Risk
4/21/2010
12:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Hack Pinpoints Cell Phone User's Location, Personal And Business Relationships

Researchers demonstrate a technique that exploits the cell phone infrastructure to compromise cell user's privacy

Turns out you don't even need a GPS to track a mobile phone user's whereabouts and glean her movements and interactions: Researchers have discovered a way to use information from the GSM mobile infrastructure to track down someone and even listen in on her voicemail messages and calls.

Click here for more of Dark Reading's Black Hat articles.
Don Bailey, security consultant with iSec Partners, and independent researcher Nick DePetrillo today at the SOURCE Boston conference demonstrated how they were able to use a combination of available GSM data plus their own handmade tools to glean someone's cell phone number, pinpoint where she was located physically, and determine what she was doing, as well as gather intelligence about her relationships -- business or otherwise.

"We create a dossier about someone's life over a period of time," Bailey says. "We're able to infer things about an individual's behavior and interactions with the company they work for [as well]," he says.

The researchers gathered information from the GSM network infrastructure itself: "We're using information we can gather from the GSM network to infer your location. And we've taken GSM geolocation a few steps forward, combined with some tools we developed," DePetrillo says. "This is new and novel and really, really scary."

The research has chilling implications for businesses, as well as the individuals themselves. Bailey and DePetrillo say they were able to glean the identity of a government contractor by sifting through caller IDs and phone numbers they traced to the U.S. Department of Homeland Security, for example.

Bottom line is it demonstrates inherent weaknesses in the way mobile providers interoperate over the GSM infrastructure. "There is a soft underbelly in the cell phone network...it's an interoperability thing," Bailey says. "We are taking advantage of the way these companies are exposing interfaces to each other. That's where it becomes a serious problem."

Tyler Shields -- a senior researcher for Veracode who recently released proof-of-concept code for a spyware app for the BlackBerry that can track the victim's physical location via GPS and grab sensitive information -- says Bailey and DePetrillo's research is novel in that it attacks the GSM infrastructure itself.

"That's akin to attacking the Internet at the router level," Shields says. "This attacks at the infrastructure level versus the application level. If you can compromise the infrastructure's underlying building blocks, the rest of it will tumble. That's what makes their [research] so interesting."

The researchers used the GSM provider caller ID database, the Home Location Registry (HLR), and some voicemail-hacking techniques, along with their own tools. They reverse-engineered the mobile phone caller ID database by scanning blocks of cell phone numbers, creating a white pages of sorts of these numbers. "It comes back with the name of the organization that owns it," DePetrillo says. They also were able to determine the cell number's cell provider, even if that number had been ported to a new provider, he says.

They then leveraged the HLR, a central repository of information mobile phone subscribers, to locate cell phone towers and regional locations, among other information. "We [used] the mobile switching center number, which corresponds with all cell phone towers in a region and calls back to the switching center where data is routed," Bailey says.

The researchers were able to combine this data, as well as from social networks, to glean a victim's comings and goings. "We can make connections between the movements and 50 or so candidates and whittle it down to one or two," for example, he says.

They then sifted through voicemail or grabbed phone records of who the victim had been speaking with. "We can take those numbers and get you and the other phone to call each other" and conference in to listen in on the conversation to grab more intelligence, he says.

With a little caller ID spoofing, they can extract other information about the victim by hacking into voicemail, for instance. "We can call someone's phone with a spoofed caller ID. Then we can enter the voicemail box without a PIN," DePetrillo says. "That's not new, but combined with other techniques, it lets us get directly into their voicemail without ringing the phone."

The researchers -- who did not release the tools they created -- have alerted major GSM carriers in the U.S. about their findings. "They are very concerned," Bailey says. Some are looking at how to better mitigate these types of attacks, but it won't be easy.

How can a mobile phone user protect herself from this in the meantime? Short of shutting off her phone, not much, according to the researchers.

There are a few possible red flags that could indicate an attack, but it's mainly a silent one. "If you have a particular missed call, or something strange happens, like you got a phone call from yourself, or your [phone] is suddenly calling someone [itself], those could be telltale signs of an attack."

But most of these attacks would be transparent to the victim. There's only about a 10 to 15 percent chance he would see something awry, Bailey says, because the phone won't ring, for instance.

The researchers say some of their work actually scared them. "The Washington, D.C., area is pretty insecure," DePetrillo says. "I came up with a scenario where you can track very important individuals wherever they are...you don't have to track a government official under high security, just the people who travel with him [via their phones], a lot of whom are not under high security, such as congressional aides."

"So if want to find out where Steve Jobs, Brad Pitt, or Tiger Woods is hiding out, you could [potentially] do that with our techniques," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/14/2014 | 6:11:59 PM
Re: Better privacy in Windows phones
Interesting...I didn't know that about Windows smartphones. Android definitely has the most security/privacy issues right now, and its popularity will obviously mean even more threats/issues to come.
speedo1456
50%
50%
speedo1456,
User Rank: Apprentice
7/13/2014 | 10:02:56 PM
Better privacy in Windows phones
The privacy in windows phones can be secured much better than android phones. Windows phones have the possibility to make calls through Skype with the possibility to hide the IP address and therefore hide your location.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4233
Published: 2015-07-02
SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuu54037.

CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report