It’s possible for an attacker to know the location of a victim’s cell phone within a square kilometer — typical cell-tower range. And, obtaining this information does not require any alteration of the cell phone or participation of the cell-phone’s owner. All that’s required is the cell phone’s number.

I first learned about this particular exploit watching the local Fox9 news. The announcer explained that researchers Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim from the University of Minnesota, figured out how attackers can locate a cell phone by exploiting the cellular network.

I read the team’s research paper: Location Leaks on the GSM Air Interface, but my scribbled list of questions was way longer than normal. In a minor epiphany, I realized this was a perfect opportunity to get a better understanding of how cellular networks function and get the scoop on the exploit. Besides, I was going to the U for a class anyway. To set up an appointment, I called lead researcher Denis Foo Kune, who patiently answered all my questions.

Kassner: The paper mentions:

“Base stations such as cellular networks have to track subscribers to ensure adequate service delivery and efficient utilization of limited radio resources. For example, an incoming voice call for a mobile station requires the network to locate that device and allocate the appropriate resources to handle the resulting bi-directional traffic.”

When does tracking start and how accurately can cellular networks locate a mobile device?

Foo Kune: Tracking starts when the phone is turned on. It contacts a nearby cell tower and registers with the network through that tower. From that point on, the network keeps track of the device as it moves. It does so by locating the cell phone within a group of towers in a geographic area.
Kassner: The following slide depicts a basic cellular network.

There are three components I should define:

  • Visitor Location Register (VLR): Is in charge of one or more areas that mobile stations may roam in and out of. This entity handles the temporary IDs (TMSIs) of the mobile stations.
  • Base Station System (BSS): Is a network of Base Station Transceivers (BTS) and controllers (BSC) responsible for communicating directly with the mobile station.
  • Mobile Station (MS): Is the mobile device carried by the user. It is composed of the actual device and a Subscriber Identity Module (SIM).

I think I have all the pieces, could you explain how a cellular network knows where a particular mobile device is?

Foo Kune: When the call comes in, the network uses the Home Location Register (HLR) to translate the phone number into a unique ID. The system then tries to determine which geographic area the phone is likely to be in. Each of those areas is managed by a Visitor Location Register (VLR).

Once the the VLR responsible for the target area is found; that VLR instructs all the towers within its region to broadcast a message with the phone’s ID, asking that phone to contact its nearest tower.

Kassner: The paper goes on to mention there is significant traffic beside phone calls traversing the GSM Air Interface. The transmission channels of interest to us are:

  • Packet Control Channel (PCCH): The broadcast downlink channel that all phones listen to.
  • Random Access Channel (RACH): The broadcast channel to mobile stations registered on the network.
  • Standalone Dedicated Control Channel (SDCCH): A specific uplink channel assigned by the BTS.

If I understand correctly, it is these channels that leak information about the cell phone’s location and anyone can access the information:

“Location leaks in the communication protocol would mean that even entities with no access to the location database would be able to infer some location information from target users.”

I have two questions. What exactly are location leaks?

Foo Kune: Location leaks are the broadcasted messages from the towers that can give an attacker hints if the victim’s phone is in the area.

The cellular-service provider keeps a database of where phones are likely to be, so that it can find them when there is an incoming call. This attack leverages the behavior of the service provider to find the victim’s phone.

To find the phone, the service provider has to send some specific messages with a specific pattern. Those messages and patterns can be recognized by an attacker to determine if the victim’s phone is close by.

Kassner: To help explain the exploit, Denis and the team created a YouTube video.

The following slide shows the test equipment used in the video.

What role the Osmocom Project played in your research?

Foo Kune: The Osmocom Project was critical in our study. It allowed us to hear all the messages that would typically be filtered out in a normal phone. Those include all the broadcast messages from the towers trying to locate the victim’s phone.
Kassner: What can be done to prevent this type of tracking?
Foo Kune: The tracking methods we studied use behaviors from the service providers themselves, so the solutions reside on the service-provider’s side. Our work does not directly look at the defenses from the user’s side, although it is always possible to turn the phone off when not in use.
Kassner: The paper mentioned that you have a way to anonymize the traffic from the mobile set. How important is that? Also, I read this exploit only works on GSM. Aren’t most mobile devices using more modern cellular technology?
Foo Kune: The anonymization techniques described in the paper are very important to protect the location privacy of the users. We propose to generate a certain amount of decoy traffic, along with reordering of messages and frequently changing the ID used by the phone. Those methods should make it difficult for an attacker to find the victim’s phone.

The method studied in this paper looked at the GSM network only because our system could only listen to the GSM network. Parts of the method could be applicable to the UMTS (3G) or LTE (4G) network as well, since they all have broadcast messages to find phones that are roaming around.

Final thoughts

It may not be as accurate as GPS, but the simplicity of this exploit makes it a very useful gun in the bad guy’s arsenal — a simple way of knowing where you aren’t. Denis also mentioned that they have “other things” they’re working on that should be of interest.

I’d like to thank Denis Foo Kune and the rest of the research team for their efforts and helping me understand the complexities of cellular networks.