We introduce LTrack, a new tracking attack on LTE that allows an attacker to stealthily extract user devices' (UEs) permanent identifiers (IMSI) and locations. To remain stealthy, the localization of UEs in LTrack is fully passive. It relies on our new uplink/downlink sniffer implementation, which records both the times of arrival of LTE messages and the contents of Timing Advance commands, from which LTrack calculates UE locations. LTrack is the first to show the feasibility of passive UE localization through an implementation on a software-defined radio. Passive localization attacks reveal information about a UE's locations but can at best link these locations to the UE's pseudonymous temporary identifier (TMSI), making tracking in dense areas challenging. LTrack overcomes this challenge by introducing and implementing a new type of IMSI Catcher named IMSI Extractor. It extracts a UE's permanent identifier (IMSI) and binds it to its current TMSI. Instead of relying on fake base stations like existing IMSI Catchers (which are detectable due to their output power), IMSI Extractor relies on our uplink/downlink sniffer enhanced with surgical message overshadowing. This makes our IMSI Extractor the stealthiest IMSI Catcher to date. We evaluate LTrack through a series of experiments and show that in line-of-sight conditions, the attacker can estimate the location of a phone with less than 6 m error in 90% of the cases. In addition, we successfully test our IMSI Extractor against a set of 17 modern smartphones connected to an industry-grade LTE testbed.