1998-04-22 - Re: Position escrow (triangulation, cell “remailers”)

Header Data

From: Phil Karn <karn@qualcomm.com>
To: vermont@gate.net
Message Hash: f9d832602e9ba074b424b6b15bf442686f1025380373acad45ab6231818a4ff3
Message ID: <199804221728.KAA25486@servo.qualcomm.com>
Reply To: <Pine.LNX.3.96.980422021922.136K-100000@oto.gate.net>
UTC Datetime: 1998-04-22 17:28:44 UTC
Raw Date: Wed, 22 Apr 1998 10:28:44 -0700 (PDT)

Raw message

From: Phil Karn <karn@qualcomm.com>
Date: Wed, 22 Apr 1998 10:28:44 -0700 (PDT)
To: vermont@gate.net
Subject: Re: Position escrow (triangulation, cell "remailers")
In-Reply-To: <Pine.LNX.3.96.980422021922.136K-100000@oto.gate.net>
Message-ID: <199804221728.KAA25486@servo.qualcomm.com>
MIME-Version: 1.0
Content-Type: text/plain


>Wasn't Kevin Mitnick tracked down by triangulating the location of his
>cell phone?  If the feds (or whoever) want to find someone's signal, it

Yes, but it was a very time-consuming manual process. *Any* radio
signal can be located in this way. As a sport, radio hams have long
conducted "fox hunts", aka "hidden transmitter hunts", where somebody
hides with a transmitter and the rest try to find him. Mitnick was
found with classic ham-style fox-hunting techniques. His level of
activity was so high that he made it relatively easy.

Nothing really can thwart this method, other than never using your
phone.  Its saving grace for our purposes is that it is so labor
intensive that it cannot be done routinely.

>If someone wanted to passively track everyone's position all the time,
>there would need to be at least two direction-sensitive cell towers

Almost. In CDMA, the mobile station locks its timing to the base
station.  This lets the base station easily measure the round trip
time through the mobile and back and thereby the radial distance. With
just one base station, you can locate the user to a circle around the
base station.  Defeating this is what I had in mind yesterday when I
talked about dithering the mobile timebase a la Selective
Availability.

Somebody then pointed out in private email that dithering wouldn't
defeat a differential timing measurement made by two or more base
stations. This is true, but these measurements are easily made only
when the mobile is in soft handoff (talking to two base stations at
once).  In CDMA, as in other digital cellular systems, handoffs are
"mobile assisted".  That is, the base station relies on "pilot
strength measurement" reports from the mobile as to which neighboring
cells it can hear so handoffs can be set up. If you hack the phone
software to lie about these measurements, you can keep handoffs from
being set up.  Your service quality will definitely suffer, especially
in the border regions between adjacent cells, but you will make it
much harder (but still not impossible) for them to locate you.

In analog, handoffs during calls are performed entirely by special
scanners in each base station. The mobiles do not assist the
process. Having only one receiver channel, they cannot look for
adjacent base stations while in a call.  CDMA receivers can do this
because they have a "searcher" channel whose sole function is to look
for pilot energy from any base station in range. While it would still
be possible for CDMA base stations to cooperate as analog stations now
do in locating an "uncooperative" mobile, this is not something that
could be done routinely. There are also near-far considerations
because every cell transmits on the same forward channel and every
mobile transmits on the same reverse channel, and tight power control
is used on both links to minimize co-channel interference.

Phil
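Worked example, added here and not part of Phil Karn's message: the geometry behind the two claims above, namely that one base station's round-trip timing yields only a radial distance (a circle), and that a constant timebase dither on the mobile cancels out of a differential measurement between two base stations. Coordinates, the 1 microsecond dither value and the free-space propagation model (no processing delay, no multipath) are constructed for illustration; the function names are this example's own.

```python
"""Why one base station gives a circle, and why dithering the mobile's
timebase does not defeat a differential (two-station) timing measurement.
All positions are in metres, times in seconds. Constructed example."""
import math

C = 299_792_458.0  # speed of light in free space, m/s (assumed propagation model)


def rtt_for_distance(d_m: float, mobile_offset_s: float = 0.0) -> float:
    """Round-trip time a base station would measure for a mobile at d_m.
    mobile_offset_s models the mobile dithering its timebase (a la
    Selective Availability): it delays its reply by that amount, which the
    base station cannot distinguish from extra path delay."""
    return 2.0 * d_m / C + mobile_offset_s


def radial_distance_from_rtt(rtt_s: float) -> float:
    """Base station's view: RTT -> radial distance. The path is covered twice."""
    return C * rtt_s / 2.0


def intersect_circles(p0, r0, p1, r1):
    """Intersection of two circles (centre, radius). Returns 0, 1 or 2 points.
    Two ranges leave a mirror ambiguity about the line joining the stations."""
    d = math.dist(p0, p1)
    if d == 0 or d > r0 + r1 or d < abs(r0 - r1):
        return []
    a = (r0 ** 2 - r1 ** 2 + d ** 2) / (2 * d)   # distance from p0 to the chord
    h_sq = r0 ** 2 - a ** 2
    if h_sq < 0:
        return []
    h = math.sqrt(h_sq)
    ux, uy = (p1[0] - p0[0]) / d, (p1[1] - p0[1]) / d   # unit vector p0 -> p1
    mx, my = p0[0] + a * ux, p0[1] + a * uy
    return [(mx + h * -uy, my + h * ux), (mx - h * -uy, my - h * ux)]


def locate_from_two_rtts(bs_a, bs_b, mobile, offset_s=0.0):
    """What two base stations in soft handoff get if each simply converts its
    own RTT to a range and the ranges are intersected. A common offset
    inflates both ranges equally, so the fix moves."""
    r_a = radial_distance_from_rtt(rtt_for_distance(math.dist(bs_a, mobile), offset_s))
    r_b = radial_distance_from_rtt(rtt_for_distance(math.dist(bs_b, mobile), offset_s))
    return intersect_circles(bs_a, r_a, bs_b, r_b)


def tdoa_range_difference(bs_a, bs_b, mobile, offset_s=0.0):
    """Differential measurement: difference of arrival times at two stations,
    expressed as a range difference. The mobile's offset appears in both
    arrival times and cancels, which is the objection raised in private
    email above."""
    t_a = math.dist(bs_a, mobile) / C + offset_s
    t_b = math.dist(bs_b, mobile) / C + offset_s
    return (t_a - t_b) * C


def closest_fix_error(candidates, mobile):
    """Distance from the true position to the nearest candidate fix."""
    return min(math.dist(c, mobile) for c in candidates) if candidates else math.inf


if __name__ == "__main__":
    bs_a, bs_b, mobile = (0.0, 0.0), (1000.0, 0.0), (300.0, 400.0)
    dither = 1e-6  # 1 microsecond, roughly 150 m of apparent extra radial range

    print("single station, undithered:", radial_distance_from_rtt(rtt_for_distance(500.0)))
    print("single station, dithered:  ", radial_distance_from_rtt(rtt_for_distance(500.0, dither)))
    print("two-circle fix, undithered:", locate_from_two_rtts(bs_a, bs_b, mobile))
    print("two-circle fix, dithered:  ", locate_from_two_rtts(bs_a, bs_b, mobile, dither))
    print("range difference, undithered:", tdoa_range_difference(bs_a, bs_b, mobile))
    print("range difference, dithered:  ", tdoa_range_difference(bs_a, bs_b, mobile, dither))
```

With the constructed geometry the undithered two-circle fix returns the true point (300, 400) and its mirror (300, -400); a 1 microsecond dither pushes both ranges out by about 150 m and moves the fix by roughly 200 m, while the two-station range difference is unchanged to floating-point precision. This is also why the measurement is only cheap during soft handoff: both stations must be hearing the same transmission at the same time for the offset to be common to both.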
