[HN Gopher] GSMA considers giving away mobile device locations t... ___________________________________________________________________ GSMA considers giving away mobile device locations through API Author : louismerlin Score : 107 points Date : 2023-08-11 15:49 UTC (7 hours ago) (HTM) web link (www.gsma.com) (TXT) w3m dump (www.gsma.com) | michelangelo wrote: | The reference repository - with some more information - seems to | be on [1]. It also includes meeting minutes other than some early | API spec. | | Ah! Meeting information are also included... you know, in case | one is interested in attending.;-) | | [1] https://github.com/camaraproject/DeviceLocation | morkalork wrote: | I have a sudden urge to scrape github for zoom and teams | meeting links! | jononor wrote: | ConfRoulette - visit a random web conference call. | iSloth wrote: | Services like this are actively in use by most Banks/ATMs around | the world on most mobile carriers, just via creative but common | reusing of long standing mobile/telco protocols. | | GSMA are actively attempting to lockdown them existing methods, | as they're built on trust in a very untrustworthy environment | between carriers, and in some cases state actors. | | Sure on the face of it this isn't brilliant to the average HN | reader, but with context it's a significant improvement vs where | we are today. | tamimio wrote: | How about an easier and better solution, stop using a broken | protocol and enforcing the use of phone numbers as an | identification for critical information or banking, there are | better and more secure ways, and just keep the GSM network for | emergencies and 911 calls. | DaiPlusPlus wrote: | > How about an easier and better solution | | Such as? | | Difficulty: nothing that requires an end-user to understand | PKI; and also would not impede a lawful (and for the purposes | of this conversation: ethically necessary) police wiretap. | tamimio wrote: | > nothing that requires an end-user to understand PKI | | None is needed, how hard it's for a bank handing over | physical tokens to the customers when they open an account | or mailing them to existing ones? | | - You can loose them? Sure, just like any smartphone or | even government ID, but the process after to replace is | what will make you careful next time. | | - They can be stolen? Same as above | | - They can be used in banks or even for online banking, | just tap it with your NFC enabled phone (yubico is an | example) | | - They can be used by someone else? Sure, just like your | phone. | | - However, no sim-swap attacks or similar, so in theory | it's better given no negligence from the users which is | always the biggest risk anyway, but overall it's an | improvement. | | >and also would not impede a lawful (and for the purposes | of this conversation: ethically necessary) police wiretap. | | Why would the police wiretap a banking verification, they | can wiretap the transaction at the banks if they are | legally authorized. | ajsnigrutin wrote: | Hmm, imagine if banks already gave you NFC capable cards | and our phones... that would make the process a lot | easier. | | (yes, i'm talking about every modern..ish credit and | debit card) | iSloth wrote: | Being pragmatic you're not going to convince every Mobile | network vendor to implement a new protocol, and then have | every mobile operator invest in replacing their cores to | support it, all in the name of a better solution. | tamimio wrote: | You don't convince, you avoid that risk completely by not | using GSM as the medium of identity verification, just | regulate an identity verification mechanism for banks and | such, and don't mandate it for the users so they are free | to choose or opt-out. | hocuspocus wrote: | That's almost the case in Europe thanks to PSD2, for instance | banks cannot use only SMS tokens anymore. | | The second factor is typically a mobile app that prompts your | biometric authentication, and this obviously allows | geofencing ATM withdrawals. | dfox wrote: | Well, all of the 3GPP mobile networks switch to a different | logic for emergency calls. In the GSM case all emergency | calls (112 is hardcoded in the specification and there is a | provision for both USIM and the network to add more numbers | that behave that way) use different RR layer protocol that | deals in physical addresses (ie. IMEI) and the whole process | is streamlined. The MS that initiates emergency call will | just uplink an emergency RACH frame to anything that it is | synchronized with and the network will respond by allocating | traffic channel for that, there is no kind of GSM signaling | nonsense with multiple packets involved in that. | hexo wrote: | What is this? Cyberstalking as a service or what? Is anything | there even legal? | rogerthis wrote: | As far as I know, they already do this (legally). They seem to | be "just" standardizing for interoperability. | barbazoo wrote: | > The API allows an application to check if a mobile device is in | proximity of a given location. The API request contains the | location to be checked and an accuracy range in km (between 2km | and 200km). The API response indicates whether the location is | within the accuracy range of the last known location of the | MSISDN. | | I'd say this can only "give away" the location if you already | roughly know where someone is AND no rate limit exists. | legulere wrote: | With adjustable accuracy range you can do binary search to find | out where someone is. | PreInternet01 wrote: | Which is where API rate limits come in. But if you really | _need_ to know where someone is, _today_ , just be a telco | with its own mobile infrastructure, and you can pretty much | query the current network+cell ID of any of your subscribers | without any limitations. | | Same goes for anyone with, say, subpoena powers in your | jurisdiction and/or sufficient (social) engineering skills. | And cell ID to geo mapping is also a solved problem... | mplewis wrote: | API rate limits don't keep you from doing the nasty stuff | when you want to target one specific individual. | wolpoli wrote: | Even if API rate limit exists and is strictly enforced, | it's also easy to bypass it with multiple API keys and | over time. Most people adhere to a weekly schedule. | Koffiepoeder wrote: | Rate limits can also be based on the message contents, e. | g. max 20 lookups per day for a cell. | wongarsu wrote: | Assuming you already know what continent somebody is on, | 20 circles of 200km radius (120 miles) should cover most | of the major population centers. | | If you live out in Nebraska or the middle of the Sahara | this attack is easy to defend against, but humans tend to | clump up. | barbazoo wrote: | Depends on the limit and how it's implemented | barbazoo wrote: | > AND no rate limit exists. | downrightmike wrote: | Yeah, the apple air tags do something similar, the more devices | the more accurate the location | m4rtink wrote: | Sounds like you can just easily triangulete someone using this | API. | recursive4 wrote: | Misleading title. | Nextgrid wrote: | > Retail marketing: a retailer Edge Application may query the API | to verify that a user is close enough to a physical location | before pushing a notification to them. | | Hopefully by the time this is rolled out, GDPR enforcement | would've actually caught up and forced them to make it opt-in | only. | zeroCalories wrote: | Wonder if this is in response to BeiDou having such tracking | built in. There is a lot of potential value that businesses can | derive from location data. | dfox wrote: | The network simply has to have a pretty good idea of where the | given MS is and how fast it is moving in which direction. The | network maintains some kind of CDMA/OFDM/whatever radio link to | said MS and thus either has to know that or learns the same data | from behavior of the link. What this does is formalisation of how | these data can be queried and used and by whom. | dfox wrote: | And as for some additional context: before multi-constellation | GNSS receivers and such stuff, multilateriation from GSM timing | advance was a somewhat good way to get precise position fix, | especially with GSM PLMN that has additional support for using | it for position fixes. | tamimio wrote: | Also further reading it | | >Traffic management of drones: the Uncrewed Aircraft System | Traffic Management or the drone operator can obtain drone | location information from its GPS data, however this is | vulnerable to jamming or spoofing. They can query the API to | verify the drone location, e.g. for law enforcement purposes or | to check compliance with approved flight plan. | | That's not the real use case since not a single drone (commercial | or consumer) is using the builtin GNSS in the modem (if any as | most don't even have modems) as they are usually weak compared to | professional ones, the real reason is | | > or to check compliance with approved flight plan. | | There! Quick background: consumer drones like DJI are easily | trackable by DJI AeroScope [1] which is actively used by police | to track these drones in specific events, and now FAA is also | requiring the remote ID is an extension to that to cover other | drones. However, that doesn't cover all drones, you have a sub- | category of drones that are un-trackable, not easily anyway, the | ones that fly over cellular networks, which is a challenge to | know since from network perspective it's just another UE, so | what's the easiest way to know?! Exactly, the builtin gnss, a | quick query and you can tell, although I'm still not sure how | they will distinguish the normal UE from drone UE. So I wouldn't | be surprised that people are disabling the builtin gnss either by | the AT commands or just disconnecting the antennas. | | [1] https://www.dji.com/ca/mobile/aeroscope | Johnie wrote: | This has been around for ages. At least 20 years now. Loc-Aid had | been one of the biggest provider of location data. | | Here are some articles: | | * https://www.nytimes.com/interactive/2018/12/10/business/loca... | | * https://readwrite.com/loc-aid-the-biggest-location-s/ | | * https://www.technologyreview.com/2011/12/09/189247/startup-t... | joecool1029 wrote: | Adding in, they are still around just having merged with | LocationSmart: | https://www.locationsmart.com/company/news/locationsmart-and... | tamimio wrote: | So that FBI can raid people's houses quickly now? No wonder a lot | of services and apps are still keeping you tied to SMS. | pohuing wrote: | Can't they already just query from network providers? | tamimio wrote: | Of course, but that takes time and some legalities, that's | why they use stingrays, or used to.. [1] | | [1] https://en.m.wikipedia.org/wiki/Stingray_use_in_United_St | ate... | qbasic_forever wrote: | The FBI can already subpoena this information from your cell | provider. They would even do this back in the analog cell phone | days--Kevin Mitnick was nearly caught a few times because they | were tracking the location of his analog cell phone. | tamimio wrote: | Keyword: Quickly. Unlike before, now they will add this API | to their OSINT software (mostly Babel X) so they can quickly | access that, why all the paperwork in this digital world!!? | qbasic_forever wrote: | Subpoenas can happen extremely quickly though so don't | think it's a slow process today. They just need a DA to | talk to a judge and get the paperwork approved. I've heard | there are judges on call effectively 24/7 ready to approve | subpoenas as necessary. | tamimio wrote: | >I've heard there are judges on call effectively 24/7 | ready to approve subpoenas as necessary. | | I wouldn't be surprised.. | mrguyorama wrote: | More likely nowadays they just "buy" that location | information through an API endpoint or client product from | the phone companies, zero warrant required. Cops always | choose the expensive "just do it" option over the warrant | option because they seem allergic to the idea that their | power is supposed to be gatekept and dispersed. ___________________________________________________________________ (page generated 2023-08-11 23:00 UTC)