This paper addresses location privacy threats arising from the open broadcast nature of wireless communications by proposing a novel passive localization attack. The method pioneers the use of deep learning-based modulation classification to parse downlink MCS tables, enabling construction of a “pseudo-ranging ring” that narrows the spatial search space; it further integrates multi-feature geometric modeling of uplink channels to achieve precise line-of-sight (LoS) user localization. Key contributions include: (1) the first modulation-recognition-driven passive localization paradigm; (2) the pseudo-ranging ring mechanism, drastically reducing reliance on specialized hardware and prior knowledge; and (3) a scalable localization framework compatible with digital twin maps. Evaluated on Release 16–20 cellular and WiFi systems, the approach achieves sub-hundred-meter accuracy for LoS users, exposing a pervasive privacy vulnerability across standardized wireless protocols.

The broadcast nature of the wireless medium and openness of wireless standards, e.g., 3GPP releases 16-20, invite adversaries to launch various active and passive attacks on cellular and other wireless networks. This work identifies one such loose end of wireless standards and presents a novel passive attack method enabling an eavesdropper (Eve) to localize a line of sight wireless user (Bob) who is communicating with a base station or WiFi access point (Alice). The proposed attack involves two phases. In the first phase, Eve performs modulation classification by intercepting the downlink channel between Alice and Bob. This enables Eve to utilize the publicly available modulation and coding scheme (MCS) tables to do pesudo-ranging, i.e., the Eve determines the ring within which Bob is located, which drastically reduces the search space. In the second phase, Eve sniffs the uplink channel, and employs multiple strategies to further refine Bob's location within the ring. Towards the end, we present our thoughts on how this attack can be extended to non-line-of-sight scenarios, and how this attack could act as a scaffolding to construct a malicious digital twin map.