Detecting so called "silent SMS"


#21

Fair enough. I was looking at the more general question of: messages between the mobile device and the mobile network that are beyond the normal SMS that a user would or could send or receive explicitly - and answering a more general question about what could be achieved with a message beyond the existing knowledge of the position of one or more towers.


#22

Maybe some of them are in relation to missing persons. So in at least a small subset of cases, the tracking may be in the interests of the user of the phone (a person who is ‘lost’ but wants to be found), as distinct from a person who does not want to be found (while not being engaged in any criminal activity) or a person who is engaged in criminal activity.

@tg_gpm gives you one answer.


#23

I consider the problem of “silent SMS” to be overstated.
Of course they are used more - phones are used a lot more and a lot more things are done with phones.
So it shouldn’t surprise that Police makes use of that fact.

Silent SMS actually deliver very little data. While the phone will report back cell information that allows for “triangulation” (again, that is an overstated term, IMHO), that is less useful than one would think.

Modern Smartphones rarely do idle. Phones send and receive data all the time and this implies that the network has to know where they are all the time (otherwise networks would have to send the data in the whole tracking area which would kill throughput).
UMTS and LTE handsets speak the Radio Resource Control (RRC) protocol, where it repeatedly shares cell information with the network to save power and keep throughput up - RRC idles when there is no traffic, but in modern smartphones there is basically always traffic, because apps are really chatty.

It is quite likely, that “silent SMS” are up because they are included in a general toolkit where polices queries for phone information of suspects and persons of interest - the silent SMS in itself isn’t all that useful.


#24

Since it appears to use the QMI protocol (https://lkml.org/lkml/2019/7/24/605), I would assume so - it stands for “Qualcomm MSM Interface”, so that means it’s still a QC chip and therefore has the same diag interface) I won’t know for certain until I actually get mine, write the code and can then hand it to someone else and go “here, try this out”.


#25

On slashdot yesterday:

Full text (but there is another link buried in it).

Joseph Cox, reporting for Motherboard:

Ruth Johnson didn’t know exactly who rang her phone and threatened her around 20 times in 2014. The person on the other end said he was John Edens from the U.S. Marshals with a warrant for her arrest for stealing a car. She was behind on her payments. It later turned out John Edens didn’t have a warrant, nor was he from law enforcement at all. Instead, he was a debt collector with a history of stalking and domestic violence who had managed to get hold of Johnson’s phone location data. He did this by pretending to be a U.S. Marshal with the “Georgia Fugitive Task Force” to T-Mobile, which then provided Edens with the location of Johnson’s phone in a handy Google Maps interface – “pinging” the phone, in industry parlance.

“Fearful,” is the word Johnson first used to explain the episode in a phone call with Motherboard. “It was very fearful.” Motherboard previously reported on Edens’ case using court documents and sources in the bounty hunting industry; Edens was sentenced to one year in prison for impersonating a U.S. officer. Now, Johnson explained in an interview what it was like to have her phone tracked. Her story demonstrates the very real human impact that the black market use and sale of phone location data can have. “I was very upset with the phone company, because I was under the impression that you had to get [a] court order in order to get information such as that out,” she said. T-Mobile “put my life in danger,” she added.


#26

Just to make myself clear:
This is of course reprehensible, and any sharing of locations without a court warrant is in my opinion a terrible thing (and should be a crime where it isn’t).

My point only is, that silent SMS as a mechanism are overstated and just a small part in a larger issue.

The situation will of course get worse: the better coverage and the better the performance of a mobile network, the more dense the base stations are and therefore the more accurate location information is.
Apart from that, many companies simply collect GPS and WiFi-locations via apps, either preinstalled or installed willingly by most users.
So for the average phone it is quite likely, that not only the carrier will be able to locate phones (poorly via the network, or accurately via preinstalled apps), but at least a dozend 3rd party companies will have accurate location data on users via their apps and the phones location framework.

5G will make things worse, as beamforming can be used to quite accurately track users. With current technology a well-established 5G network can easily locate a phone within 10 meters accuracy, and future 5G networks will quite likely see accuracys down to a few centimeters.

So the issue exists and will get worse. There is no rolling back the technology, that’s not going to happen.
So the only possibility to decrease the risks and harm will be a strong legislative framework that forces all parties to use well the power they’re given.


#27

Personally I prefer technological solutions over legal ones. Take for instance the issue of cookies on the internet, I prefer to just delete my cookies then to have laws that force website to not send them and then trust every website from which I do not want cookies and that I visit to obey those laws. If I am going to use 5G at all then I will probably want to do so with a privacy respecting phone with the 5G switch turned off most of the time and any good laws are an added bonus. I can get by without being always available for a phone call.


#28

Yep. Triangulation works every time.


#29

As a thought experiment, if a phone had an external antenna and the antenna were directional, could you defeat triangulation?


#31

The only way to defeat it is by having the radio or the phone off. We can assume that directional antenna would still catch and send the signal to towers. Though, it would make it harder for more accurate pinpoint. It’s not that triangulation is accurate to begin with. :slight_smile:
It’s just scary how intrusive US networks are. It’s not that they keep track of our location (via triangulation) but they have been sharing it with the 3rd parties and getting paid for it. It was to a point, where random folks could get your location history by paying few hundred bucks to companies which were invested in it.


#32

The best way to find out is to measure it. Maybe there is a way to list the number of cell towers that an antenna with a given signal strength can see. If it only lists 1, then you should be fine. Unless, in theory, there are receivers that monitor the radio signals (that do not transmit), and are not detected.

A directional antenna will allow the signal to go further, and might catch more towers behind the one that you are aiming at. Also, directional antenna are not perfectly directional. There could still be communication with towers outside of the intended direction if a weak signal is good enough.

Triangulation is just one technique. In theory, other techniques could be used. If the device can reply with a ping with a known speed, trilateration can measure the distance. Cell towers are often sectorized, so the sector that your phone connects to can give away some location clues as well. More details here: http://fds.global/wp-content/uploads/2016/05/Cell-Phone-Triangulation-and-Trilateration-Presentation.pdf


#33

The point was that the signal is not isotropic. If more than one tower receives the signal and they assume that the received signal strength depends only on the transmitted signal strength (same for all towers) and the inverse square law (i.e. distance to each receiving tower) then the directional antenna messes that up.

It was only a hypothetical and a phone doesn’t generally have an external antenna these days anyway.

If you are implying that they are using the signal timing then the directional antenna doesn’t really help, except possibly to exclude some towers that might otherwise be included in the triangulation. To mess up timing would require a more sophisticated phone and antenna.

Thanks for the things to think about.


#34

Yes, it will make the location calculation produce a different location than what they are expecting. Perhaps that is better than avoiding a calculation entirely, if only a single tower was contacted. I suppose it might be possible to produce a specific false location by intentionally using multiple directional antennas, with some connected to a signal attenuator, each producing the desired signal strength at the tower for producing a specific false location.

This does not have to be hypothetical. Stationary cell modems, such as those found in cellular gateways, USB modems, or M2M cell devices often have external antennas. Some phones can be modded.

I am not implying that common cell towers are using the timing. However, the theory and required parts exist, so I expect that someone is doing it. Multiple RF transmitters attached to directional antennas, with specific delays added to them after the modem provides the signal, might be able to mess with timing based location calculations. I have not thought about it much. There could be a tell that gives this away.


#35

Yes, for example mine (USB dongle) does.

Do we know specifically whether the Librem 5 will allow an external antenna. I expect you are right that someone could open it up and hack one in but let’s say for the average Joe …

I thought about that. You would need a good database of tower locations and to know which way the phone is oriented (or be able to determine that) and probably to have the logic built in to the M2M card.

You might also have to contend with a false triangulation result based on signal strength that is impossible based on which sector on each tower received the signal. Hopefully in that case the system would toss away the triangulation result. :slight_smile:

By hypothetical I meant it is not something that I will be experimenting with when I get my Librem 5.


#36

Going deeper into the land of the imagination, I wonder if you could bounce the directional signal off of a conveniently-located reflective surface to make it arrive at the tower from approximately the correct angle. (I’ve sometimes idly wondered whether a large, strategically positioned metal sheet could improve reception at a specific window on the ‘dark’ side of a building that casts a strong radio shadow.)


#37

That would help to mess up the timing too. :slight_smile:


#38

If you wanted a simple way to create a fixed timing change, you can use a delay line. Before digital computing, delay lines were used to slow a signal down. In some applications with purely analog circuits, it was sort of like memory, in the sense that a copy of an older signal could be read while processing the current signal. Although I expect that these only work well within certain frequencies.


#39

And they don’t make receive-only devices, that would be a way to defeat emission detection. But then you’d have a radio and not a phone. (I guess that’s why there are numbers-stations.)

Hmmm, a crystal-set receive only phone, how would that work? You’d need a darn small crystal to get the right frequency.


#40

Unclear what you are getting at here. I expect you are right about that in respect of a cell phone. A receive-only cell phone would I suggest be completely useless (not even usable as a radio receiver, due to the security protocols used by mobile phone communication). However if you are responding to …

that is a good point that @matt2 makes. In theory governments / telcos could be doing that and that would make it quite hard to do the kind of fakery that I was imagining. Are governments / telcos actually doing that? Who can say?

However the receive-only devices in that case are effectively receive-only base stations, not receive-only cell phones.


#41

I’m thinkin’ this:

https://en.wikipedia.org/wiki/R-390A