updated 2/22/2012 10:45:39 AM ET 2012-02-22T15:45:39

Using data put out by cellphone towers, a hacker could track the location of a phone to within a few city blocks, University of Minnesota researchers say.

GSM (Global System for Mobile Communications) cellular towers broadcast data to track, connect calls and more efficiently serve their customers. The researchers showed the other side of this ostensibly helpful general location tracking ; they were able to skim portions of that data to determine a person's physical location in a way cell providers never intended.

"With a combination of readily available hardware and open source software, we demonstrated practical location test attacks that include circumventing the temporary identifier designed to protect the identity of the end user," researchers Denis Foo Kune, John Koelndorfer, Nicholas Hopper and Yongdae Kim wrote in their paper, titled, "Location Leaks on the GSM Air Interface."

The researchers demonstrated their proof-of-concept exploit on the T-Mobile GSM network in the greater Minneapolis area. They showed how a hacker could intercept part of the signal sent to a person's phone when he or she receives a call. The hacker, they said, could remotely hang up a person's phone after the signal is sent out but before the phone rings, enabling the "passing adversary" to obtain the person's location.

"We show that although GSM was designed to attempt to obfuscate the identity of the end devices with temporary IDs, it is possible to map the phone number to its temporary ID," the researchers explained. They couldn't trace a phone's location to an exact building, they said, "but we can tell if the user is within a dozen city blocks."

Though it's only a proof-of-concept hack, the vulnerability could have serious consequences if it fell in the hands of malicious parties.

"The motivation for attackers to obtain pieces of location information of victims include anyone who would get an advantage from such data," the researchers wrote. "For example, agents from an oppressive regime may no longer require cooperation from reluctant service providers to determine if dissidents are at a protest location."

"Insurgents" could also use this vulnerability to determine the location of a prominent figure, and "cause physical harm for political gain," the researcher said. In the same way location-based services  such as Foursquare can be exploited, the researchers said an attacker could take advantage of this security loophole to determine if a specific target was away from their home.

T-Mobile USA and AT&T Mobility are among the U.S. cellular carriers that use GSM technology. Other carriers, such as Verizon Wireless, Sprint Nextel, MetroPCS and U.S. Cellular, use the CDMA standard, which the Minnesota researchers did not test.

© 2012 SecurityNewsDaily. All rights reserved


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments