Cell Phone Spying Research May Force Policy Revisions
New research illustrating how attackers can uncover the geolocation of cellular phone users should prompt corporations to begin rethinking their approach to choosing cell phone providers.
At the Source Boston conference held April 21 to 23, Don Bailey, a security consultant with iSec Partners, and independent security researcher Nick DePetrillo demonstrated how to exploit weaknesses in the GSM infrastructure to pinpoint the location of a cell phone user as well as to break into voice mail and perform other acts likely to make security pros cringe.
"If you have just a normal cellular phone from a GSM provider, we've developed some techniques that allow us to determine [your location] down to pretty much what city ... you're located in right now, and we can track you as you move about the United States from city to city or state to state," DePetrillo said.
The presentation, which they said builds on findings by researcher Tobias Engel, has multiple stages. But perhaps the most interesting part involved using the HLR (Home Location Registry) -- a database of details about each mobile phone subscriber authorized to use the GSM core network -- to locate the MSC (mobile switching center) used by callers. MSCs are responsible for routing voice calls, SMS (Short Message Service) and other services.
By mapping the MSC numbers to caller ID information, attackers can get a general location of cell phone users as they move from place to place. Doing all this requires custom tools and an understanding of the GSM infrastructure, but is not out of reach for someone who knows how to program the tools necessary to do this en masse, Bailey said.
So what does this mean for your corporate policy? A couple of things; for starters, companies should request that providers hide caller ID information to prevent attackers from trolling the caller ID database for information associated with the company's phones, Bailey said.
"There are a lots of steps that can be taken simply by the CSO ... requesting the blocking of caller ID; second, ensuring that the provider you are going with does not leak location data; and, finally, ensuring that the provider you are going with does not allow specific provider-based attacks such as voice mail break-in," he said.
Some of the attacks the researchers uncovered are specific to certain providers, Bailey said without naming names. As a result, organizations should be sure to question providers to make certain they have protections in place against these attacks, he added.
"These provider-specific attacks such as voice mail penetration, SMS spoofing, SMS injection attacks, things of that nature, are all mitigatable," he said. "But typically they just are not due to the nature of some of these providers' networks."