February 05, 2006

Threatwatch - tracking you, tracking me, tracking us all

We all know that cell-phones have been trackable to the tower point quite trivially, and even beyond that if the operator deigns to do some triangulation. That's how they - allegedly - tracked the London bomber through Italy.

But I admit to being surprised that the telco operators would *sell* this information. I suppose it is obvious, in hindsight, but what cojones!

I unplugged her phone and took it upstairs to register it on a website I had been told about. It looks as if the service is mainly for tracking stock and staff movements: the Guardian, rather sensibly, doesn't want me to tell you any more than that. I ticked the website's terms and conditions without reading them, put in my debit card details, and bought 25 GSM Credits for £5 plusvat.

Almost immediately, my girlfriend's phone vibrated with a new text message. "Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with 'LOCATE'". I sent the requested reply. The phone vibrated again. A second text arrived: "WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you." I deleted both these text messages.

On the website, I see the familiar number in my list of "GSM devices" and I click "locate". A map appears of the area in which we live, with a person-shaped blob in the middle, roughly 100 yards from our home. The phone doesn't go off at all. There is no trace of what I'm doing on her phone. I can't quite believe my eyes: I knew that the police could do this, and telecommunications companies, but not any old random person with five minutes access to someone else's phone. I can't find anything in her mobile that could possibly let her know that I'm checking her location. As devious systems go, it's foolproof. I set up the website to track her at regular intervals, take a snapshot of her whereabouts automatically, every half hour, and plot her path on the map, so that I can view it at my leisure. It felt, I have to say, exceedingly wrong.

Well, that basically means we all now have the tracking devices that we all were scared off. Never mind the bluster about warning messages, somehow we all slipped into the tracking society without even knowing it.

The tracking threat meter is now pegged hard ON. The response is likely to be IP telephony with bluetooth/802.11 bridging into the open network. Not because of the eavesdropping - that old silly worry about encryption - but because of the location searching. Eavesdropping is not an economic threat to most people most of the time, but tracking is. Tracking location can be used years afterwards, whereas nobody on the planet except the NSA has time to listen to 1000's of hours of chit chat with the spouse.

Meanwhile something that didn't surprise me was the Greek Prime Minister's affair:

Athens - Mobile phones belonging to top Greek military and government officials — including the Prime Minister — and the U.S. embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games, the government said Thursday. .... Mr. Roussopoulos said the surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets. Calls were then diverted to mobile phones using pay-as-you-go services, which are difficult to trace.

So, someone connected into the switches and installed some diverts or conference shares. Cunningly, they diverted the conference sharing to pre-paid mobiles which were probably hacked to record.

Now, my experience in telcos doesn't go very far, having only worked twice for them, and then only peripherally to switches. But here's what I recall, FWIW (please, anyone with more uptodate info, chime in!) :

Switches have very basic security. They are all digital, these days. They are all centrally manageable. And the source code is secret. e.g., it's almost as bad as windows - you google around, download a few docs and programs, hack in and you're in. The only reason this is unknown is because switches just aren't that interesting. (Waddya gonna do - divert your mother's few phone calls? Download Paris Hilton's billing records? Roight... Phone phreaking disappeared the minute Internet came along because the net was more fun.)

Better, or worse, the security departments work hand in glove with the national authorities. The switches are after all built by very big companies, almost always "national champions." They are generally sold to other very big companies, who all used to be national champions back in the good old days, but these days are more likely to be wannabe champions with the same mindset.

So I would conclude that this is in the "of course" basket. Of course you - anyone - can do this, the challenge would be to show that you couldn't. More apropos would be to ask if this sort of capability is built into Cisco routers. Just in the "China specials" or all of them?

Cisco also released a statement recently aimed at dispelling the persistent rumor that it sold China custom hardware designed to make censorship simple. The company, it says , "has not designed or marketed products for any government to censor Internet content." Reporters without Borders disagrees - and they were the ones who had the Congressional ear today.

Or, to ask what the Greek counter-intelligence people are up to - what were they doing all these years letting their assets use unprotected mobile phones over unprotected and wide-open commercial telco networks? How dumb is that?

The list of about 100 people whose telephones were tapped included the ministers of foreign affairs, defence, public order and justice. Most of Greece's top military and police officers were also targeted, as were foreign ministry officials, a US embassy number and the prime minister's wife, Natasha.

My advise - if Natasha divorces the PM, she should name the chief of counter-intelligence agencies in the filing.

Greece reveals cellphone tap spy scandal
Thursday, February 2, 2006 Posted at 7:35 PM EST
Associated Press
Athens - Mobile phones belonging to top Greek military and government officials — including the Prime Minister — and the U.S. embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games, the government said Thursday.
It was not known who was responsible for the taps, which numbered about 100 and included Greek Prime Minister Costas Caramanlis and his wife, and the ministers of foreign affairs, defence, public order and justice. Most of Greece's top military and police officers were also targeted, as were foreign ministry officials and a U.S. embassy number. Also tapped were some journalists and human rights activists.
The phone tapping “started before the 2004 Olympic Games and probably continued until March 2005, when it was discovered,” government spokesman Theodoros Roussopoulos said at a news conference.
Mr. Roussopoulos said it had not been possible to identify who was behind the tapping.

“It was an unknown individual, or individuals, who used high technology,” he said.
Mr. Roussopoulos said the surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets.
Calls were then diverted to mobile phones using pay-as-you-go services, which are difficult to trace.
An investigation showed that these mobiles had been used in a central Athens area where many foreign embassies are located, though Mr. Roussopoulos refused to speculate on whether foreign agencies might be involved.
“I estimate that no harm was caused to our national issues,” Mr. Roussopoulos said. “The prime minister does not just use one mobile phone.”
He said the government first heard of the tapping in March 2005, when it was tipped off by Vodafone Greece CEO Giorgos Koronias.
Vodafone — one of the country's four mobile telephony providers — discovered the tapping after receiving complaints from customers over problems operating their phones.
Mr. Koronias issued a statement saying the company removed the spyware immediately after it was located, and informed the competent state authorities.
Athens prosecutor Dimitris Papangelopoulos brought misdemeanor charges of breaching the privacy of phone calls against “unknown persons” earlier Thursday, the Justice Minister said.
The prosecutor will also investigate whether there are grounds for bringing criminal charges of espionage, the Minister said.
The government pledged the inquiry would be full and fair.

Posted by iang at February 5, 2006 08:49 AM | TrackBack

Apologies if this comment duplicates.

With respect to the system detailed in the Guardian article, the vendor should tweak it so that it sends a warning text to the phone owner at random periods say twice an hour. That would be irritating but bearable to someone who agrees to be tracked and would stop it being used for nefarious purposes.

Posted by: Jane Adams at February 5, 2006 02:03 PM


finally found it with google...


Still, technology marches on. If you ask us, the real future
is in *massively parallel peer-to-peer* elves. Take FLEET
ONLINE. This Dutch business-oriented service was introduced
a month ago to the UK. It's a pay-as-you-go site that lets
companies instantly locate their employees' mobile phones,
to a granularity of the nearest cell (ie 50m in urban
areas). Positioning costs 25p a shot. Here's the real
gimmick, though: you can sign up yourself, and then add any
mobile phone you'd like to be geolocated. Oh sure, your
victim will get an initial "Do you want to be tracked?"
opt-in message, and then another in two weeks. But think of
all the phones you can get physical access to long enough to
say yes to that original text. Friends! Spouses! Potential
stalking fodder! And what you could do in two weeks.
Supposing you're a burgling elf: you could nick that phone,
sign it up, give it back, find out where they live via the
geolocator. And then *find out when they're out*! It's a
RISKS Digest all of its own!

Posted by: fm at February 5, 2006 02:20 PM

oh and Google ads also gave:




Posted by: fm at February 5, 2006 02:20 PM

Since the services all charge per sms transaction for low volume usage - I see it as somewhat Utopian to expect them to do two transactions an hour just in case their customers are either unaware of what they, or their employers, have signed up to.

The onus should be on the employer to inform employees what they are doing rather than the service provider.

If you are using if for say tracking your kids, aged granny etc do you really want the kidnapper alerted to the fact that they have a tracking device within 15 mins of them disappearing? Would within 60 minutes be an acceptable risk or would you rather you could find them before the police got around to taking their absence seriously?

This is not a new risk - it has been around since May 2003, if you leave your phone unattended you run many risks, not including being geolocated by the state, which has been able to do it for a while.

So why is this the service comany's problem? This is a competitive market space - it is price sensitive, so no company is going to load their cost base by accusing customers of using them for illegal or immoral purposes.

If you really want to stop it happening get the phone companies to stop selling your data to other commercial operators without more consent than you acknowledging a text sms.


Posted by: fm at February 5, 2006 04:05 PM

Meanwhile, this was seen elsewhere:

Members of the US House of Representatives promised yesterday that they would "take fast action" to outlaw sales of telephone and mobile phone logs to third parties. This call to action comes in the wake of multiple media stories on phone log sales.


There is another aspect of the whole issue to consider. Science-fiction author David Brin has written that "Privacy is over. Get over it." He argues that our society actually has more to gain by the loss of privacy, as long as the information is made available to everybody, and not just an elite few. Are we ready for a world in which everything you do can be known by anyone who cares to find out? Some would say we are already there.

Copyright ¿ 1998-2005 Ars Technica, LLC

Posted by: Iang at February 6, 2006 04:30 AM

World Tracker turns anyone into a cellphone spy
Posted Jan 20th 2006 3:10PM by Marc Perton

Forget those piddly wiretaps. The next frontier in warrant-free surveillance is upon us, and it's open to everyone. A UK service called World Tracker apparently uses cell tower data (or GPS, when available) to track the location of just about any GSM cellphone. Just enter the number you want to track into the service's handy Google Maps-based interface, and you'll be able to zoom in on the device's location, with accuracy somewhere between 50 and 500 meters. The first time you try to track a phone, a text message is sent to the owner, who must reply in order to enable tracking (we'll leave it to you to figure out how to work around this if you need to track a spouse, kid or employee). The service is currently compatible with O2, Vodafone, Orange and T-Mobile in the UK, and has plans to expand to other markets including Germany, Spain, Norway and the US. If, that is, privacy advocates don't shut it down first.

All contents copyright ¿ 2005, Weblogs, Inc.

Posted by: World Tracker at February 7, 2006 05:03 AM

Peter Gutmann writes over on cryptography:

"Steven M. Bellovin" writes:

>>What makes this interesting is how it was done: software was installed on the
>>switch that diverted calls to a prepaid phone. Think about who could manage

Just in case people think the answer is "The MIB", it's actually "Any kid with a bit of technical knowledge". Susan Dreyfus' book "Underground", for example, documents hackers playing around inside cellular phone switches in Europe. So although the target list looks like a typical intelligence agency hitlist, it could also have been done by a joyriding teenager interested in listening in on what politicians, the military, and journalists were saying and hearing.

(Yes, I know the evidence points at the MIB, but that doesn't automatically mean it was them).


Posted by: The MIB recommends... at February 8, 2006 12:09 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.