Geolocating Mobile Phones With An IP5th July 2020
IP addresses feature prominently in digital investigations, but how useful are they for geolocation? The truth is that while IP addresses have many investigative uses, they can be quite unreliable as a precise geolocation method.
The limitations of IP addresses as geolocation tools are grounded in the technology itself. The current IPv4 protocol allows for the existence of just under 4.3 billion separate IP addresses. This was not an issue when the technology was designed in the early 1980s, but now the demand for IP addresses far exceeds supply.
To deal with this shortage, ISPs have developed several workarounds over the years. A reverse proxy server allows thousands of websites to share the same static IP address, for example.
Websites and services generally use IPs that are fixed, but if you’re reading this from your home internet connection then the chances are that you’ve been issued a dynamic IP address by your ISP. You might have the same IP address for a few hours or days, but ISPs constantly juggle and reallocate their IP addresses according to demand. The IP address you have today might be issued to someone else elsewhere in the country tomorrow.
With mobile IPs the IP shortage problem is even more pronounced. Whenever you connect to a 3G or 4G network, you are probably sharing that IP address with thousands of other users at the same time. Your IP address also changes very frequently on a cellular network, sometimes as often as every few seconds.
There is no real correlation between a physical location and a cellular IP address. IP addresses aren’t organised geographically in the way that old landline numbers used to be. It’s more accurate to think of them as being grouped by ISP and service type.
So what about IP geolocation services like Maxmind? A little digging into their own data accuracy reports will tell you that we need to be extremely cautious about how much weight you attach to the geolocation information that they provide.
For example in Germany, Maxmind state that 83% of their IP addresses are accurately linked to their location – but only to within a 50km radius, and even then only with fixed broadband lines:
When we look at cellular IPs, the accuracy drops significantly. Only 38% accuracy within 50km:
The more specific the location, the lower the confidence level. In Germany the confidence that an IP address is associated to a specific city is just 16%. In the USA this accuracy level is just 12%, with 73% of IPs regarded as incorrectly resolved. So how much weight should you really put on the accuracy of a geolocated cellular IP if even the world’s leading IP geolocation companies have such low confidence of it being accurate to within 50km, let alone a single city?
This is not a fault of the GeoIP service providers. It simply reflects the fact that ISPs have no need to allocate IP addresses by geographic area, but instead allocate them according to network demand.
Yet it is common knowledge that mobile phones can be geolocated. A mobile phone connects to a cell tower, and as a matter of fact to all of the surrounding cell towers as well (at least to monitor the signal strength). Each cell tower has a unique ID. This ID can be picked up by several means, whether it is intercepting the radio connection between the mobile phone and the tower or by collecting information on one of the backlinks to the network. If the physical locations of the cell towers are known, a rough geolocation of the phone can be performed if of course you have the cell IDs. However, this can only be done (legally) by law enforcement and/or intelligence services. But is it possible to geolocate a phone based on other information than the cell ID?
Most mobile phones nowadays are constantly connected to the internet. We browse the web, we send messages through services such as Signal or WhatsApp and we check our emails and reply with our smartphones. Each of these connections will transmit an IP-address that has been allocated to our phone. On my normal computer, I could look up my IP-address on sites such as IPLocation and it would show the approximate area I am located in. Of course, this only works if I am not using a proxy or VPN. Different databases might have slightly different locations, but as you can see in this example, I am located somewhere in the vicinity of Munich based on my IP-address.
Just to put these locations into perspective, I plotted them on the map. I was located somewhere on this map while writing this article. Not really that precise, right?
That’s the landline I used, what about geolocating a phone based on the IP-address? Getting the current IP-address of the phone is not as easy as it sounds. Even if I were to receive an email sent from my target’s phone, chances are high that this would not include the originating IP-address. Especially if sent from providers such as Gmail or Hotmail. How can we then obtain the actual IP-address of the phone?
Before you continue reading, a word of caution: The next step could be illegal in some countries and is very intrusive. It is definitely not something I would recommend as you have to actively engage your target. In this case I am just using the technique to prove my point.
I sent my target an email with a tracking pixel. Don’t worry, the target is one of my burner phones. I sent myself an email and opened it with my phone while connected to my provider on 4G (LTE). Tracking pixels, also known as web beacons, are used to figure out if a user has accessed content such as a webpage or an email. These trackers will provide information such as the access time and also the IP-address from which the content was accessed. I used the site GetNotify to get a tracking pixel. Then opened the email with my phone. Here is the result:
As you can see, the tracking pixel sends back the time the email was opened, the user agent string for the browser on my phone and an IP. It states that this IP-address is registered to Telefonica Germany, the provider this burner phone is running on. Let’s check the IPLocation site again:
Okay, we have Munich in there, but we also see other locations. Once more, I plotted them on the map.
I’m on here somewhere, but as you can see, two of the locations are quite a bit away from Munich. So apparently, the IP allocated to my phone by my provider seems to provide a very inaccurate location. One reason for this can be found in the 4G network structure.
The IP-address the mobile phone receives is a dynamic address allocated by the so-called Packet Data Network Gateway (P-GW). This is basically the exit node to the internet and the IP-address is chosen randomly, coming for a pool of addresses. Each time you reconnect with the network you will receive a new random address from this pool, even if you connect to the same cell (for LTE eNodeB) again. There is no direct link between the IP-addresses and any other element of the network, such as the cell tower (eNodeB). Often, outgoing traffic from the P-GW will assign multiple registered mobile phones the same IP-address. While connections from a mobile phone will likely be handled by a regional P-GW, in my case the one physically located in Munich, it could also be registered to a P-GW hundreds of kilometers away. I spent an hour trying to find a friend that uses Telefonica/O2 as well and asked them to help me out here. I sent her an email with a tracking pixel. Here’s what came back:
This IP-address is supposedly located in Munich as well, my friend lives near Passau. That’s 170km apart! Keep in mind, all of this was done without any proxies or VPNs. Using a VPN will of course alter the results. Here’s my burner phone on LTE running through a Belgian IP:
In conclusion, geolocating a phone through an IP might give you the general area (if you are lucky), but just as with any regular IP-address, it will not provide you pinpoint accuracy. I think geolocating landline IPs is actually more accurate than mobile phone IPs in most cases. Just keep this in mind for your future investigations.
Matthias Wilson & Nixintel 5th July 2020