As an RF engineer who has tested frequency spectra and radiated powers of various consumer electronics including cell phones, I've never seen a cell phone (specifically an iPhone 5, A Nexus, a Samsung Galaxy S4, and a razr flip phone) transmit with airplane mode turned off.
It's not just airplanes that could be susceptible to cell phone emissions, but back in GSM days, the number of handoffs while in flight would effectively jam the cellular network in a 200mi radius. Nowadays cell phones are much smarter and don't do that, and the EMC risk in aircraft is extremely low.
>>I've never seen a cell phone (specifically an iPhone 5, A Nexus, a Samsung Galaxy S4, and a razr flip phone) transmit with airplane mode turned off.
I think you meant "on"? If airplane mode was on, RF emissions were a strict test case executed in the lab Faraday cages where we ran new terminals through their paces prior to launch rollouts.
Correct, typo. We were specifically testing the radiated and conducted (through its charging cable) emissions from the cellphone's processors, display, etc, and needed the radios off in a reverberation chamber.
No way to tell if it's listening though. It could be silent and still be processing everything it can detect.
Who knows if there are secret commands that can be sent to it to override airplane mode settings, or instructions to do other nefarious things and broadcast once out of airplane mode.
Every radio has a signature that it's turned on by listening to its Local Oscillator. [0]
We weren't testing the presence of the LO, but instead characterizing the phone's radiated and conducted emissions from its non-phone radio functions like its processors, displays, BMS, etc. There were discrete frequencies which were certainly from oscillators, but we didn't determine whether or not that was the receiver(s') LO(s) when airplane mode was on. There are probably a dozen other oscillators within phones for memory, CPU, displays, etc. So, you might be right, but this can be tested in the right lab.
However, that might be complicated with software defined receivers that don't have a typical receiver architecture, very low level signals, and very tiny PCB traces.
He means listening to the radio. A phone might have special baseband firmware that, e.g., turns on for a minute every hour and listens for a particular coded sequence (such as the date, and a mask of serial numbers, encrypted to a key in firmware etc), which would then cause the phone to do a number of things, such as turn on the radio for rx, or tx the RSSI of nearby towers, etc. All without telling the main CPU.
Colour me dubious. If the phone is in airplane mode then the carrier doesn't know where it is. Are you suggesting they broadcast this information on all their cell towers? Or that they have a secret system to predict/guess where a dark handset might be so they can target it? Either sounds extremely unlikely.
As to the practicalities, it wouldn't need to use the carrier network, just put it in a plane. Like the plane they have circling D.C. right now, or a drone. And your location is often known approximately.
Android does this routinely with wifi listening, if not GPS. It's a feature, and you can't turn it off. Haven't tested if GPS spoofing (a debug interface) overrides that.
iPhones now do this too, privacy violation by relay to nearby iPhones, over Bluetooth and possibly with the new mm-wave radar too.
A while back, I experienced a technical problem with my carrier. As a result, my subscription stopped working. That meant that for every day I used the internet connection, I was to be charged 4 euros.
The solution was obvious: airplane mode! You know what? It didn't help. They kept charging me 4 euros a day. Then I replaced the APN in the network settings with a fake one and suddenly the daily charges were gone.
Airplane mode didn't help, some byte was still passing through.
The phone was an Android phone. The carrier refunded me right after fixing the problem (which took them a month and a half).
How? I don't think there's any way a phone could know if someone has a spectrum analyzer looking at its antennas, so it wouldn't be able to distinguish between a user enabling airplane mode because they want to vs. someone testing it.
Why? Airplane mode is a software feature right, you just don't enable whatever power transistors you use to amplify your transmission. However a receiver won't give measurable EMF, you could still listen and detect any abnormally low noise floor. You could probably even employ a heuristic like "only call home if the noise floor has been very high for at least one hour".
That would still be catastrophic for people trying to avoid tracking in demonstrations for example.
Your phone's (rootkit?) would have to passively measure the room before any remote action, that's true and reduces the utility. Still it would require accessing the sensors in the faraday cage which might make some noise.
Plenty of VM evasion stuff has been caught in the wild so it would up the game regardless, which is all you can really hope for against hackers and malicious parties. They almost always go for the easy targets who don't think of this stuff anyway.
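An added illustration of the noise-floor heuristic discussed in the comments above (this is example code written for this page, not anything posted in the thread or taken from a real handset): a phone that only transmits once it has seen a "normal" in-band noise floor for a full hour, run over constructed traces for the three situations a lab would care about. The dBm cut-offs, the sampling interval and the readings themselves are assumptions chosen for the example, not measured figures.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Cut-offs are round illustrative numbers, not measured figures (assumption).
SHIELDED_BELOW_DBM = -115.0          # readings below this look like a screened room
REQUIRED_NORMAL_SECONDS = 3600       # the "at least one hour" from the comment above


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since power-on
    noise_dbm: float  # in-band noise floor the receiver measured (synthetic here)


def looks_shielded(sample: Sample) -> bool:
    """A Faraday cage / reverberation chamber shows up as an abnormally low noise floor."""
    return sample.noise_dbm < SHIELDED_BELOW_DBM


def first_callhome_time(samples: Iterable[Sample]) -> Optional[int]:
    """Timestamp at which the heuristic first permits a transmission, or None.

    Transmission is allowed only once every reading in the trailing
    REQUIRED_NORMAL_SECONDS window was above SHIELDED_BELOW_DBM; a single
    shielded-looking reading resets the window, so the phone stays silent
    for at least an hour after entering a chamber-like environment.
    """
    run_start: Optional[int] = None
    for s in samples:
        if looks_shielded(s):
            run_start = None
            continue
        if run_start is None:
            run_start = s.t
        if s.t - run_start >= REQUIRED_NORMAL_SECONDS:
            return s.t
    return None


def synthetic_trace(segments: List[Tuple[int, float]], step: int = 60) -> List[Sample]:
    """Build a trace from (duration_seconds, noise_dbm) segments. Constructed data only."""
    out: List[Sample] = []
    t = 0
    for duration, noise in segments:
        for _ in range(0, duration, step):
            out.append(Sample(t, noise))
            t += step
    return out


def straight_into_chamber() -> Optional[int]:
    """Phone powered on inside the screened room and left there for four hours."""
    return first_callhome_time(synthetic_trace([(4 * 3600, -125.0)]))


def normal_then_chamber() -> Optional[int]:
    """Two hours on an open bench, then two hours in the screened room."""
    return first_callhome_time(synthetic_trace([(2 * 3600, -102.0), (2 * 3600, -125.0)]))


def chamber_with_injected_noise() -> Optional[int]:
    """Screened room, but a noise source inside it raises the floor to a street-level value."""
    return first_callhome_time(synthetic_trace([(2 * 3600, -101.0)]))


if __name__ == "__main__":
    print("straight into chamber:", straight_into_chamber())
    print("normal, then chamber:", normal_then_chamber())
    print("chamber with injected noise:", chamber_with_injected_noise())
```

The first case is the one that would defeat a naive emissions test: put the phone in the chamber and it never meets its own precondition, so nothing is seen. The second shows that the phone would already have transmitted on the bench, outside the chamber, which is why the measurement has to cover the whole session. The third is the practical counter a lab can apply: raise the noise floor inside the chamber with a controlled source so a heuristic of this kind sees a "normal" environment and eventually fires where the analyzer is watching.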