Being able to track the location of your target is a valuable goal for espionage operations. Imagine the ability of a foreign country to track the exact location of their surveillance target without the need to physically monitor his movement.
When a MAP anyTimeInterrogation message is sent to the subscriber’s HLR it triggers a provideSubscriberInfo (PSI) message that is then sent to the VLR/MSC to which the subscriber is connected. This returns the cell identifier (Cell-ID) of the subscriber among other information. The attacker can use this message to acquire the cell-ID. The cell-ID can then be mapped to an actual location up to the street level using publically available mapping information.
Location Tracking – provideSubscriberInfo (PSI)
In case the ATI message has been filtered, the attacker can still send the provideSubscriberInfo message directly to the MSC/VLR that the subscriber is on. The attacker will first need to find out the IMSI and address of the MSC using a message like sendRoutingInfoForSM that returns the Global Title (GT) address of the MSC.
Location Tracking – provideSubscriberLocation
The provideSubscriberLocation (PSL) is legitimately used by the Gateway Mobile Location Center (GMLC) to provide the location of a subscriber. The MSC has no capability to authenticate a GMLC server but verifies its sender GT address.Unfortunately the attacker can still spoof the GMLC address and use it to send the PSL message.