Location Tracking of a Mobile Device Via Silent SMS

May 10, 2012

SMS
SMS (Short Message Service) has become an integral part of modern-day life. Initially created to send non-sensitive information using spare capacity in the signalling channels, it has since evolved into a feature-rich service.

How SMS is used to track the location of a mobile device

Law enforcement agencies rely on a basic principle: every time a mobile device performs any activity, it reveals its presence to the cell tower. If the mobile network can force the device into some very short activity that is imperceptible to the user, then radiolocation techniques can be used to track it. To do that, a special type of SMS known as a “Silent SMS” is used. Every time a silent SMS is delivered, the mobile silently acknowledges it. This creates activity that is tracked by an LMU (Location Measurement Unit) at the BTS (Base Transceiver Station) using a variety of multilateration methods.

A commonly used technique for tracking location in GSM networks is E-OTD (Enhanced Observed Time Difference of arrival). This is a network-based location tracking method: the arrival time of the signal from the mobile device is measured at three BTS/LMUs, and the position of the ME (Mobile Equipment) is determined by comparing the time differences between two sets of timing measurements. The accuracy is between 50 and 200 meters. More accurate location measurement is possible using A-GPS (Assisted GPS) based systems.

In the past, cell tower logs generated by forcing the target mobile device into activity have been used to accurately reconstruct and identify a target’s locations and movements. In the USA vs. Forrest case, police used similar techniques.

The SMS message is specified by ETSI in documents GSM 03.38 and GSM 03.40. It can be up to 160 characters long, where each character is 7 bits. Eight-bit messages can contain up to 140 characters and are usually not viewable on the phone as text messages; instead they carry data for e.g. smart messaging (images and ringing tones) and Over The Air (OTA) provisioning of Wireless Application Protocol (WAP) settings.
Silent messages, often referred to as “Silent SMS” or “Stealth SMS”, are SMS messages that, when received by a mobile device, produce no notification either on the display or by sound. GSM 03.40 describes a Short Message of type 0, which indicates that the mobile equipment must acknowledge receipt of the short message but may discard its contents.

How to create Silent SMS

To create a Silent SMS, the SMS PDU (Protocol Data Unit) needs to be manipulated. This is best done from an application that communicates with the SMSC (SMS Center) using a protocol called SMPP. To send an SMS, the application needs to send an SMPP Submit_Sm PDU with a GSM 03.38-encoded message. A sample Submit_Sm PDU is shown below:

Encoding PDU Header:
  command_length           (71)           00 00 00 47
  command_id               (4)            00 00 00 04
  command_status           (0)            00 00 00 00
  sequence_number          (1)            00 00 00 01
Encoding PDU Body:
  service_type             (0)            30 00
  source_addr_ton          (1) **         01
  source_addr_npi          (1) **         01
  source_addr              (27829239812)  32 37 38 32 39 32 33 39 38 31 32 00
  dest_addr_ton            (1) **         01
  dest_addr_npi            (1) **         01
  dest_addr                (27829239812)  32 37 38 32 39 32 33 39 38 31 32 00
  esm_class                (0)            00
  protocol_id              (0)            00
  priority_flag            (0)            00
  schedule_delivery_time   (0)            30 00
  validity_period          (0)            30 00
  registered_delivery      (1)            01
  replace_if_present_flag  (0)            00
  data_coding              (0)            00
  sm_default_msg_id        (0)            00
  sm_length                (0)            00
  short_message            (xyz..etc)     69 76 69 7A 73 65 63 75 72 69 74 79 2E 63 6F 6D
Full PDU (70 octets ++):
  00 00 00 47 00 00 00 04 00 00 00 00 00 00 00 01 30 00 01 01 32 37 38 32 39 32 33 39 38 31 32 00 01 01 32 37 38
  32 39 32 33 39 38 31 32 00 00 00 00 30 00 30 00 01 00 00 00 00 73 61 74 6E 61 63 2E 6F 72 67 2E 7A

** (0) indicates local numeric number formatting; (1) indicates international numeric number formatting
++ An octet is a group of 8 bits, often referred to as a byte

There are many different ways to manipulate the SMS PDU, but many of them may cause the mobile device to malfunction. The two techniques described by N.J. Croft and M.S. Olivier ["A silent SMS denial of service (DoS) attack," Proceedings of the Southern African Telecommunication Networks and Applications Conference 2007 (SATNAC 2007), Sugar Beach Resort, Mauritius, September 2007 (published electronically)] that were used and found to work are: manipulating the Data Coding Scheme, and manipulating the timing in a WAP Push message.

In the first technique, the data_coding field of the SMS PDU was set to 0xC0. This selects the MWIG (Message Waiting Indication Group) coding group, which per GSM 03.38 translates to “Discard Message”. On receiving the message, the mobile device sends the delivery acknowledgement and then discards it.
In the second technique, schedule_delivery_time is set to a date and time before today, in the format “YYMMDDhhmmsstnn”. It was observed that the message was delivered and the mobile device sent a delivery acknowledgement, but the message was never displayed.
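As an added example (not code from the article or from Croft and Olivier), the following Python decodes a Submit_Sm PDU with the field layout listed above and reports the indicators an operator monitoring an SMPP link would look for: data_coding 0xC0, a schedule_delivery_time that is already in the past, and the GSM 03.40 type 0 short message, whose TP-PID value 0x40 comes from the standard rather than from the article. The two sample PDUs, their addresses and their text are constructed for this example.

```python
import struct
from datetime import datetime, timezone

SUBMIT_SM = 0x00000004
DCS_MWI_DISCARD = 0xC0  # GSM 03.38 MWI group "discard message": the article's first technique
PID_TYPE_0 = 0x40       # GSM 03.40 TP-PID "Short Message Type 0": acknowledge, then discard

def _cstring(buf, pos):  # NUL-terminated C-octet string -> (text, offset after the NUL)
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1

def parse_submit_sm(pdu):  # header plus mandatory body of an SMPP submit_sm, as a dict
    length, cmd_id, _status, seq = struct.unpack(">IIII", pdu[:16])
    if cmd_id != SUBMIT_SM or length != len(pdu):  # a length mismatch is itself worth logging
        raise ValueError("bad header: command_id 0x%08X, command_length %d for %d octets" % (cmd_id, length, len(pdu)))
    f, pos = {"sequence_number": seq}, 16
    f["service_type"], pos = _cstring(pdu, pos)
    f["source_addr_ton"], f["source_addr_npi"], pos = pdu[pos], pdu[pos + 1], pos + 2
    f["source_addr"], pos = _cstring(pdu, pos)
    f["dest_addr_ton"], f["dest_addr_npi"], pos = pdu[pos], pdu[pos + 1], pos + 2
    f["destination_addr"], pos = _cstring(pdu, pos)
    f["esm_class"], f["protocol_id"], f["priority_flag"] = pdu[pos:pos + 3]
    f["schedule_delivery_time"], pos = _cstring(pdu, pos + 3)
    f["validity_period"], pos = _cstring(pdu, pos)
    (f["registered_delivery"], f["replace_if_present_flag"], f["data_coding"],
     f["sm_default_msg_id"], f["sm_length"]) = pdu[pos:pos + 5]
    f["short_message"] = pdu[pos + 5:pos + 5 + f["sm_length"]]
    if len(f["short_message"]) != f["sm_length"]:
        raise ValueError("sm_length runs past the end of the PDU")
    return f

def silent_sms_indicators(f, now=None):  # reasons a decoded submit_sm looks silent; [] if none
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    hits = []
    if f["data_coding"] == DCS_MWI_DISCARD:
        hits.append("data_coding 0xC0 (MWI discard message)")
    if f["protocol_id"] == PID_TYPE_0:
        hits.append("protocol_id 0x40 (type 0 short message)")
    sched = f["schedule_delivery_time"]  # absolute "YYMMDDhhmmss..." unless it ends in 'R' (relative)
    if sched and not sched.endswith("R") and datetime.strptime(sched[:12], "%y%m%d%H%M%S") < now:
        hits.append("schedule_delivery_time %s is already in the past" % sched)
    return hits

# Constructed sample PDUs (not from the article): source 12345678901 -> destination 12345678902, text "hi".
BENIGN_PDU = bytes.fromhex(  # ordinary text message, nothing scheduled
    "00000039000000040000000000000001" "00" "0101313233343536373839303100"
    "0101313233343536373839303200" "000000" "00" "00" "0100000002" "6869")
SILENT_PDU = bytes.fromhex(  # protocol_id 0x40, schedule_delivery_time "120101120000000+", data_coding 0xC0
    "00000049000000040000000000000001" "00" "0101313233343536373839303100"
    "0101313233343536373839303200" "004000" "3132303130313132303030303030302B00" "00" "0100C00002" "6869")
```

A real SMPP monitor would feed each submit_sm seen on the link through parse_submit_sm and alert on a non-empty indicator list; the command_length check also catches malformed PDUs such as one whose declared length does not match the octets actually sent.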

Copyright © 2011. INDIATRIKS - All Rights Reserved