GSM networks leak users’ location

Security researchers have discovered it’s possible to track a cellphone’s location by listening to unencrypted broadcast messages from cell phone towers.

“Cell phone towers have to track cell phone subscribers to provide service efficiently,” says University of Minnesota computer science PhD student Denis Foo Kune.

“For example, an incoming voice call requires the network to locate that device so it can allocate the appropriate resources to handle the call. Your cell phone network has to at least loosely track your phone within large regions in order to make it easy to find it.”

To do this, the tower broadcasts a page to the cellphone, waiting for it to respond when it gets a call – not unlike a CB radio, says Foo Kune.

And, using a cheap phone and open source software, and without any help from the servive provider, it’s possible for a hacker to force those messages to go out and then hang up before the victim hears their phone ring.

“It has a low entry barrier,” Foo Kune said. “Being attainable through open source projects running on commodity software.”

The researchers found they were able to track the location of cell phone users without their knowledge on the GSM network. In a field test, they tracked a test subject walking within a 10-block area of Minneapolis.

And there are implications that go beyond hacking, say the team.

“Agents from an oppressive regime may no longer require cooperation from reluctant service providers to determine if dissidents are at a protest location,” they write.

“Another example could be thieves testing if a user’s cell phone is absent from a specific area and therefore deduce the risk level associated with a physical break-in of the victim’s residence.”

The group’s contacted AT&T and Nokia with suggestions for low-cost techniques that close the breach without changing the hardware. They’re also in the process of drafting responsible disclosure statements for cellular service providers.