Project Carmen Sandiego can track down your cell phone and your whereabouts

Be prepared to be scared about your cell phone privacy. Two security researchers showed today how they can track down cell phone numbers, identify the person who owns the phone, and then track the whereabouts of that person. And they can do it with technology available to ordinary civilians.

That last part is the shocking part. Government investigators and police can do this. But Don Bailey and Nick DePetrillo (pictured) showed they were able to do it by collecting bits of information and then amassing them into a powerful tool that can invade your privacy. They showed off working code and other proof from Project Carmen Sandiego (named after a computer game where you tracked somebody down as part of a geography lesson) at the Black Hat security conference today in Las Vegas. (See our roundup of all Black Hat and Defcon stories).

“This is intelligence gathering for civilians,” said Bailey, speaking to a roomful of security researchers and hackers. “We can find out where you are, who you talk to, where you are most vulnerable.”

Bailey and DePetrillo joked that they could get actress Megan Fox’s cell phone number and sell it to the highest bidder. But they said the point of doing this isn’t to get the cell phone numbers of celebrities or executives like Apple’s Steve Jobs. They wanted to show how security should be stepped up for cell phones and how shockingly easy it is to do. If they could do it, they reasoned, then the bad guys with evil intent have probably already figured out how to do it. In effect, Bailey and DePetrillo said that they have enough information to put together a White Pages for cell phones, with home numbers for everybody’s cell phone.

Governments can pretty much afford the technology to do this now. But ordinary civilians can’t. One of the tools they exploit is a central database called a Home Location Register, which records the phone number of every SIM (subscriber identity module) authorized to use the cell phone network based on the GSM (Global System for Mobile communications) standard, which is the standard used in about 80 percent of the world’s phones. You can access HLR data through various third-party resources, Bailey said. You can cross reference that with Mobile Switching Center information that determines where you are, generally.

That data tells the researchers what city the user is in. They reverse engineered this data to get more information. In other countries, the MSC data has zip code data embedded in it, making it much easier to find someone’s location. U.S. data isn’t that easy to figure out. But the researchers say that can take a given MSC number and find out its location and its cell phone provider.

“That information should be privileged, but it isn’t,” Bailey said. “I shouldn’t know that you switched from AT&T to T-Mobile.”

You can buy CallerID information from companies such as Targus, which gets data from Verizon and other carriers. They add your name to the CallerID database with phone number data. If you buy a cell phone in the U.S., your name will wind up in a CallerID database. With this data, the researchers were able to reverse engineer the data to create a White Pages for mobile phones, which means they can put a name to a cell phone number. With the name and phone number together, the researchers can assemble other information.

“It’s extremely easy to build your own database,” DePetrillo said.

The databases are more expensive if you want to get the most current data, but older data is cheaper, costing only 0.0024 cents per name looked up. One of the things they can do with names is piece together who your co-workers are, because they will be using company-purchased phones with similar phone numbers.

Some of the techniques they use to glean information include backspoofing. But if you don’t want to do that, you can buy databases from Bulkcname.com for around $100 per 1,000 name lookups. The researchers say they can get 10,000 names identified for just $30. You can verify the data by cross referencing it with HLR data, which tells which carrier is associated with certain phone numbers.

During the talk, the researchers showed slides of text that showed phone numbers, names, locations and company affiliations. They can even make educated guesses about which banks of phone numbers are assigned to prepaid phones, which are phones bought at stores and can generally disguise their owners. The researchers say they can pinpoint people 99 percent of the time. With Google, Facebook and other tools, you can often then put a face to the name. You can find out if there are multiple phone numbers associated with one person.

“Our intent is to get people thinking about their actions and their vulnerabilities,” Bailey said. “You can target people. You can locate private individuals. You can locate groups of individuals. You can track where people are traveling. That’s a lot of information. It can be scary.”

Added DePetrillo, “This is simple stuff to understand. I have information I shouldn’t have. I didn’t do any crazy, insane hacker tricks. It requires very little intelligence.”