Independent security researcher Nick DePetrillo and Don Bailey, a security consultant with iSEC, planned to provide details in a talk entitled "We Found Carmen San Diego" at the Boston security conference on Wednesday.
"There are a lot of fragile eggs in the telecom industry and they can be broken," Bailey said in an interview with CNET. "We assume the telecom industry protects our privacy. But we've been able to crack the eggs and piece them together."
The first part of the operation involves getting a target's cell phone number from a public database that links names to numbers for caller ID purposes. DePetrillo used open-source PBX software to spoof the outgoing caller ID and then automated phone calls to himself, triggering the system to force a name lookup.
"We log that information and associate it with a phone number in a (caller ID) database," DePetrillo said. "We created software that iterates through these numbers and can crawl the entire phone database in the U.S. within a couple of weeks... We have done whole cities and pulled thousands of records."
"It's not illegal, nor is it a breach of terms of service," Bailey said.
Next up is matching the phone number with a geographic location. The SS7 (Signaling System) public switched network routes calls around the world and uses what's called the Home Location Register to log the whereabouts of numbers so networks can hand calls off to one another, DePetrillo said. Individual phones are registered to mobile switching centers within specific geographic regions and they are logged in to that main register, he said.
Only telecom providers are supposed to have access to the location register, but small telcos in the EU are offering online access to it for a fee,...