Researchers at the Eidgenössische Technische Hochschule Zürich have built a fully passive mobile phone tracking system for Long Term Evolution (LTE) networks, which does not require the use of fake base stations as with current technology.
The ETH Zurich researchers called their attack LTrack, and it can locate phones within six metres in 90 percent of cases, the researchers said [pdf].
LTrack uses uplink and downlink traffic sniffers devised by the researchers for passive localisation attacks on a large scale.
The uplink and downlink sniffers can also be used to capture a phone's unique 15-digit International Mobile Subscriber Identity (IMSI) number.
The researchers were able to validate the IMSI Extractor's functionality by testing it with 17 newer smartphones from large vendors such as Samsung, Google, Huawei and Xiaomi.
Knowing the IMSI allows surveillance agents to identify specific user devices by setting up fake mobile phone network stations, but these are detectable by law enforcement and operators thanks to the large amount of transmission power they use.
"Instead of relying on fake base stations like existing IMSI Catchers, which are detectable due to their continuous transmission, IMSI Extractor relies on our uplink/downlink sniffer enhanced with surgical message overshadowing," the researchers wrote.
"This makes our IMSI Extractor the stealthiest IMSI Catcher to date."
Hardware for LTrack is cheap, since it uses low-power software defined radios.
The researchers propose countermeasures such as notifying users when their devices receive IMSI identity requests, or a large number of eavesdroppers on operators' networks to detect their IMSI Extractor.
Using the newer 5G protocol also stops IMSI Extractor, as the unqiue identifier is encrypted with the network's public key, and cannot be decoded by attackers.
