Your Phone Silently Sends GPS to Your Carrier — Here's How

RRLP and LPP protocols let carriers silently extract your precise GPS coordinates from your phone's baseband. No app permissions, no notification, no consent dialog. The protocol was designed for 911 — but that's not all it's used for.

Here's something that will ruin your morning: right now, your mobile carrier can send a silent command to your phone, and your phone will compute its exact GPS coordinates and send them back. No notification. No permission prompt. No indication whatsoever that it happened.

This isn't a bug. It isn't a hack. It's a feature — baked into the cellular protocol stack since the early 2000s, operating at a layer so deep that your phone's operating system doesn't even know it's happening.

The protocols are called RRLP (Radio Resource Location services Protocol) for 2G/3G networks, and LPP (LTE Positioning Protocol) for 4G/5G. Together, they form what's known as control-plane positioning — and they're the reason your carrier knows where you are with GPS-level precision, whether you want them to or not.

How It Actually Works

To understand why this is invisible, you need to understand how your phone's architecture is split. Every smartphone has two processors:

  • The application processor (AP) — this runs iOS or Android, your apps, your location permissions
  • The baseband processor (BP) — this runs the cellular modem firmware, handles radio communication, and talks directly to the cell tower

These two processors are largely isolated. The baseband is a black box — it runs its own RTOS (real-time operating system), has its own firmware, and handles its own protocol stack. When your carrier sends a location request, it goes to the baseband, not to Android or iOS.

Here's what the flow looks like:

┌──────────────┐         ┌──────────────┐         ┌──────────────┐
│   Carrier /  │         │   Cell Tower │         │    Phone     │
│    SMLC      │────────▶│   (eNodeB)   │────────▶│   Baseband   │
│              │  LPP    │              │  RRC    │   Processor  │
│  "Send me    │ request │              │         │              │
│   your GPS"  │         │              │         │  ┌────────┐  │
└──────────────┘         └──────────────┘         │  │  GPS   │  │
                                                  │  │ chipset│  │
       ◀ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ │  └────────┘  │
         GPS coordinates (lat, lon, accuracy)     │              │
                                                  │  App CPU has │
                                                  │  NO IDEA this│
                                                  │  happened    │
                                                  └──────────────┘

The carrier's SMLC (Serving Mobile Location Centre) sends a positioning request over the control plane — the signaling channel used for call setup, handovers, and network management. This isn't user data. It's infrastructure-level signaling.

The baseband receives the request, activates the GPS chipset, computes coordinates, and sends them back. The application processor — the part that runs your apps and enforces location permissions — is never involved.

The Protocol Details

RRLP (defined in 3GPP TS 04.31) was designed for GSM and UMTS networks. It supports two positioning methods:

  • MS-Assisted — the phone takes raw GPS measurements and sends them to the network, which computes the position
  • MS-Based — the phone computes the full GPS fix itself and sends back finished coordinates

In MS-Based mode, the network first sends assistance data — satellite ephemeris, reference time, approximate position — to speed up the GPS fix. Then the phone does the math and returns a result. This is what a simplified RRLP message exchange looks like:

// RRLP Measure Position Request (Network → Phone)
{
  methodType: "msBased",           // phone computes position
  positionMethod: "gps",           // use GPS
  responseTime: 8,                 // seconds to respond
  accuracy: 20,                    // meters (requested)
  assistanceData: {
    referenceTime: 1706745600,
    referenceLocation: {
      lat: 28.6139,                // approximate lat (Delhi)
      lon: 77.2090                 // approximate lon
    },
    navigationModel: { /* satellite ephemeris data */ }
  }
}

// RRLP Measure Position Response (Phone → Network)
{
  locationEstimate: {
    lat: 28.614523,
    lon: 77.209112,
    altitude: 216,
    uncertainty: 12                 // meters
  },
  timestamp: 1706745608
}
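The simplified response above shows the fix as decimal degrees; on the wire, RRLP carries the position estimate as an octet string coded per 3GPP TS 23.032. As an added example (not code from the original article), the block below packs the sample fix into that spec's 8-octet "ellipsoid point with uncertainty circle" shape and decodes it again. Function names are hypothetical, and altitude is left out because it needs a different shape.

```javascript
// Added example: 3GPP TS 23.032 "ellipsoid point with uncertainty circle".
// Function names and the sample fix are constructed for illustration.
const SHAPE_POINT_WITH_CIRCLE = 0x1; // type-of-shape nibble in octet 1
const LAT_SCALE = 2 ** 23 / 90;      // 23-bit magnitude plus a sign bit
const LON_SCALE = 2 ** 24 / 360;     // 24-bit two's complement

// 7-bit uncertainty code K stands for r = 10 * (1.1^K - 1) metres.
const codeToMetres = (k) => 10 * (1.1 ** k - 1);
function metresToCode(r) {
  // Smallest K whose radius covers r, so the stated bound is never optimistic.
  const k = Math.ceil(Math.log(r / 10 + 1) / Math.log(1.1));
  return Math.min(Math.max(k, 0), 127);
}

function encodeEstimate(lat, lon, uncertaintyM) {
  if (Math.abs(lat) > 90 || Math.abs(lon) > 180) throw new RangeError("bad coordinates");
  const latN = Math.min(Math.floor(Math.abs(lat) * LAT_SCALE), 2 ** 23 - 1);
  const lonN = Math.min(Math.floor(lon * LON_SCALE), 2 ** 23 - 1) & 0xffffff;
  const south = lat < 0 ? 0x80 : 0x00; // sign bit: 0 = north, 1 = south
  return Uint8Array.of(
    SHAPE_POINT_WITH_CIRCLE << 4,
    south | (latN >> 16), (latN >> 8) & 0xff, latN & 0xff,
    lonN >> 16, (lonN >> 8) & 0xff, lonN & 0xff,
    metresToCode(uncertaintyM)
  );
}

function decodeEstimate(octets) {
  if (octets.length !== 8 || (octets[0] >> 4) !== SHAPE_POINT_WITH_CIRCLE) {
    throw new Error("not an ellipsoid point with uncertainty circle");
  }
  const latN = ((octets[1] & 0x7f) << 16) | (octets[2] << 8) | octets[3];
  let lonN = (octets[4] << 16) | (octets[5] << 8) | octets[6];
  if (lonN & 0x800000) lonN -= 0x1000000; // sign-extend the 24-bit value
  return {
    lat: ((octets[1] & 0x80) ? -1 : 1) * latN / LAT_SCALE,
    lon: lonN / LON_SCALE,
    uncertaintyM: codeToMetres(octets[7] & 0x7f),
  };
}

// Constructed input: the fix from the simplified response above, altitude dropped.
function roundTripSample() {
  const wire = encodeEstimate(28.614523, 77.209112, 12);
  return { wire, decoded: decodeEstimate(wire) };
}
const sample = roundTripSample();
console.log([...sample.wire].map((b) => b.toString(16).padStart(2, "0")).join(" "));
console.log(sample.decoded);
```

For the sample fix the uncertainty code is 9, which decodes to about 13.58 m: the "12 meters" in the simplified message has no exact wire representation. Latitude is quantized in steps of 90/2^23 degrees, roughly 1.2 m.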

LPP (defined in 3GPP TS 36.355) is the 4G/5G successor. Same concept, more positioning methods — it adds OTDOA (Observed Time Difference of Arrival), ECID (Enhanced Cell ID), and in 5G Release 16+, NR positioning with sub-meter accuracy. But the core principle is identical: the network asks, the baseband answers, the OS never knows.

The critical detail: RRLP requires no authentication. The phone doesn't verify that the location request is legitimate, tied to an emergency call, or authorized by any legal process. The baseband just... responds. Harald Welte demonstrated this at HAR2009 back in 2009, proving that smartphones would hand over GPS coordinates to anyone who could send a properly formatted RRLP request via a rogue base station.

Who's Been Using This?

This capability was originally designed for E911 — the FCC mandate that mobile phones must be locatable when calling emergency services. Reasonable enough. But "designed for emergencies" and "restricted to emergencies" are very different things.

Law enforcement: The quiet tool

In 2006, the DEA was already using carrier-assisted GPS location to track suspects in real-time, according to documents obtained through FOIA requests. The process was straightforward: serve the carrier with a court order (or sometimes a subpoena, which has a lower legal bar than a warrant), and the carrier would trigger an RRLP/LPP request to ping the target's phone.

The Carpenter v. United States (2018) Supreme Court ruling established that historical cell-site location data requires a warrant. But real-time control-plane positioning exists in a legal gray area — some jurisdictions treat it as a pen register (lower standard), others require a full warrant. The legal framework hasn't caught up to the technical reality.

Israel's Shin Bet: Mass surveillance during COVID

During the COVID-19 pandemic, Israel's domestic intelligence agency Shin Bet used carrier location data to track the movements of infected individuals — and their contacts. This was done using the same control-plane positioning infrastructure, repurposed from counter-terrorism to public health surveillance. The Israeli Supreme Court eventually restricted the practice, but it demonstrated something important: the infrastructure exists and can be activated at scale with a policy decision, not a technical one.

Carriers selling location data

In 2019, reports revealed that major US carriers — T-Mobile, AT&T, Sprint — were selling real-time phone location data to third-party aggregators like LocationSmart and Zumigo, who then resold it to bail bond companies, bounty hunters, and others. The FCC eventually fined the carriers over $200 million. But the underlying capability that made this possible — the ability to silently query any phone's position — remains intact.

Why You Can't Opt Out

This is the part that frustrates developers: there's nothing you can do about this at the application layer.

  • Airplane mode — works, but then you don't have a phone
  • Location permissions (iOS/Android) — irrelevant. These control app access to GPS, not baseband access
  • "Location Services" toggle — controls the OS-level location API, not the cellular control plane
  • VPNs, firewalls, privacy apps — operate at the IP layer. Control-plane signaling bypasses all of this

The fundamental problem is architectural. The baseband processor is a separate computer running proprietary firmware from Qualcomm, MediaTek, or Samsung. It has direct hardware access to the GPS chipset. The application processor has no visibility into, or control over, what the baseband is doing with location data.

Your Privacy Controls
─────────────────────
Settings → Privacy → Location Services → OFF
    ↓
    Controls: App-level GPS access (API layer)
    Does NOT control: Baseband GPS responses

What actually happens:
    Carrier → Control Plane → Baseband → GPS → Carrier
    (Your OS is not in this loop)

Apple's Fix — And Its Limits

Apple has quietly been working on this. With the iPhone 16e and its custom C1 modem (Apple's first in-house cellular modem), Apple now has the ability to intercept and manage control-plane location requests at a level they couldn't before.

In iOS 26 (currently in beta), Apple introduced a Location Privacy feature for devices with the C1 modem. The implementation does three things:

  1. Visibility — the OS is notified when a control-plane location request arrives
  2. User consent — the user can be prompted before the baseband responds with precise coordinates
  3. Downgrade option — instead of GPS, the phone can respond with a coarser cell-tower-based estimate

This is genuinely significant. For the first time, the application processor has a say in what the baseband reports for carrier location requests.

But here's what it doesn't do:

  • It only works on the iPhone 16e (and presumably future iPhones with Apple's C1 modem). Every other iPhone still uses Qualcomm basebands where Apple has no control
  • It can't fully block location responses — E911 regulations require that emergency calls provide location. Apple's feature distinguishes between emergency and non-emergency requests
  • Android has no equivalent. Google doesn't make its own modem. Every Android phone uses a Qualcomm or MediaTek baseband, and those vendors have shown zero interest in giving the OS control over control-plane positioning
  • It doesn't address historical data carriers have already collected using this technique

To be clear: Apple building their own modem wasn't primarily about privacy. It's about margins, supply chain control, and integration. But the privacy benefits are real and meaningful — even if they only reach a fraction of iPhone users today.

What Developers Should Know

If you're building apps that handle sensitive location data, or if you care about user privacy (you should), here's what this means for you:

1. Your location permissions are theater for this threat model

iOS and Android location permissions protect against app-level location access. They do absolutely nothing against carrier-level control-plane positioning. If your threat model includes government surveillance or carrier-side data collection, telling users to "turn off location services" is bad advice.

2. The baseband is the real attack surface

The baseband processor runs proprietary, unauditable firmware. It has direct hardware access to the GPS, microphone, and radio. Security researchers have found exploitable vulnerabilities in Qualcomm and Samsung baseband firmware repeatedly. This isn't theoretical — it's an active attack surface that most developers never think about.

// What you think happens when a user denies location
navigator.permissions.query({ name: "geolocation" }).then((status) => {
  if (status.state === "denied") {
    console.log("No location access — user is safe");
    // WRONG. This only controls the browser/OS API.
    // The baseband can still be queried directly by the carrier.
    // Your code has zero visibility into this.
  }
});

3. Defense in depth means different things now

If you're building for privacy-sensitive users (journalists, activists, people in hostile environments), the honest advice is:

  • A phone with a cellular connection is always trackable by the carrier
  • The only reliable defense is physical: Faraday bags, removing SIMs, using Wi-Fi-only devices
  • Apple's C1 modem is a step forward, but it's one phone model out of billions

TL;DR

  • Your carrier can silently request your GPS coordinates via RRLP (2G/3G) and LPP (4G/5G) protocols
  • This happens at the baseband level — below the OS, invisible to apps, immune to location permission toggles
  • No authentication required — the phone just responds to any properly formatted request
  • Used by law enforcement (DEA, 2006+), intelligence agencies (Shin Bet), and carriers selling data to third parties
  • Apple's iOS 26 + C1 modem is the first real fix — but only on iPhone 16e, and Android has nothing equivalent
  • You can't opt out at the software level. Location permissions don't touch the control plane. The only reliable defense is physical (airplane mode, Faraday bags)

The uncomfortable truth: every phone with a SIM card is a tracking device that happens to run apps. The cellular protocol stack was designed in an era where the network was trusted by default. Twenty-five years later, we're still living with that assumption baked into every phone on the planet.

Apple making their own modem is a crack in this wall. But it's one company, one phone, one modem. The other 6 billion mobile devices? Still answering silently.

Written by Sudheer Singh. Full-stack engineer, 9 years. I write about what I learn.
