How to Geolocate Mobile Phones (or not)

Wouldn’t it be cool to geolocate mobile phones? The following article will show you possibilities and limits when it comes to accurately finding the location of a mobile phone.

Last week I published an article explaining how accurate the geolocation of IP addresses is. This time, I had a look at cellular data, and at how a mobile phone is registered while roaming as well. If you haven’t read last week’s article yet, go have a look before you continue here.

Today I decided to go on a little road trip, because I wanted to show you what kind of data your mobile phone produces while on the move. So, I’m inviting you to follow me on a short trip to Austria. Keep in mind that all the data you will see here is visible not only to me but also to my provider, and could be visible to law enforcement or intelligence services, should they choose to track me. However, this is not data that random individuals can easily obtain.

The starting and end point of my journey was the train station in Steinebach. If you dial *3001#12345#* on your iPhone, it will open a developer menu packed with cellular data, including the actual cell you are connected to and the signal strength for this connection (among other things). Unfortunately, I forgot to take a screenshot when I left the train station. I did, however, take a screenshot upon return. In any case, the same cell served my phone both when I left and when I returned. As you can see, my phone was connected to the Mobile Country Code (MCC) 262, which is the country code for Germany, and the Mobile Network Code (MNC) 3, which is the code for the provider O2/Telefonica. That’s the network this burner phone is running on.

[Figure 1]

The most relevant piece of information is the Physical Cell ID (PCI). This is the identifier for the actual cell my phone was registered to. The only problem here is that the developer menu on my iPhone doesn’t give me the ID of the cell tower (or eNodeB/ENB in an LTE network) this cell was actually broadcast from. Whenever I am dealing with cellular data, one of my go-to sites is CellMapper. Here I can browse through information on cell towers on a map or search for specific data. Let’s have a look at what we can find with the MCC, MNC and PCI from my phone. After adding the information I have to the search panel on the right, a new popup opens and displays all the cell towers in the German O2 network that use the PCI 422.

[Figure 2]

Rather than clicking through all these results, I just zoomed into the map manually (since I of course knew where I was) and clicked through the nearby towers until I found the tower that broadcasts the PCI 422. Cell 2 of eNB 100396 is the one my phone was connected to.

[Figure 3]

The train station is in the top right corner of the highlighted cell. Keep in mind that the full extent or reach of the cell may not be accurately displayed here. So now you have seen how cellular information can be broken down to a rough physical location. I could narrow down this location even more, because my phone also knows which other cell towers are providing a signal in the area and it is constantly measuring the signal strength. So, if I knew the location of these other cell towers and the signal strength to each tower, I could use that information to triangulate a more precise location. But let’s not go that far this time.
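Why the CellMapper search returned a whole list of towers, and how the eNB/cell pair on the map relates to the numbers from the developer menu, as an added example that is not part of the original article: the PCI is a small reusable value (0 to 503), not a unique identifier, so the (MCC, MNC, PCI) tuple only gives candidate sites and a rough position is needed to pick the right one. All tower ids and coordinates in the list are constructed sample data, not real CellMapper records.

```python
"""Added example, not from the original post: the PCI is only a 0..503 value that
is reused across a network, so (MCC, MNC, PCI) yields several candidate sites
and a rough position is needed to disambiguate.  All tower records below are
constructed sample data, not real CellMapper entries."""
from dataclasses import dataclass
import math
from typing import List


@dataclass(frozen=True)
class Cell:
    mcc: int       # Mobile Country Code (262 = Germany)
    mnc: int       # Mobile Network Code (3 = O2/Telefonica in the article)
    enb: int       # eNodeB id, i.e. the physical site
    cell_id: int   # sector number within that eNodeB (0..255)
    pci: int       # Physical Cell ID, 0..503, reused across the network
    lat: float     # constructed coordinates, decimal degrees
    lon: float


def pci_from_sync(n_id1: int, n_id2: int) -> int:
    """PCI = 3 * N_ID^(1) + N_ID^(2), as the phone derives it from the PSS/SSS
    synchronisation signals (N_ID^(1) in 0..167, N_ID^(2) in 0..2)."""
    if not (0 <= n_id1 <= 167 and 0 <= n_id2 <= 2):
        raise ValueError("sync group ids out of range")
    return 3 * n_id1 + n_id2


def eci(enb: int, cell_id: int) -> int:
    """E-UTRAN Cell Identity: 20-bit eNodeB id followed by 8-bit cell id.
    'Cell 2 of eNB 100396' on the map is this single 28-bit value."""
    if not (0 <= enb < 1 << 20 and 0 <= cell_id < 1 << 8):
        raise ValueError("eNB id must fit in 20 bits, cell id in 8 bits")
    return (enb << 8) | cell_id


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


# Constructed sample network: PCI 422 appears on three O2-DE sites.
TOWERS = [
    Cell(262, 3, 100396, 2, 422, 48.07, 11.20),  # sector serving the train station
    Cell(262, 3, 100396, 1, 301, 48.07, 11.20),  # another sector of the same site
    Cell(262, 3, 100777, 0, 422, 48.14, 11.58),  # same PCI, site in Munich
    Cell(262, 3, 101234, 1, 422, 49.45, 11.08),  # same PCI, site near Nuremberg
    Cell(262, 1, 200001, 0, 422, 48.07, 11.21),  # other MNC: must never match
]


def candidates(towers: List[Cell], mcc: int, mnc: int, pci: int) -> List[Cell]:
    """Everything the phone's developer menu lets you match on."""
    return [c for c in towers if (c.mcc, c.mnc, c.pci) == (mcc, mnc, pci)]


def narrow(cells: List[Cell], lat: float, lon: float, radius_km: float) -> List[Cell]:
    """Keep only candidates within radius_km of a known rough position, which is
    the manual 'zoom into the map' step from the article."""
    return [c for c in cells if haversine_km(lat, lon, c.lat, c.lon) <= radius_km]


if __name__ == "__main__":
    hits = candidates(TOWERS, 262, 3, 422)
    print(len(hits), "sites share PCI 422")  # 3
    for c in narrow(hits, 48.07, 11.20, 10.0):
        print("serving cell: eNB", c.enb, "cell", c.cell_id, "ECI", eci(c.enb, c.cell_id))
```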

If I am connected to a UMTS or LTE network (3G or 4G), the cellular network will also allocate an IP address to my phone. The accuracy, or rather inaccuracy, of that was the topic of last week’s article. Nonetheless, I would like to share the IP I had when I left the train station at around 09:00, to show you what happens with this IP during my travels.

[Figure 4]

Above you can see the IP address and the result of a query on the GeoIP2 Precision database from Maxmind. Maxmind is one of the leading IP geolocation companies worldwide. According to them, this IP address was located within a 50km radius of Munich. Nothing wrong here, the train station in Steinebach is within that radius.

I decided to drive to Neuschwanstein (the inspiration for the Disney castle) near Füssen and from there quickly cross the border to Austria. During this drive, my phone would constantly reconnect to new cell towers and new cells whenever the signal in the current one was too weak. More on this topic can be read here:

Every once in a while I completely lost signal. Now the interesting thing is that my phone kept the allocated IP address throughout the whole trip. Steinebach and Füssen are roughly 70km apart (as the crow flies) and I had multiple cell and cell tower handovers, yet my IP in Füssen was the same as when I left the train station in Steinebach. As the IP hadn’t changed, the Maxmind geolocation hadn’t changed either and was now clearly wrong. You might wonder why I wasn’t issued a new IP when my phone lost signal or connected to new cells or cell towers. From the cellular network’s point of view there was no need to issue a new IP address, because I technically never detached from the network. And why should the network go through the hassle of constantly issuing new IPs, when reconnects to cells and cell towers might occur every couple of minutes? Getting a new IP that frequently would clearly cause trouble for a user who is continuously connected to a website or service throughout the trip.

A new IP will be issued whenever you turn your phone off or put it in airplane mode and then turn it back on. Switching it off or using airplane mode sends a so-called “IMSI detach” to the network, letting the network know you want to log off and thus won’t be needing service anymore. A temporary loss of signal won’t cause that command to be sent. If your phone is offline for a longer period of time, the network will automatically detach the IMSI (which is basically your main identifier in a cellular network) from the network. However, each provider might define a different time span before detaching.

At 12:10, I was sitting in the McDonald’s in Füssen and still had the same IP. Just to be sure, I checked it using a different browser; I didn’t want to risk cached data messing up my results.

[Figure 5]

Out of interest, I switched on airplane mode and connected to the wifi hotspot while eating my McFlurry. Again, I checked the IP and looked it up on Maxmind.

[Figure 6]

The IP issued to me by my cell phone provider still had me located in Munich, and the wifi hotspot’s IP came out over 400km away (in the middle of a lake in the center of Kassel). And once I reconnected to the cellular network, I received a new IP address, which according to Maxmind was still within a 50km radius of Munich.

[Figure 7]

So much for the accuracy of IP geolocation. The cellular data (MCC/MNC/PCI) put me in the correct location again.

[Figure 8]

I finished my ice cream and briefly crossed the border to Austria, just long enough to connect to an Austrian network. While the cell data put me in the right spot on CellMapper, the IP I then received from my provider placed me even further away than before. This time, instead of Munich, the IP was supposedly within a 50km radius of Nuremberg.

[Figure 9]

The IP range was also different from any other IP address that O2 had given me in Germany, so I assume that O2 has an extra IP range reserved for roaming connections. I switched to a different Austrian provider and checked again.

[Figure 10]

Okay, now I’m confused. I went from Munich to Nuremberg to Stuttgart. On the other hand, the information I found here could prove to be relevant. If my provider uses a different IP range for phones located outside of the home network (in a foreign country) than the IP range used for phones ‘at home’, maybe other providers do so as well. This might make it possible to find out whether a mobile phone is in its home country or abroad, similar to what an HLR lookup can provide (I won’t explain that this time, just google it). Remember that the results shown here might differ in other countries and with other providers. But once more, the bottom line is that geolocation based on IPs is not as simple and accurate as some of us might think, and geolocation based on cellular data could get you quite close to your actual target. That is, if you have access to this kind of data, which I assume most of my readers don’t.

And now you also know how I spend my Sundays: combining road trips through the beautiful Bavarian Alps with my passion for OSINT. In any case, the trip was totally worth it: new insights into cellular roaming and of course this amazing view:

Neuschwanstein

Matthias Wilson / 12.07.2020


Geolocating Mobile Phones based on IPs

This article was written together with Nixintel and was published on Nixintel.info as well.

IP addresses feature prominently in digital investigations, but how useful are they for geolocation? The truth is that while IP addresses have many investigative uses, they can be quite unreliable as a precise geolocation method.

The limitations of IP addresses as geolocation tools are grounded in the technology itself. The current IPv4 protocol allows for the existence of just under 4.3 billion separate IP addresses. This was not an issue when the technology was designed in the early 1980s, but now the demand for IP addresses far exceeds supply.

To deal with this shortage, ISPs have developed several workarounds over the years. A reverse proxy server allows thousands of websites to share the same static IP address, for example.

Websites and services generally use IPs that are fixed, but if you’re reading this from your home internet connection then the chances are that you’ve been issued a dynamic IP address by your ISP. You might have the same IP address for a few hours or days, but ISPs constantly juggle and reallocate their IP addresses according to demand. The IP address you have today might be issued to someone else elsewhere in the country tomorrow.

With mobile IPs the IP shortage problem is even more pronounced. Whenever you connect to a 3G or 4G network, you are probably sharing that IP address with thousands of other users at the same time. Your IP address also changes very frequently on a cellular network, sometimes as often as every few seconds.

There is no real correlation between a physical location and a cellular IP address. IP addresses aren’t organised geographically in the way that old landline numbers used to be. It’s more accurate to think of them as being grouped by ISP and service type.

For more detailed information on this subject matter I recommend reading these research papers:

So what about IP geolocation services like Maxmind? A little digging into their own data accuracy reports will tell you that we need to be extremely cautious about how much weight we attach to the geolocation information that they provide.

For example in Germany, Maxmind state that 83% of their IP addresses are accurately linked to their location – but only to within a 50km radius, and even then only with fixed broadband lines:

[Figure 1]

When we look at cellular IPs, the accuracy drops significantly. Only 38% accuracy within 50km:

[Figure 2]

The more specific the location, the lower the confidence level. In Germany the confidence that a specific IP address is associated with a specific city is just 16%. In the USA this accuracy level is just 12%, with 73% of IPs being incorrectly resolved. So how much weight should you really put on the accuracy of a geolocated cellular IP if even the world’s leading IP geolocation companies have such low confidence in it being accurate to within 50km, let alone a single city?

This is not a fault of the GeoIP service providers. It simply reflects the fact that ISPs have no need to allocate IP addresses by geographic area, but instead allocate them according to network demand.

Yet it is common knowledge that mobile phones can be geolocated. A mobile phone connects to a cell tower and, as a matter of fact, also sees all of the surrounding cell towers (at least to monitor their signal strength). Each cell tower has a unique ID. This ID can be picked up by several means, whether by intercepting the radio connection between the mobile phone and the tower or by collecting information on one of the backlinks to the network. If the physical locations of the cell towers are known, and of course if you have the cell IDs, a rough geolocation of the phone can be performed. However, this can only be done (legally) by law enforcement and/or intelligence services. But is it possible to geolocate a phone based on information other than the cell ID?

Most mobile phones nowadays are constantly connected to the internet. We browse the web, we send messages through services such as Signal or WhatsApp, and we check our emails and reply with our smartphones. Each of these connections uses the IP address that has been allocated to our phone. On my normal computer, I could look up my IP address on sites such as IPLocation and it would show the approximate area I am located in. Of course, this only works if I am not using a proxy or VPN. Different databases might have slightly different locations, but as you can see in this example, I am located somewhere in the vicinity of Munich based on my IP address.

[Figure 3]

Just to put these locations into perspective, I plotted them on the map. I was located somewhere on this map while writing this article. Not really that precise, right?

[Figure 4]

That was my landline connection; what about geolocating a phone based on its IP address? Getting the current IP address of the phone is not as easy as it sounds. Even if I were to receive an email sent from my target’s phone, chances are high that it would not include the originating IP address, especially if it was sent through providers such as Gmail or Hotmail. How can we then obtain the actual IP of the phone?

Before you continue reading, a word of caution: The next step could be illegal in some countries and is very intrusive. It is definitely not something I would recommend as you have to actively engage your target. In this case I am just using the technique to prove my point.

I sent my target an email with a tracking pixel. Don’t worry, the target is one of my burner phones. I sent myself an email and opened it with my phone while connected to my provider on 4G (LTE). Tracking pixels, also known as web beacons, are used to figure out whether a user has accessed content such as a webpage or an email. These trackers will provide information such as the access time and also the IP address from which the content was accessed. I used the site GetNotify to get a tracking pixel and then opened the email on my phone. Here is the result:

[Figure 5]

As you can see, the tracking pixel sends back the time the email was opened, the user agent string for the browser on my phone and an IP. It states that this IP address is registered to Telefonica Germany, the provider this burner phone is running on. Let’s check the IPLocation site again:

[Figure 6]

Okay, we have Munich in there, but we also see other locations. Once more, I plotted them on the map.

[Figure 7]

I’m on here somewhere, but as you can see, two of the locations are quite far from Munich. So apparently the IP allocated to my phone by my provider gives a very inaccurate location. One reason for this can be found in the 4G network infrastructure.

[Figure 8]

The IP address the mobile phone receives is a dynamic address allocated by the so-called Packet Data Network Gateway (P-GW). This is basically the exit node to the internet, and the IP address is chosen randomly from a pool of addresses. Each time you reconnect to the network you will receive a new random address from this pool, even if you connect to the same cell (or, in LTE, the same eNodeB) again. There is no direct link between the IP and any other element of the network, such as the cell tower (eNodeB). Often, the P-GW will also put multiple registered mobile phones behind the same IP address for outgoing traffic. While connections from a mobile phone will likely be handled by a regional P-GW, in my case the one physically located in Munich, the phone could also be registered to a P-GW hundreds of kilometers away. I spent an hour trying to find a friend who also uses Telefonica/O2 and asked her to help me out here. I sent her an email with a tracking pixel. Here’s what came back:

[Figure 9]

This IP address is supposedly located in Munich as well, but my friend lives near Passau. That’s 170km apart! Keep in mind, all of this was done without any proxies or VPNs. Using a VPN will of course alter the results. Here’s my burner phone on LTE running through a Belgian IP:

[Figure 10]

In conclusion, geolocating a phone through an IP might give you the general area (if you are lucky), but just as with any regular IP address, it will not give you pinpoint accuracy. I think geolocating landline IPs is actually more accurate than mobile phone IPs in most cases. Just keep this in mind for your future investigations.
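The tracking-pixel step above only works because the mail client fetches remote images, and that fetch is what hands over the opener’s IP, time and user agent. As an added example that is not part of the original article, here is a client-side check that flags such beacons in an HTML mail before anything is fetched; the sample mail and its URLs are constructed.

```python
"""Added example, not from the original article: flag likely tracking pixels
(web beacons) in an HTML e-mail so a mail client can refuse to fetch them.
The sample mail below is constructed."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # boolean attributes come back as None; normalise to ""
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def is_remote(src: str) -> bool:
    """Only http(s) images cause a network fetch; cid:/data: do not phone home."""
    return urlparse(src.strip()).scheme.lower() in ("http", "https")


def _is_tiny(value: str) -> bool:
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


def is_tracking_pixel(attrs: Dict[str, str]) -> bool:
    """Heuristic: a remote image that is 1x1/0x0, hidden, or styled to 1px."""
    if not is_remote(attrs.get("src", "")):
        return False
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))
    hidden = "display:none" in style or "visibility:hidden" in style
    tiny_style = "width:1px" in style or "height:1px" in style
    return tiny or hidden or tiny_style


def find_tracking_pixels(html: str) -> List[str]:
    """URLs of images that look like beacons."""
    p = _ImgCollector()
    p.feed(html)
    return [i["src"] for i in p.images if is_tracking_pixel(i)]


def remote_image_urls(html: str) -> List[str]:
    """Every remote image; the conservative policy is to block all of these."""
    p = _ImgCollector()
    p.feed(html)
    return [i["src"] for i in p.images if is_remote(i.get("src", ""))]


# Constructed sample mail: a visible logo, an invisible beacon, an inline photo.
SAMPLE_MAIL = """<html><body>
<p>Hi, the report is attached.</p>
<img src="https://img.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example/open?id=abc123" width="1" height="1" style="display:none">
<img src="cid:photo-1" width="1" height="1">
</body></html>"""


if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_MAIL):
        print("beacon:", url)
```

Blocking every URL from `remote_image_urls` is the setting most mail clients expose as “do not load remote content”; the heuristic is only for deciding what to warn about when images are allowed.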

Nixintel & Matthias Wilson / 05.07.2020

Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

[Figure 1]

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as well as possible. This includes OSINT research on the company, asking tech-savvy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out I was right not to use this platform. Lampyre isn’t who they claim to be. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm, and the phone number that Data Tower provides belongs to another law firm in which Laszlo Schmidt works as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end with each query. The queries contain a brief description of what is requested, and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

[Figure 2]

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

[Figure 3]

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on GitHub and knew about the product in March 2018, way before it was released to the public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

[Figure 4]

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

[Figure 5]

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

[Figure 6]

So far, this was just a gut feeling. Could any more evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet! We pulled the certificates used by Lampyre and saw that they were registered in Russia and, even more compelling, one of the certificates made a direct reference to Vitok.

[Figure 7]

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). I personally have doubts about that second theory, though. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person, and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

Matthias Wilson / 23.03.2020