
What Does It Take to Track a Million Cell Phones? - siva7891
https://thehftguy.com/2017/07/19/what-does-it-really-take-to-track-100-million-cell-phones/
======
jandrewrogers
I've designed systems that do this on continental scales (i.e. hundreds of
millions of cell phones simultaneously, in real-time). The devil is in the
details and non-trivial; this is not an "intern and 6 months" job. Mobile
telemetry is not nearly as ideal in practice as assumed here and it typically
takes a couple years to learn how to handle the numerous peculiar artifacts of
that data that will damage the quality of a naive implementation.
Reconstructing a model of the population from the cleaned data that
approximates the ground truthing is surprisingly difficult and requires quite
a bit of clever data science and maths.

It takes a _lot_ of work and expertise to build a population model from mobile
telemetry that approximately reflects reality. Far fewer people know how to do
this well than you might assume by looking at the requirements for a naive
implementation. Even most mobile carriers have limited ability.

~~~
frandroid
Have you posted about this at length somewhere? If not, care to elaborate on
what it took to design this system?

~~~
jandrewrogers
I have not written about it. Most of the difficulty and complexity, from my
perspective, is in the data science and processing required to construct an
accurate population model, which requires additional data sources beyond the
mobile telemetry. I designed the custom database platforms (easy for me)
underneath which supported the online data processing.

It isn't that difficult technically, if you have experts doing it, it just
requires far more domain expertise to do correctly than I think people expect.
You also need to be willing to write some of your own tooling to deal with the
data efficiently and effectively.

~~~
dajohnson89
I'm gonna take a wild guess, and say that the NSA has a monopoly on the talent
for this field.

~~~
user5994461
Mapping is wide and common industry, just like web or finance.

The NSA only recruits in the USA. It's a fraction of the talent pool of the
planet.

~~~
cmahler7
The NSA violates the constitution on a daily basis; I'm sure they have a
loophole to get whatever talent they need.

~~~
FractalNerve
Care to elaborate?

------
strictnein
This article finally answered a question I've had for a while: how they can do
decent triangulation with just two towers.

> "We said that a tower covers a radius around it. In practice, this is sub
> optimal so that’s not how it’s done.

> Instead, a station is usually split in 3 independent beams of 120 degrees."

So it's not the intersection of two circles anymore, it's the intersection of
two arcs, which will likely only have one intersection point, unlike circles.
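
As an added illustration (not part of strictnein's comment or the linked article): the two range circles below cross at two points, and requiring each candidate to also fall inside the 120-degree beam that served the call leaves exactly one. The code is Python on a flat x/y grid in metres, with bearings measured clockwise from +y; the tower positions, ranges and beam azimuths are a constructed scenario, not measured data.

```python
import math


def circle_intersections(c1, r1, c2, r2):
    """Return the points (0, 1 or 2) where two range circles meet.

    Each circle is the set of positions at measured distance r from a tower
    at c; two such circles normally cross in two places, which is the
    ambiguity the sector information resolves."""
    (x1, y1), (x2, y2) = c1, c2
    d = math.hypot(x2 - x1, y2 - y1)
    if d == 0 or d > r1 + r2 or d < abs(r1 - r2):
        return []  # coincident, too far apart, or one inside the other
    a = (r1 ** 2 - r2 ** 2 + d ** 2) / (2 * d)  # distance from c1 to the chord
    h = math.sqrt(max(r1 ** 2 - a ** 2, 0.0))    # half the chord length
    xm = x1 + a * (x2 - x1) / d
    ym = y1 + a * (y2 - y1) / d
    if h == 0:
        return [(xm, ym)]  # tangent circles
    rx = -(y2 - y1) * h / d
    ry = (x2 - x1) * h / d
    return [(xm + rx, ym + ry), (xm - rx, ym - ry)]


def bearing_deg(origin, point):
    """Compass bearing from origin to point: 0 = north (+y), 90 = east (+x)."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360


def in_sector(tower, azimuth_deg, width_deg, point):
    """True if point lies inside the beam centred on azimuth_deg."""
    diff = (bearing_deg(tower, point) - azimuth_deg + 180) % 360 - 180
    return abs(diff) <= width_deg / 2


def locate(sectors, width_deg=120):
    """sectors: [(tower_xy, range_m, beam_azimuth_deg), ...] for two towers.

    Returns (all circle crossings, crossings that also lie in both beams)."""
    (c1, r1, az1), (c2, r2, az2) = sectors
    crossings = circle_intersections(c1, r1, c2, r2)
    kept = [p for p in crossings
            if in_sector(c1, az1, width_deg, p) and in_sector(c2, az2, width_deg, p)]
    return crossings, kept


if __name__ == "__main__":
    # Constructed scenario: towers 4 km apart, both measure ~2.5 km range and
    # both serve the phone from their north-facing (azimuth 0) sector.
    towers = [((0.0, 0.0), 2500.0, 0.0), ((4000.0, 0.0), 2500.0, 0.0)]
    both, in_beams = locate(towers)
    print("circle crossings:", both)
    print("consistent with both beams:", in_beams)
```

With circles alone the phone could be at (2000, 1500) or (2000, -1500); the second point sits at bearing 127 degrees from tower 1, outside its north-facing 120-degree beam, so only the first survives.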

~~~
mikepurvis
Sometimes it's split even more:
[https://www.google.ca/search?q=sector+antenna&tbm=isch](https://www.google.ca/search?q=sector+antenna&tbm=isch)

------
Rjevski
Note that a lot of the information from the BTS is already available to anyone
who "asks nicely".

The mechanism that provides roaming is based on trust, so anyone connected to
the SS7 network can query the location of any phone in the world and even
intercept its calls. Just say to the home carrier "hey this phone is roaming
on my network, would you be able to send me all of its calls and texts?".

~~~
nawtacawp
There was a talk/demo I saw a few years ago that went into great detail about
how this works. I remember it was given by a German. Anyone know what I am
talking about?

Edit: It was a video.

~~~
freeflight
I remember something similar, it was a presentation given at CCC in Germany.
Tried searching for it on their YouTube channel, just to discover said channel
was terminated for breaking YouTube ToS?!

That's really sad, their channel had videos of all the past talks from the
CCC, an amazing resource that's now gone.

I think this is the one you might have been talking about:
[https://www.youtube.com/watch?v=lsIriAdbttc](https://www.youtube.com/watch?v=lsIriAdbttc)

If it's not that one then it's probably one of the "Running your own
3G/3,5G/GSM network" talks.

~~~
striking
[https://www.youtube.com/watch?v=-wu_pO5Z7Pk](https://www.youtube.com/watch?v=-wu_pO5Z7Pk)

[https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipula...](https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf)

As seen on HN:
[https://news.ycombinator.com/item?id=8803998](https://news.ycombinator.com/item?id=8803998)

~~~
freeflight
That's the one, nice find.

------
warrenm
The phone companies already do this, more or less, as is shown in court cases
where cell phone records are brought in as evidence.

A decade ago that data was a little more iffy (i.e. it was more a good
estimate (typically within half a mile or less) than a true location), but
with a combination of more towers (and therefore more data points), the
ubiquity of smartphones (which check in more often, are doing geolocation-
related things, etc.), and better / more accessible / well-known analytics
tools, I think even 6 months would be a generous time-frame.

~~~
jimktrains2
> The phone companies already do this, more or less, as is shown in court
> cases where cell phone records are brought in as evidence

You can also arrange to buy this information. I worked for a place where you
could request someone's location by phone number. There were a lot of
contractual obligations around us having the phone owner "allow" us to do
that, but no technical ones.

~~~
EdwinHoksberg
How did you access the data? Via a simple REST api?

~~~
jimktrains2
> How did you access the data?

We signed a contract, fulfilled our obligations, and paid them money.

> Via a simple REST api?

I really don't remember. It might have been SOAP or something. It was an HTTP-
based API, but I don't think it was REST specifically.

There was also a 30s or so delay from request to when we'd get the location
back.

~~~
EdwinHoksberg
Interesting, thanks!

------
contingencies
Q. _What Does It Really Take to Track a Million Cell Phones?_

A. Sell outsourced billing solutions to the mobile carrier. (See AMDOCS)

------
Cieplak
Please don't abuse this :)

[https://github.com/ernw/ss7MAPer](https://github.com/ernw/ss7MAPer)

~~~
TACIXAT
Could you give a high level of what the ss7 network is and what this tool
does? I'm not very familiar with this area.

------
frankydp
Inrix, TomTom, and a couple of others have been providing this data as a
product for at least 2 decades. There was an early provider that led the
space, but the name of that company eludes me at the moment; it may actually
have been purchased by Inrix.

Most of those companies focused on 10 m +/- resolution and on path data to
build traffic speed data for local news companies.

Only cost a couple million bucks and an extensive partnership agreement to get
into the space.

There is a lot of data washing in those agreements, mostly related to
preventing reverse identification.

Airsage has taken it to the next level in the more recent past with GPS based
anonymized data, but data with EXTENSIVE history. The Airsage product is zip
code and smaller resolution and can provide months to years of location
history of an anonymous cell phone id.

------
jakeogh
Seems easy to mitigate with a tweak to the network connection order:
[https://news.ycombinator.com/item?id=10985599](https://news.ycombinator.com/item?id=10985599)

------
mikhailfranco
To answer the 'Call for comment' about intersecting complex shapes... one
simple, fast, general, approximate, discrete method is to use OpenGL to get
your GPU to do it for you. Just render the shapes into an off-screen
framebuffer, using appropriate logic ops or stencil planes, then read back the
final buffer to get a bitmask of the possible positions. To reduce to one
estimate of position, find the centroid of the largest contiguous pixel group
(flood-fill different seed ids; histogram pixels; select region id with
highest count).
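
A software version of the same discrete method, added here as an example (it is not mikhailfranco's code, and there is no OpenGL in it): the shapes are sampled onto a grid in place of rendering to a framebuffer, a cell that is inside every shape plays the role of the AND logic op, and a flood fill labels the connected cell groups so the centroid of the largest can be taken as the single estimate. Python; flat x/y metres; the annular-sector shape (a range estimate with a tolerance band, cut to the sector antenna's beam) and the two-tower scenario are constructed assumptions, chosen so that one spurious region survives and the "largest group" rule has something to reject.

```python
import math


def bearing_deg(origin, point):
    """Compass bearing from origin to point: 0 = north (+y), 90 = east (+x)."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360


def annular_sector(tower, r_min, r_max, azimuth_deg, width_deg):
    """Predicate for 'between r_min and r_max metres from tower, inside its beam'.
    A range estimate with +/- error and a sector antenna give exactly this shape."""
    def inside(x, y):
        if not (r_min <= math.hypot(x - tower[0], y - tower[1]) <= r_max):
            return False
        diff = (bearing_deg(tower, (x, y)) - azimuth_deg + 180) % 360 - 180
        return abs(diff) <= width_deg / 2
    return inside


def rasterize(shapes, x0, y0, x1, y1, cell):
    """Stand-in for rendering with AND logic ops: sample every shape at each
    cell centre and keep only cells that are inside all of them."""
    cols, rows = int((x1 - x0) / cell), int((y1 - y0) / cell)
    grid = []
    for j in range(rows):
        y = y0 + (j + 0.5) * cell
        grid.append([all(s(x0 + (i + 0.5) * cell, y) for s in shapes)
                     for i in range(cols)])
    return grid


def label_regions(grid):
    """Flood-fill 4-connected set cells, one fresh id per group: id -> [(i, j)]."""
    rows, cols = len(grid), len(grid[0])
    labels = [[0] * cols for _ in range(rows)]
    regions, next_id = {}, 1
    for j in range(rows):
        for i in range(cols):
            if not grid[j][i] or labels[j][i]:
                continue
            labels[j][i] = next_id
            stack, cells = [(i, j)], []
            while stack:
                ci, cj = stack.pop()
                cells.append((ci, cj))
                for ni, nj in ((ci + 1, cj), (ci - 1, cj), (ci, cj + 1), (ci, cj - 1)):
                    if 0 <= ni < cols and 0 <= nj < rows and grid[nj][ni] and not labels[nj][ni]:
                        labels[nj][ni] = next_id
                        stack.append((ni, nj))
            regions[next_id] = cells
            next_id += 1
    return regions


def estimate_position(shapes, x0, y0, x1, y1, cell):
    """Histogram the region ids, pick the largest, return its centroid in metres
    plus the region sizes (largest first) so the caller can see the ambiguity."""
    regions = label_regions(rasterize(shapes, x0, y0, x1, y1, cell))
    if not regions:
        return None, []
    sizes = sorted((len(c) for c in regions.values()), reverse=True)
    largest = max(regions.values(), key=len)
    n = len(largest)
    cx = x0 + (sum(i for i, _ in largest) / n + 0.5) * cell
    cy = y0 + (sum(j for _, j in largest) / n + 0.5) * cell
    return (cx, cy), sizes


def demo():
    """Constructed scenario: two towers 4 km apart, each reporting 2.5 km +/- 100 m.
    Tower 1 is omnidirectional; tower 2's 200-degree beam covers the true lens
    fully but only part of the mirror-image lens, so the largest region wins."""
    shapes = [annular_sector((0.0, 0.0), 2400, 2600, 0, 360),
              annular_sector((4000.0, 0.0), 2400, 2600, 333, 200)]
    return estimate_position(shapes, 0, -2000, 4000, 2000, 25)


if __name__ == "__main__":
    centroid, sizes = demo()
    print("estimate (m):", centroid, "region sizes (cells):", sizes)
```

The returned size list is the histogram the comment describes; when the top two entries are close, the estimate is genuinely ambiguous and a consumer should say so rather than report the centroid as a fix. Cell size trades resolution against cost in the same way framebuffer size does on the GPU.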

------
harlanji
I did the math a while back, don't have the notes at the moment, but scaling
an AWS system I built enough to collect 600m points of data each minute,
compute on data within 100ms and retain it for a few minutes would run a bit
over $10k USD/mo to operate. I operated it at about 3m events/min with a good
amount of compute per event, including IP-to-geo lookup... Zookeeper would be
the only bottleneck in this case, assuming good enough partitioning.

~~~
tinix
Using AWS is the problem here, and that's why it's so expensive. You could do
this on bare metal WAY faster and more efficiently, and then you own the
hardware forever, for the price you paid to do it for a month with a third
party.

AWS does not scale this way, you can't just throw more resources at a problem
and expect to be profitable.

~~~
greenleafjacob
You would own the hardware until it died which is not forever.

~~~
tinix
Just because it quits working doesn't mean you don't still own it. Might wanna
lay off the green leaf, bro. Hahaha

------
losteverything
If my phone is powered off can i be tracked?

What if i remove the battery?

~~~
gvb
If your phone is powered off _or in airplane mode_ it is not supposed to emit
RF and thus cannot be tracked. This is a matter of trust, so if your threat
model includes high-end threats, the assumption that it follows the normal
requirements may be invalid.

If you remove the battery, it will be unpowered and unable to emit RF and thus
cannot be tracked. While it is theoretically possible to hide an auxiliary
battery in your phone, that would be very hard to achieve, especially in
modern thin phones. If your threat model includes highly motivated state-
sponsored actors, this could be achieved.

If you put your phone in an RF-tight enclosure (e.g. a metal box), the RF
energy cannot get out and thus it cannot be tracked.

~~~
aembleton
Modern thin phones don't let you remove the battery, so they could easily
continue to transmit RF.

------
liprais
This method will only work with GSM networks because 1. GSM networks don't
verify the BTS and 2. GSM encryption keys are cracked and all over the
internet. Users of other kinds of networks should not worry about this kind of
hack. Actually, here in China a fake BTS, a.k.a. 伪基站, can be easily
purchased online.

~~~
rsync
"this method will only work with GSM network because ..."

Yes, that's true - but remember that all of our 3G/4G phones _are also 2G
phones_ and that if you disable/jam/overpower the 3G/4G signals the phone will
very happily revert down to 2G, possibly with no encryption, and possibly in a
way that you have to be very careful to even notice.

There are quite a few attacks that are mitigated by 3G/4G in theory, but in
practice you're still vulnerable to because your phone can be downgraded to 2G
by an outside actor.

~~~
girvo
Interestingly, the 2G networks are being (or have? I can't remember which)
shut down entirely here in Australia.

------
TACIXAT
I was hoping there would be some information in here about what cell phones
leak that a third party could pick up on. For example, tracking the mac
address in beacon packets, or the cell frequency equivalent of that. Of course
if you can hook into the base stations you can track them.

------
sengork
Who else noticed the Winamp icon at one of the diagrams?

[https://thehftguy.files.wordpress.com/2017/07/tdoa.png?w=300...](https://thehftguy.files.wordpress.com/2017/07/tdoa.png?w=300&h=225)

------
eleitl
Now you know why my Nokia 3310 is switched off most of the time.

------
draw_down
Nothing worthwhile ever takes an intern and six months. Ever.

~~~
tripzilch
One has to wonder why interns even _bother_. /s

------
devrandomguy
A: A deeply sociopathic mindset. See the requirements section for details.

~~~
thinkfurther
This is "off-topic" to the attention span of HN. I recently realized this when
someone mentioned corruption as the main problem of some issue; yeah, that's
"very general", but nevermind programmers, not even a power user would keep
looking for program bugs or worry about the order they do things in when it's
already been confirmed that the memory or PSU or something like that is
faulty. Anyone worth their salt would stop those other debug activities to
focus on correcting that, while someone who absorbed these broken parts and/or
their acceptance as part of their synthetic identity will do anything _but_
that.

Also see Hannah Arendt, Erich Fromm, et al. This other mediocre shit? This
being a "hacker" in a goldfish bowl? That's for those who can't hack the adult
responsibilities of the 20th and 21st centuries, those who fell asleep, those
who already fell off. They will downvote you today and look the other way as
drones take care of you tomorrow; don't hold your breath for anything else.
Anything else, any future worth a fuck, has to be done _despite_ their wishes,
or rather, despite where they are drifting.

------
trekking101
Somebody please explain this line from the post:

Radio waves travel at the speed of light 299 792 458 m/s.

~~~
officialjunk
When you turn on a lightbulb, the light coming from the bulb travels at the
speed of light, which is 299,792,458 meters per second. Radio waves also
travel at this same speed, since it is also light.

~~~
sillysaurus3
It's worth mentioning that neither light nor radio waves travel at 299,792,458
m/s through atmosphere. That's the speed of light in a vacuum.

An interesting question is whether radio waves, gamma radiation, and visible
light all travel an identical speed through atmosphere.

The reason light slows down in atmosphere is because it hits atoms. It travels
between each atom at the speed of light, but when it reaches an atom the
radiation is absorbed and re-emitted, which introduces a delay. So the
question that I'm wondering is: do different frequencies of radiation get
absorbed and re-emitted at the same rate as every other frequency? That would
give it identical speed. But if the absorption is different then presumably
the speed would also be different.

~~~
smeyer
> An interesting question is whether radio waves, gamma radiation, and visible
> light all travel an identical speed through atmosphere.

They don't. The index of refraction tells you about how the speed of light is
changed by a medium, and the fact that it's different for different colors of
visible light is why you get effects like rainbows.

This Stack Exchange question might interest you if you'd like to read more:
[https://physics.stackexchange.com/questions/196803/why-is-th...](https://physics.stackexchange.com/questions/196803/why-is-the-index-of-refraction-different-for-different-wavelengths)

