Feeds

Mobile network hack reveals sensitive cellphone data

Brad Pitt geo tracking made easy

  • alert
  • submit to reddit

The essential guide to IT transformation

Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe.

The hack builds off research by Tobias Engel who in late 2008 showed how to track the whereabouts of cellphones by tapping into mobile network databases. At the Source Conference in Boston Wednesday, independent researcher Nick DePetrillo and Don Bailey of iSec Partners demonstrated how to use similar techniques to track an individual's location even when his number isn't known and to glean other details most users presume are untraceable.

"Now, we can even assign a name to a number and we can find someone's number," DePetrillo told The Register by phone shortly after his presentation. "The scary thing is that you can give me a random cellphone number and I can tell you, usually, who owns it. So if I want to find Brad Pitt's number I can dump all the cellular phone caller ID information out of California and hunt for his number."

The information disclosure hack works by tricking the GSM caller ID system into assembling what amounts to a white pages directory of virtually every cellphone number. To do that, DePetrillo and Bailey set up a voice over IP account that included caller ID. They then called the account over and over using huge blocks of spoofed numbers and logged the caller ID output of each one using an Asterisk server.

The cataloged lookup information allowed them to discover individuals associated with the numbers and vice versa. It also revealed large pools of numbers that belonged to private companies and government agencies.

The researchers then plugged the numbers they wanted to trace into the so-called HLR, or home location register. The database, and the larger SS7 protocol to which it belongs, in many respects is to mobile networks what TCP/IP is to the internet, allowing cellular carriers to locate the whereabouts of a handset so it can receive voice or text traffic.

The HLR also lists a subscriber's mobile carrier, allowing attackers to tailor exploits to vulnerabilities known to affect a particular network, DePetrillo said. He was able to access the database using commercial services offered by companies in Europe.

The techniques exploit functionality built into GSM networks to make sure calls can be routed reliably to a handset no matter where in the world it's located. As such, it won't be easy to fix the disclosure threat without breaking the networks.

"They've discovered some pretty scary stuff," said Chris Paget, who is chief hacker of reverse-engineering consultancy H4RDW4RE and has long exposed the insecurity of radio signals used by GSM networks. "Nick and Don looked behind the towers and found a whole other wrongness. You're literally down to the situation where you can't be secure unless you pull the battery out of your phone." ®

5 things you didn’t know about cloud backup

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.