project carmen sandiego can track down your cell phone and your

Upload: jameldino

Post on 03-Jun-2018


  • 8/12/2019 Project Carmen Sandiego Can Track Down Your Cell Phone and Your


    Project Carmen Sandiego can track down your cell phone and your whereabouts

    July 29, 2010 9:28 PM Dean Takahashi


    Be prepared to be scared about your cell phone privacy. Two security researchers showed today how they can track down cell phone numbers, identify the person who owns the phone, and then track the whereabouts of that person. And they can do it with technology available to ordinary civilians.

    That last part is the shocking part. Government investigators and police can do this. But Don Bailey and Nick DePetrillo (pictured) showed they were able to do it by collecting bits of information and then amassing them into a powerful tool that can invade your privacy. They showed off working code and other proof from Project Carmen Sandiego (named after a computer game where you tracked somebody down as part of a geography lesson) at the Black Hat security conference today in Las Vegas. (See our roundup of all Black Hat and Defcon stories.)

    "This is intelligence gathering for civilians," said Bailey, speaking to a roomful of security researchers and hackers. "We can find out where you are, who you talk to, where you are most vulnerable."

    Bailey and DePetrillo joked that they could get actress Megan Fox's cell phone number and sell it to the highest bidder. But they said the point of doing this isn't to get the cell phone numbers of celebrities or executives like Apple's Steve Jobs. They wanted to show how security should be stepped up for cell phones and how shockingly easy it is to do. If they could do it, they reasoned, then the bad guys with evil intent have probably already figured out how to do it. In effect, Bailey and DePetrillo said that they have enough information to put together a White Pages for cell phones, with home numbers for everybody's cell phone.


    Governments can pretty much afford the technology to do this now. But ordinary civilians can't. One of the tools they exploit is a central database called a Home Location Register, which records the phone number of every SIM (subscriber identity module) authorized to use the cell phone network based on the GSM (Global System for Mobile communications) standard, which is the standard used in about 80 percent of the world's phones. "You can access HLR data through various third-party resources," Bailey said. "You can cross reference that with Mobile Switching Center information that determines where you are, generally."

    That data tells the researchers what city the user is in. They reverse engineered this data to get more information. In other countries, the MSC data has zip code data embedded in it, making it much easier to find someone's location. U.S. data isn't that easy to figure out. But the researchers say they can take a given MSC number and find out its location and its cell phone provider.

    "That information should be privileged, but it isn't," Bailey said. "I shouldn't know that you switched from AT&T to T-Mobile."

    You can buy CallerID information from companies such as Targus, which gets data from Verizon and other carriers. They add your name to the CallerID database with phone number data. If you buy a cell phone in the U.S., your name will wind up in a CallerID database. With this data, the researchers were able to reverse engineer the data to create a White Pages for mobile phones, which means they can put a name to a cell phone number. With the name and phone number together, the researchers can assemble other information.


    "It's extremely easy to build your own database," DePetrillo said.

    The databases are more expensive if you want to get the most current data, but older data is cheaper, costing only 0.0024 cents per name looked up. One of the things they can do with names is piece together who your co-workers are, because they will be using company-purchased phones with similar phone numbers.

    Some of the techniques they use to glean information include backspoofing. But if you don't want to do that, you can buy databases from Bulkcname.com for around $100 per 1,000 name lookups. The researchers say they can get 10,000 names identified for just $30. You can verify the data by cross referencing it with HLR data, which tells which carrier is associated with certain phone numbers.

    During the talk, the researchers showed slides of text that showed phone numbers, names, locations and company affiliations. They can even make educated guesses about which banks of phone numbers are assigned to prepaid phones, which are phones bought at stores and can generally disguise their owners. The researchers say they can pinpoint people 99 percent of the time. With Google, Facebook and other tools, you can often then put a face to the name. You can find out if there are multiple phone numbers associated with one person.

    "Our intent is to get people thinking about their actions and their vulnerabilities," Bailey said. "You can target people. You can locate private individuals. You can locate groups of individuals. You can track where people are traveling. That's a lot of information. It can be scary."


    Added DePetrillo, "This is simple stuff to understand. I have information I shouldn't have. I didn't do any crazy, insane hacker tricks. It requires very little intelligence."
