by dsl 42 days ago
> The first is what a cellular network does for tracking a user. It's not returning a set of GPS coordinates.

From the perspective of someone working on the RF side of cellular networks, you are absolutely correct.

Modern cellphone baseband chips however are required to implement MT-LR, which allows the network to request that the device respond with its latitude and longitude. In the US this is legally required to be accurate to within 300 meters, so it comes from GPS or AGPS. By sending LAWFUL_INTERCEPT_SERVICES as the client type in the request, the phone is required to not notify the user in any way or log the request.

There is a reason China has been caught with their hand in the US "lawful intercept" cookie jar at least three times.


The good old lawful interception capabilities, like in the Greek wiretapping case of 2004–05, also referred to as Greek Watergate.

https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2...

"involved the illegal tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants."

"In September 2011, new evidence emerged indicating the US Embassy in Athens was behind the telephone interceptions."

>In the US this is legally required to be accurate to within 300 meters, so it comes from GPS or AGPS.

Does that mean GPS is used by the baseband chip even when I disable location services in the OS?

Yes. At this layer the OS has no say in the matter.

That doesn’t make much sense and seems quite nonsensical. Are you really sure about that?

And if so, wouldn’t this, or how it’s possible, differ greatly between phones where the GNSS and cellular radio are separate isolated components, in contrast to ones where they are the same component running a unified firmware?

For example, on the most recent Google Pixels, GNSS is provided by the Qualcomm baseband, with it and, for example, cellular implemented as separate sandboxed processes on their RTOS.

Could someone confirm if they do any non-consensual data sharing?

But on the ones with the Exynos modem, GNSS is a separate chip from a different company (Broadcom iirc). All the kernel drivers are open source. And the userspace HAL blobs are sandboxed with SELinux and other measures. And the modem and GNSS chip are isolated unprivileged components, like similar components are on most modern phones.

Surely if what you said was the case, it wouldn’t stand up to scrutiny, and it would be documented by all the major AOSP-based alternate OSes.

The Qualcomm modem Pixels are sometimes stated as having security advantages, as Qualcomm does a better job hardening their firmware than Samsung, and uses a nice microkernel. But it is difficult to find discussions of the potential for the different functionalities provided all in one chip as sandboxed processes to share data (like WiFi/BT on these Pixels also being on the same chip iirc) without consent of the OS. If the threat model is that you trust the SoC, want to rely on the Linux kernel and OS to maintain separation instead of Qualcomm, and don’t trust the baseband not to act maliciously, couldn’t this be considered a potential downgrade?

I'm not an expert on the baseband implementations, but I have the same impression as the parent, that in the 3GPP protocols the device's location can be requested and it's processed without any OS-level interaction.

How that maps into the hardware I don't know.

Yup, sorry I didn't bring this side up, because the article was mainly talking from the perspective of pulling the LAC/TAI from generating messages in the SS7/Diameter networks. If we want to include what a carrier can do or what lawful intercept can do, it's a different story.