A pair of security researchers has discovered a number of new attack vectors that give them the ability to not only locate any GSM mobile handset anywhere in the world, but also find the name of the subscriber associated with virtually any cellular phone number, raising serious privacy and security concerns for customers of all of the major mobile providers.
The research, which Don Bailey of iSec Partners and independent security researcher Nick DePetrillo will present at the SOURCE conference in Boston today, builds upon earlier work on geolocation of GSM handsets and exposes a number of fundamental weaknesses in the architecture of mobile providers' networks. However, these are not software or hardware vulnerabilities that can be patched or mitigated with workarounds. Rather, they are features and functionality built into the networks and back-end systems that Bailey and DePetrillo have found ways to abuse in order to discover information that most cell users assume is private and known only to the cell provider.
"I haven't seen anything out there anywhere on this. Who owns a cell number isn't private," DePetrillo said. "If you go through entire number ranges and blocks, you'll get numbers for celebrities, executives, anyone. You can then track them easily using the geolocation information."
At the heart of the work the pair did is their ability to access the caller ID database mobile providers use to match the names of subscribers to mobile numbers. This is the same database that contains the subscriber information for landlines, but most mobile users don't realize that their data is entered into this repository, Bailey said.
"A lot of this isn't terribly secret, but it's not that well-known," Bailey said. "To find information on users, that was our goal. These pieces of information come from all over. The caller ID database provides a lot of information about people and companies. One thing we found is that we could go through the provider network in a given city and determine which numbers have been allocated to a given company. Using that information, you can leverage some of our attacks and target specific handsets owned by company executives."
A bill that would make caller ID spoofing illegal passed the House of Representatives just last week, but Bailey said the change would not affect their attacks because they're not using the spoofing techniques for anything illegal or deceptive.
Once they have accessed the database, known as the Home Location Register (HLR), the researchers are able to determine which mobile provider a given subscriber uses, and then combine that with the caller ID data, giving them a profile of the subscriber. This is a correlation that most mobile subscribers assume isn't possible, because there is no public white pages directory of mobile numbers. Using that information, Bailey and DePetrillo have the ability to tailor specific attacks to the user's handset.
According to sources at the conference, DePetrillo said the following during their talk:
[The] White House should reconsider policy on personal cell phones on Air Force One.