GEO-tracking Mobile Phones

Thu, 18 Oct 2007 11:11:47 GMT
by pdp

For those of you who haven't got the time to catch up with some of the latest developments around all-mighty iPhone, I highly recommend H. D. Moore's Cracking the iPhone series where he explains how to crack open the device with the well known libtiff vulnerability that was affecting the Sony's PSP, but with a twist. In this post I am going to introduce you a technique for GEO-tracking the iPhone, or any other mobile phone, after successful exploitation. Keep in mind that all you are going to see is a general description of an attack scenario. I am still waiting for my iPhone, so I haven't coded anything for it yet.

Before we dive into the subject I would like to clarify what I mean by saying GEO-tracking. The prefix geo comes from the Greek word ge_, meaning Earth, ground or island. Therefore, _Geography (geo and graphia "writing") is the study of the features of the Earth. In that respect, _geo-_tracking is nothing more but the science behind tracking/mapping objects in motion on a map. Thus, in this post we are going to discuss a technique for pinpointing mobile phones in motion on a map and as such follow their owner's behavior.

The obvious way of tracking an already exploited phone is by means of GPS (Global Positioning System). Correct! However, given the fact that most mobile phones do not posses this feature, including the iPhone, we need to leave it for now and find something else that will give us to one degree or another a similar result. As you probably know, mobile phones are also known as cellulars, an old name (technology) which refers to circuit-switched voice telephone communication via cellular radio channels. Speaking generally, phones connect to cell phone towers. The density/availability of these towers affect the strength/availability of the signal your mobile phone gets. Keep in mind that I am very general here.

At any given moment your mobile phone has the geographical coordinates of the current cell phone tower it is connected to. These coordinates are represented by four numbers: cellid (The identifier of the cellular tower), lac (The Location Area Code), mnc (The Mobile Network Code) and mcc (The Mobile Country Code). You probably see where I am going with this.

When a mobile phone is in motion, it will switch between different cells and such ensuring continuous signal. The cellid, lac, mnc and mcc numbers will also change. If we record these numbers when a change occurs, we will have the history of the areas that phone has visited. These numbers can be translated into geographical coordinates by using any of the available public services. My personal free favorite is Yahoo's ZoneTag Cell Location API. A simple request to the service looks like this:


The above request will result into a XML document with information about the location of the cell phone tower. In my case, this is Hammersmith, London:

<rsp stat="ok">
        <Country cell="current" source="user">**United Kingdom**</Country>
        <Country cell="current" source="generic">**United Kingdom**</Country>
        <City cell="current" source="generic">**Hammersmith**</City>

Notice that the information is not very specific. Depending on the quality of the database, you will get more or less information about the cell. But you get the idea.

If the attacker continuously captures the information given from the cell phone towers, she will be able to tell the location of the mobile by guessing the area or doing some crazy computation geometry (triangulation) as described by this paper. This information can be placed on a map which tracks the mobile phone and predicts the direction. For that purpose, the attacker can use something like Google Maps API or preferably Microsoft's Live Maps Birds Eye 3D view as shown on the video bellow:

In some cases the attacker could combine the information obtained from the cell phone towers and the GPS (if there is any) in order to get even more accurate information about the current position of the mobile phone. This technique can be applied on any other phone and can be trivially automated for Blackberries using their development SDK.

Detection and Prevention

If you are not technically familiar with your phone, there is not much you can do to protect yourself from these kinds of stuff. However, you might be able to detect their behavior. If your mobile phone is constantly running out of power or it is always worm, this is a good indicator that something malicious is going on in the background. It is recommended that you inform your mobile phone provider about your observations and keep away from the device for a while even if this means that you cannot enjoy your brand new iPhone. Your privacy should be above all other things.

I hope that the post was interesting. Let me know if you have any other ideas or suggestions.

Archived Comments

I smell a new Payload :) Reverse Shell, Bind Shell, Geo-Tracker :)
This is how you do it on the iPhone:
nice one, so now all you need is a way to get this information out on a regular basis and you have a bug!
Adrian PastorAdrian Pastor
Definitely a payload worth it including on a exploit. However, I can also see legitimate purposes for this. For instance, why pay a commercial service to track you mobile (in case it gets stolen or you want your family to know where you are), when you can code a small application which retrieves the cell data and translates it to a geographical location using a web service? Just another application of this technique worth it considering.
Hello GNUcitizens, I enjoy a lot all your ideas and your work. Personally, I'd love to track my phone without the use of a GPS. I'd like to instantly see my track on gmaps on my mobile. I would also like to add exif data with the approx. coords. to the snapshots I take with it. Can you show us the way? Keep up the creativity and art flowing, Guillaume
There used to be a related hack for the Motorola E1 Rokr phone, involving a modified copy of iTunes. It knew which SIM was supposed to be in the phone; if the SIM changed (i.e. it was stolen, and the SIM replaced) it would start silently SMS'ing a user-definable list of numbers with the current cell tower details (and obviously its new phone number).
Here is a video that describes the same technique but in a bit more visual way, of course, without too much of tech information: