In article <199801012054.PAA25297@users.invweb.net>, "William H. Geiger III" <whgiii@invweb.net> writes:

It is my understanding that they can still track you with the cell phone turned off so long as there is power going to the box (most auto cell phones are hardwired into the cars electrical system).

This is the funniest thing I have read in some time. Assuming you watch the show, I think you may have watched too many episodes of the X-Files (TM). When the subscriber unit (SU a.k.a. the cellular phone) is turned off, "they" can't track you. Now, it is possible that some cars have built-in SUs that automatically power-on whenever the car is started. In this case, the SU is clearly turned on and the user knows it. Analog cellular phone systems in the U.S. only force the SU to transmit when they need too. As someone else already mentioned, from the perspective of cellular system operators, bandwidth is in short supply. The cellular system operators wouldn't stand for a bunch of unneeded transmissions "just to track location". Based upon my own personal informal study [1] and some past knowledge of cellular-type systems [2], in general, I believe the following about analog cellular systems fielded in the U.S.: 1) "They" might be able to get a location reading at power-on time. The SU will check to see if it is being powered on within a different cell than it was last registered. If the cell is different, then the SU transmits a message on the cell's control channel to reregister. If the SU believes it is in the same cell, then it doesn't transmit anything at power-on time. If the SU transmits, it will be a very short burst. This would allow an attacker to see your location at power-on time. 2) When your SU is on, "they" can track your cell-to-cell movements. Cells are on the order of 1-10 miles in diameter. The more populated the area (actually, the more likely the system is to be used in an area), the smaller the cell size. "They" will only get a reading when you move between cells. The system uses a form of hysteresis so your SU doesn't flip back and forth between two cells while you are on the "edge" between cell. Actually, there are no real edges to the cells in an RF cellular system. There is a bit of overlap between cells and the cell boundaries actually move over time due to environmental factors. I.e. your SU might be stationary and yet decide to move to a different cell due to a stronger signal being seen from a different cell at a particular point in time. 3) "They" can track your fine-grain movement while you are engaged in a call or call setup. This is because an SU transmits the entire time these activities take place. Note that call setup can be for either incoming or outgoing calls. The above appear to be the only times an SU will transmit in a properly functioning analog cellular system. Now, if we change the rules to allow an active "spoof" attack or participation by the service provider, I speculate that specific attacks against one or a few people (well, actually against their SUs) could be waged to track their fine-grain movement: 4) Continuously inform the SU that an incoming call is waiting. The user would get an indication of this attack since the phone would "ring" to signal an incoming call. OTOH, perhaps, there is a way to inform the SU that an incoming call is waiting without allowing the phone to enter the final state where it begins to "ring". A detailed study of the air interface and SU implementations would be required to understand if the silent attack is possible. This attack could target one SU. Even if direct indications were not seen by the user, battery life would be shortened somewhat. 5) Continuously force the SU to "see" a different cell code, thus forcing it to continuously reregister. The user would get no direct indication during the attack. However, battery life would be shortened somewhat. There may be protection in the SU to ensure a minimum time period between reregistrations. However, this would just limit the fineness of the tracking. Again, detailed study would be required. This attack would appear to target multiple SUs in a given area. If you assume your attacker is capable of (4), (5) and similar tricks and you have something to hide, then I suppose turning your SU off and on is a wise course of action. However, the coarse-grain (pin-point location but only at widely dispersed points in time) tracking afforded by (1) and (2) seem like minimal threats. If you are concerned by (3), then please remind me why you are using the analog cellular phone system. Regards, Loren [1] My informal study was conducted with a Motorola Micro TAC Lite SU and an HP 2.9 GHz Spectrum Analyzer on 1/5/98 and 1/6/98. My analog cellular service provider is Ameritech in the Chicagoland area. [2] Disclaimer: I personally work on research related to the iDEN system (which is an advanced form of digital cellular with dispatch services and packet data) being rolled out nationwide in the U.S. by Nextel along with other local and international operators. Motorola recently shipped the millionth SU for iDEN. I am only speaking for myself. I have never worked on analog cellular systems nor read its specification. -- Loren J. Rittle (rittle@comm.mot.com) PGP KeyIDs: 1024/B98B3249 2048/ADCE34A5 Systems Technology Research (IL02/2240) FP1024:6810D8AB3029874DD7065BC52067EAFD Motorola, Inc. FP2048:FDC0292446937F2A240BC07D42763672 (847) 576-7794 Call for verification of fingerprints.

Loren J. Rittle wrote:

If you assume your attacker is capable of (4), (5) and similar tricks and you have something to hide, then I suppose turning your SU off and on is a wise course of action.

Another attack that was recently described to me by someone in the industry is to setup a three-way conversation, which basically is a cellular phone tap. The conversation could be split within the cell network to a silent party more interested in your communications than your location. --David Miller