-
music
-
Herald: so the NSA is spying, and was
spying, and we had Snowden, we have a lot
-
of documents to look at, and there is some
new research on how they used geolocation
-
methods in mobile networks. It is done by
the University of Hamburg and we have here
-
Erik who will present this research to you
and he has done this for the German
-
government and for the NSA
Untersuchungsausschuss which we call "NS
-
Aua", which means "NS Ouch", kind of. He
is a PhD student and holds a master's in
-
physics so give him a warm applause
-
applause
-
Herald: And for those coming later please
-
go to your seats and try to be quiet. Yep,
thank you.
-
Erik Sy: Hello. I'm really happy to have
-
you all here and I welcome you to my talk
about geolocation methods in mobile
-
networks. My name is Eric Sy and I'm a PhD
student at the University of Hamburg. So,
-
at the beginning I want to point out why
I'm giving this talk. So the German
-
parliamentary investigative committee
wanted to find out about the German
-
involvement in US drone strikes and then
the German government officials claimed
-
that they do not know anything or they do
not know any possibility how to use a
-
phone number for targeting drone strikes
and the investigative committee did not
-
really believe this statement and so they
asked our research group at the University
-
of Hamburg to prepare a report and we
handed in that report to the Bundestag and
-
it was very soon after what's also
published by netzpolitik.org
-
thank you for that
-
Applause
-
E: And it contains like technical
methods and approximates the accuracy to
-
localise mobile phones and it also points
out which technical identifiers are
-
required to conduct such geolocation. Now
I give you my agenda for today. First I
-
will speak about the purpose of
geolocation data and then we are looking
-
into a broad variety of different
approaches to conduct such a geolocation
-
in mobile networks, and then we specify on
drones and look into the technical methods
-
which can be conducted with drones, and
and then I'm going to point out which
-
technical identifiers we can use for such
a geolocation. And lastly I'm going to sum
-
up. So, the purpose of geolocation data:
it is a neutral technology, so we can use
-
it for rescue missions, for example if
somebody got lost in the forest or in the
-
mountains, we can use geolocation data to
find that person and rescue the person.
-
Or, if you ever used Google Traffic, there
you you can profit from monitoring traffic
-
conditions. But we can also use it to
invade the privacy of persons, for example
-
if we identify people on surveillance
footage, or if
-
we track the location of a certain
individual over a longer period, and
-
certainly we can use this data for
targeting drone strikes. However I want to
-
point out that this data, that they are
not suitable to prove the identity of a
-
person. So if somebody is conducting a
drone strike based on this data, then he
-
is actually not knowing who he is going to
kill. So, on the right side you see an
-
image of an explosion site from a Hellfire
missile. A Hellfire missile is usually
-
used by these drones and you can
approximate that the blast radius is
-
around 20 meters. So we would consider a
targeted drone strike if we have a
-
geolocation method which can determine the
position of a person more precise than 20
-
meters in radius. So, the first approach
which I want to present are time
-
measurements and the symbol which you will
see down there it's a base station, for
-
for the next couple of slides. And a base
station... this is the point in a mobile
-
network where your phone connects to. On
the slides you can certainly interchange
-
this base station with an IMSI-catcher.
IMSI-catcher is something like a fake base
-
station from a third party and you could
even build it yourself. So, the method
-
used to calculate the position of a phone
is for time measurements trilateration.
-
You have to know that that signal is
usually traveling with the speed of light,
-
so when you measure the time you can also
measure the distance. And here there are
-
three methods presented. There are "Time
of Arrival", where the signal moves from
-
the hand phone to the three base stations
and the accuracy is between 50 and 200
-
meters. This really depends on the cell
size and they can be more precise or less
-
precise. So, then we have "Time Difference
of Arrival," which is like a round-trip
-
measurement, and we have an "Enhanced
Observed Time Difference," where the
-
mobile phone actually computes the
location within the cell, and the accuracy
-
is between 50 to 125 meters.
So, and the next method which I want to
-
present are angular measurements. When you
conduct angular measurements, then you
-
determine the direction of arrival from
the signal and afterwards you do a
-
calculation which is called triangulation
and therefore you have to know the
-
position of the base station, but also the
alignment of your antenna and for this
-
method there's certainly two base stations
or IMSI-catchers sufficient to determine
-
the position of the mobile phone. The
accuracy is usually in field experiments
-
between 100 and 200 meters and the
challenge for this method but also for the
-
ones on the previous slides is that on the
normal mobile cells you don't have a line
-
of sight to each base station from your
mobile phone and so the signal gets
-
disturbed by buildings in the way and then
the accuracy becomes worse. So the next
-
method I want to show you, I think most of
you will know a little bit about GPS and
-
how it's calculated. So satellites, GPS
satellites, broadcast their time and their
-
position, and the mobile phone uses again
trilateration to calculate its position
-
and the accuracy is usually below 10
meters, but it depends a little bit on the
-
chipset within the mobile phone, and then
the base station can request the position
-
of the phone by issuing a radio... or by
issuing a request with the radio resource
-
location service protocol. So another
method which I want to present is the
-
mining of Internet traffic. Some
smartphones send GPS coordinates or the
-
names of nearby Wi-Fi networks, which are
also called SSIDs, to online services, and
-
usually these allow the determination of
the position around or below 10 meters,
-
and it is certainly possible to intercept
this traffic and evaluate the geolocation.
-
So here I have two quotes for you, and the
first one it effectively means that anyone
-
using Google Maps on a smartphone is
working in support of a GCHQ system. This
-
quote comes from the Snowden archive and
was issued in the year 2008. So we
-
certainly see that there's
some proof that at least at those days,
-
that they enter, some third parties
intercepted those traffic and use it for
-
determining the geolocation, and if you
want to work with, or determine the
-
location with the SSIDs, it is necessary
that you have a map where a certain Wi-Fi
-
access points are located. And therefore
we have also something like... like a
-
proof that this has been done by the NSA
and this is the mission victory dance,
-
where they are mapping the Wi-Fi
fingerprint in every major town in Yemen,
-
and in Yemen also a lot of drone strikes
are conducted. So, let's go to next
-
method. Signalling System No. 7 is a
protocol which is used for communication
-
between network providers, and network
providers need to know where, in which
-
cell, a mobile phone is located to... to
enable the communication, and these
-
informations are saved in location
registers, and a third party can easily
-
request these location informations. I
want to refer to the talk by Tobias Engel,
-
which... he gave a talk two years ago
which really goes into the details of this
-
method, and maybe if you like to, there
are also commercial services available to
-
access this data. So, let's talk about
drones. We do not have very solid proofs
-
that geolocation methods are conducted by
drones, but we have certainly hints. A
-
hint is this GILGAMESH system, which is
based on the PREDATOR drones, and is a
-
method for active geolocation, which
describes an IMSI-catcher so... but if
-
anybody of you has access to more
documents... yeah it would be nice to have
-
a look. So...
applause
-
E: So, the easiest method would be
certainly to request for GPS coordinates,
-
and there you just replace the base
station with a drone. But the method which
-
is better, or which I think is the
preferred one: Angular measurements.
-
Angular measurements, if you have a look
in our report, there we approximated that
-
the accuracy of these methods are between
five and thirty five meters in radius from
-
an altitude of two kilometers, and if you
get closer to the mobile phone it becomes
-
more accurate. So, it would be, to some
extent, sufficient to conduct a targeted
-
drone strike on this data, and in the
meantime, since this report was handed
-
over to the Bundestag, I also found other
work which described that they are able to
-
achieve an accuracy of one meter from
three kilometers altitude for small
-
airplanes. You have to know that those
sensors to measure the angle of arrival,
-
that they are usually located within the
wings and within the front of the plane,
-
and when the plane becomes larger it's
also easier to have a more accurate
-
measurement. Then I want to point out that
a single measurement can be sufficient to
-
determine the location of a mobile phone.
If we can assume that the target is on the
-
ground. So if you assume that the target
is maybe in a building in Yemen, so a
-
single measurement would be sufficient on
a low building in Yemen. And a sky scraper
-
would be more difficult. So, and the big
advantage of these methods is that
-
environmental parameters have a very low
influence, since we can have a almost line
-
of sight, which allows a better accuracy.
So now I'm going to talk about the
-
identifiers which can be used for
geolocation. Certainly the phone number
-
and each IMSI-catcher or base station can
request, can issue an identity request to
-
a mobile phone, and then receive the IMSI
or EMI. The IMSI is something like a
-
unique description for a certain customer
in the the mobile network and the EMI is
-
like a unique serial number for an device.
So, when we include those methods of
-
mining Internet traffic, then we can also
add a lot of more identifiers, for example
-
an Apple ID or Android ID, MAC address,
even cookies or user names. If you are
-
interested in this, you can have a look at
the link I provided there. That there's a
-
very interesting paper about this. So I
come to my last slide, my summary. I
-
showed you multiple, or a lot of different
methods to localize a mobile phone, and I
-
pointed out that a single drone can
localize a mobile phone with accuracy
-
which is sufficient to conduct a targeted
drone strike. Since this document was
-
handed over to the Bundestag, they also
never denied that these methods can be
-
used for... or that the accuracy of these
methods... is true. So then I pointed out
-
that as an identifier the phone number,
the IMSI, and the EMI each can be used for
-
the geolocation of a mobile phone, and the
last information which I want to give you
-
is that geolocation methods cannot prove
the identity of a person, and this is
-
really important to know, that we are
not... yeah. That when we conduct, or when
-
somebody is conducting these drone
strikes, that they are not aware who is
-
actually using the phone, and so and I can
happen that they are killing the wrong
-
person. So I thank you very much, I thank
my colleagues and my family and everybody.
-
applause
-
Herald: Thank you.
applause
-
H: That's great. Thank you very much. It's
the first talk we have here today where we
-
can have a lot of questions. So come on.
You have the microphones, number 1, number
-
2, number 3, number 4, and ask your
questions. It's the only chance to have
-
this man answering them. No questions?
Here's someone. No. Yeah. Sorry!
-
Microphone: No problem.
H: Number 4.
-
Microphone 4: Hello. Do you know why we
are located in London right now when we
-
use Google Maps here?
H: "Do you know", can you ask me again,
-
"do you know why we are located in
London?"
-
M4: Yes.
H: Here?
-
M4: When we use Google Maps, we are
located in London.
-
H: Do you know that? The Congress is
located in London. Do you know why?
-
E: I'm not aware.
M4: Okay, I thought this was on plan.
-
H: Okay.
M4: Thank you
-
H: Number 1.
Microphone 1: Okay, so on slide 12 you
-
showed this angle of arrival-
H: Can you please be quiet, we can't
-
understand the questions unless you're
quiet. Sorry.
-
M1: Okay, so, on slide 12 you showed the
angle of arrival method executed by a
-
drone. Is this a passive method or does it
require some cooperation by either the
-
phone company or by the targeted mobile
phone?
-
E: It can be conducted passively. Like, if
you call the phone or page the phone
-
multiple times and you see which phone is
answering this paging... okay, it needs to
-
be active in a way that you contact the
phone, but you don't need an active IMSI-
-
catcher for it. You just phone or call the
phone, and then you see which phone is
-
answering, and then you know where the
phone is situated.
-
M1: Thanks.
E: Yeah.
-
H: I see that we have a question over
there so can you just ask your question
-
please?
M8: Here?
-
H: Yes, number 8, please.
M8: Thank you for the talk. I'd like to
-
ask a question about tracking unpowered
mobile phones: I mean you mentioned lots
-
of methods for phones which are both...
with both have their batteries inserted
-
and are actively operating. Could you
elaborate a bit about the methods of
-
tracking phones, which seem to be off
turned off from the users point of view,
-
and maybe also something about those who
have their batteries removed?
-
E: Actually, if you really turn off your
phone over a long period, let's say a
-
couple of months, I think you are safe,
but... laughter Buf if you...
-
M8: That's good to know.
E: But, actually, like if you have a base
-
station and somebody is switching off his
phone and maybe he is meeting somebody
-
else at that point and somebody else is
also switching off his phone, then it can
-
be suspicious, but it really depends
whether somebody is looking into this data
-
or not.
H: Thank you. Number 8 again.
-
M8: I had a short question: As you
described, we are somehow dependent on the
-
good winning of the NSA, for instance, and
I wanted to ask if there's some way to
-
avoid geolocation or use Google Maps
without sending identity to location
-
services.
E: That is fairly difficult. I would
-
assume that GPS phones are a little bit
better to avoid geo-locationing,
-
especially if you add additional GPS
spoofing, because they are... The network
-
cells are really large and so it's more
difficult to track you within the network
-
cell, but if you have a drone right above
you and you emit a physical signal, then
-
the drone will always be able to localize
where the signal came from. So it's
-
difficult, because it's physically
difficult.
-
M8: Okay.
H: Thanks. Number 1, please.
-
M1: So, I have a question about the
physicalities of receiving a... or
-
localizing or making angular measurement
of a phone within a densely populated
-
area, where there's possibly tens of
thousands of phones within the receptional
-
area of a 3-kilometer-high drone. That
would obviously require you to be more
-
sensitive on one hand than this cell tower
and on the other hand also receive at the
-
same time and sort out all kinds of
interference.
-
E: You usually a cell can be between,
let's say 200 meters, and 3 or 30
-
kilometers in size, so 3 kilometers in
altitude it's not very high.
-
M1: So you assume that the drone does a
pre-selection. We are digital beamforming
-
on the ground path and only looks at a
cell of interest, because it knows from
-
the network, the suspect is in that cell.
E: It depends on the area: In an urban
-
area you have to reduce the size of the
cell, otherwise you would receive too many
-
signals, but in a countryside you can have
larger cells or you can cover a larger
-
area.
M1: Regarding covering larger areas: Did
-
you take, considering that these drones
aren't really like our quadcopter size,
-
they're more airplane-sized, proper
airplanes, did you take the classical
-
synthetic aperture radar techniques of
observing something for a long time while
-
flying straight over it and then
integrating over it into account? Because
-
that's usually where we get our high-
resolution radar imagery of the earth.
-
E: You can conduct multiple measurements
or you just conduct one, if you know that
-
the target is on the ground.
M1: So, did that account for your
-
estimated accuracy?
E: It's not necessary to integrate.
-
M1: Okay, thanks.
H: Thank you. We have a question from the
-
internet.
Signalangel: Yes, the internet wants to
-
know if there are attributes, which you
can change of the phone, to stop
-
surveillance. Attributes like the email,
for example.
-
E: Can you please repeat the question?
S: Are there attributes of the phone,
-
which you can change, to stop
surveillance?
-
E: Yes, certainly you can fake the IMEI
or the IMSI. That is also another reason why
-
it's not sufficient to prove the identity,
because any phone can just take these
-
data.
S: And we have a second question, which
-
is: Does the GSM network have a feature
which allows anyone to get the GPS data
-
from the phone?
E: Yeah..., it would be..., that.., and
-
the radio resource location service
protocol.
-
S: So, thank you.
laughter
-
E: Yeah.
H: Okay, number five.
-
Microphone 5: Hello, you delivered you
work to the NSA Untersuchungsausschuss and
-
they, the Bundestag did not say anything
about it, but is there a statement from
-
the NSA Untersuchungssausschuss?
E: And the government said something about
-
it. They said that, that they washed their
hands and said we did everything nicely
-
because we added also a disclaimer to the
data we provided and that the disclaimer
-
says that the NSA is forced to, to stick
to the German law and that they are not
-
allowed to do whatever they want with this
data.
-
M5: Thank you.
H: Very nice, number 6, please.
-
M6: Hello, on slide 12, you got, you
specify the accuracy of about five meters
-
for two drones. So how does it scale if
you would use more than two drones? For
-
example 10 or whatever.
E: I think that there was a small
-
misunderstanding. Actually, one drone is
sufficient.
-
M6: Okay, so could you use more than one
drone?
-
E: Yeah, you can use as many as you want
but one is sufficient.
-
laughter
M6: Yeah, but that, of course. But does
-
the accuracy increase by using more than
one?
-
E: Yeah if you go closer to the target and
then their accuracy increases.
-
M6: Okay, but with the same distance but
more than one drone?
-
E: Actually not.
M6: Okay, thank you.
-
H: Number four, please.
M4: Also referring to the accuracies, you
-
were talking about field experiments and
so on. Did you conduct those yourself or
-
where did you get all the information
from?
-
E: These are some references, there you
can find the field experiments.
-
M4: Thank you very much.
H: Number two, please.
-
M2: Thank you very much for the
interesting talk. My question is regarding
-
the fingerprint which you can use on many
phones to unlock the phone. Is there
-
currently and if not will there, do you
think there will be a possibility that for
-
example an app which requires the
fingerprint identification on the phone
-
that this is also passively read and by
that you increase the identification of
-
persons? Did you understand the question?
E: Yeah, but I think this is like based on
-
the GSM network and the other I think that
that's based on the operating system.
-
M2: So currently using this technology,
there they couldn't be, there, it's not
-
possible to link this?
E: No.
-
M2: Ok, thank you.
H: Ok, number one, please.
-
M1: My question is actually about the
civil use of geolocation service not so
-
much about phones. So, you mentioned that
every time you use an online service that
-
use geolocation you send the SSids of
nearby Wi-Fi networks and with every
-
request you actually enrich a Wi-Fi map,
Wi-Fi database of either Google, if it's
-
on Android, or Apple if it's on iOS. Now,
there was a talk at CCC here in 2009 when
-
this technology was still nascent and that
back then was called Skyhook but then the
-
speaker had this provocative question:
Shouldn't this Wi-Fi map be public domain
-
instead of just a belonging proprietary
and belonging either to Apple or Google
-
nowadays? So, haven't we lost that
struggle? I mean we can't keep our SSids
-
private, so shouldn't it be public domain?
E: Yeah it would be a good idea to make it
-
public domain I said since also a lot of
positive things can be created with this
-
technology, like helping people in
emergency situations.
-
H: Okay ...
M1: I wanted to take the chance to say
-
thanks for this talk. I'm one of the
people who actually commissioned the
-
analysis because I work in the inquiry,
and it was extremely helpful for us to
-
have the analysis done because we, like
you said, keep being confronted with
-
Secret Service people who tell us that no
way can mobile phone numbers help in the
-
secret war. So yeah I just wanted to say
thanks.
-
applause
H: Yeah, thank you very much.
-
H: Great, so thank you also very, very
much for your work and keep on going with
-
that.
-
music
-
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!
