1994-06-20 - Real truth about Cell phone tracking

Header Data

From: rusty@hodge.com (Rusty Hodge)
To: cypherpunks@toad.com
Message Hash: 94e07f22e6115b27416fd12589e52832289f4048afbba7d62c7b599154828dce
Message ID: <199406202207.PAA23750@netcom.netcom.com>
Reply To: N/A
UTC Datetime: 1994-06-20 22:07:33 UTC
Raw Date: Mon, 20 Jun 94 15:07:33 PDT

Raw message

From: rusty@hodge.com (Rusty Hodge)
Date: Mon, 20 Jun 94 15:07:33 PDT
To: cypherpunks@toad.com
Subject: Real truth about Cell phone tracking
Message-ID: <199406202207.PAA23750@netcom.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


1. Cellular phones "register" (the proper term) themselves whenever they
move into a new cell (the coverage area provided by a base or tower - not
the proper term. They do this by scanning the control channels when the
current one falls below a certian signal strength. If you have cellular
monitoring equipment, you will see the registration confirmations
transmitted on the control channel, complete with the MIN (mobile
identification number, or cellular phone number). The MTSO (mobile
telephone switching office) knows what MINs are registered in each cell at
a given time.

1a. A cellular phone can be "tracked" if it is turned on. It does not have
to be in use.

2. If you are in a fixed position, and your phone is going between service
and no service modes, you are at the edge of coverage area, and some of the
time the control channel is falling below the scan threshold. It then tries
to register with another cell and another until it is successful. It is
scanning control channels when the no service lite is on.

3. There is a test mode defined in the NAMPS standard that causes a phone
to begin transmitting on a designated frequency. And since the mouthpiece
on a cellular phone is not switched off when the phone is on hook, you can
easily bug someone's car this way.

4. Many of the cellular-based vehicle tracking systems only use the
cellular phone to transmit data back to company headquarters, and do not
determine location via triangulation or doppler direction finding
techniques.  These are not reliable enough for moving targets due to all
the RF reflections.  Also, my (limited) experience with doppler-based
triangulation DFing shows how hard it is to DF a modulated FM signal. And
since all cellular phones are transmitting a SAT tone (a 6kHz-ish
supervisory audio tone) all the time, I think this would be very hard to
do.

5. In major metro areas, individual cells cover extremely small areas...
often every mile or two on the freeway, you will see another cell site. So
you know exactly where to send a helicopter to.

6. For under $1000, you can buy a box which hooks up to a PC and controls a
scanner and decodes the cellular control channels (and reverse channel data
too). This includes software for following cellular calls as they hop from
cell to cell, paging requests (get a phones attention), and displaying the
MINs that register in a given cell (or cells, but you need one receiver for
each cell you are monitoring!).

7. From the moment your phone starts ringing, there is an audio path back
to the MTSO. When your phone is ringing, it has been assigned a channel and
is transmitting. Pressing the send button to answer the phone sends a
signal to the MTSO telling the switch to connect the landline to the
channel the phone is on.  This is especially evident on Ericcison switches
(like LA Cellular uses).

--
Rusty Hodge <rusty@hodge.com>







Thread