Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe.
The hack builds off research by Tobias Engel who in late 2008 showed how to track the whereabouts of cellphones by tapping into mobile network databases. At the Source Conference in Boston Wednesday, independent researcher Nick DePetrillo and Don Bailey of iSec Partners demonstrated how to use similar techniques to track an individual's location even when his number isn't known and to glean other details most users presume are untraceable.
"Now, we can even assign a name to a number and we can find someone's number," DePetrillo told The Register by phone shortly after his presentation. "The scary thing is that you can give me a random cellphone number and I can tell you, usually, who owns it. So if I want to find Brad Pitt's number I can dump all the cellular phone caller ID information out of California and hunt for his number."
The information disclosure hack works by tricking the GSM caller ID system into assembling what amounts to a white pages directory of virtually every cellphone number. To do that, DePetrillo and Bailey set up a voice over IP account that included caller ID. They then called the account over and over using huge blocks of spoofed numbers and logged the caller ID output of each one using an Asterisk server.
The cataloged lookup information allowed them to discover individuals associated with the numbers and vice versa. It also revealed large pools of numbers that belonged to private companies and government agencies.
The researchers then plugged the numbers they wanted to trace into the so-called HLR, or home location register. The database, and the larger SS7 protocol to which it belongs, in many respects is to mobile networks what TCP/IP is to the internet, allowing cellular carriers to locate the whereabouts of a handset so it can receive voice or text traffic.
The HLR also lists a subscriber's mobile carrier, allowing attackers to tailor exploits to vulnerabilities known to affect a particular network, DePetrillo said. He was able to access the database using commercial services offered by companies in Europe.
The techniques exploit functionality built into GSM networks to make sure calls can be routed reliably to a handset no matter where in the world it's located. As such, it won't be easy to fix the disclosure threat without breaking the networks.
"They've discovered some pretty scary stuff," said Chris Paget, who is chief hacker of reverse-engineering consultancy H4RDW4RE and has long exposed the insecurity of radio signals used by GSM networks. "Nick and Don looked behind the towers and found a whole other wrongness. You're literally down to the situation where you can't be secure unless you pull the battery out of your phone." ®