Using a cheap phone, readily available equipment, and no direct help from a service provider, hackers can listen in on unencrypted broadcast messages from cell phone towers.
Computer scientists in the University of Minnesota's College of Science and Engineering have discovered that cellular networks are leaking the locations of cell phone users, allowing a third party to easily track the location of the cell phone user without the user's knowledge.
"Cell phone towers have to track cell phone subscribers to provide service efficiently," researcher Denis Foo Kune explains. "For example, an incoming voice call requires the network to locate that device so it can allocate the appropriate resources to handle the call. Your cell phone network has to at least loosely track your phone within large regions in order to make it easy to find it."
The result is that the tower will broadcast a page to your phone, waiting for your phone to respond when you get a call.
This communication is not unlike a CB radio. Further, it is possible for a hacker to force those messages to go out and hang up before the victim is able to hear their phone ring.
Cellular service providers need to access location information to provide service. In addition, law enforcement agencies have the ability to subpoena location information from service providers. The University of Minnesota group has demonstrated that access to a cell phone user's location information is easily accessible to another group—possible hackers.
"It has a low entry barrier," Foo Kune said. "Being attainable through open source projects running on commodity software."
Using an inexpensive phone and open source software, the researchers were able to track the location of cell phone users without their knowledge on the Global System for Mobile Communications (GSM) network, the predominant worldwide network.
In a field test, the research group was able to track the location of a test subject within a 10-block area as the subject traveled across an area of Minneapolis at a walking pace. The researchers used readily available equipment and no direct help from the service provider.
The implications of this research highlight possible personal safety issues.
"Agents from an oppressive regime may no longer require cooperation from reluctant service providers to determine if dissidents are at a protest location," the researchers wrote in a research paper presented at presented at the 19th Annual Network & Distributed System Security Symposium.
"Another example could be thieves testing if a user's cell phone is absent from a specific area and therefore deduce the risk level associated with a physical break-in of the victim's residence."
Foo Kune and his group have contacted AT&T and Nokia with low-cost techniques that could be implemented without changing the hardware, and are in the process of drafting responsible disclosure statements for cellular service providers.
Source: "Location Leaks on the GSM Air Interface," presented at the 19th Annual Network & Distributed System Security Symposium in San Diego, California.
Ph.D. student Denis Foo Kune, associate professors Nick Hopper and Yongdae Kim, and undergraduate student John Koelndorfer.