Enabling Physical Localization of Uncooperative Cellular Devices
Abstract: In cellular networks, authorities may need to physically locate user devices to track criminals or illegal equipment. This process involves authorized agents tracing devices by monitoring uplink signals with cellular operator assistance. However, tracking uncooperative uplink signal sources remains challenging, even for operators and authorities. Three key challenges persist for fine-grained localization: i) devices must generate sufficient, consistent uplink traffic over time, ii) target devices may transmit uplink signals at very low power, and iii) signals from cellular repeaters may hinder localization of the target device. While these challenges pose significant practical obstacles to localization, they have been largely overlooked in existing research. This work examines the impact of these real-world challenges on cellular localization and introduces the Uncooperative Multiangulation Attack (UMA) to address them. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to maximum levels, and 3) uniquely differentiate between signals from the target and repeaters. Importantly, UMA operates without requiring privileged access to cellular operators or user devices, making it applicable to any LTE network. Our evaluations demonstrate that UMA effectively overcomes practical challenges in physical localization when devices are uncooperative.
- 3GPP. TS 23.203, v17.2.0. Policy and charging control architecture, 2022.
- 3GPP. TS 36.213, v17.1.0. Evolved Universal Terrestrial Radio Access (E-UTRA); Physical layer procedures, 2022.
- 3GPP. TS 36.305, v17.0.0. Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Stage 2 functional specification of User Equipment (UE) positioning in E-UTRAN, 2022.
- 3GPP. TS 36.321, v16.6.0. Evolved Universal Terrestrial Radio Access (E-UTRA); Medium Access Control (MAC) protocol specification, 2021.
- 3GPP. TS 36.331, v17.3.0. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification , 2023.
- 3GPP. TS 36.942, v17.0.0. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Frequency (RF) system scenarios, 2022.
- Non-cooperative wi-fi localization & its privacy implications. In Proceedings of the 28th Annual International Conference On Mobile Computing And Networking, 2022.
- Watching the watchers: Practical video identification attack in {{\{{LTE}}\}} networks. In 31st USENIX Security Symposium (USENIX Security 22), pages 1307–1324, 2022.
- Targeted privacy attacks by fingerprinting mobile apps in lte radio layer. In IEEE/IFIP International Conference on Dependable Systems and Networks, 2023.
- Freaky leaky SMS: extracting user locations by analyzing SMS timings. arXiv preprint arXiv:2306.07695, 2023.
- Bolton parabolic directional antenna. https://boltontechnical.com/.
- Watching your call: breaking VoLTE privacy in LTE/5G networks. arXiv preprint arXiv:2301.02487, 2023.
- LTE location technologies and delivery solutions. Bell Labs Technical Journal, 2013.
- Indoor localization without the pain. In International Conference on Mobile Computing and Networking, 2010.
- AB Handshake Corporation. Interconnect Bypass - Which Regions of the World are Most Vulnerable? https://totaltele.com/interconnect-bypass-which-regions-of-the-world-are-most-vulnerable/.
- Csi-based outdoor localization for massive mimo: Experiments with a learning approach. In 2018 15th International Symposium on Wireless Communication Systems (ISWCS). IEEE, 2018.
- Survey of cellular mobile radio localization methods: From 1G to 5G. IEEE Communications Surveys & Tutorials, 2017.
- Richard W. Downing. Geolocation technology and privacy. https://www.justice.gov/sites/default/files/testimonies/witnesses/attachments/2016/05/12/508_compliant_03-02-16_aag_downing_testimony_from_march_2_2016_hearing_re_geolocation_technology_and_privacy.pdf.
- AdaptOver: adaptive overshadowing attacks in cellular networks. In International Conference on Mobile Computing And Networking, 2022.
- Fake mobile phone towers operating in the UK. http://news.sky.com/story/fake-mobile-phone-towers-operating-in-the-uk-10356433.
- EFF (Electronic Frontier Foundation). Mobile phones: location tracking, 2021. https://ssd.eff.org/module/mobile-phones-location-tracking.
- GSMA. Mobile cyber security & fraud threat observations and incidents, 2020.
- GSMA. Mobile money fraud typologies and mitigation strategies, 2024.
- Ltesniffer: An open-source lte downlink/uplink eavesdropper. 2023.
- GUTI reallocation demystified: cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, 2018.
- E. Houweling. Chinese ‘anti-fraud centre’ becomes most downloaded app. https://www.verdict.co.uk/chinese-anti-fraud-centre-becomes-most-downloaded-app/?cf-view.
- Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, 2019.
- Hyperlog 7060x. https://aaronia.com/en/shop/antennas-sensors/logper-antennas/aktive-emv-peilantenne-hyperlog7060x.
- The body-worn “IMSI catcher” for all your covert phone snooping needs. https://arstechnica.com/information-technology/2013/09/the-body-worn-imsi-catcher-for-all-your-covert-phone-snooping-needs/.
- Lost traffic encryption: fingerprinting LTE/4G traffic on layer two. In Conference on Security and Privacy in Wireless and Mobile Networks, 2019.
- Ltrack: stealthy tracking of mobile phones in LTE. In USENIX Security Symposium, 2022.
- LTE radio analytics made easy and accessible. In ACM SIGCOMM, 2014.
- Location leaks on the GSM air interface. In Network and Distributed System Security Symposium, 2012.
- A stealthy location identification attack exploiting carrier aggregation in cellular networks. In USENIX Security Symposium, 2021.
- From 5G sniffing to harvesting leakages of privacy-preserving messengers. In IEEE Symposium on Security and Privacy, 2022.
- Josh McConnell. No, the authorities can’t actually track your iPhone’s GPS without your permission and here’s why. https://financialpost.com/technology/personal-tech/no-the-authorities-cant-actually-track-your-iphones-gps-without-your-permission-and-heres-why.
- PowerSpy: location tracking using mobile device power analysis. In USENIX Security Symposium, 2015.
- Elizabeth Montalbano. Sophisticated vishing campaigns take world by storm. https://www.darkreading.com/endpoint-security/sophisticated-vishing-campaigns-take-world-by-storm?__cf_chl_tk=GJUR3PaINshKoad_ld9ub.yWTBKMUxNhiR1g6oWBaNA-1710219180-0.0.1.1-1471.
- Accurate GSM indoor localization. In International Conference on Ubiquitous Computing, 2005.
- Csi-based fingerprinting for indoor localization using lte signals. EURASIP Journal on Advances in Signal Processing, 2018.
- Performance of 3GPP Rel-9 LTE positioning methods. https://www.cwins.wpi.edu/workshop10/pres/std_2.pdf.
- Boxed out: blocking cellular interconnect bypass fraud at the network edge. In USENIX Security Symposium, 2015.
- Breaking LTE on layer two. In IEEE Symposium on Security and Privacy, 2019.
- Sok: Fraud in telephony networks. In IEEE European Symposium on Security and Privacy, 2017.
- Min seok Chae. Manipulating number 070 into 010… police arrest 15 people involved in voice phishing. https://biz.chosun.com/topics/topics_social/2022/07/11/K3QWGLQZKNAEPJUFPFPYT6M434/.
- Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In Network and Distributed System Security Symposium, 2016.
- srsRAN, 2022. https://www.srslte.com/.
- Data-plane signaling in cellular IoT: attacks and defense. In International Conference on Mobile Computing and Networking, 2021.
- A new approach to multipath correction of constant modulus signals. IEEE Transactions on Acoustics, Speech, and Signal Processing, 1983.
- Blue’s clues: practical discovery of non-discoverable Bluetooth devices. In IEEE Symposium on Security and Privacy, 2023.
- USRP X310. https://www.ettus.com/x310-kit/.
- Estimation of multipath parameters in wireless communications. IEEE Transactions on Signal Processing, 1998.
- Accuver XCAL. http://www.accuver.com/.
- Hiding in plain signal: physical signal overshadowing attack on LTE. In USENIX Security Symposium, 2019.
- A survey of indoor localization systems and technologies. IEEE Communications Surveys & Tutorials, 2019.
- Fingerprint-based localization using commercial lte signals: A field-trial study. In 2019 IEEE 90th Vehicular Technology Conference (VTC2019-Fall), pages 1–5. IEEE, 2019.
- When good becomes evil: tracking Bluetooth low energy devices via allowlist-based side channel and its countermeasure. In Conference on Computer and Communications Security, 2022.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.