and have them make measurements locally every month or two, depending on the rate of growth. If a tall building goes up right next to an existing antenna, they may go out and survey it while it's still under construction in order to do some modeling and field prediction and correct the problem before it happens. This means cell site boundaries and handoff points are in a state of flux.

The mobile phone transmits its side of the call on one frequency, and the cell transmits on another frequency 45 MHz higher than the mobile's (compare the mobile and cell-site ranges in Table 3-1 below). The cell itself broadcasts both sides of the call. In the cells themselves there are basically two sets of channels. The original channels were the ones allocated to the two competing carriers in each U.S. metro area, 333 channels for each. Of these, 21 channels on one side of the boundary between the two allocations and 21 on the other side of the boundary are used as the so-called setup channels. All the other channels are available for voice. Recently the FCC allocated an additional 83 channels to each of the two carriers. The wireline (B) carrier, which is a former Bell operating company, got it in one nice big chunk of 83 channels in every area. The A carrier, the non-wireline carrier in each district (Cellular One, for example), got the new allocation in two chunks that were split apart, 33 in one place and 50 in the other. This is important because the FCC has said they are not going to give out any more channel allocations until the end of the century.
HOW CALLS ARE PLACED

The overhead train, a continuous stream of data on a control channel that is constantly sending out information about who is where and with what, will occasionally be interrupted by a specific message called a page. This message carries the telephone number of the mobile being called, indicating that there's a call for the mobile. At this point the system doesn't know where the mobile is in the city, so this page is sent out in every cell in the whole city. The mobile, if it's there, will respond in one of the cells, as it has been watching one particular frequency among the setup channels. If that one fades out, it will scan and find another, so it is always watching one particular frequency and responding on the same frequency. If located, the mobile will be rung; otherwise a pre-recorded message will be issued saying that it is busy or off the hook. The caller will then be disconnected whether he wants to stay on or not. He can dial again immediately but will get the same result, because the carriers are trying to limit the amount of air time consumed without producing any revenue when the subscriber is out of town or has his mobile turned off.

What happens when a user goes to make a call? The setup channel in every cell transmits a block of system data in a certain frame of the overhead train, which includes things like the identifying number of the system involved. Every system in North America has a 3-digit system number, sent along with other data which tells mobiles from outside the local system whether they should identify themselves or not. If a phone is visiting the city, should it identify itself, or should it wait until the switch has a call for it? When a mobile starts up cold, it begins scanning the supervisory (setup) channels. It only has 21 to look at, so it scans all of them until it finds the strongest one, locks onto it and looks for the overhead train.
As soon as the overhead train is grabbed, the mobile waits and watches. If the train fades away, the mobile will go back and start scanning all over again.

If a mobile operator wants to originate a call, the operator enters all the dialed digits into a display register on the mobile and hits a key labeled "send." This causes the mobile to transmit a call setup message on the reverse (mobile-to-cell) half of the supervisory or setup channel, in which it identifies itself and gives the telephone number to be dialed, and then it listens to see if the train wants any more information. The telco may only request 7 of the 10 digits of the mobile number, or it may demand everything including the electronic serial number (ESN), but all the systems are capable of asking for everything, and the only reason some companies reduce the amount of information is to save transaction time when they're very busy. The response contains all the same information.

Each cell site has to have three types of radios:

Voice channel transceivers, for actually talking in duplex, covering about 45 usable channels per cell, or up to 56 channels per cell where the expanded spectrum has been put into use.

At least one control or setup channel transceiver. Most companies will install a spare for this in case of failure, because its role is a crucial one: if it's dead, everything's dead, and calls can't be set up in either direction.

At least one locating receiver, to measure received signal strength, because when a handoff is coming up there's always a question. If the signal from this mobile is getting weak, where is it? Is he driving north, east, west or south, and which cell is he getting closest to? The system, prior to the handoff, has to request all the locating receivers in the nearby cells to tune to the frequency of that mobile in order to measure the signal strength and report the strongest one.
The actual switches are called either an MTX or an MTSO, depending on the manufacturer. MTX means Mobile Telephone Exchange and MTSO means Mobile Telephone Switching Office. The central switch is pretty much a standard telephone switch. Almost all the modern ones are digital in nature, with some type of switching network which connects calls from one port to another. There is also some kind of control complex in the central processor, similar to a computer. There is a digital trunk controller and some sort of interface which is used to connect to other telephone central offices in other parts of the city.

When the call gets into that switch, the signal is handled like a regular telephone call. All the same techniques of pen registering, intercepting, tracking and taping the conversation can be, and are, applied by the carrier at this point without special equipment. In addition, all the records produced by automatic number identification and billing, and all the call records, can be subpoenaed, so everything applies pretty much the same as it does in the regular telephone system.

There's also some type of control connection from the central processor, usually run through a voice frequency channel, to a controller at the cell site. This is another microprocessor system, connected to the radios to tell them to go on and off, and to the locating receiver in order to request measurements and change frequencies. This is the layout of one cell site. A city may have as many cell sites as necessary. U.S. systems range from a minimum of one cell site to as many as about 70 or 80.
Los Angeles has about 80; New York runs a close second.

ROAMING AND ROVING

All North American cellular operators have uniform technical standards, and in theory, if there's no business reason not to, a set can roam anywhere on the continent where there's radio coverage. The operator can at least originate calls, even though he may or may not be able to receive them, depending on whether interconnections exist for data transfer between the various cellular systems; technically there's no reason why one can't originate a call.

Any mobile set has several options. If it can't find any supervisory channel at all, say it's suddenly situated out in the country where there's no cellular service, the mobile will scan and scan and eventually, after a few tries, give up and indicate that the caller is SOL. If the set scans all the channels but the system number showing in the overhead train doesn't match the one in the memory of the telephone set, the mobile will keep watching it in roam mode, understanding it's outside of its home system. In most sets one can also switch to the other carrier in the area.

The business arrangement is that most U.S. wirelines have some kind of cross-billing contracts. All of the former Bell operating company subsidiaries have almost uniform cross-billing contracts, and many, but not all, of the non-wireline people have cross-billing contracts, plus there are many cross-billing contracts between wireline and non-wireline because there is a lot of cross ownership. So almost every place the phone goes there is about a 95% chance of placing a call which will later appear on the operator's phone bill. General Telephone operates a clearinghouse that automatically bills the correct party no matter where he happens to be at the time of the call. If the city the call is originated in overlaps coverage with a neighbor, the handoff can occur between cities. In a few years the entire U.S.
is expected to be included in a system of mass coverage.

This knowledge can be, and is, used to protect oneself from law enforcement intercept orders as follows (borrowed from the, ah, well, a group of Italian businessmen). If someone wants to protect his location and his number from intercept, he registers on a non-wireline system and then "roams" in whatever city he's located in. In order for his customers to reach him, they have to dial the local roamer number, then punch in the area code and phone number to connect. The transmitter could be 10 feet from the receiver; it makes no difference. This technique protects the caller's location, and it protects the location of the "customer" because he can't be isolated from the roamer trunk, making it effectively impossible to place intercept equipment to track and record the unit's conversations. The roam feature knocks the caller out of the regional system that normally covers north, south, east or west in any area. Of course, the user is paying the price of a toll call, and roaming calls are always more expensive than non-roamers. But still... By choosing the other (wireline or non-wireline) system, the phone will automatically operate in the roaming mode. Something to remember, just in case that, well, that your uncle from New Jersey drops in for an unexpected visit...

CELL CONSTRUCTION AND INTERCEPTION TECHNIQUES

Law enforcement types can purchase sets to monitor, track and record cellular phone calls. These sets are damn expensive, from suppliers like HDS, and are usually just test sets designed to monitor cellular operations for a carrier. They're still damn expensive. If someone intercepts a call with a test set, the results will be printed out (including new handoff frequencies), and the set can be switched manually to the new channel almost as fast as the mobile does. That's because a certain signal is transmitted in the voice channel just before the handoff containing the mobile's new frequency.
This means, among other relevant tidbits, that a person, hopefully a person in law enforcement, who has a monitor that will read the overhead train (usually a modified IFR service monitor, $25-$35K) can actually tell if a subject is in a certain city and follow him from cell to cell even if he doesn't make a single phone call, as long as his phone is turned on... in some systems. These sets are out of the reach of most police departments at this time, but many big cities are purchasing some sort of auto-record equipment, and trust me, the Feds do have them, my friend.

Test sets such as those produced by IFR will reveal everything going on. It's their job, after all. A good test set will not only listen to the audio, it will display all the monitor data in the proper form and anything else asked of it. The test set, whether sold to telco suppliers or, with a value added (say $10,000), sold to law enforcement as an intercept station, can mimic a base station or it can metamorphose itself into a mobile unit. It can follow every handoff via the ESN or phone number automatically. Test sets are programmed to become a certain mobile at any given notice and record what calls it receives, when it changes to a different frequency and so on. Although originally designed for sorting through a system, they are ideal for interception within any metropolitan area.

Some cellular operators now maintain a certain portion of their switch physically in the open so law enforcement folks (armed with a warrant) can hook up their recorders right at the switch without disturbing the phone company's personnel or equipment. The telephone companies have only a certain number of spare ports to hook on to. A few government agencies, like the Bureau, had a habit of grabbing them up, making it difficult for other agencies to get them. For quite a while the telephone companies were lying, saying they didn't have the ports available, forcing them to use a service monitor.
However, so many cellular intercepts came through that telephone companies are now required by law to give the minimal cooperation necessary. In the State of New Jersey, for instance, there is a new phone building in North Jersey that has a separate room to house the intercept equipment, with space for any law enforcement goodies (slaves, etc.) to live and work. New cellular switching stations are putting in an appearance outside, with empty TSO's, so the cops don't bother them all the time. The routine is: show me some paper, go hook up. It does happen.

By understanding the concept of cellular placement and frequency allotment it is very possible to monitor cellular phone calls. Author Bill Cheek, in his fine book "Scanner Modification Handbook," published by CRB Research Books Inc., describes cellular layout and how it can be tracked with a scanner. This system is absolutely right-on and we are reprinting it (with permission from Mr. Cheek and Tom Kneitel of CRB Research) here in full as our first find 'em technique.

Table 3-1  CELLULAR BAND FREQUENCY ALLOCATIONS

  Wireline (telephone company) cell sites (bases):      880.020 - 889.980 MHz
  Wireline (telephone company) mobiles (car phones):    835.020 - 844.980 MHz
  Non-wireline company cell sites (bases):              870.030 - 879.990 MHz
  Non-wireline company mobiles (car phones):            825.030 - 834.990 MHz

Since cellular systems are computer controlled and operated, the digital data channels are always going full blast with an annoying buzzsaw sound. These control frequencies are shown in Table 3-2.
Table 3-2  CELLULAR MOBILE TELEPHONE COMPUTER CONTROL FREQUENCIES

  Wireline (telephone company) cell sites (bases):      880.020 - 880.620 MHz
  Wireline (telephone company) mobiles (car phones):    835.020 - 835.620 MHz
  Non-wireline company cell sites (bases):              879.390 - 879.990 MHz
  Non-wireline company mobiles (car phones):            834.390 - 834.990 MHz

With 30 kHz channel spacing, in a typical 870 to 880 MHz or 880 to 890 MHz system, there are twenty-one computer control channels and 312 channels for voice, for a total of 333 channels for each service provider. This, then, breaks down into what might be considered several voice bands for cell sites and mobiles:

  Band #1  870.030 to 879.360 MHz  (Non-wireline cell sites)
  Band #2  880.650 to 889.980 MHz  (Wireline cell sites)
  Band #3  835.650 to 844.980 MHz  (Non-wireline mobiles)
  Band #4  825.030 to 834.360 MHz  (Wireline mobiles)

The bases (cell sites) use more power than the mobile units, and have antenna systems that are higher and more formidable than the mobile units. As a result, the cell sites present strong signals. Moreover, in almost all instances, the cell sites transmit both sides of all conversations, inasmuch as they repeat the received signals from the mobile phones with which they are in communication.

You might wish to refer to Tables 3-3 and 3-4, which depict the unique frequency layout for up to seven cells. This is a complete cellular system frequency layout plan for wireline and non-wireline systems. Visualize a system this way: in order to avoid adjacent (side-by-side) cells having the same frequencies and interfering with one another, seven cells are required; one at the center and six more surrounding the center cell. There is no particular pattern as to how Cells "A" through "G" have to be laid out. That is, Cell "D" can just as readily be a center cell with the others circling it, as could any other combination.
In a metro system consisting of many cells, there isn't any such thing as a "center" cell, because every cell is, in effect, a "center cell" with respect to six others which surround it. Generally speaking, two cells can (and do) operate on the same frequencies when they are separated by at least one different cell. Actually, the seven-cell system unit as depicted in Figure 3-1 is used over and over. Two or even more adjacent cells on different frequencies are located between any two cells on the same frequencies. The cellular concept thus takes advantage of low-powered, short-range 800 MHz propagation to reuse the same frequencies at several different cell sites in a large metro region. If this weren't possible, then only 312 simultaneous conversations could take place at any one time; as it is, thousands of simultaneous conversations can be accommodated within a large cellular system, thanks to frequency reuse.

Another factor here is the unique side effect of Frequency Modulation (FM), where an FM receiver exclusively "hears" the stronger of two signals presented to it on the same frequency. So when cells on the same frequency are separated by one or more cells, even though a mobile might be positioned to detect signals from either, it actually will accept only the strongest one. The odds are very slim of the mobile being located precisely where the two signals are exactly equal. But even in that case, the odds against interference are improved even more, because chances are virtually certain that the mobile would be under the control of a stronger third cell site signal on a different frequency.

Not only do no two adjacent cells use the same frequencies, but no two cells use adjacent frequencies. For example, a given cell (Cell "D") that transmits on 880.950 MHz will not transmit on 880.980 MHz nor on 880.920 MHz. Likewise, mobiles within any given cell will not transmit on adjacent frequencies.
This arrangement prevents adjacent channel interference in receivers located at cell sites and mobile units. FM receivers are not very selective to begin with, and the use of adjacent channels would cause interference within a cell. The scheme depicted in Tables 3-3 and 3-4 was created to minimize the chances of adjacent channel interference throughout the entire cellular system. Note that each cell is allocated 47 or 48 frequencies, with a spacing of 210 kHz (seven channels) between each assigned frequency. In that manner, adjacent frequencies are not used in the same or adjacent cell sites.

DISCUSSION OF FIGURE 3-1

Figure 3-1 illustrates the concept of a very large cellular mobile telephone system. Cities and metro complexes are rarely symmetrical, due to geographical and other considerations, so Figure 3-1 is elongated to simulate the configuration of a realistic cellular network. Cities tend to grow along railroads, rivers, and major highways, so the cellular system here is designed accordingly. Most are not this large, with the typical system consisting of three to seven cells. Small communities might even be served with a single cell, while metro areas like Los Angeles and New York City might consist of a number of interconnected systems fanned out to form a huge network. Frankly, size doesn't matter, because of low power, short range, and frequency reuse. The potential size of a cellular system is unlimited, so let's use Figure 3-1 to discuss how a "typical" system is structured.

FIGURE 3-1. TYPICAL CELLULAR SYSTEM LAYOUT

Notes to the figure:
1. Cells of the same letter operate on the same frequency groups. See Tables 3-3 & 3-4.
2. The numerical designator distinguishes cells of the same letter/frequency group; otherwise there is no difference.
3. Two companies are permitted to operate cellular systems in any given metro area. The two systems will be laid out functionally as shown above, even though the physical layout will be different.

1. A hexagon is used to depict a cell's coverage territory, but the actual coverage wouldn't be that shape; it would be more or less circular, depending upon terrain and geography. However, circles don't illustrate the cellular concept as well as hexagons, and that is why hexagons are usually used in diagrams of cellular systems.

2. No two adjacent cell sites use the same frequencies. In other words, two Cell "A's" are never side by side, nor two Cell "B's," nor Cell "C's," etc. At least one cell site on different frequencies is always located between two other cell sites that are assigned the same frequencies.

3. No two adjacent cell sites are assigned adjacent frequencies. So, Cells "A" and "B" are never located next to each other. Neither are Cells "A" and "G," or "B" and "C," etc. At least one different cell site is always located between two other cell sites that are assigned adjacent frequencies.

Summary: each cell site is always assigned frequencies that differ by 60 kHz or more from cell sites that are adjacent to it.

This information, while perhaps boring to lay readers, might be very useful or handy to persons such as law enforcement officers performing court-warranted electronic surveillance on cellular conversations of a drug dealer, inasmuch as DEA and other enforcement officials have long been aware that cellular phones have become heavily used by drug traffickers. So, let's say that an authorized surveillance is taking place and the suspect is monitored on 880.740 MHz, which is depicted in Table 3-1 under Cell "D." Everything's fine, and the suspect starts to advise his party to meet him at -, and then right at the crucial moment, the suspect's car enters the control of a different cell site, and presto, the channel goes dead.
Putting the scanner into "Limit Search" mode in an attempt to track the conversation would bring only frustration; might as well have a cup of coffee and call it quits for the night. Chances are that the suspect's resumed conversation will not be encountered. The "Search" mode tracks in a linear, consecutive-frequency order, either higher or lower. If the suspect's conversation should be relocated, it would certainly take a while.

There would, however, be a way of increasing the chances of zeroing back in on the suspect. First, the scanner would have to be programmed with each individual cellular frequency in order by cell sites as depicted in Table 3-3 or 3-4. For such an operation, it would be highly beneficial to be working with a Realistic PRO-2004/2005 that has undergone the 6,400 channel memory modification outlined in this book (ed. note: Bill's book) (MOD-16) so that wireline and non-wireline cell site channels could be programmed. There wouldn't be any reason to program any of the data-only control channels, but the scanner could be programmed with Channel 1 = 880.650 MHz; Channel 2 = 880.860 MHz; Channel 3 = 881.070 MHz, etc. Channel 40 would have 888.840 MHz, then continuing with Ch. 41 = 889.050 MHz and ending all Cell "A" programming with Ch. 45 = 889.890. Then, all zeros would be entered into Ch. 45 to 50, with Cell "B" programming as: Ch. 51 = 880.680 MHz; Ch. 52 = 880.890 MHz; through Ch. 95 = 889.920 MHz. All zeros would go into Ch. 95 to 100, and Cell "C" programming would start in Ch. 101 with 880.710 MHz. Get the picture?

When completed, the wireline company's 312 voice channels would have been programmed into the agency's scanner, organized by cell sites and frequency allocations. This would be particularly useful to the surveillance officer because, as noted earlier, when a mobile unit passes from one cell to another, the new frequency will not be in the old cell's assignment, nor will it be an adjacent frequency!
Therefore, one could logically eliminate the frequency assignments of three cells from any consideration. So, when the suspect's conversation gets handed off from one cell to another, up to three scan banks that are known not to contain the call are deselected. The scanner could then check for the resumed conversation on the remaining sites and probably locate same rather quickly, as in the example following the frequency tables.

Table 3-3  WIRELINE COMPANY CELL SITE TRANSMIT & MOBILE RECEIVE FREQUENCIES (MHz)

            CELL A   CELL B   CELL C   CELL D   CELL E   CELL F   CELL G
            =======  =======  =======  =======  =======  =======  =======
Voice       889.890  889.920  889.950  889.980
channels    889.680  889.710  889.740  889.770  889.800  889.830  889.860
            889.470  889.500  889.530  889.560  889.590  889.620  889.650
            889.260  889.290  889.320  889.350  889.380  889.410  889.440
            889.050  889.080  889.110  889.140  889.170  889.200  889.230
            888.840  888.870  888.900  888.930  888.960  888.990  889.020
            888.630  888.660  888.690  888.720  888.750  888.780  888.810
            888.420  888.450  888.480  888.510  888.540  888.570  888.600
            888.210  888.240  888.270  888.300  888.330  888.360  888.390
            888.000  888.030  888.060  888.090  888.120  888.150  888.180
            887.790  887.820  887.850  887.880  887.910  887.940  887.970
            887.580  887.610  887.640  887.670  887.700  887.730  887.760
            887.370  887.400  887.430  887.460  887.490  887.520  887.550
            887.160  887.190  887.220  887.250  887.280  887.310  887.340
            886.950  886.980  887.010  887.040  887.070  887.100  887.130
            886.740  886.770  886.800  886.830  886.860  886.890  886.920
            886.530  886.560  886.590  886.620  886.650  886.680  886.710
            886.320  886.350  886.380  886.410  886.440  886.470  886.500
            886.110  886.140  886.170  886.200  886.230  886.260  886.290
            885.900  885.930  885.960  885.990  886.020  886.050  886.080
            885.690  885.720  885.750  885.780  885.810  885.840  885.870
            885.480  885.510  885.540  885.570  885.600  885.630  885.660
            885.270  885.300  885.330  885.360  885.390  885.420  885.450
            885.060  885.090  885.120  885.150  885.180  885.210  885.240
            884.850  884.880  884.910  884.940  884.970  885.000  885.030
            884.640  884.670  884.700  884.730  884.760  884.790  884.820
            884.430  884.460  884.490  884.520  884.550  884.580  884.610
            884.220  884.250  884.280  884.310  884.340  884.370  884.400
            884.010  884.040  884.070  884.100  884.130  884.160  884.190
            883.800  883.830  883.860  883.890  883.920  883.950  883.980
            883.590  883.620  883.650  883.680  883.710  883.740  883.770
            883.380  883.410  883.440  883.470  883.500  883.530  883.560
            883.170  883.200  883.230  883.260  883.290  883.320  883.350
            882.960  882.990  883.020  883.050  883.080  883.110  883.140
            882.750  882.780  882.810  882.840  882.870  882.900  882.930
            882.540  882.570  882.600  882.630  882.660  882.690  882.720
            882.330  882.360  882.390  882.420  882.450  882.480  882.510
            882.120  882.150  882.180  882.210  882.240  882.270  882.300
            881.910  881.940  881.970  882.000  882.030  882.060  882.090
            881.700  881.730  881.760  881.790  881.820  881.850  881.880
            881.490  881.520  881.550  881.580  881.610  881.640  881.670
            881.280  881.310  881.340  881.370  881.400  881.430  881.460
            881.070  881.100  881.130  881.160  881.190  881.220  881.250
            880.860  880.890  880.920  880.950  880.980  881.010  881.040
            880.650  880.680  880.710  880.740  880.770  880.800  880.830
Digital     880.440  880.470  880.500  880.530  880.560  880.590  880.620
control     880.230  880.260  880.290  880.320  880.350  880.380  880.410
channels    880.020  880.050  880.080  880.110  880.140  880.170  880.200

Table 3-4  NON-WIRELINE COMPANY CELL SITE TRANSMIT & MOBILE RECEIVE FREQUENCIES (MHz)

            CELL A   CELL B   CELL C   CELL D   CELL E   CELL F   CELL G
            =======  =======  =======  =======  =======  =======  =======
Digital     879.900  879.930  879.960  879.990
control     879.690  879.720  879.750  879.780  879.810  879.840  879.870
channels    879.480  879.510  879.540  879.570  879.600  879.630  879.660
            879.270  879.300  879.330  879.360  879.390  879.420  879.450
Voice       879.060  879.090  879.120  879.150  879.180  879.210  879.240
channels    878.850  878.880  878.910  878.940  878.970  879.000  879.030
            878.640  878.670  878.700  878.730  878.760  878.790  878.820
            878.430  878.460  878.490  878.520  878.550  878.580  878.610
            878.220  878.250  878.280  878.310  878.340  878.370  878.400
            878.010

(The non-wireline control channels are 879.390 through 879.990, per Table 3-2; entries below 879.390 are voice channels.)
878.040 878.070 878.100 878.130 878.160 878.190 877.800 877.830 877.860 877.890 877.920 877.950 877.980 877.590 877.620 877.650 877.680 877.710 877.740 877.770 877.380 877.410 877.440 877.470 877.500 877.530 877.560 877.170 877.200 877.230 877.260 877.290 877.320 877.350 876.960 876.990 877.020 877.050 877.080 877.110 877.140 876.750 876.780 876.810 876.840 876.870 876.900 876.930 876.540 876.570 876.600 876.630 876.660 876.690 876.720 876.330 876.360 876.390 876.420 876.450 876.480 876.510 876.120 876.150 876.180 876.210 876.240 876.270 876.300 875.910 875.940 875.970 876.000 876.030 876.060 876.090 875.700 875.730 875.760 875.790 875.820 875.850 875.880 875.490 875.520 875.550 875.580 875.610 875.640 875.670 875.280 875.310 875.340 875.370 875.400 875.430 875.460 voice 875.070 875.100 875.130 875.160 875.190 875.220 875.250 channels 874.860 874.890 874.920 874.950 874.980 875.010 875.040 874.650 874.680 874.710 874.740 874.770 874.800 874.830 874.440 874.470 874.500 874.530 874.560 874.590 874.620 874.230 874.260 874.290 874.320 874.350 874.380 874.410 874.020 874.050 874.080 874.110 874.140 874.170 874.200 873.810 873.840 873.870 873.900 873.930 873.960 873.990 873.600 873.630 873.660 873.690 873.720 873.750 873.780 873.390 873.420 873.450 873.480 873.510 873.540 873.570 873.180 873.210 873.240 873.270 873.300 873.330 873.360 872.970 873.000 873.030 873.060 873.090 873.120 873.150 872.760 872.790 872.820 872.850 872.880 872.910 872.940 872.550 872.580 872.610 872.640 872.670 872.700 872.730 872.340 872.370 872.400 872.430 872.460 872.490 872.520 872.130 872.160 872.190 872.220 872.250 872.280 872.310 871.920 871.950 871.980 872.010 872.040 872.070 872.100 871.710 871.740 871.770 871.800 871.830 871.860 871.890 871.500 871.530 871.560 871.590 871.620 871.650 871.680 871.290 871.320 871.350 871.380 871.410 871.440 871.470 871.080 871.110 871.140 871.170 871.200 871.230 871.260 870.870 870.900 870.930 870.960 870.990 871.020 871.050 870.660 870.690 870.720 870.750 
870.780 870.810 870.840 870.450 870.480 870.510 870.540 870.570 870.600 870.630 870.240 870.270 870.300 870.330 870.360 870.390 870.420 870.030 870.060 870.090 870.120 870.150 870.180 870.210 ======= ======= ======= ======= ======= ======= ======= EXAMPLE Suspect is on a frequency in Cell "D" when the call is switched. The officer immediately knows that the new cell will not be "C," "D," or "E," so those are deselected and the scanner does not bother with them. The suspect will be on only one of about 180 possible frequencies, which the officer could locate within thirty seconds or less if he knows what to do and can react quickly enough. If he had unsuccessfully used the "search" to look for resumed conversa- tions, there were more than 300 frequencies to check through that way. Note: If the suspect was originally in Cell "A," then Cells "B" and "G" can be eliminated as possibilities. Likewise, if the original call was in Cell "G," then calls from Cells "A" and "F" would be eliminated. Remember: Cells of the same and/or adjacent frequencies are never physically located next to another! A judicious law enforcement surveil- lance expert would use both the "scan banks" and the "search" feature as tools to relocate a handed-off cellular conversation. Note: Cellular handoffs occur quite rapidly, especially when a mobile goes from one cell through the fringe area of a second and then soon after into a third cell. The two handoffs could take place within seconds, and a search for the first handoff could well be in progress when the second handoff takes place. That's when a cell map of a particular area or system would come in handy. 
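As an added illustration, not from the book or any of the people it cites, the Python below reconstructs the two frequency-cell tables above from the AMPS channel-numbering rules instead of from a typed-in list: 30 kHz channel spacing, channel N's mobile transmit frequency at 825.000 + 0.030 x N MHz, and the cell-site transmit frequency 45 MHz above it, which is what puts the tables in the 870-890 MHz range. The round-robin dealing of consecutive channels to cells A through G is an assumption read off the layout of the tables above (each column steps 0.030 MHz, each row 0.210 MHz) and is labelled as such in the code; the extended channel blocks (667-716, 717-799 and 991-1023) go beyond the tables above and are included as a generalization. The point worth taking from it, for anyone assessing a system like this, is that the whole channel plan is deterministic and public: nothing in the frequency assignment of analog cellular provides confidentiality, which is what the later discussion of digital coding and encryption is about.

```python
"""Reconstruct the AMPS frequency-cell tables above from the channel plan.

Added example (not from the book). It encodes the public AMPS numbering:
30 kHz channel spacing, mobile transmit = 825.000 MHz + 0.030 MHz x N,
cell-site transmit = mobile + 45 MHz, block A = non-wireline carrier,
block B = wireline carrier. The 7-cell grouping (consecutive channels
dealt to cells A..G in turn) is an ASSUMPTION read from the book's table
layout. The extended blocks (667-716, 717-799, 991-1023) were added to the
plan after those tables were computed and are a generalization here.
"""
from typing import Dict, List, Tuple

CHANNEL_SPACING_MHZ = 0.030
DUPLEX_OFFSET_MHZ = 45.000          # cell site transmits 45 MHz above the mobile
CELLS = "ABCDEFG"

# Inclusive AMPS channel-number ranges per carrier.
MAIN_BLOCK = {"A": (1, 333), "B": (334, 666)}
EXTENDED_BLOCKS = {"A": [(667, 716), (991, 1023)], "B": [(717, 799)]}
CONTROL_CHANNELS = {"A": (313, 333), "B": (334, 354)}   # 21 dedicated control channels each

Row = Tuple[int, float, float, str, bool]   # channel, mobile MHz, base MHz, cell, is_control


def mobile_tx_mhz(n: int) -> float:
    """Mobile (car phone) transmit frequency of AMPS channel n."""
    if 1 <= n <= 799:
        return round(825.000 + CHANNEL_SPACING_MHZ * n, 3)
    if 991 <= n <= 1023:            # extended block sits just below 825 MHz
        return round(825.000 + CHANNEL_SPACING_MHZ * (n - 1023), 3)
    raise ValueError(f"not an AMPS channel number: {n}")


def base_tx_mhz(n: int) -> float:
    """Cell-site transmit (mobile receive) frequency: the duplex pair of the mobile channel."""
    return round(mobile_tx_mhz(n) + DUPLEX_OFFSET_MHZ, 3)


def cell_for_channel(n: int, carrier: str) -> str:
    """Assumed book layout: deal channels to cells A..G round-robin from the carrier's first channel."""
    first, _ = MAIN_BLOCK[carrier]
    return CELLS[(n - first) % len(CELLS)]


def build_table(carrier: str, extended: bool = False) -> List[Row]:
    """All channels of a carrier in channel order, with their cell letter and control flag."""
    ranges = [MAIN_BLOCK[carrier]] + (EXTENDED_BLOCKS[carrier] if extended else [])
    lo, hi = CONTROL_CHANNELS[carrier]
    return [(n, mobile_tx_mhz(n), base_tx_mhz(n), cell_for_channel(n, carrier), lo <= n <= hi)
            for start, end in ranges for n in range(start, end + 1)]


def table_rows(carrier: str, extended: bool = False) -> List[List[float]]:
    """Base frequencies laid out like the tables above: one row per 7 consecutive
    channels (columns = cells A..G), highest frequencies first."""
    first, _ = MAIN_BLOCK[carrier]
    grouped: Dict[int, List[float]] = {}
    for n, _, base, _, _ in build_table(carrier, extended):
        grouped.setdefault((n - first) // len(CELLS), []).append(base)
    return sorted(grouped.values(), key=max, reverse=True)


def channels_per_cell(carrier: str, extended: bool = False) -> Dict[str, int]:
    """How many channels (voice plus control) each cell letter ends up with."""
    counts = {c: 0 for c in CELLS}
    for _, _, _, cell, _ in build_table(carrier, extended):
        counts[cell] += 1
    return counts


def render(carrier: str, extended: bool = False) -> str:
    """Plain-text rendering in the style of the book's tables."""
    lines = [f"Block {carrier}: cell site transmit / mobile receive (MHz)",
             " ".join(f"CELL {c:>3}" for c in CELLS)]
    for row in table_rows(carrier, extended):
        lines.append(" ".join(f"{f:8.3f}" for f in row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("B"))                 # reproduces the wireline table above
    print(channels_per_cell("B"))      # 48 channels in cells A-D, 47 in E-G
```

Running the block prints the wireline table in the layout above; `render("A")` gives the non-wireline one, and `table_rows(...)[0]` reproduces the four-entry top row that each table starts with because 333 channels do not divide evenly by seven.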
Since the time Bill calculated the above information, new frequencies have been allocated to cellular companies as follows:

  824.010 - 834.990   Mobiles   non-wireline A
  835.020 - 844.980   Mobiles   wireline B
  845.010 - 846.480   Mobiles   non-wireline A
  846.510 - 849.000   Mobiles   wireline B
  869.010 - 879.990   Bases     non-wireline A
  880.020 - 889.980   Bases     wireline B
  890.010 - 891.480   Bases     non-wireline A
  891.510 - 894.000   Bases     wireline B

It would be a simple matter to create the same frequency-cell tables with these new frequencies.

OUR OWN REFINEMENTS

I sat in on a cellular phone interception project with a couple of law enforcement types during the writing of this book using an offshoot of Bill's idea. Here's how they did it:

The target was operating in a major metropolitan city in the U.S. with a number of hills and dead-air valleys. The LP (listening post) was situated in a house on a hill that overlooked much of the city. The LP was equipped with an ICOM 7000 receiver and a non-directional antenna sensitive at 800 MHz. The ICOM had been modified slightly by clipping an internal lead, which allowed it to operate at a baud rate of 9600. The receiver was connected to an IBM PC clone that was loaded with a frequency scanning program called Program 801. The local frequency banks were programmed into the computer and we had a colleague watching the target's residence. When the target left his residence, the watcher called us on his cellular phone and so informed us; we began scanning. Within a few moments we had identified the subject by both his voice and the subject of the conversation on a certain cell. When a handoff to another cell occurred, the F4 key was stroked on the computer and it began to look through the logical frequencies.

Did it work? The intercept was conducted on a weekend so, admittedly, the traffic was light, but in every case we found the target within a few seconds. The maximum conversation loss was, at most, 20 seconds.
The ICOM and the elevated listening post followed the target through each and every cell as he changed position. There was NO cell that he accessed that we could not receive from our stationary LP.

INDIVIDUAL CELLULAR TAILING

Another system tested for this book, which proved quite invigorating, was to take a Motorola bench frequency counter and equip it with a directional antenna. This setup allowed me to follow a particular subject from a distance of 100-200 feet and simply read the operating frequency of his cellular whenever it was put into use. The keys to this system are to use a 12 volt bench counter with high sensitivity and a gain antenna. Omnidirectional cellular antennas are limited to a 3 dB gain. Use at least a 5 dB gainer from the 800 business band or, better yet, a Yagi transmit/receive antenna from one of several antenna suppliers. This will make it directional but will make the entire concept viable. Remember, although the car phone only broadcasts one side of the conversation, the cell rebroadcasts both at a frequency 45 MHz lower than the mobile channel.

When the frequency counter latches on to a frequency, a handheld scanner is manually programmed to the correct frequency and the entire conversation is monitored. When a handoff occurs the new frequency is quickly acquired in a similar manner and the monitoring resumes with only a minor loss of conversation. It is possible to drop back from the 200 foot limitation until a handoff occurs, at which time the LP car must move back into position, but only long enough for the counter to read the new frequency.

And now folks, there's a brand new tool about to come onto the market as we speak which does a much better job than this on individual intercepts.

A TRICK

Besides the previously-detailed cellular system there used to be a pattern in use that involved 12 cells.
This gave no adjacent frequencies in any adjacent cells, but most cities have given that up and gone to the above, more compact 7-factored pattern because it offers more frequencies in each cell (1 of 7 instead of 1 in 12). The current system is likely to remain around a while because it's about as far down as it can be taken without bringing in directional antennas.

TECHNIQUES FOR INCREASING CELLULAR DENSITY

It is possible to use a 320 degree directional antenna with a heavy signal lobe to avoid picking up signals from the back side of that particular antenna segment. This gives the option of reusing the frequency right behind it fairly close in, so we get a little more density in a particular system. Another approach to getting more capacity buries some low power channels in the middle of a particular cell which are so low in power that they don't really get out to more than half the radius. It is then possible to reuse these same allocations somewhere else because they interfere less than the channels that run full power.

PHONE NUMBERS AND ESNs

The actual phone number is stored in a programmable chip known as a NAM. In most parts of the country this chip must be pre-programmed with an available number on one of the local companies before the phone can be sold, or at least before it can be put into use. The NAM is a 16 digit chip which contains the phone number plus other info; in older-style phones they are programmed in an EPROM. New phones have programming capability built into their handsets.

The ESN or electronic serial number (sometimes referred to as Electronic Identification Number, EIN) is not stored in the NAM chip. At the moment there are about 125 different phones being manufactured and they all store the ESN in a different place in their memory, in either an EPROM or a ROM. Each company can, and does, utilize separate locations and different methods of coding. NAMs themselves can be programmed at such mundane points of purchase as Radio Shack stores.
NAM programmers are openly available for about $1,000. What is to stop someone from cloning a phone so their cellular will ring every time a target's does? Or even so that when the cloned phone makes a call, the target would be billed? Several things, the first being the law of the land. No clones allowed. A larger barrier is posed by the inclusion of the (usually) nonprogrammable electronic serial number that is often accessed with the phone number. If a set is stolen this number is put on a computerized hot list which shows up immediately when the unit is used. Some new switches are also rumored to be able to tell if more than one phone with the same number is on line at any given time by comparing the serial numbers in real time.

Does this mean no clones? Well, not exactly. See, early phones, before somebody in power decided the ESNs should be a permanent part of the unit, allowed both NAM and ESN programming. When researching this article, I was offered a series 1 or 2 Novatel mobile phone cloned to any set of numbers I required for $600. This is to allow busy executives the option to have an extension mobile, but it could also be rigged to act as an unscrupulous clone, ringing and recording every call made to the target number. I have also been told of black market chips that can replace the ESN chips in modern phones. The FCC doesn't like these, the phone associations don't like these and even, yes, the FBI doesn't like these...

Although most people don't realize it, cellulars broadcast a superaudible ID tone along with the normal audio. The operator will not hear this because it's filtered out, but it provides three choices for security, helping to make certain that only one phone is on the system at any one time. The system listens to what ID tone is offered and if it's the wrong one, it'll disconnect the offender.
This feature is designed to protect against radio propagation faults wherein the signal comes back to the base too strong and overpowers the desired signal, but it is also a factor in cloning because the system will allow 5 seconds for the proper signal and then it will disconnect the "wrong" signal automatically. Not a perfect system, but one that must be taken into account for any cloning attempt.

In fact, there are modified cellulars on the black market that the various government agencies like even less than they do clones. I was also offered a modified phone that would come up with a random and different ESN and serial number every time it was used, for $2500! This option lets the user put the phone into the roam mode so it would access this "traveler's" feature on every call but bill it to a different number each time. At first glance this seems to be the ideal (criminal) way to beat phone charges; since the unit will bill to a different number on every call, the operator will not be bothered by those annoying little notices from the local telco every month. But the real selling feature of this type of phone is that it cannot be legally monitored. If a law enforcement agency gets a court order to monitor a particular telephone (identified by the phone number) it will not be valid, and in fact will not work, if the unit in question changes its identity like some sort of maddened electronic chameleon every time it is used... Bet the farm I ain't the only person who has been offered one of these phones...

In fact, one basic cellular flaw is considered to be the existence of fraud. The rules of the FCC and the Canadian Department of Communications require that portable phones have an unchangeable identification in a read-only memory in the set. The wording says it should not be possible to modify the identification without rendering the set inoperative.
One industry study recently reported that it was possible, with varying degrees of difficulty, to change the identification in about 80% of the sets which are now out in the field. Fraud, fake, and oscillating ESN numbers are estimated to account for somewhere between 4% of the industry's gross billing. One of the inducements to fraud is that when a mobile identifies itself, the local system has to decide whether it should query the mobile for the full 10 digits of the actual phone number or only 7. Should the ESN be required? Sometimes the operating company, to save on transmission time, cuts down on the number of digits that are transferred in these operations, especially at rush hour.

Regardless of the saturation ad campaigns for cellular use, the systems are filling up fast and most claim to operate at only marginally profitable levels, yet corporations are always interested in purchasing cellular companies. Why? They're buying future potential. Capacity limitation will become a thing of the past when digital cellular comes into play (scheduled to be the norm within five years) because digital systems can multiplex 3 or more conversations on each channel. The technique has been standardized already. There is digital equipment on the market available for use with the proper support equipment already, although all the in-place equipment will continue to be supported for several years, probably until the end of the century, but digital will gradually take over the market as surely as color television edged out black and white.

Digital has several appetizing features for cellular users. It involves using a digital code technique for speech to use 16,000 bytes per second per radio channel, per conversation. This, plus 3-5 different conversations on each channel simultaneously, will make the format secure from casual eavesdroppers.
Without a doubt scanner-adaptable modules will be marketed to decipher and demultiplex digital cellular, but from the point of view of security, the important thing is that when digital speech coding is present one can take advantage of the superior techniques inherent in encrypting digital signals, as opposed to the problems of scrambling analog dialogue. Systems are now available (see the scrambling section) which will lock out almost everybody but are still not considered military level secure. Digital suppliers will probably offer an option for higher secrecy levels, since it is easier to encrypt a digital stream than it is to constructively distort voice transmissions. If you need to have a sensitive conversation during a mobile situation you have two choices: use a digital scrambler, or stop and use a coin phone by the side of the road.

Remember this fact. At one point I took a mobile phone and made a call to a friend and for about 15 minutes, in the middle of a normal business day, drove around running a tape asking anyone who was listening in on a scanner to give me an anonymous phone call for a research study. In the city of San Francisco I got three calls from casual listeners. And these were just the people who bothered to call...

DATA AND FUTURE MODES

Because cellular was designed for audio and, at this writing, uses analog FM transmission, it is difficult to transmit data over the system even though mobile faxes and modems are available. Using an ordinary data modem of the type that would be utilized on a landline telephone provides less than normal service. One problem is that as the position changes the mobile passes through a combination of direct and reflected radio waves which can get out of phase with each other and produce a phenomenon called multipath, which means that the RF signal is going constantly up and down like an elevator. The resulting conglomerate is okay for speech but for data it's a no-no. In most cases the solution to this is to stop the car.
Immediately the quality will improve and reasonable results will occur AS LONG AS A LOW BAUD RATE IS MAINTAINED. This is important in digitally-scrambled transmissions, as well as in data swapping and mobile FAX transmissions. Any rate over 2400 is likely to cause some problems.

A new possibility for increasing the availability of cellular channels has already been brought before the FCC. This new system is microcellular in design and uses spread spectrum technology. The company that requested a license for this technology (Millicom) has requested a frequency band in the 1710-2290 MHz region.

Great Britain is testing out a very short range RF-based system known as Telepoint. This concept gives the user a small, portable unit for a base fee of $12-$15 per month that can be used as a wireless/cellular phone only when the operator is within 300 feet of a clearly marked base station. Many base stations can be located in any given area because they cost only a fraction of a cellular site and they are extremely low in power.

TAPPING CELLULARS

At first glance it seems to be an oxymoron: why tap a cellular? I mean the damn things broadcast over the public air waves with 600 beautiful milliwatts of power. Who needs to tap? Some people, that's who. Someone out there needs to tap anything and right at this moment there are about 32 readers wondering how to tap a cellular.

The quickest method to hear at least one side of any conversation is simply to secrete a VOX activated tape recorder in the car. And hope the driver doesn't play the stereo too loudly... Saul Mineroff offers a car caddy, you know, one of those things that holds a Big Mac and a drink and slips over the transmission console, with a great little stereo recorder built right into the unit. It would make a nice gift for, say, your wife... Olympus Corporation markets (available from C.I.A., the company, not the Company) a series of drop out recorders for cellular phones.
These little boxes connect between the handset and the phone and, operating like a regular drop out recorder, record both sides of the conversation when the phone is taken off hook. These units, called Woodbury Interfaces, are not designed to be hidden but are supposed to be used to record one's own conversations (legal in one-party states) for later study. They can be used somewhat surreptitiously by stashing them, along with a mini recorder, in some sort of camouflaged unit like the Mineroff car caddy, or even installed under the phone itself or under the upholstery. Two elements necessary for success here are access to the target vehicle and a not overly observant driver.

AID makes a bug that is concealed in a rechargeable Motorola-type battery for portable phones. This unit works off the battery, which still operates the phone, and picks up and transmits local conversation.

It would be possible to design some sort of infinity transmitter for a cellular, although each make of phone is different enough to require some uptown design work, and when the transmitter was in operation all the air time would be billed to the target, allowing him a nice printout of the connection. A wiser move would be to employ some sort of hookswitch bypass so the phone would be hot on hook and broadcast the local audio. However, even this technique has problems because it could easily cause interference with other phones and might alarm the switch because more than one phone would be on a single channel.

A quick thought: You want to record a cellular conversation that you are part of without alerting anyone else in the car? Think ear mics (devices that receive and transmit inside the user's ear and look like a miniature earphone): put one in your ear and have a conversation. The DEA recently bought 1,000 of these from, well, from an unnamed New York supplier.

A cellular phone can also be "accidentally" left operating after a call is made to a recording phone.
If left behind in a business conference, it will work as a long distance bug. Some portable cellulars are now made with a hot switch so they will broadcast to a nearby receiver for the same sort of "forgetful" bugging.

"CELLULAR PHONES ARE IMPOSSIBLE TO MONITOR" RIGHT