The NSA is spying and was spying and we had Snowden, we have a lot of documents to look at and there is some new research on how they used geolocation methods in mobile networks. It is done by the University of Hamburg and we have here Eric who will present this research to you and he has done this for the German government for the NSA Untersuchungsausschuss which we call NS-Auer which means like NS-Autsch kind of. He is a PhD student and holds a master in physics so give him a warm applause and for those coming later please go to your seats and try to be quiet.

Yeah, thank you. Hello, I'm really happy to have you all here and I welcome you to my talk about geolocation methods in mobile networks. My name is Eric Sü and I'm a PhD student at the University of Hamburg.

So in the beginning I want to point out why I'm giving this talk. So the German Parliamentary Investigative Committee wanted to find out about the German involvement in US drone strikes. And then the German government officials claimed that they do not know anything or they do not know any possibility how to use a phone number for targeting drone strikes. And the investigative committee did not really believe the statement and so they asked our research group at the University of Hamburg to prepare a report and we handed in that report to the Bundestag and it was very soon afterwards also published by netzpolitik.org. Thank you for that and it contains like technical methods and approximates the accuracy to localize mobile phones. And it also points out which technical identifiers are required to conduct such geolocation.

Now I give you my agenda for today. First I will speak about the purpose of geolocation data and then we are looking into a broad variety of different approaches to conduct such a geolocation in mobile networks. And then we specify on drones and look into the technical methods which can be conducted with drones.
And then I'm going to point out which technical identifier we can use for such a geolocation. And lastly I'm going to sum up.

So the purpose of geolocation data, it is a neutral technology. So we can use it for rescue missions. For example if somebody got lost in the forest or in the mountains we can use geolocation data to find that person and rescue the person. Or if you ever use Google traffic there you can profit from monitoring traffic conditions. But we can also use it to invade the privacy of persons. For example if we identify people on surveillance footage or if we track the location of a certain individual over a longer period. And certainly we can use it, use this data for target drone strikes. However I want to point out that this data they are not suitable to prove the identity of a person. So if somebody is conducting a drone strike based on this data then he is actually not knowing who he is going to kill. So on the right side you see an image of an explosion site from a Hellfire missile. A Hellfire missile is usually used by these drones. And you can approximate that the blast radius is around 20 meters. So we would consider a targeted drone strike if we have a geolocation method which can determine the position of a person more precise than 20 meters in radius.

So the first approach which I want to present are time measurements. And the symbol which you see down there, it's a base station for the next couple of slides. And a base station, this is the point in a mobile network where your phone connects to. And on the slides you can certainly interchange this base station with an IMSI catcher. An IMSI catcher is something like a fake base station from a third party and you could even build it yourself. So the method used to calculate the position of a phone is, for time measurements, trilateration. You have to know that the signal is usually traveling with the speed of light. So when you measure the time you can also measure the distance.
And here there are three methods presented. These are time of arrival where the signal moves from the hand phone to the three base stations and the accuracy is between 50 and 200 meters. This really depends on the cell size and it can be more precise or less precise. So then we have time difference of arrival which is like a round trip measurement. And we have an enhanced observed time difference where the mobile phone actually computes the location within the cell and the accuracy is between 50 to 125 meters.

So the next method which I want to present are angular measurements. When you conduct angular measurements then you determine the direction of arrival from the signal and afterwards you do a calculation which is called triangulation. And therefore you have to know the position of the base station but also the alignment of your antenna. And for this method there are certainly two base stations or IMSI catchers sufficient to determine the position of the mobile phone. The accuracy is usually in field experiments between 100 and 200 meters and the challenge for this method but also for the ones on the previous slides is that on normal mobile cells you don't have a line of sight to each base station from your mobile phone. And so the signal gets disturbed by buildings in the way and then the accuracy becomes worse.

So the next method I want to show you, I think most of you will know a little bit about GPS and how it's calculated. So satellites and GPS satellites broadcast their time and their position. And the mobile phone uses again trilateration to calculate its position and the accuracy is usually below 10 meters but it depends a little bit on the chipset within the mobile phone. And then the base station can request the position of the phone by issuing a radio resource or by issuing a request with the radio resource location service protocol.

So another method which I want to present is the mining of internet traffic.
Some smartphones send GPS coordinates or the names of nearby Wi-Fi networks which are also called SSIDs to online services. And usually these allow the determination of the position around or below 10 meters and it is certainly possible to intercept this traffic and evaluate the geolocation. So here I have two quotes for you. The first one, it effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system. This quote comes from the Snowden archive and was issued in the year 2008. So we certainly see that there is some proof that at least at those days some third parties intercepted those traffic and used it for determining the geolocation. And if you want to work with and determine the location with the SSIDs it is necessary that you have a map where certain Wi-Fi access points are located. And therefore we have also something like a proof that this has been done by the NSA and this is the mission Victory Dance where they are mapping the Wi-Fi fingerprint in every major town in Yemen. And in Yemen also a lot of drone strikes are conducted.

So let's go to the next method. System number seven is a protocol which is used for communication between network providers. And network providers need to know where and which cell a mobile phone is located to enable the communication. And these information are saved in location registers. And a third party can easily request these location information. I want to refer to the talk by Tobias Engel, which he gave two years ago, which really goes into the details of this method. And maybe if you like to there are also commercial services available to access this data.

So let's talk about drones. We do not have very solid proofs that geolocationing or geolocation methods are conducted by drones but we have certainly hints. A hint is this Gilgamesh system which is based on the Predator drones and is a method for active geolocation which describes an IMSI catcher.
But if anybody of you has access to more documents, it would be nice to have a look. So the easiest method would be certainly to request for GPS coordinates. And there you just replace the base station with a drone. And the method which is better, which I think is the preferred one, are angular measurements. Angular measurements, if you have a look in our report, we approximated that the accuracy of these methods are between 5 and 35 meters in radius from an altitude of 2 kilometers. And if you get closer to the mobile phone, it becomes more accurate. So it would be to some extent to be sufficient to conduct targeted drone strikes on this data. And in the meantime, since this report was handed over to the Bundestag, I also found other work which described that they are able to achieve an accuracy of one meter from a three kilometers altitude for small airplanes. You have to know that those sensors to measure the angle of arrival, they are usually located within the wings and within the front of the plane. And when the plane becomes larger, it's also easier to have a more accurate measurement. Then I want to point out that a single measurement can be sufficient to determine the location of a mobile phone if we can assume that the target is on the ground. So if you assume that the target is maybe in a building in Yemen, so a single measurement would be sufficient on a low building in Yemen. And the skyscrapers would be more difficult. And the big advantage of these methods is that environmental parameters have a very low influence since we can have an almost line of sight which allows a better accuracy.

So now I'm going to talk about the identifiers which can be used for geolocation. Certainly the phone number and each IMSI catcher or base station can issue an identity request to a mobile phone and then receive the IMSI or IMEI. The IMSI is something like a unique description for a certain customer in the mobile network.
And the IMEI is like a unique serial number for a device. So when we include those methods of mining internet traffic, then we can also add a lot of more identifiers, for example an Apple ID or Android ID, MAC address, even cookies or usernames. If you are interested in this, you can have a look at the link I provided there, that is a very interesting paper about this.

So I come to my last slide, my summary. I showed you a lot of different methods to localize a mobile phone. And I pointed out that a single drone can localize a mobile phone with accuracy which is sufficient to conduct a targeted drone strike. Since this document was handed over to the Bundestag, they also never denied that these methods can be used for the accuracy of these methods. So then I pointed out that as an identifier the phone number, the IMSI and the IMEI each can be used for the geolocation of a mobile phone. And the last information which I want to give you is that geolocation methods cannot prove the identity of a person. This is really important to know that we are not, yeah, that when somebody is conducting these drone strikes, that they are not aware of who is actually using the phone. And so it can happen that they are killing the wrong person. So I thank you very much. I thank my colleagues and my family and everybody. Thank you.

That's great. Thank you very much. It's the first talk we have here today where we can have a lot of questions. So come on, you have the microphones, number one, number two, number three, number four and ask your questions. It's your only chance to have this man answering them. No questions. There's someone. No. Yeah. Sorry. No problem.

Number four. Hello. Do you know why we are located in London right now when we use Google Maps here? Do you know? Can you ask it again? Do you know why we are located in London? Yes. Here? When we use Google Maps we are located in London. Do you know that? The Congress is located in London. Do you know why? I'm not aware. Okay.
I thought it was on plan. Okay. Thank you.

Number one. Okay. So on slide 12 you showed this angle of arrival method. Can you please be quiet? We can't understand the questions unless you are quiet. Sorry. Okay. So on slide 12 you showed the angle of arrival method executed by a drone. Is this a passive method or does it require some cooperation by either the phone company or by the targeted mobile phone? It can be conducted passively. If you call the phone or page the phone multiple times and you see which phone is answering this paging, it needs to be active in a way that you contact the phone but you don't need an active IMSI catcher for it. You just call the phone and then you see which phone is answering and then you know where the phone is situated. Thanks.

Yeah. I see that we have a question over there. So can you just ask a question, please? Here. Yes. Number eight, please. Thank you for the talk. I'd like to ask a question about tracking unpowered mobile phones. I mean, you mentioned lots of methods for phones which both have their batteries inserted and are actively operating. Could you elaborate a bit about the methods of tracking phones which seem to be turned off from the user's point of view and maybe also something about those who have their batteries removed? Actually, if you really turn off your phone over a long period, let's say a couple of months, I think you're safe. That's good to know. But actually, if you have a base station and somebody is switching off his phone and maybe he is meeting somebody else at that point and somebody else is also switching off his phone, then it can be suspicious. But yeah, it really depends whether somebody is looking into this data or not. Thank you.

Number eight, again? I had a short question. As you described, we are somehow dependent on the goodwill of the NSA, for instance. I wanted to ask if there is some way to avoid geolocation or use Google Maps without sending identity to location services.
That is fairly difficult. I would assume that GPS phones are a little bit better to avoid geolocationing, especially if you add additional GPS spoofing, because the network cells are really large and so it's more difficult to track you within the network cell. But if you have a drone right above you and you emit a physical signal, then the drone will always be able to localize where the signal came from. So yeah, it's difficult because it's physically difficult. Okay, thanks.

Number one, please. So I have a question about the physicalities of receiving or localizing or making angular measurements of a phone within a densely populated area where there's possibly tens of thousands of phones within the receptional area of a three kilometer high drone. That would obviously require you to be more sensitive on one hand than the cell tower, and on the other hand also receive at the same time and sort out all kinds of interference. Usually a cell can be between, let's say, 200 meters or 30 kilometers in size, so three kilometers in altitude is not very high. So you assume that the drone does a pre-selection, whatever digital beam forming on the ground path, and only looks at a cell of interest because it knows from the network that the suspect is in that cell. It depends on the area. Like in an urban area, you have to reduce the size of the cell, otherwise you would receive too many signals, but in a countryside you can have a larger cell, or you can cover a larger area.

Regarding covering larger areas, did you take, considering that these drones aren't really like our quadcopter size, they're more like airplane sized, usually, or proper airplanes, did you take the classical synthetic aperture radar techniques of like observing something for a long time while flying straight over it and then integrating over it into account, because that's usually where we get like our high resolution radar imagery of the Earth.
You can conduct multiple measurements, or you just conduct one if you know that the target is on the ground. So yeah, but did that account for your estimation? No, it's not necessary to integrate. Okay. Thanks.

We have a question from the Internet. Yes, the Internet wants to know if there are attributes which you can change of the phone to stop surveillance, so attributes like the IMEI, for example. Can you please repeat the question? Are there attributes of the phone which you can change to stop surveillance? Yeah, certainly you can fake the IMEI or the IMSI. That is also another reason why it's not sufficient to prove the identity. Because any phone can just fake this data.

And we have a second question, which is does the GSM network have a feature which allows anyone to get the GPS data from the phone? Yeah, it would be the radio resource location service protocol. So thank you. Yeah.

Okay, number five. Hello. You delivered your work to the NSA Untersuchungsausschuss and the Bundestag did not say anything about it, but is there a statement from the NSA Untersuchungsausschuss? And the government said something about it. They said that they washed their hands and said we did everything nicely because we added also a disclaimer to the data we provided. And the disclaimer says that the NSA is forced to stick to the German law and that they are not allowed to do whatever they want with this data. Thank you. Very nice.

Number six. Please. Hello. On slide 12 you specified the accuracy of about five meters for two drones. So how does it scale if you would use more than two drones, for example, 10 or whatever? I think there was a small misunderstanding. Actually one drone is sufficient. Okay. So could you use more than one drone? Yeah, you can use as many as you want, but one is sufficient. Yeah, but that, of course, but does the accuracy increase by using more than one? Yeah, if you go closer to the target and then the accuracy increases.
Okay, but with the same distance, but more than one drone? No, actually not. Okay, thank you.

Number four, please. Also referring to the accuracies, you were talking about field experiments and so on. Did you conduct those yourself or where did you get all the information from? These are some references that you can find the field experiments. Thank you very much.

Number two, please. Thank you very much for the interesting talk. My question is regarding the fingerprint which you can use on many phones to unlock the phone. Is there currently and if not, will there, do you think there will be a possibility that for example an app which requires the fingerprint identification on the phone that this is also passively read and by that you increase the identification of persons? Did you understand the question? Yeah, but I think this is like based on the GSM network and the other things that's based on the operating system. So currently using this technology, there couldn't be, it's not possible to link this? Okay, thank you.

Okay, number one, please. My question is actually about the civil use of geolocation services, not so much about phones. So you mentioned that every time you use online services that use geolocation, you send the SSIDs of nearby Wi-Fi networks. And with every request, you actually enrich a Wi-Fi map, a Wi-Fi database of either Google if it's on Android or Apple if it's on iOS. Now there was a talk at CCC here in 2009 when this technology was still nascent and then back then it was called Skyhook. But then the speaker had this provocative question, shouldn't this Wi-Fi map be public domain instead of just being proprietary and belonging either to Apple or Google nowadays? So haven't we lost that struggle? I mean we can't keep our SSIDs private, so shouldn't it be public domain? Yeah, it would be a good idea to make it public domain. Since also a lot of positive things can be created with this technology like helping people in emergency situations.
Okay, Anna. I wanted to take the chance to say thanks for this talk. I'm one of the people who actually commissioned the analysis because I work in the inquiry and it was extremely helpful for us to have the analysis done because we, like you said, keep being confronted with secret service people who tell us that no way can mobile phone numbers help in a secret war. And so yeah, just wanted to say thanks. Yeah, thank you very much. Great, so thank you also very, very much for your work and keep on going with that.