Rootsecure.net
The Security News Site For Systems Administrators & Hackers Tuesday, 21st October 2014 @ 17:39:35 GMT 
Reports | Locate almost anyone in the UK without their permission
{7th Feb 2006}
By using one of the many mobile phone location tracking services aimed at businesses or concerned parents, together with some trickery, it is possible to get almost anyone's mobile phone position without their agreement. All that is required is their mobile phone number and carrier.

Over the past year a number of sites have popped up offering web-based mobile phone tracking services. To use their services you purchase a monthly subscription or a set number of credits, and enter the target's phone number. The target then receives an SMS message asking them to confirm they consent to the tracking. After the target replies, the tracker can then request their position online and receive a street address, post code, and map of their location with an accuracy of around 250 meters.

As recently publicised by The Guardian and The Register, a simple and reasonably covert attack (assuming you have physical access to the target phone) would be to just reply to the confirmation message and delete all evidence afterwards. The attack described below does not require physical access to the device, which significantly lowers the bar for successfully activating the tracking service.

At first sight the system may seem secure due to its challenge (target receives SMS) and response (target replies to SMS) authentication method. However, the required response is always the same, and the SMS "from" field is used to identify the target who agreed to the tracking. The problem arises because the SMS "from" field (similar to caller ID on a phone) is spoofable, as previously reported.

This obviously raises a number of privacy concerns.

Rootsecure.net used the location tracking services of FleetOnline with a Virgin Mobile SIM card for the tracker, and an Orange SIM card for the target. The tracker's SIM was required for the site registration process.

The process:
  1. Disable any popup blockers and visit FleetOnline, then click to register for a new account.
  2. Select your country.
  3. Enter your mobile phone number, and network operator.
  4. Enter a company name (username), your email address, postcode, a password, and the access code (case sensitive) which was sent to the phone number entered in step 3.
  5. Reply to the confirmation text message with "T2Y" to 07950-081-259 (it may be necessary to generate a new message rather than using the phone's reply functionality).
  6. Check you can successfully login to the account.
  7. Purchase a transaction bundle for £10 which will give you 22 position locations (actual price £11.90 after World Pay take their cut).
  8. After logging in, select "Add Members" on the left-hand side menu, type in the target's phone number, select their network, and enter a nickname to identify them. The target is then sent a message similar to the following via SMS: "[username] 44[phonenumber] wants to locate your mobile from now on using FleetOnline. Text 'T2Y' to 004479580081259 to agree."
  9. SMS spoof a text message with the body text "T2Y" from your target's phone number (in international format) to 447950081259 using one of the many SMS spoofing providers or a bulk wholesaler such as Clickatell.
  10. After the SMS arrives at its destination, the target's phone will change from being greyed out in the "Select Member" panel. Select the "Get Position" link, choose the phone, then select "Get Position" and the phone's position should show up on the map along with a street address / postcode.
  11. The target will receive an SMS similar to "Here is your FleetOnline password: HTWNXU Please make sure you keep your password in a safe place. Thank you for using FleetOnline!" welcoming them to the service.

Mitigating factors:

- Although it is possible to get the location of a phone, the target will receive the various SMS confirmation messages, alerting them to the fact that they are being tracked.
- Malicious use can be traced back to the tracker via credit card records / the tracker's registered phone.

The attack can be relatively easily prevented by the use of a random challenge response string.

Rootsecure.net tested the service in the UK. According to the website it is also available in Germany, Belgium, Netherlands, Norway, and Spain, but only on certain networks. Clickatell was used to send the spoofed SMS message. All phones used in the proof of concept were the author's.

The original idea for this article came from Jonathan Pamplin's "How to Track Any UK GSM Mobile Phone", published in 2600 Magazine Volume Twenty-Two, Number Four.

2005-02-19 Update: Jaap Groot, CEO of Teydo Holding Inc, which operates FleetOnline, has issued Rootsecure.net with the following statement:

...the opt in no longer is standard T2Y but a random code. This was always applied for Vodafone due to network regulations and has now been turned on for the other networks too.

This was verified using the same Orange mobile phone as before by removing and re-adding it into the FleetOnline members list twice. Each time a different random code was requested, and entering the wrong code resulted in a "User [username] has sent a wrong code to enable tracking." warning message.
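
The random opt-in code described above, and suggested earlier as the fix, can be sketched as follows. This is an added example, not FleetOnline's code: the fixed-reply check is shown beside a per-request random code so the difference in what a reply proves is visible. The code length, expiry window, attempt limit, status strings and the sample number are assumptions.

```python
import hmac
import secrets
import time

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # look-alike characters omitted
CODE_TTL_SECONDS = 15 * 60  # assumed validity window
MAX_ATTEMPTS = 3            # assumed wrong-code limit per request


def fixed_reply_consents(from_field, body):
    """Original scheme: constant body, so consent rests on from_field alone."""
    return body.strip().upper() == "T2Y"


class OptInChallenges:
    """Random opt-in codes, one pending request per target number."""

    def __init__(self, clock=time.time):
        self._pending = {}  # target number -> [code, expiry time, wrong attempts]
        self._clock = clock

    def issue(self, target):
        """Create the code to be sent by SMS to the target handset."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self._pending[target] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, from_field, body):
        """Classify an inbound reply as 'ok', 'wrong_code' or 'no_request'."""
        entry = self._pending.get(from_field)
        if entry is None or self._clock() > entry[1]:
            self._pending.pop(from_field, None)
            return "no_request"
        reply = body.strip().upper().encode()
        if hmac.compare_digest(reply, entry[0].encode()):
            del self._pending[from_field]  # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[from_field]  # tracker must request again
        return "wrong_code"


TARGET = "447700900123"  # constructed number, not from the article
```

With the random code, a reply only counts as consent if its sender has read the message delivered to the target handset; the "from" field alone no longer decides the outcome.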

Arbitrarily locating anyone in the UK is no longer possible using FleetOnline and SMS verification spoofing.