music
Herald: So the NSA is spying, and was
spying, and we had Snowden, we have a lot
of documents to look at, and there is some
new research on how they used geolocation
methods in mobile networks. It is done by
the University of Hamburg and we have here
Erik who will present this research to you
and he has done this for the German
government and for the NSA
Untersuchungsausschuss which we call "NS
Aua", which means "NS Ouch", kind of. He
is a PhD student and holds a master's in
physics so give him a warm applause
applause
Herald: And for those coming later please
go to your seats and try to be quiet. Yep,
thank you.
Erik Sy: Hello. I'm really happy to have
you all here and I welcome you to my talk
about geolocation methods in mobile
networks. My name is Erik Sy and I'm a PhD
student at the University of Hamburg. So,
at the beginning I want to point out why
I'm giving this talk. So the German
parliamentary investigative committee
wanted to find out about the German
involvement in US drone strikes and then
the German government officials claimed
that they do not know anything or they do
not know any possibility how to use a
phone number for targeting drone strikes
and the investigative committee did not
really believe this statement and so they
asked our research group at the University
of Hamburg to prepare a report and we
handed in that report to the Bundestag and
it was very soon afterwards also
published by netzpolitik.org
thank you for that
Applause
E: And it contains like technical
methods and approximates the accuracy to
localise mobile phones and it also points
out which technical identifiers are
required to conduct such geolocation. Now
I give you my agenda for today. First I
will speak about the purpose of
geolocation data and then we are looking
into a broad variety of different
approaches to conduct such a geolocation
in mobile networks, and then we specify on
drones and look into the technical methods
which can be conducted with drones, and
then I'm going to point out which
technical identifiers we can use for such
a geolocation. And lastly I'm going to sum
up. So, the purpose of geolocation data:
it is a neutral technology, so we can use
it for rescue missions, for example if
somebody got lost in the forest or in the
mountains, we can use geolocation data to
find that person and rescue the person.
Or, if you ever used Google Traffic, there
you can profit from monitoring traffic
conditions. But we can also use it to
invade the privacy of persons, for example
if we identify people on surveillance
footage, or if
we track the location of a certain
individual over a longer period, and
certainly we can use this data for
targeting drone strikes. However I want to
point out that this data, that they are
not suitable to prove the identity of a
person. So if somebody is conducting a
drone strike based on this data, then he
is actually not knowing who he is going to
kill. So, on the right side you see an
image of an explosion site from a Hellfire
missile. A Hellfire missile is usually
used by these drones and you can
approximate that the blast radius is
around 20 meters. So we would consider a
targeted drone strike if we have a
geolocation method which can determine the
position of a person more precise than 20
meters in radius. So, the first approach
which I want to present are time
measurements and the symbol which you will
see down there it's a base station,
for the next couple of slides. And a base
station... this is the point in a mobile
network where your phone connects to. On
the slides you can certainly interchange
this base station with an IMSI-catcher.
IMSI-catcher is something like a fake base
station from a third party and you could
even build it yourself. So, the method
used to calculate the position of a phone
is for time measurements trilateration.
You have to know that that signal is
usually traveling with the speed of light,
so when you measure the time you can also
measure the distance. And here there are
three methods presented. There are "Time
of Arrival", where the signal moves from
the hand phone to the three base stations
and the accuracy is between 50 and 200
meters. This really depends on the cell
size and they can be more precise or less
precise. So, then we have "Time Difference
of Arrival," which is like a round-trip
measurement, and we have an "Enhanced
Observed Time Difference," where the
mobile phone actually computes the
location within the cell, and the accuracy
is between 50 to 125 meters.
So, and the next method which I want to
present are angular measurements. When you
conduct angular measurements, then you
determine the direction of arrival from
the signal and afterwards you do a
calculation which is called triangulation
and therefore you have to know the
position of the base station, but also the
alignment of your antenna and for this
method there's certainly two base stations
or IMSI-catchers sufficient to determine
the position of the mobile phone. The
accuracy is usually in field experiments
between 100 and 200 meters and the
challenge for this method but also for the
ones on the previous slides is that on the
normal mobile cells you don't have a line
of sight to each base station from your
mobile phone and so the signal gets
disturbed by buildings in the way and then
the accuracy becomes worse. So the next
method I want to show you, I think most of
you will know a little bit about GPS and
how it's calculated. So satellites, GPS
satellites, broadcast their time and their
position, and the mobile phone uses again
trilateration to calculate its position
and the accuracy is usually below 10
meters, but it depends a little bit on the
chipset within the mobile phone, and then
the base station can request the position
of the phone by issuing a radio... or by
issuing a request with the radio resource
location service protocol. So another
method which I want to present is the
mining of Internet traffic. Some
smartphones send GPS coordinates or the
names of nearby Wi-Fi networks, which are
also called SSIDs, to online services, and
usually these allow the determination of
the position around or below 10 meters,
and it is certainly possible to intercept
this traffic and evaluate the geolocation.
So here I have two quotes for you, and the
first one it effectively means that anyone
using Google Maps on a smartphone is
working in support of a GCHQ system. This
quote comes from the Snowden archive and
was issued in the year 2008. So we
certainly see that there's
some proof that at least at those days,
that they enter, some third parties
intercepted those traffic and use it for
determining the geolocation, and if you
want to work with, or determine the
location with the SSIDs, it is necessary
that you have a map where a certain Wi-Fi
access points are located. And therefore
we have also something like... like a
proof that this has been done by the NSA
and this is the mission victory dance,
where they are mapping the Wi-Fi
fingerprint in every major town in Yemen,
and in Yemen also a lot of drone strikes
are conducted. So, let's go to next
method. Signalling System No. 7 is a
protocol which is used for communication
between network providers, and network
providers need to know where, in which
cell, a mobile phone is located to... to
enable the communication, and these
informations are saved in location
registers, and a third party can easily
request these location informations. I
want to refer to the talk by Tobias Engel,
which... he gave a talk two years ago
which really goes into the details of this
method, and maybe if you like to, there
are also commercial services available to
access this data. So, let's talk about
drones. We do not have very solid proofs
that geolocation methods are conducted by
drones, but we have certainly hints. A
hint is this GILGAMESH system, which is
based on the PREDATOR drones, and is a
method for active geolocation, which
describes an IMSI-catcher so... but if
anybody of you has access to more
documents... yeah it would be nice to have
a look. So...
applause
E: So, the easiest method would be
certainly to request for GPS coordinates,
and there you just replace the base
station with a drone. But the method which
is better, or which I think is the
preferred one: Angular measurements.
Angular measurements, if you have a look
in our report, there we approximated that
the accuracy of these methods are between
five and thirty five meters in radius from
an altitude of two kilometers, and if you
get closer to the mobile phone it becomes
more accurate. So, it would be, to some
extent, sufficient to conduct a targeted
drone strike on this data, and in the
meantime, since this report was handed
over to the Bundestag, I also found other
work which described that they are able to
achieve an accuracy of one meter from
three kilometers altitude for small
airplanes. You have to know that those
sensors to measure the angle of arrival,
that they are usually located within the
wings and within the front of the plane,
and when the plane becomes larger it's
also easier to have a more accurate
measurement. Then I want to point out that
a single measurement can be sufficient to
determine the location of a mobile phone.
If we can assume that the target is on the
ground. So if you assume that the target
is maybe in a building in Yemen, so a
single measurement would be sufficient on
a low building in Yemen. And a skyscraper
would be more difficult. So, and the big
advantage of these methods is that
environmental parameters have a very low
influence, since we can have an almost line
of sight, which allows a better accuracy.
So now I'm going to talk about the
identifiers which can be used for
geolocation. Certainly the phone number
and each IMSI-catcher or base station can
request, can issue an identity request to
a mobile phone, and then receive the IMSI
or IMEI. The IMSI is something like a
unique description for a certain customer
in the mobile network and the IMEI is
like a unique serial number for a device.
So, when we include those methods of
mining Internet traffic, then we can also
add a lot of more identifiers, for example
an Apple ID or Android ID, MAC address,
even cookies or user names. If you are
interested in this, you can have a look at
the link I provided there. That there's a
very interesting paper about this. So I
come to my last slide, my summary. I
showed you multiple, or a lot of different
methods to localize a mobile phone, and I
pointed out that a single drone can
localize a mobile phone with accuracy
which is sufficient to conduct a targeted
drone strike. Since this document was
handed over to the Bundestag, they also
never denied that these methods can be
used for... or that the accuracy of these
methods... is true. So then I pointed out
that as an identifier the phone number,
the IMSI, and the IMEI each can be used for
the geolocation of a mobile phone, and the
last information which I want to give you
is that geolocation methods cannot prove
the identity of a person, and this is
really important to know, that we are
not... yeah. That when we conduct, or when
somebody is conducting these drone
strikes, that they are not aware who is
actually using the phone, and so it can
happen that they are killing the wrong
person. So I thank you very much, I thank
my colleagues and my family and everybody.
applause
Herald: Thank you.
applause
H: That's great. Thank you very much. It's
the first talk we have here today where we
can have a lot of questions. So come on.
You have the microphones, number 1, number
2, number 3, number 4, and ask your
questions. It's the only chance to have
this man answering them. No questions?
Here's someone. No. Yeah. Sorry!
Microphone: No problem.
H: Number 4.
Microphone 4: Hello. Do you know why we
are located in London right now when we
use Google Maps here?
H: "Do you know", can you ask me again,
"do you know why we are located in
London?"
M4: Yes.
H: Here?
M4: When we use Google Maps, we are
located in London.
H: Do you know that? The Congress is
located in London. Do you know why?
E: I'm not aware.
M4: Okay, I thought this was on plan.
H: Okay.
M4: Thank you
H: Number 1.
Microphone 1: Okay, so on slide 12 you
showed this angle of arrival-
H: Can you please be quiet, we can't
understand the questions unless you're
quiet. Sorry.
M1: Okay, so, on slide 12 you showed the
angle of arrival method executed by a
drone. Is this a passive method or does it
require some cooperation by either the
phone company or by the targeted mobile
phone?
E: It can be conducted passively. Like, if
you call the phone or page the phone
multiple times and you see which phone is
answering this paging... okay, it needs to
be active in a way that you contact the
phone, but you don't need an active IMSI-
catcher for it. You just phone or call the
phone, and then you see which phone is
answering, and then you know where the
phone is situated.
M1: Thanks.
E: Yeah.
H: I see that we have a question over
there so can you just ask your question
please?
M8: Here?
H: Yes, number 8, please.
M8: Thank you for the talk. I'd like to
ask a question about tracking unpowered
mobile phones: I mean you mentioned lots
of methods for phones which are both...
with both have their batteries inserted
and are actively operating. Could you
elaborate a bit about the methods of
tracking phones, which seem to be off
turned off from the user's point of view,
and maybe also something about those who
have their batteries removed?
E: Actually, if you really turn off your
phone over a long period, let's say a
couple of months, I think you are safe,
but... laughter But if you...
M8: That's good to know.
E: But, actually, like if you have a base
station and somebody is switching off his
phone and maybe he is meeting somebody
else at that point and somebody else is
also switching off his phone, then it can
be suspicious, but it really depends
whether somebody is looking into this data
or not.
H: Thank you. Number 8 again.
M8: I had a short question: As you
described, we are somehow dependent on the
good winning of the NSA, for instance, and
I wanted to ask if there's some way to
avoid geolocation or use Google Maps
without sending identity to location
services.
E: That is fairly difficult. I would
assume that GPS phones are a little bit
better to avoid geo-locationing,
especially if you add additional GPS
spoofing, because they are... The network
cells are really large and so it's more
difficult to track you within the network
cell, but if you have a drone right above
you and you emit a physical signal, then
the drone will always be able to localize
where the signal came from. So it's
difficult, because it's physically
difficult.
M8: Okay.
H: Thanks. Number 1, please.
M1: So, I have a question about the
physicalities of receiving a... or
localizing or making angular measurement
of a phone within a densely populated
area, where there's possibly tens of
thousands of phones within the receptional
area of a 3-kilometer-high drone. That
would obviously require you to be more
sensitive on one hand than this cell tower
and on the other hand also receive at the
same time and sort out all kinds of
interference.
E: Usually a cell can be between,
let's say 200 meters, and 3 or 30
kilometers in size, so 3 kilometers in
altitude it's not very high.
M1: So you assume that the drone does a
pre-selection. We are digital beamforming
on the ground path and only looks at a
cell of interest, because it knows from
the network, the suspect is in that cell.
E: It depends on the area: In an urban
area you have to reduce the size of the
cell, otherwise you would receive too many
signals, but in a countryside you can have
larger cells or you can cover a larger
area.
M1: Regarding covering larger areas: Did
you take, considering that these drones
aren't really like our quadcopter size,
they're more airplane-sized, proper
airplanes, did you take the classical
synthetic aperture radar techniques of
observing something for a long time while
flying straight over it and then
integrating over it into account? Because
that's usually where we get our high-
resolution radar imagery of the earth.
E: You can conduct multiple measurements
or you just conduct one, if you know that
the target is on the ground.
M1: So, did that account for your
estimated accuracy?
E: It's not necessary to integrate.
M1: Okay, thanks.
H: Thank you. We have a question from the
internet.
Signalangel: Yes, the internet wants to
know if there are attributes, which you
can change of the phone, to stop
surveillance. Attributes like the email,
for example.
E: Can you please repeat the question?
S: Are there attributes of the phone,
which you can change, to stop
surveillance?
E: Yes, certainly you can fake the IMEI
or the IMSI. That is also another reason why
it's not sufficient to prove the identity,
because any phone can just take these
data.
S: And we have a second question, which
is: Does the GSM network have a feature
which allows anyone to get the GPS data
from the phone?
E: Yeah..., it would be..., that.., and
the radio resource location service
protocol.
S: So, thank you.
laughter
E: Yeah.
H: Okay, number five.
Microphone 5: Hello, you delivered your
work to the NSA Untersuchungsausschuss and
they, the Bundestag did not say anything
about it, but is there a statement from
the NSA Untersuchungsausschuss?
E: And the government said something about
it. They said that, that they washed their
hands and said we did everything nicely
because we added also a disclaimer to the
data we provided and that the disclaimer
says that the NSA is forced to, to stick
to the German law and that they are not
allowed to do whatever they want with this
data.
M5: Thank you.
H: Very nice, number 6, please.
M6: Hello, on slide 12, you got, you
specify the accuracy of about five meters
for two drones. So how does it scale if
you would use more than two drones? For
example 10 or whatever.
E: I think that there was a small
misunderstanding. Actually, one drone is
sufficient.
M6: Okay, so could you use more than one
drone?
E: Yeah, you can use as many as you want
but one is sufficient.
laughter
M6: Yeah, but that, of course. But does
the accuracy increase by using more than
one?
E: Yeah if you go closer to the target and
then their accuracy increases.
M6: Okay, but with the same distance but
more than one drone?
E: Actually not.
M6: Okay, thank you.
H: Number four, please.
M4: Also referring to the accuracies, you
were talking about field experiments and
so on. Did you conduct those yourself or
where did you get all the information
from?
E: These are some references, there you
can find the field experiments.
M4: Thank you very much.
H: Number two, please.
M2: Thank you very much for the
interesting talk. My question is regarding
the fingerprint which you can use on many
phones to unlock the phone. Is there
currently and if not will there, do you
think there will be a possibility that for
example an app which requires the
fingerprint identification on the phone
that this is also passively read and by
that you increase the identification of
persons? Did you understand the question?
E: Yeah, but I think this is like based on
the GSM network and the other I think that
that's based on the operating system.
M2: So currently using this technology,
there they couldn't be, there, it's not
possible to link this?
E: No.
M2: Ok, thank you.
H: Ok, number one, please.
M1: My question is actually about the
civil use of geolocation service not so
much about phones. So, you mentioned that
every time you use an online service that
use geolocation you send the SSIDs of
nearby Wi-Fi networks and with every
request you actually enrich a Wi-Fi map,
Wi-Fi database of either Google, if it's
on Android, or Apple if it's on iOS. Now,
there was a talk at CCC here in 2009 when
this technology was still nascent and that
back then was called Skyhook but then the
speaker had this provocative question:
Shouldn't this Wi-Fi map be public domain
instead of just a belonging proprietary
and belonging either to Apple or Google
nowadays? So, haven't we lost that
struggle? I mean we can't keep our SSIDs
private, so shouldn't it be public domain?
E: Yeah it would be a good idea to make it
public domain I said since also a lot of
positive things can be created with this
technology, like helping people in
emergency situations.
H: Okay ...
M1: I wanted to take the chance to say
thanks for this talk. I'm one of the
people who actually commissioned the
analysis because I work in the inquiry,
and it was extremely helpful for us to
have the analysis done because we, like
you said, keep being confronted with
Secret Service people who tell us that no
way can mobile phone numbers help in the
secret war. So yeah I just wanted to say
thanks.
applause
H: Yeah, thank you very much.
H: Great, so thank you also very, very
much for your work and keep on going with
that.
music
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!