Posted on 04/22/2010 8:47:11 AM PDT by ConservativeMind
Researchers have demonstrated how it is possible to use GSM (Global System for Mobile communications) data along with a few tools to track down a person’s mobile phone number and their location, and even listen in on calls and voicemail messages.
Independent researcher Nick DePetrillo and security consultant Don Bailey demonstrated their system at the SOURCE Boston security conference earlier this week. Using information from the GSM network they could identify a mobile phone user’s location, and they showed how they could easily create dossiers on people’s lives and their behavior and business dealings. They also demonstrated how they were able to identify a government contractor for the US Department of Homeland Security through analyzing phone numbers and caller IDs.
Bailey and DePetrillo’s demonstration showed up inherent weaknesses in the way mobile providers expose interfaces to each other to interoperate over the GSM infrastructure. They used the Home Location Registry (HLR) and GSM provider caller ID database, along with some of their own tools and voicemail-hacking techniques.
Their technique was to first obtain their victim’s mobile phone number from the ID database, and they used an open-source PBX program to automate phone calls to themselves, which triggered the system to force a name lookup. They could then associate the name information with the phone number in the caller ID database. Their next step was to match the phone number with the location using HLR, which logs the whereabouts of numbers to allow networks to hand calls off to each other. Individual phones are logged to a register of mobile switching centers within specific geographic regions. DePetrillo said he was even able to watch a phone number moving to a different mobile switching center, regardless of where in the world they were located.
The pair were even able to track a journalist who interviewed an informant in Serbia and then traveled back to Germany, and they also obtained the informant’s phone number. DePetrillo said it was also a simple matter to access voicemail without the phone ringing by making two almost simultaneous calls; the first disconnects before it is picked up, and the second goes into voicemail.
The researchers have not released details of the tools they developed, and have alerted the major GSM carriers about their results. Bailey said the carriers were “very concerned,” but mitigating these sorts of attacks would not be easy. In the meantime there is little mobile phone users can do to protect themselves short of turning off their phones. Indications of an attack might include the phone calling itself, or the phone suddenly calling someone by itself, but most attacks would produce no signs visible to the phone user.
DePetrillo said some of their research scared them, since they were able to track important people who were themselves protected by high security measures by tracking people close to them, such as congressional aides, who were not under high security. He also said the attacks they demonstrated could be made on corporations as well as individuals, and corporations would be well advised to look at the security policies they have in place, especially for their executives.
Bailey said their system is not illegal and does not breach the terms of service.
By the way, the biggest GSM carrier is AT&T, which has the iPhone.
You are not vulnerable if your network is CDMA, which Sprint and Verizon have. CDMA has inherently more transmission security, but that was not what was tested here.
GSM is much more popular around the world.
Very interesting that little bit.
How hard is it to encrypt digital?
>>Researchers have demonstrated how it is possible to use GSM (Global System for Mobile communications) data along with a few tools to track down a person’s mobile phone number and their location, and even listen in on calls and voicemail messages. <<
Maybe they can show me how to re-enable the GPS on my Verizon PDA...
Encryption adds overhead to the phone and tower. GSM is pretty straight-forward to overhear via a slightly modified radio scanner.
CDMA slices frequencies up in a way that makes it extremely complicated to overhear a conversation, and then you only hear one side.
CDMA doesn’t need to be encrypted to be effectively secure.
By the way, this hack didn’t require overhearing conversations. It’s apparently a failure at the core of the system in how it can be accessed.
Perhaps of interest.
This would help narrow down location, but Mobile Switching Center typically comprise many cells. So, this would put the user in an area or even give some simple vector as to travel direction.
This would help narrow down location, but Mobile Switching Center typically comprise many cells. So, this would put the user in an area or even give some simple vector as to travel direction.
If a couple of “amateurs” can suss this out, imagine what the spooks at the NSA, FBI, CIA etc can do.
Software is not written with security in mind, it is written with “Get it to market now!” in mind. Extremely few “managers” or “executives” of any company know or understand the technologies behind their products and they couldn’t give a damn. They want the “nerds” to produce something they can hype and sell.
“If a couple of “amateurs” can suss this out, imagine what the spooks at the NSA, FBI, CIA etc can do.”
These boys can go straight to the switch, and with that, everything that happens with any phone using it.
I wonder how many of these nerds are coopted by the spooks to put in back doors, or if that’s not even necessary?
“I wonder how many of these nerds are coopted by the spooks to put in back doors, or if that’s not even necessary?”
It is generally possible to force a particular phone to load a “special” version of software that enables easier tracking, or eavesdropping. With Smartphones - there’s probably “An App for that”.
Then again, there could easily be an App for determining if your phone was bugged, too - and just knowing that could give the bad guys a big advantage.
It’s truly a “brave new world.” Plenty for me to ponder, novel-wise.
No need to co-opt the nerds. The feds simply approach the companies and it is amazing how many execs are thrilled to cooperate, thinking that makes them some sort of spook themselves.
The CDMA network uses a similar HLR technique, but CDMA signals can be picked up by two or more towers at a given moment. The one with the best signal is used and a "soft handoff" is performed to the best tower as the mobile moves. GSM does a hard handoff. If it guesses wrong, you drop the call.
The attack to hit the voice mail only gets you to the point where you can try the password to access the account. If you don't have the password, that is the end of the attack.
This technique is useful for bad guys who want to track an individual and have the tools to do it. There are plenty of folks who happily run a Google app that uploads a constant GPS track of their location. It can track you on a Google map for all the world to observe...just like a GPS moving map display.
People who want to pursue this technology need access to a PBX PRI line and software that can "chat" with the Signaling System 7 protocol. It's available for sale and the reps are more than happy to sign you up for training classes.
No doubt. The execs probably get a secret decoder ring to seal the deal.
In my next book, the good guys will be using black market phones bought from a compliant cell phone salesmen. Returned phones that are still active, to be used for a short time and destroyed. They’ll keep them in foil pouches most of the time. Plausible?
What’s your actual objective there?
Is it trying to avoid any indication that they are in that area, or simply to prevent “eavesdropping”?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.