Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure

FranklyFlawless · November 19, 2023, 3:50pm

I found a report from Citizen Lab that caught my interest, so I figured it was worth sharing it with the Purism community considering its themes’ relevance.

Here is an introductory quote I reformatted which summarizes it:

This report provides a high-level overview of the geolocation-related threats associated with contemporary networks that depend on the protocols used by 3G, 4G, and 5G network operators, followed by evidence of the proliferation of these threats.

Part 1 provides the historical context of unauthorized location disclosures in mobile networks and the importance of the target identifiers used by surveillance actors.

Part 2 explains how mobile networks are made vulnerable by signaling protocols used for international roaming, and how networks are made available to surveillance actors to carry out attacks. An overview of the mobile ecosystem lays the foundation for the technical details of domestic versus international network surveillance, while the vectors of active versus passive surveillance techniques with evidence of attacks shows how location information is presented to the actor.

Part 3 provides details of a case study from a media report that shows evidence of widespread state-sponsored surveillance, followed by threat intelligence data revealing network sources attributed to attacks detected in 2023. These case studies underscore the significance and relevance of undertaking these kinds of surveillance operations.

Deficiencies in oversight and accountability of network security are discussed in Part 4. This includes outlining the incentives and enablers that are provided to surveillance actors from industry organizations and government regulatory agencies.

Part 5 makes clear that the adoption of 5G technologies will not mitigate future surveillance risks unless policymakers quickly move to compel telecommunications providers to adopt the security features that are available in 5G standards and equipment. If policymakers do not move swiftly then surveillance actors may continue to prey upon mobile phone users by tracking their physical location. Such a future paints a bleak picture of user privacy and must be avoided.

I have not gotten around to fully reading the entire report, but after doing so I will join in the discussion in this thread, if any.

irvinewade · November 20, 2023, 11:08pm

Definitely looks relevant. Unfortunately at 40 pages, I don’t have time right now.

While your local authorities may themselves like to exploit these kinds of weaknesses, hopefully they are also paying attention that it is exploited by, sometimes hostile, foreign authorities.

At least on the Librem 5 you can use the kill switch to suppress tracking of any intermediate locations (i.e. intermediate between the times when you “choose” to “broadcast” your location).

I downloaded the PDF copy as that is more convenient for future reading.

FranklyFlawless · November 22, 2023, 7:11pm

This report has been far more eye-opening than expected, and immensely dense. It will require me multiple days to simplify it into written actionable steps for everyone to benefit and protect themselves, so while I continue to formulate this in the background, here are some important quotes worthy of discussion and my immediate interest:

Part 1

Part 5

New security features which are available in the 5G standards take a significant step towards preventing network-based location surveillance. Whereas 3G and 4G networks use the IMSI as the user network identity, which has been exposed to adversaries and obtained over the years to conduct geolocation tracking attacks, 5G provides privacy enhancements. These enhancements have the ability to obfuscate the network identity of the user and their device, and they come in the form of the following identifiers:

Subscription Permanent Identifier (SUPI) - The globally unique identifier that is allocated to each 5G subscription

Subscription Concealed Identifier (SUCI) - The encrypted equivalent of the SUPI that includes the Mobile Country Code (MCC) and Mobile Network Code (MNC), and the Mobile Subscription Identity Number (MSIN)

Globally Unique Temporary Identifier (5G-GUTI) - The temporary identifier used in 5G networks to identify a mobile device and its associated subscription information

Implementing security features, however, is highly dependent on telecommunications operators adopting correct network configurations and taking advantage of the available 5G security features. There is a risk that some operators may not adopt these configurations on the premise that doing so increases the costs of deploying 5G infrastructure. Moreover, users have no ability to determine whether available privacy or security measures have been implemented. This customer-harmful business judgment on implementing privacy or security features should be avoided on the basis that, in doing so, businesses may be placing themselves in legal or regulatory jeopardy should individuals seek recompense for a failure to adequately protect their privacy, or regulators should impose fines on companies that have deliberately failed to protect their customers’ personal information.

My interests in this report are centered towards creating anti-surveillance and anti-censorship solutions broken down into manageable steps.

irvinewade · November 23, 2023, 12:50am

And if you are in a country where human rights protections are fairly SUCI … whether the government in that country allows telecommunications operators to take advantage of available security features.

FranklyFlawless · November 25, 2023, 1:45am

My current line of thinking is that I should make an entirely separate thread to address all of these issues within the report. It makes more sense to write up a practical guide, similar to the EFF’s Surveillance Self-Defense, but more effective than their proposed solutions. It will take many weeks to complete.

In the meantime, this thread can be used for discussion for any of the points in the report, for those who value it. My current focus is defeating cell-site simulators/IMSI catchers, but I am also fine discussing anything else relating to street-level surveillance.

FranklyFlawless · November 28, 2023, 11:19pm

Well I started writing the guide, and it will probably not take as long as I thought because I am going to omit explaining all of the technical details and jargon behind it, in favour of focusing on actionable steps against mobile geolocation surveillance. Anyone interested can simply read the report on their own time and do further research on their own if desired.

I will mention that Figure 7 of the report had additional redactions on November 8th, 2023, but it can be easily reverted using the Wayback Machine, either by using the initial report, or this “direct” image link.

FranklyFlawless · December 16, 2023, 10:26pm

After some serious deliberation, I have decided to not finish this guide, as mobile geolocation surveillance is not part of my threat model, among other reasons, so writing about it is not relevant to me. However, I have done some work already, so I will share it in a spoiler below:

Guide (Unfinished)

This thread is a guide addressing mobile geolocation surveillance, and is based on this 40-page report from Citizen Lab in this thread. Thus, it will be significantly consensed and comparatively accessible for the reader, at the expense of explaining technical details and jargon. For convenience, I have defined a clear threat model.

Threat:

Mobile geolocation surveillance (surreptitious and/or unlawful)

Assets:

Behaviours
Demographic details
Social communities
Shopping habits
Sleeping patterns
Travel history
Where you live and work

Actors/Adversaries:

Foreign intelligence agencies
Law enforcement
Private intelligence firms
Security services

Abilities/Skillsets:

Varies depending on which actor(s)

(e)SIM cards are provisioned a few globally unique values to enables roaming services:

ICCID (global)
IMSI/SUPI (domestic)
MSISDN (phone number)

The IMSI can be exposed by locating its Cell ID or an IMSI catcher within close physical proximity. Metadata surrounding the MSISDN, including the IMSI, can be exposed with an HLR lookup service.

When using roaming services, malicious signaling messages from actors/adversaries connected to the IP Exchange can be directed towards the device with the effect of exposing its geolocation.

I will add a few important practices off the top of my head for those who are concerned about mobile geolocation surveillance:

Do not roam on other networks.
Before travelling, prepare your Librem 5 with the appropriate modem and associated SIM card for the destination country.
- Keep the cellular hardware kill switch on to prevent malicious signaling messaging attacks against them until you arrive at the destination country.
After travelling, switch back to the original modem and SIM card.

Reading the report was enlightening/fascinating, but I was being too altruistic writing up a guide that does not affect me, instead of focusing on something that does.

Also, I am confident that IMSI catchers can be jammed or at least overwhelmed with a stronger signal, but I have not thoroughly explored that subject enough.

FranklyFlawless · January 26, 2025, 4:20am

I finally had the time and interest to read the entire unredacted Citizen Lab report, and it was a highly informative resource.

JR-Fi · January 28, 2025, 8:28pm

This may interest you, as it’s somewhat related. Here is another type of (rough) geolocation attack, recently published: Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform · GitHub Apparently any type of CDN network that platforms and some protocols use, as well as VPNs seem susceptible to this (the more servers available a service has, the more accurate this kind of traffic redirection method is).

FranklyFlawless · January 28, 2025, 9:35pm

Same link on my GotHub instance:

Repository hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 - GotHub

I will read it later once I have time.

irvinewade · January 29, 2025, 1:52am

Can you elaborate on that?

Even so, a VPN may be part of the solution i.e. the CDN probing should find the nearest datacentre to where the VPN server is, if you are using a VPN, rather than the nearest datacentre to where you are.

(I guess that in order to mix it up well and truly, you should randomly change your VPN server i.e. which endpoint you use, every X seconds - assuming that you are using a VPN provider that offers a wide choice of servers.)

JR-Fi · January 29, 2025, 10:11am

Ay, just meant that although user is on VPN, the endpoint server can be located similarly - this may not be relevant since it’s VPN but makes the location more specific than just “somewhere”.