A recent client was concerned that their Directors were being tracked and their location (Country) was being published and updated regularly on a stalker website. The website contained the Company name, Directors name, and the name of the Country they currently resided in followed by the Country’s flag. The question arose;
How are they tracking us?
Initial thoughts were that something quite simple or trivial was happening such as bugged offices, malware/spyware on phones/computers disclosing location, or even an insider….A quick bug-sweep of their Offices, homes and vehicles revealed no bugs! An analysis of the laptops, digital pads and mobiles revealed no malware. Strict employee screening followed up with interviews revealed no leaks.
That was until one of the Directors was visiting Cyprus due to an investment opportunity. First the website published they were in Turkey, and then after a brief period corrected the information with Cyprus. Why? What just happened?
What Was Happening…
It turns out that the website was tracking the Directors through their use of mobile networks. You may notice (when approaching Cyprus) that your mobile will first associate with a Turkish Telephony provider, and then finally associate with a Cyprian provider once the plane has landed. This pattern which we have previously experienced and from our exposure to mobile networks enabled us to confirm this theory.
That the website was using a 3rd-Party mobile-services provider, (or possibly a hacked femtocell) to obtain VLR records from the mobile provider.
Location management within mobile networks is a two-stage process that enables the network to discover the current attachment point of the mobile user for call delivery. The first stage is location update or registration. In this stage, the MT periodically notifies the network of its new access point, allowing the network to authenticate the user and revise the user’s location profile. The second stage is call delivery. Here the network is queried for the user location profile and the current position of the mobile terminal is found.
There are two types of roaming in Intra-System and Inter-System roaming. Intra-System roaming refers to an MT’s movement between the different tiers of the same systems, i.e., between the pico, micro, macro cells. For the current cellular network architecture, the service area is divided into many location areas (LAs), and each LA consists of a group of cells for microcell systems while one LA may be one cell for macrocell systems. Thus, when an MT moves from one LA to another within a system, it is experiencing the Intra-System roaming.
Inter-System roaming refers to the MTs that move between backbones using protocols, technologies, or service providers. The Inter-System roaming can be either the MT moving between different systems within the same tier or in different tiers. In the presence of inter-system roaming, the MTs may change from a North America system such as IS-95/IS-136 to a European system such as GSM/GPRS. In this case, new techniques must be devised to retrieve the mobility profiles between networks, and to prepare the requested services before the MTs enter the new systems. Of particular concern is how to reduce set-up delays, processing time, extra overhead, and call loss rates due to inter-system roaming.
Inter-System Location Registration and Call Delivery
In wireless networks, the mobility application part (MAP) protocol is related to a set of signaling messages that communicate between the mobile entities such as BSCs, mobile switching centers (MSCs), HLR, and VLRs. The MAP protocol is related to Location Update and Paging Schemes and they consume radio bandwidth as well as cause processing latency. In the meantime, the delay of services delivery is prolonged because the searching process involves more than one network. Thus, a new MAP protocol is developed in accordance with the Inter-System Location Update and Paging Schemes proposed in the previous section.
SS7 MAP Message SendRoutingInfo (SRI)
As part of Inter-System terminating call handling, the HLR may request the VLR for subscriber information. The subscriber information is obtained with the MAP Provide Subscriber Info (PSI) MAP message. The subscriber information received from VLR, is then included in the MAP Send Routing Info (SRI) Ack message, sent to GMSC.
The subscriber information that may be requested from the VLR consists of Subscriber Location and Subscriber State. The Subscriber Location that may be obtained in this way is read from the VLR. However, the subscriber may have changed location since the VLR was last refreshed. Hence, the location information of the subscriber may be out of date. The age of the subscriber location information is indicated in the “Age of Location” information element, which is part of the Location Information.
Update Location Communication
- MAP Update Location Area (MSC -> VLR1)
- MAP Send Identification (VLR1 -> VLR2)
- MAP Send Identification ACK (VLR2 -> VLR1)
- MAP Update Location (VLR1 -> HLR)
- MAP Update Location ACK (HLR->VLR1)
- MAP Update Location Area ACK (VLR1->MSC)
- MAP Cancel Location (HLR – >VLR2)
- MAP Cancel Location ACK (VLR2 -> HLR)
Thus any hacker / telephony worker who has access to the backend (core) mobile infrastructure can potentially read, intercept, or generate Location Update Communication. With this level of access exists the possibility to track individuals through their IMSI or Phone number.