Analysis of Methods for Mobile Device Tracking. David Nix Chief Scientific Advisor


Analysis of Methods for Mobile Device Tracking David Nix Chief Scientific Advisor October 2013

Table of Contents

1. Document Purpose and Scope
2. Overview
   2.1 Mobile Device Penetration
   2.2 Mobile Device Tracking Options
3. Wireless Interfaces
   3.1 3G/4G
       3.1.1 Discoverability
       3.1.2 Measurability
       3.1.3 Identification
       3.1.4 Viability
   3.2 Bluetooth
       3.2.1 Discoverability
       3.2.2 Measurability
       3.2.3 Identification
       3.2.4 Viability
   3.3 Wi-Fi
       3.3.1 Discoverability
       3.3.2 Measurability
       3.3.3 Identification
       3.3.4 Viability
4. Conclusions
5. References

1. Document Purpose and Scope

This document describes the options for tracking mobile devices via their wireless interfaces, and ascertains the viability of each approach relative to a large indoor space, such as a retail store.

2. Overview

2.1 Mobile Device Penetration

According to Pew Internet statistics from May of 2013, 91% of adults (18 years or older) in the United States own a mobile device. This number has steadily increased, most steeply amongst younger demographics. These mobile devices fall into roughly two categories:

- Feature phones. These phones refer to the original mobiles which specialize in voice calls only. The "feature" nomenclature stems from various features added by phone manufacturers to differentiate from competitor phones. These include built-in applications such as simple calendars, games, and texting services.
- Smartphones. These phones use hefty microprocessors and sophisticated operating systems that serve as a platform for an unlimited number of applications. The primary operating systems are Android, iOS (Apple), and Windows.

The ratio of smartphone ownership to feature phone ownership is approximately 2-to-1, meaning 61% of US adults own a smartphone, while 30% own a feature phone. Slightly more recent statistics from Nielsen show that smartphones make up 64% of the ownership. More importantly, smartphones comprised 80% of mobile devices sold in the three months prior to the report. The ownership percentages are highest amongst younger demographics. For example, 97% of 18-29 year olds own a mobile device, and 80% own a smartphone.

The rising ownership of mobile devices combined with the steady increase of smartphones as a share of overall mobile devices, particularly amongst the young, signifies two things:

- The number of adults owning mobile devices in the U.S. will approach 100% over the next decade.
- The portion of that number who own smartphones will increase, eventually approaching 100% as feature phones are phased out due to market pressure from smartphone sales.

The current split amongst smartphone operating systems is:

- Android: 53%
- iOS (Apple): 40%
- Windows: 2%
- Other: 5%

The Android share is growing fastest.

2.2 Mobile Device Tracking Options

Mobile device penetration and share statistics are important to mobile device tracking when considering the differences between feature phones and smartphones relative to wireless interfaces. Mobile devices have a combination of up to three radio interfaces:

- 3G/4G
- Bluetooth
- Wi-Fi (IEEE 802.11)

The primary function of virtually all wireless devices is to provide cellular access to voice and data networks. In marketing lingo, this connectivity is referred to as 3G/4G. The 3G/4G radio can connect to cell towers up to several kilometers distant, where range is affected by the presence of obstacles such as walls, ceilings, buildings, and hills.

Virtually all smartphones and most feature phones also incorporate Bluetooth radios. These are primarily used for wirelessly connecting to nearby, low bandwidth peripherals such as headsets and keyboards. The Bluetooth radios in most mobiles have an effective range of about 10 meters, with some connectivity up to 30 meters line-of-sight.

Virtually all smartphones but very few feature phones also incorporate Wi-Fi radios. These are used for wirelessly connecting to data networks at higher effective bandwidths ranging from 5 Mbps to over 100 Mbps. The range of Wi-Fi radios on mobile devices varies from 50 meters to hundreds of meters, depending on the transmit power of Wi-Fi Access Points, the presence of obstacles such as walls and floors, and the presence of other RF interference.

In theory, any one of the three wireless interfaces can be used for location tracking as long as it meets the following minimum criteria:

- Discoverability: The location tracking node can discover the presence of a mobile device using the particular wireless interface. In short, the location tracking node must be able to intercept mobile device transmissions or prompt mobile devices to transmit.
- Measurability: The complementary wireless interface on the location tracking node must be able to measure Received Signal Strength (RSS) of the transmitting device.
- Identification: The mobile device must expose a unique identifier in a detectable packet. The unique identifier must be unencrypted and must not vary from appearance to appearance.

The remaining sections discuss the minimum criteria per interface.

3. Wireless Interfaces

3.1 3G/4G

3.1.1 Discoverability

After power on, a GSM mobile scans RF channels for a Broadcast Control Channel (BCCH) with the strongest signal. The BCCH is emitted by the Base Station at a cell tower periodically at frequent intervals. The mobile listens passively until it is ready to register its location with the Base Station. At that time the mobile initiates a location update procedure where it requests association with the Base Station. The update procedure, which includes authentication, is very brief, no more than a few seconds. After successful location update, the mobile passively monitors the Base Station indefinitely.

The mobile only emits signals under the following conditions:

- The Base Station broadcasts a paging request for the particular mobile device because it has an incoming call or data for the device. Once connected, the mobile will continue transmitting for the duration of the call or data transfer.
- The mobile wishes to initiate a call or transfer data, whereupon it issues a channel request to the Base Station to start the process. Once connected, the mobile will continue transmitting for the duration of the call or data transfer.

In summary, the GSM mobile only transmits evidence of its presence when changing its location from one Base Station to another, and when it originates or receives a call.

The competing CDMA protocol behaves much the same way for the same underlying reason: minimizing power by keeping the radio off most of the time.

3.1.2 Measurability

GSM and CDMA radios can identify the RSSI of each signal and report this upstream. Some radios swallow the RSSI information in the firmware, while some pass the data up to the drivers. The behavior is vendor specific.

3.1.3 Identification

GSM assigns unique numbers to each mobile device (IMEI) and each mobile subscriber (IMSI). For example, each mobile phone has a hardwired IMEI, and each SIM card stores an IMSI. Therefore, the Base Station can identify not only each unique phone, but the unique subscriber using the phone (e.g. which SIM card is installed in the phone). The competing CDMA protocol also uses the IMSI as a subscriber identifier.

3.1.4 Viability

In terms of passively sniffing for the presence of mobile devices, GSM presents many difficulties. First and foremost, GSM mobile devices are effectively invisible unless actively involved in a call or during a period of data transfer. This results in an inability for a passive sniffer to deterministically track the presence of a GSM mobile.

The only way to deterministically track the presence of a GSM phone is for the sniffer to masquerade as a Base Station whose signal strength is higher than those of surrounding cell towers. This would cause the mobile devices in the vicinity to attempt a location update with the sniffer. This practice has been used successfully by hackers and law enforcement. However, each sniffer would cost more than $1000 to construct. Worse, the service providers paid billions of dollars for the right to use the GSM spectrum, so FCC rules prohibit anyone other than the service providers from using the spectrum at GSM transmit levels. The construction of an active sniffer would undoubtedly bring down an army of attorneys from the service provider and stiff fines from the FCC. For this reason alone, an active GSM sniffer is not viable.

The competing CDMA protocol faces similar obstacles: there is not enough information on air for passive sniffing, and active sniffers are expensive and illegal.

3.2 Bluetooth

3.2.1 Discoverability

Passive discovery of Bluetooth devices is relatively straightforward because most Bluetooth devices periodically issue Inquiry or Page packets to discover or attempt association with other Bluetooth devices. However, a more deterministic mechanism for discovering other devices is for an active sniffer to issue frequent Inquiry packets on all channels. The sniffer would start with the first channel, issue an Inquiry packet, and listen for Inquiry responses for some number of milliseconds before repeating the process on the next channel. This works because Bluetooth devices are required to respond to Inquiry packets.

Bluetooth radios in typical mobile devices are Class 2, meaning a theoretical range of 30 meters but a realistic range of about 10 meters. Class 1 radios work at up to 100 meters with realistic ranges of 30 meters.

3.2.2 Measurability

Bluetooth radios can identify the RSSI of each signal and report this upstream. Some radios swallow the RSSI information in the firmware, while some pass the data up to the drivers. The behavior is vendor specific.

3.2.3 Identification

Bluetooth Inquiries expose the MAC address of each radio. The MAC address is unique to each radio, so it can serve as a unique consumer identifier.

3.2.4 Viability

An active Bluetooth sniffer is inexpensive and simple to implement. In fact, Linux includes built-in sniffing support. Getting the RSSI might prove more challenging, but it is doable. Furthermore, Bluetooth operates in public spectrum, so active sniffers violate no FCC rules or laws.

The primary drawback of Bluetooth as a tracking mechanism is the limited range. The common Class 2 Bluetooth radio is only reasonably detectable within 10 to 20 meters of the sniffer. A dense configuration of sniffers would be needed to track consumers throughout a retail area.

3.3 Wi-Fi

3.3.1 Discoverability

Wi-Fi Access Points can be discovered simply by listening for beacons. However, because Access Points broadcast beacons approximately every 100 milliseconds, scanning all channels (as many as 60) may take multiple seconds. To make matters worse, client devices (non-Access Points) do not beacon.

Fortunately, Wi-Fi allows a mobile device to issue a Probe Request on a channel. Every Access Point and mobile device must respond to the Probe Request with identity information. As such, an active sniffer that sends Probe Requests on every channel can determine the presence of every other Wi-Fi device in range, and relatively quickly. In addition, the sniffer can infer the presence of hidden nodes and cloaked devices by intercepting other Wi-Fi packets. Most mobile devices issue Probe Requests instead of waiting for beacons to save power, making them even more visible to a sniffer.

The range of Wi-Fi, typically 50 to several hundred meters even in enclosed spaces, allows a sniffer to detect devices in a large area.

The primary drawback of Wi-Fi as a tracker is that it only works if the Wi-Fi radio is enabled on the mobile device. To save battery life, many users turn Wi-Fi off when not using it. However, the recent 4.3 Android release leaves the radio on in a reduced activity state even when the user has turned it off. The behavior can be overridden, but the typical user is unlikely to do so. In short, any Apple, Windows, or pre-4.3 Android phone with Wi-Fi turned off will not be detectable. Any other device will respond to Probe Requests or issue periodic Probe Requests or beacons.

3.3.2 Measurability

Wi-Fi radios can identify the RSSI of each signal and report this upstream. Wi-Fi supports monitoring mode, which is implemented by a majority of vendor solutions. Monitoring mode allows the upstream drivers to obtain every received packet, while still supporting the ability to send Probe Requests.

3.3.3 Identification

Wi-Fi Probe Responses expose the MAC address of each radio. The MAC address is unique to each radio, so it can serve as a unique consumer identifier. Other packets also expose MAC or related information, allowing the sniffer to also use other types of packets for identification.

3.3.4 Viability

Given the existence of well-supported sniffer programs, inexpensive Wi-Fi hardware, and a protocol that allows the sniffer to quickly and comprehensively find mobile devices, Wi-Fi is an ideal method to locate subscribers. The long range of the signal allows for good coverage in a retail environment. Furthermore, Wi-Fi operates in public spectrum, so active sniffers violate no FCC rules or laws.

4. Conclusions

In practice, 3G/4G tracking is not viable without the assistance of service providers. Such assistance is highly unlikely given service provider protectiveness of network equipment. Bluetooth tracking is limited due to the short range of the radios. Wi-Fi is the best of the available wireless interfaces when considering range, cost, and coverage of users.
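To show what the Measurability and Identification criteria of sections 3.3.2 and 3.3.3 (and the MAC-based identification of 3.2.3) amount to on the wire, the following added example, which is not part of the original paper, parses radiotap-prefixed 802.11 management frames and reports the RSSI, transmitter MAC and SSID that each one exposes in cleartext. It goes one step beyond the text by checking the locally administered (U/L) bit of the MAC address, which marks a software-assigned address; the frames, MAC addresses and the names `build_frame` and `stable_identifier` are constructed for illustration, and frames are assumed to carry no trailing FCS.

```python
import struct

# (size, align) per radiotap present-bit 0..5: TSFT, Flags, Rate, Channel, FHSS, dBm signal
RADIOTAP_FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1)]
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}


def parse_radiotap(buf):
    """Return (header_length, rssi_dbm or None) for a radiotap capture header."""
    if len(buf) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or not 8 <= length <= len(buf):
        raise ValueError("bad radiotap header")
    offset, word, rssi = 8, present, None
    while word & 0x80000000 and offset + 4 <= length:  # extended present words
        (word,) = struct.unpack_from("<I", buf, offset)
        offset += 4
    for bit, (size, align) in enumerate(RADIOTAP_FIELDS):
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) // align * align  # natural alignment
        if offset + size > length:
            raise ValueError("radiotap field outside header")
        if bit == 5:
            rssi = struct.unpack_from("<b", buf, offset)[0]
        offset += size
    return length, rssi


def parse_mgmt_frame(frame):
    """Extract what an 802.11 management frame exposes in cleartext."""
    rt_len, rssi = parse_radiotap(frame)
    hdr, body = frame[rt_len:rt_len + 24], frame[rt_len + 24:]
    if len(hdr) < 24 or (hdr[0] >> 2) & 0x3 != 0:
        raise ValueError("not a complete 802.11 management frame")
    subtype, src = hdr[0] >> 4, hdr[10:16]  # Address 2 is the transmitter
    if subtype in (5, 8):  # probe response / beacon: 12 fixed bytes come first
        body = body[12:]
    ssid, i = None, 0
    while i + 2 <= len(body) and i + 2 + body[i + 1] <= len(body):
        if body[i] == 0:  # element ID 0 carries the SSID
            ssid = body[i + 2:i + 2 + body[i + 1]].decode("utf-8", "replace")
            break
        i += 2 + body[i + 1]
    return {
        "subtype": SUBTYPES.get(subtype, f"mgmt-{subtype}"),
        "mac": ":".join(f"{b:02x}" for b in src),
        "rssi_dbm": rssi, "ssid": ssid,
        # U/L bit set: software-assigned address, may differ between appearances
        "stable_identifier": not src[0] & 0x02,
    }


def build_frame(subtype, mac, ssid, rssi):
    """Constructed sample: radiotap (flags, rate, channel, signal) + frame."""
    radiotap = struct.pack("<BBHIBBHHb", 0, 0, 15, 0x2E, 0, 2, 2437, 0x00A0, rssi)
    header = (bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6
              + bytes.fromhex(mac.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    fixed = b"\x00" * 12 if subtype in (5, 8) else b""
    return radiotap + header + fixed + bytes([0, len(ssid)]) + ssid.encode()


BURNED_IN = build_frame(4, "00:11:22:33:44:55", "", -62)   # constructed sample
RANDOMIZED = build_frame(4, "da:a1:19:00:00:01", "", -80)  # constructed sample
```

Only a frame whose address has the U/L bit clear satisfies the Identification criterion as the paper states it; a device sending software-assigned addresses still meets Discoverability and Measurability.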

The coverage of Wi-Fi as a detection method is a function of the number of consumers with Wi-Fi enabled devices and the behavior of the consumer in terms of turning Wi-Fi on or off and carrying their Wi-Fi devices with them. As mentioned earlier, approximately 60% of consumers own a Wi-Fi capable device, and that number is growing. No study was found that measured consumer behavior regarding enabling/disabling Wi-Fi. However, over half of the smartphones are Android based and that segment is growing. New Android releases allow Wi-Fi to continue scanning and probing by default even when the consumer turns Wi-Fi off. Assuming Android continues this practice, the percentage of smartphones that are always detectable should increase over time.

A possible improvement on Wi-Fi is Wi-Fi and Bluetooth working together. The primary drawback of using both simultaneously is that each radio reports a unique MAC address. Correlating a Wi-Fi signal and a Bluetooth signal as belonging to the same phone could be difficult. However, after multiple visits of the same consumer and through some logic of elimination, the sniffer system might be able to correlate the MAC addresses such that the presence of either radio is enough to recognize a consumer. In that case, the Bluetooth RSSI might be helpful in calculating locations that are nearby, while Wi-Fi RSSI is more suited to the wider area location. Also, Bluetooth would help discover consumers whose mobiles either did not support Wi-Fi or had Wi-Fi turned off.

5. References

- Brenner, Joanna. Pew Internet Commentary: Mobile. 18 September 2013. Taken from http://pewinternet.org/commentary/2012/february/pew-internet-mobile.aspx.
- Patterson, Sean. U.S. Smartphone Penetration Hits 64%, Young Lead the Way. 19 September 2013. Taken from http://www.webpronews.com/u-s-smartphone-penetration-hits-64-young-people-lead-the-way-2013-09.