Can Android phone running without SIM card be tracked (localized) by police?
I am running an Android phone without a SIM card. I am using it for web surfing. Can the police localize my phone using the cell towers (BTS)?
In other words, I know Android phones emit radiations even if there is no SIM inserted. Can the service provider use these radiations to detecte where my phone is?
Well i don't know the answer but the GSM protocol permits emergency calls without sim card. Doesn't that mean that in someway you're connected to the cells?!
I don't really know if what I'm saying is a myth or not but i would like to learn :). It's possible for the Service Operator to call back an emergency call using IMEI? If it is how can they do it if the phone is passive?! Or the GSM callback is only possible if you have a sim Card?
A SIM identifies you with your network operator; it is necessary to be able to receive calls and to bill you for calls you make. Without a SIM, a phone is mostly useless as a phone, but it can still make emergency calls (in most countries). Without a SIM, your cell phone will not normally transmit data to local base stations, but if you make an emergency call, it will identify itself with the cell tower by sending its IMEI. So there is some information identifying your phone that can travel on the cell phone network, but only at your own behest. I don't know how easily the police can access this information.
If you've turned off GSM altogether and are only connected through wifi, it's a different matter. The wifi access point knows your phone's MAC address. Whether (or how easily) the police has access to that depends on who owns the access point.
Beyond that, your internet traffic does not inherently contain information that identifies your phone, but there is a lot of indirect information. Your IP address will pinpoint at least the access point's ISP and your general location, and with the cooperation of the access point owner your access can be tracked back to the access point by someone who is trying to trace your traffic. The content of your traffic may or may not identify you or your phone, for example through browser fingerprinting, or simply because you logged in to some online account.
If someone is in the vicinity of the access point, they can physically locate your phone by measuring its radio signal.
I don't have the GSM specification at hand to verify, but why should a cell phone without a SIM "ping" (whatever you mean by that) local base stations? If you try to make an emergency call, the cell phone will request such a connection from the nearest base station, but there is no need for the cell phone to communicate with the network prior to that.
@jarnbjo I thought the handset periodically checked what bands are available in its location. Does this not happen in emergency mode? Or is it passive? I am by no means a GSM expert, if you know better please correct me.
The handset will scan the GSM bands to find the BCCHs (broadcast control channels) of the available base stations. On these channels, the base station transmits all necessary data required by the handset to contact the network, in particular the RACH (random access channel) used by the handset to initially contact the base station. If the handset is not interested in registering itself with the network (for which a SIM is required), it remains passive. If you try to make an emergency call, the handset will request this on the most suitable RACH.