Project Carmen Sandiego can track

down your cell phone and

your whereabouts

July 29, 2010 9:28 PM
Dean Takahashi
2

11

0

0

0

0
How can you leverage mobile to increase profitability for your company? Find out
at MobileBeat, VentureBeat's 7th annual event on the future of mobile, on July 8-9 in
San Francisco. There are only a few tickets left!

Be prepared to be scared about your cell phone privacy. Two security researchers
showed today how they can track down cell phone numbers, identify the person who
owns the phone, and then track the whereabouts of that person. And they can do it
with technology available to ordinary civilians.
That last part is the shocking part. Government investigators and police can do this.
But Don Bailey and Nick DePetrillo (pictured) showed they were able to do it by
collecting bits of information and then amassing them into a powerful tool that can
invade your privacy. They showed off working code and other proof from
ProjectCarmen Sandiego (named after a computer game where you tracked somebody
down as part of a geography lesson) at the Black Hat security conference today in Las
Vegas. (See our roundup of all Black Hat and Defcon stories).
This is intelligence gathering for civilians, said Bailey, speaking to a roomful of
security researchers and hackers. We can find out where you are, who you talk to,
where you are most vulnerable.
Bailey and DePetrillo joked that they could get actress Megan Foxs cell phone
number and sell it to the highest bidder. But they said the point of doing this isnt to
get the cell phone numbers of celebrities or executives like Apples Steve Jobs. They
wanted to show how security should be stepped up for cell phones and how
shockingly easy it is to do. If they could do it, they reasoned, then the bad guys with
evil intent have probably already figured out how to do it. In effect, Bailey and
DePetrillo said that they have enough information to put together a White Pages for
cell phones, with home numbers for everybodys cell phone.
Governments can pretty
much afford the technology to do this now. But ordinary civilians cant. One of the
tools they exploit is a central database called a Home Location Register, which
records the phone number of every SIM (subscriber identity module) authorized to
use the cell phone network based on the GSM (Global System for Mobile
communications) standard, which is the standard used in about 80 percent of the
worlds phones. You can access HLR data through various third-party resources,
Bailey said. You can cross reference that with Mobile Switching Center information
that determines where you are, generally.
That data tells the researchers what city the user is in. They reverse engineered this
data to get more information. In other countries, the MSC data has zip code data
embedded in it, making it much easier to find someones location. U.S. data isnt that
easy to figure out. But the researchers say that can take a given MSC number and find
out its location and its cell phone provider.
That information should be privileged, but it isnt, Bailey said. I shouldnt know
that you switched from AT&T to T-Mobile.
You can buy CallerID information from companies such as Targus, which gets data
from Verizon and other carriers. They add your name to the CallerID database with
phone number data. If you buy a cell phone in the U.S., your name will wind up in a
CallerID database. With this data, the researchers were able to reverse engineer the
data to create a White Pages for mobile phones, which means they can put a name to a
cell phone number. With the name and phone number together, the researchers can
assemble other information.
Its extremely easy to build your own database, DePetrillo said.
The databases are more expensive if you want to get the most current data, but older
data is cheaper, costing only 0.0024 cents per name looked up. One of the things they
can do with names is piece together who your co-workers are, because they will be
using company-purchased phones with similar phone numbers.
Some of the techniques
they use to glean information include backspoofing. But if you dont want to do that,
you can buy databases from Bulkcname.com for around $100 per 1,000 name
lookups. The researchers say they can get 10,000 names identified for just $30. You
can verify the data by cross referencing it with HLR data, which tells which carrier is
associated with certain phone numbers.
During the talk, the researchers showed slides of text that showed phone numbers,
names, locations and company affiliations. They can even make educated guesses
about which banks of phone numbers are assigned to prepaid phones, which are
phones bought at stores and can generally disguise their owners. The researchers say
they can pinpoint people 99 percent of the time. With Google, Facebook and other
tools, you can often then put a face to the name. You can find out if there are multiple
phone numbers associated with one person.
Our intent is to get people thinking about their actions and their vulnerabilities,
Bailey said. You can target people. You can locate private individuals. You can
locate groups of individuals. You can track where people are traveling. Thats a lot of
information. It can be scary.
Added DePetrillo, This is simple stuff to understand. I have information I shouldnt
have. I didnt do any crazy, insane hacker tricks. It requires very little intelligence.
From around the We