Researchers Hijack Cell Phone Data, GSM Locations

A pair of security researchers has discovered a number of new attack vectors that give them the ability to not only locate any GSM mobile handset anywhere in the world, but also find the name of the subscriber associated with virtually any cellular phone number, raising serious privacy and security concerns for customers of all of the major mobile providers.


The research, which Don Bailey of iSec Partners and independent security researcher Nick DePetrillo will present at the SOURCE conference in Boston today, builds upon earlier work on geolocation of GSM handsets and exposes a number of fundamental weaknesses in the architecture of mobile providers’ networks. However, these are not software or hardware vulnerabilities that can be patched or mitigated with workarounds. Rather, they are features and functionality built into the networks and back-end systems that Bailey and DePetrillo have found ways to abuse in order to discover information that most cell users assume is private and known only to the cell provider.

“I haven’t seen anything out there anywhere on this. Who owns a cell number isn’t private,” DePetrillo said. “If you go through entire number ranges and blocks, you’ll get numbers for celebrities, executives, anyone. You can then track them easily using the geolocation information.”

At the heart of the work the pair did is their ability to access the caller ID database mobile providers use to match the names of subscribers to mobile numbers. This is the same database that contains the subscriber information for landlines, but most mobile users don’t realize that their data is entered into this repository, Bailey said.

“A lot of this isn’t terribly secret, but it’s not that well-known,” Bailey said. “To find information on users, that was our goal. These pieces of information come from all over. The caller ID database provides a lot of information about people and companies. One thing we found is that we could go through the provider network in a given city and determine which numbers have been allocated to a given company. Using that information, you can leverage some of our attacks and target specific handsets owned by company executives.”

A bill that would make caller ID spoofing illegal passed the House of Representatives just last week, but Bailey said the change would not affect their attacks because they’re not using the spoofing techniques for anything illegal or deceptive.

By querying a second database, the Home Location Register (HLR) that each GSM operator maintains to route calls to its subscribers, the researchers were able to determine which mobile provider a given subscriber uses, and then combine that with the caller ID data, giving them a profile of the subscriber. This is a correlation that most mobile subscribers think isn’t possible because there isn’t a public white pages directory of mobile numbers. Using that information, Bailey and DePetrillo have the ability to tailor specific attacks to the user’s handset.

For example, during their research, Bailey and DePetrillo scanned a number block in Washington, D.C., and identified a large block of numbers allocated to a defense contractor. They pulled the HLR record for one of the numbers and found that the company was using T-Mobile. Using that information, they could select specific attacks that they know work on the T-Mobile network and direct them against the contractor’s handsets, if they chose.  

“There are different models for each provider because they expose APIs in different ways and peer with one another in different ways,” Bailey said. “If I know who peers with whom, and I can spoof that traffic to one of their peers, I know I’ll have a higher success rate.”

Once they had the ability to match names with numbers, Bailey and DePetrillo combined that information with an existing technique for dialing a mobile number and being connected directly to the handset’s voice mail rather than having it ring the phone. They can spoof someone’s mobile number, dial that same number using this dialing technique, and in many cases a call to a handset from that handset’s number that goes to voice mail will bypass the voice-mail authentication mechanism.  

From there, the researchers could dump the handset’s voice mail messages, including the mobile numbers of the callers, which they could then use to identify the numbers’ owners. This technique can then be extended to each of those mobile subscribers, and so on, creating an ever-expanding network of users. The researchers can use the geolocation data they have to then track the movements of the members of this network of users, gaining information on their habits, relationships and call patterns. This could provide valuable data on the users’ personal and professional activities.

Bailey and DePetrillo said that the mobile providers are aware of their research, but there’s not much they can do about it.

“They can do little if anything about this,” Bailey said. “The providers can stop putting subscriber information into the database, but it’s not likely. The providers might be making money in other ways from it. They may not want to get rid of it. They can’t restrict it much. The HLR is just part of the GSM and telephony protocols as a whole. The information is exported worldwide. If you have access to the network, you can see it anywhere.”


Discussion

  • Anonymous on

    How exactly did they get access to the HLR? These aren't publicly accessible AFAIK...

  • Mark Petersen on

    Well, the problem is the Telecom sector has been blindly protected by their closed network.
    Now that they are starting to find out that security must be taken seriously, at least the law is now pointing them in the right direction.

    When you look at it, preventing spoofing is a shared task, but relatively simple:
    you just have to validate that the A number belongs to the caller's account; you have the information already for matching the B number on incoming calls.

    If all the providers do this, spoofing is then virtually impossible, and would require the help of a rogue TSP.

  • Reow on

    Correct me if I'm wrong, but they only have access to the US' HLR, hence far from the ability to "locate any GSM mobile handset anywhere in the world".

  • Jason on

    The HLR is pretty much publicly accessible.  It needs to be in order to route calls.  So, all you need is a connection to a GSM clearing house, and you're good to go.  As evidenced by the amount of SMS spam with fake carrier information in it, it's pretty easy to get access.

  • /me on

    Surely there'd be some way to honour the "need to know" restriction?  Or layering a set of "need to know" restrictions in the directory?

  • Theodore on

    This is like having authorized access to a bank account database and saying that there is a major flow in the bank system.

  • Anonymous on

    Gee, you just have to wonder if the NSA is already doing the kind of tracking described here

  • Anonymous on

    10:54am: no you don't have to wonder if the NSA is doing this, of course they are!

  • Anonymous on

    There's nothing new. Most of the events that happen in the GSM network require the use of the HLR. Before every mobile terminated call is set up, the switch that serves the originating party has to perform an HLR enquiry to locate and set up a path to the terminating party's switch. All signalling exchange is done over an unencrypted connection, but also over a mobile provider private network (mostly wired). As for determining the provider: each and every mobile subscriber has a SIM card inside the mobile with an IMSI number (International Mobile Subscriber Identity) associated with it and stored on the SIM. In particular cases this number can be sent over the air to the base station. The IMSI consists of 15 digits; the first three are the Mobile Country Code (MCC), the next two (sometimes three) are the Mobile Network Code (MNC). See Wikipedia for a detailed list. Knowing the IMSI number, it is not hard to determine which mobile provider it belongs to.
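The IMSI-to-provider mapping described in the last comment above, worked through as an added example (this is editor-supplied code, not part of the article, the researchers' work, or any comment). The MCC/MNC split follows ITU-T E.212: the first three digits are the MCC, and the MNC is two or three digits depending on the country. The set of MCCs that use three-digit MNCs and the small country/operator tables are illustrative excerpts constructed for this example, not a complete or authoritative list; the sample IMSIs are likewise constructed.

```python
"""Split a 15-digit GSM IMSI into MCC / MNC / MSIN and map it to an operator.

Editor-added example. The lookup tables are illustrative excerpts only;
consult the current ITU-T E.212 list before relying on any entry.
"""
import re

# Assumption for this example: MCCs whose MNCs are three digits long.
# North America (MCC 310-316) uses 3-digit MNCs; most other countries use 2.
THREE_DIGIT_MNC_MCCS = {str(m) for m in range(310, 317)}

# Constructed excerpts for the example (verify against ITU-T E.212).
MCC_COUNTRY = {"310": "US", "262": "DE", "234": "GB"}
OPERATORS = {
    ("310", "260"): "T-Mobile USA",
    ("310", "410"): "AT&T Mobility",
    ("262", "01"): "Telekom Deutschland",
    ("234", "15"): "Vodafone UK",
}

IMSI_RE = re.compile(r"^\d{15}$")


def parse_imsi(imsi):
    """Return (mcc, mnc, msin) for a well-formed IMSI, else raise ValueError.

    The MNC length is decided by the MCC, so a single fixed slice would
    mis-parse IMSIs from countries that use the other length.
    """
    if not isinstance(imsi, str) or not IMSI_RE.match(imsi):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    mnc = imsi[3:3 + mnc_len]
    msin = imsi[3 + mnc_len:]  # subscriber-specific part; sensitive
    return mcc, mnc, msin


def identify_provider(imsi):
    """Map an IMSI to its country and operator using only the MCC/MNC prefix."""
    mcc, mnc, _msin = parse_imsi(imsi)
    return {
        "mcc": mcc,
        "mnc": mnc,
        "country": MCC_COUNTRY.get(mcc, "unknown"),
        "operator": OPERATORS.get((mcc, mnc), "unknown"),
    }


def redact_imsi(imsi):
    """Keep the network prefix, mask the MSIN; safe form for logs and tickets."""
    mcc, mnc, msin = parse_imsi(imsi)
    return mcc + mnc + "*" * len(msin)


if __name__ == "__main__":
    # Constructed sample IMSIs, not real subscribers.
    for sample in ("310260123456789", "262011234567890", "999991234567890"):
        print(redact_imsi(sample), identify_provider(sample))
```

Only the MCC/MNC prefix is needed to learn the operator; the MSIN is what identifies the individual subscriber, which is why `redact_imsi` keeps the prefix and masks the rest before anything is written to a log.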
