Slashdot Mirror


All GSM Phones Open To Attack, Tracking

Trailrunner7 writes "A pair of security researchers has discovered a number of new attack vectors that give them the ability not only to locate any GSM mobile handset anywhere in the world, but also to find the name of the subscriber associated with virtually any cellular phone number, raising serious privacy and security concerns for customers of all of the major mobile providers. The research builds upon earlier work on geolocation of GSM handsets and exposes a number of fundamental weaknesses in the architecture of mobile providers' networks. However, these are not software or hardware vulnerabilities that can be patched or mitigated with workarounds. Rather, they are features and functionality built into the networks and back-end systems that Bailey and DePetrillo have found ways to abuse in order to discover information that most cell users assume is private and known only to the cell provider."

19 of 119 comments

  1. Cue the standard industry response in 321.... by ravenspear · · Score: 5, Insightful

    Our attorneys will be contacting you shortly for exposing these methods and invalidating our security through obscurity SOP.

    Because you just couldn't allow these methods to remain hidden, you are now responsible for any attacks that take place as a result.

    We take our customers' security very seriously. As an example, we've ensured these holes have stayed well hidden. Now, you've ruined that. You idiot.

    1. Re:Cue the standard industry response in 321.... by poetmatt · · Score: 3, Interesting

      Sadly, I could absolutely agree that such a message is very likely.

      I love how all of it hides the fact that if this is public information, obviously the government and other groups which people are concerned even more about, know this information as well.

    2. Re:Cue the standard industry response in 321.... by sznupi · · Score: 3, Informative

      Or it was one of the compromises, hidden...remember, some countries participating in the creation of GSM wanted it to be more safe, some wanted less safety.

      Anyway, at least one part of what TFS says is obviously bullshit - my network doesn't even know my name (prepaid in a place where registration is not required...so nobody does it; not because of some paranoia but because it's the most straightforward thing to (not) do)

      --
      One that hath name thou can not otter
    3. Re:Cue the standard industry response in 321.... by sznupi · · Score: 2, Informative

      That would be paranoia for you right there... And not something simply under "name" position in mobile carrier profile.

      BTW, as is typical you missed the most straightforward method...tracing web of contacts. A phone is usually used to communicate with people, you know.

      --
      One that hath name thou can not otter
  2. Sounds like a lot of BS by kju · · Score: 3, Informative

    The article does not sound credible but like a lot of Bullshit. For example they claim that they are able to look up the customer name for a given mobile number ("also find the name of the subscriber associated with virtually any cellular phone number"). But they don't explain how they do this. The article just states: "At the heart of the work the pair did is their ability to access the caller ID database mobile providers use to match the names of subscribers to mobile numbers." Then they claim: "This is the same database that contains the subscriber information for landlines", which is simply untrue for many mobile operators who do not even operate landlines.

    They somewhat suggest that the database in question is the Home Location Register HLR ("Once they accessed the database, known as the Home Location Register (HLR),"), but as you can easily look up, the HLR does NOT contain the name of a subscriber: http://en.wikipedia.org/wiki/Network_switching_subsystem#Home_Location_Register_.28HLR.29

    Now there might be networks where you can look up the name of a customer given the number, but this is not standard, so claiming they can find the subscriber for "virtually any cellular phone number" is just BS on a great scale. The whole article is loads of gibberish making not much sense. I don't believe any of their sensational claims.

    1. Re:Sounds like a lot of BS by kju · · Score: 4, Informative

      So what? The claims are still untrue for at least most GSM networks in the world. This is not FUD but a fact.

      The HLR can not be used to look up the name of a subscriber. Also while the HLR can be queried by operators around the world (as this is needed for roaming), they query it by using the IMSI of the SIM-Card. Wikipedia claims that the MSISDN is another lookup key, but there is no need to make a lookup by MSISDN possible to other operators. When they handle a roaming customer, all they have is their IMSI and they use this to contact the HLR of the operator in charge.

      So STFU.

    2. Re:Sounds like a lot of BS by religious+freak · · Score: 2, Informative

      Well, I didn't read this article, but I did read the article LAST week when /. posted this same story. My understanding was these folks spoof the number in question and use that to access 'xyz' database with the name info. Once you've got the name and phone number info, you can use the small European telcos to use the location service and determine roughly where someone is.

      It all makes total sense to me, and as a tech person is actually one of those things I figured was probably the case (the routing protocol HAS to know where to send the phone call, and your phone must poll every once in a while to let the service know where it is), but like much in this modern age, I gave a big, huge meh to it. I feel fortunate enough to just understand how this crap can screw you, unlike my non-tech friends who are either completely ignorant or completely paranoid.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    3. Re:Sounds like a lot of BS by kju · · Score: 2, Insightful

      Actually it's pretty clear in other articles (and this one) that it's just the CallerID database that they're using to get the Cell numbers and the person associated with the cell number.

      Their sensational claim is that they are able to "also find the name of the subscriber associated with virtually any cellular phone number". This is a strong claim and it is a false one. They can find the name of the subscriber if such a CallerID database exists for the network in question and is available for access. This is simply not the case for many many networks around the world, so they are far from being able to do this for "virtually any cellular phone number". Also it is not very surprising that you can make a lookup if such a lookup service is available.

    4. Re:Sounds like a lot of BS by kju · · Score: 4, Informative

      Why I have such a big problem with this? Because the article makes the reader believe that this is a problem for any GSM user around the world, while it is apparently restricted to countries/networks where such an accessible database exists. The title of the slashdot article also claims "All GSM Phone" which is untrue given this additional information.

  3. I Have AT&T - Joke's On Them by sexconker · · Score: 5, Funny

    My network isn't vulnerable because it's never fucking working.

  4. Re:Scary shit by bugi · · Score: 5, Insightful

    Raise your hand if you think this wasn't already known to and in use by one or more government agencies.

  5. Obviously *someone* has to know this stuff by DutchUncle · · Score: 4, Interesting

    >>>This is a correlation that most mobile subscribers think isn't possible because there isn't a public white pages directory of mobile numbers.

    I think even the average user understands that the providers have and share such information to manage calls themselves, whether or not it's easily available. And security through obscurity that worked just fine in a landline-only era is wide open when you can listen to the challenge-response over the air. The only question is why anyone other than a telco can get to the databases; OTOH since anyone can be a telco nowadays, that wouldn't help much.

    This does demonstrate how a difference of degree becomes a difference of kind, as is so often the case with data mining. When there was noticeable cost to get each piece of information and/or to correlate one set of information against another, it was only worthwhile for a targeted attack. Now when one can get millions of pieces of information and correlate them with minimal effort, scattershot attacks are economically productive. It was never worthwhile to just dial numbers sequentially, because you had to pay living people to do it, until robodialers were created (and permitted to be attached to the phone lines); then suddenly it became an industry.

  6. Re:I told you they've been tracking me by Monkeedude1212 · · Score: 5, Insightful

    Let this be a lesson to all you would-be "in-the-know"ers out there. Tin foil hats do not cut it anymore. As soon as that became public knowledge, they started putting carbon-nano-fiber-tube-microphones inside any and all newly manufactured tin foil. Here is what you have to do:

    Step 1: Throw away your cell phone. That thing is useless.

    Step 2: Steal a friend's cell phone. Put tape over any cameras, and take out the battery, and for good measure, disassemble the audio input.

    Step 3: Grab a Pickaxe if you have one, but if not, don't sweat it. Don't go out and buy one, that will only leave a trail for them to find you.

    Step 4: Start driving to the mountains. Your newly acquired cell phone will let you know once you are out of the 3G network, secretly known as the Government Geological Guidance network. They will think it is your friend visiting the mountains. Only then will you know that they cannot track you.

    Step 5: If you don't have a pickaxe, fashion one out of stone and wood. Start mining. Keep going until you get a rather large amount of Nickel. You can go into town to eat and make shipments of nickel. You'll need about 1.6 KG if you're about 6 feet tall.

    Step 6: Go and take your nickel to the local blacksmith. He can be trusted, he didn't upgrade like the rest of the world. Have him help you smelt the Nickel. Submerge yourself in liquid Nickel in order to create a faraday cage around yourself.

    And there you go, they won't be able to track you anymore.

  7. Re:Wasn't it a GSM provider in the US requiring SS by tgd · · Score: 2, Informative

    How in the world did you get from "here's how caller ID maps numbers to name" to "they're transmitting SSNs over the network"?

    "Insightful"? Did the moderators not read the story either?

  8. Re:Scary shit by PPH · · Score: 3, Funny

    Sorry. My hand is busy at the moment.

    By government agencies, you mean both domestic and foreign. Right? If you think the Russians, Chinese, and North Koreans don't have a complete and up to date list of all cell phones that regularly contact certain towers in Langley, Virginia, please turn in your low Slashdot UIDs.

    --
    Have gnu, will travel.
  9. Re:Wasn't it a GSM provider in the US requiring SS by AndrewNeo · · Score: 4, Funny

    You must be ne..

    tgd (2822)

    Er. You must not come around very often.

  10. Re:GSM != iDEN by Christophotron · · Score: 3, Informative

    The Nextel portion of Sprint is actually GSM.

    Wrong again.. Nextel is actually iDEN, which is yet another different technology that happens to use a SIM card. Having a SIM card does not make it GSM.

  11. Re:I told you they've been tracking me by $RANDOMLUSER · · Score: 2, Funny

    I'm not trying to be funny, I'm trying to warn everyone about the real danger that Goo

    ^%$&^#$&^%$&^% NO CARRIER

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  12. Re:CDMA by matty619 · · Score: 2, Informative

    In my experience, 3G GSM phones don't do the crazy speaker thing you speak of.