
Joseph Cox – How You Can Buy AT&T, T-Mobile and Sprint Real Time Location Data – DEF CON 27 Conference

I'm Joseph Cox, a journalist. I'll elaborate on, uh, my affiliations in a bit, but I'm going to be talking about how you can buy AT&T, T-Mobile, Sprint and, in some cases, Verizon data, um, on the black market.

So one day I just wake up and I get this rather ominous message. And I've kind of put it verbatim, so there are some typos and stuff, but: "there is a new bail bond database company that is geo tracking people, people are reselling to the wrong people call me." And obviously I've redacted the source's, um, phone number 'cause they're an anonymous source. Um, we hear about government surveillance, geolo-, uh, geolocation tracking or that sort of stuff all the time. Here, this is a private company selling a similar capability to private individuals, uh, a particular focus of mine. And, of course, "reselling to the wrong people": I want to know, um, what this is.

This all says that in or around the bounty hunting industry, and they're clearly quite familiar with how this technology works. So we start talking. Uh, they only really wanna discuss it on the phone. They say many people's, uh, rights are being violated. As we strike up a conversation, he's using terms like "phone ping", which, as some of you may know, a sort of law enforcement or industry parlance for geolocating a phone. Um, the source even offers: if you give me a phone number, uh, he will be able to locate it. That is a pretty wild claim, uh, and I was obviously very skeptical at first. But hell, why not?

Um, so I get a US phone number of someone that I know would give consent to be tracked, uh, with their permission, obviously. Uh, but then they say, if you are paying the 300 dollars. Now, this is the price that a phone ping is going on the black market at the time; we'll go into other prices a little bit later. Uh, and I say yeah, I give the phone number, again, I've redacted that, uh, and when do you think it will be doable?

Uh, just before, a kind of a carry-on rant: we normally don't pay sources for information, because if you start paying someone they're going to give you stuff kind of irrespective of whether it's true or not, irrespective of its, uh, veracity, so you don't wanna do that as a journalist. You only wanna do stuff that's in the public interest. But here we want to see, explore or prove whether this is even possible. You know, I mean, we could talk to three, four, five people here who say yes, but we want to actually see it and we want to actually geolocate the phone. Because if I can do that, and I'm not a bounty hunter, I'm not a cop, uh, I'm a journalist, that shouldn't be possible, theoretically. So that's why we, um, took that extra step.

Uh, and he says, yeah, I'll, I'll figure it out and get back to you. Shortly after, I get sent a Google Maps, uh, interface. This isn't the exact phone ping, uh, I'm going to show you genuine real phone locations, uh, from bounty hunting, bounty hunter services later. This is, um, similar to the one we got. Uh, it geolocated to Queens, New York, uh, to where the person was who agreed to be tracked. Uh, and as you can see, it's something like five, six blocks, um, diameter. Uh, but it was pretty accurate. So that's the main story we're going to focus on, and it will, it will develop from there.

But just to elaborate a bit: I'm a journalist from Motherboard, which is like the technology and science section of VICE. I cover the dish line diagrams cyber security, hacking, uh, and this kind of, um, you know, brings all of those together. And right up top, if you have more information about location data, that's my Signal number, and I will put it, uh, at the end as well.

So just a layout of sort of what I'm going to be talking about. Obviously, first, it's going to be how my source actually managed to get that data and how he managed to track a phone, um, to Queens, New York. The supply chain of that location data is not as simple as me just going to T-Mobile, buying the data and then getting it there. There are various organizations, companies, in sort of a trickle-down effect, um, of how this industry actually works. And then I'm going to show that it's, it wasn't just one-off for us. Like, we didn't get lucky and, like, oh, this is one instance of abuse; it is, uh, an endemic problem. Uh, and leaked documents that we got from one company specifically marketing, uh, to bounty hunters to geolocate phones kinda shows the, like, wider breadth of this, um, issue. But then there's, like, a short part at the end which shows how you can still do it today with a different method, including for Verizon data, um, as well. And it is worryingly simple to actually get a hold of that data.

So what actually is the information that's being sold? I mean, as the vast majority of you will know, your cell phones are constantly phoning home, uh, to cell phone towers nearby, so T-Mobile or whoever can say, hey, this is where to route the text messages or where to route, um, the phone calls. And the byproduct of that has caused the general physical location, depending on, you know, how close you are to the cell towers and that sort of thing. In the one we got, it was a few blocks. Um, in these ones, these are real phone pings from bounty hunter services. The one on the left is quite broad. Like, that's not super helpful. The one on the right is, I mean, that's more than five or six blocks, right? That is a section of a city. Uh, but if you're a bounty hunter, or if you're trying to stalk someone, uh, or anything really, that can still be useful information. So it really, really does vary, the quality of the data. But it is not just cell phone tower data. There's also assisted GPS, or A-GPS, data.

Of course, this runs from the GPS chip in your phone, and it's typically reserved for, um, emergency responders or 911, where they need to locate you, uh, for whatever reason, it, it, if there's an incident. This is much more precise. It's not really blocks, it's more double-digit figures, you know, under 20 meters sometimes. Uh, and sometimes it can show where someone is inside a building. Again, this is a real phone ping. It doesn't show where they are in the building. They could be in the backyard or in the living room or whatever, but they're clearly in that building. And, um, I did blur the outer edge of it because I'm actually not sure if this is a fugitive or if it's someone who's the victim of stalking or abuse. Uh, and that's actually sort of an issue of reporting this, 'cause you can't always tell unless you manage to actually talk to a, um, a victim, which is, uh, difficult.

So how the hell did, um, did the person actually manage to locate that phone in Queens, New York? Which is, of course, the first question I, I kind of wanted to answer. I'm going to give, like, a skeleton or a template of how it works in general, but then drill down to the, um, specifics.

So obviously it starts with the carriers, AT&T, T-Mobile, whoever, who, they have this data anyway. They give it to law enforcement if they need it, or if they do an overbroad warrant or whatever. Um, but one day the carriers decided that we can also sell this data, uh, for various purposes. They then, rather than just selling it straight to people, uh, which would be logistically difficult, there would be a lot of infrastructure involved, they'd have to, you know, set up their own customer support or whatever, they sell, um, access to that data to location aggregators. And I should just say, it's not like there's a SQL dump that's being sold from T-Mobile to location aggregators, then someone else. It's more like they're selling the capability to look up that data via an API or whatever it may be. Um, and then when you want the data, you'll look it up; it's not like, um, a single dump of information.

But location aggregators, yeah, they act as this bottleneck. And there's, there were three, I think there's two now, and they purely focus on location data. So they may say, we wanna prevent fraud with banks, uh, we, we'll be able to check the, hey, if this person is logging in from, I don't know, the Philippines or something, but their phone is actually in the UK, there's some sort of weird discrepancy there and maybe we can block the transaction. And there's lots of use, uh, uses for location data. But what they do is, the bottleneck then kind of expands out, like an hourglass, and that data access is sold to data brokers.

Now, these guys don't focus just on location data. They may do address lookups, maybe phone subscriber information, so you give it a phone, maybe you'll get the IMEI and, you know, the name and address of the person who's using it, uh, sometimes license plate information. And they will cater to all sorts of, um, industries, who, uh, whoever it may be. And then you have the end user clients, who are actually, okay, I'm going to do this lookup and now I'm going to find the location of a, um, a T-Mobile phone. And this is where a bounty hunter's going to be, or, uh, a property salesman or a used car salesman, who also have had access to, um, this sort of data.

So the phone we tracked, uh, it just happened to be on the T-Mobile network. When I was talking to my source, uh, they said that you can basically do any phone except Verizon. So yeah, we found a T-Mobile device and sent that number over. And then the way we figured this out was, obviously, that source was very knowledgeable about the, uh, industry. I ended up speaking to the location aggregators, to other people who have used the company, other people that have used similar tools. And there's even PDFs online that are just sitting out there. This story has kind of been out there in the open, um, but it kind of required the source proving it could happen to kind of bring it all together.

T-Mobile sold the access to Zumigo, which is one of the two location aggregators. Uh, they're the one that primarily focuses on, you know, we want to prevent fraud and that sort of thing. But to give an idea of sort of companies that we're dealing with, this is a presentation that the FC-, sorry, that Zumigo gave to the FCC, the Federal Communications Commission, a few years ago. This PDF was just online on the FCC website. And you'll see the top, it says, wi, they're lobbying to remove the consent requirement of stating the information that's being released by the carrier. When phone carriers sell this information, they do it under the prerequisite that whoever is using it is going to, um, seek consent. So you'll push a text message, you'll push a phone call saying, hi, you're about to be tracked by, I don't know, uh, AA Roadside Assistance, something like that, is that okay? Uh, you ex-, hopefully explicitly opt in, uh, and then they can get your location. Here, Zumigo is trying to get rid of that, so you'd have to opt out of, um, having your location tracked at any time by any of the companies in the supply chain. They weren't successful in that, but it does give you an indication of what sort of companies, um, we're dealing with here.

Then, under that, there's a date, a data broker called Microbilt. Um, and again, as I mentioned, the data brokers don't just sell location data. These were doing address lookups. They weren't doing license plate, uh, I seem to remember, but also sort of, uh, um, useful information you might want if you're tracking someone. Um, so after the source told me about Microbilt, I look around, I go on their website.

I find this nice little PDF about a project called Mobile Device Verify, um, which sounds more innocuous than it actually is. Because then, when you drill down, it's like: the geolocation lat long coordinates of the phone, the estimated location accuracy, the proximity of the location, um, to another one; that would be comparing it to an address, something like that. Um, and then I did something else that we don't normally do. As well as paying the source to locate the phone, I also made, to be honest, a very crap undercover identity, pretending to be a bounty hunter. Just made a new email address and contacted Microbilt saying, hi, I'm interested in your mobile tracking product. And I explicitly said I am a bail bondsman and I want it for this purpose.

They handily replied with a nice little price list. And here you can see there's the location verification, which just be, you pay $4.95, uh, if you're looking between one and 250 phones. I think that's per lookup, uh, but I'd have to double check. But then underneath there's the monitoring per device service. So Microbilt doesn't do just individual pings, but you could pay to track a phone hourly, uh, daily, weekly, um, and potentially more granular than that, if you just pay a little bit more money. Uh, I can't think of many legitimate uses of a private company selling to private individuals a constant monitoring service. The individual ping is almost defensible; I don't quite see, uh, the legitimate use case for it, monitoring per device. And as you see, it's like $12.95 there, so it's like exceedingly cheap to buy this data from these, um, from these companies.

And it's not just bounty hunters. So as I said, Microbilt caters to all these different industries, but specifically with the mobile tracking product, they're doing motor vehicle sea-, uh, sales, which will be used car salesmen, car dealerships, that sort of thing. Um, maybe if they're doing a background check on someone who's buying a very expensive car. Or, I think, uh, definite use case is if someone is behind on their payments and they need to repossess the vehicle: well, we'll track their phone and then we'll find out where they are, and then we will get a repo man to go get the, um, the car from them. Uh, and then they're also doing for property managers. Uh, you know, just people, landlords, who are renting out, um, their buildings. Um, I'm not entirely sure on how that data is actually, uh, used by them, but Microbilt were explicitly advertising to that market, and it was explicitly the phone tracking product, as well as the other ones as well. [speaker sniffs]

And then you get to the bottom of the chain. Um, and allegedly the end user was Bail Integrity Solutions. I say allegedly because I don't know; they weren't my source. It's only after our reporting Microbilt did an internal investigation, and they found that the, the phone lookup was allegedly from Bail Integrity Solutions. There's an ongoing lawsuit there; you can go look at the public court documents, and that's who they name, um, as the sort of bail bondsman or bounty hunter firm that was, um, getting access to this data.

Now, I'm not in that supply chain, and neither is my source, obviously. So this is where sort of the legitimate trade, quote unquote legitimate trade, ends and the black market begins. Um, Bail Integrity Solutions then gave that phone ping, the Google Map interface, to my source, who gave it to me. Uh, or another way to put it is that I, Motherboard, gave the phone number to my source, who gave the phone number to Bail Integrity Solutions, who then triggered a lookup via the Microbilt API, which goes up through Zumigo to, to, to T-Mobile, grabs the current location, brings it back down, and then it gets, um, sent to me.

Uh, and just to stress, obviously I've said this higher up, but I should not have been able to get this data. As sketchy as bounty hunters getting it, it's even worse if I, a completely unauthorized party, was able to buy and obtain and use this data, uh, on the black market. [speaker sniffs] So that was the one case. Um, that, as I said, is not an isolated incident. So there's a website online, CerCareOne, uh, dot com, I think. You can go look it up now.

It is still there. When you visit, it looks like a normal placeholder: thank you for visiting our site, it's under construction. Okay, there's, there's nothing really to look at here. But you go to a specific section of the site and it has a login portal. Um, that red bit is just my IP address, um, that I, uh, redacted for, for just making these screenshots. Uh, and email address, password, you log in. You'll, you'll notice that there's no registration option. I'm not exactly sure how people join this website, invite only, uh, maybe apply some other way, um, but you can't just go and sign up for this site, which is because this is a secret website and secret company only for serving bounty hunters.

Um, we haven't published these before, and I [speaking with laughter] appreciate they are heavily redacted. Uh, but I did, of course, wanna show you some stuff that we haven't been able to publish before. So my source, as well as, uh, looking up the phone, provided me with a cache of documents, various files from inside CerCareOne. From what we can determine, these screenshots were taken with an administrator account of CerCareOne. So you log in with an admin account and you can see a list of all of the users, uh, who are on this website. In all, it was around 250 bounty hunter companies which had their own accounts on this website. So that's 250 Bail Integrity Solutions who may be looking up for their own purposes, for professional reasons. Maybe their staff fancy looking up their girlfriend's location, which I have, um, been told happens in this industry. And it's also 250 people who may resell that access to people who aren't supposed to have it, like me.

Um, and then it, it's just like a normal functioning, pretty basic website. You have numbers that you would click, that would show, obviously, the phone numbers someone's looked up; um, the activity, which I think actually may show the phone pings, I'm not entirely sure on that one; and then the billing. You just top up your account with maybe 1,000 dollars and then we can start pinging some phones. It's really, really that simple.

So you go and you click on the numbers, and, um, including the data there was obviously a list of the phone numbers that people have been geolocating. Uh, on the left, those are the numbers; I had to redact them slightly. Then you have the date and the time of the lookup. To the right of that you have the IP addresses, which will become a bit more important later. Uh, whether it was found or not. And the sort of data that was obtained right at the end, the cell phone tower data or the A-GPS data that I mentioned up top. I mean, as you can see, again, it does vary wildly. The top one, um, a diameter of 582 meters. Right down at the bottom, to like three and a half kilometers. So it's not super reliable, but if you are a bounty hunter just trying to find if someone's in, I don't know, Minnesota, or then a particular city, or even like a district of a city, this is still going to be, um, pretty helpful. And then you can see the A-GPS stuff, right down to, as I said, double-digit, uh, proximity or, or accuracy. Just 13 meters, uh, you might be able to find someone.

So I mentioned that this was a secret website. Um, of course I'm not talking about any sort of official classification. I just mean that in the terms and conditions of the site, that I also got a copy of, um, it says that if you are using this service, you need to never reveal the website or the company's existence to anyone. Um, obviously someone broke that, those terms of use. Uh, thank you for doing that. But it, it just goes to show you what pains they went to really, really keep this under wraps, as well as the hidden login portal, uh, and the lack of registration, and the fact that they're telling people to keep it, uh, quiet.

So I mentioned the IP addresses. And they tell you when you sign up: give to us, CerCareOne, two IPs that we can whitelist. That way, you know, we'll minimize abuse and we'll be able to, you know, keep on top of privacy, uh, and all that sort of thing. And they also tell you to be careful if you're using a password, 'cause obviously this is very sensitive data. And you go through the information, again, the phone numbers, the dates and the IPs. There's more than two IPs there. 64 dot 71 dot 131 87. Um, clearly the two IP rule is not really enforced at CerCareOne. Uh, leading one of my sources, um, to stipulate, and then some supporting evidence as well, that this particular administrator at CerCareOne was potentially reselling their access to the system on the black market to other people who would want it. Obviously we saw IPs from the US, as you probably would expect, but there were connections from Israel, uh, for Lithuania, various other places. Now, obviously, some of those could be VPNs, VPSes, whatever, but it still goes to show that sort of lack, the lack of security measures, uh, on this website. And just indicative of this sort of secondary market that is going on underneath this.

And I didn't mention this earlier when I introduced the website, but when you use CerCareOne there is no text message, there is no phone call, there is no warning to the target device, uh, being pushed. So the target has no idea, um, they're being tracked at all.

Uh, and that was according to two sources familiar, um, with how the system works and who had used it. And then it, some of it is just a normal, you know, payment website. People are signing up with their personal Gmail addresses. This isn't, you know, at legit bail bonds dot com. It's just some bloke's personal Gmail. Uh, and you can top it up with, um, a couple a grand of credit and you can go and locate some phones as well.

So we have, we've never shown this before. This is, uh, a nearly full screenshot of the CerCareOne, um, system in action. This is what you will see when you will log in. You will look up a phone number and then this is what it will present you. Um, so obviously you, the, there will be the phone number, the address of what the ping is, the lat long, uh, the type of data, in this case A-GPS, the time. And then the very nice pay-per-ping balance at the bottom, for 206, uh, 226 dollars left. Um, the name at the top, Dan Grable, uh, I believe he was this administrator of the, um, of the site. Uh, of three admins who ran CerCareOne, he runs a sort of, um, they, they sell telephone services to businesses and that sort of thing, and it appears that he was one of the accounts that may have been reselling access, because there are all of these different IPs connecting through his, um, account. Uh, he hasn't responded to request for comment, but if he wants to chat I'm happy to.

This, and, and, and this particular ping has, um, a sort of story behind it. So in May 2017, two bounty hunters are trying to track a fugitive from Minnesota. They track him, somehow, to this Nissan dealership just off the highway in Texas. The bounty hunters go in. They lie to the dealership and say, hi, we're, um, US law enforcement, we're trying to apprehend someone dangerous, can we wait here for the guy to turn up? The dealership, not wanting to, you know, interfere with an apparent law enforcement investigation, says yes, sure. Uh, the fugitive comes back. They confront him, weapons drawn. Uh, all three men are armed. There's a brief scuffle. Uh, the fugitive's gun falls out of his belt onto a desk. Goes to grab it, and then in about six seconds 20 shots are fired from all three guns at each other. Uh, and all three men die very soon after that. Um, a family, uh, of young children, or with young children, run away, people scream; you can go read the, uh, the footage on YouTube.

Um, but then, very strangely, just shortly after, um, those killings and the deaths, someone starts using CerCareOne to look up the location of their bounty hunters' phones. And that's what this ping is. I don't think it's a coincidence that two bounty hunters are out on a job and someone starts tracking their phones. And then, just before this lookup, the same account, according to the data, is used to look up the location of a phone from Minnesota, which is where the fugitive was on the run from. We couldn't determine, you know, using various tools like people dot com or various Ocentures, we couldn't determine who that phone belonged to, because it looked like it didn't really have any registration information. It seemed to be a relatively new phone. And you can maybe infer from that what you will, but we only publish what we can know, right? So we, we say we, we weren't able to identify that, apart from it being a Minnesota phone, and it was before, um, the shooting. Very shortly before, multiple pings, uh, before that. And it was also located after the shootings as well, so that we can't really explain.

Um, and even if this is not a case of, um, oh, we're looking up the location necessarily of a fugitive, it is still indicative of the sort of people who are connected to this market of phone location data. That it's two bounty hunters who went in, they didn't take their body armor that was allegedly in their vehicle, they lied about being US law enforcement. They then go on a shootout that endangers a family of young children, they die, and they killed someone as well. Um, it just shows the sort of people that are connected to this, um, this industry.

So we had Microbilt, which was the one I bought the ping from. And then a while before, we had the CerCareOne example I just gave. Uh, and then just before that, and kind of also overlapping with CerCareOne, we had a service called locate your cell dot com. That's still online, you can go look it up. And it appears this is one of the earliest examples of, um, private individuals selling the capability to look up, um, phones. So this isn't marketed to bounty hunters or roadside assistance; it's marketed to people who lost their cell phone and they want to find it. Or it's marketed to people who, maybe their, their kid went to the park and they haven't come back and they want to check they're okay. Or maybe their senior relative of dementia, who's a bit confused, and they, they didn't, come, come home, or something like that.

Um, the owner of this website, who, when you actually look into some of the WHOIS, this WHOIS, WHOIS history and various other connecters, is also, uh, linked to CerCareOne. Uh, a guy called, um, Frank Rabito. He is quoted in, like, some obscure local media report from years and years ago, boasting about how he used his company to help a woman find her phone that she left in the supermarket car park. Which is clearly not a, uh, law enforcement use, or really a legitimate use, of, um, data or capability that is, um, this powerful. The, the system isn't online right now.

But as I said, you can go to the website and you can, I think you can even create an account, I believe I tried to, um, but you can't use it to look up at the moment, because CerCareOne, um, was shut down. It's not exactly clear how. And it appears this shared the same access, or at least similar access. Um, so this is no longer in operation or live just at the moment. [speaker swigs drink]

So you may be wondering where Verizon is in all of this. The Microbilt example, where we pinged a phone, as I mentioned, it was only AT&T, Sprint and T-Mobile. Um, and then from, from what I understand, Verizon has taken a much stronger stance against this than the other telcos. Um, [speaker voice strain] one bounty hunter told me, or sorry, one bounty hunter and one other source told me that Verizon has enforced it so that consent text or that consent call that's supposed to be pushed when you locate a phone, they're now enforcing that at the carrier level. So they're not delegating that responsibility to the location aggregators or the data brokers or the end users. They're like, we'll handle it. We will push the text out when you make an API request, and then we will only release it, um, when we get the confirmation of consent. Which, of course, is a good thing.

But I wanna stress something that has kind of been lost in our coverage: Verizon is not innocent in this at all. Um, last year, uh, Senator Ron Wyden's office and the New York Times did this sort of, uh, current investigation, to, uh, parallel an investigation, I'm not entirely sure, but it was showing how all of the major carriers were selling the real time location data access to a company called Securus, which would give it to low level law enforcement, like prison guards and officials, without a warrant. They would log in to a Securus portal, upload a PDF of some sort of document that kind of looked legit, and then they would just let them, um, do the request and pull the data. Um, they could do that without a warrant.

They could do that without a subpoena. They could do that without any sort of court order. Um, and Ron Wyden described it as sort of a pinky promise of ensuring this data was actually being requested properly. So there's that Securus case as well.

But then we also found one earlier, before that. And this is kind of in between, secure, CerCareOne and Securus, they all have these really similar names, in between that. Um, and as you can see right there, there's Verizon. Instantly look up the phone, uh, location of basically any phone in the United States. Uh, again, it's cell phone tower triangulation and it, uh, GPS data if available. You get a nice little Google Maps interface and it's only seven pounds, uh, seven dollars 50, um, a lookup. And if it doesn't work, you don't have to pay. It's all good. So this was explicitly marketing to bounty hunters as well. And I actually published this last year, sh-, uh, shortly after the Ron Wyden one. And nobody, uh, I, uh, I, it, it didn't, it, nobody really paid attention to it. I mean, I was glad we got it out, because I had never heard about this before. But it didn't, uh, it didn't get much attention. But this is the story that actually triggered the main phone pinging source at the top of the talk to come forward and say, hey, there's a company that's still doing this.

And this isn't just a US problem. Uh, I know a lot of, uh, my articles especially, and other people who may, maybe talked about, they're quite US focused. But this is, I mean, it's not global, but it is in other countries. So this is a screenshot from a map that someone sent me, uh, from a company called, I think it's Telesign, uh, I may have, or Telesigns. But they provide, you know, 2FA solutions. So if you want to implement some sort of turnkey solution for, I need to have SMS to appear on my website, these guys will help you. As far as I know, uh, they have like Salesforce, um, as clients, that sort of thing. And then you go on their website, you look up their capabilities and their coverage, and then about halfway down there: Phone ID Current Location Plus. Which isn't exactly subtle in what it does. Obviously, it provides the current location of the phone. Um, and in blue are the places where they have services available: United States, Canada, India, uh, and then coming soon, the Philippines. So when, uh, a source sent me this, of course I contacted Telesign, like, so where'd you get this data? That, that, that's, that's pretty interesting. Uh, they immediately took the map offline and replied, we don't sell that data. I don't know why you have a, a map online advertising this data if you don't sell it or you don't have any clients. But, um, that's allegedly, uh, what they say.

Um, so after we did the phone pinging story, where we geolocated the phone, um, AT&T, T-Mobile and Sprint said they were going to stop the sale of location data to all third parties. Um, and as far as we know, that went into effect for all of them in May. Uh, as I said, Verizon, who had already done it. But now all the major telcos are not selling, uh, that particular, uh, supply chain of location data, um, to anyone, uh, it seems. But obviously that is not the end.

As I said, there is another section, um, on how this data, uh, can still be obtained, uh, today. So let's say you're an attacker and you wanna get hold of some real time location data from a telco. All you really need to do is pose as law enforcement: you phone up the carrier, you send them an email, and you get the location data. Obviously this is a massive over-simplification. So, uh, to give a more concrete, um, example, there was an, uh, a case a few years ago, a guy called John Edens. He is a, a debt collector. When someone's behind their payments on their cars, he's tasked by an insurance company or a dealership or whatever: so can you go, please go find the person so we can repossess this vehicle. Um, he has a history of domestic violence and stalking, uh, beating his wife, various other, um, charges and prosecutions. He had a habit of posing as, um, US Marshals. Um, he would make some spoof email addresses.

I think he would spoof phone numbers as well. And he would contact, in particular, T-Mobile. Um, and then, with that, T-Mobile would handily, uh, reply with the location data of a number of his choosing. Um, he didn't have to provide, you know, warrants or anything like that, and obviously he can't because he's not actually law enforcement. But he would provide fake exigent circumstances requests. And this is where, um, law enforcement think there is, you know, there is a threat of life and it's too urgent to go through the normal process of going to a magistrate judge, getting a warrant, getting that back, and then we get the data. It's like, a child has been kidnapped, we need this, um, this data immediately because, you know, there's an imminent risk of harm. The FBI have used this, um, in various other ways, uh, in a slightly different way to do, you know, deploy malware against, um, child abusers and that sort of thing.

So he would contact T-Mobile pretending to be US Marshals. He would do it on certain days or certain times of the day, um, so particular people were working. He would build a rapport with them, you know, normal social engineering. Wouldn't contact them when it would be, um, you know, maybe there's someone who's quite strict and they're not going to give out the data, he would try to avoid them. Um, but he would get through to the right person. And then, so you see, they would eventually, eventually reply with the, with the lat, the long, uh, and, uh, the handy Google Maps interface. So this is a, uh, I mean, this is a screenshot from one of the documents in his court case. He was caught, he was prosecuted, um.

I think he's out now. Um, the DHA redacted the phone number but they did not redact the GPS coordinates, so I've done that, because I think that's quite wild to put a victim of abuse's GPS coordinates in a court document. But there you go. Um, you can see that the date's 2014, so that's obviously a long time ago, but someone else was indicted either two or three months ago for doing the same to Verizon, to doing, to, to AT&T and T-Mobile, um, I think, and potentially Sprint as well, but basically a selection of the large telcos, including Verizon, as far as I know. Um, and people are doing this approach now, today, and they, they may do it for their own purpose.

They may do it like John Edens did, where "I need to find this person, I need to track where their car is and repossess it." Sure, whatever. But there are people who will do this as a service, and then they will sell that data, um, on the black market. And these are text messages, uh, between two people doing just that. So, um, on the left-hand side is the person selling the phone pings. On the right-hand side is the, um, debt collector, the skip tracer, saying, "Hey, here's the phone number, could you look it up?" And I think this is on Telegram. And you can just see how casual it is. It's "Hey, here's the phone numbers for right now, here's another phone number." They reply with the lat, long, um, and the diameter of the lookup. And then "Thank you", smiley face. Um, they may do another one, but the powers, the, allegedly the phone's turned off.

So maybe they didn't get a reading. Um, and then you also see on the second screenshot, on the right-hand side, on the, you know, the second message down, it says "for 11 PM PST". Obviously, if you're a bounty hunter, you don't necessarily want to have a lookup, um, straight away. If someone's in bed, say, at five am, that's going to be a pretty good time to get their real-time location data. Or, because then of course you can go, maybe kick down the door or apprehend them when they're, um, least expecting it.

From what I understand, this person was selling legitimate, real, genuine phone pings through that scamming system outlined, reselling them. But then, when they, um, they lost their capability somehow, I don't know if the telcos caught on or, uh, maybe there was a new staff member at the telcos, something like that, um, they wouldn't able, they weren't able to, um, do that any longer, so they started scamming, um, people and saying that they would take numbers, they would allegedly do lookups, and then just send some coordinates and still take on the 300, 500 dollars. And this has caused, um, a lot of issues in the bounty hunting industry, with people scamming each other.

And after our coverage, where the telcos stopped selling it, um, we've seen a spike of scams where, um, people will do, you know, quite good looking, "Here's an auto form, a PDF, we're IT consultants and we will do a lookup for you", um, in India, in the US as well, um, but they are scammers. It's similar to how, you know, there's almost the unicorn of criminal first service, SS7 access, which does happen, but when someone says, or someone reports, "Here's a Tor hidden service, you give 'em 500 bucks and you get SS7 lookup", it's probably going to be a fake, right? And that seems to be the case here.

But among the fakes there are people who are, people who are still genuinely doing this, um, and if you have the right contact, you can do whatever you want with that data. You, you can stalk someone, you can trace your boyfriend, your girlfriend, whoever. The person, uh, one of the clients with Securus was doing it to look up the position of a judge. Uh, I know people who have, uh, allegedly done it to their ex-wives. Uh, and again, John Edens had a history of domestic violence, and when he would track someone he would turn up at that house, uh, be very violent, be very intimidating.

And just the risk of abuse here is, um, so great. So that's everything, uh, I wanted to present. Again, if you know anything about location data, who's buying it, who's selling it, um, any sort of capability there, uh, of course it's not just phone carriers, it's apps as well, if anyone can buy that data, that's my Signal, my Wickr, my Jabber, my email. And, um, I think I actually rushed through that, so if anyone has any questions, I'm happy to ask. If not, uh, if you don't want to talk to me, an investigative journalist, in front of a crowd of a load of hackers, uh, you can send me a Signal message and we can meet later. And thank you so much, I appreciate it. [audience applause]

