Hi Yanis,
I'm CCing the OsmoconBB list who could perhaps help setup a MSC-GPS data collector.
On Feb 22, 2010, at 8:09 PM, Yanis Pavlidis wrote:
Hi all,
not exactly related to airprobe itself, but I am sure people on this list could answer my question. So, after reading Tobias Engels' presentation on 25c3 ( http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-m... ), I found out you can perform an HLR lookup and come up with the current MSC number that "controls" the connection of the subscriber, for any subscriber.
Yes, every telco company and VoIP provider with SS7 access in the world always knows where you are. Scary.
My question is, is this MSC number, visible from the mobile phone side? If yes, somebody could actually wardrive, to get the MSC number-to-location mapping? Can airprobe, or OpenBTS help?
Creating the {MSC -> location} mapping database would be a very worthwhile exercise. The data collection would have to happen from phones. Either we create an application for one of the popular phone platforms (Symbian, Android, iPhone). Anybody on the list knows if these phones expose the MSC number to application software?
Alternative, the Osmocon project could probably expose the MSC information easily. The project is still in early stages and it will take a few months until a collector software could be running. I wonder if any of the supported Motorola phones have GPS?
Forgive my ignorance on all-things-gsm, I am just beginning exploring!
Thanks for bringing up the topic!
Thanks all, Yanis
Cheers,
-Karsten
On Thursday 25 February 2010 20:50:54 Karsten Nohl wrote:
Creating the {MSC -> location} mapping database would be a very worthwhile exercise. The data collection would have to happen from phones. Either we create an application for one of the popular phone platforms (Symbian, Android, iPhone). Anybody on the list knows if these phones expose the MSC number to application software?
Alternative, the Osmocon project could probably expose the MSC information easily. The project is still in early stages and it will take a few months until a collector software could be running. I wonder if any of the supported Motorola phones have GPS?
Hi,
I'm not aware of any GSM 04.08 message containing information about the MSC (besides GMM Error Message MSC not reachable).
The only thing that is available is the Location Area Code and that is broadcasted in the System Information Type. So I assume you are meaning this one? In GSM it is possible to page you by LAC so that is the closest you get by without more advanced messages.
Did you mean this? In that case we would be at a state where we could easily write such a scanner application. It would scan the ARFCNs, get the SIs write out the LAC, continue..
am I off?
z.
Hi Karsten, all,
On Thu, 25 Feb 2010 20:50:54 +0100 Karsten Nohl nohl@virginia.edu wrote:
My question is, is this MSC number, visible from the mobile phone side? If yes, somebody could actually wardrive, to get the MSC number-to-location mapping? Can airprobe, or OpenBTS help?
Creating the {MSC -> location} mapping database would be a very worthwhile exercise. The data collection would have to happen from phones. Either we create an application for one of the popular phone platforms (Symbian, Android, iPhone). Anybody on the list knows if these phones expose the MSC number to application software?
Yes, the answer is: No. The phone does not know about this.
It would have to be a service that incorporates a user or mobile phone software based part that knows about the location and a network based part that can perform a SMS routing request. Both of these would have to be correlated.
The implementation of this in a way that honors privacy as well as security is left as an exercise to the reader.
This is most certainly not a task within the scope of osmocom-bb.
cheers, nibbler
p.s. the relevant cell specific information that is known to the phone can be found in the first seven fields e.g. here: http://www.nobbi.com/btsdb.php?netw=all&type=c&search=__L447L
On Thu, Feb 25, 2010 at 08:50:54PM +0100, Karsten Nohl wrote:
My question is, is this MSC number, visible from the mobile phone side? If yes, somebody could actually wardrive, to get the MSC number-to-location mapping? Can airprobe, or OpenBTS help?
Creating the {MSC -> location} mapping database would be a very worthwhile exercise. The data collection would have to happen from phones. Either we create an application for one of the popular phone platforms (Symbian, Android, iPhone). Anybody on the list knows if these phones expose the MSC number to application software?
Sorry, the phones have no idea about this, as the current MSN number is an attribute of the core GSM network.
You can only collect this information in the core network by means of some form of access to the SS7 roming network (GSM MAP).
On Thursday 25 February 2010 20:50:54 Karsten Nohl wrote:
Yes, every telco company and VoIP provider with SS7 access in the world always knows where you are. Scary.
A small OT with this (maybe stupid and privacy-unaware) question:
- Why would telco companies be interested in your location with an accuracy of hundreds (or even thousands) sq. Kilometers? (note that most of the MSC datasheets declare to support millions of subscribers)
Creating the {MSC -> location} mapping database would be a very worthwhile exercise. The data collection would have to happen from phones. Either we create an application for one of the popular phone platforms (Symbian, Android, iPhone). Anybody on the list knows if these phones expose the MSC number to application software?
Assuming you have access to the SS7, you can get MSC areas by just picking up hundreds of telephone number from city X and see with which MSC the network responds for most of them. There was something like this in the ppt from Tobias Engel.
Dan
baseband-devel@lists.osmocom.org
-
Harald Welte -
Holger Hans Peter Freyther -
Karsten Nohl -
nibbler -
Valerio, Danilo