What does your mobile network operator know about your location?
Background
If you have ever watched a spy film you might have wondered how government agencies or the police locate somebody’s cellular phone. Despite the fact that on screen it usually takes a magical 60 seconds, it really is possible to get the location of a mobile phone with quite good accuracy. In the real world it requires cooperation with the mobile network operator (which such agencies of course have :>). Getting back on topic, the question is: how much does your operator know about your location?
In this post I will focus on GSM communication, which is still the most popular technology. There are several GSM frequency bands; the most common are P-GSM 900, E-GSM 900, DCS 1800 and PCS 1900. One important thing is that each band always has two sub-bands: one for uplink (toward the BTS) and one for downlink (toward the mobile phone). Example: P-GSM’s uplink band is 890-915 MHz and its downlink band is 935-960 MHz.
When you switch on your mobile…
Upon switch-on your mobile phone attempts to perform a Location Registration on the registered mobile network. Then, whenever a mobile network is selected, it searches for a suitable cell to camp on. The mobile scans some of the strongest RF channels in descending order of received signal level. It also checks that the particular cell is not barred (the operator may decide not to allow camping on some cells). At this phase your cellular phone knows which BTSs are in its range.
Hey, I’m still here!
Once you are successfully connected to the mobile network, your mobile is either in the active state (while actively communicating) or in the idle state. In idle, the mobile phone periodically notifies the network of its availability (periodic Location Update). This is controlled by the timer called T3212, with a range of 0-255 minutes (0 meaning infinity). This parameter is cell specific. Polish operators usually use values of 120-180. The timer is restarted after each Location Update procedure and after each radio connection release.
During the Location Update procedure, your cellular phone sends the network several pieces of information, e.g. the signal strength and quality of the serving cell and information about up to 6 best neighbour cells. In the active state such measurement reports are sent every 480 or 960 ms. This is used to ensure roaming within the network.
I see you…
So your mobile phone is reporting to the network what it “sees” around it. As mentioned earlier, this is used for roaming (i.e. there is no need to break a call while driving). But it can also be used to locate a mobile. The network now knows which cell you are camping on and which cells are in your neighbourhood (up to 6). It also knows the signal strength of each of them (as reported by your mobile).
Taking into account the fact that the locations of BTSs are known (even publicly), the network operator can estimate the location of your mobile phone by triangulation. To increase the accuracy of the estimate, the mobile network operator can also take terrain characteristics into account, because signal propagation differs under certain circumstances.
With all this data it is possible to estimate your location with quite good accuracy: in urban areas, where there are many BTSs, even down to 10-20 metres. So it can be comparable even with GPS, and it works inside buildings, where GPS-enabled mobile phones are helpless.
Mobile network operators have a great deal of information about how you use your SIM card and where you use it. They also know which mobile phone you are using (by its IMEI number), so whatever you are doing, you should do it with caution.
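To make the estimation concrete, here is an added example (not code from the original post) of what an operator can compute from a single measurement report: the serving cell and neighbour cells with their reported signal levels are turned into rough ranges with a log-distance path-loss model and combined into a weighted centroid over the known BTS positions. The BTS coordinates, the measurement report, the BTS transmit power and the path-loss exponent are all constructed assumptions; the RXLEV-to-dBm decoding follows 3GPP TS 45.008.

```python
import math

# Constructed sample BTS positions (metres on a local flat grid, not real sites).
BTS_SITES = {"cell_A": (0.0, 0.0), "cell_B": (800.0, 0.0),
             "cell_C": (400.0, 700.0), "cell_D": (1200.0, 600.0)}

# Constructed measurement report: serving cell first, then neighbours, each as
# a GSM RXLEV value (0..63). 3GPP TS 45.008 maps RXLEV n to about (-110 + n) dBm.
REPORT = {"cell_A": 38, "cell_B": 33, "cell_C": 30, "cell_D": 24}

def rxlev_to_dbm(rxlev):
    """Decode a 6-bit RXLEV field into an approximate received level in dBm."""
    if not 0 <= rxlev <= 63:
        raise ValueError("RXLEV must be in 0..63")
    return -110 + rxlev

def dbm_to_distance(rx_dbm, tx_power_dbm=43.0, path_loss_exp=3.5):
    """Invert a log-distance path-loss model to get a rough range in metres.

    Assumed parameters: BTS EIRP 43 dBm, urban exponent 3.5, and roughly
    31.5 dB free-space loss at 1 m in the 900 MHz band.
    """
    path_loss = tx_power_dbm - rx_dbm
    return 10 ** ((path_loss - 31.5) / (10 * path_loss_exp))

def estimate_position(report, sites):
    """Weighted centroid of the reported cells, weight = 1 / range^2.

    With only the serving cell reported this degrades to plain Cell-ID
    positioning: the estimate is just that BTS's own location.
    """
    weights = {}
    for cell, rxlev in report.items():
        if cell not in sites:      # neighbour whose site is unknown: skip it
            continue
        d = dbm_to_distance(rxlev_to_dbm(rxlev))
        weights[cell] = 1.0 / (d * d)
    if not weights:
        raise ValueError("no reported cell matches a known site")
    total = sum(weights.values())
    x = sum(w * sites[c][0] for c, w in weights.items()) / total
    y = sum(w * sites[c][1] for c, w in weights.items()) / total
    return x, y

def nearest_site(point, sites):
    """Name of the known BTS closest to a point (plausibility check)."""
    return min(sites, key=lambda c: math.dist(point, sites[c]))
```

Calling `estimate_position(REPORT, BTS_SITES)` on the constructed report lands a few hundred metres from the serving cell, between the four sites; with a single reported cell the same function only returns that BTS's coordinates, which is why accuracy drops sharply outside dense urban areas.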
P.S. If you have an Android-powered smartphone you can check the information about the current cell and neighbour cell(s). To do this, dial *#*#info#*#* (i.e. *#*#4636#*#*) and tap “Phone information”.
Any ideas where in the Android source code they run the T3212 timer?
Hi Anthony,
I suppose that T3212 is managed by the SIM card itself, rather than by the cellphone’s firmware/software.