Feeds

Mobile network hack reveals sensitive cellphone data

Brad Pitt geo tracking made easy

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe.

The hack builds off research by Tobias Engel who in late 2008 showed how to track the whereabouts of cellphones by tapping into mobile network databases. At the Source Conference in Boston Wednesday, independent researcher Nick DePetrillo and Don Bailey of iSec Partners demonstrated how to use similar techniques to track an individual's location even when his number isn't known and to glean other details most users presume are untraceable.

"Now, we can even assign a name to a number and we can find someone's number," DePetrillo told The Register by phone shortly after his presentation. "The scary thing is that you can give me a random cellphone number and I can tell you, usually, who owns it. So if I want to find Brad Pitt's number I can dump all the cellular phone caller ID information out of California and hunt for his number."

The information disclosure hack works by tricking the GSM caller ID system into assembling what amounts to a white pages directory of virtually every cellphone number. To do that, DePetrillo and Bailey set up a voice over IP account that included caller ID. They then called the account over and over using huge blocks of spoofed numbers and logged the caller ID output of each one using an Asterisk server.

The cataloged lookup information allowed them to discover individuals associated with the numbers and vice versa. It also revealed large pools of numbers that belonged to private companies and government agencies.

The researchers then plugged the numbers they wanted to trace into the so-called HLR, or home location register. The database, and the larger SS7 protocol to which it belongs, in many respects is to mobile networks what TCP/IP is to the internet, allowing cellular carriers to locate the whereabouts of a handset so it can receive voice or text traffic.

The HLR also lists a subscriber's mobile carrier, allowing attackers to tailor exploits to vulnerabilities known to affect a particular network, DePetrillo said. He was able to access the database using commercial services offered by companies in Europe.

The techniques exploit functionality built into GSM networks to make sure calls can be routed reliably to a handset no matter where in the world it's located. As such, it won't be easy to fix the disclosure threat without breaking the networks.

"They've discovered some pretty scary stuff," said Chris Paget, who is chief hacker of reverse-engineering consultancy H4RDW4RE and has long exposed the insecurity of radio signals used by GSM networks. "Nick and Don looked behind the towers and found a whole other wrongness. You're literally down to the situation where you can't be secure unless you pull the battery out of your phone." ®

Remote control for virtualized desktops

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.