Telcos

Locating cell-phone owners the non-GPS way

Using GPS, a cell phone can be located within a few feet. So why are researchers concerned about locating a cell phone by its association with a specific cell tower?

It's possible for an attacker to know the location of a victim's cell phone within a square kilometer -- typical cell-tower range. And, obtaining this information does not require any alteration of the cell phone or participation of the cell-phone's owner. All that's required is the cell phone's number.

I first learned about this particular exploit watching the local Fox9 news. The announcer explained that researchers Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim from the University of Minnesota, figured out how attackers can locate a cell phone by exploiting the cellular network.

I read the team's research paper: Location Leaks on the GSM Air Interface, but my scribbled list of questions was way longer than normal. In a minor epiphany, I realized this was a perfect opportunity to get a better understanding of how cellular networks function and get the scoop on the exploit. Besides, I was going to the U for a class anyway. To set up an appointment, I called lead researcher Denis Foo Kune, who patiently answered all my questions.

Kassner: The paper mentions:

"Base stations such as cellular networks have to track subscribers to ensure adequate service delivery and efficient utilization of limited radio resources. For example, an incoming voice call for a mobile station requires the network to locate that device and allocate the appropriate resources to handle the resulting bi-directional traffic."

When does tracking start and how accurately can cellular networks locate a mobile device?

Foo Kune: Tracking starts when the phone is turned on. It contacts a nearby cell tower and registers with the network through that tower. From that point on, the network keeps track of the device as it moves. It does so by locating the cell phone within a group of towers in a geographic area.

Kassner: The following slide depicts a basic cellular network.

There are three components I should define:

  • Visitor Location Register (VLR): Is in charge of one or more areas that mobile stations may roam in and out of. This entity handles the temporary IDs (TMSIs) of the mobile stations.
  • Base Station System (BSS): Is a network of Base Station Transceivers (BTS) and controllers (BSC) responsible for communicating directly with the mobile station.
  • Mobile Station (MS): Is the mobile device carried by the user. It is composed of the actual device and a Subscriber Identity Module (SIM).

I think I have all the pieces, could you explain how a cellular network knows where a particular mobile device is?

Foo Kune: When the call comes in, the network uses the Home Location Register (HLR) to translate the phone number into a unique ID. The system then tries to determine which geographic area the phone is likely to be in. Each of those areas is managed by a Visitor Location Register (VLR).

Once the VLR responsible for the target area is found, that VLR instructs all the towers within its region to broadcast a message with the phone's ID, asking that phone to contact its nearest tower.

Kassner: The paper goes on to mention there is significant traffic besides phone calls traversing the GSM Air Interface. The transmission channels of interest to us are:
  • Paging Channel (PCH): The downlink broadcast channel that every idle phone in the location area listens to. This is where the network sends the paging request that carries the phone's ID, and anyone with a receiver tuned to it hears the same pages.
  • Random Access Channel (RACH): The shared uplink channel a phone uses to answer a page and ask the tower for a dedicated channel.
  • Standalone Dedicated Control Channel (SDCCH): A dedicated, bi-directional signalling channel that the BTS assigns to a single phone after its access request, used for the rest of the call setup.

If I understand correctly, it is these channels that leak information about the cell phone's location and anyone can access the information:

"Location leaks in the communication protocol would mean that even entities with no access to the location database would be able to infer some location information from target users."

I have two questions. What exactly are location leaks?

Foo Kune: Location leaks are the broadcasted messages from the towers that can give an attacker hints if the victim's phone is in the area.

The cellular-service provider keeps a database of where phones are likely to be, so that it can find them when there is an incoming call. This attack leverages the behavior of the service provider to find the victim's phone.

To find the phone, the service provider has to send some specific messages with a specific pattern. Those messages and patterns can be recognized by an attacker to determine if the victim's phone is close by.

Kassner: To help explain the exploit, Denis and the team created a YouTube video.

The following slide shows the test equipment used in the video.

What role did the Osmocom Project play in your research?

Foo Kune: The Osmocom Project was critical in our study. It allowed us to hear all the messages that would typically be filtered out in a normal phone. Those include all the broadcast messages from the towers trying to locate the victim's phone.

Kassner: What can be done to prevent this type of tracking?

Foo Kune: The tracking methods we studied use behaviors from the service providers themselves, so the solutions reside on the service-provider's side. Our work does not directly look at the defenses from the user's side, although it is always possible to turn the phone off when not in use.

Kassner: The paper mentioned that you have a way to anonymize the traffic from the mobile set. How important is that? Also, I read this exploit only works on GSM. Aren't most mobile devices using more modern cellular technology?

Foo Kune: The anonymization techniques described in the paper are very important to protect the location privacy of the users. We propose to generate a certain amount of decoy traffic, along with reordering of messages and frequently changing the ID used by the phone. Those methods should make it difficult for an attacker to find the victim's phone.

The method studied in this paper looked at the GSM network only because our system could only listen to the GSM network. Parts of the method could be applicable to the UMTS (3G) or LTE (4G) network as well, since they all have broadcast messages to find phones that are roaming around.
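Two points from the interview are worth seeing in working code: the attacker's side, where the paging pattern triggered by the provider's own behavior gives away the victim's temporary ID, and the defense side, where frequently changing that ID breaks the pattern. The Python below is an added example written for this page; it is not code from the research team, from the paper, or from the Osmocom Project. It models one location area as a set of phone numbers holding TMSIs, a paging channel on which every incoming call broadcasts the callee's TMSI, and an attacker who places several short calls to the victim's number and intersects the TMSIs heard shortly after each call. The subscriber numbers, paging rate and time windows are constructed values; real paging timing and the round-trip timing test discussed in the comments are not modelled.

```python
import random

PAGE_WINDOW = 3.0   # seconds after a call during which its paging request is expected


class LocationArea:
    """Toy model of one GSM location area (constructed for this example).

    Every incoming call makes the network resolve the callee's number to its
    current TMSI and broadcast a paging request with that TMSI on the downlink
    paging channel. Every idle phone in the area, and any receiver tuned to
    the channel, can read those pages.
    """

    def __init__(self, subscribers, seed=1, reallocate_tmsi=False):
        self.rng = random.Random(seed)
        self.reallocate_tmsi = reallocate_tmsi
        self.tmsi = {}                      # phone number -> current TMSI
        for msisdn in subscribers:
            self.tmsi[msisdn] = self._fresh_tmsi()
        self.clock = 0.0                    # simulated seconds
        self.pch = []                       # (timestamp, tmsi) heard on the paging channel

    def _fresh_tmsi(self):
        """Random 32-bit TMSI that no subscriber in the area currently holds."""
        in_use = set(self.tmsi.values())
        while True:
            tmsi = self.rng.getrandbits(32)
            if tmsi not in in_use:
                return tmsi

    def incoming_call(self, msisdn):
        """Page the callee; optionally hand it a new TMSI afterwards."""
        self.pch.append((self.clock, self.tmsi[msisdn]))
        if self.reallocate_tmsi:
            # Defence from the interview: change the ID after every transaction,
            # so the TMSI paged for one call says nothing about the next one.
            self.tmsi[msisdn] = self._fresh_tmsi()

    def run(self, seconds, calls_per_second):
        """Advance the clock while other subscribers in the area receive calls."""
        numbers = list(self.tmsi)
        end = self.clock + seconds
        while True:
            t = self.clock + self.rng.expovariate(calls_per_second)
            if t >= end:
                break
            self.clock = t
            self.incoming_call(self.rng.choice(numbers))
        self.clock = end


def silent_call_attack(la, victim, n_calls, bg_rate, gap=30.0, window=PAGE_WINDOW):
    """Attacker side: call the victim n_calls times, hanging up before the phone
    rings, and keep only the TMSIs paged within `window` seconds of each call.
    The intersection over all calls is the set of candidate TMSIs for the victim."""
    candidates = None
    for _ in range(n_calls):
        la.run(gap, bg_rate)              # wait between calls; background paging continues
        t_call = la.clock
        la.incoming_call(victim)          # the network pages the victim for our call
        la.run(window, bg_rate)           # keep listening through the window
        heard = {tmsi for t, tmsi in la.pch if t_call <= t <= t_call + window}
        candidates = heard if candidates is None else candidates & heard
    return candidates


def demo(reallocate_tmsi):
    """Constructed scenario: 2000 subscribers, 20 background pages per second."""
    subscribers = [f"+1612555{i:04d}" for i in range(2000)]
    victim = subscribers[1234]
    la = LocationArea(subscribers, seed=7, reallocate_tmsi=reallocate_tmsi)
    victim_tmsi = la.tmsi[victim]         # ground truth; the attacker never sees this
    found = silent_call_attack(la, victim, n_calls=5, bg_rate=20.0)
    return found, victim_tmsi


if __name__ == "__main__":
    found, truth = demo(reallocate_tmsi=False)
    identified = found == {truth}
    print(f"static TMSI: {len(found)} candidate(s); victim identified: {identified}")
    found, _ = demo(reallocate_tmsi=True)
    print(f"TMSI changed after each page: {len(found)} candidate(s) survive")
```

With a TMSI that stays fixed, five silent calls are enough to shrink the candidate set to the victim's ID even with dozens of unrelated pages in every window. With the network reallocating the TMSI after every page, every window contains fresh identifiers and the intersection is empty, which is why the fix belongs on the provider's side rather than on the handset.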

Final thoughts

It may not be as accurate as GPS, but the simplicity of this exploit makes it a very useful gun in the bad guy's arsenal -- a simple way of knowing where you aren't. Denis also mentioned that they have "other things" they're working on that should be of interest.

I'd like to thank Denis Foo Kune and the rest of the research team for their efforts and helping me understand the complexities of cellular networks.


30 comments



jibu_thomas

1. Hi, for this trick to be effective the attacker has to be in the same paging area as the victim.
2. Moreover, the paging area can be very huge. It can be several kilometers, unlike what we see in Location Based Services! When an incoming call comes, the whole paging area would be paged, so I think it would be unreliable unless Location Based Services can be tapped into (which I believe will be difficult).
3. Moreover, as networks move to LTE & 3G, things can become more complicated?

nepper

The tracking method described here starts with a phone number. Several weeks ago, my daughter had her iPhone stolen, and did not have her tracking app enabled. A cell phone tower identifies the phone by a unique identifier, so I asked the service provider if they would track the phone for me, and they said no, only with a police warrant, which the police wouldn't do for a small-ticket item such as this. Would it be possible to find the phone by its unique number? (It was ESN with CDMA; I don't remember what it's called now.)

ralcocer

The Pads from china use this method.

Professor8

The fact is that no phone company personnel, and certainly no government bureaubums in 99.999% of cases, should know where a particular cellular phone user is within 30 miles. Ditto with calling line identification. Both location and calling line are unfortunate incidental artifacts of making the communications work which some corrupt people have been quick and persistent to abuse. The solution is to deter people in and out of government, by vigorous negative incentives, from such abuse. Deterrence requires that most incidents are detected and punished in a consistent manner in proportion to the harm being done. Or, to revise how the communication works so as to eliminate these flaws.

AnsuGisalas

Does the exploit only allow the location of a user to an area in which the attackers are sampling traffic? I mean, can they only see if a certain phone is "here" or "not here"? Or does all the location data for all users travel the whole tower network at all times? That doesn't sound very viable, but I guess it could be.

If it is true that the method can only tell "here" or "not here" (as opposed to "over there"), it could still be used by, say, agents of some kind, who wish to enter a restricted area while the owner is away; all they'd need is to track when the owner's phone begins to be "here", which would give them time to vacate the premises (especially if the LA is quite large).

On the other hand, since I like Phased Arrays so much, I bet it's possible to combine data collected over time to pinpoint a user further... if the attackers are capable of tracking the target as it transits through several LAs (and with a rig costing only a couple of hundred dollars, that's not impossible), there are definite methods of narrowing things down. Even without using advanced mathematics to peek through the fog-of-war (and I'd be very surprised if this was not possible), a dedicated tracker has good old-fashioned methods of doing this:
1) Speed of transitions can be noted (when does a tower stop sending for that number, when does a tower begin to send for that number, etc.).
2) From this can be estimated the traveling speed of the target to some precision, which means that the mode of transport can be estimated. Precision doesn't even have to be better than +/- 10 km/h; that's enough to tell whether the person is likely walking, driving or bicycling...
3) A rough trajectory can be combined with map data to find the most likely routes of travel, and with tracking over time, the route can be narrowed down eventually (excepting perhaps in built-up areas with streets in a close-knit rectangular grid).

So, if the idea is to be able to know when and where to go to pick up a target, this method would definitely work. At the very least, I would recommend that armored transport crews should give up their cell phones while on the job (but maybe they already have).

TobiF

The method above locates a phone to a LA (Location Area), which, depending on network configuration, may contain several hundreds of towers. (For a large metropolitan area, you may be able to find out roughly in which part of the town the phone is located.) A bigger LA conserves battery in the phones, since they don't have to update their location to the network all the time. But too big a LA can lead to overloaded broadcast channels. The current trend of smartphones with active packet data sessions may force network operators to re-plan their networks and make their location areas smaller.

The protection mentioned in the article is that the network in many cases uses a temporary identity when paging a phone. This temporary identity is regularly updated (in ciphered mode) between the network and the phone, when they're communicating.

A much more detailed location is easily available to many applications in smartphones. They can simply read the current cell-id for which tower the phone is currently camping on. That way, you'll know the location down to a couple of hundreds of meters (or a few kilometers in rural areas). Further, if an app is able to scan visible Wifi networks, then SSID and MAC of available access points may pinpoint your (even indoor) location to just a few meters. And such information was, for example, gathered by Google, when they were shooting Street View.

bboyd

I'll be glad to see Foo Kune's app soon! (rhyming is unintentional) In analog days I'd use a communications test set to decode sections of the traffic and get very precise location estimates as the phone translated from tower to tower. I'm sure methods like that are available to the carriers still (and law enforcement via warrant.) I think that granular location fixes could be improved by also using WIFI nodes and even the WIFI radio of the phone itself assuming you know the phone specs and signal propagation properties. These are some of the reasons why I hate seeing the list of permissions apps require. It makes me more paranoid. Good Luck Denis Foo Kune! Lastly a question, does airplane mode disrupt this kind of tracking?

Michael Kassner

I am curious as to what you mean. I'd appreciate your help explaining. Thanks

danbi

It is vital for the operator to always know your location, signal wise. Otherwise, they could not provide you with the service you need. This is even more necessary with packet switching networks. Since any telecom operator must have an Government issued license to operate, you can be certain that the Government knows your location too. At all times.

Michael Kassner

Is working on several possible solutions to eliminate the flaws.

bboyd

Distributed, redundant and ubiquitous. Potentially even capable of observing stealth aircraft. Now I hear of a US effort to detect tornadoes using cellular signals.

Michael Kassner

As I understand, the attacker has multiple options. If there is the need to be granular, they can listen to a single tower's pages. And if more, then they just add systems and, as you point out, that can be easily sorted in a database. The key component is associating the temp ID with the phone. That is why the attacker has to call the victim's phone. To prevent it from ringing, the attacker will hang up before five seconds are up. That is enough time to capture the page. From that point on they can track which cell tower the phone is attached to by following the temp ID.

Michael Kassner

It is more granular than that. You missed the second test. The one where they time the round trip of the page handshake. If it's less than 200 ms they are fairly certain they are on the same tower as the victim's cell phone. And, the article mentions the whole point of this exploit is not needing to intervene with the victim's cell phone as would be the case with your obtaining data from installed apps.

Michael Kassner

Just to make sure, as I did not know if the phone still responded to pages when in "airplane mode". Denis says the phone is non-responsive at that time. So airplane mode is an option.

Michael Kassner

If so, it is available now at the link in the article. As for airplane mode, that is a great question. I will ask Denis and let you know. Thanks.

Michael Kassner

I agree as that pertains to 911 and emergency services.

danbi

There are operators that will notify the user, typically by SMS for such failed calls.

TobiF

You'd "get a roundtrip", i.e. hear the response from the mobile only if the phone transmits on a frequency you'd be listening to (Your local cell tower) AND the signal from the mobile isn't attenuated or covered under radio interference from other phones. In that case, if you've managed to identify a particular radio signal as your target, then you could simply employ old school radio cross direction finding. Oh, all this is with regards to TDMA networks (like GSM, for example). 3G uses CDMA, where one needs to know the individual key, in order to separate a meaningful signal from the surrounding noise.

bboyd

On old analog phones in North Dakota one winter they used tower signal strength estimation to locate a stranded person down to the nearest 1/2km and determined she had turned on a farm road. Also a good lesson learned on why you keep batteries charged, as she ran out of battery just as they got a basic location fix. Now you can get an App aimed at helping ID your location for emergency services http://ca.news.yahoo.com/app-designed-north-dakota-blizzard-aims-help-drivers-165127237.html

Michael Kassner

I assumed (that word again) all countries had the provision of emergency calls automatically locating the phone calling.

AnsuGisalas

and I don't think that's due to a greater freedom from tracking over here. I had to make a call to emergency services to calm down my s***head parents-in-law as they were endangering the lives of my family with how they were driving their boat, and getting irate at us for not meekly accepting their idiot antics... the emergency center, it turns out, had no way of knowing where we were, and also couldn't locate the tiny island where we were staying with the numbskulls. Luckily I am much bigger than the both of them together, so their bark was worse than their bite. :^0

Michael Kassner

I will ask Denis about this. I was wondering if it is considered a failed call if the cell phone doesn't ring? As Denis points out they shut down before that happens.

Michael Kassner

Is the ease at which the TempID can be associated with a cell-phone number. I believe that allows other data to be associated with a particular phone.

AnsuGisalas

...than the cat prefers to even know about.

Michael Kassner

As I understand it, the researchers first look at the page from the tower, not the response from the phone. That gives them the temp ID. Then they run a second test in which they get the timing information from the cell tower. There is no direct connection to the cell phone.
