Rob Sloan - 11th October 2013
A client approached us this week with an interesting issue: several members of their staff were being tracked online and their location, the country at least, was being posted online every 12 hours. The members of staff had prominent roles in the organisation and with a little bit of effort it was not impossible to find their names and mobile numbers, but how was their location being leaked and what other data did the attackers have access to?
Firstly, it is worth giving some background on the requirement. The client works in a sector which occasionally attracts online activism, and the website concerned is no stranger to controversy either. For the protection of the innocent I will not name either. However, a page on the website provides tracking data for 19 individuals in the same industry, showing which country the individual was in at 11am and 11pm each day. Some targets have been tracked since 2011 giving an impressive picture of their movements around the world. The aim of the tracking appears to be highlighting when companies were being represented in what some might consider repressive regimes, and not all of the individuals are still being tracked. Our client was keen to know how this was being done and what should be done about it. Their first thoughts had been that the phones were bugged and there was a clue in the leaked data to support this: when no location data could be provided the entry read ‘phone is currently not logged into the network (e.g. switched off)’.
Our first thought was also that all of the users must have had their phones compromised with a mobile Trojan. Most probably all of the users had the same type of vulnerable phone and the malware was giving an operator access to their locations via GPS. Problem solved. The obvious solution for our client would be to have the phone forensically analysed to better understand how the device had been compromised, try to attribute the attack and provide advice to protect these users in particular and others with vulnerable devices.
But something wasn’t quite right. The location wasn’t accurate to GPS. Sure, the trackers could have sanitised the data to show a reduced accuracy, but that is not the style of the website where the locations are listed. If GPS data had been available, the movements would have been plotted on a map and various sites or buildings that the user had visited would have been published in order for crowd-sourcing to identify the relevance. Also, if the attackers had access to the extra wealth of information on a smart phone that would also have been collected and published – emails, contact lists, SMS messages, web-browsing history. Malware was not the answer.
The next thought we had was that users were perhaps not the ones who were compromised – not directly anyway. All of the individuals on the target list travelled regularly – hence the interest in their location! Most of them travelled, at least occasionally, to places which are not exactly holiday destinations, could it be that they all subscribed to a common service? Perhaps a travel safety service where their locations were intentionally logged in case there was an emergency and they had to be ‘rescued’. Lots of large companies provide their travelling staff this sort of protection as part of a duty of care. If all of our targets had the same app installed and that was passing back regular location data to a compromised server, there would be a ready source of location data coming from phones, perhaps not even GPS – perhaps provided by the user ahead of trips.
But again, this didn’t quite fit. If an attacker had compromised a tracking server, why pick out only these 19 targets? And why the differing start and end dates? No offense to our targets, but there must be more interesting people who subscribe to those services. Where was the data from VIPs, celebrities and those in other industries? And if an attacker had a compromise such as that, why risk being discovered by publishing relatively low value data?
So what could it be? We assumed the attackers had no access to data on the phone, or GPS data. We assumed that there was no technology in common between all targets. We assumed that targets had started to be tracked as their numbers were identified, rather than all being present in the same dataset, and given the timestamps of the locations were fairly static to within a few seconds over a long period of time we were looking at an automated system.
A bit of head scratching followed before we hit upon what we feel is probably the right answer. Probably. We believe that the trackers were using (abusing) a feature of the GSM telecoms network called the ‘Home Location Register’. The HLR is a central database containing every unique phone number and is used to store, among other things, the location of phones according to the country of the network it is logged onto. This seemed to fit with the data being published. But how is it accessed?
Unsurprisingly, there’s an app for that. A quick Google of ‘HLR lookup service’ presents plenty of companies who offer mass querying of the HLR for fractions of a penny or a Euro cent. You simply enter the number of the phone you would like to query, and the lookup returns a dataset including the country location. This can then be automated to provide an effective [albeit basic] tracking service.
The hardest part of many engagements is offering advice as to how best to protect against the attack being used, and this proved to be no different. Swapping the handset doesn’t work as your mobile number stays the same. Swapping your number would work, but for anyone involved in sales or at a senior level changing mobile numbers is not without trauma. In any case, it would only be an effective fix until the attackers got hold of your new number. The ‘attackers’, as far as we understand, are not breaking any laws, assuming they are exploiting HLR data, so legal recourse against the website would only risk the Streisand Effect. The only good advice is that if you are going to a country which has the potential to embarrass either individual or employer, regardless of whether the purpose for the visit is the same as that perceived by the attackers, leave the phone at home. Redirect it to another number or leave a forwarding number in the voicemail message.
The lesson to be learnt? The most obvious answer is not always the right one. In dealing with IT security incidents organisations need to be able to call upon a broad range of skills and experience. Questioning whether there are other ways of achieving the same outcome and putting yourself in the shoes of an attacker who usually wants to take the easiest (laziest) and least risky path to the result they want.