In cellular networks, it can become necessary for authorities to physically locate user devices in order to track criminals or illegal devices. While cellular operators can provide authorities with information about the cell the device is camping on, fine-grained localization is still required. Therefore, authorized agents trace the device by monitoring its uplink signals. However, tracking the source of an uplink signal without the device's cooperation is challenging even for operators and authorities. In particular, three challenges remain for fine-grained localization: i) localization works only if devices generate enough uplink traffic reliably over time, ii) the target device might generate its uplink traffic with significantly low power, and iii) cellular repeaters may add too much noise to the true uplink signals. While these challenges present practical hurdles for localization, they have been overlooked in prior works. In this work, we investigate the impact of these real-world challenges on cellular localization and propose an Uncooperative Multiangulation Attack (UMA) that addresses these challenges. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to the maximum, and 3) uniquely distinguish traffic from the target and the repeaters. Notably, the UMA technique works without privileges on cellular operators or user devices, which allows it to operate on any LTE network. Our evaluations show that UMA effectively resolves the challenges in real-world environments when devices are not cooperative for localization. Our approach exploits vulnerabilities in the current cellular design, which we have responsibly disclosed to GSMA.