In cellular networks, it can become necessary for authorities to physically locate user devices in order to track criminals or illegal devices. While cellular operators can provide authorities with information about the cell the device is camping on, fine-grained localization is still required. Therefore, authorized agents trace the device by monitoring its uplink signals. However, tracking the uplink signal source without its cooperation is challenging even for operators and authorities. In particular, three challenges remain for fine-grained localization: i) localization works only if devices generate enough uplink traffic reliably over time, ii) the target device might generate its uplink traffic with significantly low power, and iii) cellular repeaters may add too much noise to the true uplink signals. While these challenges present practical hurdles for localization, they have been overlooked in prior work. In this work, we investigate the impact of these real-world challenges on cellular localization and propose an Uncooperative Multiangulation Attack (UMA) that addresses them. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to the maximum, and 3) uniquely distinguish traffic from the target and from the repeaters. Notably, the UMA technique works without privileges on cellular operators or user devices, which allows it to operate on any LTE network. Our evaluations show that UMA effectively resolves the challenges in real-world environments when devices are not cooperative for localization. Our approach exploits vulnerabilities in the current cellular design, which we have responsibly disclosed to GSMA.