
I am a student in network engineering, and I have a technical essay due on November 18th. I can choose the topic of the essay myself. I have a conceptual idea of a network that could help obfuscate the geolocation of a mobile device. If you could give me some quick feedback on my ideas, that would be much appreciated. To narrow the scope of my essay, I am not going to consider the legal aspects of my scheme, but I am well aware of the issue.

Suppose you have a distributed, nationwide network of nodes that have the ability to act as mobile stations. These nodes know the secret key of your SIM card, Ki, and your IMSI. Whenever you complete some active session with your phone, your phone will "power off" to the ISP's network, and tell the nodes in the network to start acting as your own phone. The nodes will take turns to connect to the network with your Ki and send gibberish data packets. To the eyes of the ISP, it will appear as if you teleport around the country, making it hard to pinpoint your real location.

For this to have a chance at working, I can see that at least the following assumptions must be met:

  • The nodes need to physically move around, or else they would be mapped to a static location and blacklisted by the ISP.
  • Your phone needs to "power off" between every active session. No keep-alive packets, no status updates, no compliance with unsolicited base station requests in general. I'm aware that this will be detrimental to QoS.
  • Communication between your phone and the nodes must be sent through a channel that protects the confidentiality, integrity and authenticity of your data, the Tor network, etc.
  • All data sent from your phone must be encrypted. This makes it much harder for the ISP to discern legitimate data from your real phone from gibberish data sent from network nodes.

There are probably several other necessary assumptions that I have not considered.

A glaring problem with this scheme that I am aware of is that the ISP could simply terminate the service of any subscriber that showed this sort of behaviour. But besides that issue, are you able to see any other obvious drawbacks to this idea that I need to consider in my essay?

Magnus

1 Answer


The "data footprint" of your actual session will probably be fairly easily distinguished from your decoy points from an attacker who can dedicate any amount of time to the problem.

a) Let's say that on Monday, your packets originate from Lesotho, Seattle, and Moscow. On Tuesday, they are from London, Mexico City, and Seattle. On Wednesday, they come from Seattle, Tokyo, and DC. On Thursday, they come from Quebec, Kathmandu, and Seattle...

b) "Gibberish" data would be pretty easy to recognize from data with a purpose. Even it is encrypted, the patterns of the metadata would stand out.

c) Your control messages (power off true location, power on decoys, vice versa) need to be sent out of band and securely or they will give the whole thing away.

Who are you trying to hide from, and what level of resources do they have? That's a good question to think about.

J Kimball
  • What if the nodes were all in the target city? i.e., if someone attempted to track you, they would see erratic movement patterns in the city itself. I've built a little GSM Arduino box, I suppose it could be used for that purpose. – Athena Nov 07 '16 at 15:46
  • Over time, the commonality of your actual location will emerge. In this case, it is clear that you are in Seattle. If your nodes are limited to a single city, then in time, it will be clear which neighborhood you are actually in. The obvious way to obscure this is to "not use the phone in your actual location", i.e., head to a safe place outside your area. But then you wouldn't need the elaborate web of decoy stations either, would you? – J Kimball Nov 07 '16 at 15:55
  • It seems like buying a dozen disposable phones, snapping them after every use and picking neighborhoods via dartboard is cheaper and a much safer bet. – Athena Nov 07 '16 at 16:00
  • a) I don't quite see what point you make here. I'm sorry, but could you elaborate? b) By "gibberish" data, you can assume real requests to legitimate websites through legitimate TOR servers. I would believe these would be indistinguishable from data sent by the real phone. c) True. When powering off the real phone, this message could simply be sent at the end of an active session, handing the identity over to the decoys. When powering ON the real phone, it becomes harder. It could be achieved with some timing schedule, giving the real phone an opportunity to reconnect every 10 min., etc. – Magnus Nov 07 '16 at 16:07
  • After reading the comments that were written in the meanwhile, I understand what you meant by point a). The idea with *moving* nodes, was long-distance movement. Imagine that nodes are attached to long distance transport vehicles. EDIT: NVM. I got your point now. Legit drawback. – Magnus Nov 07 '16 at 16:17
  • Ok, let's say the decoys are on trucks. The problem is not finding them, the problem is distinguishing them from your true phone. Can we determine which of N phones are NOT on trucks? Probably, given time. Unless you and your phone are also on a truck, putting them on a mobile platform does not help. – J Kimball Nov 07 '16 at 16:19
  • I was not quick enough to edit my previous comment before you answered me again. But yes, that is a legit drawback. Thank you for pointing it out. – Magnus Nov 07 '16 at 16:22
  • This is the first problem I detected with this idea as well. It's not going to hide your online profile or data pattern. At best it will make your geolocation "spotty" but not invisible. As soon as your real node is online your location will be known. – John Keates Nov 07 '16 at 17:28