Your Phone Is Still Tracking You — Even After You Press “Power Off”
Apple confirmed it. Google built it in. The NSA exploited it since 2004.
When you press “power off,” your phone doesn’t actually stop. Here’s what’s still running — and who’s listening.
Your iPhone keeps broadcasting Bluetooth signals for 24 hours after you “shut it down.” Google Pixels do the same. The NSA has been tracking “off” phones since 2004.
This isn’t paranoia — it’s documented in leaked classified materials, confirmed by Snowden, and proven by university researchers who loaded malware onto a phone’s Bluetooth chip while it was powered off. The shift to non-removable batteries means you can’t even pull the plug anymore. Here’s everything you need to know — what’s actually happening inside your phone, who’s exploiting it, and what you can actually do about it.
🧠 The Secret Second Computer Inside Every Phone — Your Baseband Processor
Think of your phone as two separate computers sharing one body. You control one. You have zero access to the other.
The Application Processor (AP) runs iOS or Android — the screen, apps, everything you see and touch. The Baseband Processor (BP) handles all cellular communication and runs its own secret operating system with its own CPU and RAM. You can’t see it. You can’t update it. You can’t turn it off independently.
Why this matters: If someone hacks the baseband, they own your phone at a level deeper than any antivirus can reach. Your visible OS doesn’t even know it happened.
| Baseband | Who Uses It | Known Issues |
|---|---|---|
| Qualcomm (QuRTOS) | Every iPhone since iPhone 12, most Android flagships | First open-source fuzzing tool (Hexagon-Fuzz) only released in 2025 — that’s how under-researched this is |
| Samsung Shannon | Galaxy S22, Pixel 6/7, Vivo phones | Google found 18 zero-days in 2023 — 4 allowed full remote takeover with just your phone number |
| MediaTek (Nucleus RTOS) | Budget/mid-range Android phones | Researchers proved a hacked modem could take over the entire phone |
The scariest finding: Researchers in 2024 discovered 873 hidden undocumented commands in Samsung’s baseband. A forthcoming 2026 paper found 6 flaws affecting 466+ smartphone models. Nobody outside these chip companies fully understands what their basebands are doing.
Can the baseband talk to cell towers when your phone is “off”? Under normal conditions, no — the main processor controls the baseband’s power state. But a compromised baseband could theoretically ignore shutdown commands. On older phones, the baseband would wake up every ~10 minutes to check for texts even when “switched off.” Intelligence agencies have exploited both facts.
📱 What 'Powered Off' Actually Means on a Modern iPhone
Think of it like a building where the lights are off but the security cameras are still recording. The main system sleeps — but three wireless chips stay wide awake.
When you slide to power off an iPhone (iOS 15+), it enters Low Power Mode (LPM) — not a true off state:
| Chip | What It Does While “Off” | How Long |
|---|---|---|
| Broadcom Bluetooth | Broadcasts Find My beacons using cryptographic keys from your Apple ID | 24 hours after manual shutdown |
| NXP NFC Controller | Keeps transit cards, student IDs, and Express Mode payments working | 5 hours after battery dies |
| Apple U1 Ultra-Wideband | Maintains ranging capabilities for car keys and precision finding | Until battery fully depletes |
Nearby Apple devices (from a network of 2.35 billion active devices) detect these Bluetooth broadcasts and silently relay your phone’s encrypted location to Apple’s servers. Your “dead” phone is findable on a map.
The “Evil Never Sleeps” bombshell (TU Darmstadt, 2022): Researchers proved the Broadcom Bluetooth firmware is neither encrypted nor signed. They loaded custom malware onto the Bluetooth chip that executed while the iPhone appeared completely powered off. Because LPM is implemented in hardware, no software update can fix this.
All three LPM-active chips have direct access to the Secure Element where your credit cards and car keys are stored — a theoretical path to steal payment data from a “dead” phone.
Android is different — mostly. Standard Android phones genuinely power down all radios on shutdown. The exception: Google Pixel 8+ (2023 onward) stores location beacons in the Bluetooth controller and remains findable for several hours after shutdown via Google’s Find My Device Network. A 2025 paper found unresolved security vulnerabilities in Google’s protocol, including a way to turn any device into a tracker.
🕵️ NSA & GCHQ: Confirmed Capabilities Against 'Off' Phones
This isn’t speculation. These are documented programs from leaked classified materials and direct whistleblower testimony.
“The Find” (2004): The NSA developed a technique to locate cellphones even when powered off. JSOC troops used it to generate thousands of targets in Iraq.
The NSA ANT Catalog (leaked 2013): A 50-page classified document describing hardware/software implant tools:
| Tool | What It Did | Cost |
|---|---|---|
| DROPOUTJEEP | iPhone implant — geolocation, hot mic, camera capture, covert data extraction | Classified |
| CANDYGRAM | Portable fake cell tower | $40,000 |
| TOTEGHOSTLY 2.0 | Full remote control of Windows Mobile devices | Classified |
| GOPHERSET | SIM card exploitation toolkit | Classified |
The GCHQ SMURF Suite (confirmed by Snowden on BBC Panorama, 2015):
| Smurf | What It Does |
|---|---|
| DREAMY SMURF | Turns your phone on and off without you knowing — creates a “fake off” state |
| NOSEY SMURF | Activates your microphone and listens even when the phone appears switched off |
| TRACKER SMURF | Locates you with greater precision than standard cell tower triangulation |
| PARANOID SMURF | Erases all evidence of the other Smurfs |
These tools were deployed via WARRIOR PRIDE — a mobile exploitation platform delivered through encrypted SMS hidden from the user.
Snowden told Joe Rogan that CIA operatives in Geneva carried “drug dealer phones — old dumb phones with removable backs where you could take the battery out” specifically because intelligence agencies could track sealed modern phones even when off. People who understand surveillance trust only physical battery removal.
Supply chain interdiction is also confirmed: leaked NSA documents describe intercepting equipment shipments, installing implants, repackaging, and forwarding to the original destination. A photograph of NSA employees opening a Cisco router during this process was published by Glenn Greenwald. Cisco’s CEO personally complained to President Obama.
💀 Commercial Spyware — Pegasus, Predator & the Market for Your Data
Think of it as a private surveillance industry where governments buy hacking tools the way you buy software subscriptions — except each “license” costs as much as a house.
| Spyware | Price | What It Does | Survives Reset? |
|---|---|---|---|
| NSO Pegasus | ~$25,000/target | Reads texts, intercepts calls, captures passwords, activates mic/camera, harvests data from Signal/WhatsApp/Telegram | No — factory reset removes it |
| Cytrox Predator | ~$8 million / 100 targets | Persists via iOS Shortcuts automation — triggers when you open Safari, WhatsApp, or Signal | Partial |
| QuaDream REIGN | $2.2 million / 50 targets/year | Zero-click iOS calendar exploit | Ceased operations April 2023 |
| Hacking Team RCS | Varied | Included the first real-world UEFI BIOS rootkit — survived OS reinstalls on PCs | Yes (BIOS-level) |
Pegasus has been documented targeting journalists in 45+ countries. It reads everything — Gmail, WhatsApp, Telegram, Signal. But it operates at the OS level, not firmware. No public evidence confirms it working during a genuine powered-off state.
The baseband itself can be modified. Open-source tools already demonstrate modifying Qualcomm LTE modem firmware in C. If a state actor gains baseband-level access, they could theoretically keep the modem transmitting during apparent power-off — this is the mechanism behind “The Find” and the SMURF suite.
📡 IMSI Catchers, Ultrasonic Tracking & BLE Surveillance Networks
IMSI catchers (like the Stingray) are fake cell towers that force your phone to connect and reveal its identity. Think of them as a fake WiFi hotspot — but for cellular networks. Over 75 US law enforcement agencies across 25+ states have purchased these devices, and body-worn models exist since 2013. Multiple courts have ruled their use requires a warrant.
Ultrasonic cross-device tracking: Between 2015-2017, the SilverPush SDK embedded inaudible sounds (>18kHz) in advertisements. Phone apps with the SDK listened via the microphone and linked your TV viewing to your phone identity. By 2017, 234 Android apps contained these ultrasonic beacons. Researchers demonstrated Tor user deanonymization using this method. A 2018 paper showed tracking could work through the phone’s gyroscope with zero permissions required.
BLE tracking networks now blanket the globe:
| Network | Devices |
|---|---|
| Apple Find My | 2.35 billion |
| Samsung SmartThings Find | 300+ million |
| Google Find My Device | Billions of Android devices |
Your phone silently reports the locations of other people’s lost devices to cloud servers. Researchers built a $5 ESP32-based tracker that piggybacked on Apple’s network for 5+ days without triggering any anti-stalking notification.
Every Bluetooth chip has a unique hardware fingerprint from manufacturing imperfections — allowing passive identification and tracking of specific devices even when MAC addresses are randomized.
🔋 Non-Removable Batteries: Why You Can't Just 'Pull the Plug' Anymore
The last removable-battery flagship from Samsung was the Galaxy S5 (2014). LG’s V20 (2016) was the last from any major brand. By 2019, virtually no new smartphone had user-removable batteries.
The engineering reasons are real — waterproofing, thinner designs, larger capacity. No evidence exists of any government mandate requiring sealed batteries. But the surveillance implications are profound: Apple holds a patent (2016) describing a phone that quietly powers up at intervals, transmits location data, then shuts back down.
Phones with removable batteries still available:
| Device | Price | Notes |
|---|---|---|
| Samsung Galaxy XCover 7/7 Pro | $300-500 | IP68, MIL-STD-810H |
| Fairphone 6 | $839 | Modular, 8-year support |
| PinePhone | $200 | Linux privacy phone |
| Purism Librem 5 | $699-1,999 | Hardware kill switches |
| Nokia feature phones | $50-100 | Multiple models |
EU Battery Regulation (effective Feb 2027) requires removable batteries — but a loophole for waterproof devices may let manufacturers dodge it.
🔐 Hardware Kill Switches — The Strongest Verified Countermeasure
The Purism Librem 5 has three physical slide switches that cut actual power (not software signals) to WiFi/Bluetooth, cellular modem, and cameras/microphone. When all three are engaged simultaneously (Lockdown Mode), it also disables GPS, accelerometer, gyroscope, barometer, and proximity sensor.
Why disabling sensors matters: Princeton’s PinMe research (2018) proved a phone can track your movement using only the accelerometer and barometer — sensors that work perfectly inside a Faraday bag. Only the Librem 5’s Lockdown Mode addresses this.
The PinePhone ($200) has six DIP switches under the back cover controlling modem, WiFi, Bluetooth, microphone, and both cameras.
Critical gap: No independent RF spectrum testing of either phone’s kill switches exists in peer-reviewed literature. A hardware engineer cautioned that some chips can draw running current through parasitic paths even without main power applied.
🧪 Faraday Bags — What the Testing Actually Shows
Matt Blaze (Georgetown University) tested bags with lab-grade equipment at 1-6 GHz:
| Product | Result |
|---|---|
| EDEC OffGrid / Mission Darkness ($40-80) | Excellent — sufficient for real-world signal isolation |
| Mylar/ESD bags | ~9 dB attenuation — essentially useless |
| Heavy-duty aluminum foil | Works “under ideal circumstances that are difficult to replicate” |
| Metal tins | Inconsistent |
Three limitations most guides miss:
- PinMe attack: Phone tracks movement via accelerometer/barometer inside the bag, transmits when removed
- Timing correlation: Faraday bag creates a suspicious gap in carrier records — analysts can infer your travel
- Battery drain: Phone without airplane mode transmits at max power searching for signal, killing the battery
Correct protocol: Airplane mode ON → hardware kill switches (if available) → tested commercial Faraday bag. Or better: remove the battery entirely.
⚖️ The Legal Landscape — More Tracking Than You'd Think Is Legal
| Law/System | What It Enables |
|---|---|
| CALEA (1994) | Carriers must build lawful intercept capabilities into networks — China exploited this exact infrastructure in the 2024 Salt Typhoon breach |
| FCC E-911 | Mandates ±3 meter indoor vertical accuracy — effectively requires location hardware in every US phone |
| Carpenter v. US (2018) | Historical cell location needs a warrant — but doesn’t cover real-time tracking or national security |
| Russia SORM | FSB gets direct telecom access without showing warrants to carriers |
Carrier data retention: AT&T keeps your call/location records for 7 years. T-Mobile for 2 years. Verizon for 1 year.
🛠️ Open-Source Tools for the Privacy-Conscious
| Tool | Purpose | Status |
|---|---|---|
| GrapheneOS | Privacy mobile OS for Pixel phones — treats baseband as untrusted | Very active, daily commits |
| Rayhunter (EFF) | IMSI catcher detection on Orbic hotspot | Most accessible current option |
| QCSuper | Captures raw 2G/3G/4G radio frames from Qualcomm modems | Active (v2, 2024) |
| Binwalk v3.1 | Firmware analysis (rewritten in Rust, 2024) | Active, ~13.6k stars |
| Ghidra | NSA’s own reverse engineering framework | Very active, ~53k stars |
| PCAPdroid | Captures all Android network connections without root | Active, ~2.5k stars |
| NetGuard | Per-app firewall for Android | Active (Oct 2025) |
| Haven | Physical security monitoring via phone sensors | Maintained, ~6.8k stars |
| Briar | Encrypted messaging that works offline via Bluetooth/WiFi mesh | Active, ~3k stars |
| OpenHaystack | Reverse-engineered Apple Find My protocol for research | ~8k stars |
The biggest gap in the ecosystem: No working, user-friendly IMSI catcher detection exists for modern smartphones. The best options are EFF’s Rayhunter (runs on a separate device) or manual SDR monitoring with GNU Radio + RTL-SDR dongle ($20-30).
🎯 What's Actually Realistic at Your Threat Level
Average person: Your carrier already logs your location and keeps it for years. Ad networks track you via device IDs and Wi-Fi probes. Powered-off tracking isn’t your problem — everyday data collection is.
Do this: Review app permissions. Use Signal. Keep software updated. Use a VPN.
Targeted individual (journalist, activist, lawyer): Commercial spyware is the primary threat. Pegasus costs ~$25,000/target and has hit journalists in 45+ countries. IMSI catchers can locate you within 6 feet.
Do this: GrapheneOS on a Pixel with LTE-only mode, or iPhone with Lockdown Mode. Signal with disappearing messages. Faraday bag for sensitive meetings. Check for compromise with Amnesty’s Mobile Verification Toolkit.
Nation-state target: The full spectrum applies — zero-click exploits, baseband attacks, supply chain interdiction, aircraft-mounted IMSI catchers, SMURF-class fake power-off states. No phone is safe.
Do this: Leave phones behind for sensitive activities. Librem 5 with hardware kill switches for verifiable radio silence. Never co-locate a burner phone with your primary device. Accept that the goal shifts from preventing surveillance to raising its cost.
Quick Hits
| Want | Do |
|---|---|
| → GrapheneOS on a Pixel, LTE-only mode | |
| → Librem 5 with all 3 kill switches engaged | |
| → EFF Rayhunter on Orbic hotspot | |
| → EDEC OffGrid or Mission Darkness ($40-80) | |
| → PinePhone ($200) or Samsung XCover 7 ($300) | |
| → Don’t carry an electronic device at all |
The uncomfortable truth: if you need absolute certainty you’re not being tracked, the only reliable option is to not carry an electronic device. Everything else is raising the cost of surveillance — not eliminating it.

!