Government Can Determine Location of Cell Phones without Telco Help

Interesting:

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.

This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI's cell-phone tracking practices. Since August, they've received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.

Posted on November 26, 2008 at 6:06 AM • 33 Comments

Comments

Tim • November 26, 2008 6:54 AM

Cool, where can I get one? :-P

Does this work with GSM? And aren't communications between cell towers done using cables of some kind?

David • November 26, 2008 7:44 AM

I attended a luncheon late this summer where one of the topics of conversation involved "a cellular tower on a laptop" being demo'd at burningman this year, I presume some asterisk-derived code and drivers for radio transmitters, responders.

I was a bit unnerved, though the coolness of the hack wasn't lost on me. But when anyone with $5k worth of equipment can *be* your cellular provider, you can probably count your own government spying on you among the least of your worries.

Just Looking • November 26, 2008 7:45 AM

A better question is does the phone also send GPS information even when disabled in the setup menu. Since this information is always sent on 911 calls I'm guessing it does.

greg • November 26, 2008 8:04 AM

So what phones really have a GPS receiver in them? I mean, is it a law or something in the US?

I know that there are some tricks you can do with cell networks to find the location quite accurately, but this needs extra software.....

Phillip • November 26, 2008 8:39 AM

@greg

Please tell Apple how. My original iPhone can only get within a .5 radius when it's lucky. Hardly what I'd call "accurate".

Clive Robinson • November 26, 2008 8:54 AM

Most of this is actually quite old news; have a hunt around for nano/pico GSM cells to get the idea of what is available in terms of normal functionality.

Then have a hunt through things like the ISDN and SS7 specs to see what other functionality (such as remotely turning on a microphone) is also effectively built in.

The ability to find a (an old analogue) cell phone to within a few meters was developed independently in the UK back in the 1980s; as far as I am aware it has been updated as new technology has come along ever since.

In theory, once you know the handset's electronic serial number you only need an SS7 connection to find out much of what you know from just about anywhere in the world.

Electrician Houston • November 26, 2008 9:07 AM

Greg,

The ability of the first generation iPhone to triangulate your position is based on your proximity to various cell phone towers. Sometimes, in a highly populated area such as Los Angeles, your iPhone is accurate to the city block.

pegr • November 26, 2008 9:21 AM

Ah, but with the "right" application, could the phone determine if the signal it's getting is from a legit tower versus a Triggerfish?

"Oh crap, the Feds are looking for me!"

I might buy that app...

Clive Robinson • November 26, 2008 9:48 AM

@ SR71

"The GSM technology isn't that complex"

Hmmm that depends on your viewpoint. The last time I had a full copy of the spec by my desk it made two piles one about 3ft the other about 2ft.

And let's just say it was not light reading, and as always the devil is in the details...

In practice though, most of the low level functionality could be written (in assembler) for a fairly simple (for power reasons) microcontroller.

There have been a number of chip manufacturers' code bases (in C) available for some time, so I'm more surprised it has taken this long for an open code base to appear, but of course there is always the question of approval for the finished phone...

A nonny bunny • November 26, 2008 9:56 AM

From the article on Kevin Mitnick:
"The person whom had taken control of Shimomura’s systems called to gloat over his achievements, and the conversation was recorded"

Y'know, I'd heard of him, but I never knew he was a villain from a bad sci-fi story.
That's like asking to be caught.

rip • November 26, 2008 11:04 AM

I recently read a story of a journalist who connected to the Taliban through some official of the Karzai government who had the connection. The journalist then traveled through some checkpoints with two Taliban to some provincial hideout of a Talib leader, where internal rivalries put the party in danger. Calls were made to the higher-up in Kabul, and the party was released to travel back to Kabul, but one of the Taliban who was with the party recommended that they turn off cell phones while on the road, as the local Taliban commander who might turn on them could track them by their cell phones.
I was amazed to understand that even the Taliban could track cell phones in motion. Or could it just be that they had a connection in the cell phone company, just as they had high connections in the Karzai regime?

Jared Lessl • November 26, 2008 11:29 AM

> Y'know, I'd heard of him, but I never knew he was a villain from a bad sci-fi story

Oh yeah. He was so dangerous that they couldn't let him near a telephone because he could just _whistle_ the proper sequence of tones into it and hack into nuclear missile silos and start WW3. I kid you not, the FBI actually said that.

Steve • November 26, 2008 11:43 AM

Simple answer: turn the stupid phone *off*.

You're not that important.

Seriously. You're not.

Anonymous • November 26, 2008 3:02 PM

There will be a separate presentation named "Locating Mobile Phones using SS7" at 25C3

As I understand it, the presentation isn't about IMSI catchers, but may be interesting nevertheless.
(My guess is, locating mobile phones with SS7 means requesting roaming info from MSC or HLR ?)

http://events.ccc.de/congress/2008/Fahrplan/...

me • November 26, 2008 3:53 PM

@ Steve

You might think that [sby] is not important, but to the child his mother might well be THAT important.

Who are you to devalue other people and the love they might give to their fellow humans?

Clive Robinson • November 26, 2008 4:11 PM

@ Steve,

"Simple answer: turn the stupid phone *off*."

Sorry no that won't do it.

Most phones have "soft" power switches where the CPU turns off some but not all parts of the phone. And as the phones are mutable (i.e. over-air software updates) what gets turned off can change at any time...

So even if you have tested it a few days ago you don't know it's turned off now, even though it looks as though it is.

Either leave it somewhere / with someone else, or take the battery out, and if you are of an appropriately cautious mind set put it in a metal box (biscuit tin) with adhesive metal foil (copper) around the join as well...

Steve • November 26, 2008 9:43 PM

@me: "Who are you to devalue other people and the love they might give to their fellow humans?"

Someone who has observed them for a long time and found he doesn't like them very much.

I wonder how the species survived the millennia before the invention of the cell phone? Just dumb luck, I suppose.

dad29 • November 28, 2008 9:28 AM

Another story reports that ACLU/Minnesota believes triggerfish were used during the runup to the GOP convention this summer.

Jonadab the Unsightly One • November 28, 2008 10:58 AM

> Most previous descriptions... suggested that
> because of range limitations, triggerfish were
> only useful for zeroing in... once cooperative
> cell providers had given a general location.

Trivially, even if that were true, it would only be true if you had a limited number of triggerfish. It should be obvious to anyone that a network of these things covering a given area would not be significantly harder to build than a network of cell towers covering the same area.

> But when anyone with $5k worth of equipment
> can *be* your cellular provider, you can
> probably count your own government spying
> on you among the least of your worries.

For that matter, listening in on cellphone conversations is generally even easier than pinpointing the location of a particular phone.

And yes, the government is obviously not the only organization that could ever make use (or misuse) of this kind of technology.

> A better question is does the phone also
> send GPS information even when disabled

That doesn't actually matter. It's possible to triangulate your location based on the latency between you and various cell towers (or triggerfish), in much the same way that a GPS receiver determines your location based on the latency from various satellites. So if your phone does transmit GPS information, I don't think that gives anyone (well, anyone with cell towers or triggerfish) any information that they can't get pretty easily anyway. It's redundant, in other words, and changes nothing.

> The ability of the first generation Iphone to
> triangulate your position is based on your
> proximity to various cell phone towers.

Which is also how somebody on the other side of things (running cell towers or triggerfish) would do it as well.

> Sometimes, in a highly populated area...
> your Iphone is accurate to the city block.

Going the other way, the accuracy would be terrible around here because you're lucky to be within range of *one* cell tower. But if an attacker wants to improve that accuracy, all he's gotta do is introduce a couple of extra points of reference (cell towers, or triggerfish). And if they can move around (triggerfish in unmarked vans, anyone?), your phone's location can probably be pinpointed to within a few inches. My advice (if you're trying to avoid being located by people who might have this sort of technology) would be, don't carry a cellphone.
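As an added illustration of the latency-based triangulation the comment above describes (this is example code, not from the post or any commenter): a small Python trilateration solver that turns propagation delays from several fixed reference points into a position. It assumes constructed tower coordinates in a flat local frame, ideal noise-free delays, and that each reference measures the one-way delay to the phone (for instance half a round trip), and it shows why a single reference point cannot fix a position.

```python
import math

C = 299_792_458.0  # propagation speed, metres per second

# Constructed sample: three reference points (towers or cell-site simulators)
# in a local flat coordinate frame, metres. Assumption: every reference
# measures the one-way propagation delay to the phone (e.g. half a round trip).
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)]


def delays_for(true_pos, towers=TOWERS):
    """Simulate the ideal, noise-free delays a phone at true_pos would produce."""
    return [math.hypot(true_pos[0] - x, true_pos[1] - y) / C for x, y in towers]


def locate(towers, delays, iters=25, tol=1e-6):
    """Trilaterate a 2-D position from propagation delays (Gauss-Newton).

    Works for any number of references >= 3. With one reference the phone is
    only known to lie on a circle, and with two on (generally) two points, so
    the function returns None rather than guess.
    """
    if len(towers) < 3:
        return None
    ranges = [d * C for d in delays]               # delay -> distance
    px = sum(x for x, _ in towers) / len(towers)   # start at the centroid
    py = sum(y for _, y in towers) / len(towers)
    for _ in range(iters):
        # Linearise |p - t_i| around the current estimate: J_i = (p - t_i) / |p - t_i|
        jac, res = [], []
        for (tx, ty), r in zip(towers, ranges):
            dist = math.hypot(px - tx, py - ty) or 1e-9
            jac.append(((px - tx) / dist, (py - ty) / dist))
            res.append(r - dist)                   # measured minus predicted range
        # Normal equations (J^T J) dp = J^T res, solved by hand for 2 unknowns
        a = sum(j[0] * j[0] for j in jac)
        b = sum(j[0] * j[1] for j in jac)
        d = sum(j[1] * j[1] for j in jac)
        e = sum(j[0] * r for j, r in zip(jac, res))
        f = sum(j[1] * r for j, r in zip(jac, res))
        det = a * d - b * b
        if abs(det) < 1e-12:                       # collinear geometry: ambiguous
            return None
        dx, dy = (e * d - f * b) / det, (a * f - b * e) / det
        px, py = px + dx, py + dy
        if math.hypot(dx, dy) < tol:
            break
    return (px, py)


if __name__ == "__main__":
    print(locate(TOWERS, delays_for((1200.0, 900.0))))  # close to (1200.0, 900.0)
```

Adding a fourth reference makes the system overdetermined and the same least-squares step simply averages the extra measurement in, which is the sense in which more towers (or more simulators) improve accuracy.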

Kristian Solberg • November 29, 2008 1:52 AM

To explain how this works in simple terms:
If you set up a "pirate" BSC (Base Station Controller) any mobile (2G) phone will handshake with the BSC (mandatory part of 2G). The encrypted relationship is only between the mobile device and the BTS, therefore data is in plain text beyond the BTS. Often, this data is sent across microwave links between the BTS and the BSC. Keys and authentication data are not protected either within or between networks.

So, if I do the above I will know:

The IMSI and IMEI of the phone, and its physical location (within my cell). Triggerfish is not used to monitor calls (as my pirate BSC has no connection to any network) but purely to catch whoever I'm after by making sure I know when they (or rather their mobile phone) enter the physical area covered by my BSC.

This does not work with WCDMA / UMTS as both parties (phone and BSC) mutually authenticate each other.

If I want to monitor the calls I either crack the GSM master key and derivative keys (easy) or tap into the back haul (even more easy).

David • November 30, 2008 5:16 PM

I'm a complete novice when it comes to the underlying protocols in modern telecom, but just to illustrate how unremarkable this sort of application is in the scheme of things, HAM radio hobbyists have been doing fox hunts for years: http://www.homingin.com

And then of course my grandfather wrote a bit about navigation in WWII era bombers using triangulation via radio compass...

Clive Robinson • November 30, 2008 11:49 PM

@ David,

"I'm a complete novice when it comes to the underlying protocols in modern telecom, but just to illustrate how unremarkable this sort of application is in the scheme of things, HAM radio hobbyists have been doing fox hunts for years"

As your grandfather would have told you, "huff-duff" does not work with multiple (virtually) simultaneous on-frequency transmissions.

All modern cellular phone systems are frequency spectrum limited. To provide the level of coverage required in a modern city they use various shared channel techniques such as TDMA/CDMA etc. Conventional direction finding does not work with these.

To do it you need a specialised receiver that locks onto the transmitter of interest and only displays directional information for that signal, or be so close to the desired transmitter that it is by far the strongest signal.

Although in practice a mobile when actively in use within a cell will stay on one channel, there is no reason why it should. And there is a good series of arguments to indicate that overall performance would be improved if it did hop around the channels (see CDMA95 and CDMA2000 documentation).

David • December 1, 2008 10:31 AM

@Clive
I have to admit I'm basing my understanding of the technology in these GSM sniffers on 1G protocols that involved persistent cleartext broadcast of a mobile subscriber ID at all times in response to a tower requesting a handshake.

I've owned cellular phones since the early '90s and remember having my SIM cloned (and sold to drug dealers in Atlanta!), so I did the reading to understand just how it works. There's been some knowledge atrophy since then, but a summer spent in SF reinitiated me to the results of all sorts of misuse of FCC licensed devices, so my interest is budding again.

Peter E Retep • December 1, 2008 5:25 PM

Just saw Eagle Eye.
Has the NSA installed a Verushka-style feature in the omni-chip capabilities list?

Steve Voss • April 9, 2009 8:01 AM

The problem with this technology is when the bad guys get it, or gangs like ex-military gangs.
My family is in a situation where we are being gang stalked, repeat, and I use an iPhone.
We go to stores or parks and these guys are there. What is their MO?
To make sure we make eye contact, then they immediately split.
They just want us to know they are watching our every move.
It is so frightening we had to go to the FBI.
It is physiological warfare, and the citizens of the country are going to have some very tough times in the very near future.

Kayla • July 28, 2009 3:57 PM

I have been looking for a program or something to find the approximate location of a cell phone. The only thing I can seem to find only tells me where I live..... I lost my phone and it could be one of many places. If anybody knows of a cheap or even free program I can buy to track my cell phone PLEASE e-mail me. Thanks.

Ing • September 18, 2009 6:33 AM

Can someone help answer one simple question for me --- can a cell call last week or yesterday be tracked?
Please send message back to ing@official-fa-q.com ------ I am asking about this because I use a SIM card modem for internet use and I wanted to see if anyone can see my old locations.

Thanks for sending an answer back.
ING

Clive Robinson • September 18, 2009 11:37 AM

@ Ing,

"Can someone help answer one simple question for me --- can a cell call last week or yesterday be tracked ??"

I think you are asking your question in the wrong way...

Something that works at the speed of light only has a finite timeframe in which it can be tracked or traced whilst it is operating.

However the network sends this sort of information across the network (see Signaling System 7 specifications) to enable things like handovers etc.

The question you should be first asking yourself is,

"is my location information stored by the telco or others?"

The answer in all probability is yes, which gives rise to the real question you should be asking,

"Who can get access to my location data?"

And sadly in many places the answer is more people than you think "officially", and a darn sight more unofficially.

blues • December 23, 2009 6:07 AM

I'm a retired frequency coordinator, electronics person. I have no cell phone, but if I did and I wanted to block the signal, I would simply turn the phone "off" (it won't really be off, but you might save on battery usage), and wrap the entire phone in copper foil. This would be easy and quite effective, but the phone might possibly crank up its RF output attempting to reach a tower, and this could cause more battery usage.

I would not use aluminum foil because aluminum accumulates a thin oxide layer that will eventually break electrical contact between overlapping layers and also affect skin effect (high frequency RF "clings" to the outside of electrical conductors), and the shielding could lose effectiveness. You only need thin copper foil, which you can get at:

http://basiccopper.com/thicknessguide.html
