How the FBI Gets Location Information

Vice has a detailed article about how the FBI gets data from cell phone providers like AT&T, T-Mobile, and Verizon, based on a leaked (I think) 2019 139-page presentation.

EDITED TO ADD (11/12): My mistake. It was not a leak:

Ryan Shapiro, executive director of nonprofit organization Property of the People, shared the document with Motherboard after obtaining it through a public record act request. Property of the People focuses on obtaining and publishing government records.

Posted on October 27, 2021 at 9:01 AM

Comments

Randy October 27, 2021 9:44 AM

That 139-page presentation is interesting. Esp. on page 15 where it shows “examples of cell towers disguised to blend into landscape”.

Also it says that it takes 500 hours of training to become CAST certified. So apparently it is not very straightforward to get a user's location if that much stuff is involved?

echo October 27, 2021 9:49 AM

Thanks to GCHQ poking its nose in, the UK didn’t push forward with a policy to make network sharing mandatory, so we’re still stuck with less than optimal coverage and blackspots in some areas. Why? No idea because “national security” mutter mutter.

It may sound frivolous but I’m on the watch for pen pusher security and law enforcement types with bad tailoring. It’s completely unscientific and mockingly snarky but a way in my mind for putting these types of people in their place. Now there will be those with impeccable tailoring but then they would be accused of slick careerism so I have them covered that way too.

One thing I would like to see though is UK media do better analysis and be much more firmly objective. This secret squirrel nonsense with personalities and who is on with who and such like is a load of flannel. It’s constantly shifting churnalism where public policy discussion is always in a state of flux and nobody is held accountable because wriggly reasons. Even on just one single area like court reporting you have to hold their feet to the fire to provide a link to the court judgment so you can make your own mind up and separate good critical analysis from careerist waffle.

There is some good independent media in the UK but it’s small and completely drowned out by the US. Blink and you wouldn’t know it’s there.

Sofa October 27, 2021 9:56 AM

@Bruce,

Not a leak, from the article:

Ryan Shapiro, executive director of nonprofit organization Property of the People, shared the document with Motherboard after obtaining it through a public record act request. Property of the People focuses on obtaining and publishing government records.

Sofa

Peter October 27, 2021 10:30 AM

@Randy

The 500 hours was to be allowed to testify in court (i.e. how to explain the system without making it look blatantly unconstitutional).

They didn’t specify how much training was needed to use the system.

Hellios October 27, 2021 11:01 AM

@Peter.

Seems like a complete waste of time. 500 hours of training to learn how to wave hands in mysterious and mystical manner? The problem isn’t the language. The problem is a judicial system that is a third branch in name only and caves into the executive at the mere batting of an eyelash or a twinkle in the eye.

Our system has evolved into one where our freedoms have come to depend on the actions of armed gangs with only a high school education (LEO) overseen by a cabal of lawyers.

65535sec October 27, 2021 11:12 AM

If you look at the entry, the FBI c-a-n find out anything about anybody. What this means is they could target any politician, high or low, without necessarily answering for it.

But are they using this to help Citizens who face the compromises brought on by adversaries who have access to the same data?

The democratic system depends on a lack of self censorship, free exchange of information, and privacy. Diplomacy may not be possible without spies, but discretion is not possible if the compromise is too complete.

Ted October 27, 2021 1:02 PM

@SpaceLifeForm, All

Did you see the cell tower drive testing details on page 27 of this report? In regards to our “lost” hiker in Colorado, do you think that the “Lake County Search and Rescue” outfit has previously worked with the FBI to map out a radio frequency footprint of the area?

I wonder how quickly they will contact the FBI when a person cannot be located.

Jon October 27, 2021 2:36 PM

Seems to me that 139 pages is an awful lot to ask nicely for that information, and then if they say no, ask “Are you sure all your permits are in order?”. Done…? J.

Clive Robinson October 27, 2021 4:56 PM

@ ALL,

A look at page 16 of the PDF shows some important information…

The cellular system “assumes” signal strength is the way to decide which cell you are in or should be “handed off to”.

That model assumes that the mobile radiates more or less omnidirectionally. To prevent base station receiver “de-sense” in that cell and other adjacent cells, the base the mobile is connected to tells the mobile to turn its power down if the signal strength is high.

If you disable GPS in your phone then location data is based on,

1, Assumed cell you are in (signal strength).
2, Which sector you appear in (which base antenna you are strongest on).
3, What your time delay is as a crude measure of distance.

Because the above can be crappy they take several readings, including those from adjacent cells, to get an approximate location, the accuracy of which is inversely proportional to the distance from the mobile to the base (assuming omnidirectional radiation).

Ask yourself the question,

“What happens when the mobile does not radiate omnidirectionally?”

That is, you take the phone apart, identify where the internal antenna is, remove it and replace it with an external high gain directional antenna… Especially one with few or no effective side lobes (corner reflector or trough / dish).

Your location uncertainty becomes rather dependent on which way your high gain antenna is pointing, and at what…

I’ve talked about “back to back” antennas to be used as passive relays in the past. Such things can be useful if you live in a basement. One antenna is just outside your main room window which feeds low loss coax to another antenna up on the side of the building ten or more feet above ground level.

You can use “back-fire” antennas that have good back to front ratio with five to ten directors back to back and cross polarised both mounted on a pole on a high building. If you use a similar antenna to point into one of the antennas on the roof your signal in effect “dog legs” which means your path length measured by time delay is off and you can point the other roof based antenna at a more distant cell site…

You also get issues with buildings acting as reflectors: if you can get the maps of cars driving down a main road, they can all appear to jump a distance off of the road.

It’s why the cell site surveys are so very very important, because such anomalies, although they don’t affect your ability to use the service, do affect your location, sometimes significantly.

Oh whilst I see they have to get a “warrant” to get at “voicemails” I have not seen anything about getting the “call records” of what numbers were used to “call the voicemail service”.

So a question arises: if you just leave a dirt cheap burner phone on in a box, that triggers a Raspberry Pi or some such when it rings, and the Pi then “pages you”[1], you can go to a phone box landline or borrow somebody else’s mobile to call the VoiceMail and pick up a message. The question then is do the FBI get the information about which number called the VM service and thus be able to get its location?…

Also there are “emergency button phones” you can get really dirt cheap (less than $20 for GSM 2G service). As they have real “keyboards” it’s not too difficult to program one to call the voice mail service, as “single key dialing”, and get the audio messages into a computer, then squirt them off via Tor as audio files to a “drop box” server, where having been “paged” you can then pick them up via Tor from an Internet Cafe etc.

Not impossible to be traced but requires sufficiently technically competent staff. Which is certainly way beyond what this ~1/4year training will get them…

But then if you are technically competent there are all sorts of other tricks you can pull with just a Raspberry Pi and a network socket, including having a little VoIP PABX… Tucked away by WiFi under a floor or in a loft, all you need is to get power to it… Go to a flat via Airbnb / Gumtree / etc that is overlooking a coffee shop or travel interchange or backs onto a large store car park and install $100 of kit under the floor and there you go…

These things are not difficult if you can think laterally in technical ways. Or know that whilst “chains” do monitor WiFi, little independent cafes, coffee shops, etc don’t, and mostly they do not change their WiFi passwords if they even have them…

[1] The thing about “national paging” services is you don’t need a “pager”: a Software Defined Radio (SDR) and a little software and you can receive everybody’s pager signals, and by writing a bit of software get the data off of it. There are Ham Radio Projects that do exactly this, to control systems remotely…
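The three ingredients Clive lists (the cell you are assumed to be in, the sector antenna you are strongest on, and the time delay as a crude distance) can be combined into a small estimator that shows why several readings from adjacent cells are needed. This is an added example, not code from the comment or from the FBI presentation; the tower layout, the 120-degree sectors and the handset position are constructed, and the distance unit is the GSM timing-advance step of roughly 553.5 metres (one 3.69 microsecond bit period, counted round trip). It assumes the handset radiates omnidirectionally, which is exactly the assumption the comment goes on to question.

```python
import math
from dataclasses import dataclass

TA_METRES = 553.5  # one GSM timing-advance step: a 3.69 us bit period, counted round trip

@dataclass(frozen=True)
class Tower:
    name: str
    x: float
    y: float
    azimuths: tuple  # centre bearing of each sector antenna, degrees clockwise from north

@dataclass(frozen=True)
class Report:
    tower: str
    sector: int          # which sector antenna heard the handset strongest
    timing_advance: int  # coarse distance, in TA_METRES steps

def bearing(tx, ty, px, py):
    """Bearing from the tower to a point, degrees clockwise from north."""
    return math.degrees(math.atan2(px - tx, py - ty)) % 360

def angle_diff(a, b):
    return abs((a - b + 180) % 360 - 180)

def observe(tower, point):
    """What a tower would report for a handset at `point` (assumes omnidirectional radiation)."""
    px, py = point
    b = bearing(tower.x, tower.y, px, py)
    sector = min(range(len(tower.azimuths)), key=lambda i: angle_diff(b, tower.azimuths[i]))
    return Report(tower.name, sector, int(math.hypot(px - tower.x, py - tower.y) // TA_METRES))

def consistent(point, report, tower, sector_width=120.0):
    """True if `point` lies inside both the reported sector wedge and the reported TA ring."""
    px, py = point
    if int(math.hypot(px - tower.x, py - tower.y) // TA_METRES) != report.timing_advance:
        return False
    b = bearing(tower.x, tower.y, px, py)
    return angle_diff(b, tower.azimuths[report.sector]) <= sector_width / 2

def estimate(towers, reports, extent=20000, step=100):
    """Grid search for every point consistent with all reports.
    Returns (centroid, area_km2, n_points); centroid is None if the reports contradict each other."""
    by_name = {t.name: t for t in towers}
    coords = range(-extent, extent + 1, step)
    pts = [(x, y) for x in coords for y in coords
           if all(consistent((x, y), r, by_name[r.tower]) for r in reports)]
    if not pts:
        return None, 0.0, 0
    cx = sum(p[0] for p in pts) / len(pts)
    cy = sum(p[1] for p in pts) / len(pts)
    return (cx, cy), len(pts) * (step / 1000) ** 2, len(pts)

# Constructed layout: three towers with three 120-degree sectors each, handset 2.5 km from tower A.
TOWERS = (Tower("A", 0, 0, (0, 120, 240)),
          Tower("B", 6000, 0, (0, 120, 240)),
          Tower("C", 3000, 5000, (0, 120, 240)))
TRUTH = (2000.0, 1500.0)

def demo():
    """Compare the fix from tower A alone with the fix from all three towers."""
    reports = [observe(t, TRUTH) for t in TOWERS]
    one = estimate(TOWERS, reports[:1])
    three = estimate(TOWERS, reports)
    return reports, one, three

if __name__ == "__main__":
    reports, (c1, a1, _), (c3, a3, _) = demo()
    print("reports:", reports)
    print(f"tower A alone: centre {c1}, area {a1:.2f} km^2")
    print(f"all three:     centre {c3}, area {a3:.2f} km^2")
```

A single sector-plus-TA reading leaves a wedge of almost 3 km² whose width grows with distance from the tower; the two adjacent-tower readings cut that to a patch a few hundred metres across, and a reading that contradicts the others (a sector pointing the wrong way) leaves no consistent point at all.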

SpaceLifeForm October 28, 2021 3:02 AM

@ ALL

Connect dots.

https://www.schneier.com/blog/archives/2021/10/synaverse-hack.html

Call Records are SS7 data mostly. Exceptions are PBX, and some DID.

Why should you have to get a warrant for Call Records when you can just set up an ongoing business deal with Syniverse and Sinch where they just dump that info to you?

The Metadata. Calling number, called number, timestamp, duration.

Actual content is where a warrant comes in.

But, the Metadata is pretty rich without the content.

SpaceLifeForm October 28, 2021 3:28 AM

@ ALL

Location, location, location

If you read closely, you may discern something.

Stealth calls, stealth SMS.

You, as a ‘Smart Cell Phone User’ (parse that carefully) may or may not notice that a Stealth call or text has occurred. Maybe you notice something, but when you look, there is no new text or no new missed call.

Why would that happen, you may wonder.

Because it is a cell tower communication. It is a way to geolocate your phone, at random hours.

Winter October 28, 2021 3:49 AM

@SLF
“Because it is a cell tower communication. It is a way to geolocate your phone, at random hours.”

Is knowing where you are not a prerequisite of being able to use a mobile phone? If you are called, the Telco has to know which tower should send you the call signal, and if you are moving to which tower to hand over the call.

Given the profit-maximizing nature of telcos, I cannot imagine they would invest in all this gear to follow you if it was not absolutely necessary.

Clive Robinson October 28, 2021 6:14 AM

@ SpaceLifeForm, Winter,

Because it is a cell tower communication. It is a way to geolocate your phone, at random hours.

Sometimes called SMS Type Zero, I’ve mentioned them before. They are used as part of the mechanism for “Over The Air Updates”. AND they came in as a legacy “health & safety” item from various people “finessing” on various “national” standards bodies…

http://smstools3.kekekasvi.com/topic.php?id=1338

In theory, they are “to the SIM, not the Phone”. That is the phone gets a notification but it ignores the SMS content.

People tend to forget the “privileged nature” of the SIM.

SpaceLifeForm October 28, 2021 8:11 PM

@ Winter, Clive

Standby. Handover.

the Telco has to know which tower should send you the call signal

True. SS7 only has to track which cell your phone is in, but does not have to track exact location constantly.

Imagine the overload of data that constant geotracking would require if you took a walk with your Handy. Imagine your battery life quickly disappearing due to the radio traffic.

Then multiply that dataload by orders of magnitude because your phone is not the only one in the cell area.

Cell towers do not geotrack every phone visible in their sector.

But, when a tower connection is made (out of Standby), that is when more fine grained location information can be dumped. Which is where a Stingray can be handy.

Clive Robinson October 28, 2021 9:34 PM

@ Winter, SpaceLifeForm,

Is knowing where you are not a prerequisite of being able to use a mobile phone? If you are called, the Telco has to know which tower should send you the call signal, and if you are moving to which tower to hand over the call.

Err not exactly… I’m going to use IT networking names to describe how it worked, and over simplify the process of tree walking used.

To keep undesirable traffic down on the “back hauls” a hierarchy is used, with a central node at the top and several layers until you get to the leaf nodes that are the actual cells. Each node has a historical database of mobiles registered.

So simplistically the hierarchy is: from the central node you have a regional node layer, then below that a local node layer, and then below that an actual cell.

So it is not a prerequisite for the central node of the network to know where a mobile is. All that it needs to know is that the phone was “registered” as connected with the network at some point in the recent past and that it has not been wilfully turned off in some way since. If you turn off or the battery goes too low your mobile tells the network it is disconnecting; if the base station carrier signal goes below ~70db then the mobile goes into “hand-off mode”, which is unnecessarily complicated for an overview description.

When a call comes into the network for a given mobile the central node looks in the main database there to see if the mobile is in theory connected to the network. If not, the call gets diverted to VM or some other service to convert it to a profitable connected call. If the DB shows the phone registered as connected it queries the last reported leaf node (the reported node may well be out of date: as you move only the lowest layers know where you’ve moved to, and as you move through from one layer to the next the DBs in the involved higher layers get updated, not the layers above or the central DB).

If the mobile is in the leaf node’s DB –the most likely case– the leaf attempts to move the mobile from the control channel to an available call channel. If it succeeds the call is connected.

If not, the leaf node passes it back up a layer and a search is made of adjacent local leaf nodes. The search pattern is generally not a round robin but statistically weighted based on handover statistics (as mobiles follow roads etc and thus have “normal traversal patterns”). If the mobile is found in another adjacent leaf then that leaf attempts to move it from the control channel to a call channel. If it’s not found in any of the adjacent leaves it goes up a layer, and so on.

It is why you get a pause of several seconds… Interestingly it is the mobile that dictates the ring tone the person trying to make the call hears not the network. So it is possible to have a customized ring tone on some networks (many don’t as this enables the user to change the tone so that the inbound caller can receive information without the call being connected for charging happening).

Anyway whilst one of many historical network databases knows where you were most have quite old information and searching has to be done if you have moved.

The fun stuff is when you go out of range without handing off as the signal drops below the threshold. This can happen with vehicles in built up areas or with tunnels etc. It’s why statistical searching is used, because the chances are you follow a normal pattern.

Then there is “ping pong” you can be in a position where you are marginal in two cells and you do not switch cleanly but go back and forth (quite normal behaviour when actually moving). Obviously this creates a heck of a load of traffic unless algorithms are used to suppress it (which there are).

It’s why in reality the location signalling is hellishly complicated and should always be challenged in court because it is far from accurate most of the time…
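The layered lookup described in the comment above (central, regional and local nodes, with cells as leaves, where only the layers below the point of divergence learn about a move and a failed page widens the search one layer at a time) can be modelled in a few dozen lines. This is an added toy model of that description, not an implementation of any real operator’s HLR/VLR or MSC behaviour; the node names, the update rule and the plain layer-by-layer sweep (the comment’s statistical weighting of neighbours is left out) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    children: list = field(default_factory=list)
    last_seen: dict = field(default_factory=dict)  # imsi -> child this node last saw it under
    camped: set = field(default_factory=set)       # cells only: handsets currently on this cell

def build(spec, name="central", parent=None):
    """Nested dicts down to lists of cell names -> tree of Nodes rooted at `name`."""
    node = Node(name, parent)
    node.children = ([build(sub, child, node) for child, sub in spec.items()]
                     if isinstance(spec, dict) else [Node(c, node) for c in spec])
    return node

def cells_under(node):
    return [node] if not node.children else [c for ch in node.children for c in cells_under(ch)]

def ancestors(node):
    """Layers above `node`, nearest first."""
    while node.parent is not None:
        node = node.parent
        yield node

def register(c, imsi):
    """Power-on registration: every layer above the cell records the branch it was seen under."""
    c.camped.add(imsi)
    child = c
    for node in ancestors(c):
        node.last_seen[imsi] = child.name
        child = node

def move(old, new, imsi):
    """Camp on a new cell. Only layers below the lowest common ancestor learn about it;
    that ancestor and everything above keep their old (now stale) record."""
    old.camped.discard(imsi)
    new.camped.add(imsi)
    shared = {id(a) for a in ancestors(old)}
    child = new
    for node in ancestors(new):
        if id(node) in shared:
            break
        node.last_seen[imsi] = child.name
        child = node

def page(root, imsi):
    """Follow the recorded branch down to a cell, then widen the search one layer at a time.
    Returns (cell name or None, number of layers the search had to climb)."""
    node = root
    while node.children and imsi in node.last_seen:
        node = next(c for c in node.children if c.name == node.last_seen[imsi])
    hops = 0
    while node is not None:
        for c in cells_under(node):
            if imsi in c.camped:
                register(c, imsi)  # a successful page refreshes every layer's record
                return c.name, hops
        node, hops = node.parent, hops + 1
    return None, hops

def demo():
    root = build({"region-A": {"local-A1": ["a1", "a2"], "local-A2": ["a3", "a4"]},
                  "region-B": {"local-B1": ["b1", "b2"]}})  # constructed network
    cells = {c.name: c for c in cells_under(root)}
    imsi = "001010123456789"  # constructed test-range IMSI
    register(cells["a1"], imsi)
    out = [page(root, imsi)]                 # found directly
    move(cells["a1"], cells["a2"], imsi)
    out.append(page(root, imsi))             # recorded cell is stale, found one layer up
    move(cells["a2"], cells["b1"], imsi)
    out.append(page(root, imsi))             # search climbs all the way to the central node
    out.append(page(root, imsi))             # records refreshed by the hit, direct again
    return out
```

The hop counts returned by `demo()` are the comment’s “pause of several seconds” in miniature: the higher up the tree the stale record is, the more cells have to be swept before the handset answers.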

Mr Clueless October 29, 2021 10:10 AM

Hi all!

On the subject of cell phones, does anyone of you geniuses know if GSM cards can run a form of Java code, if that Java code can interface with the rest of the phone, and if such code can be sent to the phone “over the air”..?

1&1~=Umm October 29, 2021 12:42 PM

@:

“”

Motorola made a GSM module called the G24. One variant of it allows you to write a significant amount of Java in the J2E environment. It was developed in Israel and became part of Motorola’s “Machine to Machine” or M2M division.

It has been mentioned on the site in the past and a quick web search on “Motorola G24 Java” brings up several links including,

https://www.ccjdigital.com/business/article/14906130/webtech-wireless-integrates-motorola-g24-java-in-locator-devices

However back in 2011 Motorola M2M was sold off to Telit Wireless,

https://www.iotevolutionworld.com/m2m/articles/150249-telit-wireless-solutions-acquires-motorola-solutions-m2m-modules.htm

Not sure what has happened since. Try looking at,

https://www.telit.com/m2m-iot-products/#iot-modules

anon October 29, 2021 3:52 PM

The best part of that presentation is the actual crime scenes that you can find by googling the latitude/longitudes from their examples… dummies.

SpaceLifeForm October 29, 2021 4:28 PM

@ Bruce

Probably not leak, but FOIA.

hxtps://www.twitter.com/PropOTP/status/1452686953212645377

SpaceLifeForm October 29, 2021 5:43 PM

@ Mr Clueless

Silicon Turtles

The answers to your questions are Yes, Yes, and Yes.

Your Cell Radio and SIM are cpus that run at high privilege. Java is just a feature.

hxtps://1ot.mobi/resources/blog/iot-hacking-series-6-what-is-a-sim-applet-and-why-is-it-important-for-iot-m2m

someone October 31, 2021 11:33 AM

@Clive re: shoeboxing phone & Raspberry & checking VM from borrowed phone. That seems complicated to me, ntm creates the need for implicit trust in the owner of the borrowed phone. I can still buy a cheap prepaid TracFone for cash at Walmart and register it using phony id info and an anonymous email account. Does your solution have important advantages over using that phone to call into VM for a phone registered to my real identity?
Also, thanks for the reminder about signal manipulation via antenna configurations. I was just about to ask what phone mods might mess with location info without killing the sending and receiving calls when I saw your post.

Clive Robinson October 31, 2021 1:27 PM

@ someone,

Think a little bit further beyond the tech.

What I suggest if done in your own property does not actually break any US laws currently.

When you say,

and register it using phony id info and an anonymous email account.

Breaks at least three US federal laws that I am aware of and probably more… So could have you locked up for quite some time, even though to most people you have done nothing criminal.

But onto your question,

Does your solution have important advantages over using that phone to call into VM for a phone registered to my real identity?

There is an unknown in the documentation so all I can say is that,

“If the phone company logs the inbound number then it will be kept for anything up to seven years by the looks of it. Which means that potentially it is available and as it’s registered to you would be covered under any existing warrants or paperwork anyway, so no advantage. But if not registered to you, then the FBI would have to go further legally to get location data”.

The point is not to stop the FBI dead, but just make their journey down the road have more pot holes, thus maybe deter them from driving down that particular road.

If I wanted to have my location hidden from LEO’s and many National agencies then I could; I know of ways it can be done. But we know that even the more well funded and intrusive agencies have limitations, that when they try to reach past certain points they will unavoidably trip alarms and that can cause several cut outs to drop out. Could they get beyond those now open cut outs? Well, that’s an open question, but I suspect that it would be easier to find me other ways.

One such way is to “create an emergency” that in effect forces you to no longer use comms you control but comms they control or have advantage in…

It’s one of a number of “flush the game out” tactics. The solution is in effect “not to play”. That is by preprepared mitigation or drop comms altogether.

Why do they do this? Well by and large they are creatures of habit… That is, history shows inexperienced or incautious kidnappers, blackmailers and ransomers can be strung out and thus get lured into a trap, which is generally what the authorities try to do.

However if the criminals just cease comms etc at the first sign, leaving a dead end, then the authorities get stymied: their preprepared stratagem has failed.

Whilst they might eventually pick up a thread other ways, by then the clock has stopped. Also any half way sensible criminal is going to mitigate those other avenues anyway. Ultimately black swans exist, so the criminals might not be successful because of later changes in technology etc. Like when DNA analysis came to the fore and old cases got re-examined with it, but a lot of cases, especially lower profile ones, go unsolved indefinitely as resources are limited.

It’s this last point that some criminals realised the internet had advantages in. Whilst say a $5000 crime clears a bar, fifty $100 crimes do not get close, as many will not get reported or recorded anyway.

Whilst in somewhat questionable theory all physical crimes can be solved by “forensics”, reality is somewhat different. That is, the longer a physical crime remains uninvestigated the lower the probability will be that there is anything to investigate.

The same is unfortunately not true for non physical information crimes. It’s one of the reasons for “collect it all”: you can in effect build a virtual time machine and go back as far as the data goes and rerun history over and over till you spot something.

For example, back until the 1990’s field craft worked because those following a suspect did not see the world through the suspect’s eyes. Thus covert signals by a handler to an agent would not get remembered by those following. These days with CCTV and video cameras 1/10th the size of a matchbox and with high resolution images, they can be automatically searched, and if the handler uses the signal more than a couple of times then it can be surfaced by correlation and the handler then watched for and apprehended.

We don’t know what the phone companies actually log, likewise we don’t know what the authorities will put resources into now or in the future. We can however realise what is currently recordable and make assumptions and mitigate them as best we can.

Speaking of which, how to break correlation attacks… Let’s say you the agent go to the same bus stop every work day. So your handler arranges for some sort of signal like a used soft drinks can on the ground next to the rubbish/trash bin. If it always means the same thing then correlation will pull it up. If however it means different things on different days then the correlation becomes hard if not impossible to establish. In essence that is the proof of security behind the “One Time Pad” (OTP): the message could mean any and all messages including no message. Thus if you the agent know that if you see a can, and you check it against your secret “bit stream”, you will know if it means “go to the dead drop” or not, or maybe check for a second signal at lunch time etc.

To the agent and handler it is both deterministic and purposeful as they share the secret. However to an observer it is at best random and probably not noticeable.

There is a lot of degrees of freedom between what the first and second parties in an arrangement know, and what a third party observer of one of them can only guess at…
