
Comment: Re: Not a problem (Score 3, Interesting) 64

by jquirke (#39097769) Attached to: Leaky Cellphone Nets Can Give Attackers Your Location

Further to this, here is an example of some paging traffic I captured over a live UMTS network (Telstra NextG, in Australia), using nothing more than a USRP with 900MHz daughterboard, and some custom Matlab code. The message has been unpacked from ASN.1 format to XML, but it clearly shows IMSI and TMSI in plaintext.

File is here.

This shows the flaw is definitely not GSM only.

Comment: Re: Not a problem (Score 4, Informative) 64

by jquirke (#39097755) Attached to: Leaky Cellphone Nets Can Give Attackers Your Location

The concepts here are not necessarily specific to the GSM Um link. The same concepts used by the authors equally apply for UMTS and LTE, and most other cellular systems.

ALL of those systems page out phones based on some temporary (but plaintext) identifier when an incoming call needs to be routed and there is no active RRC (radio) connection. All of those systems try to mitigate this exact problem by using a temporary ID (the TMSI), rather than the permanent ID (the IMSI). The TMSI is re-allocated over a ciphered connection.

The TMSI rotation policy is up to the operator. It can in theory be rotated each connection, but few operators do this - too much signalling load on the core network. Most operators will hold the TMSI until the next periodic (i.e. after a certain number of hours - operator defined), or aperiodic (when the phone moves into a different paging domain [location area]), or when the phone is power cycled (which implicitly does a type of location update anyway).

One solution for future versions of the standard might be to encrypt the paging message (along with a random nonce to give uniqueness to each paging message) with the last known ciphering key, but this may not be known by the network entities in the new location areas.
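The mitigation proposed in the comment above, sketched as an added example (not part of the original comment and not taken from any cellular specification). It assumes HMAC-SHA256 as a stand-in keyed function instead of a real cellular cipher; the key, TMSI, field lengths and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 8  # assumed nonce size for this sketch
TAG_LEN = 8    # assumed truncated tag size for this sketch


def make_page(key: bytes, tmsi: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Network side: emit nonce + keyed tag instead of the bare TMSI."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    tag = hmac.new(key, nonce + tmsi, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag


def page_is_for_me(key: bytes, tmsi: bytes, page: bytes) -> bool:
    """Phone side: recompute the tag with the stored key and compare."""
    nonce, tag = page[:NONCE_LEN], page[NONCE_LEN:]
    expected = hmac.new(key, nonce + tmsi, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    tmsi = bytes.fromhex("c0ffee01")                         # constructed TMSI
    stale_key = bytes(16)  # what an entity without the last key would use

    plaintext_pages = [tmsi, tmsi]                 # today's paging identifier
    protected_pages = [make_page(key, tmsi), make_page(key, tmsi)]
    return {
        # Two plaintext pages for one phone are byte-identical, so linkable.
        "plaintext_linkable": plaintext_pages[0] == plaintext_pages[1],
        # The nonce makes every protected page unique on the air.
        "protected_linkable": protected_pages[0] == protected_pages[1],
        # The paged phone still recognises both pages.
        "phone_accepts": all(page_is_for_me(key, tmsi, p)
                             for p in protected_pages),
        # The caveat from the comment: a network entity that does not
        # hold the last ciphering key cannot build a page the phone accepts.
        "page_from_entity_without_key": page_is_for_me(
            key, tmsi, make_page(stale_key, tmsi)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this sketch every idle phone has to compute one keyed hash per received page, which is the price of removing the stable identifier from the paging channel.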

Comment: Re:It's all the customers' fault... (Score 2) 403

by jquirke (#39054393) Attached to: AT&T On Data Throttling: Blame Yourselves

I don't know how this myth keeps getting propagated. It is absolutely not true, for both the GSM and UMTS systems.

You don't need to have a background in cellular engineering to understand that if you want to use a service in near real-time (i.e. SMS), it is going to have to consume resources then and now.

Your phone is not using control channels constantly. This is for good reason - the control channels are extremely limited in capacity, and using them frequently would consume your battery as well.

Your phone is only using control channels typically when moving between cells or location areas. You can easily see this on GSM phones if you have an old radio nearby; you will know when the phone is transmitting and it most certainly isn't often.

So if you want to write an SMS, and send it now, a radio connection must be established. In GSM, this requires an SDCCH (Standalone dedicated control channel). This is a finite network resource (even if you are using it for 5 seconds or so, it is still a finite resource). In most cells, only a static reservation of 8 SDCCHes exists. Also, setting up this SDCCH involves other temporary channels - it occupies capacity on the AGCH (access grant channel) and RACH (random access channel - to establish the request in the first place). If it is an incoming SMS, it additionally requires capacity on the PCH (paging channel). All of these latter channels have particularly finite resources.

In UMTS ("3G"), the scenario is similar. SMS is typically delivered over the FACH (forward access channel) mapped to the S-CCPCH. The S-CCPCH has very limited capacity in most networks, and is being shared between other requests to establish channels, mobility updates from phones moving about, etc etc etc.

The point is SMS does consume finite network resources, and they are more finite than you think. Your assumption/myth might be valid if you can piggy back SMS onto the back of the (typical) hourly location updates that occur, but who wants their SMSes to all be buffered once an hour?

Comment: Re:rename "Airplane mode" "Shopping mode" (Score 1) 236

by jquirke (#37711626) Attached to: Australian Malls To Track Shoppers By Their Phones

The IMEI is usually sent over an encrypted channel, after the CIPHERING MODE COMMAND has been sent in GSM (although the specifications do not mandate this).

It is not possible to track your long term movements. GSM and UMTS use what is known as the TMSI - the Temporary Mobile Subscriber Identity, which is a 32-bit temporary identifier which may not persist more than a few hours at a time.

Your IMSI (international mobile subscriber identity) is only ever sent over the air in clear text in 'recovery' situations, where your mobility context cannot be retrieved from the previous VLR. Otherwise, new TMSIs are allocated over an encrypted channel, so it is extremely difficult to establish a chain of TMSIs.

So in short, it is not possible to establish your long term visiting trends, but it is possible to establish the length of time you spend in a shopping centre (as phones periodically re-register themselves with the network, even in the same location area), if your phone is otherwise idle.

Comment: Re:Spending 20 to save 10, my experience (Score 1) 111

by jquirke (#37550816) Attached to: IBM Launches Parking Meter Analytics System

Our meters already do a spot empty check to clear existing funds out of the meter when someone leaves.

This is a serious dick move. Seriously. Just a dick move.

Agreed. The meter is paid, who cares who paid for it? Stop double dipping.

Though on the topic of dick moves, the US has it pretty easy. Look at what these vermin (The Melbourne City Council) are up to:

http://www.melbourne.vic.gov.au/AboutCouncil/MediaReleases/Pages/NewparkingtechnologyforCityofMelbourne.aspx

  In ground sensors - a device that records when a vehicle moves in and out of a parking bay. A five minute grace period will be built in and once a vehicle has overstayed the limit a signal will be sent to the nearest parking officer’s hand-held device. The in ground sensors will be progressively rolled out to 4,619 single marked bays across the CBD from 1 July to 30 October.

  Licence plate recognition systems – image processing technology used to identify a vehicle via its number plate in some residential areas. The system consists of a high speed digital camera, integrated GPS system and optical character recognition software. Two systems will be in operation in Flemington, Kensington, North Melbourne and Carlton. The license plate recognition technology will be on the road from 1 July.

Comment: Re:I'm getting old (Score 2, Interesting) 262

by jquirke (#35414334) Attached to: Facebook May Bust Up the SMS Profit Cartel

This is simply a myth. The sending of text messages consumes network resources that cost money. How much they cost is a different question - and I am not disagreeing with you that the markup may be exorbitant, but I do have to correct your claim.

In GSM, sending a text message still predominantly operates over an SDCCH (standalone dedicated control channel), which requires a full paging (for network originated) or random access cycle, encryption setup messages, authentication messages. The whole process can take around 5 seconds (don't believe me? put your phone on top of an old radio so you can hear the radio transmission activity..)

Where your claim is correct is during a call - the SMS uses the SACCH (slow associated CCH) which places minimal additional load on the network, but the majority of SMSes occur when the phone is not in a call.

Some GSM networks allow the text message to be sent as a packet of data over GPRS/EDGE which greatly reduces radio-link (Um link) signalling burden.

Android

Kongregate App Pulled From Android Market 139

Posted by Soulskill
from the gone-in-a-flash dept.
itwbennett writes "Last week Google took a page from Apple's book and pulled the Arcade by Kongregate app from the Android Market for violating its terms of service. In particular, the part that forbids distributing 'any Product whose primary purpose is to facilitate the distribution of Products outside of the Market.' As Kongregate's Jim Greer explained to Joystiq, the app is essentially a custom web browser that loads in a Flash game from the mobile version of Kongregate. Plus, it will cache the game so you can play offline. And this may be the feature that got it yanked, speculates Ryan Kim at GigaOm."
PlayStation (Games)

Best Buy Unapologetic About Charging For PS3 Firmware Updates 454

Posted by Soulskill
from the a-fool-and-his-money dept.
donniebaseball23 writes "After discovering that electronics retailer Best Buy was charging ignorant customers $30 for the 'service' of installing updated firmware on PS3s, IndustryGamers got word from the company on its policy. Best Buy sees no problem with charging for this convenience, even though it's something Sony provides to PS3 owners completely free. 'While many gamers can handle firmware upgrades easily on their own, those customers who do want help can get it from Geek Squad, and we continue to evaluate this offering to ensure it meets their needs. The service goes beyond a firmware updates, and includes user account setup, parental control setup and other components,' a representative said."
Education

NAMCO Takes Down Student Pac-man Project 218

Posted by Soulskill
from the chasing-ghosts dept.
An anonymous reader writes "The core of how people first learn to do stuff — programming, music, writing, etc. — is to imitate others. It's one of the best ways to learn. Apparently a bunch of students using MIT's educational Scratch programming language understand this. But not everyone else does. NAMCO Bandai sent a takedown notice to MIT because some kids had recreated Pac-man with Scratch. The NAMCO letter is pretty condescending as well, noting that it understands the educational purpose of Scratch, but 'part of their education should include concern for the intellectual property of others.'"
