In cellular networks, mobile stations (MSs) are usually battery powered. To prolong their operating time, the network architecture allows an MS to enter idle mode after it has been inactive for a certain period. In idle mode, the MS does not maintain a connection with the serving base station (BS). When the network needs to reach an idle MS, for example for an incoming voice call, data, or a system information update, the BS notifies it with a paging message. Because an idle MS may have moved since it last communicated, the network does not know its exact cell; instead it maintains a tracking area for each idle MS.
A tracking area consists of several cells, and the MS only has to report to the network when it moves out of its assigned tracking area. Paging messages are generally sent without any confidentiality protection, so anyone with a suitable receiver can read them. The privacy of the paged subscriber therefore rests on the use of temporary IDs, which have meaning only to the idle MS and the serving network within that tracking area.
Recently, D. F. Kune et al., in “Location Leaks over the GSM Air Interface” (Proceedings of the 19th Annual Network and Distributed System Security Symposium, 2012), showed that despite the use of temporary IDs, the location of a user's cellphone in a GSM network can still be leaked. In particular, an attacker can determine whether a user's cellphone is within a small area, or absent from a large area, without the user's awareness. Such a vulnerability can have serious consequences. In an oppressive regime, for example, the locations of dissidents could be revealed to state agents without the cooperation of a reluctant service provider. As another example, a thief planning a break-in could use knowledge of the target's absence to reduce the risk of an encounter.
To perform this location attack, the attacker needs two capabilities: the ability to cause paging request messages for the target to appear on the GSM Paging Control Channel (PCCH), and the ability to listen to the PCCH broadcast.
In GSM networks, paging messages are sent on downlink common control channels within the TDMA frame structure, and the paged subscriber is addressed by a Temporary Mobile Subscriber Identity (TMSI) rather than by a permanent identifier. The idea behind the location attack is that the adversary initiates a connection request to the user's cellphone (this assumes, of course, that the adversary knows the target's phone number), which causes a paging message to be sent throughout the user's tracking area. By observing the paging channel during a short window after each request, the adversary obtains a set of candidate TMSIs: one belongs to the target, the rest belong to unrelated phones that happened to be paged at the same time. Repeating the procedure several times yields several such candidate sets, and intersecting them isolates the TMSI associated with the user's cellphone, since only that TMSI appears in every set.
Practical experiments on the T-Mobile and AT&T GSM networks showed that after two or three repetitions the adversary can pinpoint the TMSI of the user's cellphone. To keep the user unaware of the attack, the connection request must be terminated after the paging message has been sent but before a connection is established, i.e. before the phone rings. In the paper referenced above, the authors showed experimentally that calling the target's number and hanging up within 5 seconds causes a paging message to be sent without the user's phone ringing. Another way to achieve the same effect is to send a “silent SMS”, a controversial technique that German and French police have used to track people.
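The set-intersection step described in the two paragraphs above, as an added example that is not code from the cited paper or from this page. It runs offline on a constructed, synthetic log of decoded paging requests (timestamp plus TMSI) and a list of times at which the attacker triggered a paging; the log format, the 5-second observation window, and all TMSI values are assumptions of this example, and the functions `parse_paging_log`, `candidate_sets`, `intersect_candidates`, `identify_target` and `present_in_area` are hypothetical names chosen here. It also shows the follow-up presence test for the "absent from a large area" case, which the paragraphs mention but do not spell out.

```python
import re

# Constructed sample of decoded paging-channel traffic: one line per paging
# request seen in the monitored location area, with a receiver timestamp in
# seconds. Synthetic data for this example, not a real capture.
PAGING_LOG = """\
t=0.40   PAGING_REQUEST TMSI=0x2a1b3c4d
t=0.55   PAGING_REQUEST TMSI=0x7f00aa11
t=1.10   PAGING_REQUEST TMSI=0xdeadbeef
t=2.30   PAGING_REQUEST TMSI=0x00c0ffee
t=4.80   PAGING_REQUEST TMSI=0x7f00aa11
t=30.00  PAGING_REQUEST TMSI=0xabcdef01
t=60.20  PAGING_REQUEST TMSI=0x00c0ffee
t=61.20  PAGING_REQUEST TMSI=0x2a1b3c4d
t=62.00  PAGING_REQUEST TMSI=0x13579bdf
t=64.50  PAGING_REQUEST TMSI=0x7f00aa11
t=90.50  PAGING_REQUEST TMSI=0xdeadbeef
t=120.30 PAGING_REQUEST TMSI=0x2a1b3c4d
t=121.00 PAGING_REQUEST TMSI=0x13579bdf
t=123.70 PAGING_REQUEST TMSI=0xdeadbeef
"""

# Times (same clock as the log) at which the attacker dialled the target and
# hung up before the phone rang. Constructed for this example.
TRIGGER_TIMES = [0.0, 60.0, 120.0]

# Length of the observation window after each trigger. The text quotes a
# 5-second hang-up limit; using it as the window length is this example's
# assumption, not a figure from the paper.
WINDOW_SECONDS = 5.0

LINE_RE = re.compile(
    r"t=(?P<t>\d+\.\d+)\s+PAGING_REQUEST\s+TMSI=(?P<tmsi>0x[0-9a-fA-F]{8})"
)


def parse_paging_log(text):
    """Parse log lines into (timestamp, tmsi) pairs; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((float(m.group("t")), int(m.group("tmsi"), 16)))
    return events


def tmsis_in_window(events, start, length=WINDOW_SECONDS):
    """All TMSIs paged in [start, start + length]: the candidate set for one trigger."""
    return {tmsi for t, tmsi in events if start <= t <= start + length}


def candidate_sets(events, triggers, length=WINDOW_SECONDS):
    """One candidate set per trigger, in trigger order."""
    return [tmsis_in_window(events, trig, length) for trig in triggers]


def intersect_candidates(sets):
    """Running intersection: the candidates still possible after each round."""
    remaining = None
    history = []
    for s in sets:
        remaining = set(s) if remaining is None else remaining & s
        history.append(frozenset(remaining))
    return history


def identify_target(events, triggers, length=WINDOW_SECONDS):
    """Return (tmsi, rounds) once the intersection narrows to a single TMSI.

    Returns (None, rounds) if the rounds were too few to disambiguate, or if the
    intersection became empty (the target was not paged in some window, e.g. it
    had left the monitored area or its TMSI was reallocated in between).
    """
    history = intersect_candidates(candidate_sets(events, triggers, length))
    for i, remaining in enumerate(history, start=1):
        if len(remaining) == 1:
            return next(iter(remaining)), i
        if not remaining:
            return None, i
    return None, len(history)


def present_in_area(events, trigger, tmsi, length=WINDOW_SECONDS):
    """Presence test once the TMSI is known: trigger a paging and check whether
    the monitored area's paging channel carries that TMSI within the window."""
    return tmsi in tmsis_in_window(events, trigger, length)


if __name__ == "__main__":
    events = parse_paging_log(PAGING_LOG)
    for i, s in enumerate(candidate_sets(events, TRIGGER_TIMES), start=1):
        print(f"round {i}: {len(s)} candidate TMSIs")
    tmsi, rounds = identify_target(events, TRIGGER_TIMES)
    if tmsi is None:
        print(f"not identified after {rounds} rounds")
    else:
        print(f"target TMSI {tmsi:#010x} identified after {rounds} rounds")
```

With this data the candidate sets shrink from four to three to one TMSI over three triggers, matching the two-to-three repetitions reported in the text; with only the first two triggers the function correctly reports that the target is not yet identified rather than guessing. A learned TMSI stays useful only until the network reallocates it, after which the intersection has to be repeated from scratch.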