Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

The Hacker Burner Phone

Courtesy https://dev.to/rly

[Edit 2022/09/03: If you’re here because of changes to healthcare services due to recent U.S. Supreme Court rulings, be sure to check out my blog post on Digital Tracking. -Mark]

The traditional burner phone is intended to be tossed if the phone number is "burned". Think of those old cheap flip phones. You are supposed to snap the phone in half, and toss each half into a different dumpster on the back of two trucks that are heading in opposite directions (think slow motion, dramatic music, etc). At least that is how it is done in the movies. But I’m one of those hacker types - I want to use an actual modern phone, communicate with my hacker friends, and move about without being tracked. That seems like a good idea, right?

The problem is, a modern phone has five radios - four that are capable of transmitting, and for the most part as long as the phone has power it can disclose data and location to others via at least one of these radios. This information can be gathered by data brokers and sold to any number of parties, including advertising agencies and even law enforcement. With apps that constantly gather data, radios that constantly broadcast, it is no longer your phone number that is burned. With the modern phone, YOU are burned.

My Goals

I've done a lot of odd projects over the years, but for some reason putting together my hacker burner phone was a lot more fun than I expected. This was a thoroughly enjoyable project, and I had a lot of fun doing it.

Here were my goals:

  • Acquire a phone that cannot be traced back to me. Like, at all.

  • The phone must run a modern operating system, and be able to run the latest version of that operating system.

  • Not dirt cheap, but not expensive.

  • I must be able to modify it at a low level, in case I have to prevent some level of communication that cannot be turned off via the phone’s settings. In light of this I’d need an app written to do just that.

  • The phone must look normal, otherwise it will stand out. In other words, some old flip phone is not going to cut it. And not some over-sized plank.

  • The phone needs to support attaching/inserting extra storage.

  • The phone should at least be name-brand enough that it is not hard to acquire accessories, such as a case.

  • Phone calls will be rare (if at all) as I will mainly use this for non-voice communications.

Simple, modern enough to still work just fine, capable of running any modern app I deem necessary. This is a phone you want in a SHTF situation - a bug-out phone, a get-home phone, that emergency red phone you hope you never need to use.

Why?

Why a hacker burner phone? Here's some scenarios to get you thinking about it:

  • The human rights worker. You need to be in locations with an evil government monitoring you while you are doing your humanitarian work; use the burner during sensitive "operations".

  • On the Showtime show "Billions", there is the Bobby Axelrod scenario. His tight group of co-conspirators each have a burner only used for communication between each other or shady web searches. The OPSEC isn't rigid by any means, but they regularly swap out all of their burner phones at once.

  • If you attend protests, using a burner at the protest keeps you in the loop with the world, but any government surveillance with IMSI catchers or stingers will only get your burner.

  • The security conference attendee (when attending in person). It should be obvious, but protections from government monitoring, out of country spies, fellow attendees, etc all can be covered via the burner while you are still able to communicate with your hacker friends.

Let's Get a Phone

When I say that it should not be traceable back to me, I am not kidding around. Granted, this was more of an intellectual exercise than anything else, and it turned out to be slightly more challenging than I initially thought it would be. And yes, the fact that I am blogging about it kind of ruins my burner phone OPSEC. Nonetheless, this is how I think burner phone acquisition should be done.

I picked out a phone to get based upon the goals I outlined above. I settled on a Motorola Moto G7. After a bit of inquiry about what model phones some of the local merchants had, I realized that finding that exact make and model was not going to be easy. At first I considered just getting whatever a local merchant had, but then I decided no, what if I lived in a place where selection was sparse or non-existent, or what if only one model would meet my needs.

In addition, we were still in the middle of a pandemic. I really did not want to head into some phone store, and have to deal with sales staff and other possible shoppers. Besides, how could I blend in? During the pandemic if any stores were open, they were dead slow, and if they get a customer asking a zillion questions about obscure features of five phones AND pays cash, well, that’s not going to work. No, it seemed like it would draw a lot of attention.

Online Presence

So I decided to buy my burner online. That was going to be challenging, given that I don't want to trace it back to me. I decided to step backwards through the process.

First off, it would be shipped to me, so I needed to figure out how to receive a shipment that would not involve an intermediary - it had to come to me and me alone. Second, I did not want it to come to my home, as that is a dead giveaway.

After a bit of thought, I realized that Amazon had those lockers. I read up on how they worked, and to make it simple they would ship it to a locker location of my choosing, and then send me an email with a six digit code to unlock the specific locker. Perfect! Of course I'd have to set up an Amazon account, which is easy enough. You just need a browser and an email address.

I needed to secure the Internet connection to set up the email address. I wanted to use ProtonMail for this, so I fired up ExpressVPN on the laptop and set up a ProtonMail account using Firefox via a Private Window. I was also smart enough to not send a "test" email from ProtonMail to an email address I control. I did set up 2FA, but added no recovery email as it was optional anyway. The ProtonMail account was solely for the burner. While still in Firefox I set up my Amazon account using my new ProtonMail account.

Payment

Next problem, payment method. I decided I would pay cash for some VISA Gift Cards, so with a few hundred dollars I headed to a local pharmacy. I had left my regular phone in the car securely (more on that later), walked into the pharmacy wearing plain clothes so as not to stand out, and again since this was mid-pandemic for COVID-19 I had on a nice gray mask. And sunglasses. No facial recognition on the in-store video for this wily hacker! I felt like I was on a roll.

Why a VISA gift card and not an Amazon card? If I had trouble with the whole Amazon route I might be able to do something else (no idea what yet) but this didn’t lock me into just Amazon.

My triumphant trip came to an abrupt hiccup when I went up to the counter to get a VISA Gift Card loaded up with $300 cash. The somewhat bored clerk says "I need to see your driver's license." When I asked why, the clerk said "well, I cannot continue on the register's screen to activate the card until the system scans your driver's license."

The clerk was as surprised as I was, and at one point actually said "This is kind of creepy." Instead of getting mad, I wondered aloud if that requirement was tied to an amount. That intrigued the bored clerk enough and there was no one else in the store, so we proceeded to experiment.

It seems the issue is the $300 limit. Below that, they don’t check. I opted for a VISA gift card and an Amazon card, no showing my driver’s license. Were I to do this all over again, I would purchase them from different locations, or do it at Christmas where it looked more like lazy gift shopping for all the people on my list than an attempt to get around a driver's license scan. Yes this was bad OPSEC for sure, as the clerk will definitely remember me. But then again I do this for science. Plus as I stated before, if I were really serious I wouldn’t be blogging about it.

Ordered and Retrieved

Back at the browser, I was able to load up the cards into my Amazon account, and get my phone ordered. When it arrived at the locker I had picked out, I got an email notification with my 6 digit code, and I went to go get it.

Remember me discussing securely leaving my phone in my car at the pharmacy? I have a few Mission Darkness Faraday Bags; I used the smaller one to toss in my iPhone when I made the trip - the idea was that any tracking of my regular phone while en route to go get my burner did not happen, yet if I still needed a phone for an emergency I had it. Once I arrived (just like at the pharmacy - all gray with mask and gloves), I went inside and got my burner, and came back to the car. For added measure I went ahead and parked a block away where there was a lack of surveillance cameras, so no association of me in the store with a car in the parking lot.

Once in the car, I removed my new burner from the packaging and tossed it into another Mission Darkness bag, as I had no idea if the battery might be partially charged, allowing for the pinging of towers. Even without a phone plan or SIM to activate the phone, one can still dial 911, which means reaching a tower. Plus, the lack of a phone plan is checked at the tower (to prevent fraud), not the phone, so it will definitely “ping”.

Configuration

This is obviously going to vary per phone platform, but in general I’d advise the following:

  • Turn off all radios possible (more on GPS in a minute). Note that there is not a way to turn off NFC, but since apps that use it do not access it directly and go through APIs, simply do not pull up an app that uses NFC. This keeps that radio off.

  • Delete unnecessary and unused apps.

  • In privacy sections, turn on or activate everything possible.

  • Download and install ProtonVPN.

  • Download a secure browser, like Firefox, and configure its default search engine as DuckDuckGo.

  • If your burner is an iPhone, look into Disconnect.

About That GPS

While I covered this a bit in my BSidesDFW talk “Your Phone Hates You”, I wanted to mention GPS here as well. As I said in the video, the GPS can give up location information when it uses cellular and Wi-Fi. The TTFF (Time To First Fix) can take up to 15 minutes, and a radio that spends that time actively scanning for a signal drains the battery. To shorten the TTFF, the phone will try to get data from other sources to speed up the entire acquisition process. The A-GNSS process, or Assisted Global Navigation Satellite System, is used to help with this. This can apply to several different types of GNSS, but when applied to GPS it is known as Assisted GPS, or A-GPS. Basically A-GPS provides some pointers to help GPS determine where it is.

So you say sure, no big deal, I’ll just turn off Wi-Fi and there’s no SIM in my phone so it can’t use cellular, I should be good. Unfortunately modern phones will often not pay attention to your settings, and use A-GPS even if you’re in airplane mode. This kind of sucks, and of course when it does this, it is transmitting to a cellular tower with your information.

This was why I chose an Android-based phone for my burner. I prefer the entire iPhone model for a number of reasons, but there is no way to turn off A-GPS on an iPhone. On an Android phone you can disable A-GPS if you go in as root and edit the configuration file (usually found at /system/etc/gps.conf) and remove the SUPL and XTRA entries (basically web addresses e.g. supl.google.com).
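
The edit described above, sketched as an added example that is not from the original post: it comments out active SUPL and XTRA assignments in a gps.conf-style file and counts any that remain. The sample file is constructed, and the key names are assumed to follow the usual KEY=value layout, so check them against the file on your device.

```shell
#!/bin/sh
# Added example (not from the original post): disable A-GPS assistance
# entries in a gps.conf-style file. Assumes the usual KEY=value layout.

# Constructed sample input, not copied from a real device.
sample_conf() {
cat <<'EOF'
# GPS configuration (constructed sample)
NTP_SERVER=time.example.invalid
XTRA_SERVER_1=https://xtra1.example.invalid/xtra.bin
  XTRA_SERVER_2=https://xtra2.example.invalid/xtra.bin
SUPL_HOST=supl.google.com
SUPL_PORT=7275
#SUPL_VER=0x20000
INTERMEDIATE_POS=0
EOF
}

# Read a config on stdin and comment out every active SUPL*/XTRA* assignment.
# Existing comments and all other keys pass through unchanged.
disable_agps() {
    awk '
        /^[ \t]*(SUPL|XTRA)[A-Z0-9_]*[ \t]*=/ {
            sub(/^[ \t]*/, "")          # drop leading indentation
            print "# disabled: " $0     # keep the old value for reference
            next
        }
        { print }
    '
}

# Count assistance entries that are still active on stdin (0 = none left).
active_agps_entries() {
    grep -Ec '^[[:space:]]*(SUPL|XTRA)[A-Z0-9_]*[[:space:]]*=' || true
}

# Demo on the constructed sample: active entries before and after.
echo "active before: $(sample_conf | active_agps_entries)"
echo "active after:  $(sample_conf | disable_agps | active_agps_entries)"
```

On a device, run it against a copy of the file (`disable_agps < gps.conf > gps.conf.new`) and keep the original as a backup.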

But It’s a Phone

I have no plans to use the burner for voice at all. However if I did I’d consider visiting one of those corner shops that sell SIMs in a storefront for a few dollars. Or spend a bit more money (after researching the choices) and getting it via Amazon delivered to a locker. That way I’d at least have the option of voice and text. [Edit 2021-05-23: Just make sure the SIM is “pre-paid” and will work in your country, with a modern phone this shouldn’t be a problem. -ML]

If you have any ideas on this, and especially if you have real-world experience in this area, that would be great to hear.

OPSEC

Now that you have your burner, here are some fun tips.

  • Never have your burner outside of its Faraday bag near your home or office, and never out of the bag near your regular phone.

  • If the battery is removable, remove it when possible.

  • Only use the burner phone when it is required, so don't show it off or brag to friends.

  • If you need to switch between burner and regular phone, each should have its own Faraday bag and don't switch at the same place.

  • Don't walk around with your burner out and your FitBit that speaks cellular. Kind of defeats the entire purpose.

  • Never use your burner to access accounts associated with you, especially social media.

Final Thoughts

This hacker burner phone thing does open up some interesting possibilities - for example, you could do weird things like take an anonymous Uber or Lyft. And of course there are alternate ways to do some of the steps I’ve outlined. For example if you take a trip overseas, that might be a great opportunity to pay cash for that phone to use as a burner - even less chance that you’ll be tracked. More than once I’ve asked friends traveling overseas or even friends that live overseas to buy a phone and send it to me. Get creative!

Like I said before, this was a really fun project, and I hope you’ve enjoyed reading this. And good luck sticking it to The Man!
