NoGoolag
Android: IMSI Leaking during GPS Positioning

First of all, the basics:

Assisted GPS (abbreviated as A-GPS) is a system that usually significantly improves the time it takes to fix a satellite-based positioning system (GPS) for the first time - so GPS positioning is accelerated. How does this work? With mobile phones, the approximate location is already known from the radio cell in which your device is registered. This approximate location is then sent via the Secure User Plane Location Protocol (SUPL) to a SUPL server, which uses this information to limit the search range for the satellite signals and thus enables fast GPS positioning. Communication with the SUPL server takes place via TCP/IP or SMS.

Android systems use such a SUPL server to accelerate GPS positioning. However, the problem is that your IMSI number is also transmitted to the SUPL server when you make a request - which would not actually be necessary from a technical point of view.
The problem: The combination of the IMSI number with the radio cell ID enables the operator of a SUPL server to uniquely identify a user as soon as the smartphone locates or limits the location via a SUPL request. The SUPL protocol is therefore actually relatively sensible, but we do not know what the operators of the SUPL servers do with this information.

With my test devices I have now tried to find out when such a SUPL request is sent. Result: Whenever your GPS is activated and an app wants to query the location. It doesn't matter which mode you have chosen:

High accuracy:
Use GPS, WLAN, Bluetooth or mobile networks to determine your location.
Energy-saving mode:
Use WLAN, Bluetooth or mobile networks to determine your position.
Device only:
Use GPS to locate.

This means: Even if you have selected the mode "Device only", a request will be sent via A-GPS or SUPL-Request. The question is now which SUPL server or operator receives the radio cell information together with the IMSI number?

This is quite different - even with LineageOS. You can find out if you open the following file (root assumed) on your Android:

/etc/system/gps.conf
or
/vendor/etc/gps.conf

There you can search for the following entries:

SUPL_HOST=supl.google.com
SUPL_PORT=7275 (may vary)

Previously identified as SUPL_HOST or operator:

supl.google.com: Google
supl.sonyericsson.com: Sony
supl.qxwz.com: SUPL Server in China
supl.nokia.com: Nokia

If your GPS is activated, a SUPL request is sent to the SUPL_HOST - but this does not happen every time. You can force it after a device restart in combination with an app that wants to determine the GPS location. Sometimes it was also necessary to deactivate the WLAN interface.

Now you have to ask yourself if a quick GPS position determination via SUPL is important to you or maybe your privacy. If it's your privacy, you'll need to make the following changes to gps.conf and then restart your device:

SUPL_HOST=localhost
SUPL_PORT=7275

⚠️Note: It is not sufficient to comment out the lines. Then a fallback becomes active. I have not yet been able to find out where the fallback information comes from.

With tcpdump you can check directly on the device if SUPL requests are still being sent:

tcpdump -i any -s0 port 7275

Unfortunately, one question remains unanswered: Does the proprietary baseband possibly send a SUPL request on its own and bypass the Android operating system? In any case, this is indicated by the following article:
How SUPL Reveals My Identity And Location To Google When I Use GPS. If you can help to answer this question, please feel free to contact me via email or use the forum thread.

With a "toy" like the HackRF One, mobile phone traffic on this level could certainly be recorded.

Source and more info
https://www.kuketz-blog.de/android-imsi-leaking-bei-gps-positionsbestimmung/

📡 @NoGoolag
#android #IMSI #leaking #GPS #positioning #guide #kuketz
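The gps.conf audit this post walks through, as an added shell example that is not part of the post or of the kuketz-blog source: it reads the SUPL_HOST and SUPL_PORT entries and reports whether they point at an external server, at the device itself (the mitigation the post recommends), or are absent or commented out (the case the post warns triggers a fallback). The two file paths are the ones the post names; the sample gps.conf it creates is constructed for the demo. Running it against a real device (e.g. in a root shell over adb) is an assumption of the example, as is treating only localhost/127.0.0.1/::1 as "local".

```shell
#!/bin/sh
# Added example, not from the original post: audit an Android gps.conf for
# its SUPL settings. supl_status prints exactly one line:
#   LOCAL               SUPL_HOST points at the device itself
#   EXTERNAL host:port  an active SUPL_HOST line points at a remote server
#   MISSING             no active SUPL_HOST line (absent or commented out);
#                       the post warns a fallback server is used in that case
# Assumes the KEY=VALUE format shown in the post, with '#' starting a comment.

conf_value() {
    # $1 = file, $2 = key; last uncommented assignment wins, whitespace stripped
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | cut -d= -f2- | tr -d '[:space:]'
}

supl_status() {
    # $1 = path to gps.conf
    host=$(conf_value "$1" SUPL_HOST)
    port=$(conf_value "$1" SUPL_PORT)
    if [ -z "$host" ]; then
        echo "MISSING"
        return 0
    fi
    case "$host" in
        localhost|127.0.0.1|::1) echo "LOCAL" ;;
        # 7275 is the port the post shows; used only when SUPL_PORT is absent
        *) echo "EXTERNAL $host:${port:-7275}" ;;
    esac
}

find_gps_conf() {
    # The two locations named in the post; first readable one wins.
    for f in /etc/system/gps.conf /vendor/etc/gps.conf; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Stand-alone demo on a constructed gps.conf (no device needed), then on
# the real file if this happens to run on an Android device.
demo_dir=$(mktemp -d)
printf 'SUPL_HOST=supl.google.com\nSUPL_PORT=7275\n' > "$demo_dir/gps.conf"
echo "constructed sample: $(supl_status "$demo_dir/gps.conf")"
if conf=$(find_gps_conf); then
    echo "$conf: $(supl_status "$conf")"
fi
rm -rf "$demo_dir"
```

A result of EXTERNAL is the situation the post describes (cell ID plus IMSI leaving the device); MISSING is worth treating the same way, since the post reports that commenting the lines out does not stop the requests. Either way, the tcpdump filter from the post is the confirmation that no traffic on the SUPL port actually leaves the device after a restart.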
Project INVICTUS: Inside the UK's Human Rights Busting Campaign to Spy on Refugees
Mint Press

The “full potential” could, Prevail declared, only be harnessed via a “GDPR exemption of some kind, as it is indiscriminate, passive collection against the general population.” By collecting targets’ Media Access Control (MAC) addresses, the company would be able to follow a “breadcrumb trail” of residual data they left while traveling through North West Europe.

This was achievable by conducting a “war drive” along those routes – identifying every vulnerable wireless network in these areas using a moving vehicle.
Prevail noted such activity “would breach current permissions.” Indeed, the entire conspiracy constitutes an extraordinary infringement of British and European data protection standards and laws.


#IMSIcatcher #IMSI #snooping #surveillance #wifi #wireless #EU #refugees #UK #GDPR
#PassiveDataCollection #Invictus #ProjectInvictus
DragonOS FocalX Cellular Security Research w/ LTESniffer (srsRan, LimeSDR, B205mini) part 1

The purpose of this video is to support security and analysis research on cellular networks. It's also created from an educational perspective to help learn more about cellular networks in general by means of a controlled lab environment and software defined radios. Privacy is respected at all times and any use of this tool or software defined radios in general is on the user to follow all local regulations.

With that said, LTESniffer is easily installed in DragonOS FocalX, in fact it can be installed with apt after setting up an install with the following PPA.
https://github.com/alphafox02/focalx_ppa

To learn more about LTESniffer please see the following project page
https://github.com/SysSec-KAIST/LTESn...

In this first video on cellular security research, I focus on the general lab environment setup in order to use the downlink functions of the tool.

#SDR #Cellular #IMSI #LTE
Forcing A Targeted LTE Cellphone Into An Eavesdropping Network - Lin Huang - 2016

In this presentation, we will introduce a method which jointly exploits the vulnerabilities in tracking area update procedure, attach procedure, and RRC redirection procedure in LTE networks resulting in the ability to force a targeted LTE cellphone to downgrade into a malicious GSM network where an attacker can subsequently eavesdrop its voice calls and GPRS data.

#Cellular #IMSI #LTE
Passive IMSI Catching On A Real GSM Network Using A RTL-SDR And Gr-GSM

Recently, I had the opportunity to play around with a real 2G cellular network. So, here is a quick video of how passive IMSI catchers are constructed using a couple of Linux software tools and an RTL-SDR dongle.

It is a common misconception that mobile phones are tracked via their telephone numbers or the IMEI number of the handset. IMSI is an abbreviation that stands for 'international mobile subscriber identity' and is the unique identifier of a mobile phone subscriber's SIM card on a cellular network. IMSI numbers are used in most mobile phone communication generations from 2G, all the way up until the more modern 5G.

The IMSI number of a SIM card is very well protected in 3G, 4G and 5G. However, in the case of the 2G mobile communication standard GSM, these unique identifying values are not so well protected from the prying eyes of governments, militaries, law enforcement and spy agencies.


#SDR #IMSI #ImsiCatcher #GSM #Cellular
GSM Voice Decryption From Start To Finish (2G Non-Hopping Only)

The GSM data used in the making of this video was recorded and decrypted with unanimous consent from the owner(s) for the purpose of demonstrating the 2G decoding features of gr-gsm and for evaluating cellular network security.

Due to its complexity and difficulty, decoding 2G phone calls is considered by most to be the hardest task to accomplish in the realm of GSM decoding. Differing voice codecs, varying channel data rates, arbitrary allocation of frequency hopping and carrier-specific network configurations add too many variables into the mix to make it a straightforward enough goal to achieve.

I showcase the entire 2G voice decryption process from start to finish, excluding the actual recording of the GSM data.

This video was made for purposes of education & experimentation only. #IMSI-CATCHING, #SMS-SNIFFING and voice call #interception on #CELLULAR #NETWORKS is illegal & punishable by hefty fines & imprisonment.

#GSM #2G #SDR #GRsdm