LTrack: Stealthy Tracking of Mobile Phones in LTE

We introduce LTRACK, a new tracking attack on LTE that allows an attacker to stealthily extract user devices’ locations and permanent identifiers (IMSI). To remain stealthy, the localization of devices in LTRACK is fully passive, relying on our new uplink/downlink sniffer. Our sniffer records both the times of arrival of LTE messages and the contents of the Timing Advance Commands, based on which LTRACK calculates locations. LTRACK is the first to show the feasibility of passive localization in LTE through an implementation on software-defined radio. Passive localization attacks reveal a user’s location traces but can at best link these traces to a device’s pseudonymous temporary identifier (TMSI), making tracking in dense areas or over a long time period challenging. LTRACK overcomes this challenge by introducing and implementing a new type of IMSI Catcher named IMSI Extractor. It extracts a device’s IMSI and binds it to its current TMSI. Instead of relying on fake base stations like existing IMSI Catchers, which are detectable due to their continuous transmission, IMSI Extractor relies on our uplink/downlink sniffer enhanced with surgical message overshadowing. This makes our IMSI Extractor the stealthiest IMSI Catcher to date. We evaluate LTRACK through a series of experiments and show that in line-of-sight conditions, the attacker can estimate the location of a phone with less than 6 m error in 90% of the cases. We successfully tested our IMSI Extractor against a set of 17 modern smartphones connected to our industry-grade LTE testbed. We further validated our uplink/downlink sniffer and IMSI Extractor in a test facility of an operator.
