Author: Andy Greenberg. Andy Greenberg : 09.28.16.
A cellphone makes a convenient detonator for an improvised explosive device. But it’s also one of the most conveniently trackable devices under the eye of American law enforcement.
Less than 48 hours after a bomb exploded in a dumpster on a streetcorner in the Chelsea neighborhood of New York—and another device a few blocks away failed to explode—police have tracked the attack to New Jersey resident Ahmad Khan Rahami. At least one crucial link that investigators seem to have made came from the cellphone planted in one of the bombs. The incident is a reminder of just how difficult it is to anonymously use a cellphone in America—whether to sell drugs, make an untraceable call to a journalist, or explode a deadly weapon in downtown Manhattan.
“Buying a burner phone correctly isn’t easy,” says Nicholas Weaver, a security- and privacy-focused computer science researcher at Berkeley University, referring to the pre-paid phones often used by criminals and terrorists. “Using a burner phone correctly isn’t easy.” For the operator of a remote explosive device, he adds, that means “a cellphone-type detonator is a good robust mechanism….As long as you don’t mind a high probability of getting caught.”
According to multiple reports, at least one unexploded bomb—constructed from a pressure cooker and placed in a Chelsea trash can—contained a cellphone that law enforcement was able to recover. And that device, in addition to fingerprints and likely other clues, enabled police to find connections to Rahami’s family and then to Rahami himself.
The connection to Rahami’s family suggests that a phone call meant to trigger the detonator cellphone may have been made from a phone that also—rather foolishly—called or received calls from Rahami’s contacts. A simple, urgent request from the New York Police Department or the FBI to the phone’s carrier, with or even without a court order if the telco is sympathetic, would be enough to provide the metadata necessary to identify a suspect.
But even if the bomb had exploded and Rahami had been careful to use new burner phones on both ends of the detonation call, cops with access to carrier records would likely still have plenty of tools to track down the source of the trigger call, American Civil Liberties Union technologist Chris Soghoian wrote on Twitter.
A phone carrier technique called a tower dump, for instance, offers law enforcement all the records on which phones connected to a particular cell tower during a particular period of time. A tower dump from a certain cell tower in Chelsea on Saturday night would have shown all the phones connecting to the tower, including one that received a phone call and then suddenly disappeared, no longer periodically reporting its location back to the tower. The carrier’s records could then lead cops to the phone that called that number and any other numbers connected to it, potentially unraveling an entire terrorist cell or pointing to other detonation calls made from that phone. (New York mayor Bill DeBlasio said in a press conference Monday that no evidence suggests Rahami had any accomplices, and the NYPD declined to comment on its ongoing investigation.)
If the creator of an IED is careful, he or she will buy new burner phones without incriminating call records for both the detonator and the phone intended to call it. But even then, Berkeley’s Weaver says, burner phones can be tracked. He points to the example of a case in California last year when police asked AT&T for help tracing a burner phone used in a kidnapping based only on its number. AT&T revealed that the phone was a prepaid TracFone handset, and that it had been activated at a certain Target store. Target then gave the police in-store surveillance footage that helped identify and arrest the alleged kidnapper. “A burner phone can be a dead end, but that takes more than walking into Target and buying a phone,” says Weaver, who has written a guide on how to use burner phones and other anonymity tools to leak information to the press.
Even if a retailer doesn’t capture surveillance video of the burner phone’s buyer, it might capture his or her credit card number. Or if he or she isn’t careful about where the phone is turned on, it can serve as a location beacon, calling out to nearby cell towers and quickly giving police a record of the bomber’s location within at least a few hundred feet. Google and its operating system Android, according to one criminal affidavit earlier this year, can also provide police with location data detailed enough to pinpoint a bank robber inside a bank. “If you’re actually trying to do this, you have to do everything right to avoid this kind of mistake,” says Matt Blaze, a security-focused science professor at the University of Pennsylvania. “One trivial slip-up like appearing on camera or using a credit card or turning it on in your house or using it to make a call to your friend or family member—any one of those large number of things can associate you with that phone.”
Tracking cellphone detonators has been so effective that it’s even been used by the NSA to identify IEDs in foreign war zones before they’re detonated. By sifting through call records looking for phones in potential target areas that have never before placed a call, NSA analysts can find powerful leads on where a bomb might be planted before the detonating call is placed.
So it’s no surprise that bomb-detection phone-tracking techniques have found their way in to the domestic fight against terror. If the devices in our pocket are going to betray our privacy every moment they’re switched on, it’s only fair that they betray the terrorists trying to kill us, too.