How IMSI Rotation Defends Against Paging Attacks

Keegan Stoner, Software Engineer

Your phone is almost always in your pocket, and even when you're not making a call or browsing the web, it's quietly listening for the network to reach out. This background process, called paging, is how your carrier notifies your device of an incoming call, text, or app notification. It's invisible, automatic, and without proper protections, can be exploited.

Paging attacks have been known for years, but in 2019 a team of researchers from Purdue University and the University of Iowa led by Prof. Syed Hussain presented a paper demonstrating a new family of vulnerabilities. With a few silent phone calls and around $200 of hardware, an attacker in your vicinity can confirm your location with nearly 100% accuracy.

For users on a typical carrier, these attacks are serious and largely unaddressed. Cape's IMSI rotation mitigates these attacks, and this post explains how.

How Paging Works, and Why It Reveals Location

To save battery, your phone powers down most of its radio circuitry and only wakes up at precise, predetermined intervals to check for incoming messages. These wake-up moments are called paging occasions, and their timing is computed deterministically from your International Mobile Subscriber Identity, or IMSI, using a public formula in the 4G and 5G standards. Most mobile carriers give you one IMSI that you keep forever, so your paging timeslot never changes.

Anyone with your phone number can trigger a paging message and observe which timeslot your phone wakes up in. In fact, anything that triggers a message to your phone would trigger a paging message; if you have push notifications enabled from social media, the attacker can just send you a DM. A single observation isn't usually enough to isolate you from the crowd, since real network traffic from other users creates noise. But by repeating this a handful of times, a nearby attacker with a radio sniffer can confirm your presence in the vicinity without leaving any trace on your device.

Once an attacker knows your paging timeslot, then at any later time they can check if you are in the vicinity: simply re-run the trigger and observe if there’s a paging signal in your timeslot.

The attack works on both 4G and 5G, requires no cooperation from the carrier, and leaves no trace on the victim's device. In 5G, the paging occasion formula is nearly identical to 4G, with one minor addition: a public PF_offset parameter. The same timeslot derivation applies in both cases, so the mitigation described below covers both generations.

On a typical carrier, your IMSI never changes, and so neither does your paging timeslot. This makes it a fixed, easily determinable identifier to an attacker with the right hardware. Cape’s IMSI rotation changes your paging timeslot regularly, so the attacker is no longer able to confirm your location long-term.
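To make the derivation concrete, here is an added worked example (not code from Cape or from the researchers' paper) that computes the paging frame and paging occasion index from an IMSI using the public formula in 3GPP TS 36.304, with the 5G PF_offset term layered on top. It then measures two things a defender cares about: how many bits of the IMSI a single confirmed timeslot reveals under a given DRX configuration, and whether the slot stays constant across the IMSIs a subscriber has used. All IMSIs and DRX parameters are constructed values, not taken from any real carrier.

```python
"""Paging-occasion derivation from an IMSI (3GPP TS 36.304 section 7.1, with the
5G PF_offset term from TS 38.304) plus two defender-side measurements:
how much a single confirmed timeslot narrows a subscriber down, and whether
IMSI rotation breaks the slot's stability. Added example; every IMSI and DRX
parameter below is constructed, not taken from any carrier."""
import math

# 3GPP constraints on the DRX/paging parameters (constructed defaults below)
DRX_CYCLES = (32, 64, 128, 256)                     # T, in radio frames
NB_FACTORS = (4, 2, 1, 1/2, 1/4, 1/8, 1/16, 1/32)   # nB = factor * T


def paging_occasion(imsi: int, T: int = 128, nB: int = 128, pf_offset: int = 0):
    """Return (paging_frame, i_s): the radio frame (SFN mod T) and the paging
    occasion index in which the UE wakes. pf_offset=0 gives the 4G formula;
    5G adds the public PF_offset term mentioned in the text."""
    if T not in DRX_CYCLES or nB / T not in NB_FACTORS:
        raise ValueError("invalid DRX parameters")
    ue_id = imsi % 1024
    N = min(T, nB)               # paging frames per DRX cycle
    Ns = max(1, nB // T)         # paging occasions per paging frame
    # TS 36.304: SFN mod T == (T div N) * (UE_ID mod N)
    # TS 38.304: (SFN + PF_offset) mod T == (T div N) * (UE_ID mod N)
    pf = ((T // N) * (ue_id % N) - pf_offset) % T
    i_s = (ue_id // N) % Ns      # TS 36.304: i_s = floor(UE_ID / N) mod Ns
    return pf, i_s


def anonymity_set(imsi: int, T: int = 128, nB: int = 128) -> int:
    """Number of the 1024 possible UE_ID values that share this IMSI's slot."""
    target = paging_occasion(imsi, T, nB)
    return sum(1 for ue_id in range(1024) if paging_occasion(ue_id, T, nB) == target)


def bits_revealed(imsi: int, T: int = 128, nB: int = 128) -> float:
    """Bits of the IMSI an observer learns from one confirmed (pf, i_s) pair."""
    return math.log2(1024 / anonymity_set(imsi, T, nB))


def slot_is_stable(imsi_sequence, T: int = 128, nB: int = 128) -> bool:
    """True if every IMSI the subscriber used over the observation window maps
    to the same paging occasion, i.e. the slot is a reusable fingerprint."""
    slots = {paging_occasion(i, T, nB) for i in imsi_sequence}
    return len(slots) == 1


if __name__ == "__main__":
    fixed = [310150123456789] * 5                  # constructed: one IMSI forever
    rotating = [310150123456789, 310150123456790,  # constructed rotation history
                310150123456891, 310150123457034, 310150123459999]
    print("slot (pf, i_s):", paging_occasion(fixed[0]))
    print("bits of IMSI leaked by one confirmed slot:", bits_revealed(fixed[0]))
    print("fixed IMSI -> stable fingerprint:", slot_is_stable(fixed))
    print("rotating IMSI -> stable fingerprint:", slot_is_stable(rotating))
```

With the default T = 128 and nB = T there are 128 distinct slots, so a confirmed timeslot narrows the IMSI to one of eight values mod 1024 (7 bits); a denser configuration (nB = 4T) leaks 9 bits, a sparser one (nB = T/32) only 2. The stability check is the point of the post: a subscriber who keeps one IMSI always lands in the same slot, while a rotating IMSI history does not.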

From Location to Identity

This paging attack becomes a stepping stone for a more serious attack which can link your phone number directly to your IMSI.

The researchers discovered that some carriers, contrary to 3GPP recommendations, fall back to broadcasting your raw IMSI in paging messages under certain failure conditions. Once an attacker knows your paging timeslot using the method above, they can deliberately trigger this fallback. The attacker deploys a fake cell tower to hijack your paging channel and silently block the network's paging messages from reaching your phone. After two failed delivery attempts, the carrier sends your IMSI over the air and the attacker captures it directly. A single silent phone call is all it takes once the setup is in place. The researchers validated this attack against one major US carrier and operators in several other countries.

Once attackers have your IMSI, they can carry out more sophisticated attacks to or even .

Cape’s IMSI Rotation

For most mobile carriers, your IMSI is a permanent identifier. Once an attacker has it, it enables a range of further attacks that previously required law enforcement-level access.

Cape's IMSI rotation significantly mitigates this attack. As a Cape user, your IMSI cycles regularly, so any IMSI an attacker manages to harvest has a short shelf life. Since your paging timeslot is determined by your IMSI, you are regularly moved around in the paging timeline, throwing off any attacker who has logged your paging information.

Attack: Confirm location
Other carriers: Your paging timeslot is fixed permanently, giving any attacker a reusable window to confirm your location at any time, indefinitely.
Cape: IMSI rotation reassigns your paging timeslot regularly and unpredictably, so any pattern an attacker has built up can't be relied on.

Attack: Harvest identifier
Other carriers: Some carriers will expose your permanent IMSI under failure conditions an attacker can deliberately trigger. Since your IMSI never changes, once harvested it can be used indefinitely to enable further attacks.
Cape: IMSI rotation effectively makes harvesting useless.

Conclusion

Paging attacks like these are a reminder that privacy vulnerabilities don't always look like traditional exploits. There's no malware, no compromised server, and no brute-forced password. Just a careful reading of a public protocol specification and a few hundred dollars of hardware. The paging system was designed for efficiency, not privacy, and its idle communication can reveal more than you think.
