This article is also available in:
Deutsch: [Polizei setzt häufig Stille SMS zur Ortung Verdächtiger ein |]

One issue that came out during the 28th Chaos Communication Congress held in
Berlin between 27 and 30 December 2011, was the use of the so called “Silent
SMS” by the police in Germany to track down suspects.

The Silent SMS, also called Flash-SMS is a SMS allowing the user to send a
message to another mobile phone without the knowledge of the recipient.
“The message is rejected by the recipient mobile, and leaves no trace. In
return, the sender gets a message from a mobile operator confirming that the
Silent SMS has been received,” as it is explained by the developers from the
Silent Services, company who created some of the first software necessary to
send such SMSs.

Mobile security expert Karsten Nohl and his colleague Luca Melette,
announced during their presentation at the Congress, that in Germany, in
2010, the police sent thousands of Silent SMS meant to locate suspects.

Silent SMS were initially meant to allow operators to acknowledge whether a
mobile phone was switched on and test the network without advising the
users. However, they have proven useful for the tracking down of suspects by
the police in several countries. Silent SMS allow the precise location of a
mobile phone by using the GSM network.

“We can locate a user by identifying the three antennas closest to his
mobile, then triangulating the distance according to the speed it takes for
a signal to make a return trip. A mobile phone updates its presence on the
network regularly, but when the person moves, the information is not updated
immediately. By sending a Silent SMS, the location of the mobile is
instantly updated. This is very useful because it allows you to locate
someone at a given time, depending on the airwaves” explained Karsten Nohl.

According to Mathias Monroy, a journalist with Heise Online, this
surveillance technology is largely used because it falls in a gray area
from the legal point of view, the law being unclear whether a Silent SMS can
be considered as communication. “The state found that it was not one, since
there is no content. This is useful, because if it is not a communication,
it does not fall under the framework of the inviolability of
telecommunications described in Article 10 of the German Constitution.”

On 6 December 2011, the German Interior Minister Hans-Peter Friedrich
announced that German police and intelligence have sent about 440 000 Silent
SMS a year.

Although no official recognition was offered by French officials, police and
intelligence services work with Deveryware, a “geolocation operator” which
combines cellular localization, GPS, and other “real-time location”
techniques. The company was evasive when questioned by on whether
Silent SMS were one of these techniques: “Regretfully we are unable to
provide an answer, given the confidentiality imposed on us by legal
requisitions. Deveryware’s applications enable investigators to map and
compile a history of a suspect’s movements.”

In the Netherlands the police has been used the technique since 2006. During
a case in February 2011 when 11 Somalian people were arrested for terrorism,
the public prosecutor admitted, for the e-zine Webwereld, that the practice
was a normal part of the wiretap process in drug cases, organised crime,
people trafficking and possible suicide. There is no need for a separate
court order as the technique implies only location data.

When the question was raised in the Dutch Parliament in March 2011, the
Minister of Justice answered that this “investigation means has been applied
for a long time in a number of criminal investigation cases. This means is
only being applied when there is already a wiretap on that telephone
number.” He also added that Silent SMS has been used in several cases and
the judge has always found this means lawful.

Nohl showed during his presentation at the 28th Chaos Communication Congress
that the technique together with easily procurable tools can be used by
attackers to make a mobile phone initiate phone calls and send text
messages. He noted that some users have already received bills of thousands
of euros for calls and texts to Caribbean premium rate services. The
researcher also called on the mobile network operators, network equipment
suppliers and device manufacturers to implement techniques to improve GSM
encryption mechanisms in order to give protection against such kind of
attacks. The techniques are already available but are not used.

Getting the Message? Police Track Phones with Silent SMS (30.01.2012)

28C3: New attacks on GSM mobiles and security measures shown

28c3: Defending mobile phones (28.12.2011)

Each quarter a million Silent SMS (only in German, 22.11.2011)

Custom, Federal Police and Protection of the Constitution sent more than
440,000 SMSs in 2010 (only in German, 13.12.2011)

Investigation used very often Stealth SMS (only in Dutch, 4.02.2011)