We introduce LTrack, a new tracking attack on LTE that allows an attacker to
stealthily extract user devices’ (UEs) permanent identifiers (IMSI) and
locations. To remain stealthy, the localization of UEs in LTrack is fully
passive. It relies on our new uplink/downlink sniffer implementation, which
records both times of arrival of LTE messages and contents of Timing Advance
commands, based on which LTrack calculates UE locations. LTrack is the first to
show the feasibility of passive UE localization through an implementation on
a software-defined radio.

Passive localization attacks reveal information about a UE’s locations but
can at best link these locations to a UE’s pseudonymous temporary identifier
(TMSI), making tracking in dense areas challenging. LTrack overcomes this
challenge by introducing and implementing a new type of IMSI Catcher named IMSI
Extractor. It extracts a UE’s permanent identifier (IMSI) and binds it to its
current TMSI. Instead of relying on fake base stations like existing IMSI
Catchers (which are detectable due to their output power), IMSI Extractor
relies on our uplink/downlink sniffer enhanced with surgical message
overshadowing. This makes our IMSI Extractor the stealthiest IMSI Catcher to

We evaluate LTrack through a series of experiments and show that in
line-of-sight conditions, the attacker can estimate the location of a phone
with less than 6 m error in 90% of the cases. In addition, we successfully test
our IMSI Extractor against a set of 17 modern smartphones connected to an
industry-grade LTE testbed.

Martin Kotuliak, Simon Erni, Patrick Leu, Marc Roeschlin, Srdjan Capkun

