Feeds

Mobile network hack reveals sensitive cellphone data

Brad Pitt geo tracking made easy

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe.

The hack builds off research by Tobias Engel who in late 2008 showed how to track the whereabouts of cellphones by tapping into mobile network databases. At the Source Conference in Boston Wednesday, independent researcher Nick DePetrillo and Don Bailey of iSec Partners demonstrated how to use similar techniques to track an individual's location even when his number isn't known and to glean other details most users presume are untraceable.

"Now, we can even assign a name to a number and we can find someone's number," DePetrillo told The Register by phone shortly after his presentation. "The scary thing is that you can give me a random cellphone number and I can tell you, usually, who owns it. So if I want to find Brad Pitt's number I can dump all the cellular phone caller ID information out of California and hunt for his number."

The information disclosure hack works by tricking the GSM caller ID system into assembling what amounts to a white pages directory of virtually every cellphone number. To do that, DePetrillo and Bailey set up a voice over IP account that included caller ID. They then called the account over and over using huge blocks of spoofed numbers and logged the caller ID output of each one using an Asterisk server.

The cataloged lookup information allowed them to discover individuals associated with the numbers and vice versa. It also revealed large pools of numbers that belonged to private companies and government agencies.

The researchers then plugged the numbers they wanted to trace into the so-called HLR, or home location register. The database, and the larger SS7 protocol to which it belongs, in many respects is to mobile networks what TCP/IP is to the internet, allowing cellular carriers to locate the whereabouts of a handset so it can receive voice or text traffic.

The HLR also lists a subscriber's mobile carrier, allowing attackers to tailor exploits to vulnerabilities known to affect a particular network, DePetrillo said. He was able to access the database using commercial services offered by companies in Europe.

The techniques exploit functionality built into GSM networks to make sure calls can be routed reliably to a handset no matter where in the world it's located. As such, it won't be easy to fix the disclosure threat without breaking the networks.

"They've discovered some pretty scary stuff," said Chris Paget, who is chief hacker of reverse-engineering consultancy H4RDW4RE and has long exposed the insecurity of radio signals used by GSM networks. "Nick and Don looked behind the towers and found a whole other wrongness. You're literally down to the situation where you can't be secure unless you pull the battery out of your phone." ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.