[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Mobile phones used as trackers




In article <[email protected]>,
"William H. Geiger III" <[email protected]> writes:

> It is my understanding that they can still track you with the cell phone
> turned off so long as there is power going to the box (most auto cell
> phones are hardwired into the cars electrical system).

This is the funniest thing I have read in some time.  Assuming you
watch the show, I think you may have watched too many episodes of the
X-Files (TM).

When the subscriber unit (SU a.k.a. the cellular phone) is turned off,
"they" can't track you.  Now, it is possible that some cars have
built-in SUs that automatically power-on whenever the car is started.
In this case, the SU is clearly turned on and the user knows it.

Analog cellular phone systems in the U.S. only force the SU to
transmit when they need too.  As someone else already mentioned, from
the perspective of cellular system operators, bandwidth is in short
supply.  The cellular system operators wouldn't stand for a bunch of
unneeded transmissions "just to track location".

Based upon my own personal informal study [1] and some past knowledge
of cellular-type systems [2], in general, I believe the following
about analog cellular systems fielded in the U.S.:

1) "They" might be able to get a location reading at power-on time.
   The SU will check to see if it is being powered on within a
   different cell than it was last registered.  If the cell is
   different, then the SU transmits a message on the cell's control
   channel to reregister.  If the SU believes it is in the same cell,
   then it doesn't transmit anything at power-on time.  If the SU
   transmits, it will be a very short burst.  This would allow an
   attacker to see your location at power-on time.

2) When your SU is on, "they" can track your cell-to-cell movements.
   Cells are on the order of 1-10 miles in diameter.  The more
   populated the area (actually, the more likely the system is to be
   used in an area), the smaller the cell size.  "They" will only get
   a reading when you move between cells.  The system uses a form of
   hysteresis so your SU doesn't flip back and forth between two cells
   while you are on the "edge" between cell.  Actually, there are no
   real edges to the cells in an RF cellular system.  There is a bit
   of overlap between cells and the cell boundaries actually move over
   time due to environmental factors.  I.e. your SU might be
   stationary and yet decide to move to a different cell due to a
   stronger signal being seen from a different cell at a particular
   point in time.

3) "They" can track your fine-grain movement while you are engaged in
    a call or call setup.  This is because an SU transmits the entire
    time these activities take place.  Note that call setup can be for
    either incoming or outgoing calls.

The above appear to be the only times an SU will transmit in a
properly functioning analog cellular system.

Now, if we change the rules to allow an active "spoof" attack or
participation by the service provider, I speculate that specific
attacks against one or a few people (well, actually against their SUs)
could be waged to track their fine-grain movement:

4) Continuously inform the SU that an incoming call is waiting.  The
   user would get an indication of this attack since the phone would
   "ring" to signal an incoming call.  OTOH, perhaps, there is a way
   to inform the SU that an incoming call is waiting without allowing
   the phone to enter the final state where it begins to "ring".  A
   detailed study of the air interface and SU implementations would be
   required to understand if the silent attack is possible.  This
   attack could target one SU.  Even if direct indications were not
   seen by the user, battery life would be shortened somewhat.

5) Continuously force the SU to "see" a different cell code, thus
   forcing it to continuously reregister.  The user would get no
   direct indication during the attack.  However, battery life would
   be shortened somewhat.  There may be protection in the SU to ensure
   a minimum time period between reregistrations.  However, this would
   just limit the fineness of the tracking.  Again, detailed study
   would be required.  This attack would appear to target multiple SUs
   in a given area.

If you assume your attacker is capable of (4), (5) and similar tricks
and you have something to hide, then I suppose turning your SU off and
on is a wise course of action.

However, the coarse-grain (pin-point location but only at widely
dispersed points in time) tracking afforded by (1) and (2) seem like
minimal threats.  If you are concerned by (3), then please remind me
why you are using the analog cellular phone system.

Regards,
Loren

[1] My informal study was conducted with a Motorola Micro TAC Lite SU
    and an HP 2.9 GHz Spectrum Analyzer on 1/5/98 and 1/6/98.  My
    analog cellular service provider is Ameritech in the Chicagoland
    area.

[2] Disclaimer: I personally work on research related to the iDEN
    system (which is an advanced form of digital cellular with
    dispatch services and packet data) being rolled out nationwide in
    the U.S. by Nextel along with other local and international
    operators.  Motorola recently shipped the millionth SU for iDEN.
    I am only speaking for myself.  I have never worked on analog
    cellular systems nor read its specification.

-- 
Loren J. Rittle ([email protected])	PGP KeyIDs: 1024/B98B3249 2048/ADCE34A5
Systems Technology Research (IL02/2240)	FP1024:6810D8AB3029874DD7065BC52067EAFD
Motorola, Inc.				FP2048:FDC0292446937F2A240BC07D42763672
(847) 576-7794				Call for verification of fingerprints.