Telephone Networks & Traffic Analysis


Geo-positioning is the act of determining where an object is located. Different methods of positioning have dramatically different accuracy ranges. Cell phones can be positioned with several different techniques. Most cell phones today have GPS capabilities, which allow positioning to within around thirty meters. Cell phones with WiFi can be positioned with WPS (WiFi Positioning System) technology, which allows accuracy of around ten meters. Cell phones can also be triangulated, which gives accuracy of around one hundred meters.

Remotely positioning a target's phone can be accomplished by adversaries of all sorts. Federal agents in the USA are pushing for telecommunication companies to be required to keep geo-position records of cell phones. If this does not come to pass, they can obtain such records themselves by setting up their own antenna mesh networks. These networks can position phones using WPS or traditional cell signal triangulation. Agents can set up networks of WiFi antennas that analyze signal strength. When a phone's signals are received by multiple antennas, the signal strength each antenna observes can be processed to determine the geospatial position of the phone they are coming from. The same technique can be used for positioning laptops, computers, PDAs or any other device that broadcasts a WiFi signal.

Agents can position phones without WiFi by analyzing cellular signals with a similar technique. They do not need the cell towers of the telecommunications provider; they can easily set up their own antennas. They do not need warrants to do this, nor will they likely need warrants to get positioning data directly from the telecommunication providers.

An adversary with the ability to gain unauthorized access to a cell phone, be they a hacker or an agent, can potentially position it remotely by using its on-board GPS. Some telecommunication providers already keep geo-positioning records of cell phones, and these databases are potentially for sale to data miners.

Cellular geo-positioning can be used for various attacks depending on the accuracy of the positioning system used. Most individuals carry their cell phone with them at all times, which allows a positioner to know the movements of a target over time. Passive attacks can be carried out by scanning massive collections of geo-positioning data for stereotypical patterns. It is widely known that law enforcement associates excessive traffic to a dwelling with drug dealing. This is a stereotypical pattern of low and mid level drug dealers: multiple individuals enter their homes, stay for a brief period of time and then leave.

If these individuals carry cell phones with them, this pattern can be detected passively with computers. There is no need for law enforcement to observe the stereotypical traffic patterns of drug dealing; a computer can analyze geo-positioning records of cell phones and detect this pattern with no adversarial human observation of the actual human traffic. The attack does not stop here. A mid or low level dealer often gets his drugs from a supplier before selling them to consumers. The adversary can scan the geo-positioning logs and use crowd reduction attacks to find which cell phones the suspected dealer's cell phone was near with regularity. Of course there will be many neutral third party cell phones near the dealer's cell phone over a given stretch of time, but by removing cell phones that are not near the dealer's cell phone with a pattern of frequency, this chaff can be filtered out. Likely suppliers are what is left. By analyzing the geo-positioning information of the suspected suppliers' cell phones, characteristics of a supplier may show. For example, perhaps one of the suspected suppliers' geo-positioning information shows that he makes trips to a drug source state with a pattern of regularity.

The attack is still not done. By analyzing the geo-positioning records of the suspected supplier, the adversary can determine not only everyone the supplier likely supplies, but also the geospatial location where he makes his purchases. Perhaps his cell phone's geo-positioning records indicate that he has a pattern of going to a particular location in a drug source state before driving back to his home state. The location in the drug source state is likely the source of drugs, perhaps a grow house or the home of an importer.

This attack is not limited to going up a hierarchy of drug distribution; it can also go outwards. All of the dealers supplied by the supplier can have their geo-positioning records analyzed with a crowd reduction attack, and now all of the likely customers of each dealer are known. Simply by feeding all cell phone geo-positioning records into a supercomputer, the adversary can map out a tremendous number of individuals involved with the drug trafficking business as well as their likely role in the networks they are involved with.
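The crowd reduction described above is nothing more than counting shared (time, cell) slots and discarding phones that share too few of them. The following Python is an added example, not code from the original post or from any real analysis system; every phone id, grid cell and visit schedule in it is constructed to show why the filtering works: one-off bystanders drop out at any sensible frequency threshold, while a phone that is repeatedly in the same cell at the same time as the target survives, and the same function applied to the survivors walks outward through the network.

```python
"""
Co-location crowd reduction over a constructed location log.

Added illustration (not from the original post). Records are
(phone_id, absolute_hour, cell) where a cell is a coarse grid square
standing in for ~100 m positioning accuracy. All ids and schedules
below are constructed; there is no real data here.
"""
from collections import Counter, defaultdict

HOME, MEET = (5, 5), (9, 9)  # constructed grid cells


def build_records(days=28):
    """Build a constructed four-week log for a handful of phones."""
    recs = []
    for d in range(days):
        travel_day = d % 7 == 3
        # Target phone "T" is home from 08:00 to 22:00, except for a weekly
        # midday trip to MEET on travel days.
        for h in range(8, 23):
            cell = MEET if (travel_day and h == 12) else HOME
            recs.append(("T", d * 24 + h, cell))
        if d % 7 in (1, 4):                      # regular visitor to HOME
            recs.append(("R", d * 24 + 18, HOME))
        if d % 7 in (3, 5):                      # "S" is at MEET twice a week
            recs.append(("S", d * 24 + 12, MEET))
        if d % 7 == 5:                           # another phone meeting S
            recs.append(("D2", d * 24 + 12, MEET))
    for i in range(20):                          # 20 one-off bystanders at HOME
        recs.append((f"B{i}", i * 24 + 8 + (i % 15), HOME))
    return recs


def colocations(records, target):
    """Per other phone, count (time, cell) slots shared with `target`."""
    present = defaultdict(set)
    for pid, t, cell in records:
        present[(t, cell)].add(pid)
    counts = Counter()
    for pid, t, cell in records:
        if pid != target:
            continue
        for other in present[(t, cell)]:
            if other != target:
                counts[other] += 1
    return counts


def crowd_reduce(records, target, min_count):
    """Keep only phones co-located with `target` at least `min_count` times."""
    return {p for p, n in colocations(records, target).items() if n >= min_count}


def map_network(records, seed, min_count, hops):
    """Repeat crowd reduction from each newly found phone (outward expansion)."""
    known, frontier = {seed}, {seed}
    for _ in range(hops):
        found = set()
        for p in frontier:
            found |= crowd_reduce(records, p, min_count)
        frontier = found - known
        known |= frontier
    return known - {seed}


if __name__ == "__main__":
    recs = build_records()
    print("raw co-location counts:", dict(colocations(recs, "T")))
    print("after crowd reduction (>=3):", crowd_reduce(recs, "T", 3))
    print("two hops outward:", map_network(recs, "T", 3, 2))
```

With the constructed schedule, all twenty bystanders are co-located with T exactly once and vanish at a threshold of three, leaving R and S; applying the same reduction to S turns up D2, which never shared a cell with T at all. The threshold is the analyst's only knob: too low and chaff survives, too high and infrequent but genuine contacts are lost.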

This is a threat to many drug supply networks that must be taken seriously. To get such results, positioning accuracy of cell phones must be pretty good. The less accurate the positioning records are, the less useful they are for network and traffic analysis. However, even with only one hundred meters of accuracy, a great deal can be learned about the suspected drug network nodes.

Protecting from geo-positioning attacks is simple. Do not carry a cell phone with you when you go to pick up drugs. Never sell drugs from a static location; this location can be quickly identified. Use different meet-up spots to do deals. Do not carry a cell phone with you when you go to make a pick up from a supplier. Do not sell from where you produce.

Routing Information

Geo-positioning is not the only way to perform network analysis on cell phone networks. A more likely area of attack is the actual communications routing. Telecommunications companies are able to see who you call and who calls you. Federal agents can get this information with no requirement for a warrant: as no communications content is observed, it does not count as a wiretap by law. It is likely that federal and intelligence agents are already carrying out this sort of attack.

When a node is compromised (a person is busted with drugs), law enforcement can gather the call records of this node. A single compromised node will not give them much information about a network. After several nodes of a drug network are busted, the attack becomes more deadly. Crowd reduction attacks can be performed on the routing data of all the busted nodes. This removes chaff, such as phone calls to family members and friends who are not involved with the drug trade, since those numbers will not have ties to many nodes of the drug network. The more nodes that are compromised, the clearer the picture of the drug network becomes to the adversary.

Stereotypical behaviors are also exhibited in drug phone calls. They tend to be short, and patterns of communication tend to fit into stereotyped frequency ranges. This information can be used to further the insight into a drug network, as well as to determine the likely roles of individual nodes. Even if phone calls are made from different locations every time, if the phone is the same the patterns can be detected.

This routing information will not be useful as evidence. There is nothing illegal about calling someone who is suspected of dealing drugs. There is a clear distinction between evidence and intelligence: intelligence leads to evidence. After a person is identified by telephone routing information as likely playing a given position in an identified drug network, physical surveillance can be done on this person. “Random” traffic stops can happen. This will likely lead to evidence.

Some groups attempt to minimize the risk of cell phone routing based traffic analysis by rotating through multiple disposable phones over a short period of time. This can be effective, but it may not be as effective as some people would like to think. The FBI has in the past identified individuals who use multiple throwaway cell phones simply by analyzing data routed to the phones of the people these individuals communicate with. If Alice has a pattern of calling Bob and Carrol, but she uses a new throwaway cell phone every week, the rotation will be of limited effectiveness: her new phone can be identified simply by monitoring the phones that route information to Bob and Carrol in the pattern known to be associated with Alice.
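The Alice, Bob and Carrol case above comes down to comparing the set of numbers a new phone reaches against the set Alice's earlier phones reached. The Python below is an added example, not code from the original post or from any agency's tooling; the call-detail records, numbers and weekly schedule are constructed. It shows why the rotation fails: the static contacts on the far end form a profile, and the only phone in a given week that is both new and reaches that same profile is, with high confidence, the replacement. It also excludes numbers that were already active alongside Alice's known phones, since a phone that existed before the rotation cannot be the new one.

```python
"""
Re-linking a rotated phone from who it calls.

Added illustration (not from the original post). Records are
(week, caller, callee) tuples standing in for call-detail records.
All numbers and the schedule are constructed.
"""
from collections import defaultdict


def build_calls():
    """Constructed four weeks of call records.

    Alice uses a fresh number A0..A3 each week but keeps calling Bob and
    Carrol; Bob and Carrol also receive calls from unrelated, stable numbers
    and from a different one-off caller each week.
    """
    calls = []
    for w in range(4):
        alice = f"A{w}"
        calls += [(w, alice, "Bob")] * 5 + [(w, alice, "Carrol")] * 3
        calls += [(w, "Mom", "Bob")] * 2          # stable unrelated caller
        calls += [(w, "Dan", "Carrol")] * 4       # stable unrelated caller
        calls += [(w, f"X{w}", "Bob")]            # one-off caller this week
    return calls


def callee_profile(calls, numbers):
    """Set of callees reached by any of `numbers` (Alice's known phones)."""
    return {callee for _, caller, callee in calls if caller in numbers}


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical contact sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_candidates(calls, known_numbers, week):
    """Rank new callers in `week` by how well their callees match the profile.

    A caller is a candidate only if it was not active in any earlier week
    (an existing phone cannot be the replacement) and is not already known.
    """
    profile = callee_profile(calls, known_numbers)
    seen_before = {caller for w, caller, _ in calls if w < week}
    per_caller = defaultdict(set)
    for w, caller, callee in calls:
        if w == week and caller not in known_numbers and caller not in seen_before:
            per_caller[caller].add(callee)
    scored = {c: jaccard(s, profile) for c, s in per_caller.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    calls = build_calls()
    known = {"A0", "A1", "A2"}          # Alice's numbers identified so far
    print("profile:", callee_profile(calls, known))
    print("week 3 candidates:", link_candidates(calls, known, 3))
```

On the constructed data, week 3 has two genuinely new callers: A3, which reaches exactly Bob and Carrol and scores 1.0, and the one-off X3, which reaches only Bob and scores 0.5. Each week's match can be folded back into the known set, so the profile keeps tracking Alice across every phone she rotates to; the weak point is not the handset but the unchanged contacts on the other end.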

The best bet to avoid cell phone routing data leading to intelligence on your drug network is to never use cell phones in conjunction with your drug network activity. Cell phones are too prone to network analysis, even if new disposable phones are used over time. The only place a disposable cell phone has in your operations is in single-time operations. A single-time operation is one where the cell phone is used for a single activity that is not part of a larger pattern of activity associated with other static nodes.
