| |
| ▲ | jacquesm 7 hours ago | parent | next [-] | | Sure, so now you are at the front door of a quad of four 300 apartment highrises. What is your next move? | | |
| ▲ | iberator 7 hours ago | parent | next [-] | | With 5g and beamforming and mimo and decent bts software(Ericsson or Hua) you can pinpoint the given phone very accurately (within 20m in urban settings) - without any triangulation, as you know the cell tower sector :) Guess what: you can also measure the azimuth within 0.1 degree, so you could have SOME data at where to look. FYI: That was available back in 2022 as standard. Now it could be even better. :P | | |
| ▲ | jacquesm 6 hours ago | parent [-] | | I've already narrowed it down to four buildings for you, so we can consider that all of those methods worked. What is your next move? I'm not saying it can't be done, clearly it can be done otherwise this article wouldn't exist. But it is not quite as easy as pointing a magic wand (aka an antenna) at a highrise and saying '14th floor, apartment on the North-West corner', though that would obviously make for good cinema. | | |
| ▲ | pavel_lishin 6 hours ago | parent | next [-] | | > I've already narrowed it down to four buildings for you, so we can consider that all of those methods worked. What is your next move? Subpoena the power, water & gas company, and look at apartments that have unusual power usage, coupled with almost zero water & gas usage. Especially look at apartments that don't have a spike in power usage in the morning & evening that corresponds to people having a regular commute. I'm not sure how much power this equipment draws at idle - I'm assuming it's more idle at night, no need to send scammy SMS messages at 3am Eastern - but I'd wager you could track that. Granted, it's not fast, but depending on how quickly the companies bend over backward for such a request & how good your interns are at using Excel, you might be able to get this done before sundown. | | |
| ▲ | kube-system 2 hours ago | parent [-] | | Maybe in a city like NYC with old apartments you could do that. It’s common for newer LEED buildings to use heat pumps and collective water/sewer billing. Power maybe but WFH is common these days too. And then you’d have to convince a judge that you’ve got something narrow enough. |
| |
| ▲ | 2snakes 2 hours ago | parent | prev [-] | | There used to be a thing called Waterwitch in the NSA ANT catalog. Would that help? | | |
| ▲ | 12_throw_away 16 minutes ago | parent [-] | | This inspired me to find this catalog, thank you for mentioning it! For those who have not seen it before, Waterwitch is on page 43 of the 2013 catalog here [1], and is described as "Hand held finishing tool used for geolocating targeted handsets in the field". It did seem to require, if I'm reading right, that the target be connected to a malicious GSM router called "Typhon" (page 42). [1] https://www.cryptomuseum.com/covert/bugs/nsaant/files/NSA_AN... |
|
|
| |
| ▲ | delfinom 6 hours ago | parent | prev | next [-] | | A portable spectrum analyzer. A high concentration of phones like this would light up the spectrum when used with a directional wand. Portable spectrum analyzers are regularly used to identify interference in urban environments. Even a damaged cable coax line on the street can interfere with cellular signals. | |
| ▲ | CamperBob2 3 hours ago | parent | prev [-] | | If even a fraction of those antennas are transmitting at any given time, which you can arrange simply by having the network poll them, all you need to do is wander up and down the hall with a TinySA or something similar. It will be almost ridiculously obvious where all the RF racket is coming from. Even before doing that, a handheld Yagi in the parking lot will easily narrow it down to a couple of floors in a specific quadrant of the building. |
| |
| ▲ | avianlyric 6 hours ago | parent | prev [-] | | Yeah modern cellular and WiFi modems use multiple antenna and beam forming to allow multiple same frequency connections to occur, without interference. But when people think of beam forming as “pointing a beam at a phone” that’s kinda thinking of the problem backwards. Modems beam form by looking at the various bits of signal delay coming down multiple antenna, and computing a transform function that will effectively result in the signal it sends mimicking those delays and thus forming a beam pointing in the opposite direction of the incoming signal. But the modem has no idea what physical direction that beam is pointing in, and doesn’t care. It just know how to analyse an incoming signal to effectively mask the inputs from different antenna in order to extract a very weak signal, by taking advantage of constructive interference between a signal received on multiple antenna, and in turn invert that function to create an equivalently strong constructive interference pattern at the source of the signal when replying. Most important the modem has no idea what the actual signal path was, it could have bounced of several buildings, been channeled by some random bit of metal acting as a wave guide, or any other manner of funky interference that literally any physical object creates. All it knows is that is a viable signal path must exist (because it received something), and it can compute a function to send a return signal back down the same path. But it’s very hard to turn that abstract signal path function the modem understands, into an actual physical direction. Not without doing a load of extra calibration and sampling work to understand exactly how all the antenna the modem uses interact with each other, which nobody does, because that information won’t improve the cell towers performance. |
|
