User equipment geolocation depended on long-term evolution signal-level measurements and timing advance

A new approach is described for investigating the accuracy of positioning active long-term evolution (LTE) users. The explored approach is a network-based method and depends on signal level measurements as well as the coverage of the serving cell. In a two-dimensional coordinate system, the algorithm simultaneously applies LTE measured data with a combination of a basic prediction model to locate the mobile device’s user. Furthermore, we introduce a unique method that combines timing advance (TA) and the measured signal level to narrow the search region and improve accuracy. The developed method is assessed by comparing the predicted results from the proposed algorithm with satellite measurements from the global positioning system (GPS) in various scenarios calculated via the number of cells that user equipment concurrently reports. This work separates seven different cases starting from a single reported cell to five reported cells from up to 3 sites. For analysis, the root mean square error (RMSE) is computed to obtain the validation for the proposed approach. The study case demonstrates location accuracy based on the numbers of registered cells with the mean RMSE improved using TA to approximately 70-191 m for the range of scenarios

Location Privacy in LTE: A Case Study on Exploiting the Cellular Signaling Plane's Timing Advance

Location privacy is an oft-overlooked, but exceedingly important niche of the overall privacy macrocosm. An ambition of this work is to raise awareness of concerns relating to location privacy in cellular networks. To this end, we will demonstrate how user location information is leaked through a vulnerability, viz. the timing advance (TA) parameter, in the Long Term Evolution (LTE) signaling plane and how the position estimate that results from that parameter can be refined through a previously introduced method called Cellular Synchronization Assisted Refinement (CeSAR) [1]. With CeSAR, positioning accuracies that meet or exceed the FCC’s E-911 mandate are possible making CeSAR simultaneously a candidate technology for meeting the FCC’s wireless localization requirements and a demonstration of the alarming level of location information sent over the air. We also introduce a geographically diverse data set of TAs collected from actual LTE network implementations utilizing different cell phone chipsets. With this data set we show the appropriateness of modeling the error associated with a TA as normally distributed.

Location Privacy in LTE: A Case Study on Exploiting the Cellular Signaling Plane\u27s Timing Advance

Location privacy is an oft-overlooked, but exceedingly important niche of the overall privacy macrocosm. An ambition of this work is to raise awareness of concerns relating to location privacy in cellular networks. To this end, we will demonstrate how user location information is leaked through a vulnerability, viz. the timing advance (TA) parameter, in the Long Term Evolution (LTE) signaling plane and how the position estimate that results from that parameter can be refined through a previously introduced method called Cellular Synchronization Assisted Refinement (CeSAR) [1]. With CeSAR, positioning accuracies that meet or exceed the FCC’s E-911 mandate are possible making CeSAR simultaneously a candidate technology for meeting the FCC’s wireless localization requirements and a demonstration of the alarming level of location information sent over the air. We also introduce a geographically diverse data set of TAs collected from actual LTE network implementations utilizing different cell phone chipsets. With this data set we show the appropriateness of modeling the error associated with a TA as normally distributed.

Investigations of 5G localization with positioning reference signals

TDOA is an user-assisted or network-assisted technique, in which the user equipment calculates the time of arrival of precise positioning reference signals conveyed by mobile base stations and provides information about the measured time of arrival estimates in the direction of the position server. Using multilateration grounded on the TDOA measurements of the PRS received from at least three base stations and known location of these base stations, the location server determines the position of the user equipment. Different types of factors are responsible for the positioning accuracy in TDOA method, such as the sample rate, the bandwidth, network deployment, the properties of PRS, signal propagation condition, etc. About 50 meters positioning is good for the 4G/LTE users, whereas 5G requires an accuracy less than a meter for outdoor and indoor users. Noteworthy improvements in positioning accuracy can be achievable with the help of redesigning the PRS in 5G technology. The accuracy for the localization has been studied for different sampling rates along with different algorithms. High accuracy TDOA with 5G positioning reference signal (PRS) for sample rate and bandwidth hasn’t been taken into consideration yet. The key goal of the thesis is to compare and assess the impact of different sampling rates and different bandwidths of PRS on the 5G positioning accuracy. By performing analysis with variable bandwidths of PRS in resource blocks and comparing all the analyses with different bandwidths of PRS in resource blocks, it is undeniable that there is a meaningful decrease in the RMSE and significant growth in the SNR. The higher bandwidth of PRS in resource blocks brings higher SNR while the RMSE of positioning errors also decreases with higher bandwidth. Also, the number of PRS in resource blocks provides lower SNR with higher RMSE values. The analysis with different bandwidths of PRS in resource blocks reveals keeping the RMSE value lower than a meter each time with different statistics is a positivity of the research. The positioning accuracy also analyzed with different sample sizes. With an increased sample size, a decrease in the root mean square error and a crucial increase in the SNR was observed. From this thesis investigation, it is inevitable to accomplish that two different analyses (sample size and bandwidth) done in a different way with the targeted output. A bandwidth of 38.4 MHz and sample size N = 700 required to achieve below 1m accuracy with SNR of 47.04 dB

Improvement of mobile trilateration accuracy with modified geo-location techniques.

Masters Degree. University of KwaZulu-Natal, Durban.Abstract available in pdf

IMPLICATIONS FOR LOCATION PRIVACY IN 5G

As cellular technology continues to advance, Fifth Generation (5G) delivers a network capacity and speed to mobile devices unmatched by its predecessors. This heterogeneous network has improved efficiency that connects multiple platforms to create a new experience for its users. The new improvements introduced by 5G also include the increased bands into mmWave and beamforming capabilities that significantly improve the efficiency of 5G. With these improvements, location-based services are more accurate, but also lead to increased vulnerabilities. Location-based attacks via the uplink timing management commands have been studied in previous networks and are susceptible in 5G due to the nearly unchanged timing management structure and increased location accuracy. This thesis comprehensively analyzes cellular positioning, which leverages the 5G timing advance and beamforming for the end user's location. We evaluated the efficiency of varying remote radio heads in an environment to find the most precise location error with the new addition of beamforming. Additionally, we demonstrate how architectural density affects the position estimate in the 5G environment.Lieutenant, United States NavyApproved for public release. Distribution is unlimited

ROLAX: LOCATION DETERMINATION TECHNIQUES IN 4G NETWORKS

In this dissertation, ROLAX location determination system in 4G networks is presented. ROLAX provides two primary solutions for the location determination in the 4G networks. First, it provides techniques to detect the error-prone wireless conditions in geometric approaches of Time of Arrival (ToA) and Time Difference of Arrival (TDoA). ROLAX provides techniques for a Mobile Station (MS) to determine the Dominant Line-of-Sight Path (DLP) condition given the measurements of the downlink signals from the Base Station (BS). Second, robust RF fingerprinting techniques for the 4G networks are designed. The causes for the signal measurement variation are identified, and the system is designed taking those into account, leading to a significant improvement in accuracy. ROLAX is organized in two phases: offline and online phases. During the offline phase, the radiomap is constructed by wardriving. In order to provide the portability of the techniques, standard radio measurements such as Received Signal Strength Indication (RSSI) and Carrier to Interference Noise Ratio(CINR) are used in constructing the radiomap. During the online phase, a MS performs the DLP condition test for each BS it can observe. If the number of the BSs under DLP is small, the MS attempts to determine its location by using the RF fingerprinting. In ROLAX, the DLP condition is determined from the RSSI, CINR, and RTD (Round Trip Delay) measurements. Features generated from the RSSI difference between two antennas of the MS were also used. The features, including the variance, the level crossing rate, the correlation between the RSSI and RTD, and Kullback-Leibler Divergence, were successfully used in detecting the DLP condition. We note that, compared to using a single feature, appropriately combined multiple features lead to a very accurate DLP condition detection. A number of pattern matching techniques are evaluated for the purpose of the DLP condition detection. Artificial neural networks, instance-based learning, and Rotation Forest are particularly used in the DLP detection. When the Rotation Forest is used, a detection accuracy of 94.8\% was achieved in the live 4G networks. It has been noted that features designed in the DLP detection can be useful in the RF fingerprinting. In ROLAX, in addition to the DLP detection features, mean of RSSI and mean of CINR are used to create unique RF fingerprints. ROLAX RF fingerprinting techniques include: (1) a number of gridding techniques, including overlapped gridding; (2) an automatic radiomap generation technique by the Delaunay triangulation-based interpolation; (3) the filtering of measurements based upon the power-capture relationship between BSs; and (4) algorithms dealing with the missing data. In this work, software was developed using the interfaces provided by Beceem/Broadcom chip-set based software. Signals were collected from both the home network (MAXWell 4G network) and the foreign network (Clear 4G network). By combining the techniques in ROLAX, a distance error in the order of 4 meters was achieved in the live 4G networks

Real-Time Localization Using Software Defined Radio

Service providers make use of cost-effective wireless solutions to identify, localize, and possibly track users using their carried MDs to support added services, such as geo-advertisement, security, and management. Indoor and outdoor hotspot areas play a significant role for such services. However, GPS does not work in many of these areas. To solve this problem, service providers leverage available indoor radio technologies, such as WiFi, GSM, and LTE, to identify and localize users. We focus our research on passive services provided by third parties, which are responsible for (i) data acquisition and (ii) processing, and network-based services, where (i) and (ii) are done inside the serving network. For better understanding of parameters that affect indoor localization, we investigate several factors that affect indoor signal propagation for both Bluetooth and WiFi technologies. For GSM-based passive services, we developed first a data acquisition module: a GSM receiver that can overhear GSM uplink messages transmitted by MDs while being invisible. A set of optimizations were made for the receiver components to support wideband capturing of the GSM spectrum while operating in real-time. Processing the wide-spectrum of the GSM is possible using a proposed distributed processing approach over an IP network. Then, to overcome the lack of information about tracked devices’ radio settings, we developed two novel localization algorithms that rely on proximity-based solutions to estimate in real environments devices’ locations. Given the challenging indoor environment on radio signals, such as NLOS reception and multipath propagation, we developed an original algorithm to detect and remove contaminated radio signals before being fed to the localization algorithm. To improve the localization algorithm, we extended our work with a hybrid based approach that uses both WiFi and GSM interfaces to localize users. For network-based services, we used a software implementation of a LTE base station to develop our algorithms, which characterize the indoor environment before applying the localization algorithm. Experiments were conducted without any special hardware, any prior knowledge of the indoor layout or any offline calibration of the system

Synchronization in Cognitive Overlay Systems

The primary purpose of this thesis is to study the effect of synchronization problems in cognitive radio based overlay systems. In such systems the secondary transmitter should know the transmission timing of the primary transmitter for cooperation to take place between the two systems. The thesis also investigates the effect of relaying in overlay systems. By splitting the secondary transmission power into two parts by a ratio alpha, the secondary transmitter can relay the primary transmission while transmitting its own message. Another aim of the thesis is to study the effects of time and frequency offsets in the primary and the secondary systems. Hence, time and frequency synchronization issues are investigated for DVB-T and LTE systems individually. Cell search and selection procedures are also studied for LTE systems. Two N200 Universal Software Radio Peripherals (USRPs) were used to transmit and receive the signal using the Gnu Radio platform and the captured signals were post processed in Matlab to study the effects of time offset and frequency offset of the devices. Moreover, a Matlab simulation was used to investigate the effect of timing offset between primary and secondary transmitters in overlay systems. From the investigation of the overlay scenario with relay, we have found out that the relaying introduce a multi-path effect at the secondary receiver. If there is a delay between the primary and the secondary receivers, the components of the multi-path signal might be added-up in such a way that it is impossible to separate the primary and the secondary signals at the secondary receiver. Hence, we have implemented synchronization and equalization algorithms to estimate the delay and frequency offsets. We observed that the performance of the equalizer at the secondary receiver deteriorates for high delays and low alpha values