Data Exfiltration on a Mass Scale

in surveillance •  7 years ago 

As if we weren't already living in a dystopian non-fiction...

The Idea

Initial Thought

Phone data exfiltration using receive-only SDRs.
That's it. That's the thought that started it all.
I was listening to a podcast by James Leyte-Vidal involving integrating Software Defined Radio into penetration testing/analysis, and this was a mentioned concept. Essentially, you take advantage of the fact that cell phones will transmit a (usually limited) amount of data given that they have an appropriate transmitter. To some extent, the data that is received can be filtered through enough tweaking, but I strongly doubt it is possible to get exactly what you want/need based on my current understanding of the subject. 

In any case, there is the issue of eavesdropping from another party (spying on the spy and stealing from the thief) and getting the victim to connect a transmitter to their phone in the first place.

*sigh*

Expansion 

Being the sneaky little PoS that I am - and being strongly influenced by the possibility of constant surveillance and paranoid friends I was recently exposed to - I started to think of ways to expand this concept into something that is actually useful for larger corporations and governments.

The initial thought of plausible transmitters came from a classmate who proposed hiding a transmitter inside a power bank and handing it out to people I wanted to spy on. This is cool and actually feasible, but I am not a large corporation/government, and I think that if I was, this would be pretty useless unless I was doing very targeted surveillance. Who has time for that? 

The more efficient way of successfully getting data (even from visitors) would be to embed the transmitters into the wiring of a building. Again, this is assuming the attack is not targeted towards a specific person and instead focuses on another company or organization with a static location. 

Limits

The nature of this exfiltration technique makes it completely useless against Faraday cages. If someone significantly better at physics than I am can figure out how to compress radio waves into the wavelengths of gamma and X-rays prior to retrieval, that would be great. Getting through the crystal lattice is possible, just not in the natural state of the data exfiltration transmission waves.

This assumes you have enough power/money/influence to actually embed things into the wiring of the building. I am an insignificant college student, so this would not be possible for me; but if you either own or have influence on an electrical company, this would be great for you.

The Process

On a Basic Level

Starting from the initial thought of single phone data exfiltration, let's see how the idea would play out. 

To begin, you would have to choose an appropriate SDR (or I guess make your own, if that's your thing, but...unless you REALLY need to, um...why?). Keep in mind that real-time processing is a requirement. For the initial single-device monitoring, you don't really need to think about this; but if you are using a low-power device or listening to more than a few devices, really think about your limits. 

For data visualization, GQRX (SDR: network remote control and UDP streaming, I don't know why I placed it here), rtl_power and heatmap.py are great for Linux users.
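The same rtl_power output is what a defender would use to survey a building for transmitters that should not be there. The following is an added example, not code from the original post: it compares a survey sweep against a known-quiet baseline and lists frequency bins that got louder. It assumes rtl_power's CSV row layout (date, time, Hz low, Hz high, Hz step, samples, then one dB value per bin); the sample rows and the 10 dB threshold are constructed for illustration.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample sweeps (not real captures) in rtl_power CSV layout:
# date, time, Hz low, Hz high, Hz step, samples, dB, dB, ...
BASELINE = """\
2024-01-01, 02:00:00, 433000000, 433400000, 100000.00, 1024, -60.1, -59.8, -60.4, -60.0
2024-01-01, 02:00:10, 433000000, 433400000, 100000.00, 1024, -59.9, -60.2, -60.1, -59.7
"""
SURVEY = """\
2024-01-02, 14:00:00, 433000000, 433400000, 100000.00, 1024, -60.0, -59.9, -41.2, -60.1
2024-01-02, 14:00:10, 433000000, 433400000, 100000.00, 1024, -60.3, -60.0, -40.8, nan
"""


def mean_power_by_bin(text):
    """Return {bin start in Hz: arithmetic mean of its dB values} over all sweeps."""
    sums, counts = defaultdict(float), defaultdict(int)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line
        hz_low, hz_step = float(row[2]), float(row[4])
        for i, cell in enumerate(row[6:]):
            try:
                db = float(cell)
            except ValueError:
                continue  # unparsable cell
            if math.isnan(db):
                continue  # bin with no usable measurement
            freq = int(round(hz_low + i * hz_step))
            sums[freq] += db
            counts[freq] += 1
    return {f: sums[f] / counts[f] for f in sums}


def new_emitters(baseline_csv, survey_csv, threshold_db=10.0):
    """List (freq_hz, baseline_db, survey_db, delta_db) for bins that rose by
    at least threshold_db, plus bins the baseline never covered (None fields)."""
    base, now = mean_power_by_bin(baseline_csv), mean_power_by_bin(survey_csv)
    hits = []
    for freq in sorted(now):
        if freq not in base:
            hits.append((freq, None, now[freq], None))
        elif now[freq] - base[freq] >= threshold_db:
            hits.append((freq, base[freq], now[freq], now[freq] - base[freq]))
    return hits
```

Calling `new_emitters(BASELINE, SURVEY)` on the constructed data reports the single bin starting at 433.2 MHz; a baseline taken while the emitter is already installed would hide it, so the baseline has to come from a known-clean period.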

The transmitter would be embedded into a power bank. Of course, make sure everything is configured correctly before you let it go with your victim. Also keep in mind that you must be within range of transmission ideally at all times. 

Modifying to Fit Our Needs

What are our needs?

For the purpose of this, I am assuming the reader is a random person in charge of a surveillance project against a company or organization. Obviously, you can't hand everyone a compromised power bank and hope they actually use it and stay within range for proper transmission. Knowing as much as possible about your target is a must in this case, maybe not as much as in the case of dictionary creation for password cracking in less than a minute, but it's pretty up there. You need to know where their buildings are, who performs electrical repairs, the respective weaknesses of the companies that perform these repairs, what building and renovation plans they have, and what hotels their staff is staying at AT ALL TIMES. As a consequence, you also have to know who holds influence over the involved hotels or external venues.

In this specific plan, we will embed the transmitter into every outlet, especially if these outlets are for USB connections (encourage this as a "forward-thinking innovation" in the office). The only possible issue would be power-only cables being in use, but people don't tend to think about this, and the default phone cables DO transmit data, so this shouldn't be much of an issue, really. 

The receiver must be within range, so if possible, rent a warehouse close to the building or include a receive-and-store device in your plans that you can retrieve in regular "maintenance" periods.

The idea behind this is monitoring an entire building and its visitors wirelessly and with little possibility of detection. There are obviously better ways to spy on a building, but if this is a possibility and it works for someone, why not?

Sample Run-Through

Take 44 Vjunet Street, for example. 

You can set up shop at Vsocide Kitchen around the corner (or rent a room in the building). Knowing that the ONLY electrical company allowed to do work in the building is named Jahj U'Lepi Electric Company, you can do some recon on the electrical company itself and figure out that the holder of its transaction record passwords is a 28 year old named [REDACTED] etc. etc. and eventually find your way into either "influencing" or sneaking into the company's actions to successfully place the transmitters. 

You would have to make sure to set up a way to avoid third-party eavesdropping (if you care about that at all), but it would probably be too much of an inconvenience, and I am assuming your levels of morality are pretty low anyway, so I won't bother with this part of the writing.
