[guardian-dev] thoughts on mobile tracking

Matej Kovacic matej.kovacic at owca.info
Mon Jan 13 05:25:06 EST 2014


I was thinking about the problem of location privacy.

While the problem of eavesdropping is being solved (use of encrypted VoIP
communications and encrypted chat), there seems to be no straightforward
solution to this problem.

The problem is that, regardless of using encryption and Tor, it is still
possible to track a mobile device.

Basically, there are four attack vectors:

- tracking IMEI number
- tracking MAC address
- tracking IMSI number
- tracking with silent SMS messages and IMSI Catchers

However, there are some solutions for this, at least as proof of
concept, *but user friendly applications are not developed yet*.

There is a project called IMEI modifier. More details here:
- http://forum.xda-developers.com/showthread.php?t=1103766

And there is a MAC changer project. More details here:
- http://www.openwiki.com/ow.asp?Changing+MAC+addresses+on+mobile+devices

What remains is an application for detecting silent SMS messages and IMSI
Catchers, and an IMSI changer.

* Detection of silent SMS messages and IMSI Catchers

It seems that it could be possible to develop a silent SMS detector. It is
true that only detecting silent SMS does not prevent tracking, but it
is an important tool to notify the victim of what is going on.

For the Osmocom platform there is a project called IMSI Catcher detector
(Catcher catcher). More info here:

(I tried to use this application; it is a very nice proof of concept, but
not usable for "ordinary users".)

There is development for Android:
- https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
- http://forum.xda-developers.com/showthread.php?t=1422969

* IMSI Changer

There is no easy solution for this. However, it seems that one solution
is still possible.

The first thing we have to bear in mind is that the IMSI is the mobile
identity of a user. If the user changes the IMSI number, he or she will have a
new telephone number.

But this is not true if he or she is using OSTN, XMPP/ChatSecure or when
TextSecure and RedPhone will be using identity handles not tied to phone

So the idea is the following. A group of users buy several SIM cards.
They clone all of them (extract all possible Ki keys from SIM card).

Then they would use an application instead of a SIM card, but the following

User A will log in to the network with SIM card number 1. After
some time, it will contact the distribution server and make a reservation
for SIM card 2. Then he will log out from the network with SIM card 1 and
log in with SIM card 2. Then it will contact the distribution server and mark
that SIM card 1 is free, so another user can use it later.

That way, a user would have multiple IMSI identities, location data would
be "mixed" (from different users for one IMSI identity), but the user would
still be able to use a fixed mobile identity (OSTN number, XMPP account).

What do you think of this idea?
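As an added example (not code from the original post or from any of the projects it links), here is the core of the silent SMS detector the post says should be possible: a parser for the headers of an SMS-DELIVER PDU (3GPP TS 23.040) that flags a message as silent when its TP-PID is 0x40, "Short Message Type 0", which the phone must acknowledge to the network but never display. The SMSC number, sender number and PDU bytes are constructed for the example.

```python
# Added example, not code from the original post: a minimal parser for an
# SMS-DELIVER PDU (3GPP TS 23.040) that flags "silent" Type 0 messages, the
# kind used for location tracking, by their TP-PID. Sample PDUs are constructed.
from dataclasses import dataclass

SILENT_SMS_PID = 0x40  # TP-PID "Short Message Type 0": acknowledged, never shown


def _bcd(data: bytes, ndigits: int) -> str:
    """Decode reversed-nibble BCD digits; 0xF is padding and is dropped."""
    nibbles = []
    for b in data[:(ndigits + 1) // 2]:
        nibbles += [b & 0x0F, b >> 4]
    return "".join(str(d) for d in nibbles[:ndigits] if d < 10)


@dataclass
class Deliver:
    smsc: str
    sender: str
    pid: int
    dcs: int
    silent: bool


def parse_deliver(pdu_hex: str) -> Deliver:
    """Parse the headers of an SMS-DELIVER PDU (numeric sender addresses only)."""
    pdu = bytes.fromhex(pdu_hex)
    smsc_len = pdu[0]                       # octets: type-of-address + digits
    smsc = _bcd(pdu[2:1 + smsc_len], (smsc_len - 1) * 2) if smsc_len else ""
    i = 1 + smsc_len
    if pdu[i] & 0x03 != 0x00:               # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = pdu[i + 1]                  # TP-OA length is given in digits
    i += 3                                  # skip length and type-of-address
    sender = _bcd(pdu[i:], oa_digits)
    i += (oa_digits + 1) // 2
    pid, dcs = pdu[i], pdu[i + 1]           # TP-PID, TP-DCS follow the address
    return Deliver(smsc, sender, pid, dcs, silent=(pid == SILENT_SMS_PID))


def silent_senders(pdus: list[str]) -> list[str]:
    """Return the originating numbers of every Type 0 message in the batch."""
    return [m.sender for m in map(parse_deliver, pdus) if m.silent]


# Constructed sample PDUs (SMSC +491710760000, sender +4915123456789):
SILENT_PDU = "0791947101670000040D91945121436587F940004110312150008000"
NORMAL_PDU = "0791947101670000040D91945121436587F900004110312150008005E8329BFD06"

if __name__ == "__main__":
    for m in map(parse_deliver, [SILENT_PDU, NORMAL_PDU]):
        print(f"from {m.sender}: TP-PID=0x{m.pid:02X} silent={m.silent}")
```

On a real device the PDUs would come from the baseband or the telephony framework; the parser only covers numeric sender addresses, so an alphanumeric sender (type-of-address 0xD0) would need its own decoding.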
