Wouldn’t it be cool to geolocate mobile phones? The following article will show you possibilities and limits when it comes to accurately finding the location of a mobile phone.
Last week I published an article explaining how accurate the geolocation of IP addresses is. This time, I had a look a cellular data and how a mobile phone is registered while roaming as well. If you haven’t read last week’s article yet, go have a look before you continue here.
Today I decided to go on a little road trip, because I wanted to show you what kind of data your mobile phone produces while on the move. So, I’m inviting you to follow me on a short trip to Austria. Keep in mind, that all data you will see here is not only visible to me, but also to my provider and could be visible to law enforcement or intelligence services, should they choose to track me. However, this data is nothing that can be easily obtained by random individuals.
The starting and end point of my journey was the train station in Steinebach. If you dial *3001#12345#* on your iPhone, it will open a developer menu packed with cellular data, including the actual cell you are connected to and the signal strength for this connection (among other things). Unfortunately, I forgot to take a screenshot when I left the train station. I did, however, take a screenshot upon return. In any case, the same cell served my phone both when I left and when I returned. As you can see, my phone was connected to the Mobile Country Code (MCC) 262, which is the country code for Germany, and the Mobile Network Code (MNC) 3, which is the code for the provider O2/Telefonica. That’s the network this burner phone is running on.
The most relevant piece of information is the Physical Cell ID (PCI). This is the identifier for the actual cell my phone was registered to. The only problem here is that the developer menu on my iPhone doesn’t give me the ID of the cell tower (or eNodeB/ENB in an LTE network) this cell was actually broadcast from. Whenever I am dealing with cellular data, one of my go-to sites is CellMapper. Here I can browse through information on cell towers on a map or search for specific data. Let’s have a look at what we can find with the MCC, MNC and PCI from my phone. After adding the information I have to the search panel on the right, a new popup opens and displays all the cell towers in the German O2 network that use the PCI 422.
Rather than clicking through all these results, I just zoomed into the map manually (since I of course knew where I was) and clicked through the nearby towers until I found the tower that broadcasts the PCI 422. Cell 2 of eNB 100396 is the one my phone was connected to.
The train station is in the top right corner of the highlighted cell. Keep in mind, that the full extension or reach of the cell may not be accurately displayed here. So now you have seen how cellular information can be broken down to a rough physical location. I could narrow down this location even more, because my phone also knows which other cell towers are providing a signal in the area and it is constantly measuring the signal strength. So, if I know the location of these other cell towers and I know the signal strength to each tower, I could use that information to triangulate a more precise location. But let’s not go that far this time.
If I am connected to a UMTS or LTE network (3G or 4G), the cellular network will also allocate an IP address to my phone. The accuracy, or rather non-accuracy, was topic of the last blog article. Nonetheless, I would like to share the IP I had when I left the train station at around 09:00 o’clock, to show you what happens with this IP during my travel.
Above you can see the IP address and the result from a query on the Geo2IP Precision database from Maxmind. Maxmind is one of the leading IP geolocating companies worldwide. According to them, this IP address was located near Munich in a radius of 50km. Nothing wrong here, the train station in Steinebach is within that radius.
I decided to drive to Neuschwanstein (the inspiration for the Disney castle) near Füssen and from there quickly cross the boarder to Austria. During this drive, my phone would constantly reconnect to new cell towers and new cells whenever the signal in the current one was too weak. More on this topic can be read here:
Every once and while I completely lost signal. Now the interesting thing is that my phone kept the allocated IP address throughout the complete trip. Steinebach and Füssen are roughly 70km apart (beeline), I had multiple cell and cell tower handovers and thus my IP in Füssen was the same as when I left the train station in Steinebach. As the IP hadn’t changed, the Maxmind geolocation also hadn’t changed and was now clearly wrong. You could wonder why I wasn’t issued a new IP when my phone lost signal or connected to new cells or cells towers. For the cellular network there was no need to reissue a new IP address, because I technically never detached from the network. And why should the network go through the hassle of constantly issuing a new IP, when reconnects to cells and cell towers might occur every couple minutes? Getting a new IP in such a frequency clearly would cause some troubles for the user, if connected to a website or service continuously throughout the travels.
A new IP will be issued whenever you turn your phone off or put in in airplane mode and then turn it back on. Switching it off or using airplane mode sends a so-called “IMSI-detach” to the network, letting the network know you want to log off and thus won’t be needing service anymore. Temporary loss of signal won’t cause that command to be sent. If your phone is offline for a longer period of time, the network will automatically detach the IMSI (which is basically your main identifier in a cellular network) from the network. However, each provider might define a different time span before detaching.
At 12:10 o’clock, I was sitting at the McDonalds in Füssen and still had the same IP. Just to be sure, I checked it using a different browser, I didn’t want to risk cached data messing up my results.
Out of interest, I switched on the airplane mode and connected to the wifi hotspot while eating my McFlurry. Again, I checked this IP and looked it up on Maxmind.
The IP issued to me by my cell phone provider still had me located in Munich and the wifi hotspot came out over 400km away (in the middle of a lake in the center of Kassel). And once I reconnected to the cellular network, I received a new IP address, which according to Maxmind was still in a 50km radius of Munich.
So much for the accuracy of IP geolocations. The cellular data (MCC/MNC/PCI) put in me the correct location again.
I finished my ice cream and briefly crossed the border to Austria. Just enough to connect to an Austrian network. While the cell data put me in the right spot on CellMapper, the IP I then received from my provider placed me even further away than before. This time instead of Munich, the IP was supposedly in a 50km radius of Nuremberg.
The IP range was also different than any other IP address that O2 had given me in Germany, so I assume that O2 has an extra IP range reserved for roaming connections. I switched to a different Austrian provider and checked again.
Okay, now I’m confused. I went from Munich to Nuremberg to Stuttgart. On the other hand, the information I found here could prove to be relevant. If my provider uses a different IP range for phones located outside of the home network (in a foreign country) than the IP range using for phones ‘at home’, maybe other providers do so as well. This might enable finding out if a mobile phone is located in country or outside, similar to what a HLR lookup can provide (not gonna explain this time, just google it). Remember that the results shown here might differ in other countries and with other providers. But once more, the bottom line is that geolocation based on IPs is not as simple and accurate as some of us might think and geolocations based on cellular data could get you quite close to your actual target. That is, if you have access to this kind of data, which I assume most of my readers don’t.
And now you also know how I spend my Sundays. Combining road trips through the beautiful Bavarian alps with my passion for OSINT. In any case, the trip was totally worth it: new insight on cellular roaming and of course this amazing view:
MW-OSINT / 12.07.2020
Key Findings 