May 15, 2006

Tracking you, tracking me, tracking everyone

You, me, everyone: we are all trackable by our cellphones. Not just Greek Prime Ministers. Here's how.

Each phone has a SIM (subscriber identity module) card, which is the smart card that holds the billing arrangement. Each SIM card has a number, so it is uniquely identified in the packets of information flashing across the network. That makes it trackable.

So a common trick for mafia bosses and other delightful characters was to keep the same phone but change the SIM (by opening the back up, dropping the battery out, and switching the little chip card). This meant that access to the billing records would not automatically be useful for tracking purposes, as the SIM number is what is billed.

This trick was known as far back as the early 90s, when some drug dealer was caught with 80 SIMs in his briefcase. He'd use them for one call each.

Unfortunately for them, this was futile, and here's why. Each phone has a number, which is internationally and centrally coordinated in the standard telco committee fashion. That is, the mobile phone manufacturers get together in a smoke-filled room and allocate a batch of numbers to each of them, so each phone the world over is unique.

This number is called the IMEI, or international mobile equipment identity, which includes the manufacturer's prefix and the phone's number (it's the same concept as your ethernet card's MAC address if you know what that means). The IMEI is also trackable, but you need a separate set of records to get access to it: call records. These are the technical records of what traffic is passing up and down, phone to phone. This is the real time stuff, and it has the raw IMEIs in there, which are later filtered out for billing purposes.

So our friendly mafiosi were caught by anyone who could get access to those traffic records. And, if you think about it, the bad guys stuck out like a sore thumb because the SIMs kept changing and the IMEI did not. Now of course this trick is widely known:

ICE officials said that they're working with Mexican authorities to return [Castorena-Ibarra] to the United States but that the mustachioed fugitive moves frequently and changes cellphones every few days.

It's also possible to rewrite the IMEI if you have the right phones and the know-how. But, a good friend advises me, that's illegal in many countries, and you'll get into heap big trouble if you're caught doing it.
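To make the SIM-versus-IMEI point concrete, here is an added example (my own code, not from the original post) that runs the two views over a constructed set of traffic records. The record shape, the handset and SIM labels and the "pivot from one SIM through its handset to all the others" step are my assumptions about how an analyst would read such records, not anything the post or a real operator specifies. The billing view sees six unrelated subscribers; the traffic view sees one handset that has carried four of them, plus the mirror case of one SIM moving between handsets.

```python
from collections import defaultdict

# Constructed sample "traffic records" (not real data), shaped the way the text
# describes them: every leg carries the raw handset id (IMEI) next to the SIM
# that was used and billed (labelled here by a made-up subscriber id).
RECORDS = [
    # (timestamp, imei, sim)
    ("2006-05-01T09:00", "IMEI-A", "SIM-1"),
    ("2006-05-01T09:30", "IMEI-A", "SIM-2"),
    ("2006-05-01T10:00", "IMEI-A", "SIM-3"),
    ("2006-05-02T11:00", "IMEI-A", "SIM-4"),
    ("2006-05-02T12:00", "IMEI-B", "SIM-9"),
    ("2006-05-03T12:00", "IMEI-B", "SIM-9"),
    ("2006-05-03T13:00", "IMEI-C", "SIM-7"),
    ("2006-05-04T08:00", "IMEI-D", "SIM-7"),
]


def billing_view(records):
    """What billing records alone show: one apparently separate subscriber per SIM."""
    return sorted({sim for _, _, sim in records})


def sims_per_handset(records):
    """Traffic-record view: each IMEI mapped to the distinct SIMs seen in it, in time order."""
    seen = defaultdict(list)
    for _, imei, sim in sorted(records):
        if sim not in seen[imei]:
            seen[imei].append(sim)
    return dict(seen)


def handsets_per_sim(records):
    """The mirror image: one SIM that moves between handsets (the disposable-phone case)."""
    seen = defaultdict(list)
    for _, imei, sim in sorted(records):
        if imei not in seen[sim]:
            seen[sim].append(imei)
    return dict(seen)


def sim_churn_outliers(records, threshold=3):
    """Handsets that have carried at least `threshold` distinct SIMs: the
    'SIMs kept changing, IMEI did not' pattern the text describes."""
    return {imei: sims for imei, sims in sims_per_handset(records).items()
            if len(sims) >= threshold}


def sims_linked_to(records, sim):
    """Start from one SIM (say, the one named in a billing record) and pivot
    through the handset it was used in to every other SIM that handset carried."""
    linked = []
    for sims in sims_per_handset(records).values():
        if sim in sims:
            for s in sims:
                if s not in linked:
                    linked.append(s)
    return linked


if __name__ == "__main__":
    print("billing sees:", billing_view(RECORDS))
    print("traffic sees:", sims_per_handset(RECORDS))
    print("handsets per SIM:", handsets_per_sim(RECORDS))
    print("SIM-churn outliers:", sim_churn_outliers(RECORDS))
    print("SIM-2 links to:", sims_linked_to(RECORDS, "SIM-2"))
```

The threshold in `sim_churn_outliers` is arbitrary; the point is that the linkage needs nothing cleverer than a group-by on a field that billing strips out and traffic records keep.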

Another little trick - it turns out that it is possible to ping anyone's cell phone by sending a zero-length SMS message. As it is zero length, the phone drops it without further ado, but if the "acknowledge receipt" bit is set the phone replies. This reply SMS is free, but it still shows up bright and clear in the records. Which leads us to the next issue. [this paragraph edited and improved heavily!]

Think about how the network works. You are walking down the street, and you are always in contact. You can always be phoned. Yet, the transmitters in built-up areas only have a range of less than a kilometer ... sometimes only a few hundred meters.

How do they do that? It's called "hand-off". Each tower recognises the phone's presence and tells the "center" that it's in comms with your phone. Then, when you walk past the next tower, the two towers have a little chit chat and hand you over. Of course, the center has to know so as to re-route incoming calls to you.

So the center knows where you are - to the accuracy of the towers. And, anyone who is looking at that feed of information knows where you are. And, anyone who shares that info also knows.

That's why there is all this talk about adverts popping up on your phone saying "turn left here for a special price on lunch!" Actually it gets even more juicy as there is a thing called triangulation where the towers can reveal signal strengths, times, and directions, and a bit of maths will coordinate you down to tens of metres.
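The "bit of maths" is ordinary geometry. The added example below (my own code, not from the original post) contrasts the tower-level fix with a least-squares position computed from three tower sites and the handset's measured range to each. The tower grid, the true position and the 50-metre rounding of the ranges are constructed for illustration and stand in for whatever timing or signal-strength measurement a network actually uses; they are not real sites or real radio parameters. The rounded case lands a couple of dozen metres off, which is the "tens of metres" the text talks about.

```python
import math

# Constructed example: three tower sites on a local metre grid (not real sites)
# and the handset's true position, used only to generate the sample ranges.
TOWERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 800.0)]
TRUE_POSITION = (300.0, 200.0)


def ranges_from(position, towers, step=None):
    """Tower-to-handset distances, optionally rounded to a coarse `step` in metres
    to mimic a quantised range measurement (the step size is an assumption)."""
    out = []
    for tx, ty in towers:
        d = math.hypot(position[0] - tx, position[1] - ty)
        out.append(d if step is None else round(d / step) * step)
    return out


def cell_of_origin(towers, ranges):
    """Coarsest fix: the nearest tower, with its range as the radius of uncertainty.
    This is the 'to the accuracy of the towers' view."""
    i = min(range(len(ranges)), key=lambda k: ranges[k])
    return towers[i], ranges[i]


def trilaterate(towers, ranges):
    """Least-squares position from at least three tower positions and ranges.

    Subtracting the first circle equation from the others linearises the problem:
        2(xi-x0)x + 2(yi-y0)y = d0^2 - di^2 + xi^2 - x0^2 + yi^2 - y0^2
    which is then solved via the 2x2 normal equations.
    """
    if len(towers) < 3 or len(towers) != len(ranges):
        raise ValueError("need at least three towers with matching ranges")
    (x0, y0), d0 = towers[0], ranges[0]
    rows = []
    for (xi, yi), di in zip(towers[1:], ranges[1:]):
        a = (2 * (xi - x0), 2 * (yi - y0))
        b = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b))
    s11 = sum(a[0] * a[0] for a, _ in rows)
    s12 = sum(a[0] * a[1] for a, _ in rows)
    s22 = sum(a[1] * a[1] for a, _ in rows)
    t1 = sum(a[0] * b for a, b in rows)
    t2 = sum(a[1] * b for a, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is not determined")
    x = (s22 * t1 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return (x, y)


def position_error(estimate, truth=TRUE_POSITION):
    """Distance in metres between an estimate and the true position."""
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


if __name__ == "__main__":
    exact_ranges = ranges_from(TRUE_POSITION, TOWERS)
    coarse_ranges = ranges_from(TRUE_POSITION, TOWERS, step=50)
    tower, radius = cell_of_origin(TOWERS, exact_ranges)
    print("tower-level fix:", tower, "within", round(radius), "m")
    fine = trilaterate(TOWERS, exact_ranges)
    print("exact ranges ->", fine, "error", round(position_error(fine), 1), "m")
    rough = trilaterate(TOWERS, coarse_ranges)
    print("50 m ranges  ->", rough, "error", round(position_error(rough), 1), "m")
```

The collinear check matters in practice: three towers along one road leave a mirror-image ambiguity that the solver cannot resolve, which is one reason real systems add direction or a fourth site.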

None of this is secret. In conferences, and in articles, people have been talking about the marketing implications of such cellphone "traffic analysis" for years. Some of this is directed at sales opportunities, others at "social networking" analysis, and some of course at the "tracking bad guys" angle.

This is so un-secret that in the USA and other places, they have been trying to make it law that cell phone operators provide your location every time you punch in 911.

What has not been discussed at all are the ramifications of your telco knowing where you are. Within pretty close parameters. Every moment your cellphone is switched on.

What has not been thought about at all is who they are selling this information to and who they are sharing it with - inadvertently or otherwise. And whether those that are doing the listening are operating with due regard to your privacy, with oversight, or what.

Instead, there is the steady rumble of scandals, as the public finds out what the insiders have known all along. Let's close with this one:

Alexis Papahelas -- so you are saying even the crypto phones that the [Greek] prime minister/government/military are using they are vulnerable to this kind of penetration you say.

James Bamford: Well, crypto phones are probably NSA's biggest targets around the world, whether or not the NSA was able to break the encryption of the algorithm to get into those phones I don't know. I don't have this information, but I know obviously NSA's key job, NSA's first job is intercepting communications, and second job is breaking codes such as the codes that encrypts that communications, and third job is making USA encryption systems.

(oops, sorry, that'll all be greek to you!)

Posted by iang at May 15, 2006 07:41 AM

minor related reference from crypto list posting NSA knows who you've called

there was some recent announcement (I forget where I saw it) that somewhere they are going to start sending location specific advertisements to your cellphone ... as you move from place to place ... they will transmit advertisements to your cellphone that are specific to your current physical location.

Posted by: Lynn Wheeler at May 14, 2006 10:46 AM

I have probably missed something: What is the issue with zero-length SMS message? Do towers use this approach to detect a phone presence/location?

Interesting article anyway, thanks!

Posted by: Tom K. at May 15, 2006 03:27 AM

I've adjusted the article a bit - there is an acknowledge bit that needs to be set, that results in your phone sending back an ACK that you don't know about. This is uncharged, but it pops up in the records.

Posted by: Iang at May 15, 2006 09:41 AM

These days the phones themselves are so cheap that they can perhaps be used disposably for these purposes.

Posted by: Ray at May 17, 2006 05:25 AM

I got a good learning but somewhere I felt that still we have to go up in these techniques.
And suppose I'm talking to somebody on his/her mobile phone and at the same time I want to trace his/her entire information (like address and all etc.)
How can we do that?

Posted by: Chandraprakash at December 10, 2006 09:54 AM