Comment by Chance-Device
5 months ago
Since you seem to know about the subject, how are these not immediately found and shut down? It seems like the messages they send could be traced to the sims physical location, and having a massive cluster of thousands of sims just sitting in an apartment also seems like an obvious giveaway. And there’s all the traceability required to rent the locations and buy the equipment. It seems like bothering with this is just asking to get caught.
Well, they did get caught. But for that to happen immediately would require a detection method that can point out the presence of a farm with only a few samples. SIMs don't know their 'physical location' and triangulation of signals in these bands in the urban environment is non trivial.
Whoever did this likely isn't all that happy that their carefully created infra was used to harass officials, which most likely is the single reason this operation got uncovered in the first place. If it would have just been used for low level crime who knows how long they could have continued to do this.
Note that these are not unique to NYC or even to the United States, they've been found in other countries as well, the UK has now criminalized possession or operation of these (but the fines are so low that I don't think it will make much difference).
> SIMs don't know their 'physical location' and triangulation of signals in these bands in the urban environment is non trivial.
IIRC modern cell towers use cool tricks to send stuff for a particular phone to only where that phone is so they can send more total data. Can this not be turned into a precomputed map by taking a test phone everywhere and seeing what settings the tower picks to talk to it?
Sure, so now you are at the front door of a quad of four 300 apartment highrises. What is your next move?
9 replies →
Yeah modern cellular and WiFi modems use multiple antenna and beam forming to allow multiple same frequency connections to occur, without interference.
But when people think of beam forming as “pointing a beam at a phone” that’s kinda thinking of the problem backwards. Modems beam form by looking at the various bits of signal delay coming down multiple antenna, and computing a transform function that will effectively result in the signal it sends mimicking those delays and thus forming a beam pointing in the opposite direction of the incoming signal.
But the modem has no idea what physical direction that beam is pointing in, and doesn’t care. It just know how to analyse an incoming signal to effectively mask the inputs from different antenna in order to extract a very weak signal, by taking advantage of constructive interference between a signal received on multiple antenna, and in turn invert that function to create an equivalently strong constructive interference pattern at the source of the signal when replying.
Most important the modem has no idea what the actual signal path was, it could have bounced of several buildings, been channeled by some random bit of metal acting as a wave guide, or any other manner of funky interference that literally any physical object creates. All it knows is that is a viable signal path must exist (because it received something), and it can compute a function to send a return signal back down the same path. But it’s very hard to turn that abstract signal path function the modem understands, into an actual physical direction. Not without doing a load of extra calibration and sampling work to understand exactly how all the antenna the modem uses interact with each other, which nobody does, because that information won’t improve the cell towers performance.
3 replies →
Yes, but they don't know physical location, just a complex number matrix of how each receiver perceives each transmitter, which is inverted to determine how to transmit to optimize that receiver's reception. They don't first determine location and then optimise based on location - they optimise based directly on how the radio waves propagate.
“Triangulation is non trivial”
Uh. No it isn’t. SNR between 5 or so masts gives you the exact location of any cell device. This is how $oldemployer used to track them
What you're describing is trilateration , not triangulation
2 replies →
They could probably be quickly found if someone is looking for them, but carriers don't necessarily care that much about these. Add a couple layers of indirection with MVNOs and there's a lot of meh to spread around.
If the reporting around this is accurate, sounds like someone(s) was swatting through these, which brought the attention needed to find this group.
> Since you seem to know about the subject, how are these not immediately found and shut down?
Because - depending on cell tower coverage and the antennas installed on it - the degree of precision is far too low to be useful. In rural installations and the worst case, aka a tower with a dipole antenna on a mountaintop, at 900 MHz the coverage will be around 35 km. Segmented antennas just limit the section of the circle where the endpoints are. In suburban areas, coverage is usually 10-20 km, and urban areas it's 5km and less.
Now you know which cell and cell section the user is in... but to actually pinpoint the user? That takes some more work. First, you need a few more towers that the user can reach for triangulation - the more the better - but if the operator of such a setup is even remotely clever and the hardware/firmware supports it, they will have locked the devices to only connect to a single tower (you can see a map at [1] that shows the IDs). If the operator didn't do that but the site is too remote to achieve triangulation, you might need to drive around in a van and use an IMSI catcher, aka a phone tower emulator, and hope that eventually the site's devices register at it. That, however, is a lot of awful work, and is often not legal for police authorities, only for secret services.
Now you might ask yourself, what about 911, how can they locate callers precisely? The thing is... it depends. Landlines and VoIP lines are usually mapped to a specific address (which is why VoIP providers give you an explicit warning that, if you do not keep that record up to date, 911 calls will be misrouted!), so that's trivial. Mobile phone callers however, until a few years ago the degree of precision was exactly what I just described - it completely depended on celltower coverage, with the only caveat that a phone will connect to another operator if it shows a stronger signal for 911 calls. Only then, Android introduced Emergency Location Service [2] and Apple introduced Hybridized Emergency Location [3] - these work with the sensors on the phone, most notably GPS/GLONASS/Beidou, but also SSIDs of nearby WiFi APs and specific Bluetooth beacons. Downside of that is, of course, the 911 dispatch needs an integration with Apple and Google's services, users can disable it for privacy reasons, and older phones won't have anything - so in these cases, 911 dispatchers are straight out of luck and again reduced to the above range of precision.
[1] https://opencellid.org/
[2] https://www.android.com/safety/emergency-help/emergency-loca...
[3] https://www.apple.com/newsroom/2018/06/apple-ios-12-securely...