[guardian-dev] thoughts on mobile tracking

Hans of Guardian hans at guardianproject.info
Mon Jan 13 09:58:47 EST 2014

I think that with the big data point of view, it would be pretty easy to corrolate a few SIM cards into a single identity, so I think your multiple SIM card idea would provide only minimal protection.  Plus I believe its a crime in many countries to change your IMEI, so you'll be trackable there regardless of the IMSI used.

The only solution I've seen for widescale wireless network coverage that does not track its users is certain forms of municipal wifi.  For example, Santa Clara, CA has put wifi APs on all of their electricity meters, providing open wifi throughout the city.  If your device then has a MAC changer, then you can get city-wide internet without that network tracking you.

I get wifi service over a much bigger area (most of Long Island and parts of New York City) from Cablevision Optimum Online, but that service requires that I either login or register my MAC address in order to access the service, so the same level of tracking as cellular networks is possible there.

The solution for network tracking in the foreseeable future is not technical.  It is political and social.  We need to pass laws to restrict what the network providers can do with the tracking data, and regulate how much data they can store.  Unfortunately in the US, we're going the wrong way on that issue.  The current proposed "solution" to the NSA mass surveillance is to pass laws that make the telecoms store all of their data for many years (instead of the NSA).

We also need to get people to share their own network connections as open wifi so people can get internet without network-wide tracking.


On Jan 13, 2014, at 5:25 AM, Matej Kovacic wrote:

> Hi,
> I was thinking about the problem of location privacy.
> While the problem of eavesdropping is being solved (use of ecrypted VoIP
> communications and encrypted chat), there seems to be no straightforward
> solution to a problem .
> The problem is, that regardless of using encryption and Tor, it is still
> possible to track mobile device.
> Basically the attack vectors are four:
> - tracking IMEI number
> - tracking MAC address
> - tracking IMSI number
> - tracking with silent SMS messages and IMSI Catchers
> However, there are some solutions for this, at least as proof of
> concept, *but user friendly applications are not developed yet*.
> There is a project called IMEI modifier. More details here:
> - http://forum.xda-developers.com/showthread.php?t=1103766
> And there is a project of MAC changer. More details here:
> - http://www.openwiki.com/ow.asp?Changing+MAC+addresses+on+mobile+devices
> What remains is application for detecting silent SMS messages and IMSI
> Catchers and IMSI changer.
> * Detection of silent SMS messages and IMSI Catchers
> It seems that it could be possible to develop silent SMS detector. It is
> true, that only detecting silent SMS does not prevent tracking, but it
> is an important tool to notify the victim what is going on.
> For Osmocom platform there is a project called IMSI Catcher detector
> (Cather catcher). More info here:
> -
> https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/CatcherCatcher
> (I tried to use this application, it is very nice proof of concept, but
> not usable for "ordinary users").
> There is development for Android:
> - https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
> - http://forum.xda-developers.com/showthread.php?t=1422969
> * IMSI Changer
> There is no easy solution for this. However, it seems that one solution
> is still possible.
> The first thing we have to bear in mind is, that IMSI is a mobile
> identity of a user. If user change IMSI number, he or she will have a
> new telephone number.
> But this is not true if he or she is using OSTN, XMPP/ChatSecure or when
> TextSecure and RedPhone will be using identity handles not tied to phone
> number.
> So the idea is the following. A group of users buy several SIM cards.
> They clone all of them (extract all possible Ki keys from SIM card).
> Then they would use an appliction instead of SIM card, but the following
> way.
> User A will login to network with the first SIM card number 1. After
> some time, it will contact distribution server and make a reservation
> for a SIM card 2. Then ne will logout from network with SIM card 1 and
> login with SIM card 2. Then it will contact distribution server and mark
> that SIM card 1 is free. So another user can use it later.
> That way, user would have multiple IMSI identities, location data will
> be "mixed" (from different users for one IMSI identity), but user will
> still be able to use fixed mobile identity (OSTN number, XMPP account).
> What do you think of this idea?
> Regards,
> Matej
> _______________________________________________
> Guardian-dev mailing list
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To Unsubscribe
>        Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>        Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
> You are subscribed as: hans at guardianproject.info

More information about the Guardian-dev mailing list