A flaw in the 3G protocol logic that mobile phones and other 3G-enabled devices must follow means that a third party could track a device at any time, according to security researchers.
Researchers from the University of Birmingham, later joined by a team from the Technical University of Berlin, said that standard off-the-shelf equipment, such as femtocells, could be used to exploit the flaw and reveal the physical location of devices.
Any device would be vulnerable, they said, as the problems are hard-wired into the design of the 3G system itself.
"The attacker does not need to know any keys, nor perform any cryptographic operation... [These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic," the researchers wrote in the paper (PDF).
The protocol logic is the set of rules, fixed by the 3G standard, that govern how a device and the network exchange requests and respond to them. Because every device and every network implements the same rules, the problem lies not with one particular network or device, but with the standards that 3G is based upon.
The 3G standard specifies that it should provide user identity confidentiality, preventing the user's permanent identity (the International Mobile Subscriber Identity, or IMSI) from being revealed.
To hide the real identity on the network, devices are assigned temporary identities (Temporary Mobile Subscriber Identity, TMSI), which are regularly updated. 3G networks should also make it impossible for a user to be traced, even by an intruder eavesdropping on the radio link.
However, the researchers found that both of these requirements, which earlier work had already shown to be weak, can be circumvented relatively easily.
The researchers say that by spoofing an IMSI paging request, an individual device can be pinpointed. A paging request is how a mobile network locates a device in order to deliver service to it. It normally addresses the device by its TMSI, but when no temporary identity is available the standard also allows the network to page by the permanent IMSI, and nothing stops an attacker's own base station from doing the same.
"The possibility of triggering a paging request for a specific IMSI allows an attacker to check a specific area for the presence of mobile stations of whom he knows the identity, and to correlate their IMSI and TMSI," the researchers say.
Another vulnerability, the researchers said, lies in the Authentication and Key Agreement (AKA) protocol, which a device and the network use to authenticate each other and to establish shared session keys.
The attacker does not learn the subscriber's secret long-term key (K_IMSI), which is shared only between the USIM and the home network and is never sent over the air. Instead, the attacker sniffs a genuine authentication request sent to the target (a random challenge and an authentication token whose MAC is computed under K_IMSI together with a fresh sequence number) and later replays it to every device in an area. Every device rejects the replay, but not in the same way: a device whose key does not match reports a MAC failure, while the target, whose key verifies the MAC, reports a synchronisation failure because the sequence number has already been used. That difference in error messages singles out the target, and again it can be used to track location.
"The captured authentication request can now be replayed by the adversary each time he wants to check the presence of [the device] in a particular area. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the one the authentication request was originally sent to," the researchers wrote.
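To make the error-message oracle concrete, here is a constructed Python model of the AKA exchange. It is an added example, not code from the researchers or from any 3G implementation: the Milenage MAC function f1 is replaced by HMAC-SHA256 truncated to 64 bits, the AMF field and the anonymity key AK are omitted, the IMSIs and keys are made up, and the names USIM, network_challenge, locate_target and the SQN_WINDOW value are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed model of the 3G AKA error oracle (added example, not the paper's code).
# Assumptions: f1 is HMAC-SHA256 truncated to 64 bits (real USIMs use Milenage),
# AMF and the anonymity key AK are omitted, and SQN_WINDOW is illustrative.

MAC_FAILURE = "MAC failure"     # XMAC != MAC: the challenge was not built under this USIM's key
SYNC_FAILURE = "Synch failure"  # MAC verified but SQN is stale: built under this key, then replayed
SUCCESS = "RES"                 # authentication response; session keys would be derived here

SQN_WINDOW = 32  # USIM accepts an SQN only if it is above the stored one and not too far ahead


def f1(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the Milenage MAC function f1 (assumption: HMAC-SHA256/64)."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


@dataclass
class USIM:
    imsi: str
    k: bytes      # long-term key K_IMSI: shared only with the home network, never sent over the air
    sqn: int = 0  # highest sequence number accepted so far

    def authenticate(self, rand: bytes, autn: tuple) -> str:
        """USIM side of AKA: verify the MAC first, then check SQN freshness (the 3GPP order)."""
        sqn, mac = autn
        if not hmac.compare_digest(f1(self.k, rand, sqn), mac):
            return MAC_FAILURE
        if sqn <= self.sqn or sqn > self.sqn + SQN_WINDOW:
            return SYNC_FAILURE
        self.sqn = sqn
        return SUCCESS


def network_challenge(k: bytes, sqn: int) -> tuple:
    """Home network side: build (RAND, AUTN) for the subscriber holding key k."""
    rand = os.urandom(16)
    return rand, (sqn, f1(k, rand, sqn))


def locate_target(captured: tuple, phones: list) -> list:
    """Attacker: replay a sniffed (RAND, AUTN) to every phone in the cell.
    No key is needed: the target answers with a sync failure, every other
    phone answers with a MAC failure, so the error codes alone identify it."""
    rand, autn = captured
    return [p.imsi for p in phones if p.authenticate(rand, autn) == SYNC_FAILURE]


def demo() -> tuple:
    """Run the attack end to end; returns (IMSIs located, the true target's IMSI)."""
    # Constructed subscribers with made-up IMSIs and random keys.
    phones = [USIM(f"23415000000000{i}", os.urandom(16)) for i in range(5)]
    target = phones[2]
    # 1. The attacker sniffs a genuine challenge the network sends to the target;
    #    the target accepts it, which consumes that sequence number.
    captured = network_challenge(target.k, target.sqn + 1)
    assert target.authenticate(*captured) == SUCCESS
    # 2. Later the attacker replays the same challenge to everyone in range.
    return locate_target(captured, phones), target.imsi


if __name__ == "__main__":
    found, imsi = demo()
    print(f"located {found}, target was {imsi}")
```

In this model the leak is entirely in the two distinguishable error messages; the key is never touched. The real protocol cannot simply collapse the two codes into one, because the synchronisation failure carries the resynchronisation token (AUTS) that the network needs to bring the USIM's sequence number back in step, which is why removing the oracle takes more than a change to the error messages.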
The researchers tested the attacks against a range of networks (Vodafone, SFR, O2 and T-Mobile), but said they would work on any network that implements the 3GPP industry body's "widely deployed" 3G protocol.
Exploiting either vulnerability requires only some off-the-shelf equipment, such as a femtocell (which may need to be rooted so that it runs attacker-controlled software), and some technical knowledge. It is not inconceivable that tools automating the process could appear in the future, making it possible for almost anyone to track your whereabouts.
However, the researchers said there are ways to mitigate both attacks, based on symmetric and public-key cryptography.