Criminal IMSI catchers are pretty much dead, but with the aid of carriers law enforcement can still use similar technology even with full standalone 5G networks. I don't know how often unauthorized IMSI catchers are used in the wild, but I doubt it's a relevant percentage of the total amount of IMSI catchers out there.
Thanks to mmWave and beam forming, 5G allows operators to practically track you down to the exact centimeter in 3D space. Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
Basically, who needs IMSI catchers when you can just see all of the information you'd get from them remotely on a computer screen on the other side of the country?
Of course this is great to protect against criminals that are looking to find your personal phone number or whatever by showing up to your doorstep, but for the vast majority of cases, IMSI catchers are defeated because they're no longer necessary.
5G beamforming is not that accurate a proxy signal, and mmWave is phone vaporware, instead only significantly used for point-to-point connections. Line-of-sight requirements make it dead in the water for anything else.
"5G UW" is good service, but it's not usually mmWave. It's primarily mid-band stuff, usually Band n77 (3.7 GHz C-Band).
It's usually good, but that's primarily because Verizon is doing a good-ish job (in Michigan, at least) of deploying it densely in smaller neighborhood/urban cell sites (2x to 3x site density over traditional PCS-spaced cell towers). It's basically Verizon's version of what Clear was supposed to be doing with WiMAX.
Notably, C-Band is not mmWave. mmWave bands start at like 24.2 GHz+, way way higher up the spectrum band.
If your phone reads "5G UW", there's like a 95% chance you aren't on mmWave, you are on n77 / C-Band / 'mid-band'.
I regularly see it in Atlanta in the big tech business areas (Buckhead, Midtown, etc) but it is hilariously bad.
Whenever I notice my cellular data has regressed to 3G speeds and reliability, I look up at the network status and see “5G UW”.
I don’t know if they deployed it without enough bandwidth on the trunk to handle all of the users or something else but I generally have to toggle airplane mode to drop back into 5G or LTE to get off of it.
"5G UW" is marketing bullshit by Verizon that they force cellphone makers to display. Basically it originally meant "mmWave" but was later revised to "mmWave or mid-band". You are probably seeing the mid-band due to the limitations of mmWave.
What about convention centers, subway platforms, and other places where you have a lot of people packed together outside the reach of exterior towers? They stick microcells on the ceilings of these — wouldn't it make sense for those to be mmWave?
Not really, because many cheaper phones don't have mmWave antennas. Nor do some international iPhones.
Aside from that, mmWave's biggest application is high-speed connections, not necessarily large client capacity per cell (although there is correlation). For subways I'd probably want the lowest band 4G or 5G cells for maximum penetration.
Convention centers are not really a good application for micro cells, as you have ample time to do a professional WiFi setup. Something like 5000 people should be serviceable by a 10Gb/s backhaul.
I could see stadiums being a good application for mmWave. Scant few foreigners visit American sports games, media wants/needs lot of backhaul, peaks of 30 000 visitors is definitely very hard to manage with WiFi.
mmWave in American cities is a horrible application though. Americans love building vertically, which greatly hampers mmWave viability.
Nokia is also currently rolling out Europe’s first 5G standalone mmWave Radio Access Network in Italy. More to the point though, it could be integral in how we deal with NTN - particularly LEO D2C provisioning
It never worked unless you were walking on the street. Expensive too, I heard $20 per antenna. Millimeter is good for fixed antennas and delivering last-mile internet to homes. Verizon bought into millimeter while T-Mobile focused on mid bands, which is why T-Mobile is faster on average than Verizon. People use their phones indoors.
Stadiums are pretty much the only place where mmWave in phones makes sense. For the other 99.99% of usage, it's an expensive power-hungry extra radio that doesn't work. mmWave 5G is mostly a sunk cost for Verizon, and largely irrelevant to everyone else.
>it's an expensive power-hungry extra radio that doesn't work
Yes, it requires more power.
You have to consider power and the time the radio needs to be on to accomplish the task.
If using mmWave you can transfer data at 2,000 Mbps and using midband you achieve 500 Mbps, the baseband will be on for 4x the time with midband, and it will need to use less than 1/4 the power of mmWave to break even.
Midband does not require 1/4 the power of mmWave. Closer to 1/2.
On 11/27/22 at 5:13pm I was in the St. Louis airport and ran a speed test on my iPhone 12 Pro Max. I was probably one of the first non-diagnostic users of their mmWave infrastructure and I must have been the only user at the time because I achieved a damn-near-practical-maximum of 3938 Mbps down. The only reason I ran the speed test at all was that a notoriously sluggish web application I was using was performing spectacularly.
Since then I have been running speed tests at concerts, sporting events, traffic jams, airports, shopping centers, and the Renaissance Faire. All locations where, prior to 5G, cellular coverage was useless.
On 10/13/24 at 1:14pm I was in a crowded terminal at Chicago O'Hare and ran a speed test on an iPhone 15 Pro Max. Connected via mmWave I achieved 1869 Mbps down.
> Stadiums are pretty much the only place where mmWave in phones makes sense.
And Airports, and Parks, and Amphitheaters, and Malls, and Theme Parks...
mmWave isn't a general solution, sure. But mmWave is great for anywhere crowded enough to benefit from a DAS setup, and there are a lot of DAS setups around.
In any case it was a much better solution than band 46 license assisted access LTE-A/NR-U, which used unlicensed 5 GHz spectrum shared with Wi-Fi. If we want to talk about vaporware/abandoned stuff, this was among the most controversial and least deployed solutions to those areas before mmWave became a thing.
Neither did LTE (or VoLTE) work well at the start.
WiMAX didn't get the funding and backing primarily because it didn't integrate well with existing systems. Hilariously it fit the criteria as 4G before LTE did. I guess there was a strong vendor push to include LTE into 4G.
I had one of the few laptop models with WiMAX built-in, and I tried it several times. The only time it worked was on the Brighton Beach boardwalk, surprising me completely. But even then, the connection speed was lower than of my 3G USB modem.
They did - it was an atypically awful engineering decision that caused them to bungle their 5G rollout and cede market share to TMobile.
It only makes sense as a cable TV displacement that’s easier to deploy (and cuts out their unions) in cities. But to my knowledge, they haven’t done that. They dropped hundreds of poles in my city that aren’t even active.
> Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
It should be feasible for an operator to issue a command to the (e)UICC (SIM) in the phone to fetch the current location from the modem and send it back via SMS. At least this was the case for a relatively long time.
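The (e)UICC-to-handset exchange described in the comment above is a SIM Toolkit proactive command, PROVIDE LOCAL INFORMATION, whose answer comes back in a TERMINAL RESPONSE. Below is an added example, not code from the thread, that builds that command and decodes the response, including the nibble-swapped MCC/MNC layout. The tag and command values are those of ETSI TS 102 223 / 3GPP TS 31.111 as the example assumes them; the byte strings are constructed by hand, not captured from a real device.

```python
"""Decode a SIM Toolkit PROVIDE LOCAL INFORMATION exchange (ETSI TS 102 223 / 3GPP TS 31.111).

Added example, not code from the thread.  The byte strings below are
constructed by hand to illustrate the TLV layout and were not captured from a
real handset.  Tags follow the COMPREHENSION-TLV coding of TS 102 223, where
bit 0x80 of a tag is the "comprehension required" flag.
"""

TAG_COMMAND_DETAILS = 0x01
TAG_DEVICE_IDENTITIES = 0x02
TAG_RESULT = 0x03
TAG_LOCATION_INFO = 0x13
TAG_PROACTIVE_COMMAND = 0xD0        # BER-TLV shell around a proactive command
CMD_PROVIDE_LOCAL_INFO = 0x26       # type of command; qualifier 0x00 = location information
CMD_SEND_SHORT_MESSAGE = 0x13       # what a SIM could use to ship the answer out over SMS
DEV_UICC, DEV_TERMINAL = 0x81, 0x82
RESULT_OK = 0x00


def parse_tlvs(data: bytes):
    """Parse a flat run of COMPREHENSION-TLVs into [(tag, value)].

    The comprehension-required bit is stripped so callers compare against the
    base tags above.  Lengths use BER short form (< 0x80) or the one-byte long
    form (0x81 nn); anything longer is rejected rather than guessed at.
    """
    out, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("dangling tag byte at offset %d" % i)
        tag = data[i] & 0x7F
        length = data[i + 1]
        i += 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length >= 0x80:
            raise ValueError("unsupported length form before offset %d" % i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV with tag 0x%02X" % tag)
        out.append((tag, value))
        i += length
    return out


def unwrap_proactive_command(data: bytes):
    """Strip the 0xD0 shell the UICC hands over on FETCH and parse its body."""
    if len(data) < 2 or data[0] != TAG_PROACTIVE_COMMAND or data[1] != len(data) - 2:
        raise ValueError("not a well-formed proactive command")
    return parse_tlvs(data[2:])


def decode_plmn(b: bytes):
    """Decode 3 bytes of MCC/MNC in the nibble-swapped layout of 3GPP TS 24.008."""
    mcc = "%d%d%d" % (b[0] & 0xF, b[0] >> 4, b[1] & 0xF)
    mnc3 = b[1] >> 4                       # 0xF marks a two-digit MNC
    mnc = "%d%d" % (b[2] & 0xF, b[2] >> 4)
    if mnc3 != 0xF:
        mnc += "%d" % mnc3
    return mcc, mnc


def decode_location_info(v: bytes):
    """Location Information body: MCC/MNC, LAC/TAC, then a 16-bit (GSM, 7 bytes
    total) or 32-bit (UTRAN/E-UTRAN, 9 bytes total) cell identity."""
    if len(v) not in (7, 9):
        raise ValueError("unexpected location info length %d" % len(v))
    mcc, mnc = decode_plmn(v[:3])
    return {"mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(v[3:5], "big"),
            "cell_id": int.from_bytes(v[5:], "big")}


def build_provide_local_info(command_number: int = 1) -> bytes:
    """Proactive command asking the terminal for its current location (qualifier 0x00)."""
    body = bytes([TAG_COMMAND_DETAILS | 0x80, 3, command_number, CMD_PROVIDE_LOCAL_INFO, 0x00,
                  TAG_DEVICE_IDENTITIES | 0x80, 2, DEV_UICC, DEV_TERMINAL])
    return bytes([TAG_PROACTIVE_COMMAND, len(body)]) + body


def decode_terminal_response(data: bytes):
    """Parse the TERMINAL RESPONSE payload the handset returns for that command."""
    fields = dict(parse_tlvs(data))
    details = fields[TAG_COMMAND_DETAILS]
    if details[1] != CMD_PROVIDE_LOCAL_INFO:
        raise ValueError("not a PROVIDE LOCAL INFORMATION response")
    out = {"command_number": details[0], "general_result": fields[TAG_RESULT][0]}
    if TAG_LOCATION_INFO in fields:
        out["location"] = decode_location_info(fields[TAG_LOCATION_INFO])
    return out


# Constructed response: command details, device identities (terminal -> UICC),
# result 0x00 "performed successfully", and a 7-byte GSM-style location for
# PLMN 310/260, LAC 0x1A2B, cell 0x001F.
SAMPLE_TERMINAL_RESPONSE = bytes.fromhex(
    "81 03 01 26 00  82 02 82 81  83 01 00  93 07 13 00 62 1A 2B 00 1F"
)

if __name__ == "__main__":
    print("FETCH ->", build_provide_local_info().hex())
    print("TERMINAL RESPONSE ->", decode_terminal_response(SAMPLE_TERMINAL_RESPONSE))
```

Nothing here involves GPS: what the SIM gets back is the serving cell (PLMN, LAC/TAC, cell ID), which the carrier can already see from its own side; the SMS step in the comment above is how a SIM applet would carry it back when triggered by an OTA message, and whether a given baseband answers such a request at all is exactly the question raised further down the thread.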
Not that it _really_ matters because most people willfully give away their location information to Google anyways. There's a reason why Google has the best Wi-Fi AP -> Location database that they provide commercially. Send them a list of Wi-Fi BSSIDs and their associated RSSIs and you'll get a fairly accurate location.
In comparison, using Cell IDs for geolocation is finicky. In dense urban environments, you're likely looking at ~500 m radius of accuracy - at least based on the commercially available options.
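To make the contrast in the comment above concrete (BSSID+RSSI lists versus cell IDs), here is an added example, not code from the thread or from any commercial service, of the positioning step such a lookup performs once it has an AP database: a weighted centroid over known access points, with a cell-ID lookup as the coarse fallback. AP_DB, CELL_DB, the scan and the path-loss constants are all constructed for illustration.

```python
"""Wi-Fi BSSID/RSSI positioning against a local AP database, with a cell-ID fallback.

Added example, not code from the thread.  AP_DB and CELL_DB are constructed
for illustration (a few records near one city block); the path-loss constants
are assumptions and would be fitted per environment in practice.
"""
import math

# Constructed: BSSID -> (lat, lon) of the access point.
AP_DB = {
    "00:11:22:33:44:01": (40.74800, -73.98600),
    "00:11:22:33:44:02": (40.74820, -73.98600),
    "00:11:22:33:44:03": (40.74800, -73.98550),
    "00:11:22:33:44:04": (40.74900, -73.98700),
}

# Constructed: (mcc, mnc, lac, cell_id) -> (lat, lon, radius_m).  A cell-ID
# lookup yields a coverage disc, not a point, hence the ~500 m radius.
CELL_DB = {
    (310, 260, 0x1A2B, 0x001F): (40.74850, -73.98650, 500.0),
}


def is_locally_administered(bssid: str) -> bool:
    """Randomized / locally administered MACs (bit 0x02 of the first octet)
    never resolve in a BSSID database; skip them rather than let them pull the fix."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def rssi_to_distance_m(rssi_dbm: float, p_1m_dbm: float = -40.0, n: float = 3.0) -> float:
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 n)).
    P_1m (signal at 1 m) and n (environment exponent) are assumed constants."""
    return 10 ** ((p_1m_dbm - rssi_dbm) / (10 * n))


def haversine_m(p, q) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def locate_wifi(observations):
    """observations: [(bssid, rssi_dbm)] -> (lat, lon, uncertainty_m) or None.

    Weighted centroid: each known AP pulls the estimate with weight 1/d^2, so
    the strongest (closest-looking) AP dominates.  The uncertainty is the
    weighted RMS of the modelled distances, a rough radius rather than a
    confidence interval.
    """
    pts = []
    for bssid, rssi in observations:
        if is_locally_administered(bssid) or bssid not in AP_DB:
            continue
        d = rssi_to_distance_m(rssi)
        pts.append((AP_DB[bssid], d, 1.0 / max(d, 1.0) ** 2))
    if not pts:
        return None
    wsum = sum(w for _, _, w in pts)
    lat = sum(p[0] * w for p, _, w in pts) / wsum
    lon = sum(p[1] * w for p, _, w in pts) / wsum
    unc = math.sqrt(sum(w * d * d for _, d, w in pts) / wsum)
    return lat, lon, unc


def locate_cell(mcc, mnc, lac, cell_id):
    """Cell-ID lookup: the tower's (lat, lon, radius_m) or None if unknown."""
    return CELL_DB.get((mcc, mnc, lac, cell_id))


def locate(observations, cell=None):
    """Prefer the Wi-Fi fix; fall back to the coarse cell disc."""
    fix = locate_wifi(observations)
    if fix is None and cell is not None:
        fix = locate_cell(*cell)
    return fix


# Constructed scan: strong signal from AP ..01, weaker from ..02 and ..03,
# one randomized MAC and one BSSID that is not in the database.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", -45),
    ("00:11:22:33:44:02", -65),
    ("00:11:22:33:44:03", -65),
    ("02:de:ad:be:ef:01", -40),   # locally administered: ignored
    ("a4:5e:60:dd:ee:ff", -50),   # unknown BSSID: ignored
]

if __name__ == "__main__":
    print("wifi fix:", locate(SAMPLE_SCAN))
    print("cell fallback:", locate([], cell=(310, 260, 0x1A2B, 0x001F)))
```

With the constructed scan the Wi-Fi fix lands within a couple of metres of the strongest AP, while the cell fallback can only return the tower's 500 m disc; that gap is the whole reason a BSSID database is worth so much more than cell IDs.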
The reason Google has the best Wi-Fi AP location database is because they knowingly violated wiretapping laws, when they rolled out Streetview, and they were only fined a cool 13 million for it.
They were ordered to destroy any data related to the collection from Streetview, and they did it seems, but they may not have deleted any of the data that had already been copied/integrated to other separate services like GiS, where they may have simply just moved that wiretapping to the edge devices to facilitate geo-location similar to how Apple uses Wi-Fi points as landmarks as a plausible (we aren't wiretapping), while still physically mapping based on radio signal, and also indirectly on calls through AI.
The only learned lesson they had seemed to be that you don't make a public-facing API that allows searches of locations based on BSSID, or MAC address to the general public (which is what they had for Streetview).
They have a geolocation API that allows searches of locations based on BSSIDs and RSSIs and cell towers. It is "public" but you need to pay <y> $ per <x> requests.
> depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware
Do you know if (at least some) basebands actually limit network-side location requests to emergency call/text situations only?
All I know is that some don't. I don't know brands or if there are even common modems that are filtering for this.
If you don't have a Faraday cage and cell site equipment, you're going to have a hard time verifying any of this. The modem is closed source, the SIM card is closed source, and various firmware blobs to make phones work are all closed source. I believe Qualcomm has debug interfaces on some chipsets, which might catch these messages, but verifying that they catch all use cases is impossible unless you have knowledge of the actual mechanism used (or usable) to activate the modem.
This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones), but it only takes a small group of Linux enthusiasts to actually catch the phone network in the act.
Of course, the trouble is that you'll need to be the target of government surveillance to be even at risk of any of this. If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you, and whatever criminal enterprise hacked its way into the carrier network won't either. If you are being tracked by either of those, I think developing open source modem firmware is probably the least of your concerns.
I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
It's all rather pointless anyway when 5G and to an extent 4G can geolocate you about as well as GPS can, barring reflections and such.
> If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you
If there's one thing we know for certain about the US and domestic spying it's that they're targeting literally everyone. They were caught copying all internet traffic going over the AT&T backbone in the early 2000s and decades later Snowden showed us they never stopped pointing their secret spying equipment at us. The best you can hope for is that if you don't become an activist or commit enough crimes they won't pay much attention to the massive and ever-growing troves of data they have on you personally.
Agreed – it's not really a personal concern I have (I have no illusions about the chances that none of the apps I grant location access to are selling it to the highest bidder), but I'm still curious. I can also imagine some legitimate use cases, such as pinging the location of somebody that had an accident and is possibly unable to call 911 themselves.
And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
> And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.
They are technical standards designed to ensure interoperability (though not always successfully — cough VoLTE cough) rather than exhaustive guides on how to implement features. They have been developed over a long period of time and have become quite complicated to read, especially if you are not familiar with the specific nomenclature. However, with enough time and willpower you can make sense of them quite quickly.
PS. The software behind these standards is probably the most complex we have in the world. At least I am not aware of anything else that is as complicated.
> This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones) [...]
This is very unlikely to happen, primarily because certifying these modems is extremely expensive. I doubt any commercial vendor (e.g., a phone manufacturer) would commit the necessary resources to support them. Modern modems are also highly complex; they not only support various radio technologies but also incorporate numerous offloading mechanisms and a range of proprietary communication methods with telecom operators (e.g., VoLTE). Furthermore, the firmware must be carefully optimized for the hardware, so unless you have access to the complete package, this will likely remain confined to amateur circles.
> I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
The standard is written to accommodate the most prevalent use cases. Given the ongoing efforts to improve security and address known vulnerabilities, I highly doubt it was written with bad intentions. However, that does not mean they will catch everything, nor does it guarantee that they will always prioritize stronger security over better usability - whether for network operators or end users.
Also worth noting that if the carrier is cooperating then you can do better than static snapshots. Tracking signal strength of a target moving between towers will give you quite a precise historic path (within a few seconds or minutes depending on velocity).
Is this a US-centric view? Presumably crossing national borders, as noted in the article, it would be more effective to catch IMSIs. When there are lots of countries clustered together in a smaller geographical space, ie, not the USA, it might be relevant.
It's common to discover IMSI-catchers in national capitals around the world. There are many interesting targets.
Washington, D.C. mobile traffic is probably the most spied on in the world. Especially now when it's run by technological cavemen and overly confident techbros. Israelis, Russians, Chinese, French and everyone.
Back in the mid-80s, it was an open secret that some AMPS transmissions could be received on ordinary TV tuners which were capable up to Channel 83 or so.
My father being a DXer and installer of a home-built Yagi and rotator system, I discovered this fairly easily. All he told me was to just guard the privacy of these people I was snooping on, because they were supposed to be private conversations after all. I never heard anything of substance anyway. It was one of the more boring surveillance activities of my misspent youth.
The Soviet/Russian station in San Francisco was heavily involved in SIGINT back in the days of microwave radio trunks and analog mobile phones, and I would imagine the Chinese have taken the throne from them today.
To see news related to them, search "Fake Base Stations" or "SMS Blaster", as this is how they're commonly referred to in the media now.
Other notable highlights from the last few years include: the news from Paris a few years ago where police detonated a car with an IMSI catcher in it because they thought it was a bomb, but actually the driver was being paid to send out SMS spam via 2G downgrade attacks: https://commsrisk.com/paris-imsi-catcher-mistaken-for-bomb-w.... Also the attempt to disrupt the federal elections in the Philippines using a kind of "SMS blaster" that takes advantage of unauthenticated emergency alert messages, so a step beyond the "classic" IMSI catching attack that we haven't seen used in the wild before.
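The two cases above share a signature on the handset side: an unexplained drop from LTE to 2G onto a loud cell nobody has seen before, followed (in the SMS blaster variant) by messages or unauthenticated alerts pushed through that cell. As an added example, not code from the thread or from any of the incident reports, here is that logic run over a constructed serving-cell log. The log format, the baseline survey, every sample line and the thresholds are assumptions; real baseband diagnostics differ by vendor.

```python
"""Heuristics for spotting a fake base station / SMS blaster in a serving-cell log.

Added example, not code from the thread or from any of the reports it cites.
The log format (one "ts key=value ..." line per modem event) and every line in
SAMPLE_LOG are constructed for illustration; real baseband/diag output differs
by vendor.  The thresholds are assumptions to be tuned per device and area.
"""
import re

DOWNGRADE_FROM = {"LTE", "NR"}
GOOD_SIGNAL_DBM = -100         # previous LTE/NR signal above this: no coverage reason to fall to 2G
SUSPICIOUSLY_STRONG_DBM = -60  # a never-seen cell this loud is either very close or fake
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """'<ts> k=v k="quoted v" ...' -> dict with the timestamp under "ts"."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def cell_key(rec: dict):
    """Identify a cell by (MCC, MNC, LAC/TAC, cell id); area and cid are hex in the log."""
    return (int(rec["mcc"]), int(rec["mnc"]), int(rec["area"], 16), int(rec["cid"], 16))


def analyze(log_text: str, baseline: set):
    """Return [(ts, rule, cell)] findings.

    Rules, applied per line:
      unexplained_2g_downgrade  serving cell moved LTE/NR -> GSM while the LTE/NR
                                signal was still good (the classic catcher pattern)
      unknown_cell[_strong]     serving cell absent from the area's baseline survey;
                                "_strong" when it is also implausibly loud
      alert_from_suspect_cell   a cell-broadcast / emergency alert arrived via a
                                cell already flagged above (PWS/CMAS broadcasts
                                carry no authentication, so a fake cell can push them)
    A cell is "suspect" only after it trips a rule in this run.  A baseline that
    does not cover the area the phone is actually in will produce false positives,
    so unknown_cell on its own is a weak signal; the combinations are what matter.
    """
    findings, suspect, prev = [], set(), None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = cell_key(rec)
        if rec["event"] == "serving":
            sig = int(rec["sig"])
            if (prev is not None and prev["rat"] in DOWNGRADE_FROM and rec["rat"] == "GSM"
                    and int(prev["sig"]) > GOOD_SIGNAL_DBM):
                findings.append((rec["ts"], "unexplained_2g_downgrade", key))
                suspect.add(key)
            if key not in baseline:
                rule = "unknown_cell_strong" if sig > SUSPICIOUSLY_STRONG_DBM else "unknown_cell"
                findings.append((rec["ts"], rule, key))
                if rule == "unknown_cell_strong":
                    suspect.add(key)
            prev = rec
        elif rec["event"] == "cb_alert" and key in suspect:
            findings.append((rec["ts"], "alert_from_suspect_cell", key))
    return findings


# Constructed baseline: cells seen during a known-good survey of the same area.
BASELINE = {
    (310, 260, 0x1A2B, 0xA1F01),
    (310, 260, 0x1A2B, 0xA1F02),
}

# Constructed log: healthy LTE, then a sudden drop to a loud, never-seen GSM cell
# in a different LAC, an alert delivered by that cell (msg_id 4370 is the CMAS
# presidential-level identifier), then LTE returns once the phone moves on.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z event=serving rat=LTE mcc=310 mnc=260 area=0x1A2B cid=0x00A1F01 sig=-84
2024-05-01T10:00:10Z event=serving rat=LTE mcc=310 mnc=260 area=0x1A2B cid=0x00A1F02 sig=-88
2024-05-01T10:00:20Z event=serving rat=GSM mcc=310 mnc=260 area=0x7F01 cid=0x0F0F sig=-51
2024-05-01T10:00:25Z event=cb_alert mcc=310 mnc=260 area=0x7F01 cid=0x0F0F msg_id=4370 text="Your account is locked, visit http://example.invalid"
2024-05-01T10:00:40Z event=serving rat=LTE mcc=310 mnc=260 area=0x1A2B cid=0x00A1F01 sig=-86
"""

if __name__ == "__main__":
    for ts, rule, cell in analyze(SAMPLE_LOG, BASELINE):
        print(ts, rule, "mcc=%d mnc=%d area=0x%X cid=0x%X" % cell)
```

The point of keeping the rules separate is triage: a lone unknown cell is what every road trip looks like, whereas a 2G downgrade with good LTE signal onto an unknown, very loud cell that then pushes an alert is the pattern in both incidents above and is worth flagging even from a phone with no special hardware.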