How is the FBI remotely turning on mics from people's cellphones?

11  2012-03-21 by [deleted]

Old article: http://news.cnet.com/2100-1029-6140191.html - Funny how I asked this on /androiddev and got downvoted big time

  • Is this done on the hardware level or do software companies like Google have a backdoor in the Linux kernel?

  • If the phone can be turned on with the phone turned off, what does this mean as far as how it works? Is there a program running in the background at all times, a separate OS with one daemon just listening for a request to turn on?

  • If you had to guess, who are the real culprits of this for today's time, would it be the hardware guys like LG and Samsung who set this up or is it done on the software side first such as what Google makes with Android?

  • How can I research this further to prove this is true and can be done? What would be needed to shed some light on this issue as far as demonstrating that this is possible... doesn't have to be a full demo...

25 comments

Is this done on the hardware level or do software companies like Google have a backdoor in the Linux kernel?

The back door is in the mobile baseband firmware. This is the chip that processes the signaling commands from the telephone network. None of that is up in the application processor in smartphones.

If the phone can be turned on with the phone turned off, what does this mean as far as how it works? Is there a program running in the background at all times, a separate OS with one daemon just listening for a request to turn on?

Yes. See above.

would it be the hardware guys like LG and Samsung who set this up or is it done on the software side first such as what Google makes with Android?

It's the "hardware guys" who make the mobile baseband chips.

How can I research this further to prove this is true and can be done?

The first place I saw this confirmed in the press was an FBI mob prosecution where a dumb-phone was used as a "roving bug." There have been other confirmations of this capability. Ironically, the more recent ones are about how you should not trust your phone when visiting China and other places with active spying ops.

If the battery is removed, would this tech still work?

Ex-military intelligence analyst here, worked particularly with electromagnetic intelligence, and I can verify this is true. Hypothetically anything that sends/receives an electromagnetic signal can be 'hacked'. Take an ATM machine for example. If you attached a highly sensitive sensor near the cabling, you could intercept any data-links that were not protected, decrypt them and have access to all the financial transaction data. If the battery is in, the phone's receiver will still be capable of receiving transmissions.

I was just asking if you could turn on a mic if the cell phone has no battery.

No you cannot.

Even if there is no battery installed, it is possible that you could pick up the information from the microphone. The Soviets did just such a thing. It is unlikely but possible to operate a battery-free bug because the motion of the air against the microphone creates voltage all by itself.

It isn't even this complex. The bugging software is built right in, and the telcos cooperate in turning it on.

No, without a battery, no bugging.

And you might detect it if your battery drains mysteriously, especially on a dumb-phone without clever free apps that wake up and download ads. But there really is no way to tell for sure unless you wired your battery to an ammeter and watched for the phone to start using power when it is "off."

How do I wire my battery to an ammeter?

The back door is in the mobile baseband firmware. This is the chip that processes the signaling commands from the telephone network. None of that is up in the application processor in smartphones.

OK. And my question is... is this a backdoor only for US authorities, or can other countries do it?

Also, is it just FBI/CIA/MI5. Or can police do it? Do you just need the phone number, and some special hardware, or is it like a special code + phone number + special equipment?

Is it the kind of thing that organised criminals could access, theoretically...? I'm having a hard time understanding the specifics of this....... I haven't seen this confirmed anywhere other than the FBI "roving bug" media report, which is really just a media report, and gave no technical specifics.

OK. And my question is... is this a backdoor only for US authorities, or can other countries do it?

That is a VERY interesting question. My somewhat educated guess is that the commands for turning on a roving bug are only protected through "security by obscurity" and there is no encryption or authentication beyond what it takes to get the phone on the network.

This stuff is in a grey area. It isn't what telcos call "Lawful Intercept" (LI), which is something the network does. LI is written into law, and, while the implementation details are restricted, ALL network equipment makers must implement this.

And yet, a roving bug requires the network to send special signaling to make it work. That means that most of the network equipment providers, who sell worldwide, know how to do this. And, being an element of legitimate police investigations, I doubt it could be embargoed from, for example, the Chinese. So, it's more secret than LI, but there is good reason to think it is almost as widely available and widely used.

As for "bad guys" accessing this... The bad guys would have to run the telco or the law enforcement agency.

I doubt anyone has ever done this as a "rogue." That would take knowledge of soft-radio, GSM signalling, and designing an attack that would reveal what is the control signaling for roving bugs. Never say never, but it is much more likely a dirty cop would use this than a common criminal.

And yet, a roving bug requires the network to send special signaling to make it work. That means that most of the network equipment providers, who sell worldwide, know how to do this.

...

The bad guys would have to run the telco or the law enforcement agency.

Surely, a regular person could know someone at the phone company/equipment provider/government agency, and have them spy on someone for them. I see no reason why not.

It all depends what this "special signal" is... whether it's a constant signal, or whether it changes over time... I mean, if it's just a signal/device which you can use to do this... I can definitely imagine a common criminal/well-connected person getting hold of this technology... I see no reason why not... Corrupt people are everywhere... News International bribed British police, despite not being actual police... Human corruption is everywhere... You wouldn't have to run the agency/telco... You'd just have to know someone there.

Good point re the News scandal, although that wasn't as hi-tech as turning on roving bugs. I was thinking more along the lines of some tin-pot dictatorship where the ruler's cousins run both the telco and your local competitor.

You probably got downvoted in the Android subreddit because this article doesn't mention any OEMs that make Android phones. I'm fairly certain if there were a back door in the kernel or something like that it would be discovered by now since it's open source and practically needs to be re-written for every single different device. Surely the mod community would have found a vulnerability such as this by now. It would be possible for OEMs to install some other small application to allow back door access like this but again, you could protect yourself by installing your own version of the OS from the mod community.

Carrier IQ is a privately-owned mobile software company founded in 2005 in Mountain View, California... On November 12, 2011, researcher Trevor Eckhart stated in a post on androidsecuritytest.com[14] that Carrier IQ was logging information such as location without notifying users or allowing them to opt-out...

http://en.wikipedia.org/wiki/Carrier_IQ

Carrier IQ, the carrier-sanctioned keylogger and activity monitor that has been confirmed to exist on Android devices, on AT&T and Sprint networks, has been found in iOS. In our post yesterday, we wrongly assumed that Carrier IQ was something that carriers added to smartphones — but now it’s clear that Apple bakes Carrier IQ into its closed-source iOS for use by carriers.

http://www.extremetech.com/computing/107427-carrier-iq-which-phones-are-infected-and-how-to-remove-it

Carrier IQ Part #2 http://www.youtube.com/watch?v=T17XQI_AYNo

iPhone, Blackberry and Gmail users are all screwed http://www.youtube.com/watch?v=pM0YWRYaB_c&feature=related

and this http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/ (go to 1:22)

CarrierIQ does tons of sketchy shit, but roving bugs isn't one of them.

Prove it.

Meh. I know lots of people who work there. I wouldn't work on that stuff because I find it unethical.

But I do know they don't do voice bugging. You should believe that because the roving bug technology long predated CarrierIQ, and was built by TI and other chip makers in the mobile baseband chip business.

You have no proof that they don't do voice bugging. All you have is a claim that you know people working there.

And you don't know handset hardware. You are talking out your ass.

Bullshit, slick. The mic on an Android phone is just like the mic on a laptop. It is a device in the /dev directory and can be addressed in the same way that you would on a desktop computer running Linux. CarrierIQ is installed with root privileges and can easily record anything from the mic, compress it, and send it home to momma.

Clearly, if you don't think that this is true, then you are the guy who doesn't know handset hardware, or Linux.
