Computer scientists have devised a low-cost way to surreptitiously tease out key location details of people carrying cellphones that are connected to older carrier networks.

The attack, described in a research paper (PDF) penned by members of the University of Minnesota's College of Science and Engineering, is most useful for determining whether a target is within a given geographic area as large as about 100 square kilometers (about 39 square miles) or as small as one square kilometer. It can also be used to pinpoint a target's location but only when the attacker already knows the city, or part of a city, the person is in.

The attack works by exploiting a property of GSM, or Global System for Mobile Communications, cellular networks: the paging messages base stations broadcast to locate a phone are sent in clear text, so anyone with a suitable receiver can read them. By simply calling the target's mobile number and monitoring the network's radio signals as it locates the phone, the attacker can quickly confirm whether the person is in a given location area, the group of cells identified by a LAC, or Location Area Code. Attackers can use the same technique to determine if the target is within range of a given base station inside that location area.

"If the attacker happens to be a burglar and wants to test if a person is not home ... they can determine that the person is not in a particular location, such as their home, and decide that now is a good time to try to break in," Denis Foo Kune, a PhD student who worked on the project, said.

Private detectives or police and government agents who don't want to obtain a court order can also use the technique to confirm whether a person they're tracking is attending a particular demonstration or meeting, he added.

The exploit requires a feature cellphone and a laptop, running the open-source Osmocom GSM firmware and host software respectively, along with a cable connecting the two devices. It also uses a separate cellphone and a landline. The attackers place the equipment in the location area they want to test, use the landline to call the target's cellphone, and use the laptop output to monitor the paging broadcasts that immediately follow over the airwaves.

The pages include the identifier the network has assigned to the mobile device, known as the TMSI, or Temporary Mobile Subscriber Identity, and in rare cases the IMSI, or International Mobile Subscriber Identity, the permanent subscriber identifier. A single observation window contains the identifiers of every phone being paged in the area at that moment, so by calling the target phone several times in short succession and keeping only the identifiers that appear after every call, attackers can map the target's phone number to its TMSI. To keep their surveillance covert, they hang up five seconds after dialing. That's enough time for the network to page the cellphone but not long enough for the mobile device to ring.

While the attack works only when targets are connected to GSM networks, iPhones and other smartphones that are configured to communicate over 2G networks are vulnerable.

Foo Kune said carriers could thwart the attack by doing a better job of obscuring the location of the cellphones they communicate with. One possibility is for them to page the three most recent location areas the target has visited, rather than only the latest one, so that a page no longer pins the phone to a single area. Another is for the TMSI to change after each page is completed, so attackers can't map a phone number to the identifier base stations assign to each device by correlating repeated calls. A third mitigation is to introduce random delays before paging messages are sent, to make it harder to link a call to the page it triggers.
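The number-to-TMSI mapping described above and the TMSI-reallocation countermeasure Foo Kune proposes, as an added example that is not code from the paper or from the Osmocom project: a small Python simulation of one location area's paging channel. Everything in it (the subscriber numbers, the 32-bit TMSI values, the rate of unrelated pages per window, and the class and function names) is constructed for illustration; it reads no radio traffic.

```python
# Added example, not code from the paper or the Osmocom project: a toy model of
# one GSM location area's paging channel, used to show (1) how repeated short
# calls let an attacker intersect paged TMSIs down to the target's, (2) how the
# recovered TMSI gives a yes/no presence test for a location area, and (3) how
# reallocating the TMSI after every page defeats step (1). Subscriber numbers,
# TMSIs and paging rates are all constructed, not captured data.
import random


class LocationArea:
    """One location area: the numbers currently camped in it, each holding a
    network-assigned TMSI. An observation window is the set of TMSIs a
    paging-channel sniffer would read in the seconds after a call is placed."""

    def __init__(self, present_numbers, background_pages, reallocate_tmsi=False, seed=1):
        self.rng = random.Random(seed)
        self.present = list(present_numbers)
        self.background_pages = background_pages   # unrelated pages per window
        self.reallocate_tmsi = reallocate_tmsi     # the mitigation under test
        self.tmsi = {num: self._fresh_tmsi() for num in self.present}

    def _fresh_tmsi(self):
        return self.rng.getrandbits(32)

    def page_window(self, called_number=None):
        """TMSIs broadcast in the window after `called_number` is dialled.
        Pages for other subscribers happen regardless; the callee is paged
        here only if it is camped in this area."""
        paged = set(self.rng.sample(self.present, self.background_pages))
        if called_number in self.tmsi:
            paged.add(called_number)
        seen = {self.tmsi[n] for n in paged}
        if self.reallocate_tmsi:
            # Mitigation: every paged phone gets a new TMSI, so the value
            # seen in this window never reappears in a later one.
            for n in paged:
                self.tmsi[n] = self._fresh_tmsi()
        return seen


def map_number_to_tmsi(area, number, calls):
    """Attacker step 1: dial `number` `calls` times, hanging up before it
    rings, and keep only the TMSIs that were paged after every call."""
    candidates = None
    for _ in range(calls):
        seen = area.page_window(called_number=number)
        candidates = seen if candidates is None else candidates & seen
    return candidates


def in_location_area(area, tmsi, number):
    """Attacker step 2: with the TMSI known, one call answers whether the
    phone is currently in the area the sniffer is listening to."""
    return tmsi in area.page_window(called_number=number)


if __name__ == "__main__":
    numbers = [f"+1612555{i:04d}" for i in range(2000)]   # constructed
    target = numbers[42]

    home = LocationArea(numbers, background_pages=50)
    found = map_number_to_tmsi(home, target, calls=5)
    print("candidates after 5 calls:", found)             # a single TMSI
    tmsi = next(iter(found))
    print("target in home area:", in_location_area(home, tmsi, target))

    elsewhere = LocationArea(numbers[1000:], background_pages=50, seed=2)  # target absent
    print("target in other area:", in_location_area(elsewhere, tmsi, target))

    hardened = LocationArea(numbers, background_pages=50, reallocate_tmsi=True)
    print("candidates with TMSI reallocation:", map_number_to_tmsi(hardened, target, calls=5))
```

Run the block directly to see the candidate set shrink to one TMSI after five calls in the area where the target is camped, the presence test fail in an area where the target is not, and the intersection collapse to the empty set once the network reallocates TMSIs after every page. The other two mitigations would appear in this model as the callee being paged in `page_window` for areas it has already left, and as pages drifting out of the window tied to each call.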

Foo Kune said his group has contacted both AT&T and Nokia with its findings. The paper, co-authored by associate professors Nick Hopper and Yongdae Kim and undergraduate student John Koelndorfer, was presented at last week's 19th Annual Network & Distributed System Security Symposium in San Diego.