Schneier on Security
A blog covering security and security technology.
November 26, 2008
Government Can Determine Location of Cell Phones without Telco Help
Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.
This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI's cell-phone tracking practices. Since August, they've received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.
Posted on November 26, 2008 at 6:06 AM
Cool, where can I get one? :-P
Does this work with GSM? And aren't communications between cell towers done using cables of some kind?
I attended a luncheon late this summer where one of the topics of conversation involved "a cellular tower on a laptop" being demo'd at burningman this year, I presume some asterisk-derived code and drivers for radio transmitters, responders.
I was a bit unnerved, though the coolness of the hack wasn't lost on me. But when anyone with $5k worth of equipment can *be* your cellular provider, you can probably count your own government spying on you among the least of your worries.
A better question is does the phone also send GPS information even when disabled in the setup menu. Since this information is always sent on 911 calls I'm guessing it does.
So what phones really have a GPS receiver in them? I mean, is it a law or something in the US?
I know that there are some tricks you can do with cell networks to find the location quite accurately, but this needs extra software.....
Please tell Apple how. My Original iPhone can only get within a .5 radius when it's lucky. Hardly what I'd call "accurate".
Most of this is actually quite old news, have a hunt around for nano/pico GSM cells to get the idea of what is available in terms of normal functionality.
Then have a hunt through things like the ISDN and SS7 specs to see what other functionality (such as remotely turning on a microphone) is also effectively built in.
The ability to find a (an old analogue) Cell Phone to within a few meters was developed independently in the UK back in the 1980s, as far as I am aware it has been updated as new technology has come along ever since.
In theory once you know the handsets electronic serial number you only need an SS7 connection to find out much of what you know from just about anywhere in the world.
The ability of the first generation iPhone to triangulate your position is based on your proximity to various cell phone towers. Sometimes, in a highly populated area such as Los Angeles, your iPhone is accurate to the city block.
Ah, but with the "right" application, could the phone determine if the signal it's getting is from a legit tower versus a Triggerfish?
"Oh crap, the Feds are looking for me!"
I might buy that app...
The GSM technology isn't that complex. A complete GPL-licensed implementation of GSM network already exists and will be demoed at this year's Chaos Communication Congress, live phone calls included ;)
"The GSM technology isn't that complex"
Hmmm that depends on your viewpoint. The last time I had a full copy of the spec by my desk it made two piles one about 3ft the other about 2ft.
And let's just say it was not light reading, and as always the devil is in the details...
In practice though most of the low level functionality could be written (in assembler) for a fairly simple (for power reasons) microcontroller.
There have been a number of chip manufacturers' code bases (in C) available for some time so I'm more surprised it has taken this long for an open code base to appear, but of course there is always the question of approval for the finished phone...
From the article on Kevin Mitnick:
"The person whom had taken control of Shimomura’s systems called to gloat over his achievements, and the conversation was recorded"
Y'know, I'd heard of him, but I never knew he was a villain from a bad sci-fi story.
That's like asking to be caught.
I recently read a story of a journalist who connected to the taliban through some official of the karzai gov. who had the connection. The journalist then traveled through some checkpoints, with two taliban and to some provincial hideout of a talib leader, where there were internal rivalries that put the party in danger, calls were made to the higher up in kabul, and the party was released to travel back to kabul, but one of the taliban who was with the party recommended that they turn off cell phones while on the road, as the taliban local commander who might turn on them could track them by their cell phones.
I was amazed to understand that even the taliban could track cell phones in motion. Or could it just be that they had a connection in the cell phone company, just as they had high connections in the karzai regime.
> Y'know, I'd heard of him, but I never knew he was a villain from a bad sci-fi story
Oh yeah. He was so dangerous that they couldn't let him near a telephone because he could just _whistle_ the proper sequence of tones into it and hack into nuclear missile silos and start WW3. I kid you not, the FBI actually said that.
Simple answer: turn the stupid phone *off*.
You're not that important.
Seriously. You're not.
Reminds me of the story about how Eli Cohen was located in Syria by Soviet radio engineers in 1965.
There will be a separate presentation named "Locating Mobile Phones using SS7" at 25C3
As I understand it, the presentation isn't about IMSI catchers, but may be interesting nevertheless.
(My guess is, locating mobile phones with SS7 means requesting roaming info from MSC or HLR ?)
You might think that [sby] is not important, but to the child his mother might well be THAT important.
Who are you to devalue other people and the love they might give to their fellow humans?
"Simple answer: turn the stupid phone *off*."
Sorry no that won't do it.
Most phones have "soft" power switches where the CPU turns off some but not all parts of the phone. And as the phones are mutable (i.e. over air software updates) what gets turned off can change at any time...
So even if you have tested it a few days ago you don't know it's turned off now even though it looks as though it is.
Either leave it somewhere / with someone else, or take the battery out, and if you are of an appropriately cautious mind set put it in a metal box (biscuit tin) with adhesive metal foil (copper) around the join as well...
@me: "Who are you to devalue other people and the love they might give to their fellow humans?"
Someone who has observed them for a long time and found he doesn't like them very much.
I wonder how the species survived the millennia before the invention of the cell phone? Just dumb luck, I suppose.
Another story reports that ACLU/Minnesota believes triggerfish were used during the runup to the GOP convention this summer.
> Most previous descriptions... suggested that
> because of range limitations, triggerfish were
> only useful for zeroing in... once cooperative
> cell providers had given a general location.
Trivially, even if that were true, it would only be true if you had a limited number of triggerfish. It should be obvious to anyone that a network of these things covering a given area would not be significantly harder to build than a network of cell towers covering the same area.
> But when anyone with $5k worth of equipment
> can *be* your cellular provider, you can
> probably count your own government spying
> on you among the least of your worries.
For that matter, listening in on cellphone conversations is generally even easier than pinpointing the location of a particular phone.
And yes, the government is obviously not the only organization that could ever make use (or misuse) of this kind of technology.
> A better question is does the phone also
> send GPS information even when disabled
That doesn't actually matter. It's possible to triangulate your location based on the latency between you and various cell towers (or triggerfish), in much the same way that a GPS receiver determines your location based on the latency from various satellites. So if your phone does transmit GPS information, I don't think that gives anyone (well, anyone with cell towers or triggerfish) any information that they can't get pretty easily anyway. It's redundant, in other words, and changes nothing.
> The ability of the first generation Iphone to
> triangulate your position is based on your
> proximity to various cell phone towers.
Which is also how somebody on the other side of things (running cell towers or triggerfish) would do it as well.
> Sometimes, in a highly populated area...
> your Iphone is accurate to the city block.
Going the other way, the accuracy would be terrible around here because you're lucky to be within range of *one* cell tower. But if an attacker wants to improve that accuracy, all he's gotta do is introduce a couple of extra points of reference (cell towers, or triggerfish). And if they can move around (triggerfish in unmarked vans, anyone?), your phone's location can probably be pinpointed to within a few inches. My advice (if you're trying to avoid being located by people who might have this sort of technology) would be, don't carry a cellphone.
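The comment above claims that latency to several towers (or cell-site simulators) fixes a handset's position much as GPS does, that one tower alone gives almost nothing, and that adding reference points sharpens the fix. The following Python is an added illustration of that claim, not code from the post or its commenters: it converts round-trip delays to ranges, solves the resulting circle equations by least squares, and shows how coarse timing measurement (the GSM timing-advance step of one bit period is used as a realistic resolution) limits the accuracy to roughly a city block. The tower layout and handset position are constructed for the example.

```python
import math

C = 299_792_458.0  # speed of light in m/s
# One GSM timing-advance step is one bit period (48/13 microseconds) of
# round-trip delay, i.e. roughly 553 m of one-way range. Used as the
# coarsest resolution a 2G air interface actually reports.
TA_STEP_M = C * (48 / 13) * 1e-6 / 2


def ranges_from_rtt(rtt_seconds, resolution_m=None):
    """Convert round-trip delays to one-way ranges, optionally rounded to the
    coarse steps a real radio interface can measure."""
    ranges = [C * t / 2 for t in rtt_seconds]
    if resolution_m:
        ranges = [round(r / resolution_m) * resolution_m for r in ranges]
    return ranges


def multilaterate(towers, ranges):
    """Least-squares position from >= 3 non-collinear reference points.
    Each circle (x - xi)^2 + (y - yi)^2 = ri^2 is subtracted from the first
    one, leaving the linear system 2(xi-x0)x + 2(yi-y0)y = ci."""
    if len(towers) < 3:
        raise ValueError("need at least three reference points for a 2-D fix")
    (x0, y0), r0 = towers[0], ranges[0]
    rows = []
    for (xi, yi), ri in zip(towers[1:], ranges[1:]):
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    # Normal equations for the 2-unknown least-squares problem.
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-6:
        raise ValueError("reference points are collinear; no unique fix")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


# Constructed scenario: four fixed transceivers on a 5 km square and a
# handset at (1200, 800). The geometry is the same whoever runs the radios.
TOWERS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0), (5000.0, 5000.0)]
TRUE_POS = (1200.0, 800.0)


def simulate_rtt(towers, pos):
    """Ideal round-trip time from each tower to the handset and back."""
    return [2 * math.dist(t, pos) / C for t in towers]


def fix_error(towers=TOWERS, pos=TRUE_POS, resolution_m=None):
    """Distance in metres between the true position and the computed fix."""
    rtt = simulate_rtt(towers, pos)
    est = multilaterate(towers, ranges_from_rtt(rtt, resolution_m))
    return math.dist(est, pos)


if __name__ == "__main__":
    print("ideal timing:  %.1f m error" % fix_error())
    print("GSM TA steps:  %.1f m error" % fix_error(resolution_m=TA_STEP_M))
    try:
        fix_error(towers=TOWERS[:2])
    except ValueError as e:
        print("two towers:   ", e)
```

With perfect timing the fix is exact; with timing quantised to GSM steps it is off by on the order of a hundred metres, and with only two reference points there is no unique solution, which matches the commenter's point that accuracy depends on how many transceivers are in range.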
Absolutely spot on.
To explain how this works in simple terms:
If you set up a "pirate" BSC (Base Station Controller) any mobile (2G) phone will handshake with the BSC (mandatory part of 2G). The encrypted relationship is only between the mobile device and the BTS, therefore data is in plain text beyond the BTS. Often, this data is sent across microwave links between the BTS and the BSC. Keys and authentication data are not protected either within or between networks
So, if I do the above I will know:
The IMSI and IMEI of the phone, and its physical location (within my cell). Triggerfish is not used to monitor calls (as my pirate BSC has no connection to any network) but purely to catch whoever I'm after by making sure I know when they (or rather their mobile phone) enters the physical area covered by my BSC.
This does not work with WCDMA / UMTS as both parties (phone and BSC) mutually authenticate each other.
If I want to monitor the calls I either crack the GSM master key and derivative keys (easy) or tap into the back haul (even easier)
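The comment above explains why a cell-site simulator works against 2G but not against UMTS: a GSM handset answers any challenge without checking who sent it, while UMTS AKA makes the network prove knowledge of the subscriber key before the handset responds. The Python below is an added model of the two exchanges, written for this page rather than taken from the post or from any 3GPP implementation. It replaces the operator algorithms (A3/A8, MILENAGE f1/f2) with keyed HMAC-SHA-256 and omits the anonymity key that masks SQN in real AUTN; the subscriber key, rogue key and sequence numbers are constructed.

```python
import hashlib
import hmac
import os


def f(key, label, *parts):
    """Stand-in for the operator's secret SIM algorithms (A3/A8, MILENAGE
    f1-f5): HMAC-SHA-256 over a labelled concatenation. Constructed here."""
    mac = hmac.new(key, label.encode(), hashlib.sha256)
    for p in parts:
        mac.update(p)
    return mac.digest()


# --- 2G: one-way challenge/response ---------------------------------------
def gsm_network_challenge():
    """RAND is just 16 random bytes; any base station can produce one."""
    return os.urandom(16)


def gsm_phone_respond(ki, rand):
    """The handset never checks who sent RAND; it answers with SRES and derives
    the cipher key Kc. That is the gap a fake base station relies on."""
    sres = f(ki, "A3", rand)[:4]
    kc = f(ki, "A8", rand)[:8]
    return sres, kc


# --- 3G: mutual authentication (AKA) -------------------------------------
AMF = b"\x80\x00"


def umts_network_challenge(k, sqn):
    """Genuine network: AUTN = SQN || AMF || MAC, with MAC keyed by the
    subscriber key K. Simplified: SQN is sent unmasked (no AK)."""
    rand = os.urandom(16)
    mac = f(k, "f1", sqn, rand, AMF)[:8]
    return rand, sqn + AMF + mac


def umts_phone_respond(k, rand, autn, last_sqn):
    """Handset checks the MAC (proves the network knows K) and that SQN is
    fresh (blocks replay of a captured genuine challenge) before answering."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f(k, "f1", sqn, rand, amf)[:8]):
        return None  # MAC failure: the network is rejected
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        return None  # stale SQN: replayed challenge is rejected
    return f(k, "f2", rand)[:8]  # RES


def scenario():
    """Run both protocols against a genuine network and a rogue one."""
    ki = os.urandom(16)       # subscriber key: only the SIM and home network have it
    rogue_k = os.urandom(16)  # a fake base station has no copy of Ki/K
    results = {}

    # 2G: a rogue challenge is answered exactly like a genuine one.
    sres, _ = gsm_phone_respond(ki, gsm_network_challenge())
    results["gsm_rogue_gets_sres"] = sres is not None

    # 3G: genuine network accepted; rogue network and replay both rejected.
    sqn1 = (1).to_bytes(6, "big")
    rand, autn = umts_network_challenge(ki, sqn1)
    results["umts_genuine_ok"] = umts_phone_respond(ki, rand, autn, b"\0" * 6) is not None
    rrand, rautn = umts_network_challenge(rogue_k, (2).to_bytes(6, "big"))
    results["umts_rogue_rejected"] = umts_phone_respond(ki, rrand, rautn, sqn1) is None
    results["umts_replay_rejected"] = umts_phone_respond(ki, rand, autn, sqn1) is None
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The point of the model is the asymmetry: in the 2G branch nothing the handset does depends on the sender's identity, so capturing IMSI/IMEI needs no key material at all, whereas in the 3G branch a network that cannot compute the keyed MAC, or that replays an old challenge, gets no response. Downgrade to 2G remains the practical concern, which is why the comment's "does not work with UMTS" holds only while the handset stays on 3G.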
I'm a complete novice when it comes to the underlying protocols in modern telecom, but just to illustrate how unremarkable this sort of application is in the scheme of things, HAM radio hobbyists have been doing fox hunts for years: http://www.homingin.com
And then of course my grandfather wrote a bit about navigation in WWII era bombers using triangulation via radio compass...
"I'm a complete novice when it comes to the underlying protocols in modern telecom, but just to illustrate how unremarkable this sort of application is in the scheme of things, HAM radio hobbyists have been doing fox hunts for years"
As your grandfather would have told you "huff-duff" does not work with multiple (virtually) simultaneous on frequency transmissions.
All modern cellular phone systems are frequency spectrum limited. To provide the level of coverage required in a modern city they use various shared channel techniques such as TDMA/CDMA etc. Conventional direction finding does not work with these.
To do it you need a specialised receiver that locks onto the transmitter of interest and only displays directional information for that signal, or be so close to the desired transmitter that it is by far the strongest signal.
Although in practice a mobile when actively in use within a cell will stay on one channel there is no reason why it should. And a good series of arguments to indicate that overall performance would be improved if it did hop around the channels (see CDMA95 and CDMA2000 documentation).
I have to admit I'm basing my understanding of the technology in these GSM sniffers on 1G protocols that involved persistent cleartext broadcast of a mobile subscriber ID at all times in response to a tower requesting a handshake.
I've owned cellular phones since the early 90's and remember having my SIM cloned (and sold to drug dealers in Atlanta!), so I did the reading to understand just how it works. There's been some knowledge atrophy since then, but a summer spent in SF reinitiated me to the results of all sorts of misuse of FCC licensed devices, so my interest is budding again.
Just saw Eagle Eye.
Has the NSA installed a Verushka-style feature in the omni-chip capabilities list?
The problem with this technology is when the bad guys get it or gangs like ex Military Gangs.
My family is in a situation where we are being gang stalked repeatedly, and I use an iPhone.
We go to stores or parks and these guys are there. What is their MO?
To make sure we make eye contact then they immediately split.
They just want us to know they are watching our every move.
It is so frightening we had to go to the FBI.
It is psychological warfare and the citizens of the country are going to have some very tough times in the very near future
I have been looking for a program or something to find the approximate location of a cell phone. The only thing I can seem to find only tells me where I live..... I lost my phone and it could be one of many places. If anybody knows of a cheap or even free program I can buy to track my cell phone PLEASE e-mail me. Thanks
Can someone help answer one simple question for me --- can a cell call last week or yesterday be tracked ??
Please send message back to email@example.com ------ I am asking about this because I use a sim card modem for internet use and I wanted to see if anyone can see my old locations
Thanks for sending an answer back
"Can someone help answer one simple question for me --- can a cell call last week or yesterday be tracked ??"
I think you are asking your question in the wrong way...
Something that works at the speed of light only has a finite timeframe in which it can be tracked or traced whilst it is operating.
However the network sends this sort of information across the network (see Signaling System 7 specifications) to enable things like handovers etc.
The question you should be first asking yourself is,
"is my location information stored by the telco or others?"
The answer in all probability is yes, which gives rise to the real question you should be asking,
"Who can get access to my location data?"
And sadly in many places the answer is more people than you think "officially" and a darn sight more unofficially.
I'm a retired frequency coordinator, electronics person. I have no cell phone, but if I did and I wanted to block the signal, I would simply turn the phone "off" (it won't really be off, but you might save on battery usage), and wrap the entire phone in copper foil. This would be easy and quite effective, but the phone might possibly crank up its RF output attempting to reach a tower, and this could cause more battery usage.
I would not use aluminum foil because aluminum accumulates a thin oxide layer that will eventually break electrical contact between overlapping layers and also affect skin effect (high frequency RF "clings" to the outside of electrical conductors), and the shielding could lose effectiveness. You only need thin copper foil, which you can get at: