I'll be glad to see Foo Kune's app soon! (rhyming is unintentional)
In analog days I'd use a communications test set to decode sections of the traffic and get very precise location estimates as the phone translated from tower to tower.
I'm sure methods like that are available to the carriers still (and law enforcement via warrant.)
I think that granular location fixes could be improved by also using WIFI nodes and even the WIFI radio of the phone itself assuming you know the phone specs and signal propagation properties.
These are some of the reasons why I hate seeing the list of permissions apps require.
It makes me more paranoid. Good Luck Denis Foo Kune!
Lastly a question, does airplane mode disrupt this kind of tracking?
If so, it is available now at the link in the article.
As for airplane-mode that is a great question. I will ask Denis and let you know. Thanks.
Just to make sure, as I did not know if the phone still responded to pages when in "airplane mode". Denis says the phone is non-responsive at that time. So airplane mode is an option.
The method above locates a phone to an LA (Location Area), which, depending on network configuration, may contain several hundreds of towers. (For a large metropolitan area, you may be able to find out roughly in which part of the town the phone is located.)
Bigger LA conserves battery in the phones, since they don't have to update their location to the network all the time. But too big LA can lead to overloaded broadcast channels. The current trend of smartphones with active packet data sessions may force network operators to re-plan their networks and make their location areas smaller.
The protection mentioned in the article is that the network in many cases uses a temporary identity when paging a phone. This temporary identity is regularly updated (in ciphered mode) between the network and the phone, when they're communicating.
A much more detailed location is easily available to many applications in smartphones. They can simply read the current cell-id for which tower the phone is currently camping on. That way, you'll know the location down to a couple of hundreds of meters. (or a few kilometers in rural areas.)
Further, if an app is able to scan visible Wifi networks, then SSID and MAC of available access points may pinpoint your (even indoor) location to just a few meters. And such information was, for example, gathered by Google, when they were shooting street view.
It is more granular than that. You missed the second test. The one where they time the round trip of the page handshake. If it's less than 200 ms they are fairly certain they are on the same tower as the victim's cell phone.
And, the article mentions the whole point of this exploit is not needing to intervene with the victim's cell phone as would be the case with your obtaining data from installed apps.
You'd "get a roundtrip", i.e. hear the response from the mobile only if the phone transmits on a frequency you'd be listening to (Your local cell tower) AND the signal from the mobile isn't attenuated or covered under radio interference from other phones.
In that case, if you've managed to identify a particular radio signal as your target, then you could simply employ old school radio cross direction finding.
Oh, all this is with regards to TDMA networks (like GSM, for example). 3G uses CDMA, where one needs to know the individual key, in order to separate a meaningful signal from the surrounding noise.
As I understand it, the researchers first look at the page from the tower, not the response from the phone. That gives them the temp ID. Then they run a second test in which they get the timing information from the cell tower. There is no direct connection to the cell phone.
Is the ease at which the TempID can be associated with a cell-phone number. I believe that allows other data to be associated with a particular phone.
Does the exploit only allow the location of a user to an area in which the attackers are sampling traffic? I mean, can they only see if a certain phone is "here" or "not here"? Or does all the location data for all users travel the whole tower network at all times? That doesn't sound very viable, but I guess it could be.
If it is true that the method can only tell "here" or "not here" (as opposed to "over there"), it could still be used by, say, agents of some kind, who wish to enter a restricted area while the owner is away; all they'd need is to track when the owner's phone begins to be "here", which would give them time to vacate the premises (especially if the LA is quite large).
On the other hand, since I like Phased Arrays so much, I bet it's possible to combine data collected over time to pinpoint a user further... if the attackers are capable of tracking the target as it transits through several LAs (and with a rig costing only a couple of hundred dollars, that's not impossible), there are definite methods of narrowing things down:
Even without using advanced mathematics to peek through the fog-of-war (and I'd be very surprised if this was not possible), a dedicated tracker has good old-fashioned methods of doing this:
1) Speed of transitions can be noted (when does a tower stop sending for that number, when does a tower begin to send for that number, etc.).
2) From this can be estimated the traveling speed of the target to some precision, which means that the mode of transport can be estimated. Precision doesn't even have to be better than +/- 10 km/h - that's enough to tell whether the person is likely walking, driving or bicycling...
3) A rough trajectory can be combined with map data to find the most likely routes of travel, and with tracking over time, the route can be narrowed down eventually (excepting perhaps in built-up areas with streets in a close-knit rectangular grid).
So, if the idea is to be able to know when and where to go to pick up a target, this method would definitely work. At the very least, I would recommend that armored transport crews should give up their cell phones while on the job (but maybe they already have).
As I understand, the attacker has multiple options. If there is the need to be granular, they can listen to a single tower's pages. And if more, then they just add systems, and as you point out, that can be easily sorted in a database.
The key component is associating the temp ID with the phone. That is why the attacker has to call the victim's phone. To prevent it from ringing, the attacker will hang up before five seconds are up. That is enough time to capture the page. From that point on they can track which cell tower the phone is attached to by following the temp ID.
There are operators that will notify the user, typically by SMS for such failed calls.
I will ask Denis about this. I was wondering if it is considered a failed call if the cell phone doesn't ring? As Denis points out they shut down before that happens.
Distributed, redundant and ubiquitous.
Potentially even capable of observing stealth aircraft.
Now I hear of a US effort to detect tornadoes using cellular signals.
The fact is that no phone company personnel, and certainly no government bureaubums in 99.999% of cases, should know where a particular cellular phone user is within 30 miles. Ditto with calling line identification.
Both location and calling line are unfortunate incidental artifacts of making the communications work which some corrupt people have been quick and persistent to abuse.
The solution is to deter people in and out of government, by vigorous negative incentives, from such abuse. Deterrence requires that most incidents are detected and punished in a consistent manner in proportion to the harm being done. Or, to revise how the communication works so as to eliminate these flaws.
Is working on several possible solutions to eliminate the flaws.
It is vital for the operator to always know your location, signal wise. Otherwise, they could not provide you with the service you need. This is even more necessary with packet switching networks.
Since any telecom operator must have a Government-issued license to operate, you can be certain that the Government knows your location too. At all times.
and I don't think that's due to a greater freedom from tracking over here.
I had to make a call to emergency services to calm down my s***head parents-in-law as they were endangering the lives of my family with how they were driving their boat, and getting irate at us for not meekly accepting their idiot antics... the emergency center, it turns out, had no way of knowing where we were, and also couldn't locate the tiny island where we were staying with the numbskulls.
Luckily I am much bigger than the both of them together, so their bark was worse than their bite.
I assumed (that word again) all countries had the provision of emergency calls automatically locating the phone calling.
On old analog phones in North Dakota one winter they used tower signal strength estimation to locate a stranded person down to the nearest 1/2km and determined she had turned on a farm road. Also a good lesson learned on why you keep batteries charged, as she ran out of battery just as they got a basic location fix. Now you can get an App aimed at helping ID your location for emergency services.
http://ca.news.yahoo.com/app-designed-north-dakota-blizzard-aims-help-drivers-165127237.html
I am curious as to what you mean. I'd appreciate your help explaining. Thanks
The tracking method described here starts with a phone number. Several weeks ago, my daughter had her iPhone stolen, and did not have her tracking app enabled. A cell phone tower identifies the phone by a unique identifier, so I asked the service provider if they would track the phone for me, and they said no, only with a police warrant, which the police wouldn't do for a small-ticket item such as this. Would it be possible to find the phone by its unique number? (was ESN with CDMA, I don't remember what it's called now).
1. Hi, for this trick to be effective the attacker has to be in the same Paging area as the victim.
2. Moreover Paging area can be very huge. It can be several kilometers unlike what we see in Location Based services! When an incoming call comes the whole paging area would be paged so I think it would be unreliable unless Location Based Services can be tapped into (which I believe will be difficult).
3. Moreover as networks move to LTE & 3G things can become more complicated?