For all those people who say the government cannot track people with their cell phones, two security researchers say it’s actually not that hard, and anyone can do it. What’s more, they claim it’s not even illegal.
Nick DePetrillo and Don Bailey of iSec Partners claim to have found found how to track someone with their cell phone. They don’t even need a phone number to start with in many cases, as they can use public databases on open source PBX software to match up names and numbers. In fact, they can match up caller IDs for the entire U.S. in just a few weeks of database processing time. Next, they use the SS7 public switched network routes and a few other available bits of data to pinpoint the location of a cell phone number and thus the phone/ owner. This includes the Home Location Register (HLR), which cellular networks use to determine phone location. According to CNET, the HLR is normally only available to telecoms but is now available for a few through a few European companies. (Note: This research piggybacks on something presented at the 25th Chaos Communications Congress in 2008. A document is available entitled Locating Mobile Phones using SS7 (PDF, 29 pages) from the conference.)
DePetrillo says that they’ve taken their location data and developed a way to map it down to city or part of a city that a phone is in, and can can thus track movement globally. An experiment conducted managed to track a journalist’s travel between two European countries, and as a result determine the phone number of an informant the journalist met with. It should be noted that vulnerabilities were found in GSM cellular networks, though that’s the most commonly used type in the world. These findings were revealed at the Source Conference in Boston this week.
On the one hand, I find this sort of thing fascinating. technically-speaking, and am to map data like a crow is to shiny things. On the other hand, it’s downright scary. The information available can be used track anyone, including public figures, celebrities, etc., even if their cell phone number is private — unless they have the phone registered under a different name. Furthermore, the researchers found that the T-Mobile and possibly other carriers have voice mail vulnerabilities and they could actually get into people’s messages, determine who called them and what their phone numbers are, then tie all this new info to the other data and have a whole new list of people to track. (Isn’t voice mail tampering illegal, considering snail mail tampering is?) It’s like the cellular network equivalent of a search engine bot crawling web pages to create an index, and brings about all sorts of security and privacy implications.
I’ve had this argument with numerous people: our governments do have the ability to track us, and these findings are more proof. Whether they use the ablilty or not is another question. Though given that U.S. federal agencies have previously used remote activation of cell phone mics to listen in on suspected criminals in ongoing investigations, what would stop them from just running cell phone tracking maps on an ongoing basis — other than processing power needed — and auto-filter location trails for a specific number when necessary? If more cell phones start to use NFC chips, it’ll be even easier to update exact locations in the future, provided the necessary checkpoint infrastructure exists.
Are you indifferent to revelations like this, do they worry you, or are you already resigned to this sort of potential lack of privacy in this ago of the Web and its equivalent mobile network?
Image via Flickr.