How Police Listen to You Part 2:

E911 Phone Tracking and How to Troll It

Thibault Serlet

What Are E911 Pings?

Enhanced 911 (E911) systems automatically locate people who call 911. This technology saves lives, because it lets emergency services know where a caller is even when the caller cannot say. Like most technology, E911 also has a sinister side. Using a request commonly called an E911 ping (sometimes described as a "reverse 911 call", although the phone never rings), police can have a carrier locate a phone on demand, and this works against virtually any cell phone built since the FCC's E911 rules took effect around 1999.

Public-safety answering points rely on Automatic Location Identification (ALI) databases. For landlines, ALI ties a phone number to a service address. For wireless calls, the ALI record is filled in at call time by the carrier's location platform, which supplies either the serving cell site and sector or, where the handset supports it, an A-GPS fix. ALI does not passively log every phone that uses a tower; it holds whatever location the carrier's systems reported for a given number.

Nor does a phone "query" satellites: GPS is receive-only, and the satellites never learn who is listening. The carrier obtains a phone's position only when its network asks the handset for one, which happens on a 911 call and on network-initiated location requests. That is what an E911 ping is. Police ask the carrier to issue such a request, the handset answers silently, and nothing is shown on the target phone.

AGPS: E911's Soft Underbelly

[Note: This method for spoofing E911 pings is purely hypothetical and would be a felony. The writers of this blog seek to educate, not to encourage illegal activities. The purpose of this article is to explain how these technologies work for the curiosity of readers, not to teach users how to be felons.]

A-GPS weaknesses can probably be exploited so that police attempting to track a cell phone are fed imaginary locations. Such an exploit would not only prevent a phone from being tracked; it could also be used to lead police astray. Moderately sophisticated groups such as organized crime, terrorists, or cartels have the resources to attempt it.

The FCC's E911 Phase II rules require wireless carriers to deliver a caller's location to the 911 center, and most carriers meet them with handset-based A-GPS, which is why nearly every cell phone built since the turn of the century can be located by 911 operators. Unfortunately (or fortunately?) the A-GPS exchange between phone and network has weaknesses that could be used to feed a spoofed location to anyone relying on an E911 ping.

In traditional GPS positioning (trilateration rather than triangulation, since distances are measured, not angles), each satellite broadcasts its position and the exact time it sent the signal. The receiver notes the time of arrival, and the travel time multiplied by the speed of light gives the distance to that satellite. Three distances would fix a point in space if the receiver's own clock were perfect; a cheap quartz clock is not, and an error of a single microsecond is 300 metres of range. So a fourth satellite is needed to solve for the clock error along with position, and with four satellites the result is a full 3D fix including altitude. With only three, a receiver can still produce a 2D fix by assuming its altitude.

Phones do contain real GPS receivers, but a cold-start GPS fix is slow: the receiver must first download each satellite's orbit data from the 50 bit/s navigation message, which can take from tens of seconds to minutes and needs a clear view of the sky.



Instead, phones use Assisted GPS (A-GPS). The phone asks a location server in the carrier's network for assistance data: the current satellite orbits, a time reference, and an approximate position derived from the serving cell. With that data the phone's GPS receiver knows where to look and can acquire satellites in seconds rather than minutes. (The network itself does not "ping" satellites; the location server simply keeps a fresh copy of the constellation data from its own reference receivers.) This results in a faster fix, but the extra exchange between phone and network leaves more room for exploits and bugs.

A-GPS comes in two flavours. In mobile-based mode the phone computes its own position from the assistance data and reports coordinates to the network. In mobile-assisted mode, which is what matters here, the phone only measures the raw signal timings (pseudoranges) to the satellites it can hear and sends those measurements to the network; a location server (the SMLC in GSM/UMTS networks, the PDE in CDMA networks) computes the position from them, returns it to the phone if asked, and hands it to the E911 system.
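The computation just described, which a stand-alone GPS receiver performs on its own and which, in mobile-assisted A-GPS, the network's location server performs on the phone's reported measurements, is shown below as an added example. It is not code from the original post or from any carrier's equipment; the satellite positions, the receiver's true position and the clock error are constructed values in a local metre-based frame. The point to notice is that three satellites alone give a badly wrong answer as soon as the receiver clock is off, which is why four are needed.

```python
"""Added example: a GPS-style position fix from pseudoranges.

Each satellite broadcasts its position and transmit time.  The receiver
timestamps arrival with its own imperfect clock, so what it measures is a
"pseudorange":

    rho_i = |sat_i - x| + c * b

with x the unknown position and b the unknown receiver clock bias.  Four
measurements give four equations in four unknowns (x, y, z, b), solved
here by Gauss-Newton iteration.  Satellite and receiver positions are
constructed sample values in a local frame with metre units.
"""
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed satellite positions (metres): one overhead, three spread
# around the horizon at ~120 degree spacing, all roughly 20,000 km up.
SATS = [
    (0.0, 0.0, 20_200_000.0),
    (14_000_000.0, 0.0, 15_000_000.0),
    (-7_000_000.0, 12_000_000.0, 15_000_000.0),
    (-7_000_000.0, -12_000_000.0, 15_000_000.0),
]


def distance(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def make_pseudoranges(true_pos, clock_bias_s, sats=SATS):
    """Measurements a receiver at true_pos with clock error clock_bias_s would report."""
    return [distance(s, true_pos) + C * clock_bias_s for s in sats]


def solve_linear(A, y):
    """Solve the square system A x = y by Gaussian elimination with partial pivoting."""
    n = len(y)
    M = [list(row) + [y[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for k in range(col, n + 1):
                    M[r][k] -= f * M[col][k]
    return [M[i][n] / M[i][i] for i in range(n)]


def fix_with_clock_bias(pseudoranges, sats=SATS, iters=10):
    """Four satellites: returns (x, y, z, clock_bias_seconds)."""
    x, b = [0.0, 0.0, 0.0], 0.0  # start at the local origin with zero bias
    for _ in range(iters):
        rows, resid = [], []
        for s, rho in zip(sats, pseudoranges):
            d = distance(s, x)
            # d(rho)/d(x,y,z) = unit vector from satellite to receiver; d(rho)/d(c*b) = 1
            rows.append([(x[k] - s[k]) / d for k in range(3)] + [1.0])
            resid.append(rho - (d + C * b))
        dx = solve_linear(rows, resid)
        x = [x[k] + dx[k] for k in range(3)]
        b += dx[3] / C
    return x[0], x[1], x[2], b


def fix_ignoring_clock_bias(pseudoranges, sats=SATS, iters=10):
    """Three satellites with the clock bias assumed zero: what a naive solver does."""
    x = [0.0, 0.0, 0.0]
    for _ in range(iters):
        rows, resid = [], []
        for s, rho in zip(sats[:3], pseudoranges[:3]):
            d = distance(s, x)
            rows.append([(x[k] - s[k]) / d for k in range(3)])
            resid.append(rho - d)
        dx = solve_linear(rows, resid)
        x = [x[k] + dx[k] for k in range(3)]
    return tuple(x)


if __name__ == "__main__":
    true_pos = (1_200.0, -850.0, 40.0)  # constructed: about 1.5 km from the local origin
    bias = 1e-4                         # 100 microseconds of clock error = 30 km of range
    rho = make_pseudoranges(true_pos, bias)
    x, y, z, b = fix_with_clock_bias(rho)
    print(f"4-satellite fix: ({x:.2f}, {y:.2f}, {z:.2f}) m, clock bias {b * 1e6:.3f} us")
    naive = fix_ignoring_clock_bias(rho)
    print(f"3-satellite fix ignoring bias is {distance(naive, true_pos) / 1000:.1f} km off")
```

A real receiver adds satellite clock corrections, ionospheric delay models and weighting, but the structure is the same; whoever controls the pseudoranges fed into this solver controls the answer it produces.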

When police use an E911 ping to track a cell phone, the location they receive is whatever the carrier's location server computed from the handset's report. The server largely trusts the measurements the phone sends it. The Achilles heel of E911 tracking is therefore the exchange between the phone and the network, not the satellites.



GPS Spoofing 101: Hi-Jacking Your Own Signal

Recall that in both GPS and A-GPS, distance is derived from time. Several years ago an app appeared that manipulated the phone's internal clock and thereby spoofed its GPS fix. Since then, carrier location platforms have added several countermeasures against A-GPS spoofing.

Considering that the calculation in step 2 (as pictured above) is done locally on the phone, there would appear, at least at first glance, to be a severe vulnerability: the phone can report whatever it likes.

Most countermeasures revolve around checking that the timings reported by the phone are consistent with what the network already knows: the serving cell's own position and timing, the current satellite constellation, and the network's clock. If the raw measurements (step 3) do not agree with the processed fix (step 6), or the fix lands somewhere the serving cell cannot reach, red flags are raised.
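Here is an added example, not any carrier's actual logic, of the kind of consistency check described above: before a handset-reported fix is accepted, it is compared with facts the network already holds (the serving cell's location and coverage radius, network time, and the previous fix for that handset). The cell site, the tolerances and the sample fixes are constructed for the example.

```python
"""Added example: plausibility checks on a handset-reported A-GPS fix.

Illustrative version of the network-side consistency checks described
above; not any carrier's actual implementation.  A fix is flagged if:
  1. it lies outside the serving cell's coverage radius,
  2. the handset's timestamp disagrees with network time, or
  3. it implies impossible speed relative to the previous accepted fix.
Cell site, tolerances and fixes are constructed sample data.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

EARTH_RADIUS_M = 6_371_000.0
MAX_CLOCK_SKEW_S = 2.0      # assumed tolerance between handset and network clocks
MAX_SPEED_MPS = 350.0       # assumed ceiling: faster than any road or rail travel


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class CellSite:
    cell_id: str
    lat: float
    lon: float
    radius_m: float          # farthest a handset on this cell can plausibly be


@dataclass
class Fix:
    lat: float
    lon: float
    handset_time: float      # seconds, as stamped by the phone
    network_time: float      # seconds, as stamped by the location server on receipt
    serving_cell: str


def check_fix(fix: Fix, cells: Dict[str, CellSite],
              previous: Optional[Fix] = None) -> List[str]:
    """Return the reasons a fix is suspicious; an empty list means it is accepted."""
    reasons = []
    cell = cells[fix.serving_cell]

    # 1. The fix must be somewhere the serving cell can actually hear the phone.
    d_cell = haversine_m(fix.lat, fix.lon, cell.lat, cell.lon)
    if d_cell > cell.radius_m:
        reasons.append(f"fix is {d_cell / 1000:.0f} km from serving cell "
                       f"{cell.cell_id} (coverage radius {cell.radius_m / 1000:.0f} km)")

    # 2. A-GPS hands the phone an accurate time reference; a large skew means
    #    the phone's clock, and therefore its ranges, cannot be trusted.
    skew = abs(fix.handset_time - fix.network_time)
    if skew > MAX_CLOCK_SKEW_S:
        reasons.append(f"handset clock off by {skew:.1f} s (max {MAX_CLOCK_SKEW_S} s)")

    # 3. Successive fixes must not imply teleportation.
    if previous is not None:
        dt = fix.network_time - previous.network_time
        moved = haversine_m(fix.lat, fix.lon, previous.lat, previous.lon)
        if dt <= 0 or moved / dt > MAX_SPEED_MPS:
            speed = moved / dt if dt > 0 else float("inf")
            reasons.append(f"implied speed {speed:.0f} m/s since previous fix "
                           f"(max {MAX_SPEED_MPS:.0f} m/s)")
    return reasons


# Constructed sample data: a cell site in lower Manhattan with a 5 km radius,
# one genuine fix nearby, then a "fix" claiming the phone is in Los Angeles.
CELLS = {"NYC-0423": CellSite("NYC-0423", 40.7128, -74.0060, 5_000.0)}
GENUINE = Fix(40.7200, -74.0000, handset_time=1_000.0, network_time=1_000.3,
              serving_cell="NYC-0423")
SPOOFED = Fix(34.0522, -118.2437, handset_time=1_050.0, network_time=1_060.0,
              serving_cell="NYC-0423")

if __name__ == "__main__":
    print("genuine:", check_fix(GENUINE, CELLS) or "accepted")
    for reason in check_fix(SPOOFED, CELLS, previous=GENUINE):
        print("spoofed:", reason)
```

Note what these checks can and cannot do: they catch a report that disagrees with the serving cell or with time, but a spoofed fix placed a few hundred metres away, inside the same cell and at the right time, passes all three. Any real countermeasure has to compare the raw measurements against the satellite geometry as well.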

Ironically, one of the tools that could be used to misdirect A-GPS is a piece of common police equipment: an IMSI-Catcher. It is far from the most cost-efficient option, and I explained how they work in this article. IMSI-Catchers are used in a wide variety of electronic warfare applications such as tracking, listening, intercepting, and signal jamming.

A commercially available IMSI-Catcher does not overpower the phone's transmission at the tower; it impersonates a base station. Phones attach to whichever cell presents the strongest signal, so a rogue cell placed near the target captures the phone's uplink outright: everything the phone sends, including its answers to location requests, now goes to the IMSI-Catcher rather than to the carrier's tower. On 2G networks, where the phone does not authenticate the network, the IMSI-Catcher can also relay traffic onward to the real network and sit in the middle of the exchange. Please note that operating such equipment without authorization violates FCC rules and is illegal in the United States.

Once the phone's traffic has been hi-jacked, one major problem remains. The raw measurement data the phone sends to the network is complex and hard to fabricate: the pseudoranges must be mutually consistent with where the satellites actually are at that instant.

In order to send convincing data to the network, it would be necessary to pre-record large amounts of real measurement data, most easily with a cheap burner phone that speaks the same A-GPS protocol as the phone to be obfuscated. The catch, and it is a big one, is that recorded measurements go stale within minutes: GPS satellites move at several kilometres per second, so a measurement set captured earlier will not match the constellation the location server expects at replay time. This step is not detailed here.

Lastly, precise timing is needed: the spoofed report must arrive within the window the network gives the handset to answer, which is small, roughly a tenth of a second.

To solve the timing problem, a small application that watches for the phone's GPS being activated by a location request and immediately triggers the signal spoofer would be needed.

Getting the IMSI-Catcher to broadcast at precisely the right moment sounds difficult, but a mistimed broadcast has few consequences: there are many sources of distortion, environmental and otherwise, so location servers routinely discard unusable data and simply try again.

So here's a brief recap. An E911 ping delivers whatever fix the carrier's location server computed from the handset's report; beyond the serving cell, the server has no independent view of where the phone is. This means that if the measurements the server receives can be replaced with ones describing an alternate location, the users of an E911-like system would be tricked into believing the phone is at that alternate location.

To do this, a signal spoofer would hi-jack the phone's connection and substitute raw measurement data harvested earlier by a burner phone.

Here is the diagram of it all put together:



Such a hack has not been tested and would be difficult, costly, dangerous, and easily patched. Once carriers catch on, a simple software update would make this and similar tricks detectable. For example, if the location server receives a fix that disagrees with the serving cell's position or timing, it could automatically flag the record before it reaches the ALI database.

Whether such a hack is implementable is beside the point.

There is a very simple and legal way of blocking E911 pings: inexpensive, commercially available signal-proof (Faraday) phone cases. A shielded phone cannot be pinged, though it also cannot make or receive calls, and the carrier still holds the last cell site the phone registered on before it went dark. The more important point is that E911 location is weaker than it looks and suffers from numerous technological vulnerabilities.

Stay safe. If you’re interested, have a compelling reason why this might or might not work, or want to learn about my project, http://cryptocom.pw , drop me a line: TSerlet@CryptoCom.pw