By arnabc in Security Awareness
How SMS is used to track the location of a mobile device
The law enforcement agencies used the basic principle that every time a mobile device performs any activity, it exposes its presence to the Cell tower. If the mobile network can force the mobile device to some very short activity without making it perceptible to the user, then using Radiolocation technologies, the mobile device can be tracked. To do that, a special type of SMS known as “Silent SMS” is used. Every time a silent SMS is delivered, the mobile silently acknowledges. This creates activities for a mobile which is tracked by a LMU (Location Measurement Unit) at BTS (Base Transceiver Station) by using a variety of multilateration methods.
A commonly used technique for tracking location in GSM network is called E-OTD (Enhanced-Observed Time Difference of arrival) . This is a network-based location tracking method. In this technique, the signal arrival time from the mobile device is measured from 3 BTS/LMUs’. The position of the ME (Mobile Equipment) is determined by comparing the time differences between two sets of timing measurements. The accuracy is between 50 – 200 meters. More accurate location measurement is possible using A-GPS (Assisted GPS) based systems.
Few sample cases where the technique was used to track adversaries
According to EEF (Electronic Frontier Foundation), German law enforcement agencies used Silent SMS more than 440,000 times in 2010 to track targets (https://www.eff.org/deeplinks/2012/01/privacy-roundup-mandatory-data-retention-smart-meter-hacks-and-law-enforcement).
In the past using Cell Tower log generated by forcing the target mobile device into some activities, a target’s locations and movements were accurately reconstructed and identified. In the USA vs. Forrest case, police used similar techniques [355 F.3d 942 (2004), UNITED STATES of America, Plaintiff-Appellee, v Craig FOREST (02-3022) and Herman E. Garner, III (02-3064), Defendants-Appellants.]. Also, a case in Germany [https://www.eff.org/deeplinks/2011/03/what-location-tracking-looks] showed the amount and accuracy of the information mobile service providers captured and stored.
More about Silent SMS
The SMS message is specified by the ETSI in documents GSM 03.38 and GSM 03.40. It can be up to 160 characters long, where each character is 7 bits. Eight-bit messages can contain up to 140 characters and are usually not viewable by the phones as text messages. Instead they are used for data in e.g. smart messaging (images and ringing tones) and Over The Air (OTA) provisioning of Wireless Application Protocol (WAP) settings.
Silent messages, often referred to as “Silent SMS” or “Stealth SMS” is a type of SMS message which when received by a mobile device does not notify either by the display or by a sound. GSM 03.40 describes a Short Message of type 0 which indicates that the mobile equipment must acknowledge receipt of the short message but may discard its contents.
How to create Silent SMS
To create Silent SMS, the SMS PDU (Protocol Data Unit) needs to be manipulated. It is best done from an application that communicates with SMSC (SMS Center) using a protocol called SMPP. To send a SMS, the application need to send SMPP GSM 03.38 encoded Submit_Sm PDU. A sample Submit_Sm PDU is shown below:
Encoding PDU Header . .’ command length ’ , ( 7 1 ) . . . 00 00 00 47 ’ command id ’ , ( 4 ) . . . 00 00 00 04 ’ command s t a tus ’ , ( 0 ) . . . 00 00 00 00 ’ sequence number ’ , ( 1 ) . . . 00 00 00 01 Encoding PDU Body . . ’ service type ’ , ( 0 ) . . . 30 00 ’ source_add r_ t o n ’ , ( 1 ) . . . 01 __ ’ source_ addr_ npi ’ , ( 1 ) . . . 01 ** ‘source_ addr ’ , (27829239812) . . . 32 37 38 32 39 32 33 39 38 31 32 00 ’dest_addr_ton ’ , ( 1 ) . . . 01 ** ’dest_addr_npi ’ , ( 1 ) . . . 01 ** ’dest_ addr’ , (27829239812) . . . 32 37 38 32 39 32 33 39 38 31 32 00 ’esm_ class ’ , ( 0 ) . . . 00 ’protocol_ id ’ , ( 0 ) . . . 00 ’priority_flag ’ , ( 0 ) . . . 00 ’schedule_delivery_time ’ , ( 0 ) . . . 30 00 ’validity_period ’ , ( 0 ) . . . 30 00 ’registered_delivery ’ , ( 1 ) . . . 01 ’replace_ if_ present_fl ag ’ , ( 0 ) . . . 00 ’data_coding ’ , ( 0 ) . . . 00 ’sm_default_msg_ id ’ , ( 0 ) . . . 00 ’sm_length ’ , ( 0 ) . . . 00 ’short_message ’ , ( ivizsecurity.com ) . . . 69 76 69 7A 73 65 63 75 72 69 74 79 2E 63 6F 6D Full PDU ( 70 o c t e t s + + ) . . 00 00 00 47 00 00 00 04 00 00 00 00 00 00 00 01 30 00 01 01 32 37 38 32 39 32 33 39 38 31 32 00 01 01 32 37 38 32 39 32 33 39 38 31 32 00 00 00 00 30 00 30 00 01 00 00 00 00 73 61 74 6E 61 63 2E 6F 72 67 2E 7A ** ( 0 ) indicates local numeric numbering formatting ( 1 ) indicates international numeric number formatting ++ Octet is a group of 8 bits , often referred to as a byte |
There are many different ways to manipulate SMS PDU but many of them may cause mobile device malfunctioning. The two techniques described by N.J Croft and M.S Olivier [“A silent SMS denial of service (DoS) attack,” Proceedings of the Southern African Telecommunication Networks and Applications Conference 2007 (SATNAC 2007), Sugar Beach Resort, Mauritius, September 2007 (Published electronically)] were used and found working are: Manipulating Data Encoding Scheme and Manipulating Timing in a WAP Push Message.
In the first technique, the data_encoding attribute of SMS PDU was set to 0xC0. This sets the MWIG (Message Waiting Indication Group) identifier that as per GSM 03.38 translates to “Discard Message”. The mobile device on receiving the message discards it after sending delivery acknowledgement.
In the second technique, the scheduled_delivery_time is set to a date and time before today in the format “YYMMDDhhmmsstnn”. It was observed that the message was delivered, delivery acknowledgement was sent by the mobile device but the message was never displayed.
Conclusion
SMS is an important technology that has made a serious impact on our everyday life. It enabled ubiquitous communication channel to be extended for feature rich value added services. It has also helped law enforcement agencies to track adversaries. However, the very technology that has helped tracking criminals also has the potential to become a channel for launching cyber attack. It has the potential to be a channel for launching DoS attack, triggering malware etc. Henceforth adequate security assurance must be implemented for mobile devices.