Turns out you don't even need a GPS to track a mobile phone user's
whereabouts and glean her movements and interactions: Researchers
have discovered a way to use information from the GSM mobile
infrastructure to track down someone and even listen in on her
voicemail messages and calls.
Don Bailey, security consultant with iSec Partners, and independent
researcher Nick DePetrillo demonstrated at the SOURCE Boston
conference how they were able to use a combination of available GSM
data plus their own handmade tools to glean someone's cell phone
number, pinpoint where she was located physically, and determine
what she was doing, as well as gather intelligence about her
relationships -- business or otherwise.
"We create a dossier about someone's life over a period of time,"
Bailey says. "We're able to infer things about an individual's
behavior and interactions with the company they work for [as
well]," he says.
The researchers gathered information from the GSM network
infrastructure itself: "We're using information we can gather from
the GSM network to infer your location. And we've taken GSM
geolocation a few steps forward, combined with some tools we
developed," DePetrillo says. "This is new and novel and really,
really scary."
The research has chilling implications for businesses, as well as
the individuals themselves. Bailey and DePetrillo say they were
able to glean the identity of a government contractor by sifting
through caller IDs and phone numbers they traced to the U.S.
Department of Homeland Security, for example.
Bottom line is it demonstrates inherent weaknesses in the way
mobile providers interoperate over the GSM infrastructure. "There
is a soft underbelly in the cell phone network...it's an
interoperability thing," Bailey says. "We are taking advantage of
the way these companies are exposing interfaces to each other.
That's where it becomes a serious problem."
Tyler Shields -- a senior researcher for Veracode who recently
released proof-of-concept code for a spyware app for the BlackBerry
that can track the victim's physical location via GPS and grab
sensitive information -- says Bailey and DePetrillo's research is
novel in that it attacks the GSM infrastructure itself.
"That's akin to attacking the Internet at the router level,"
Shields says. "This attacks at the infrastructure level versus the
application level. If you can compromise the infrastructure's
underlying building blocks, the rest of it will tumble. That's what
makes their [research] so interesting."
The researchers used the GSM provider caller ID database, the Home
Location Registry (HLR), and some voicemail-hacking techniques,
along with their own tools. They reverse-engineered the mobile
phone caller ID database by scanning blocks of cell phone numbers,
creating a white pages of sorts of these numbers. "It comes back
with the name of the organization that owns it," DePetrillo says.
They also were able to determine the cell number's cell provider,
even if that number had been ported to a new provider, he says.
They then leveraged the HLR, a central repository of information
mobile phone subscribers, to locate cell phone towers and regional
locations, among other information. "We [used] the mobile switching
center number, which corresponds with all cell phone towers in a
region and calls back to the switching center where data is
routed," Bailey says.
The researchers were able to combine this data, as well as from
social networks, to glean a victim's comings and goings. "We can
make connections between the movements and 50 or so candidates and
whittle it down to one or two," for example, he says.
They then sifted through voicemail or grabbed phone records of who
the victim had been speaking with. "We can take those numbers and
get you and the other phone to call each other" and conference in
to listen in on the conversation to grab more intelligence, he
says.
With a little caller ID spoofing, they can extract other
information about the victim by hacking into voicemail, for
instance. "We can call someone's phone with a spoofed caller ID.
Then we can enter the voicemail box without a PIN," DePetrillo
says. "That's not new, but combined with other techniques, it lets
us get directly into their voicemail without ringing the
phone."
The researchers -- who did not release the tools they created --
have alerted major GSM carriers in the U.S. about their findings.
"They are very concerned," Bailey says. Some are looking at how to
better mitigate these types of attacks, but it won't be easy.