The ability to track the location of a cell phone user without the user’s knowledge is far too easy, computer scientists at the University of Minnesota’s College of Science and Engineering have discovered.
University of Minnesota computer science Ph.D. student Denis Foo Kune, working with associate professors Nick Hopper and Yongdae Kim, and undergraduate student John Koelndorfer, described their findings in a recently released paper, “Location Leaks on the GSM Air Interface” (PDF).
“Cell phone towers have to track cell phone subscribers to provide service efficiently,” Foo Kune explained. “For example, an incoming voice call requires the network to locate that device so it can allocate the appropriate resources to handle the call. Your cell phone network has to at least loosely track your phone within large regions in order to make it easy to find it.”
But that information is easily accessible to anyone with a cheap computer, an inexpensive phone and free open source software. Using this simple setup, the researchers where able to track the location of a test subject within a 10-block area as the subject walked through Minneapolis.
The researchers tracked the subject by tapping into the Global System for Mobile Communications (GSM) network, the predominant worldwide mobile network.
Concern has previously been raised about the ability of third parties to access the locational data kept by cell phone service providers. But unlike those cases, the researchers were able to track the cell phone without any collaboration with the service provider whatsoever.
The finding raises numerous privacy and security concerns.
“For example, agents from an oppressive regime may no longer require cooperation from reluctant service providers to determine if dissidents are at a protest location,” the researchers wrote in their study.
“A second example could be the location test of a prominent figure by a group of insurgents with the intent to cause physical harm for political gain. Yet another example could be thieves testing if a user’s cell phone is absent from a specific area and therefore deduce the risk level associated with a physical break-in of the victim’s residence.”