For the first proof of concept test, I picked a random user in the "Near me" list of my actual location.
The person I picked is called "Clara".
For trilateration to be useful, I need a tool that can visualize it for me. I could write a tool like this myself, but why should I when https://www.gpsvisualizer.com/ exists? This website lets you import an .xlsx file and turn it into a circle map using this formatting:
To determine a location, you need at least 3 sets of data. I could either move there myself in the real world, or let my computer do the work for me. By using an emulated Android device, I can spoof my GPS location and make Telegram think I am at another location. I will be using Nox for this. (https://www.bignox.com/)
Nox allows me to move my GPS location by simply using its embedded Google Maps view.
It also shows the exact coordinates we moved to, which we will use for our trilateration.
The steps for locating a specific person are rather easy:
- Guess their general location, let's say a city for example.
- Place your GPS marker to a random location around that area.
  - Please note: Telegram has rate limiting on how quickly you can change your coordinates. The cooldown seemed to be about 10 minutes when I tried this.
- Repeat the above until you see the user in the list.
- Note your exact coordinates and the distance to that user.
- Repeat the above at least 2 more times by moving around the expected area.
  - Keep about 5-6 km between your testing coordinates.
- Note them in an Excel sheet as in the example.
- Upload your Excel sheet to https://www.gpsvisualizer.com/
- Find where all the circles intersect each other; this is the location of the user.
These are the results of Test 1:
Judge the results for yourself...
Since asking a stranger "Hey, is this where you currently stay?" to confirm our findings seems… You know… Odd? I re-did this experiment with a friend of mine. He was staying at a random location in Nijmegen that was unknown to me.
Me: Also, I want to do an experiment, can you enable your Telegram location for me, tell me which city you are in, and let me see if I can pinpoint you?
Him:
I enabled it, I am in Nijmegen
I have a Dr. Pepper can as profile picture
And as name Wesley X / @\<username\>
Finding him was not very difficult:
After I found him, I conducted the same test as in the previous example using the exact same steps. This resulted in the following dataset:
After creating this dataset, I rendered a map using GPS Visualizer and collected the results. I replaced the background tiles with a texture instead of the actual map to give my friend some privacy.
(For the curious: I did this by hosting a local web server, redirecting all Mapbox tile requests to localhost, and serving one single image there.)
The purple dot marks the real location of my friend, which I got later. I think this confirms this proof of concept is viable and should be taken seriously as an exploitable way of stalking people.
Of course, I had to confirm my calculations were correct by asking him if I was right.
Me: Am I right?
Him: Red and blue intersect literally on top of my head
Me: HAHAHHA
Him: *Gives his actual current location as confirmation*