Geolocation methods in mobile networks
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
Title |
| |
Title of Series | ||
Number of Parts | 147 | |
Author | ||
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/43821 (DOI) | |
Publisher | ||
Release Date | ||
Language |
Content Metadata
Subject Area | ||
Genre | ||
Abstract |
| |
Keywords |
33c3116 / 147
1
3
4
6
7
9
11
13
15
16
17
19
22
23
28
31
32
33
37
39
40
41
43
44
45
46
48
49
51
53
54
55
57
58
62
64
65
66
68
71
72
73
74
77
78
82
84
85
90
93
96
98
100
102
103
104
105
108
110
111
112
113
115
118
119
120
121
122
123
125
126
127
131
133
134
137
139
140
141
143
146
147
00:00
Computer networkPhysicalismStudent's t-testUniverse (mathematics)Uniform resource locatorMobile WebDisk read-and-write headSoftwareComputer animationLecture/Conference
01:00
PhysicalismStudent's t-testSoftwareMobile WebUniverse (mathematics)Uniform resource locatorCommutatorLecture/Conference
01:47
Mathematical analysisInformationInternationalization and localizationMobile WebComputer networkIdentifiabilityMobile WebNumberVariety (linguistics)Traffic reportingDifferent (Kate Ryan album)SoftwareGroup actionUniverse (mathematics)Uniform resource locatorComputer animation
03:25
Condition numberVideo trackingProof theoryGoodness of fitUniform resource locatorGeometryTrailForestIdentifiabilityInformation privacyCondition numberLecture/ConferenceComputer animation
04:14
10 (number)Machine visionMedical imagingState of matterIdentity managementFrequencyLecture/Conference
04:51
Condition numberVideo trackingProof theoryMeasurementWorkstation <Musikinstrument>Position operatorMeasurementMedical imagingPosition operatorRadiusMetreSlide ruleSoftwareWebsiteSymbol tableMultiplication signHoaxFamilyComputer animation
05:53
MeasurementWorkstation <Musikinstrument>Position operatorMeasurementPosition operatorMultiplication signHoaxPresentation of a groupDistanceMetreCellular automatonLecture/ConferenceComputer animation
06:39
MeasurementPosition operatorWorkstation <Musikinstrument>DreiecksnetzSatelliteCommunications protocolService (economics)MultilaterationCellular automatonMeasurementRoundness (object)AngleBitCalculationPosition operatorDirection (geometry)BuildingLine (geometry)MetreSatelliteNominal numberRational numberUniform resource locatorSlide ruleRow (database)1 (number)Multiplication signField (computer science)Time zoneState observerTriangulation (psychology)Computer animation
08:42
SatelliteCommunications protocolService (economics)InternetworkingData miningComputer networkPerformance appraisalMetrePosition operatorSet (mathematics)BitSoftwarePerformance appraisalData miningDeterminantService (economics)SmartphoneUniform resource locatorCommunications protocolInternetworkingOnline service providerLecture/ConferenceComputer animation
09:40
Data miningInternetworkingComputer networkPerformance appraisalGoogle MapsPlastikkarteFingerprintSubsetPoint (geometry)Proof theoryPhysical systemFile archiverFood energyLevel (video gaming)SmartphoneUniform resource locatorMappingLecture/ConferenceComputer animation
10:36
InternetworkingData miningComputer networkPerformance appraisalPlastikkarteGoogle MapsFingerprintCellular automatonPhysical systemPosition operatorService (economics)TelecommunicationInternet service providerInformationLeakFingerprintMeasurementRoundness (object)MathematicsUniform resource locatorPhysical systemService (economics)SoftwareFood energyFile formatSurfaceNumberTelecommunicationCommunications protocolProof theoryInternet service providerInformationCellular automatonLecture/ConferenceComputer animation
12:17
LeakSatelliteService (economics)Communications protocolMeasurementParameter (computer programming)RadiusMessage passingExtension (kinesiology)MeasurementMetreTraffic reportingRadiusAngleLecture/ConferenceComputer animation
13:18
Traffic reportingMeasurementExtension (kinesiology)PlanningAngleMetreRing (mathematics)Lecture/Conference
14:10
MeasurementParameter (computer programming)RadiusBuildingUniform resource locatorMeasurementInheritance (object-oriented programming)Square numberParameter (computer programming)Sheaf (mathematics)Computer animation
14:52
Computer networkInternetworkingIdentity managementClient (computing)Uniform resource locatorIdentifiabilityNumberSoftwareIdentity managementDescriptive statisticsUniqueness quantificationAdditionSerial portLecture/ConferenceComputer animation
15:26
Computer networkInternetworkingIdentity managementClient (computing)Variety (linguistics)Mobile WebInternationalization and localizationProof theoryHTTP cookieUniqueness quantificationAddress spaceInternetworkingData miningAndroid (robot)NumberIdentifiabilityDifferent (Kate Ryan album)Link (knot theory)Lecture/ConferenceComputer animation
16:43
Variety (linguistics)Mobile WebInternationalization and localizationProof theoryIdentity managementUniform resource locatorNumberIdentity managementProof theoryInformationFamilyLecture/ConferenceComputer animation
17:37
Metropolitan area networkNumberComputer virusLecture/Conference
18:27
PlanningNumberTerm (mathematics)Slide rule1 (number)Lecture/Conference
18:55
Slide ruleAngleWeb pageMultiplication signMultiplicationTrailForm (programming)Core dumpNumberQuadrilateralLecture/Conference
19:55
Point (geometry)BitNumberView (database)Shared memoryFrequency
20:32
NumberPoint (geometry)Lattice (order)Lecture/Conference
21:14
Uniform resource locatorIdentity managementInstance (computer science)Lecture/Conference
21:40
AreaSoftwareMeasurementNumberCellular automatonBitService (economics)Freeware10 (number)Right angleAdditionLecture/Conference
22:23
10 (number)AngleAreaPhysicalismMetreQuicksortMultiplication signTowerCellular automatonTime zoneLecture/Conference
23:00
SoftwareSet (mathematics)AreaFilm editingPatch (Unix)Cellular automatonPlanningLecture/ConferenceMeeting/Interview
23:51
MeasurementMultiplication signClassical physicsImage resolutionEstimatorLecture/Conference
24:30
InternetworkingINTEGRALAttribute grammarIdentity managementLecture/Conference
25:10
GSM-Software-Management AGSoftwareComputer configurationCommunications protocolService (economics)NumberUniform resource locatorStatement (computer science)Open sourceLecture/Conference
25:42
Statement (computer science)Physical lawLecture/Conference
26:11
InformationScaling (geometry)MetrePhysical lawThumbnailPlanningDistanceSlide ruleNumber
27:28
Parameter (computer programming)Integrated development environmentSound effectVector spacePerformance appraisalComputer networkCellular automatonVolumeComputerDatabase transactionPerturbation theoryProcess (computing)MeasurementRadiusField (computer science)InformationNumberFingerprintMobile appSystem identificationLetterpress printingLecture/ConferenceMeeting/InterviewComputer animation
28:12
Key (cryptography)DatabaseService (economics)Online service providerOperating systemMultiplication signCivil engineeringGSM-Software-Management AGSoftwareNumberLecture/Conference
28:37
SoftwareService (economics)Civil engineeringoutputAndroid (robot)DatabaseOnline service providerMultiplication signPublic domainPosition operatorLevel (video gaming)Arithmetic meanGoogolAuthorizationLecture/Conference
29:41
InternetworkingData miningComputer networkPerformance appraisalGoogle MapsPlastikkarteFingerprintMathematical analysisService (economics)NumberOnline helpComputer animationLecture/Conference
30:15
MedianHypermediaCartesian closed categoryIntegrated development environmentLecture/ConferenceJSON
Transcript: English(auto-generated)
00:14
The NSA is spying and was spying and we had Snowden, we have a lot of documents to look at
00:25
and there is some new research on how they used geolocation methods in mobile networks. It is done by the University of Hamburg and we have here Eric who will present
00:41
this research to you and he has done this for the German government and for the NSA which we call NS-Auer which means like NS-Auch kind of. He is a PhD student and holds a master
01:03
in physics so give him a warm applause and for those coming later please go to your seats and try to be quiet. Yeah, thank you. Hello, I'm really happy to have you all here and
01:28
I welcome you to my talk about geolocation methods and mobile networks. My name is Eric Su and I'm a PhD student at the University of Hamburg. So in the beginning I want to point out
01:42
why I'm giving this talk. So the German Parliamentary Investigative Committee wanted to find out about the German involvement in US drone strikes and then the German government officials claimed that they do not know anything or they
02:03
do not know any possibility how to use a phone number for targeting drone strikes and the investigative committee did not really believe this statement and so they asked our research group at the University of Hamburg to prepare a report and we handed in that report to
02:25
the Bundestag and it was very soon afterwards also published by netspolitik.org. Thank you for that. And it contains like technical methods and approximates the accuracy to localize mobile
02:46
phones and it also points out which technical identifiers are required to conduct such geolocation. Now I give you my agenda for today. First I will speak about the purpose of geolocation data
03:05
and then we are looking into a broad variety of different approaches to conduct such a geolocation in mobile networks and then we specify on drones and look into the technical methods which can be conducted with drones and then I'm going to point out which technical identifier we can use
03:29
for such a geolocation. And lastly I'm going to sum up. So the purpose of geolocation data it is a neutral technology so we can use it for rescue missions for example if somebody
03:46
got lost in the forest or in the mountains we can use geolocation data to find that person and rescue the person or if you ever use google traffic there you can profit from
04:02
monitoring traffic conditions but we can also use it to innovate the privacy of persons for example if we identify people on surveillance footage or if we track the location of a certain individual over a longer period and certainly we can use it use this data for targeting
04:29
drone strikes. However I want to point out that these data they are not they are not suitable to prove the identity of a person so if somebody is conducting a drone
04:44
strike based on this data then he is actually not knowing who he is going to kill. So on the right side you see an image of a explosion site from a Hellfire missile. A Hellfire missile is usually used from by these drones and you can approximate that the blast radius
05:06
is around 20 meters so we would consider a targeted drone strike if we have a geolocation method which can determine the position of a person more precise than 20 meters in radius.
05:26
So the first approach which I want to present are time measurements and the symbol which you see down there it's a base station for for the next couple of slides and a base station and this
05:41
is the point in in a mobile network where your phone connects to and you on the slides you can certainly interchange this base station with an MC catcher. MC catcher is something like a face fake base station from a third party and you could even build it yourself.
06:03
So the method used to calculate the position of a phone is for time measurements pre-literation. You have to know that that signal is usually traveling with this or is traveling with the speed of light so when you measure the time you can also measure the
06:22
distance. And here there are three methods presented. These are time of arrival where the signal moves from the hand phone to the three base stations and the accuracy is between 50 and 200 meters. This really depends on the cell size and it can be more precise or
06:47
less precise. So then we have time difference of arrival which is like a round trip measurement and we have an enhanced observed time difference where the mobile phone actually
07:04
computes the location within the mobile and within the cell and the accuracy is between 50 to 125 meters. So the next method which I want to present are angular measurements.
07:21
When you conduct angular measurements then you determine the direction of arrival from the signal and afterwards you do a calculation which is called triangulation and therefore you have to know the position of the base station but also the alignment of your antenna. And for this method there are certainly two base stations or MZ catch are sufficient to
07:47
determine the position of the mobile phone. The accuracy is usually in field experiments between 100 and 200 meters and the challenge for this method but also for the ones on the
08:02
slides is that on normal mobile cells you don't have a line of sight to each base station from your mobile phone and so the signal gets disturbed by buildings in the way and then the
08:23
accuracy becomes worse. So the next method I want to show you I think most of you will know a little bit about GPS and how it's calculated. So satellites GPS satellites broadcast their time
08:41
and their position and the mobile phone uses again pre-lateralization to calculate its position and the accuracy is usually below 10 meters but it depends a little bit on the ship set within the mobile phone. And then the base station can request the position of the phone by issuing a
09:06
radio or by issuing a request with the radio resource location service protocol. So another method which I want to present is the mining of internet traffic. Some smartphones send GPS coordinates or the names of nearby wi-fi networks which are also called SSIDs
09:27
to online services and usually these allow the determination of the position around or below 10 meters and it is certainly possible to intercept this traffic and evaluate the geolocation.
09:44
So here I have two quotes for you. The first one it effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system. This quote comes from this known archive and was issued in the year 2008. So we certainly see that there is some proof
10:08
that at least at those days they enter or some third parties intercepted those traffic and used it for determining the geolocation. And if you want to
10:25
work with and determine the location with the SSIDs it is necessary that you have a map where certain wi-fi access points are located and therefore we have also something like a proof
10:41
that this has been done by the NSA and this is the mission Victory Dance where they are mapping the wi-fi fingerprint in every major town in Yemen and in Yemen also a lot of drone strikes are conducted. So let's go to the next method. Signal system number seven is a protocol which is
11:06
used for communication between network providers and network providers need to know where in which cell a mobile phone is located to enable the communication and these informations are saved
11:23
in location registers and a third party can easily request these location informations. I want to refer to the talk by Tobias Engel which he gave a talk two years ago which really goes into the details of this method and maybe if you like to there are also commercial
11:45
services available to access this data. So let's talk about drones. We do not have very solid proofs that geolocation methods are conducted by drones
12:03
but we have certainly hints. A hint is this Gilgamesh system which is based on the which describes an MC catcher so but if anybody of you has access to more documents
12:26
yeah it would be nice to have a look. So the easiest method would be certainly
12:43
to request for GPS coordinates and there you just replace the base station with a drone but and the measurement the method which is better or which I think is the preferred one are angular measurements. Angular measurements if you have a look in our report
13:06
that we approximated that the accuracy of these methods are between five and 35 meters in radius from a altitude of two kilometers and if you get closer to the mobile phone it becomes more accurate. So it would be to some extent to be sufficient to
13:27
conduct a targeted drone strike on this data and in the meantime since this report was handed over to the Bundestag I also found other work which described that they are able to
13:42
achieve an accuracy of one meter from three kilometers altitude for small airplanes. You have to know that those sensors and to measure the angle of arrival that they are usually located within the wings and within the front of the phone and when the plane
14:03
becomes larger it's also easier to have a more accurate measurement. Then I want to point out that a single measurement can be sufficient to determine the location of a mobile phone if we can assume that the target is on the ground. So if you assume that the target is
14:26
maybe in a building in Yemen so a single measurement would be sufficient on a low building in Yemen and the skyscraper would be more difficult. So and the big advantage of these methods is that environmental parameters have a very low influence since we can have a
14:47
almost line of sight which allows a better accuracy. So now I'm going to talk about the identifiers which can be used for geolocation. Certainly the phone number
15:06
and each MC catcher or base station can request a can issue a identity request to a mobile phone and then receive the MC or EMI. The MC is something like a unique description for a certain
15:25
customer in the mobile network and the EMI is like a unique serial number for a device. So when we include those methods of mining internet traffic then we can also add a lot of
15:47
more identifiers. For example an Apple ID or Android ID, Mac address, even cookies or user names. If you are interested in this you can have a look at the link I provided there
16:06
that there's a very interesting paper about this. So I come to my last slide, my summary. I showed you a lot of different methods to localize a mobile phone
16:21
and I pointed out that a single drone can localize a mobile phone with an accuracy which is sufficient to conduct a targeted drone strike. Since this document was handed over to the Bundestag they also never denied that these methods can be used for the or that the accuracy
16:42
of these methods is true. Then I pointed out that as an identifier the phone number, the MC and the EMI each can be used for the geolocation of a mobile phone.
17:02
And the last information which I want to give you is that geolocation methods cannot prove the identity of a person and this is really important to know that we are not yeah that when we conduct or when somebody is conducting these drone strikes
17:24
and that they are not aware of who is actually using the phone and so it can happen that they are killing the wrong person. So I thank you very much. I thank my colleagues and my family and everybody. Thank you. That's great. Thank you very much. It's the first
17:52
talk we have here today where we can have a lot of questions. So come on, you have the microphones number one, number two, number three, number four and ask your questions. It's your only
18:06
chance to have this man answering them. No questions. Here's someone. No. Yeah. Sorry.
18:21
No problem. Number four. Hello. Do you know why we are located in London right now when we use Google Maps here? Do you know, can you ask it again? Do you know why we are located in London? Yes. When we use Google Maps we are located in London. Do you know that? The congress is located in London. Do you know why? I'm not aware.
18:49
Okay. I thought this was on plan. Okay. Thank you. Number one. Okay. So on slide 12 you showed this angle of arrival. Can you please be quiet? We can't understand the questions
19:03
unless you are quiet. Sorry. Okay. So on slide 12 you showed the angle of arrival method executed by a drone. Is this a passive method or does it require some cooperation by either the phone company or by the targeted mobile phone? It can be conducted passively. Like
19:24
if you call the phone or page the phone multiple times and you see which phone is answering this paging. Okay. It needs to be active in a way that you contact the phone but you don't need an active MC catcher for it. You just call the phone and then you see
19:44
which phone is answering and then you know where the phone is situated. Thanks. Yeah. I see that we have a question over there. So can you just ask your question please?
20:00
Here? Yes, number eight please. Thank you for your talk. I'd like to ask a question about tracking unpowered mobile phones. I mean you mentioned lots of methods for phones which are both we both have their batteries inserted and are actively operating. Could you elaborate a bit about the methods of tracking phones which seem to be all turned off from the user's
20:26
point of view and maybe also something about those who have their batteries removed? Actually if you really turn off your phone over a long period, let's say a couple of months, I
20:40
think you are safe. That's good to know. But actually like if you have a base station and somebody is switching off his phone and maybe he's meeting somebody else at that point and somebody else is also switching off his phone, then it can be suspicious. But
21:05
yeah it really depends whether somebody is looking into this data or not. Thank you. Number eight again. I had a short question. As you described, we are somehow dependent on the good
21:28
for instance and I wanted to ask if there's some way to avoid geolocation or use Google Maps without sending identity to services. That is fairly difficult. I would assume that GPS phones
21:48
are a little bit better to avoid geolocation, especially if you add additional GPS spoofing because the network cells are really large and so it's more difficult to track you within the
22:03
network cell. But if you have a drone right above you and you emit a physical signal then the drone will always be able to localize where the signal came from. So yeah it's difficult because it's physically difficult. Okay thanks. Number one please. So I have a question about the
22:26
physicalities of receiving or localizing or making angular measurements of a phone within as like a densely populated area where there's possibly like tens of thousands of zones within the receptional area of a three kilometer high drone.
22:44
That would obviously require you to be more sensitive on one hand than this cell tower and on the other hand also receive at the same time and sort out all kinds of interference. Usually a cell can be between let's say 200 meters and 30 kilometers in size. So
23:08
three kilometers in altitude is not very high. So you assume that the drone does a pre-selection via whatever digital beamforming on the ground path path and only looks at a cell of interest
23:23
because he knows from the network that the suspect is in that cell. It depends on the area like in an urban area you have to reduce the size of the cell otherwise you would receive too many signals but in a countryside you can have larger cells or you can cover a larger area.
23:47
Regarding covering larger areas, did you take, considering that these drones aren't really like our quadcopter size, they're more like airplane sized usually, proper airplanes, did you take the classical synthetic aperture radar techniques of like observing something
24:05
for a long time while flying straight over it and then integrating over it into account because that's usually where we get like our high resolution radar imagery of the earth. You can conduct multiple measurements or you just conduct one if you know that the target is on the
24:24
ground. So yeah but did that account for your estimated accuracy? No it's not necessary to integrate. Okay thanks. Thank you we have a question from the internet. Yes the internet wants to know if there are attributes which you can change off the phone to stop surveillance so attributes
24:45
like the EMI for example. Can you please repeat the question? Are there attributes of the phone which you can change to stop surveillance? Yeah certainly you can fake the EMI or the MC that is also another reason why it's not sufficient to prove the identity
25:04
because any phone can just fake this data. And we have a second question which is does the GSM network have a feature which allows anyone to get the GPS data from the phone?
25:23
Yeah it would be that the radio resource location service protocol. So thank you. Okay number five. Hello you delivered your work to the NSA Unterzurungsauschuss
25:46
and the Bundestag did not say anything about it but is there a statement from the NSA Unterzurungsauschuss? And the government said something about it. They said that they washed their hands and said we did everything nicely because we added also a disclaimer to the data
26:07
we provided and that the disclaimer says that the NSA is forced to stick to the German law and that they are not allowed to do whatever they want with this data.
26:23
Thank you. Very nice. Number six please. Hello I'm on slide 12. You specified accuracy of about five meters for two drones so how does it scale if you would use more than two drones
26:44
for example 10 or whatever? I think that there was a small misunderstanding actually one drone is sufficient. Okay so could you use more than one drone? Yeah you can use as many as you want but one is sufficient. Yeah but that of course but
27:05
does the accuracy increase by using more than one? Yeah if you go closer to the target and then the accuracy increases. Okay but with the same distance but more than one drone?
27:24
No actually not. Okay thank you. Number four please. Also referring to the accuracies you were talking about field experiments and so on, did you conduct those yourself or where did you get all the information from? These are some references there you can find the field
27:43
experiments. Thank you very much. Number two please. Thank you very much for the interesting talk. My question is regarding the fingerprint which you can use on many phones to unlock the phone. Is there currently and if not will there or do you think there will be a possibility
28:01
that for example an app which requires the fingerprint identification on the phone that this is also passively read and by that you increase the identification of persons? Did you understand the question? Yeah but I think this is like based on the GSM network and
28:21
the other things that's based on the operating system. So currently using this technology there couldn't be, it's not possible to link this or not? Okay thank you. Okay number one please. My question is actually about the civil use of geolocation services not so much about
28:41
phones. So you mentioned that every time you use an online service that uses geolocation you send the SSIDs of nearby wi-fi networks and with every request you actually enrich a wi-fi map, wi-fi database of either Google if it's on Android or Apple if it's on iOS.
29:01
Now there was a talk at CCC here in 2009 when this technology was still nascent and then back then it was called Skyhook but then the speaker had this provocative question shouldn't this wi-fi map be public domain instead of just a belonging proprietary and belong either to Apple or Google
29:21
nowadays? So haven't we lost that struggle? I mean we can't keep our SSIDs private so shouldn't it be public domain? Yeah it would be a good idea to make a public domain since also a lot of positive things can be created with this technology like helping people in emergency situations.
29:43
Okay Anna. I wanted to take the chance to say thanks for this talk. I'm one of the people who actually commissioned the analysis because I work in the inquiry and it was extremely helpful for us to have the analysis done because we like you said keep being confronted with secret
30:02
service people who tell us that no way can mobile phone numbers help in the secret war. So yeah I just wanted to say thanks. Yeah thank you very much. Great so thank you also very
30:22
much for your work and keep on going with that.