His is my research notes into is it possible to get a phone to spit out the address of a cellphone using the E911 service built into every phone, (speculation: i think this is what sting ray's use to track people not totally sure if that is part of the service.)

network topology of E911

Key things of Interest:

  • protocol is unencrypted!
  • location can be sent to non emergency services (im thinking hackers!) (off by default :/ sad face)
  • By default, this selection is usually turned off, to protect privacy. In areas such as tunnels and buildings, or anywhere else that GPS is not available or reliable, wireless carriers can deploy enhanced location determination solutions such as Co-Pilot Beacon for CDMA networks and LMU's for GSM networks.
  • AMI numbers are what 911 uses to look up a database of phone customers addresses

                    this database is managed using software from these companies Bandwidth (company) - Wikipedia, Intrado, and TeleCommunication Systems, Inc

Possible information gathering: https://www.bandwidth.com/careers/openings/

It has been hacked before!

Harald Welte proved at HAR2009[3] that many high-end smart-phones submit their GPS location to the mobile operator when requested. This happened without any sort of authentication.

The dude who did it!

Harald Welte
Landreiterweg 34a

12353 Berlin


+49-30-24033902 (NOTE: Phone calls are generally not answered, unless scheduled in advance via email or Fax)

The guys website

Here is the E911's protocol for sending these location data requests

Radio resource location services protocol - Wikipedia

Where to find the protocol specifications:


Raw link to latest pdf of protocol spec as of 20210821


general information about E911 from the FCC

911 and E911 Services
The Nation’s 911 System 9-1-1 service is a vital part of our nation’s emergency response and disaster preparedness system. In October 1999, the Wireless Communications and Public Safety Act of 1999 (9-1-1 Act) took effect with the purpose of improving public safety by encouraging and facilitating th…

Stuff to look at within the protocol

Radio resource location services protocol

Radio resource location services protocol - Wikipedia

Things of interest

`MS basedThe MS (mobile phone) performs E-OTD or GPS measurements, and successively performs the complete computation of the geolocation inside the phone. The result of this computation is then sent back to the carrier network.

In this mode, the network typically needs to send so-called assistance data to the phone.`

this mode will send location data to my hacked system!

Another possible vector is a sql injection using the address

rubbing hands together emoji