
They call non-smartphones 'feature phones', and unlike 3G network phones, they all have GPS as part of the CDR. LTE has it as well; only 3G doesn't. 3G network stuff uses old PPPoE because phone companies are lazy.


You're saying every low-end phone has GPS active, then gets and transmits a fix for every phone call?


No, it doesn't work that way -- it's actually rather ingenious. It turns out that a cell phone system can determine a phone's position with reasonable accuracy by comparing its arrival times at different cell towers.

With two towers receiving a cell phone's signal, the phone can be located along a line. With three towers, it can be located as a point. It's all to do with the cell signal's arrival time, and it's sort of like radar in reverse.

No GPS needed. A GPS-equipped phone provides more accurate positions, but the passive cell-towers method is suitable for many applications.

http://farm4.static.flickr.com/3278/2867853394_7703d6c99f.jp...


Sure, and for 911 that's one thing. But the poster said GPS is saved in the CDRs, which is something I had not heard of. Otherwise it'd be best-of triangulation if needed. And I was under the impression that was only done for Phase 2 Wireless 911 calls. (And with far less accuracy than GPS.)


Even without GPS, the cell phone position can often be triangulated by the tower itself.

That even has a compelling public safety justification (911 calls) so it wouldn't surprise me if phone companies were already doing that as a matter of course.


> Even without GPS, the cell phone position can often be triangulated by the tower itself.

Towers, not tower. With two towers receiving a cell phone's signal, the phone can be located along a line; with three towers, it can be located as a point -- not as accurate as GPS, but reasonably accurate.

http://farm4.static.flickr.com/3278/2867853394_7703d6c99f.jp...


Or if you have a van and work with Verizon Wireless, once you know its general location near one tower, you can drive around with a high-powered femtocell, hijack the phone's tower connection and close in on its exact location.

If you're a GSM user you don't need to update the phone's PRL list to hijack its tower connection, so you could do something similar yourself with an OpenBTS setup (though without the tower information to correlate, you'd be doing a lot more driving).

http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-a...


There is no 'gps' in CDR, there is the ID of the tower, which can be mapped to a geolocation. Especially in urban environments, the location of the tower is pretty tightly correlated with the location of the phone. Looking at CDRs over time, you can get an even better idea.

3G is not immune from this. There is a record of which tower the phone was registered at.

The GPs solution is good, but it requires a lot of phones and SIMs, as well as very good discipline, to properly mask your activities.


The definition of CDR, even though there's a standard, isn't really standardized between companies, networks, or hardware. The switches actually puke a huge blob of semi-trustworthy data in a long record, and internally we called it something other than a CDR, though other companies may call it that. Then we had a bunch of other nicknames for different subsets of the data; the smallest one was referred to internally in the lab as a CDR. The full data record we pulled from the feature phone included any GPS reported. We couldn't get the exact same field from a 3G phone because that network was designed so the switch was kind of brainless about location, other than the direction from the base station. I think it was, at the time the network was built, the laziest possible way to achieve tolerable TCP/IP traffic throughput, so that's what they did. Literally PPPoE.

The method described by multiple people in response to my post is how they attempt to triangulate 3G phones for law enforcement, and if a local sheriff from Cracker Barrel, Arkansas or something requests the data, that's what they get: the subset of the call record and the estimated location, along with a big disclaimer "THIS MAY NOT EVEN BE ACCURATE TO WITHIN 2KM!" We did constant hands-on tests trying to refine it. Statistically it seems like a good idea, but when research tried it on specific people (ourselves) we ended up with no confidence it would work accurately even 3/5 times. We tested it in suburbs, cities, rural; all have different weird factors and significant problems associated with the technique. As a basic example, you can be near a cell tower (which have directional antennae), standing at a specific angle to a couple of tall buildings, and the reflected signal will appear to have you standing in two places at once, or even teleporting between two locations on a minute-by-minute basis, at which point the data is useless. In theory we can model what highway you're driving on; in reality it's a coin flip what area code you're in.

I think this is also critical if you're thinking of law enforcement applications of this: the base station switches do not report the data back instantly or even in the order they receive it. So our fastest estimate, if everything worked perfectly, was a 3-4 hour turnaround. Sometimes one of the relevant CDRs for triangulation comes back THREE DAYS after the call is made. Incidentally, this is the same data that would be collected by the NSA under the Snowden thing, so military applications would also be limited at best. I mean, if they were dumb enough to try to use it that way they might end up hitting school buses or weddings with cruise missiles or something, and no one wants that.

The result of this was a heavy focus on femtocells, which have such a small area that they know where you are because you can't possibly be outside the Starbucks or whatever. It turned out to have other, smaller problems: femtocells get overpowered by nearby base stations all the time. I don't know how they were trying to use the one in the van when they caught those Boston bombers, but I expect the idea was that the phone only knows to jump to the strongest signal, and that way they could just stop any calls they made. In a neighborhood with a close base station this would be a lot less effective even if the femtocell was massively overpowered; the base station stuff is just this blast of signal and it reflects everywhere, so the guy would get through or not randomly.

I think the most damning thing here is that no one who participated in the research would ever testify in a court that the method in question definitely places the phone in question at 123 Cherry Lane, or on the same block as Cherry Lane, or in Cherry Village, or, if there was a car involved, even in Cherry County. On the other hand, when your shiny new LTE phone is reporting back its GPS on a millisecond basis with every call and tons of HTTP headers, things will get a lot easier. For them. I won't be doing that kind of work again.
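As an added illustration (not from any commenter in this thread) of the arrival-time method described earlier and of the reflected-signal problem the last post raises: a small Python multilateration solver over a constructed four-tower layout. The tower coordinates, phone position and the 600 m reflected-path delay are constructed assumptions; with three towers the two range-difference equations always solve exactly, so a multipath arrival shifts the fix silently, and only a fourth tower leaves a residual that exposes the inconsistency.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def residuals(towers, tdoas, x, y):
    """Range-difference residuals (metres) of candidate (x, y):
    C * tdoa_i minus the geometric (d_i - d_0) it should equal."""
    d0 = math.hypot(x - towers[0][0], y - towers[0][1])
    return [C * dt - (math.hypot(x - tx, y - ty) - d0)
            for (tx, ty), dt in zip(towers[1:], tdoas)]

def tdoa_locate(towers, tdoas, iters=50):
    """Gauss-Newton multilateration; towers[0] is the reference, tdoas[i-1] is
    arrival at tower i minus arrival at tower 0 (s). Returns (x, y, rms_m)."""
    x = sum(t[0] for t in towers) / len(towers)   # start at the towers' centroid
    y = sum(t[1] for t in towers) / len(towers)
    for _ in range(iters):
        d0 = math.hypot(x - towers[0][0], y - towers[0][1])
        rows, res = [], residuals(towers, tdoas, x, y)
        for tx, ty in towers[1:]:                   # Jacobian rows of (d_i - d_0)
            di = math.hypot(x - tx, y - ty)
            rows.append(((x - tx) / di - (x - towers[0][0]) / d0,
                         (y - ty) / di - (y - towers[0][1]) / d0))
        # normal equations (J^T J) delta = J^T res, solved directly for 2 unknowns
        a = sum(r[0] * r[0] for r in rows)
        b = sum(r[0] * r[1] for r in rows)
        d = sum(r[1] * r[1] for r in rows)
        gx = sum(r[0] * e for r, e in zip(rows, res))
        gy = sum(r[1] * e for r, e in zip(rows, res))
        det = a * d - b * b
        if abs(det) < 1e-12:
            break
        dx, dy = (d * gx - b * gy) / det, (a * gy - b * gx) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    res = residuals(towers, tdoas, x, y)
    return x, y, math.sqrt(sum(e * e for e in res) / len(res))

def simulate_tdoas(towers, phone, extra_path=None):
    """Constructed arrival-time differences for a phone at `phone`; extra_path maps
    tower index -> added metres of path (a reflected, multipath arrival)."""
    extra_path = extra_path or {}
    dist = [math.hypot(phone[0] - tx, phone[1] - ty) + extra_path.get(i, 0.0)
            for i, (tx, ty) in enumerate(towers)]
    return [(di - dist[0]) / C for di in dist[1:]]

# Constructed scenario: four towers on a 3 km square, phone at (1200, 800) m.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]
PHONE = (1200.0, 800.0)
```

With `TOWERS[:3]` and a 600 m extra path on tower 2, the three-tower fix lands several hundred metres from the phone with a near-zero residual; the same data over all four towers leaves an RMS residual on the order of hundreds of metres, which is the check that flags the fix as untrustworthy.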
