Here's something that will ruin your morning: right now, your mobile carrier can send a silent command to your phone, and your phone will compute its exact GPS coordinates and send them back. No notification. No permission prompt. No indication whatsoever that it happened.
This isn't a bug. It isn't a hack. It's a feature — baked into the cellular protocol stack since the early 2000s, operating at a layer so deep that your phone's operating system doesn't even know it's happening.
The protocols are called RRLP (Radio Resource Location services Protocol) for 2G/3G networks, and LPP (LTE Positioning Protocol) for 4G/5G. Together, they form what's known as control-plane positioning — and they're the reason your carrier knows where you are with GPS-level precision, whether you want them to or not.
How It Actually Works
Every smartphone has two processors:
- The application processor (AP) — runs iOS or Android, your apps, your location permissions
- The baseband processor (BP) — runs the cellular modem firmware, handles radio communication, talks directly to the cell tower
These two processors are largely isolated. The baseband is a black box. When your carrier sends a location request, it goes to the baseband, not to Android or iOS.
The carrier's Serving Mobile Location Center (SMLC) sends a positioning request over the control plane. The baseband receives it, activates the GPS chipset, computes coordinates, and sends them back. The application processor is never involved.
The Protocol Details
RRLP (3GPP TS 04.31) was designed for GSM/UMTS. LPP (3GPP TS 36.355) is the 4G/5G successor. Both support MS-Assisted and MS-Based positioning.
The critical detail: RRLP requires no authentication. The phone doesn't verify that the location request is legitimate. The baseband just responds.
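As an added illustration (not code from the original article), the following Python decodes the leading fields of an RRLP PDU, including the MS-Assisted / MS-Based method type named above, which is the check an analyst reviewing captured control-plane messages would use to spot a Measure Position Request. The bit layout is an assumption based on the unaligned-PER encoding of the RRLP ASN.1 and should be verified against the specification; the function names and the sample PDUs are constructed for this example.

```python
# Added example (bit layout is an assumption; verify against the RRLP ASN.1).
COMPONENTS = ["msrPositionReq", "msrPositionRsp", "assistanceData",
              "assistanceDataAck", "protocolError"]
METHOD_TYPES = ["msAssisted", "msBased", "msBasedPref", "msAssistedPref"]
POSITION_METHODS = ["eotd", "gps", "gpsOrEOTD"]

class BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self, nbits: int) -> int:
        # Read nbits most-significant-bit first, failing cleanly on short input.
        if self.pos + nbits > len(self.data) * 8:
            raise ValueError("truncated RRLP PDU")
        value = 0
        for _ in range(nbits):
            byte = self.data[self.pos // 8]
            value = (value << 1) | ((byte >> (7 - self.pos % 8)) & 1)
            self.pos += 1
        return value

def decode_rrlp(pdu: bytes) -> dict:
    r = BitReader(pdu)
    out = {"reference_number": r.read(3)}
    if r.read(1):  # CHOICE extension bit set: component added in a later release
        return {**out, "component": "extension"}
    idx = r.read(3)
    if idx >= len(COMPONENTS):
        raise ValueError("invalid RRLP component index")
    out["component"] = COMPONENTS[idx]
    if idx != 0:
        return out  # only the Measure Position Request is decoded further
    r.read(1)  # MsrPosition-Req extension bit (not interpreted here)
    out["has_assistance_data"] = r.read(5) != 0  # five OPTIONAL presence flags
    r.read(1)  # environmentCharacter presence flag (not interpreted here)
    method = METHOD_TYPES[r.read(2)]
    # msAssisted wraps accuracy in an OPTIONAL; the other three always carry it
    has_accuracy = r.read(1) if method == "msAssisted" else 1
    out["method_type"] = method
    out["accuracy_code"] = r.read(7) if has_accuracy else None
    pm = r.read(2)
    if pm >= len(POSITION_METHODS):
        raise ValueError("invalid positionMethod")
    out["position_method"] = POSITION_METHODS[pm]
    out["response_time_code"] = r.read(3)
    out["sets"] = ("multipleSets", "oneSet")[r.read(1)]
    return out

# Constructed sample PDUs (hex), not captured traffic.
SAMPLES = {"assisted_pref": "a00328b8", "assisted": "200030", "ack": "46"}
```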
Who's Been Using This?
- Law enforcement: The DEA was using carrier-assisted GPS tracking by 2006
- Israel's Shin Bet: Used carrier location data for COVID contact tracing at scale
- Carriers selling data: T-Mobile, AT&T, Sprint sold real-time location data to third parties (FCC fined them $200M+)
Why You Can't Opt Out
- Airplane mode — works, but no phone
- Location permissions — irrelevant, controls app access not baseband
- Location Services toggle — OS-level only
- VPNs/firewalls — operate at IP layer, control-plane bypasses all of it
Apple's Fix — And Its Limits
The iPhone 16e, with Apple's C1 modem and iOS 26, introduces Location Privacy:
- OS is notified of control-plane location requests
- User consent before responding
- Option to downgrade to coarse cell-tower estimate
But this only works on devices with the C1 modem. Android has no equivalent.
What Developers Should Know
- Location permissions are theater for this threat model
- The baseband is the real attack surface
- A phone with cellular = always trackable by carrier
Originally published at fumics.in