Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Enabling Physical Localization of Uncooperative Cellular Devices

Taekkyung Oh, Sangwook Bae, Junho Ahn, Yonghwa Lee, Tuan Dinh Hoang, Min Suk Kang, Nils Ole Tippenhauer, Yongdae Kim

TL;DR

This work tackles the problem of locating uncooperative cellular devices with high precision in real-world LTE networks. It introduces UMA, a universal, end-to-end attack that combines scheduling manipulation to force continuous uplink transmissions and power boosting to maximize signal strength, enabling AoA-based localization even when signals are weak or relayed by repeaters. The authors demonstrate end-to-end feasibility in lab and commercial testbeds, achieving approximately $1.7$ m distance accuracy in about five minutes per target and distinguishing target signals from repeaters through power-response differences. The results underscore practical security risks in current LTE designs and motivate both short-term mitigations and long-term spec-level protections for future networks (5G/6G).

Abstract

In cellular networks, authorities may need to physically locate user devices to track criminals or illegal equipment. This process involves authorized agents tracing devices by monitoring uplink signals with cellular operator assistance. However, tracking uncooperative uplink signal sources remains challenging, even for operators and authorities. Three key challenges persist for fine-grained localization: i) devices must generate sufficient, consistent uplink traffic over time, ii) target devices may transmit uplink signals at very low power, and iii) signals from cellular repeaters may hinder localization of the target device. While these challenges pose significant practical obstacles to localization, they have been largely overlooked in existing research. This work examines the impact of these real-world challenges on cellular localization and introduces the Uncooperative Multiangulation Attack (UMA) to address them. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to maximum levels, and 3) uniquely differentiate between signals from the target and repeaters. Importantly, UMA operates without requiring privileged access to cellular operators or user devices, making it applicable to any LTE network. Our evaluations demonstrate that UMA effectively overcomes practical challenges in physical localization when devices are uncooperative.

Enabling Physical Localization of Uncooperative Cellular Devices

TL;DR

This work tackles the problem of locating uncooperative cellular devices with high precision in real-world LTE networks. It introduces UMA, a universal, end-to-end attack that combines scheduling manipulation to force continuous uplink transmissions and power boosting to maximize signal strength, enabling AoA-based localization even when signals are weak or relayed by repeaters. The authors demonstrate end-to-end feasibility in lab and commercial testbeds, achieving approximately m distance accuracy in about five minutes per target and distinguishing target signals from repeaters through power-response differences. The results underscore practical security risks in current LTE designs and motivate both short-term mitigations and long-term spec-level protections for future networks (5G/6G).

Abstract

In cellular networks, authorities may need to physically locate user devices to track criminals or illegal equipment. This process involves authorized agents tracing devices by monitoring uplink signals with cellular operator assistance. However, tracking uncooperative uplink signal sources remains challenging, even for operators and authorities. Three key challenges persist for fine-grained localization: i) devices must generate sufficient, consistent uplink traffic over time, ii) target devices may transmit uplink signals at very low power, and iii) signals from cellular repeaters may hinder localization of the target device. While these challenges pose significant practical obstacles to localization, they have been largely overlooked in existing research. This work examines the impact of these real-world challenges on cellular localization and introduces the Uncooperative Multiangulation Attack (UMA) to address them. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to maximum levels, and 3) uniquely differentiate between signals from the target and repeaters. Importantly, UMA operates without requiring privileged access to cellular operators or user devices, making it applicable to any LTE network. Our evaluations demonstrate that UMA effectively overcomes practical challenges in physical localization when devices are uncooperative.
Paper Structure (30 sections, 6 figures, 7 tables)

This paper contains 30 sections, 6 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Attack Model
  4. Motivation
  5. Threat Model
  6. Challenges
  7. Approach: UMA
  8. Design of UMA
  9. From Online Identity to Radio Identifier
  10. Manipulating Uplink Scheduling
  11. Uplink Scheduling Procedure
  12. Design of Scheduling Manipulation Attack
  13. Boosting Victim's Uplink Signal
  14. Transmit Power Control
  15. Design of Power Boosting Attack
  16. ...and 15 more sections

Figures (6)

  • Figure 1: Idealized view vs. real-world view.
  • Figure 2: Impact of cellular repeater in localization.
  • Figure 3: Overview of UMA.
  • Figure 4: Procedure of scheduling manipulation attack.
  • Figure 5: Experimental setup for e2e evaluation.
  • ...and 1 more figures