Detecting so called "silent SMS"

Believe it or not, in most cities the main form of propagation is actually reflection.
Metal sheets can be great reflectors, but even plain old walls will reflect signals.

In cities you are actually very unlikely to have a line-of-sight signal and most communication will be by reflected and refracted signals.

Mobile networks overwhelmingly use cross-polarized (X-pol) antennas, which can allow reflections to be detected; however, it is quite impractical.
This all changes with beamforming in 5G, where reflections are actively used for beam-steering, and 5G base stations will actively try to reach you by reflecting the beam off buildings.

Also note, regarding the antenna discussion: changing your device’s antennas gains very little, especially since the mechanism of silent SMS is not to triangulate you based on the signals received by the towers, but to query your phone for its measurements, which it then sends to the network.

4 Likes

That’s a different kind of message, a so-called RRLP (radio resource location protocol) request. Those are what ask the phone’s baseband “hey, give me your position”, which then takes its measurements and replies. There are 2 ways of doing this:
- GPS (assisted, normal, or just sending the raw received data back along the line for the other end to process) - something which won’t be possible on the Librem 5 unless you, the user, explicitly allow it (because the modem can’t talk directly to the GPS).
- Time of flight detection, where all the base stations in the area broadcast a message at the same time, and the modem records how long it takes for each one to arrive. If you can only see one base station (either because you’re in the middle of nowhere, or because you’re using highly directional antennas), all you get is a large circular area rather than a single point.

Silent SMS messages (the so-called “empty paging”) actually won’t be affected by highly directional antennas, but for a different reason. All they do is cause a location update, telling the network which cell tower you are attached to right now.

3 Likes

For clarification: the GPS on the modem card will (to my understanding) not even be functional. To use the separate GNSS chip, the modem firmware (and OS software) would certainly have to be adapted, which is merely a hypothetical possibility.

1 Like

News post from Nicole that touches on this subject.

5 Likes

It is quite a heavy task to implement an open-source version. There is one in development for the PinePhone though, https://github.com/Biktorgj/pinephone_modem_sdk, but I don’t know how far they have gotten. A lot of the modem code should be reusable since it deals with different protocols.

Not really - the part that does the actual modem stuff is as closed as ever; that firmware doesn’t even try to replace Qualcomm blobs. What it does replace is Quectel’s operating system - it’s like flashing another OS on a smartphone with an integrated modem. It doesn’t influence your ability to detect things like silent SMS at all (except maybe for being able to offload diag data processing onto the modem itself).

When it comes to BM818, IIRC it’s using the same Qualcomm chipset as EG25, but unlike EG25 Broadmobi’s firmware does not appear to use Linux, so you would have to do the whole platform bringup by yourself.

1 Like

A few years ago I had a phone made by the Romanian company X-Cellular. It was a “dumb” flip phone that had numerous anti-tracking features, including: dynamic random IMEI and the ability to choose cell towers.

It would display a list of available towers with signal strength. Most phones immediately connect to the tower with the strongest signal (which is how IMEI catchers and Stingray technology works… those devices generate extremely powerful signals that mimic real towers). However, this phone allowed the user to choose towers with lower signal strength (presumably further away or at least not a Stingray device). Apparently that would spoof the location of the phone, making triangulation difficult or impossible.

The phone also alerted the user every time the phone was pinged. Pings are apparently detectable but not preventable. The only way to stop them is a faraday bag or removing the battery. However, pings did not always occur. They seemed somewhat random - several times a day. Sometimes just once a day.

The IMEI randomizer made it more difficult for Stingray devices to target the phone - although it’s not clear to me how the phone was still able to access cell networks when the IMEI number didn’t match the registered IMEI.

Finally, regarding actual silent SMS attacks with malicious payloads, iirc, the way this was handled was to max out the SMS messages stored on the phone/SIM. There were hundreds of “dummy” messages stored. I was repeatedly told to never erase them or it would make me vulnerable to stealth attacks that could install malware on the device. As long as the standard inbox was full, silent SMS messages would fail due to a kind of “mailbox is full” error. However, the phone was still somehow able to receive messages - possibly in some sort of sandboxed part of the phone that prevented malicious payloads from executing.

All of that said, it’s my understanding that the firmware on the phone was heavily modified to allow all of these features. The developers also told me that “smart phones” are nearly impossible to secure because of the numerous sensors. However, it would seem that some of the above strategies could potentially be employed…

6 Likes

Apparently X-Cell did make a stealth smart phone. Interesting article with screenshots here: https://www.stealth-phones-guide.com/blog

However, the website that offers the “Android Ultra Secure Stealth Phone” also appears to be down: https://stealth-phones.com

I would love to see efforts made by Purism to implement some of the above features. Kill switches and open source hardware & software don’t seem to be enough in today’s world.

1 Like

Do you still remember the exact device name of this phone? Maybe it still exists in the 2nd hand market…

Nitpick: triangulation is already very difficult or impossible on cellular networks. It requires a connection to at least 2 towers with extremely precise timing.

It’s also not required to locate your phone: each antenna covers only a certain area, which is a couple hundred meters in radius in cities. Locating is preventable by turning off your cellular modem.

IMEI randomization does not affect the IMSI, which is how the network knows who to bill for the calls.

I’m highly dubious that a phone was able to receive overt messages in some special memory dedicated to it, but would not be able to process other kinds of messages.

3 Likes

@guru I had the “X-Cell Dynamic IMEI v3.1” They are still available at the following link (only their website that sells their Android phone was taken down). https://x-cellular.com/phones.html

@dcz Not nitpicking at all. I appreciate the insight. I am dubious about everything security-related. :slight_smile: I will say that their customer service was very responsive and helpful long after I purchased the phone and I had the sense that they were knowledgeable and sincere in their efforts.

I have no idea how SMS operated under the hood. I was just guessing.

I do think their philosophy about stealth vs encryption warrants consideration. They discuss it here: https://x-cellular.com/about.html

1 Like

TL;DR: “Silent SMS” aren’t an actual issue in themselves, just a buzzword without real world implications.

There are actually other methods to do reliable triangulation which do not necessarily involve a connection to another tower.
This is especially true for modern networks, starting with LTE.

Modems do generate measurement reports on a regular basis, in which they report their connection status. These measurement reports are usually triggered by the network when necessary, and do contain a lot of information, including the measurement of neighbor cells.

Based on this report you can actually do triangulation without a connection to multiple towers, as long as the phone can see neighbor cells.

Timings are an issue, but not an unsolved one. LTE and 5G radios are required to do phase tracking, and the required accuracy is in the microsecond range (depending on cell sizes, around 3-5 µs), so synchronization and timing is more precise than often thought.

This also shows that “silent SMS” aren’t actually a real issue; that was just the crude GSM method to acquire status reports from mobiles, and the reporting is much more sophisticated in modern networks.
It’s also not that hard to see when networks create events to acquire measurement reports - the main issue would be that this happens all the time while the mobile is active, as measurements are crucial to LTE or 5G networks.

For anyone interested in this, many of the points are specified in 3GPP TS 36.133, which is easily available to read up on.

2 Likes
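Added example (not code from anyone in this thread): a minimal Python model of what the network can compute from the measurements discussed above, the time-of-flight ranges from the RRLP post and the neighbour-cell measurement reports from this one. Tower coordinates, the phone position and the timing jitter are constructed values; it shows that a single tower gives no fix at all, while a few neighbour cells plus the 3-5 µs timing accuracy quoted here give a position to within hundreds of metres.

```python
import math
import random

C = 299_792_458.0  # speed of light in m/s: 1 µs of timing error is ~300 m of range

def range_uncertainty_m(timing_error_s):
    """Range error implied by a timing error (the post quotes 3-5 µs for LTE/5G)."""
    return C * timing_error_s

def trilaterate(towers, ranges):
    """Least-squares position from the ranges to >= 3 towers at known (x, y) in metres.
    Subtracting tower 0's range equation from the others removes the quadratic terms,
    leaving a linear system that is solved here via the 2x2 normal equations."""
    if len(towers) < 3:
        raise ValueError("need at least three towers; one tower only yields a circle")
    (x0, y0), d0 = towers[0], ranges[0]
    rows, rhs = [], []
    for (xi, yi), di in zip(towers[1:], ranges[1:]):
        rows.append((2 * (xi - x0), 2 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; the position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def simulate_ranges(true_pos, towers, timing_error_s, seed=0):
    """Constructed measurement report: the time of flight from each tower, perturbed by
    uniform timing jitter of +/- timing_error_s, converted back to a range in metres."""
    rng = random.Random(seed)
    out = []
    for tx, ty in towers:
        tof = math.hypot(true_pos[0] - tx, true_pos[1] - ty) / C
        out.append((tof + rng.uniform(-timing_error_s, timing_error_s)) * C)
    return out

def position_error_m(true_pos, towers, timing_error_s, seed=0):
    """How far the network's estimate lands from the true position, in metres."""
    est = trilaterate(towers, simulate_ranges(true_pos, towers, timing_error_s, seed))
    return math.hypot(est[0] - true_pos[0], est[1] - true_pos[1])

# Constructed urban layout: four towers on a 2 km grid, the phone somewhere inside it.
TOWERS = [(0.0, 0.0), (2000.0, 0.0), (0.0, 2000.0), (2000.0, 2000.0)]
PHONE = (700.0, 1200.0)
```

Calling `position_error_m(PHONE, TOWERS, 3e-6)` shows the error the quoted timing accuracy leaves, and `trilaterate` with a single tower raises, which is the "large circular area" case from the RRLP post.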

Sounds like functionality that is ripe for “re-purposing” by an authoritarian government.

I think the average Librem 5 customer would want to have visibility of and control over “silent SMSs”, whatever they are used for. If they aren’t used for anything then there shouldn’t be a problem in disabling them.

:wink:

In the vast majority of my country the number of towers with which a phone can communicate is 0 or 1. So a customer should be safe from triangulation / trilateration out there. Of course in the cities, it is the same as anywhere else.

Not according to one of the articles linked before. If the towers rely on signal levels, that cuts down the search area. Besides, just knowing your tower leaks data.

Unrelated to SMS, I’m reminded of the guy with 99 cell phones in a wagon. He used google maps so he lit his location up.

(And I probably mentioned this on another thread awhile back.)

1 Like

I have been tempted to use this method to prevent Waze, etc. from sending impatient commuters through my neighborhood. I live on a street that is not a good through street, has limited visibility because of a hill, and increasing numbers of children at play, yet yahoos still come barreling through at 45 mph, driving with their knees, texting as they come. I’m kind of surprised there isn’t a product to spoof traffic jams yet – I’d buy one.

More directly related, I was in the mountains recently and wondered why the scenic road I was on was showing up as totally jammed on the nav system, while actual traffic was rather light. I then realized it was counting all the cars pulled over at the scenic overlooks as cars stuck in traffic, and had to laugh.

Sorry, I know this is a COMPLETELY inappropriate aside for this thread. I promise to say no more.

My statement was intended to be precise: You can’t triangulate / trilaterate if you only have one tower to communicate with.

I agree totally that mobile telephony is fundamentally bad for privacy because one tower by itself provides coarse tracking of your position.

Using signal levels could in theory narrow down the possible distance from the tower.

Assuming that the tower has a set of 3 directional antennae, dividing the 360° at the tower into three 120° sectors, this further narrows down your position.

Both of the previous two paragraphs are under ideal conditions. Real world conditions work to reduce the effectiveness, which maybe is a good thing. :wink:

However maybe we should get back to the content of explicit transmissions to the tower that are not under your control and which may leak away your privacy.

1 Like

Great point! I usually just think of a circular area for one tower.
Anyhow - I figure it’s a fairly moot point; we have a kill switch, and we need to be connected sometimes for… well, connectivity.

1 Like