jacquesm 8 hours ago

So that's the tip. Makes you really wonder about the iceberg, this raises many more questions than it answers.

The UK has criminalized possessing or using SIM farms or related gear in response to these popping up with some regularity. But the operators are pretty clever and know how to hide. I've been thinking about how easy it would be to detect these when you're a telco and I think the signature is unique enough that it should be possible to detect which SIMs are part of a farm, even if you don't know the exact location of the farm.
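As an added illustration of the "signature" idea in the comment above (this is example code written for this page, not anything jacquesm or a carrier published), here is a toy detector run over constructed CDR-like events. The record layout, the IMSIs, the cell IDs, the traffic mix and every threshold are illustrative assumptions; the only point is which features separate a rack of static, SMS-only, lockstep-sending SIMs from ordinary handsets that share the same sector.

```python
"""Added example, not code from the thread: a toy detector for the
SIM-farm "signature" jacquesm alludes to, run over constructed CDR-like
events.  The record layout, the IMSIs, the cell IDs and every threshold
are illustrative assumptions, not any carrier's real schema or tuning."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    imsi: str   # subscriber identity (constructed values below)
    ts: int     # event time, seconds since epoch (constructed)
    cell: str   # serving cell/sector id, assumed "LAC-CID-sector" form
    kind: str   # "mo_sms", "mt_sms", "voice" or "data"


def constructed_events():
    """Six SIMs parked on one sector sending MO SMS in lockstep bursts,
    plus three ordinary handsets that roam between sectors with mixed
    traffic (one of them also passes through the farm's sector)."""
    base = 1_700_000_000
    ev = []
    farm = [f"31000900000{i:04d}" for i in range(6)]
    for burst in range(10):                      # one burst every 15 min
        t0 = base + burst * 900
        for imsi in farm:
            for k in range(5):                   # five MO SMS per SIM per burst
                ev.append(Event(imsi, t0 + 2 * k, "4711-9021-S2", "mo_sms"))
    normal = {
        "310009111000001": ["4711-9021-S2", "4711-9022-S1", "4711-9030-S3"],
        "310009111000002": ["4711-9040-S1", "4711-9041-S2"],
        "310009111000003": ["4711-9050-S3", "4711-9051-S1", "4711-9052-S2"],
    }
    for imsi, cells in normal.items():
        for n in range(40):
            kind = ("data", "voice", "mt_sms", "mo_sms")[n % 4]
            ev.append(Event(imsi, base + n * 200, cells[n % len(cells)], kind))
    return ev


def profile(events):
    """Per-IMSI features: sectors seen (mobility), MO-SMS share of all
    traffic, and the minute buckets in which MO SMS were sent."""
    feats = defaultdict(lambda: {"cells": set(), "mo_sms": 0,
                                 "total": 0, "buckets": set()})
    for e in events:
        f = feats[e.imsi]
        f["cells"].add(e.cell)
        f["total"] += 1
        if e.kind == "mo_sms":
            f["mo_sms"] += 1
            f["buckets"].add(e.ts // 60)
    return feats


def suspects(events, min_mo_sms=20, min_mo_fraction=0.9):
    """IMSIs that never change sector and do almost nothing but send SMS.
    Thresholds are assumptions; a real deployment would tune them against
    known-good traffic (e.g. IoT SIMs are also static and SMS-heavy)."""
    out = []
    for imsi, f in profile(events).items():
        if (len(f["cells"]) == 1 and f["mo_sms"] >= min_mo_sms
                and f["mo_sms"] / f["total"] >= min_mo_fraction):
            out.append(imsi)
    return sorted(out)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def farm_clusters(events, min_size=3, min_similarity=0.8, **thresholds):
    """Group suspect IMSIs that share a sector *and* a sending schedule.
    Returns [(cell, frozenset_of_imsis), ...]; this is the farm-level
    signal, which survives even if each SIM looks unremarkable alone."""
    feats = profile(events)
    by_cell = defaultdict(list)
    for imsi in suspects(events, **thresholds):
        by_cell[next(iter(feats[imsi]["cells"]))].append(imsi)
    clusters = []
    for cell, imsis in by_cell.items():
        pending = list(imsis)
        while pending:
            seed = pending.pop(0)
            group = {seed}
            for other in list(pending):
                if jaccard(feats[seed]["buckets"],
                           feats[other]["buckets"]) >= min_similarity:
                    group.add(other)
                    pending.remove(other)
            if len(group) >= min_size:
                clusters.append((cell, frozenset(group)))
    return clusters


if __name__ == "__main__":
    for cell, members in farm_clusters(constructed_events()):
        print(f"sector {cell}: {len(members)} SIMs in lockstep -> {sorted(members)}")
```

The per-SIM test alone is weak (static, SMS-heavy SIMs also describe alarm panels and fleet trackers); the cluster step is what makes it a farm signature, because it asks for many such SIMs on one sector whose send schedules are near-identical minute by minute. Note the handset that also visits sector 4711-9021-S2 is not flagged: it moves and its traffic is mixed.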

Chance-Device 8 hours ago | parent | next [-]

Since you seem to know about the subject, how are these not immediately found and shut down? It seems like the messages they send could be traced to the SIMs' physical location, and having a massive cluster of thousands of SIMs just sitting in an apartment also seems like an obvious giveaway. And there's all the traceability required to rent the locations and buy the equipment. It seems like bothering with this is just asking to get caught.

jacquesm 7 hours ago | parent | next [-]

Well, they did get caught. But for that to happen immediately would require a detection method that can point out the presence of a farm with only a few samples. SIMs don't know their 'physical location' and triangulation of signals in these bands in the urban environment is non trivial.

Whoever did this likely isn't all that happy that their carefully created infra was used to harass officials, which most likely is the single reason this operation got uncovered in the first place. If it had just been used for low level crime, who knows how long they could have continued to do this.

Note that these are not unique to NYC or even to the United States, they've been found in other countries as well, the UK has now criminalized possession or operation of these (but the fines are so low that I don't think it will make much difference).

tbrownaw 7 hours ago | parent | next [-]

> SIMs don't know their 'physical location' and triangulation of signals in these bands in the urban environment is non trivial.

IIRC modern cell towers use cool tricks to send stuff for a particular phone to only where that phone is so they can send more total data. Can this not be turned into a precomputed map by taking a test phone everywhere and seeing what settings the tower picks to talk to it?

jacquesm 7 hours ago | parent | next [-]

Sure, so now you are at the front door of a quad of four 300 apartment highrises. What is your next move?

iberator 6 hours ago | parent | next [-]

With 5G and beamforming and MIMO and decent BTS software (Ericsson or Hua) you can pinpoint the given phone very accurately (within 20 m in urban settings) - without any triangulation, as you know the cell tower sector :) Guess what: you can also measure the azimuth within 0.1 degree, so you could have SOME data at where to look.

FYI: That was available back in 2022 as standard. Now it could be even better. :P

jacquesm 6 hours ago | parent [-]

I've already narrowed it down to four buildings for you, so we can consider that all of those methods worked. What is your next move?

I'm not saying it can't be done, clearly it can be done otherwise this article wouldn't exist. But it is not quite as easy as pointing a magic wand (aka an antenna) at a highrise and saying '14th floor, apartment on the North-West corner', though that would obviously make for good cinema.

pavel_lishin 6 hours ago | parent | next [-]

> I've already narrowed it down to four buildings for you, so we can consider that all of those methods worked. What is your next move?

Subpoena the power, water & gas company, and look at apartments that have unusual power usage, coupled with almost zero water & gas usage. Especially look at apartments that don't have a spike in power usage in the morning & evening that corresponds to people having a regular commute.

I'm not sure how much power this equipment draws at idle - I'm assuming it's more idle at night, no need to send scammy SMS messages at 3am Eastern - but I'd wager you could track that.

Granted, it's not fast, but depending on how quickly the companies bend over backward for such a request & how good your interns are at using Excel, you might be able to get this done before sundown.

kube-system 2 hours ago | parent [-]

Maybe in a city like NYC with old apartments you could do that. It’s common for newer LEED buildings to use heat pumps and collective water/sewer billing. Power maybe but WFH is common these days too. And then you’d have to convince a judge that you’ve got something narrow enough.

2snakes 2 hours ago | parent | prev [-]

There used to be a thing called Waterwitch in the NSA ANT catalog. Would that help?

12_throw_away 10 minutes ago | parent [-]

This inspired me to find this catalog, thank you for mentioning it!

For those who have not seen it before, Waterwitch is on page 43 of the 2013 catalog here [1], and is described as "Hand held finishing tool used for geolocating targeted handsets in the field". It did seem to require, if I'm reading right, that the target be connected to a malicious GSM router called "Typhon" (page 42).

[1] https://www.cryptomuseum.com/covert/bugs/nsaant/files/NSA_AN...

delfinom 6 hours ago | parent | prev | next [-]

A portable spectrum analyzer. A high concentration of phones like this would light up the spectrum when used with a directional wand.

Portable spectrum analyzers are regularly used to identify interference in urban environments. Even a damaged cable coax line on the street can interfere with cellular signals.

CamperBob2 3 hours ago | parent | prev [-]

If even a fraction of those antennas are transmitting at any given time, which you can arrange simply by having the network poll them, all you need to do is wander up and down the hall with a TinySA or something similar. It will be almost ridiculously obvious where all the RF racket is coming from.

Even before doing that, a handheld Yagi in the parking lot will easily narrow it down to a couple of floors in a specific quadrant of the building.

avianlyric 5 hours ago | parent | prev [-]

Yeah modern cellular and WiFi modems use multiple antennas and beamforming to allow multiple same-frequency connections to occur, without interference.

But when people think of beamforming as "pointing a beam at a phone" that's kinda thinking of the problem backwards. Modems beamform by looking at the various bits of signal delay coming down multiple antennas, and computing a transform function that will effectively result in the signal it sends mimicking those delays and thus forming a beam pointing in the opposite direction of the incoming signal.

But the modem has no idea what physical direction that beam is pointing in, and doesn't care. It just knows how to analyse an incoming signal to effectively mask the inputs from different antennas in order to extract a very weak signal, by taking advantage of constructive interference between a signal received on multiple antennas, and in turn invert that function to create an equivalently strong constructive interference pattern at the source of the signal when replying.

Most importantly, the modem has no idea what the actual signal path was, it could have bounced off several buildings, been channeled by some random bit of metal acting as a wave guide, or any other manner of funky interference that literally any physical object creates. All it knows is that a viable signal path must exist (because it received something), and it can compute a function to send a return signal back down the same path. But it's very hard to turn that abstract signal path function the modem understands into an actual physical direction. Not without doing a load of extra calibration and sampling work to understand exactly how all the antennas the modem uses interact with each other, which nobody does, because that information won't improve the cell tower's performance.

huflungdung 7 hours ago | parent | prev [-]

“Triangulation is non trivial”

Uh. No it isn’t. SNR between 5 or so masts gives you the exact location of any cell device. This is how $oldemployer used to track them

lozaning 6 hours ago | parent [-]

What you're describing is trilateration, not triangulation
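To make the distinction concrete (added example for this page, not code from either poster): trilateration fixes a position from estimated ranges to several masts of known position, whereas triangulation uses bearings. Below, ranges are derived from signal strength through a log-distance path-loss model and the over-determined system is solved by least squares. The mast coordinates, the test position, the path-loss model and its parameters are all constructed assumptions; the 3% per-mast range errors in the second run stand in for multipath.

```python
"""Added example, not code from the thread: least-squares trilateration,
the technique lozaning is distinguishing from triangulation (ranges to
several masts rather than bearings).  Mast coordinates, the test position,
the path-loss model and its parameters are constructed assumptions."""
import math


def range_from_rssi(rssi_dbm, p0_dbm=-40.0, d0_m=1.0, n=3.0):
    """Log-distance path-loss model (assumed): distance in metres from
    received power; n ~ 3 is a common urban exponent, p0 the power at d0."""
    return d0_m * 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def rssi_from_range(d_m, p0_dbm=-40.0, d0_m=1.0, n=3.0):
    """Inverse of range_from_rssi, used here only to fabricate readings."""
    return p0_dbm - 10 * n * math.log10(d_m / d0_m)


def trilaterate(masts):
    """masts: [(x, y, r), ...] with at least three non-collinear masts and
    r the estimated range to each.  Subtracting the first circle equation
    from the rest removes the quadratic terms, leaving a linear system
    that is solved in the least-squares sense via the 2x2 normal equations."""
    if len(masts) < 3:
        raise ValueError("need at least three masts for a 2-D fix")
    x0, y0, r0 = masts[0]
    rows = []
    for xi, yi, ri in masts[1:]:
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("masts are collinear; the fix is ambiguous")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def residual_rms(masts, x, y):
    """RMS mismatch between the fix and the measured ranges; a large value
    means the ranges disagree (multipath, NLOS), so trust the fix less."""
    return math.sqrt(sum((math.hypot(x - xi, y - yi) - ri) ** 2
                         for xi, yi, ri in masts) / len(masts))


# constructed geometry: five masts in metres on a local grid, one target
MASTS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0), (500.0, -300.0)]
TRUE_POS = (320.0, 210.0)          # constructed ground truth


def solve_constructed(range_scale=None):
    """Fabricate RSSI readings for TRUE_POS, optionally stretch the implied
    range per mast (multiplicative error standing in for multipath), then
    solve.  Returns the fix, its error and the residual, all in metres."""
    scale = range_scale or [1.0] * len(MASTS)
    meas = []
    for (mx, my), s in zip(MASTS, scale):
        true_d = math.hypot(TRUE_POS[0] - mx, TRUE_POS[1] - my)
        rssi = rssi_from_range(true_d)            # what the mast would report
        meas.append((mx, my, range_from_rssi(rssi) * s))
    x, y = trilaterate(meas)
    return {"x": x, "y": y,
            "error_m": math.hypot(x - TRUE_POS[0], y - TRUE_POS[1]),
            "residual_m": residual_rms(meas, x, y)}


if __name__ == "__main__":
    print("clean ranges :", solve_constructed())
    print("3% range err :", solve_constructed([1.03, 0.97, 1.02, 0.98, 1.01]))
```

With exact ranges the fix is exact; with a few percent of range error per mast it lands a couple of tens of metres off, which is the "narrowed it down to four buildings" situation rather than an apartment number. The residual is the honest part of the output: when the circles do not intersect cleanly, the fix is still computed, and only the residual tells you not to trust it.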

jandrese an hour ago | parent [-]

Sure, but when you say "triangulation" people know what you're talking about.

mschuster91 6 hours ago | parent | prev [-]

> Since you seem to know about the subject, how are these not immediately found and shut down?

Because - depending on cell tower coverage and the antennas installed on it - the degree of precision is far too low to be useful. In rural installations and the worst case, aka a tower with a dipole antenna on a mountaintop, at 900 MHz the coverage will be around 35 km. Segmented antennas just limit the section of the circle where the endpoints are. In suburban areas, coverage is usually 10-20 km, and urban areas it's 5km and less.

Now you know which cell and cell section the user is in... but to actually pinpoint the user? That takes some more work. First, you need a few more towers that the user can reach for triangulation - the more the better - but if the operator of such a setup is even remotely clever and the hardware/firmware supports it, they will have locked the devices to only connect to a single tower (you can see a map at [1] that shows the IDs). If the operator didn't do that but the site is too remote to achieve triangulation, you might need to drive around in a van and use an IMSI catcher, aka a phone tower emulator, and hope that eventually the site's devices register at it. That, however, is a lot of awful work, and is often not legal for police authorities, only for secret services.

Now you might ask yourself, what about 911, how can they locate callers precisely? The thing is... it depends. Landlines and VoIP lines are usually mapped to a specific address (which is why VoIP providers give you an explicit warning that, if you do not keep that record up to date, 911 calls will be misrouted!), so that's trivial. For mobile phone callers, however, until a few years ago the degree of precision was exactly what I just described - it completely depended on celltower coverage, with the only caveat that a phone will connect to another operator if it shows a stronger signal for 911 calls. Only then, Android introduced Emergency Location Service [2] and Apple introduced Hybridized Emergency Location [3] - these work with the sensors on the phone, most notably GPS/GLONASS/Beidou, but also SSIDs of nearby WiFi APs and specific Bluetooth beacons. Downside of that is, of course, the 911 dispatch needs an integration with Apple and Google's services, users can disable it for privacy reasons, and older phones won't have anything - so in these cases, 911 dispatchers are straight out of luck and again reduced to the above range of precision.

[1] https://opencellid.org/

[2] https://www.android.com/safety/emergency-help/emergency-loca...

[3] https://www.apple.com/newsroom/2018/06/apple-ios-12-securely...

SanjayMehta 7 hours ago | parent | prev | next [-]

There was at least one SIM farm which was installed in a delivery type van and driven around. This was to avoid being detected as a stationary device.

jacquesm 7 hours ago | parent | next [-]

Clever! Also far more risky because it would require near constant attention.

pavel_lishin 6 hours ago | parent | next [-]

Plus, you can leave an apartment unattended - a van being driven has a big weak link in the chain that has to push the gas and brake pedals.

avianlyric 5 hours ago | parent | next [-]

Nothing stopping you from parking the van and just moving it every few hours. Put some plumbing decals on the side and nobody will look twice at it.

pavel_lishin 5 hours ago | parent [-]

Sure, but again - you gotta have one of your low-level chumps stop by the van every so often, and that raises the chances of that chump getting caught and squeezed by the cops until names start coming out.

mschuster91 6 hours ago | parent | prev [-]

An unattended apartment can raise red flags. A van however, in most jurisdictions even if you end up in a police checkpoint, they may not force you to reveal what is in your van.

pavel_lishin 5 hours ago | parent [-]

> An unattended apartment can raise red flags.

The last three places I've lived, I'd never seen the residents of fully half the apartments on my floor. They could have been jam packed with SIM farms, or abandoned tigers, or dead hookers in chest freezers for all I or anyone else in the building knew or cared about.

An apartment where nobody bothers their neighbors or the super, but keeps the rent checks coming, is the absolute best case scenario for everyone involved.

And again - if an unattended apartment is raided, there's nobody there to drop names. You lose the investment, but that's likely a lesser problem than worrying about what Kasim is going to tell the cops once the handcuffs go on.

toast0 5 hours ago | parent | prev [-]

Put the SIM farm stuff in a non-metallic box, wired to the 12V system, earn some extra money while driving a delivery job.

Assuming you have carrier diversity on your sims, you could likely manage good enough backhaul over the sims for the control layer. At least for grey market SMS; grey market voip might need more consistent networking. Grey market VPN, eh... variable conditions might help customer traffic be considered mobile.

monerozcash 4 hours ago | parent | prev [-]

SIM farm or SMS blaster? SMS blaster in van would make more sense, detecting a moving SIM farm would be easier than a stationary one.
