Feeds

Mobile network hack reveals sensitive cellphone data

Brad Pitt geo tracking made easy

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe.

The hack builds off research by Tobias Engel who in late 2008 showed how to track the whereabouts of cellphones by tapping into mobile network databases. At the Source Conference in Boston Wednesday, independent researcher Nick DePetrillo and Don Bailey of iSec Partners demonstrated how to use similar techniques to track an individual's location even when his number isn't known and to glean other details most users presume are untraceable.

"Now, we can even assign a name to a number and we can find someone's number," DePetrillo told The Register by phone shortly after his presentation. "The scary thing is that you can give me a random cellphone number and I can tell you, usually, who owns it. So if I want to find Brad Pitt's number I can dump all the cellular phone caller ID information out of California and hunt for his number."

The information disclosure hack works by tricking the GSM caller ID system into assembling what amounts to a white pages directory of virtually every cellphone number. To do that, DePetrillo and Bailey set up a voice over IP account that included caller ID. They then called the account over and over using huge blocks of spoofed numbers and logged the caller ID output of each one using an Asterisk server.

The cataloged lookup information allowed them to discover individuals associated with the numbers and vice versa. It also revealed large pools of numbers that belonged to private companies and government agencies.

The researchers then plugged the numbers they wanted to trace into the so-called HLR, or home location register. The database, and the larger SS7 protocol to which it belongs, in many respects is to mobile networks what TCP/IP is to the internet, allowing cellular carriers to locate the whereabouts of a handset so it can receive voice or text traffic.

The HLR also lists a subscriber's mobile carrier, allowing attackers to tailor exploits to vulnerabilities known to affect a particular network, DePetrillo said. He was able to access the database using commercial services offered by companies in Europe.

The techniques exploit functionality built into GSM networks to make sure calls can be routed reliably to a handset no matter where in the world it's located. As such, it won't be easy to fix the disclosure threat without breaking the networks.

"They've discovered some pretty scary stuff," said Chris Paget, who is chief hacker of reverse-engineering consultancy H4RDW4RE and has long exposed the insecurity of radio signals used by GSM networks. "Nick and Don looked behind the towers and found a whole other wrongness. You're literally down to the situation where you can't be secure unless you pull the battery out of your phone." ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.