[guardian-dev] detecting mobile phone location

Hans-Christoph Steiner hans at guardianproject.info
Wed Feb 12 11:00:50 EST 2014



On 02/11/2014 12:21 PM, Nathan of Guardian wrote:
> 
> On 02/11/2014 10:59 AM, Lee Azzarello wrote:
>> On 2/11/14, 9:20 AM, Matej Kovacic wrote:
>>>> Hi,
>>>>
>>>> I have a contact with one of the human rights activists in
>>>> Sudan. The person told me a story, that some Somalian
>>>> indigenous people, who are opressed by the Sudanian regime did
>>>> the test with mobile phones.
>>>>
>>>> They turned the mobile phone on, put it on some corner and
>>>> went several hundert meters away. In an hour airplane came and
>>>> bombed the house.
> 
> This sounds very similar to the case in Syria where a journalist was
> using a fixed satellite uplink to communicate via Skype, and it was
> eventually targeted by mortar fire. Whether the targeting was through
> radio signal tracking or a more crude means, the fact that it was
> fixed made it more easy to locate and destroy.
> 
>>>> I am quite curious how is that possible if there is no mobile
>>>> signal there. Of course, I don't know the details, it is
>>>> possible, that mobile signal is there. As far as I know, it is
>>>> possible to connect to a base station from up to 30 km away,
>>>> but I am not sure how triangulation works if there is only one
>>>> base station nearby.
> 
> This is definitely part of the story that sounds questionable. If
> there was malware on the phone that tapped into the GPS (was it a
> smartphone?), then the precise coordinates of a house are possible to
> locate. If it is just a feature phone and the location occured via
> cellular base station triangulation, there would need to be a good
> density of towers in the area for the phone to connect to.
> Alternately, there could have been a drone or aerial tracking of some
> sort, which is apparently what the US is capable of.
> 
> Any sort of digital surveillance of this sort, was also likely paired
> with human, on the ground intelligence, such that it was known the
> person of interest might be coming to a certain house, and the cell
> signal being roughly in the area only confirmed that. Again, based on
> recent reports, it often seems that simply knowing a phone is on in a
> rough area is enough reason to target a bombing or drone strike.

It is absolutely possible to track a mobile phone even if it is not near any
base station, and even if it has no SIM card.  That mobile phone will put out
broadcasts of the highest power looking for a base station, and those
broadcasts will include unique IDs like IMEIs and IMSIs.  I don't have figures
on cellular range, but I do for wifi.  For an idea of the range of detection,
a GSM radio can radiate 2000-3000mW.  A wifi radio radiating at 500mW is
usable from 300km away if both sides are using an antenna.
https://www.defcon.org/html/links/dc_press/archives/12/wifiplanet_highnoonforwireless.htm

So a drone should have no problem tracking a mobile phone that is 30km away.
This kind of tracking is used the US (CIA/NSA) for its targetting killings,
and the drone strikes are often done purely based on SIGINT (signals
intelligence, aka looking at the info radiating from mobile phone radios).
Read more about it here:

https://firstlook.org/theintercept/article/2014/02/10/the-nsas-secret-role/


>>>> Now they have a question: how to protect from this? They came
>>>> with an idea that they will simply remove SIM card and
>>>> communicate via wi-fi. System would create with meshing network
>>>> where each mobile phone would be a relay node.
> 
> There are a variety of technical wifi mesh system that are possible
> for short range sharing - Samsung phones even have a whole bunch of
> built in apps that make this possible via wifi direct. However, a
> persistent large mesh system takes time to put in place, and given the
> state of Syria, would not really be possible with the current
> restriction on import of technology, imho.
>
>>>>
>>>> There is an application from Swiss mountain rescue service
>>>> called Uepaa (http://www.uepaa.ch), which is doing similar
>>>> thing.
>>>>
>>>> There is also interestin slovenian project doing this with
>>>> home wi-fi routers: https://wlan-si.net/en/ and
>>>> https://nodes.wlan-si.net/.
>>>>
> 
> For one project that we contributed Android code to, see
> http://commotionwireless.net/
> 
> A 10 node system was recently deployed in Tunisia, with the help of a
> qualified team. The Android app does work, but it mostly requires a
> rooted device (Cyanogen even better), running the right type of wifi
> driver.
> 
> Even with mesh however, you are emitting a radio signal, that is
> trackable via your MAC hardware address, and so on. Location tracking
> of wifi signals via MAC is now a fairly common skill that even ad
> marketers are using, so I wouldn't put it beyond a government.
> 
> Most mesh systems are built for humanitarian purposes and not
> adversarial situations, and so the state of their security and
> anti-surveillance features is quite minimal.
> 
>>>> Any idea how to privide safe communications in such a case?
>>>> Because encryption is not a solution, problem is location
>>>> privacy.
>> Radio Direction Finding (RDF) has a rich history that predates
>> mobile phones. A solution to provide safe communications when a
>> radio is an active target for an air strike is not to use a radio
>> to communicate.
> 
> I would agree. If you are being actively targeted for bombing, I would
> avoid using radio emitting systems at all. Netbooks or cheap laptops
> with wifi off, or in a strech an Android device without SIM and wifi
> off, combined with physical couriers of encrypted (TrueCrypt or encFS)
> USB flash drives or SD cards, are probably the best way to go, in that
> case. It seems a bit archaic perhaps, but at least you won't be
> broadcasting a radio signal, while still providing a means for secure
> digital exchange of information between remote groups.



Wifi can help, but there are also some of the same risks.  It will be harder
to track because the signal is much weaker.  On a mobile phone, wifi will
usually radiate less than 50mW. That's a lot less than 3000mW.  The risk is
that wifi still radiates a unique ID (the MAC address).  But if you use a MAC
changer, then you can change the MAC address every time the device uses a
different wifi, and that will make it very difficult to track.

But really the best protection is like Lee and Nathan said: avoid using
radios.  Turn off all radios when they are not in use.  So for people at high
risk, that means they should always leave the phone in airplane mode with wifi
and bluetooth off, then only turn on the radios when actually using the phone.
 And when possible use devices without cellular (GSM/CDMA/LTE) radios, i.e.
only wifi.


>> At the very least use the radio only for some kind of store and
>> forward system whereby the user may transmit a message and
>> immediately power down the radio after transmission.
> 
> Yes, a store and forward system where people travel to a central area
> to send/exchange messages also makes a great deal of sense.
> 
> In the end, places like Syria and Sudan are active war zones for all
> intensive purposes, and need to be approached in that way. The export
> of digital surveillance tools to anyone with the funds to by them is a
> reality, and so any plausible capability should be seriously considered.
> 
> +n

There are a number of great projects like this, one called "United Villages"
that use buses and motorcycles as the internet connection:

http://news.bbc.co.uk/2/hi/technology/6506193.stm

https://ictec.wordpress.com/2010/02/09/drive-by-wi-fi-internet-access-for-remote-villages/

.hc





-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 969 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20140212/65200ed0/attachment-0001.pgp>


More information about the Guardian-dev mailing list