I found a report from Citizen Lab that caught my interest, so I figured it was worth sharing it with the Purism community considering its themes’ relevance.
This report provides a comprehensive guide to geolocation-related threats sourced from 3G, 4G, and 5G network operators. Case studies, references, examples, and evidence are provided to give a complete and contextual understanding of mobile...
Here is an introductory quote I reformatted which summarizes it:
This report provides a high-level overview of the geolocation-related threats associated with contemporary networks that depend on the protocols used by 3G, 4G, and 5G network operators, followed by evidence of the proliferation of these threats.
Part 1 provides the historical context of unauthorized location disclosures in mobile networks and the importance of the target identifiers used by surveillance actors.
Part 2 explains how mobile networks are made vulnerable by signaling protocols used for international roaming, and how networks are made available to surveillance actors to carry out attacks. An overview of the mobile ecosystem lays the foundation for the technical details of domestic versus international network surveillance, while the vectors of active versus passive surveillance techniques with evidence of attacks shows how location information is presented to the actor.
Part 3 provides details of a case study from a media report that shows evidence of widespread state-sponsored surveillance, followed by threat intelligence data revealing network sources attributed to attacks detected in 2023. These case studies underscore the significance and relevance of undertaking these kinds of surveillance operations.
Deficiencies in oversight and accountability of network security are discussed in Part 4. This includes outlining the incentives and enablers that are provided to surveillance actors from industry organizations and government regulatory agencies.
Part 5 makes clear that the adoption of 5G technologies will not mitigate future surveillance risks unless policymakers quickly move to compel telecommunications providers to adopt the security features that are available in 5G standards and equipment. If policymakers do not move swiftly then surveillance actors may continue to prey upon mobile phone users by tracking their physical location. Such a future paints a bleak picture of user privacy and must be avoided.
I have not gotten around to fully reading the entire report, but after doing so I will join in the discussion in this thread, if any.
Definitely looks relevant. Unfortunately at 40 pages, I don’t have time right now.
While your local authorities may themselves like to exploit these kinds of weaknesses, hopefully they are also paying attention that it is exploited by, sometimes hostile, foreign authorities.
At least on the Librem 5 you can use the kill switch to suppress tracking of any intermediate locations (i.e. intermediate between the times when you “choose” to “broadcast” your location).
I downloaded the PDF copy as that is more convenient for future reading.
This report has been far more eye-opening than expected, and immensely dense. It will require me multiple days to simplify it into written actionable steps for everyone to benefit and protect themselves, so while I continue to formulate this in the background, here are some important quotes worthy of discussion and my immediate interest:
5G adds a security feature called the Subscription Concealed Identifier (SUCI), with an encryption scheme to prevent the open transmission of the user network identity over the radio interface. This has the effect of foiling surveillance actors who have physical proximity to a mobile device and use tools such as IMSI Catchers to intercept radio communications in order to forcibly reveal a device’s IMSI number. IMSI Catchers are used by a variety of actors, including law enforcement, security, and foreign intelligence agencies, as well as criminals, to obtain the network identity of users for surveillance purposes.
Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower. Cell-site simulators operate by...
New security features which are available in the 5G standards take a significant step towards preventing network-based location surveillance. Whereas 3G and 4G networks use the IMSI as the user network identity, which has been exposed to adversaries and obtained over the years to conduct geolocation tracking attacks, 5G provides privacy enhancements. These enhancements have the ability to obfuscate the network identity of the user and their device, and they come in the form of the following identifiers:
Subscription Permanent Identifier (SUPI) - The globally unique identifier that is allocated to each 5G subscription
Subscription Concealed Identifier (SUCI) - The encrypted equivalent of the SUPI that includes the Mobile Country Code (MCC) and Mobile Network Code (MNC), and the Mobile Subscription Identity Number (MSIN)
Globally Unique Temporary Identifier (5G-GUTI) - The temporary identifier used in 5G networks to identify a mobile device and its associated subscription information
Implementing security features, however, is highly dependent on telecommunications operators adopting correct network configurations and taking advantage of the available 5G security features. There is a risk that some operators may not adopt these configurations on the premise that doing so increases the costs of deploying 5G infrastructure. Moreover, users have no ability to determine whether available privacy or security measures have been implemented. This customer-harmful business judgment on implementing privacy or security features should be avoided on the basis that, in doing so, businesses may be placing themselves in legal or regulatory jeopardy should individuals seek recompense for a failure to adequately protect their privacy, or regulators should impose fines on companies that have deliberately failed to protect their customers’ personal information.
My interests in this report are centered towards creating anti-surveillance and anti-censorship solutions broken down into manageable steps.
Looking forward to further comments Frankly.
And if you are in a country where human rights protections are fairly SUCI
… whether the government in that country allows telecommunications operators to take advantage of available security features.
My current line of thinking is that I should make an entirely separate thread to address all of these issues within the report. It makes more sense to write up a practical guide, similar to the EFF’s Surveillance Self-Defense, but more effective than their proposed solutions. It will take many weeks to complete.
In the meantime, this thread can be used for discussion for any of the points in the report, for those who value it. My current focus is defeating cell-site simulators/IMSI catchers, but I am also fine discussing anything else relating to
Well I started writing the guide, and it will probably not take as long as I thought because I am going to omit explaining all of the technical details and jargon behind it, in favour of focusing on actionable steps against mobile geolocation surveillance. Anyone interested can simply read the report on their own time and do further research on their own if desired.
I will mention that Figure 7 of the report had additional redactions on November 8th, 2023, but it can be easily reverted using the Wayback Machine, either by using the initial report, or this “direct” image link.