Yeming Li,Hailong Lin,Jiamei Lv,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/infocom52122.2024.10621247

2024-01-01

Abstract:In recent years, Bluetooth Low Energy (BLE) has become one of the most wildly used wireless protocols and it is common that users carry one or more BLE devices. With the extensive deployment of BLE devices, there is a significant privacy risk if these BLE devices can be tracked. However, the common wisdom suggests that the risk of BLE location tracking is negligible. The reason is that researchers believe there are no stable BLE fingerprints that are stable across different scenarios (e.g., temperatures) for different BLE devices with the same model. In this paper, we introduce a novel physical-layer fingerprint named Transient Dynamic Fingerprint (TDF), which originated from the negative feedback control process of the frequency synthesizer. Because of the hardware imperfection, the dynamic features of the frequency synthesizer are different, making TDF unique among different devices, even with the same model. Furthermore, TDF keeps stable under different thermal conditions. Based on TDF, we propose BTrack, a practical BLE device tracking system and evaluate its tracking performance in different environments. The results show BTrack works well once BLE beacons are effectively received. The identification accuracy is 35.38%-57.41% higher than the existing method, and stable over temperatures, distances, and locations.

Kang Hu,Chaojie Gu,Jiming Chen

DOI: https://doi.org/10.1109/TVT.2022.3143526

IF: 6.8

2022-01-01

IEEE Transactions on Vehicular Technology

Abstract:The robot's mobility and intelligence have expanded its application in recent years. Specifically, indoor tracking is a fundamental function of public service robots in nursing homes, hospitals, and warehouses. Existing vision-based tracking requires visual information, which may be unavailable and introduce privacy issues in practical deployment. To this end, in this paper, we propose LTrack, a long-range tracking system based on LoRa, an emerging low-power wide-area networking (LPWAN) technology, with a single transceiver pair. Note that commodity LoRa devices cannot estimate the angle of arrival (AoA) of signals due to hardware limitations. We design a virtual circular antenna array in the mobile rotating anchor via a lightweight hardware modification to multiplex the only RF channel in the low-cost LoRa device. The difference of time of flight (TDoF) measured in the circular antenna array is fused with the rotating orientation to estimate the target AoA. We also redesign and optimize the primitive LoRa ranging engine based on systematic analysis. Further, we present a real-time mobile target tracking algorithm based on the Doppler frequency shift to combat the uncertainty introduced by the target movement. We have developed the prototype of LTrack, which consists of a mobile rotating anchor, a LoRa tag, and a commercial robot. The system is evaluated in both LOS and NOLS indoor scenarios. Experiments show that LTrack supports robust tracking with a median error of 0.12 m and 0.45 m in a 137 m(2) lab space and a 600 m(2) corridor, respectively.

Stig F. Mjølsnes,Ruxandra F. Olimid

DOI: https://doi.org/10.48550/arXiv.1702.04434

2017-02-15

Abstract:IMSI Catchers are tracking devices that break the privacy of the subscribers of mobile access networks, with disruptive effects to both the communication services and the trust and credibility of mobile network operators. Recently, we verified that IMSI Catcher attacks are really practical for the state-of-the-art 4G/LTE mobile systems too. Our IMSI Catcher device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies access of subscribers to the commercial network. Moreover, we demonstrate that these attack devices can be easily built and operated using readily available tools and equipment, and without any programming. We describe our experiments and procedures that are based on commercially available hardware and unmodified open source software.

Cryptography and Security

Ronghua Li,Haibo Hu,Qingqing Ye

DOI: https://doi.org/10.1109/tifs.2024.3404810

IF: 7.231

2024-06-04

IEEE Transactions on Information Forensics and Security

Abstract:We present RFTrack, a new indoor location inference attack on Wi-Fi devices. This attack differs from existing Wi-Fi localization methods as it does not need bulky appliance deployment or inner physical access to the place of interest. RFTrack distinguishes itself by leveraging the temporal sequence of unlabeled Received Signal Strength Indicator (RSSI) values to deduce location labels. To achieve this, we deploy a Reinforcement Learning (RL) agent to model the most likely path of device movement and utilize these modeled trajectories to construct an RSSI fingerprint map. To enhance the accuracy of trajectory reconstruction, our technique exploits certain stationary Wi-Fi devices within the target area as reference points, facilitating the assessment of whether the mobile devices have traversed near specific zones with a newly proposed metric, the RSSI difference. The experimental results demonstrate that our system can accurately recover the trends of moving trajectories and successfully associate the unlabeled RSSI values with positions inside the place of interest to build a fingerprint map for real-time device tracking.

computer science, theory & methods,engineering, electrical & electronic

W. Xu,M. Huang,C. Zhu,A. Dammann

DOI: https://doi.org/10.1002/ett.2871

IF: 3.6

2014-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:The US Federal Communications Commission (FCC) has mandated wireless network operators and mobile devices to provide accurate location information for E‐911. Requirements for time of arrival (TOA) and time difference of arrival (TDOA) measurements have been specified in 3GPP LTE Rel. 9 to ensure accurate user equipment (UE) positioning even under bad conditions (e.g. with channel quickly varying and SNR being as low as −13 dB). To fulfil these requirements, it is vital to accurately estimate the first signal arriving path. In this work, we first derive ‐ without any approximation ‐ the Cramér–Rao lower bound (CRLB) of the LTE TOA and TDOA measurements based on the different pilots, which is shown to be as low as a few metres for SNR = −13 dB. The achievable performance of the LTE system is compared with the FCC and 3GPP requirements, and the impact of mobile multipath channels on the measurements is analysed. Then, we describe practical low‐complexity methods for LTE TOA and TDOA measurements with enhanced first arriving path detection. The maximum likelihood based correlation profile is used as detection metric. After grossly determining the signal region by a moving window, three methods, namely, peak detection, SNR‐based threshold and adaptive threshold based on noise floor and metric peak value are employed to estimate the first arriving path. Simulation results show that the proposed adaptive threshold‐based method can meet all 3GPP requirements under various realistic mobile channels, and can in some cases achieve a performance close to the CRLB. Copyright © 2014 John Wiley & Sons, Ltd.

Jinku Li,Yangtian Ye,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1109/access.2018.2804321

IF: 3.9

2018-01-01

IEEE Access

Abstract:Short message service (SMS) authorization codes play an important role in the application ecosystem, as a number of transactions (e.g., personal identification and online banking) require users to provide a code for authorization purposes. However, authorization codes in SMS messages can be stolen and forwarded by attackers, which introduces serious security concerns. In this paper, we propose CodeTracker, a lightweight approach to track and protect SMS authorization codes. Specifically, we leverage the taint tracking technique to mark the authorization code with taint tags at the origin of the incoming SMS messages (taint sources), and then, we propagate the tags in the system. To this end, we modify the related array structure, array operations, string operations, inter-process communication mechanism, and file operations for secondary storage of SMS authorization codes to ensure that the taint tags cannot be removed. When the authorization code is sent out via either SMS messages or network connections (taint sinks), we extract the taint tag of the data and enforce pre-defined security policies to prevent the code from being leaked. We have developed a prototype of CodeTracker on Android's ART virtual machine and used 1, 218 SMS-stealing Android malware samples to evaluate the system. The evaluation results show that CodeTracker can effectively track and protect SMS authorization codes with a small performance overhead (<;2% on average).

Zishuai Cheng,Mihai Ordean,Flavio Garcia,Baojiang Cui,Dominik Rys

DOI: https://doi.org/10.56553/popets-2023-0053

2023-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Voice over LTE (VoLTE) and Voice over NR (VoNR), are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100% accuracy. Finally, we show that we can link network identifiers such as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.

English Else

Ivan Palamà,Francesco Gringoli,Giuseppe Bianchi,Nicola Blefari-Melazzi

DOI: https://doi.org/10.1016/j.comnet.2021.108137

IF: 5.493

2021-07-01

Computer Networks

Abstract:IMSI catching attacks are a type of privacy threats designed to locate and track specific users by gathering their long-term identifiers, i.e., their International Mobile Subscriber Identity (IMSI). In order to understand how different mobile phone brands respond to different attack methods, this article makes a twofold contribution. We first address the feasibility and practicality of IMSI Catchers using off-the-shelf Software-Defined-Radio (SDR) platforms and two open source frameworks - OpenAirInterface and srsLTE. Second, we evaluate the behavior of different mobile phone brands/modems, when they are under attack. Specifically, we performed experiments on 26 4G devices and four more recent ones also supporting 5G. In each experiment we performed two different attack types, and we tested the attacks when using/not using a radio-frequency jammer specifically designed for our purposes. Our tests show that the sheer majority of the devices under test (also the last ones 3GPP Release 15 compliant) surrender even without any jamming. Finally, we have verified that network deployments have no impact — we repeated tests on four different operator's networks —, and we also developed a portable IMSI Catcher using a Raspberry Pi4 so as to test the attacks over early 5G Non Stand-Alone deployments we could find in our cities.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Giuseppe Ateniese,Briland Hitaj,Luigi V. Mancini,Nino V. Verde,Antonio Villani

DOI: https://doi.org/10.48550/arXiv.1505.07774

2015-09-04

Abstract:News reports of the last few years indicated that several intelligence agencies are able to monitor large networks or entire portions of the Internet backbone. Such a powerful adversary has only recently been considered by the academic literature. In this paper, we propose a new adversary model for Location Based Services (LBSs). The model takes into account an unauthorized third party, different from the LBS provider itself, that wants to infer the location and monitor the movements of a LBS user. We show that such an adversary can extrapolate the position of a target user by just analyzing the size and the timing of the encrypted traffic exchanged between that user and the LBS provider. We performed a thorough analysis of a widely deployed location based app that comes pre-installed with many Android devices: GoogleNow. The results are encouraging and highlight the importance of devising more effective countermeasures against powerful adversaries to preserve the privacy of LBS users.

Cryptography and Security

Pai Wang,Yang Wang,Y. Jade Morton,Jade Morton

DOI: https://doi.org/10.1109/taes.2021.3139569

IF: 3.491

2021-01-01

IEEE Transactions on Aerospace and Electronic Systems

Abstract:Positioning with cellular signals has been gaining attention in urban and indoor environments, where global navigation satellite system signals have limited availability due to interference, blockage, or multipath. However, accurate and reliable tracking of cellular signals under highly dynamic urban channel conditions remains a challenging task. This article presents a cellular long-term evolution (LTE) signal tracking algorithm implemented by an adaptive multipath estimating delay lock loop (AMEDLL) to achieve carrier phase synchronization and time-of-arrival (TOA) tracking under severe multipath propagation conditions. The analytical expression of the coherently integrated correlation result over multiple slots with the LTE cell-specific reference signal is derived. A multipath estimator along with a simple yet efficient multipath estimation monitoring approach is developed to estimate the parameters of all detected multipath signals. Several heuristic monitoring criteria based on historical multipath parameter estimations are established to enable adaptive adjustment of the estimated path number. Real LTE signals are collected in an urban environment for the signal tracking performance evaluation. This article presents two case studies with varying levels of multipath effects and signal power to illustrate the effectiveness of the developed signal tracking algorithm. Instead of a TOA truth reference, open-loop carrier phase estimations are used to analyze the TOA tracking error. Our analyses demonstrate that the AMEDLL-based tracking algorithm provides improved TOA estimation accuracy over the existing super-resolution-algorithm-based and delay-lock-loop-based tracking schemes.

telecommunications,engineering, electrical & electronic, aerospace

Heng Qi,Yanming Shen,Baocai Yin

DOI: https://doi.org/10.1109/tccn.2019.2961660

2020-01-01

Abstract:As cellular networks get widely deployed, mobiles generate enormous amount of signaling data during every call and session. These signaling data contains rich location information. If at the network side, we can accurately locate large amounts of users using the signaling data, this will present opportunities for many novel applications, e.g., assisting wireless operators to troubleshoot the network performance, and providing location assisted service. However, it is challenging to accurately locate a user using only the signaling data due to its relatively high noise. Most existing solutions are based on fingerprint approaches, which apply supervised learning and are costly to build the fingerprint map. In this paper, we propose LTETrack, a novel trajectory tracking system using LTE signaling data. LTETrack only uses data that is already available in current LTE system and does not require any special hardware/software. LTETrack first makes a key observation that the Timing Advance (TA) data is suitable for trajectory tracking. TA value corresponds to the length of time that a signal takes to reach the cell tower from a mobile phone, which is required in cellular communication standard. LTETrack incorporates novel filtering techniques to identify the most accurate TAs, and then runs a map-matching algorithm to locate a user. We have evaluated LTETrack using traces collected in our city covering more than 800km. The results show that LTETrack achieves a high trajectory matching accuracy in metropolitan area.

Yafei Tian,Hao Duan,Yangyang He

DOI: https://doi.org/10.1109/ICCW.2019.8756961

2019-01-01

Abstract:Mobile communication signal such as LTE is a good external illuminator for wireless sensing, since it is seamlessly covered and always on the air. Through channel estimation, we can find the variation of propagation channels, and then locate the moving objects passively. The basic idea of passive localization is to estimate the propagation delay of the dynamic reflection path, determine an ellipse based on the known positions of the transmitter and receiver, and finally solve the intersection point of multiple ellipses. However, the synchronization error, sampling clock drift, frequency offset and phase noise will severely impact the estimation performance. In this paper, we propose a set of methods to make the practical application of this kind of passive localization possible. A prototype system is built to test the performance in real environments, and various experiments have been done to verify its feasibility.

Taekkyung Oh,Sangwook Bae,Junho Ahn,Yonghwa Lee,Tuan Dinh Hoang,Min Suk Kang,Nils Ole Tippenhauer,Yongdae Kim

2024-09-26

Abstract:In cellular networks, authorities may need to physically locate user devices to track criminals or illegal equipment. This process involves authorized agents tracing devices by monitoring uplink signals with cellular operator assistance. However, tracking uncooperative uplink signal sources remains challenging, even for operators and authorities. Three key challenges persist for fine-grained localization: i) devices must generate sufficient, consistent uplink traffic over time, ii) target devices may transmit uplink signals at very low power, and iii) signals from cellular repeaters may hinder localization of the target device. While these challenges pose significant practical obstacles to localization, they have been largely overlooked in existing research. This work examines the impact of these real-world challenges on cellular localization and introduces the Uncooperative Multiangulation Attack (UMA) to address them. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to maximum levels, and 3) uniquely differentiate between signals from the target and repeaters. Importantly, UMA operates without requiring privileged access to cellular operators or user devices, making it applicable to any LTE network. Our evaluations demonstrate that UMA effectively overcomes practical challenges in physical localization when devices are uncooperative.

Cryptography and Security

Heng Zhang,Zhichao Zhang,Shunqing Zhang,Shugong Xu,Shan Cao

DOI: https://doi.org/10.48550/arXiv.1907.00594

2019-07-01

Abstract:Wireless localization for mobile device has attracted more and more interests by increasing the demand for location based services. Fingerprint-based localization is promising, especially in non-Line-of-Sight (NLoS) or rich scattering environments, such as urban areas and indoor scenarios. In this paper, we propose a novel fingerprint-based localization technique based on deep learning framework under commercial long term evolution (LTE) systems. Specifically, we develop a software defined user equipment to collect the real time channel state information (CSI) knowledge from LTE base stations and extract the intrinsic features among CSI observations. On top of that, we propose a time domain fusion approach to assemble multiple positioning estimations. Experimental results demonstrated that the proposed localization technique can significantly improve the localization accuracy and robustness, e.g. achieves Mean Distance Error (MDE) of 0.47 meters for indoor and of 19.9 meters for outdoor scenarios, respectively.

Signal Processing,Systems and Control

Xi Chen,Andrea Edelstein,Yunpeng Li,Mark Coates,Michael G. Rabbat,Aidong Men

2011-01-01

Abstract:This paper presents and evaluates a method for simultaneously tracking a target while localizing the sensor nodes of a passive device-free tracking system. The system uses received signal strength (RSS) measurements taken on the links connecting many nodes in a wireless sensor network, with nodes deployed such that the links overlap across the region. A target moving through the region attenuates links intersecting or nearby its path. At the same time, RSS measurements provide information about the relative locations of sensor nodes. We utilize the Sequential Monte Carlo (particle filtering) framework for tracking, and we use an online EM algorithm to simultaneously estimate static parameters (including the sensor locations, as well as model parameters including noise variance and attenuation strength of the target). Simultaneous tracking, online calibration and parameter estimation enable rapid deployment of a RSS-based device free localization system, e.g., in emergency response scenarios. Simulation results and experiments with a wireless sensor network testbed illustrate that the proposed tracking method performs well in a variety of settings.

Zheng Yang,Feng Wang,Wei Gong

DOI: https://doi.org/10.1109/PERCOMWORKSHOPS51409.2021.9430940

2021-01-01

Abstract:Thanks to the ability to decompose multipath from raw data, decimeter-level localization and tracking solutions have come to reality. Yet, one daunting task in such solutions is how to robustly and efficiently identify the direct path from multiple candidates. In this paper, we present Mobi-Track to explore the mobility of target to handle this challenge and output the trajectory precisely. Through a novel likelihood function, Mobi-Track can distill the direct-path with high probability. We further propose a Forward Pruning algorithm to reduce the computational burden and make it more applicable in practice. A prototype is implemented based on commercial WiFi NICs. Our extensive experiments show that Mobi-Track can achieve AOA error of about 16.1 degrees in Line-of-Sight (LOS) scenario and 21.7 0 in Non-Line-of-Sight scenario, and a median tracking error of 0.86 m in LOS scenario, making Mobi-Track an excellent option for a wide range of indoor localization and tracking applications to significantly boost their performance.

Sanjia Xu,Yafei Tian

DOI: https://doi.org/10.1109/lcomm.2018.2854587

IF: 3.5529

2018-01-01

IEEE Communications Letters

Abstract:Wireless signals not only carry the information of data but also encode the information of propagation environments. The motion of an object can be sensed by analyzing the variation of channel-state information. Combining the function of wireless sensing and communication will further enhance the capability of smartphones. LTE signal, which is always on the air and is seamlessly covered, is a perfect external illuminator for wireless sensing. In this letter, we study the device-free moving object detection via LTE signals. We build a prototype to receive on-the-air LTE signal and extract the real-time channel response. The existence of a moving object is recognized by the amplitude of the interfered multipath, and the moving speed is derived by the phase of the dynamic reflection. The detection probability and discovery region are investigated, and field experiments are conducted to validate the analyses.

Norbert Ludant,Marinos Vomvas,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2403.06717

2024-03-11

Abstract:Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.

Cryptography and Security

Lionel de Guenin,Patrick Rosson,Nicolas Petrochilos,Eric Moreau

DOI: https://doi.org/10.1049/rsn2.12662

2024-12-12

IET Radar Sonar & Navigation

Abstract:This paper present a single‐antenna receiver passive radar system in the context of mobile target detection leveraging the LTE network as an illumination source. The proposed system uses signal reconstruction, enabled by the telecom structure of the opportune signal in order to forego the use of a reference antenna. This presents the advantage of not relying on a physical signal for reference and its possible defect, potentially yielding better performances. This paper presents a single‐antenna receiver passive radar system in the context of moving target detection such as trains, car, planes and UAVs, leveraging the long‐term evolution (LTE) network as an illumination source. The proposed system uses signal reconstruction enabled by the telecom structure of the opportune signal in order to forego the use of a reference antenna. This presents the advantage of not relying on a physical signal for reference and its possible defect, potentially yielding better performances. The techniques introduced are validated through simulation and experiments. Moreover, a simplified passive radar system emphasises one of the key advantage of passive radar over other competing technologies for moving target detection: stealthiness and cost‐effectiveness.

telecommunications,engineering, electrical & electronic

Simon Erni,Martin Kotuliak,Patrick Leu,Marc Roeschlin,Srdjan Capkun

DOI: https://doi.org/10.1145/3495243.3560525

2022-09-08

Abstract:In cellular networks, attacks on the communication link between a mobile device and the core network significantly impact privacy and availability. Up until now, fake base stations have been required to execute such attacks. Since they require a continuously high output power to attract victims, they are limited in range and can be easily detected both by operators and dedicated apps on users' smartphones. This paper introduces AdaptOver - a MITM attack system designed for cellular networks, specifically for LTE and 5G-NSA. AdaptOver allows an adversary to decode, overshadow (replace) and inject arbitrary messages over the air in either direction between the network and the mobile device. Using overshadowing, AdaptOver can cause a persistent ($\geq$ 12h) DoS or a privacy leak by triggering a UE to transmit its persistent identifier (IMSI) in plain text. These attacks can be launched against all users within a cell or specifically target a victim based on its phone number. We implement AdaptOver using a software-defined radio and a low-cost amplification setup. We demonstrate the effects and practicality of the attacks on a live operational LTE and 5G-NSA network with a wide range of smartphones. Our experiments show that AdaptOver can launch an attack on a victim more than 3.8km away from the attacker. Given its practicability and efficiency, AdaptOver shows that existing countermeasures that are focused on fake base stations are no longer sufficient, marking a paradigm shift for designing security mechanisms in cellular networks.

Cryptography and Security