Legal spying via the cell phone system
Researchers say they are able to access telco data to get information believed to be private--cell phone numbers and where they are being used.
Two researchers say they have found a way to exploit weaknesses in the mobile telecom system to legally spy on people by figuring out the private cell phone number of anyone they want, tracking their whereabouts, and listening to their voice mail.
Independent security researcher Nick DePetrillo and Don Bailey, a security consultant with iSec Partners, planned to provide details in a talk entitled "We Found Carmen San Diego" at the Source Boston security conference on Wednesday.
"There are a lot of fragile eggs in the telecom industry and they can be broken," Bailey said in an interview with CNET. "We assume the telecom industry protects our privacy. But we've been able to crack the eggs and piece them together."
The first part of the operation involves getting a target's cell phone number from a public database that links names to numbers for caller ID purposes. DePetrillo used open-source PBX software to spoof the outgoing caller ID and then automated phone calls to himself, triggering the system to force a name lookup.
"We log that information and associate it with a phone number in a (caller ID) database," DePetrillo said. "We created software that iterates through these numbers and can crawl the entire phone database in the U.S. within a couple of weeks... We have done whole cities and pulled thousands of records."
"It's not illegal, nor is it a breach of terms of service," Bailey said.
Next up is matching the phone number with a geographic location. The SS7 (Signaling System) public switched network routes calls around the world and uses what's called the Home Location Register to log the whereabouts of numbers so networks can hand calls off to one another, DePetrillo said. Individual phones are registered to mobile switching centers within specific geographic regions and they are logged in to that main register, he said.
Only telecom providers are supposed to have access to the location register, but small telcos in the EU are offering online access to it for a fee, mostly to companies using it for marketing data and cost projections, according to DePetrillo.
"Using previous research on the subject as a starting point, we've developed a way to map these mobile switching center numbers to caller ID information to determine what city and even what part of a city a phone number is in" at any given moment, he said. "I can watch a phone number travel to different mobile switching centers. If I know your phone number, I can track your whereabouts globally."
For instance, the researchers were able to track a German journalist talking to a confidential informant in Serbia and follow his travels back to Germany, as well as obtain the informant's phone number, Bailey said.
Bailey said he had contacted telecom providers with the information on how industry outsiders were able to get to information believed to be privileged to the providers, but said the hands of GSM providers in the U.S. are tied.
"The attack is based on the assumption of how the networks work worldwide," he said. "For interoperability and peer sake, the larger providers in the U.S. have to hand out the information to other providers."
Asked what cell phone users can do to protect themselves, Bailey said, "people are just going to have to be made aware of the threat."
It's also relatively easy to access other people's voice mail, a service that's been around for years from providers like SlyDial. They operate by making two nearly simultaneous calls to a target number, one of which disconnects before it is picked up and another that goes straight into voice mail because of the earlier call. This enables the caller to go directly to voice mail without the phone ringing. DePetrillo and Bailey re-created that functionality for purposes of their legal spying scenario.
"If I want to find Brad Pitt, I find his number using the caller ID database, use Home Location Register access to figure out what provider he has. T-Mobile is vulnerable to voice mail spoofing so I get into his voice mail and listen to his messages," said DePetrillo. "But I can also have the system tell me the numbers of the callers and I can take those numbers and look them up in the caller ID database and use the Home Location Register system to find their providers and break into their voice mail, and so on."
This can allow someone to make a social web of people, their cell numbers, the context of their voice mail, and their relationships to others, he said.
"These attack scenarios are applicable to corporations and individual users alike," DePetrillo said. "Corporations specifically should start to take a look at their security policies for executives as this can impact a business very hard, with insider trading, tracking of executives, etc."