Back in 2004, when the NSA allegedly first gained the ability to remotely turn on cellphones, the answer may have been yes. When some so-called "feature phones" were powered off, their baseband chips still communicated with cell towers operated by carriers such as AT&T or Verizon Wireless. Only when the batteries were removed from such phones did the baseband truly turn off.
So do today's smartphones - many of which, such as iPhones, have no removable batteries - also keep their basebands on when the handsets are powered down (not just in resting mode in a pocket)? It's very unclear. Jonathan Zdziarski, a Boston-area independent security expert who specializes in retrieving information from iPhones, says that today's baseband chips may very well remain active even when a phone is powered down.
"The baseband has to be programmed to remain in a ready state while the device is powered off," Zdziarski told Tom's Guide. "I can't tell you with any certainty if that's how the iPhone baseband is programmed."
"The baseband could be programmed so, while the power source is connected, it stays in a ready mode," he said. "That seems to be at least a plausible assumption based on, and only based on, a number of other articles citing FBI and CIA and the agencies that have been able to locate these devices while they're turned off."
It's difficult to be certain whether a modern smartphone's baseband chip remains on in some capacity when the phone is switched off. Baseband chips are made by a handful of companies and run closed, proprietary code that few outsiders have access to.
It's also possible that even if baseband chips don't always stay on by default, the NSA may have found ways to push out tailored firmware updates to targeted cellphones to make sure the baseband chips do stay on for those particular handsets.
Rounding the basebands

That brings us to the next question: If the baseband chip somehow stays on, could you contact it and command it to turn on the rest of the phone, including the smartphone operating system, so that the phone can be used as a listening device? Does the baseband chip have that capability?
Connecting to the baseband in the first place is not difficult. There are plenty of ways to trick a phone into connecting with a malicious tower instead of with a carrier's tower. The FBI has a tool for this called the Stingray; it's been common knowledge for years, and similar methods have been demonstrated at hacker conferences.
But once you're connected to the targeted phone, how do you gain control of the baseband processor?
"The code in baseband processors is crap," wrote Graham. "It's relatively easy to find vulnerabilities that can be used to take control of the baseband processor ... The code is so fragile it's hard not to find a bug in it."