Location Leaks on the GSM Air Interface - NDSS Symposium
Location Leaks on the GSM Air Interface
Denis Foo Kune, John Koelndorfer, Nick Hopper, Yongdae Kim

Problem definition
• Large array of towers broadcasting messages
  – Can those messages reveal a phone’s location?
• Given a person’s phone number
  – Can we locate the tower they are attached to in a GSM network?
• GSM: dominant protocol worldwide
  – Analysis of layer 2/3 messages only.
• No collaboration from the service provider.
• No support from apps.

Cellular network architecture
[Figure: network diagram with labels PSTN, Service Provider Core Network, GSM Air Interface, Visitor Location Register, Mobile Station, Home Location Register]
IMSI: International Mobile Subscriber Identity
TMSI: Temporary Mobile Subscriber Identity

The GSM paging procedure
• Paging Request (CCCH)
• Channel Request (RACH)
• Immediate Assignment (CCCH)
• Paging Response (SDCCH)
• Setup and Data

Measurement platform
Motorola C118 ($30)
OsmocomBB (free)
Modified for US frequency bands
Serial cable and reprogrammer cable ($30)
T-Mobile G1 with custom Android kernel ($100)

GSM paging channel observations

| | T-Mobile LAC 747b | AT&T LAC 7d11 |
|---|---|---|
| Paging Requests – IMSI | 27,120 | 8,897 |
| Paging Requests – TMSI | 257,159 | 84,526 |
| Paging Requests Type 1 | 284,279 | 91,539 |
| Paging Requests Type 2 | 1,635 | 26 |
| Paging Requests Type 3 | 0 | 1 |
| Observation period | 24 hours | 24 hours |

Pages and human activity
• University campus
• Day of the week during the semester
[Figure: pages per minute (0 to 200) against time in minutes, April 2011, CDT; annotations: peak in the afternoon, low traffic after midnight]

Phone number-TMSI mapping
[Figure: timelines labelled PSTN and PCH against time, with intervals dt marked]

No recovered TMSI
[Figure: timelines labelled PSTN and PCH against time, with intervals dt marked]

Silent paging
• Delay between the call initiation and the paging request
  – 3 seconds
• Median delay between call initiation and ring
  – 6 seconds
[Figure: two plots with time in seconds (2 to 10) on the horizontal axis]

Bounding the LAC
• LACs can be very large.
  – T-Mobile LAC 747d: 100 km²
• Used a wall-following algorithm, road permitting.
• Call to MS on NW corner.
• Observed paging request on SE corner.

The GSM paging procedure
• Paging Request (CCCH)
• Channel Request (RACH)
• Immediate Assignment (CCCH)
• Paging Response (SDCCH)
• Setup and Data

Same tower test
• Delay between the paging request and the immediate assignment message.
[Figure: time difference between paging and IA messages in seconds (0 to 4), plotted for three groups labelled same, diff and random]

Finding individual towers
• Find individual towers with a hill-climbing algorithm.
  – Non-uniform RF attenuation.
  – Overshoot by 50 m to avoid local maximum.

ARFCN a phone is likely to camp on

Tracking users in motion
[Figure labels: Observer, Start, End]

Defenses
• Page multiple areas.
  – Less than 0.6% of paging requests are not type 1.
  – Available bandwidth for additional pages.
  – Human trajectories are predictable.
• Continuous time mixes.
  – Switch TMSI at least once per page.
• Phone/TMSI bitwise unlinkable.
  – Prevent traffic analysis.
• Cover traffic.
• Add exponential delay to paging requests.
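
An added sketch of two of the defenses listed above: a new TMSI after every page and an exponentially distributed delay before each paging request, with an audit that flags TMSI reuse in a paging log. It is not code from the talk; the class, the function names, the subscriber label, the 3-second mean delay and the call times are constructed for illustration.

```python
import random
import secrets
from collections import Counter


class PagingScheduler:
    """Toy network-side paging queue (hypothetical model, not a real MSC API)."""

    def __init__(self, mean_delay_s, rotate_tmsi=True, rng=None):
        self.mean_delay_s = mean_delay_s
        self.rotate_tmsi = rotate_tmsi
        self.rng = rng or random.Random()
        self.current = {}    # subscriber label -> TMSI currently assigned
        self.issued = set()  # every TMSI handed out so far

    def _fresh_tmsi(self):
        # TMSIs are 32 bits; draw from a CSPRNG and never hand one out twice.
        while True:
            tmsi = secrets.randbits(32)
            if tmsi not in self.issued:
                self.issued.add(tmsi)
                return tmsi

    def page(self, subscriber, call_time_s):
        """Return (release_time_s, tmsi) for one incoming call."""
        if subscriber not in self.current:
            self.current[subscriber] = self._fresh_tmsi()
        tmsi = self.current[subscriber]  # the page uses the TMSI the phone knows
        if self.rotate_tmsi:
            # Reallocate once the page is answered, so the next page differs.
            self.current[subscriber] = self._fresh_tmsi()
        # Exponential delay decouples page timing from call timing.
        delay = self.rng.expovariate(1.0 / self.mean_delay_s)
        return call_time_s + delay, tmsi


def reused_tmsis(page_log):
    """Audit a paging log: TMSIs that appear in more than one page."""
    counts = Counter(tmsi for _, tmsi in page_log)
    return {tmsi for tmsi, n in counts.items() if n > 1}


def run_demo(rotate_tmsi, seed=1):
    """Page one constructed subscriber for four constructed call times."""
    sched = PagingScheduler(3.0, rotate_tmsi, random.Random(seed))
    return [sched.page("subscriber-A", t) for t in (0, 60, 120, 180)]


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_tmsi=%s reused=%d" % (rotate, len(reused_tmsis(run_demo(rotate)))))
```

With rotation off, the audit reports the one TMSI that every page carried; with rotation on, it reports none.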

Conclusion
• Systems with broadcast paging protocols could leak location information.
• Leaks observable with
  – readily available equipment,
  – no (direct) help from the service provider.
• Proposed low cost fixes.
• Responsible disclosures.
  – 3GPP, Nokia, AT&T research

Thank you
• Questions