BOSTON -- One of the most anticipated talks at SOURCE Boston 2010 Wednesday did not disappoint as two security researchers revealed how they were able to correlate enough data on mobile phone users to track their locations, listen in on voicemail and build a database equivalent to a white pages for cellphones.
The consequences of such cellphone vulnerabilities are numerous for enterprises and even national security: this kind of reconnaissance, social engineering and manipulation of the GSM mobile telephony standard could enable corporate espionage or criminal activity against celebrities or political figures.
"The average hacker out there can do this; that's the scary thing," said Don Bailey, a security consultant at San Francisco, Calif.-based iSec Partners Inc. "People can get far more creative than us and can leverage this information in far more dangerous ways."
Bailey, along with independent researcher Nick DePetrillo, exposed weaknesses in how mobile networks are architected. In particular, they were able to query the Home Location Register (HLR), the subscriber database in a GSM carrier's network, to match a phone number with the mobile provider that serves it. The HLR stores the international mobile subscriber identity (IMSI) that is tied to the SIM card in every GSM cellphone. Hacker Tobias Engel had presented on HLR lookups at the recent Chaos Communication Congress, and his work was the basis for some of what Bailey and DePetrillo did here. From the data the database returned, the pair were able to identify mobile users and could have mounted targeted attacks based on known vulnerabilities in those providers' networks.
From there they set their sights on geolocation data and, using the HLR and tools they developed, were able to track a mobile phone's whereabouts and map the user's relationships based on the locations visited and the times of day spent in them.
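To make the two preceding steps concrete (identifying a number's home operator from the IMSI, then deriving a coarse location from where the subscriber is currently served), here is an added example that is not the tools Bailey and DePetrillo built and is not code from the talk. It assumes a lookup service that returns, for a queried number, the IMSI and the E.164 number of the serving switch (MSC/VLR); the `msisdn;imsi;msc` record format, the operator and country-code tables, and all sample records are constructed for illustration.

```python
"""Profile a subscriber from a constructed HLR-lookup record.

Added example, not the researchers' tooling.  Assumptions: a lookup returns
the IMSI and the serving MSC/VLR number; the record format 'msisdn;imsi;msc'
and the small lookup tables below are constructed and illustrative only.
"""
from dataclasses import dataclass

# Constructed subset of MCC/MNC -> (ISO country, operator).  A real table
# (ITU-T E.212 / mcc-mnc lists) has thousands of rows.
OPERATORS = {
    ("310", "260"): ("US", "T-Mobile USA"),
    ("310", "410"): ("US", "AT&T Mobility"),
    ("262", "01"): ("DE", "Telekom Deutschland"),
    ("234", "15"): ("GB", "Vodafone UK"),
}

# Constructed subset of E.164 country codes; "1" covers the whole NANP,
# so it maps to more than one ISO country.  Longest prefix wins.
COUNTRY_CODES = {"1": ("US", "CA"), "44": ("GB",), "49": ("DE",), "33": ("FR",)}


@dataclass
class HlrRecord:
    msisdn: str  # queried number, E.164 digits without '+'
    imsi: str    # 15-digit international mobile subscriber identity
    msc: str     # serving MSC/VLR global title, E.164 digits without '+'


def parse_hlr_line(line: str) -> HlrRecord:
    """Parse one 'msisdn;imsi;msc' record (constructed format)."""
    fields = line.strip().split(";")
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    msisdn, imsi, msc = fields
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError(f"malformed IMSI {imsi!r}")
    if not (msc.isdigit() and msisdn.isdigit()):
        raise ValueError("MSISDN and MSC must be E.164 digit strings")
    return HlrRecord(msisdn, imsi, msc)


def split_imsi(imsi: str) -> tuple:
    """Return (mcc, mnc, msin).

    The MNC is 2 or 3 digits and the IMSI itself does not say which, so
    try the known table first; otherwise fall back on the heuristic that
    North American MCCs (3xx) use 3-digit MNCs and most others use 2.
    """
    mcc = imsi[:3]
    for n in (3, 2):
        if (mcc, imsi[3:3 + n]) in OPERATORS:
            return mcc, imsi[3:3 + n], imsi[3 + n:]
    n = 3 if mcc.startswith("3") else 2  # heuristic, see docstring
    return mcc, imsi[3:3 + n], imsi[3 + n:]


def home_operator(imsi: str) -> tuple:
    """(ISO country, operator name) for the SIM's home network."""
    mcc, mnc, _ = split_imsi(imsi)
    return OPERATORS.get((mcc, mnc), ("??", f"unknown MCC {mcc} MNC {mnc}"))


def serving_countries(msc: str) -> tuple:
    """Countries the serving switch's number could belong to (coarse location)."""
    for n in (3, 2, 1):
        if msc[:n] in COUNTRY_CODES:
            return COUNTRY_CODES[msc[:n]]
    return ()


def profile_record(line: str) -> dict:
    """Combine operator identification and coarse location for one record."""
    rec = parse_hlr_line(line)
    home_cc, operator = home_operator(rec.imsi)
    served = serving_countries(rec.msc)
    return {
        "msisdn": rec.msisdn,
        "home_country": home_cc,
        "operator": operator,
        "serving_countries": served,
        # None when the MSC prefix is not in our table; True when the
        # subscriber is being served outside the home country.
        "roaming": (home_cc not in served) if served else None,
    }


if __name__ == "__main__":
    # Constructed sample records (numbers are fictional).
    for sample in (
        "15555550100;310260123456789;12125550199",    # US subscriber, served in NANP
        "447700900123;234159876543210;4917712345678",  # UK subscriber, served in DE
    ):
        print(profile_record(sample))
```

The point of the MCC/MNC split is the edge case the article glosses over: a raw IMSI does not carry the MNC length, so a naive fixed-width slice misidentifies carriers; the table-first, heuristic-second approach above handles the common cases and labels the rest unknown rather than guessing an operator.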
"You can infer what set of towers a subscriber will land on and where the towers are in relation to the attacker and potential locations for a target handset," DePetrillo said. "The more intelligence you can get about an environment, the better the attack is."
Bailey and DePetrillo said they were also able to reach voicemail messages using HLR data and a service known as SlyDial, which places two calls to a single number: the first is dropped before it is answered and keeps the line busy, so the second goes straight to voicemail. Voicemail systems at certain providers trust the caller ID of the incoming call, so an attacker who spoofs the target's own number can listen to the mailbox without a PIN and collect the numbers of those who left messages. The whole process is then repeated against those numbers, adding to the attackers' intelligence about a target and the people around them.
"It turns into a nice, big private intelligence-gathering operation," DePetrillo said. "You can use this for social engineering and profiling, opportunistic espionage based on pattern analysis, or information gathering on individuals that allows you to ascertain relationships about them, their families, co-workers and company executives."