His is my research notes into is it possible to get a phone to spit out the address of a cellphone using the E911 service built into every phone, (speculation: i think this is what sting ray's use to track people not totally sure if that is part of the service.)
Key things of Interest:
- protocol is unencrypted!
- location can be sent to non emergency services (im thinking hackers!) (off by default :/ sad face)
By default, this selection is usually turned off, to protect privacy. In areas such as tunnels and buildings, or anywhere else that GPS is not available or reliable, wireless carriers can deploy enhanced location determination solutions such as Co-Pilot Beacon for CDMA networks and LMU's for GSM networks.
- AMI numbers are what 911 uses to look up a database of phone customers addresses
this database is managed using software from these companies Bandwidth (company) - Wikipedia, Intrado, and TeleCommunication Systems, Inc
Possible information gathering: https://www.bandwidth.com/careers/openings/
It has been hacked before!
Harald Welte proved at HAR2009 that many high-end smart-phones submit their GPS location to the mobile operator when requested. This happened without any sort of authentication.
The dude who did it!
Harald Welte Landreiterweg 34a 12353 Berlin GERMANY Phone +49-30-24033902 (NOTE: Phone calls are generally not answered, unless scheduled in advance via email or Fax) Fax +49-30-24033904 Email email@example.com
The guys website
Here is the E911's protocol for sending these location data requests
Where to find the protocol specifications:
Raw link to latest pdf of protocol spec as of 20210821
general information about E911 from the FCC
Stuff to look at within the protocol
Radio resource location services protocol
Things of interest
`MS basedThe MS (mobile phone) performs E-OTD or GPS measurements, and successively performs the complete computation of the geolocation inside the phone. The result of this computation is then sent back to the carrier network.
In this mode, the network typically needs to send so-called assistance data to the phone.`
this mode will send location data to my hacked system!