Ask Slashdot: How To Stay Ahead of Phone Tracking ?

An anonymous reader writes "In the last few years there has been a significant upsurge in subverting the cellular network for law enforcement purposes. Besides old school tapping, phones are have become the ideal informant: they can report a fairly accurate location and can be remotely turned into covert listening devices. This is often done without a warrant. How can I default the RF transmitter to off, be notified when the network is paging my IMSI and manually re-enable it (or not) if I opt to acknowledge the incoming call or SMS? How do I prevent GPS data from ever being gathered or sent ?"

Don't carry one

[siddesu]

As you know, they can track you even when the device is off, unless you've taken the battery out.

Re:Don't carry one

[gl4ss]

umm that's only the case if they've managed to fit something on your phone.
on most any phone offline mode means no connection to network.. but if you want to be conected you're going to be paged all the fucking time for your info. so staying in offline mode is the answer. of course you can't know if someone is calling you or not.

and if you're worreid about gsm attacks put your phone into umts only mode.

Re:Don't carry one

It's called a real-time clock. Your computer has one. A builtin battery too.

Re:Don't carry one

[DKlineburg]

maybe not so? See article about your habits being unique and identifiable here on /.

Re:Don't carry one

[Electricity+Likes+Me]

If you really want to track someone, it's usually way easier to steal and modify their phone, or modify a replica phone and download their phone to that one.

There are a lot of high-tech surveillance techniques, but they're just really kind of hard to do compared to the simple stuff.

Re:Don't carry one

It is about 30-80 seconds. What? Work with embedded radios... Quicker if you have a chipset that keeps some info around in flash.

Believe it or not the modem is just that, a modem. It has an AT command set even hanging off an internal 'com port'. You 'dial' a number just like the old acoustic modems (atdt). You just ate 3-6 seconds there. Time for the modem to find the local towers (and there is almost always more than one). Set up the connection to the tower... Newer ones have a PPP session to setup as well before they will even let you make a call. That takes time for the authentication and radius setup.

You can get it to go faster but you have to be in the right conditions and have a *very* well written stack. Most stacks are 20+ years old now with tons of diagnostic cruft. The books that describe these things are 2+ inches thick. They work but have to work in a cell network that is just as old in all conditions. So they have a very well defined setup procedure.

Also to the original poster. The tower does not 'know' where you are unless your phone transmits. ALL phones transmit. They have to. Otherwise they are not part of the cell network. Otherwise walking/running/driving from one cell to another would not work. Or do you think when someone calls you it lights up every tower in the area? Older networks did just that. But it worked for some types of messages and quickly was swamped with any sort of volume. But newer ones are all switched and routed. Its why if the tower can not see you and someone calls they are dumped right into voice mail. So yeah you could turn off the beacon. But only if you do not care about anyone ever being able to call you as the tower would drop you out if you do not beacon. It has a few hundred other phones to take care of than yours which from its point of view looks off. Do not want GPS? Good luck with that. They do not even need GPS they can figure it out from the towers (which have fixed known locations). http://en.wikipedia.org/wiki/Direction_finding

What the original poster is asking for would not work very well. Well in a very limited fashion it would work. But only if he does not care about ever getting calls or SMS. He can use airplane mode. Built in to almost every phone out there. He can then use one of the many firmwares out there and have it default to on with a startup script. The listen only? Not going to happen unless he knows specifically how to talk to the modem. Also there are hundreds of chipsets out there and they all act a little different, qcom vs athros vs ti vs bcom all different even between chipset lines (the propitiatory blob in most phone firmwares). Even then it would from the networks POV look like he is off so it would not even bother to send the message (older networks did this, newer ones do not waste the bw, they need it). Also if the carrier gets wind of him doing this? They probably would just deactivate the account for tampering with the network and leave him stuck with the bill for the phone he has not paid off yet. The guys at the lower levels 'stick to the script'.

It is very simple do not want someone tracking you? Do not carry around a cell phone radio and leave it at home and turned off. It is the position Richard Stallman takes. It is not one I take. My phone is at my pleasure. Not someone elses. They want the info they have to get a warrant. Someone got the data without one and used it against me I would press on it.

A better idea would be to get one of the *many* android pads out there and put skype on it. Much simpler.

Re:Don't carry one

[number11]

Flash memory has a limited number of writes, and won't power an on-board clock in any event.

The minimum number of write cycles seems to be around 10K, and could be 1M or more (depending on type of memory). If you have the least durable flash, and turn your phone off once a day, that's 27 years. (Most people don't seem to ever turn their phone off.) What do you suppose the service lifetime of the average phone is? 3 years?

Transmitter off won't work.

[rew]

If you want to receive calls or SMSes, you need to leave the phone on and transmitting:

When a call for your number comes in, the incoming call is NOT transmitted nationally. Only in the GSM-cell that you are actually in is the signal transmitted. So, the system has to know in which cell you are to be able to "call" your phone. If you properly turn it off, the phone will tell the GSM network it is going off. So when a call comes in, it will go to voicemail immediately. If you yank the battery, the system will assume you are still in that cell where you last had the phone on, but it will probably time you out if it doesn't hear from your phone for a while. (which happens naturally if for example you drive out of range).

Re:Transmitter off won't work.

[KiwiSurfer]

When a call for your number comes in, the incoming call is NOT transmitted nationally. Only in the GSM-cell that you are actually in is the signal transmitted. So, the system has to know in which cell you are to be able to "call" your phone.

Not quite, a GSM switch will keep track of which Location Area (LA) a mobile device is in. A LA can contain a few or upwards to several hundred cells. Using Vodafone's GSM network in New Zealand as a point of reference, their largest LA covers all of Auckland's (our biggest city with 1.5m population) CBD with around 150-200 sites while in rural areas a LA generally only has around 50 sites.

When a phone is being called, all the cells in the LA will send out a broadcast request to all mobile devices in the LA and the mobile device will respond by contacting the nearest cell. This is quite useful as it reduces the need for the mobile device to check in frequently — the mobile device only needs to check in with the network when it moves into a new LA.

I'm not too familiar with how UMTS or LTE works but I presume the same principles applies but I may stand corrected.

Futile

You can't.

Those are functions performed by the baseband software stack, which cannot be modified by the end user. Also you can't be simultaneously connected and not connected to the network anyway. If you don't want to be tracked by the network, don't use a cellphone.

Airplane mode and OsmocomBB

[asnelt]

I would say a good start is to just use the airplane mode of your phone. That should disable your RF transmitter. But of course you wont be notified when the network is paging your IMSI. The save option is to use a phone with OsmocomBB, a free software implementation of the GSM stack: http://bb.osmocom.org/trac/ It has limited functionality (no GPRS working at the moment) but at least you know exactly would your phone is doing. With that, you can even run CatcherCatcher, which is able to detect IMSI catchers: http://opensource.srlabs.de/projects/catcher The supported phones are a bit outdated, mostly old Motorola phones. But there is one supported smartphone: the Openmoko Freerunner. It is pretty usable these days and is fully supported by Debian. I love it, but you will need to tinker - a lot.

Re:Airplane mode and OsmocomBB

[asnelt]

What I forgot to mention: using OsmocomBB it should even be possible to fake your location. It is explained in this presentation at 05:20: http://www.youtube.com/watch?v=M0NjS6aUXYw

Re:GPS is not the issue.

[DontScotty]

If you are only using one tower - sure...

--------
  The tower can also measure how long it takes to get a response from your phone, and use that to estimate how far away you are. That puts you on the edge of a circle that distance from the tower.

Usually your phone can be heard by multiple cell towers. If two can hear you, then you're on the edge of each of 2 circles, and two circles can only meet at 2 points, so you must be at one of those 2 points.

If a third tower can hear you, its circle can only meet the others at one point, so there you are.

Emergency services (like 911) can get this information from the cell towers. The information exists whenever your phone is on and in range of a tower, whether you're making a call or not. The information is not meant to be publicly accessible.

Tower Triangulation does not often happen

Multiple tower triangulation, which seems so obvious, is quite difficult to implement, and is rarely done. Here's why:
  - if you're fairly close to a tower, then other towers are unlikely to hear you. (This is by design: cell phone towers are designed to minimize overlap in coverage, so as to maximize frequency re-use over a geographic region)
- Those times when you are in range of multiple antennas (LTE people call these e-nodeBs), it's your cellphone that keeps track of the strengths of the neighboring e-nodeBs. This list of signal strengths and interference levels is not sent out from your cellphone unless a handover between enb's is about to happen.
- communications between a cellphone and a tower is not by a single carrier, but rather using a large number of discrete frequencies (for LTE, it's orthogonal frequency division multiplex). This type of modulation is designed to resist fading and interference, but is extremely difficult to triangulate, because the databits are spread over many symbols)

Most common localization of a cellphone uses a single tower. Simply knowing the antenna that you're connected through localizes you to a sector (of about 60 to 120 degrees in angle by about 1Km to 10Km in radius). The cellphone operator's Mobility Management Entity keeps track of this in real time, so as to route your calls, forward messages, and page your cellphone. Of course, this is several square kilometers, but it's possible to do much better:

Better single-tower geolocation takes advantage of every cellphone's being kept in tight time-synchronization with the clock in the tower's enb, using "Timing Advance". The Timing Advance method, in theory, can determine the distance of your cellphone to the tower within about 150 meters, but typically an operator gets 300 to 400 meters rms. This is a radial distance from the tower to your cellphone. The azimuthal location is coarsely determined by the sectorization of the tower: most cellphone towers have 3 to 6 enodeb antennas, and so can localize within 120 to 60 degrees in azimuth. And so, in general, you can be geolocated within an annulus: it's about 300 meters in radial distance from the tower, and about 60 to 120 degrees in azimuth. A fairly big territory: probably a football field or three. These systems are very useful for locating network problems, but cannot determine your location to better than a couple hundred meters.

A few systems can improve on this. For example, Newfield Wireless has developed a high resolution method of single-tower localization, apparently using enodeB timing data combined with local geographic information. But I'd be surprised if this results in better than 50 meter resolution.

Short version: Cellphone triangulation will not track you. Single tower tracking systems can yield coarse tracking.