Recently, a whole host of sites have been appearing which allow you to trace a mobile phone, with the owner's permission of course. These sites are aimed at parents who want to be able to locate their children if they become lost, go down the pub during school lunch break, etc. These companies obviously pay a shit load of money to O2, Vodafone, Orange, etc. to get a 'back door' into their GSM networks, so they can use triangulation from base stations to locate phones.
Anyhow, this got me thinking, with security in mind. Is it possible to abuse this? If you didn't require the owner's consent to locate their phone then that would be a pretty serious security issue, not to mention a total lack of privacy.
I was curious about the whole logic behind the process of 'registering' a mobile phone. Obviously a parent would grab her child's phone, register on the website, add the phone, type in some sort of random PIN (or confirmation number) that was displayed/sent to confirm consent, and job done. That's how things are done normally.
What I'm interested in is the random PIN (or confirmation number) - and more importantly, by what method is it sent? Is the number sent to the phone, which you must reply to in a text message quoting it, or is it displayed on the website, after which you write a text message quoting the number from your phone?
The way in which it is sent is of great importance, from an attack perspective.
If the random confirmation number is sent directly to the phone in the form of a text message, then as an attacker, the only way I can see that number is to have the phone in front of me. That's how it should be done, as not only does this method imply you have the phone in front of you, but there is additional security in having to reply from the phone too as confirmation (or consent).
Now, if the random confirmation number is displayed on the website after I choose to 'add a phone', then this has every opportunity to be attacked. "Please text '8872N110' to 85518 from your phone to confirm you wish this phone to be added." Now, is it just me or does anyone else see the security implications of this? You may not see it straight away, but what if I had the ability to spoof text messages? (see SMS spoofing article) Now do you see the problem?
If the confirmation number was sent via the first method (directly to the phone, which must be replied to), then there is no way as an attacker that I can see that number (or even reply) without having that phone in front of me. However, now that I have the confirmation number displayed on the website, combined with the ability to spoof text messages, it's all to play for. I can simply spoof a text message from my victim's number, input the relevant confirmation number, send it to the phone tracking website's number, and bop, my victim's phone is added. The phone tracking website assumes that because the text message originated from the victim's number, and also because it contains the random confirmation number, they now have consent to track it.
Mad stuff eh?
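To make the two designs concrete, here is an added example (a constructed model, not code from the original post or from any tracking service) that simulates both enrolment flows and the consent check behind them; the class names, the phone number and the "no-idea" guess are assumptions. It shows that when the code is displayed on the website, a reply whose sender header merely claims the victim's number satisfies the check, whereas a code delivered to the handset cannot be supplied by a forged header alone.

```python
import secrets

class Network:
    """Constructed model of SMS delivery: a body lands in the real handset's inbox,
    while the sender header on an inbound message is not authenticated."""
    def __init__(self):
        self.inbox = {}

    def deliver(self, phone, body):
        self.inbox.setdefault(phone, []).append(body)

class TrackingService:
    """Constructed model of the tracking site's consent check."""
    def __init__(self, network):
        self.network = network
        self.pending = {}      # confirmation code -> phone number being added
        self.enrolled = set()

    # Weak design: code shown in the browser, so whoever is at the browser learns it.
    def start_website_code(self, phone):
        code = secrets.token_hex(4)
        self.pending[code] = phone
        return code

    # Recommended design: code sent *to* the handset, never shown on the website.
    def start_phone_code(self, phone):
        code = secrets.token_hex(4)
        self.pending[code] = phone
        self.network.deliver(phone, code)

    # Both designs accept the same reply: known code + matching (unverified) sender.
    def receive_sms(self, msg):
        phone = self.pending.get(msg["body"])
        if phone is None or phone != msg["sender"]:
            return False
        del self.pending[msg["body"]]
        self.enrolled.add(phone)
        return True

def run_scenarios(victim="+447700900123"):
    net = Network()
    weak = TrackingService(net)
    code = weak.start_website_code(victim)      # visible to the browser user
    forged_ok = weak.receive_sms({"sender": victim, "body": code})
    strong = TrackingService(net)
    strong.start_phone_code(victim)             # visible only in the handset inbox
    guess_ok = strong.receive_sms({"sender": victim, "body": "no-idea"})
    owner_ok = strong.receive_sms({"sender": victim, "body": net.inbox[victim][-1]})
    return forged_ok, guess_ok, owner_ok       # (True, False, True)
```

The check itself is identical in both flows; the only thing the phone-delivered design changes is who can possibly know the code, which is exactly the property a forged sender header cannot fake.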