B3RN3D

Staying in the darkness

Burner Phone Best Practices

There’s a good mix of useful information and misinformation about burner phones out there. I thought I would compile some facts and review the proper use case for a burner phone.

Tracking: Fingerprinting

Burner phones, for both CDMA (US Sprint, US Verizon Wireless) and GSM (every other carrier network in the world), are easy to trace. Carriers specifically segregate burner/prepaid traffic from normal subscriber traffic. Yes, this is primarily used to control which type of traffic should receive priority, but it’s also used by LEOs to easily identify network traffic used by targets.

Bruce Schneier recently commented on what the NSA is actively doing with regard to burner phones. In a recent lawsuit between the NSA and the EFF, the court documents show that one of the ways the US keeps track of burner traffic is by fingerprinting the number of unique contacts and the times of the calls. With this information, it’s much easier to keep track of whose phone is whose.

For example, Joe talks to John, George, and Jimmi on a daily basis. He cycles through burner phones at least once a week. For each phone, Joe adds the contact information for John, George, and Jimmi and calls only them. Joe never re-uses a burner phone.

From this information, we can easily track his first burner’s contacts (namely John, George, and Jimmi), because this information is stored on the SIM, and correlate them to the contacts used by the next burner phone. How hard would it be for law enforcement to trace this information? Turns out not very hard if you’re a subject of interest.
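The contact-set correlation described above, from the analyst's side, as an added example that is not part of the original post. The handset ids, the sample call records and the use of Jaccard similarity with a 0.6 threshold are assumptions made for illustration; the post does not say which metric is actually used.

```python
from itertools import combinations

# Constructed call records: (handset id, callee). Hypothetical sample data.
RECORDS = [
    ("burner-A", "John"), ("burner-A", "George"), ("burner-A", "Jimmi"),
    ("burner-B", "John"), ("burner-B", "George"), ("burner-B", "Jimmi"),
    ("burner-C", "Pizza"), ("burner-C", "Taxi"), ("burner-C", "John"),
    ("burner-D", "Bank"), ("burner-D", "Clinic"),
]


def contact_sets(records):
    """Group the distinct callees seen for each handset."""
    sets = {}
    for handset, callee in records:
        sets.setdefault(handset, set()).add(callee)
    return sets


def jaccard(a, b):
    """Share of contacts two handsets have in common (0.0 to 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def linked_handsets(records, threshold=0.6):
    """Return handset pairs whose contact sets overlap at or above threshold."""
    sets = contact_sets(records)
    pairs = []
    for x, y in combinations(sorted(sets), 2):
        score = jaccard(sets[x], sets[y])
        if score >= threshold:
            pairs.append((x, y, round(score, 2)))
    return pairs


if __name__ == "__main__":
    for x, y, score in linked_handsets(RECORDS):
        print(f"{x} and {y} likely share an owner (overlap {score})")
```

Joe's two handsets (burner-A and burner-B) are linked with full overlap, while a handset that shares only one callee with them falls below the threshold.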

Tracking: Location

There are two parts to the location of your burner you need to be aware of. First, carriers maintain logs of the signal strength between your phone and a carrier tower/base station. With this information they can triangulate your location (http://www.al911.org/wireless/triangulation_location.htm). On your smartphone this is considered your “Coarse-Grain” location, as opposed to the “Fine-Grain” location that the GPS in your smartphone provides.

The second location to think about here is the location used to register/activate the phone in the first place. For American burners, they are required to call into a toll-free number and set up their new phone using a name, address, and secret password. Of course this information is not verified and can be easily spoofed. But the phone number used to activate the account is forever associated with that device.

When not to use a burner

  • hiding from a national adversary: If you think the government is after you, there’s really not much a burner phone is going to help you with. They can pull up security camera footage of when you purchased the phone, they can map all the locations in which you’ve powered on the device, they can watch the calls being made by a variety of burners and correlate them all together.
  • near your home: Every time you power up, that information is logged. If you decide to constantly turn on your device in or around your apartment, it is very easy for even local law enforcement to find you.
  • calling someone you know that does not use a burner: If all you’re going to do is call Jimmy down the street, it’s easy to correlate your activities across multiple burners because the destination address never changes. It becomes a bit harder if Jimmy changes his phone number at the same time you change yours.
  • registering for a Gmail address: you might think it’s a good idea to set up a burner to make a new email address, but while it can be, you also have to be careful with how you use that address and where you registered your phone. If you buy a phone in London, and then pretend that you’re in Brazil for all of your email correspondence, this will be a red flag for investigators. Make sure you remember what that phone will be for.

When is a burner useful

  • hiding from non-law enforcement: If your goal is to just make sure that no one you know can find your name or home address, a burner is useful.
  • registering for inconsequential accounts: If you just need to register an account, but aren’t concerned about being tracked back to its activity, you can use a burner as an alternative to registering with a pay phone or something else.

Pro tips

Based on everything we’ve discussed so far, here are some operational suggestions. Feel free to suggest more that work for you:

  1. Get feature/dumb/flip-phones rather than smart phones. iOS, Android (or whatever other OS you choose) are not interested in protecting your privacy. Feature phones have the benefit of being generally too stupid to leak information about you.
  2. Never turn your phone on in or around your home. Take the battery out when it’s not being used.
  3. Leave your phone at a place you’re going to use it to make sure it never gets turned on at your home.
  4. If possible, pay someone else to activate the phone for you. This is a way of removing yourself from the activation process completely. There are some burner trading sites on the deep web.
  5. Fill your phone with fake contacts. Each burner should look like it has a different set of contacts in it.
  6. Never save your real contacts in the phone. Put them on paper, or on a separate device, but never on the phone. This information is potentially saved on the SIM and accessible to carriers.
  7. Pad operational calls with random calls. Dial numbers you don’t know, leave messages, call tech support, send an SMS. Make it difficult to differentiate between your operations and random activities.
  8. Use a burner as little as possible before switching to the next one.
  9. If purchased from a retail store, wait at least 60 days to activate. This is usually how far back mom and pop stores keep security footage.
  10. Activate from a payphone as far away from home as possible, or at least in the area where you will be using it most often.
  11. Dispose of burner phones completely. Don’t recycle them or throw them away in your apartment garbage. They should be destroyed completely, electronically wiped, and physically wiped down.

EDIT: /u/lugh suggested some modifications.