Category Archives: TRACKING

Mobile phone tracking firm exposed millions of Americans’ real-time locations. Is Australia in the loop?

The bug allowed one Carnegie Mellon researcher to track anybody’s cell phone in real time

A bug allowed anyone to skip a consent requirement in a cell phone location tracking site. (Image: ZDNet)

A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located — without obtaining their consent.

Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you’ve more than likely never heard of before.

The company, LocationSmart, is a data aggregator and claims to have “direct connections” to cell carriers to obtain locations from nearby cell towers. The site had its own “try-before-you-buy” page that let you test the accuracy of its data. The page required explicit consent from the user before their location data could be used, obtained by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to within a city block of his actual location.

But that website had a bug that allowed anyone to track someone’s location covertly without their permission.

“Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location,” said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone conversation.

“The implication of this is that LocationSmart never needed consent in the first place,” he said. “There seems to be no security oversight here.”

The “try” website was pulled offline after Xiao discreetly disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon.

Xiao said the bug could have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart’s website following ZDNet’s report this week, which followed a story from The New York Times that revealed how a former police sheriff snooped on phone location data from Securus, a customer of LocationSmart, without having a warrant.

The sheriff has pleaded not guilty to charges of unlawful surveillance.

Xiao said one of the APIs used in the “try” page that allowed users to try the location feature out was not validating the consent response properly. Xiao said it was “trivially easy” to skip the part where the API sends the text message to the user to obtain their consent.
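An added illustration of the consent problem Xiao describes, not code from LocationSmart or from the original article: the article does not say how the check failed, so `locate_weak` is a hypothetical stand-in for an endpoint that accepts consent it cannot verify, shown beside a version that releases a location only against server-held, single-use consent. All names, the five-minute lifetime and the 555 phone number are constructed.

```python
import hmac
import secrets
import time

CONSENT_TTL = 300  # seconds a token or grant stays valid (assumed value)


class ConsentStore:
    """Server-side record of which handsets have agreed to be located."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # phone -> (token, expires_at)
        self._granted = {}  # phone -> expires_at

    def start(self, phone):
        """Create a one-time token; a real service would text it to `phone`."""
        token = secrets.token_urlsafe(16)
        self._pending[phone] = (token, self._clock() + CONSENT_TTL)
        self._granted.pop(phone, None)  # a new request voids any old grant
        return token

    def confirm(self, phone, token):
        """Record consent only if the reply carries the token we issued."""
        # The pending entry is removed on every attempt: one guess per token.
        entry = self._pending.pop(phone, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        if not hmac.compare_digest(expected, token):
            return False
        self._granted[phone] = self._clock() + CONSENT_TTL
        return True

    def consume(self, phone):
        """Return True once per grant; consent is spent by the lookup."""
        expires_at = self._granted.pop(phone, None)
        return expires_at is not None and self._clock() <= expires_at


def lookup_location(phone):
    # Stand-in for the carrier query; the coordinates are constructed.
    return {"phone": phone, "lat": 0.0, "lon": 0.0}


def locate_weak(store, request):
    """Hypothetical weak check: believes a consent flag sent by the caller."""
    if request.get("consent") == "yes":
        return lookup_location(request["phone"])
    return None


def locate_hardened(store, request):
    """Ignores anything the caller claims; only server-side state counts."""
    if store.consume(request["phone"]):
        return lookup_location(request["phone"])
    return None


if __name__ == "__main__":
    store = ConsentStore()
    req = {"phone": "+15555550101", "consent": "yes"}  # constructed request
    print("weak, no SMS sent:     ", locate_weak(store, req))
    print("hardened, no SMS sent: ", locate_hardened(store, req))
    token = store.start(req["phone"])
    store.confirm(req["phone"], token)  # the handset owner replied
    print("hardened, after reply: ", locate_hardened(store, req))
```
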

“It’s a surprisingly simple bug,” he said.

Xiao showed ZDNet a video of a script he built exploiting the bug in the company’s API.

LocationSmart did not promptly respond to a request for comment.

Xiao verified the bug with a few people he knew. Brian Krebs, who first reported the story earlier today, also verified the bug with a number of people who allowed him to test the bug.

“None of them got any notification that their location was being tracked,” he said.

“I had a friend who was driving around Hawaii and [with permission] pinged the location and I could watch the marker move around the island,” he said. “It’s the kind of thing that sends eerie chills down your spine.”

Sen. Ron Wyden (D-OR), who last week called on the cell carriers to stop exchanging data with third parties, offered a statement.

“This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security,” said Wyden.

“It represents a clear and current danger, not just to privacy but to the financial and personal security of every American individual. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone,” he said.

Wyden said the dangers from LocationSmart and other companies “are boundless.”

“If the FCC refuses to act after this revelation then future crimes against Americans will be on the commissioners’ heads,” he said.

We reached out to the cell providers — AT&T, Verizon, and Sprint — which all said they were investigating. T-Mobile did not respond to a request for a reaction.

But this recently disclosed bug shows the carriers are yet to cut off any access — if at all.

Henry Sapiecha

Government’s plan to spy on all Australians exposed in leaked letters

It may shortly be far easier for government spies to access your private data. Photo source: Pixabay

We’re constantly being advised to protect our data and information online, but it turns out there may be an even greater threat and cause for concern.

An exclusive report by The Sunday Telegraph reveals our online data may not even be safe from the Australian Government. Australian citizens may soon be subjected to secret digital monitoring by the top cyber spy agency in the country, with no warrant required for accessing all your info when they feel like it.

This means everything from text messages to emails and even bank statements could be accessed in secret under the radical new proposed plan. The Sunday Telegraph viewed the secret letters between the heads of Department of Home Affairs and Defence. The letters detail possible new powers for the Australian Signals Directorate (ASD).

As the current rules stand, intelligence is not to be produced on Australian citizens. Having said that, the Australian Federal Police and domestic spy agency ASIO can investigate people with a warrant and also seek help from the ASD if needed in what are deemed to be extreme cases.

If the proposal is passed, it would be up to Defence Minister Marise Payne and Home Affairs Minister Peter Dutton to allow spying to occur. Furthermore, they could approve cases without Australia’s top law officers being aware of it.

The Sunday Telegraph believes Dutton hasn’t yet presented Payne with any formal proposals for changes to the legislation. If passed though, spies would be given permission to secretly access information relating to an Australian citizen’s financial data, health information and phone records. A change in law would mean it’s also illegal for government agencies and private businesses to hold back any information that could hinder the security measures.

The Sunday Telegraph believes the reason for the data crackdown would be to stop terrorism, child exploitation and other serious crimes being conducted both here in Australia and overseas.

Several times in recent months online data and its safety have made headlines. Earlier this year, Facebook came under fire for breaching privacy data rules. As it stands, anything you share or access online remains there, even if you delete it.

This means any photos, emails, website history, online comments and videos you upload or view are stored away somewhere in cyberspace. Worryingly, any information shared on a social media platform such as Facebook will remain with the company, even if your profile is deleted.

What are your thoughts? Have you concerns that your private information could be secretly accessed by spies and the government? Do you think it’s really to protect Australians, or just another feeble excuse for the government to gain more information about us? Big brother is going too far this time one would think. Write to your MP.

New USA Federal Requirements On Cellphone Surveillance

WASHINGTON (AP) — Federal law enforcement officials will be routinely required to get a search warrant before using secretive and intrusive cellphone-tracking technology under a new Justice Department policy announced Thursday.

The policy represents the first effort to create a uniform legal standard for federal authorities using equipment known as cell-site simulators, which track cellphones used by suspects.

It comes amid concerns from privacy groups and lawmakers that the technology, which is now widely used by local police departments, is infringing on privacy rights and is being used without proper accountability.

“The policy is really designed to address our practices, and to really try to promote transparency and consistency and accountability — all while being mindful of the public’s privacy interest,” Deputy Attorney General Sally Yates told reporters in announcing the policy change.

The policy applies only to federal agencies within the Justice Department and not, as some privacy advocates had hoped, to state and local law enforcement whose use of the equipment has stirred particular concern and scrutiny from local judges.

The technology — also known as a Stingray, a suitcase-sized device — can sweep up basic cellphone data from a neighborhood by tricking phones in the area to believe that it’s a cell tower, allowing it to identify unique subscriber numbers. The data is then transmitted to the police, helping them determine the location of a phone without the user even making a call or sending a text message.

The equipment used by the Justice Department does not collect the content of communications.

Even as federal law enforcement officials tout the technology as a vital tool to catch fugitives and kidnapping suspects, privacy groups have raised alarms about the secrecy surrounding its use and the collection of cellphone information of innocent bystanders who happen to be in a particular neighborhood or location.

In creating the new policy the Justice Department was mindful of those concerns and also sought to address inconsistent practices among different federal agencies and offices, Yates said.

“We understand that people have a concern about their private information, and particularly folks who are not the subjects or targets of investigations,” Yates said.

The new policy requires a warrant in most cases, except for emergencies like an immediate national security threat, as well as unspecified “exceptional circumstances.” The warrant applications are to set out how the technology will be used.

In addition, authorities will be required to delete data that’s been collected once they have the information they need, and are expected to provide training to employees.

The policy could act as a blueprint for state and local law enforcement agencies in developing their own regulations. But it’s unclear how broad an impact Thursday’s announcement will have, since it does not directly affect local police agencies unless they’re working alongside federal authorities on a case or relying on their assistance.

Use of the technology has spread widely among local police departments, who have been largely mum about their use of the technology and hesitant to disclose details — often withholding materials or heavily censoring documents that they do provide.

Local departments have faced scrutiny from judges about how they deploy the equipment, though agencies have often insisted that non-disclosure agreements with the FBI limit what they can say.

The FBI has said that while specific capabilities of the equipment are considered sensitive, it did not intend for the agreements to prevent the police from disclosing to a court that the equipment was used in a particular case. Yates said she expected the FBI to revise any such agreements to be more transparent.

The American Civil Liberties Union called the policy a good first step, but expressed disappointment that it did not cover federal agencies outside the Justice Department or local police who use federal funds to purchase the surveillance equipment. It called on the Justice Department to close remaining loopholes, such as the one allowing for warrantless surveillance under undefined “exceptional circumstances.”

“After decades of secrecy in which the government hid this surveillance technology from courts, defense lawyers, and the American public, we are happy to see that the Justice Department is now willing to openly discuss its policies,” ACLU lawyer Nathan Freed Wessler said in a statement.

Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, a privacy group, praised the policy as an important step, though he said he suspected Justice Department attorneys saw “the writing on the wall” and recognized that judges would increasingly begin requiring warrants.

Though the policy does not require local police to follow the lead of federal agencies, “this is going to let the air out of state law enforcement’s argument that a warrant shouldn’t be required.”

“We think that given the power of cell-site simulators and the sort of information that they can collect — not just from the target but from every innocent cellphone user in the area — a warrant based on probable cause is required by the Fourth Amendment,” Cardozo said.

NYPD Has Used Cell Tracking Technology around 1,000 Times Since 2008

The New York Police Department has used secretive cellphone tracking technology more than 1,000 times since 2008, according to data released Thursday by the New York Civil Liberties Union.

A cell-site simulator, also known as a Stingray, is a suitcase-sized device that can sweep up basic cellphone data from a neighborhood by tricking phones into believing it’s a cell tower, allowing it to identify unique subscriber numbers. The data are then transmitted to the police, helping them determine the location of a phone without the user even making a call or sending a text message.

Police records show the technology has helped catch suspects in kidnappings, rapes, robberies, assaults and murders. Missing people have been discovered. In some cases, no arrest was made or the phone was located but had been ditched. Officers with warrant squads, robbery squads and homicide units all used the technology, according to the records.

Federal law enforcement in September said it would be routinely required to get a search warrant before using the technology — a first effort to create a uniform legal standard for federal authorities. But the policy applies only to federal agencies within the Justice Department and not, as some privacy advocates had hoped, to state and local law enforcement whose use of the equipment has stirred particular concern and scrutiny from local judges. The NYPD would be required to get a warrant if the investigation was a joint effort with federal officials.

The NYPD said it has no written policy for use of the technology, according to the records released by the NYCLU, but general practice is to obtain a “pen register order” — a court order with a lower standard than a warrant.

Larry Byrne, the deputy commissioner of the police department’s legal bureau, said police only use the Stingray technology to retrieve cellphone numbers of calls to and from a particular phone, not the content of those communications. He said it was used only after a detective, appearing alongside an assistant district attorney, persuaded a state judge to grant the court order.

The civil liberties union urged the department to create a strict policy on use of the technology and to obtain a warrant.

“New Yorkers have very real concerns about the NYPD’s adoption of intrusive surveillance technology,” NYCLU Senior Staff Attorney Mariko Hirose said in a statement. “The NYPD should at minimum obtain warrants before using Stingrays to protect the privacy of innocent people.”

The police have already been adhering to the higher legal standard used by federal law enforcement when applying for a court order, even though state law requires the police to present less, said Byrne, who added his office would put the policy in writing.

“Our practice is consistent with what the FBI and the other federal agencies now do,” he said.

The NYCLU requested documents under the Freedom of Information Law and received the first round of information that it asked for in November. Last year, the NYCLU released records showing the Erie County sheriff’s office used Stingrays 47 times in the past four years and indicating that the office obtained a pen register order only once, the agency said.

Surveillance system being supplied which can track any and all mobile phones anywhere in the world

Illustration: Michael Mucci

Makers of surveillance systems are offering governments across the world the ability to track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent.

The technology works by exploiting an essential fact of all mobile phone networks: They must keep detailed, up-to-the-minute records on the locations of their customers to deliver calls and other services to them. Surveillance systems are secretly collecting these records to map people’s travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology.

The world’s most powerful intelligence services, such as the National Security Agency in the US and Britain’s GCHQ, have long used mobile phone data to track targets around the globe. But experts say these new systems allow less technically advanced governments to track people in any nation with relative ease and precision.

Users of such technology type a phone number into a computer portal, which then collects information from the location databases maintained by mobile phone carriers, company documents show. In this way, the surveillance system learns which tower a target is currently using, revealing his or her location to within a few blocks in an urban area or a few kilometres in a rural one.

It is unclear which governments have acquired these tracking systems, but one industry official, speaking on the condition of anonymity to share sensitive trade information, said that dozens of countries have bought or leased such technology in recent years. This rapid spread underscores how the burgeoning, multibillion-dollar surveillance industry makes advanced spying technology available worldwide.

“Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world,” said Eric King, deputy director for Privacy International, a London-based activist group that warns about abuse of surveillance technology. “This is a huge problem.”

Security experts say hackers, sophisticated criminal gangs and nations under sanctions also could use this tracking technology, which operates in a legal grey area. It is illegal in many countries to track people without their consent or a court order, but there is no clear international legal standard for secretly tracking people in other countries, nor is there a global entity with the authority to police potential abuses.

In response to questions from The Washington Post this month, the US Federal Communications Commission said it would investigate possible misuse of tracking technology that collects location data from carrier databases. The United States restricts the export of some surveillance technology, but with multiple suppliers based overseas, there are few practical limits on the sale or use of these systems internationally.

“If this is technically possible, why couldn’t anybody do this anywhere?” said Jon Peha, a former White House scientific adviser and chief technologist for the FCC who is now an engineering professor at Carnegie Mellon University. He was one of several telecommunications experts who reviewed the marketing documents at The Washington Post’s request.

“I’m worried about foreign governments, and I’m even more worried about non-governments,” Peha said. “Which is not to say I’d be happy about the NSA using this method to collect location data. But better them than the Iranians.”

Location tracking is an increasingly common part of modern life. Apps that help you navigate through a city or find the nearest coffee shop need to know your location. Many people keep tabs on their teenage children – or their spouses – through tracking apps on smartphones. But these forms of tracking require consent; mobile devices typically allow these location features to be blocked if users desire.

Tracking systems built for intelligence services or police, however, are inherently stealthy and difficult – if not impossible – to block. Private surveillance vendors offer government agencies several such technologies, including systems that collect cellular signals from nearby phones and others that use malicious software to trick phones into revealing their locations.

Governments also have long had the ability to compel carriers to provide tracking data on their own customers, especially within their own countries. The National Security Agency, meanwhile, taps into telecommunication-system cables to collect mobile phone location data on a mass, global scale.

But tracking systems that access carrier location databases are unusual in their ability to allow virtually any government to track people across borders, with any type of cellular phone, across a wide range of carriers – without the carriers even knowing. These systems also can be used in tandem with other technologies that, when the general location of a person is already known, can intercept calls and internet traffic, activate microphones, and access contact lists, photos and other documents.

Companies that make and sell surveillance technology seek to limit public information about their systems’ capabilities and client lists, typically marketing their technology directly to law enforcement and intelligence services through international conferences that are closed to journalists and other members of the public.

Yet marketing documents obtained by The Washington Post show that companies are offering powerful systems that are designed to evade detection while plotting movements of surveillance targets on computerised maps. The documents claim system success rates of more than 70 per cent.

A 24-page marketing brochure for SkyLock, a cellular tracking system sold by Verint, a maker of analytics systems based in New York, carries the subtitle “Locate. Track. Manipulate”. The document, dated January 2013 and labelled “Commercially Confidential,” said the system offers government agencies “a cost-effective, new approach to obtaining global location information concerning known targets.”

The brochure includes screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe and several other countries. Verint says on its website that it is “a global leader in Actionable Intelligence solutions for customer engagement optimisation, security intelligence, and fraud, risk and compliance” with clients in “more than 10,000 organisations in over 180 countries”.

(Privacy International has collected several marketing brochures on cellular surveillance systems, including one that refers briefly to SkyLock, and posted them on its website. The 24-page SkyLock brochure and other material was independently provided to The Washington Post by people concerned that such systems are being abused.)

Verint, which also has substantial operations in Israel, declined to comment for this story. It said in the marketing brochure that it does not use SkyLock against US or Israeli phones, which could violate national laws. But several similar systems, marketed in recent years by companies based in Switzerland, Ukraine and elsewhere, likely are free of such limitations.

At The Washington Post’s request, telecommunications security researcher Tobias Engel used the techniques described by the marketing documents to determine the location of a Post employee who used an AT&T phone and consented to the tracking. Based only on her phone number, Engel found the Post employee’s location, in downtown Washington DC, to within a city block – a typical level of precision when such systems are used in urban areas.

“You’re obviously trackable from all over the planet if you have a cellphone with you, as long as it’s turned on,” said Engel, who is based in Berlin. “It’s possible for almost anyone to track you as long as they are willing to spend some money on it.”

AT&T declined to comment for this story.

The tracking technology takes advantage of the lax security of SS7, a global network that carriers use to communicate with one another when directing calls, texts and internet data.

The system was built decades ago when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say. All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share their access with others, including makers of surveillance systems.

The tracking systems use queries sent over the SS7 network to ask carriers what tower a customer has used most recently. Carriers configure their systems to transmit such information only to trusted companies that need it to direct calls or other telecommunications services to customers. But the protections against unintended access are weak and easily defeated, said Engel and other researchers.

By repeatedly collecting this location data, the tracking systems can show whether a person is walking down a city street or driving down a highway, or whether the person has recently taken a flight to a new city or country.

“We don’t have a monopoly on the use of this and probably can be sure that other governments are doing this to us in reverse,” said lawyer Albert Gidari Jr., a partner at Perkins Coie who specialises in privacy and technology.

Carriers can attempt to block these SS7 queries but rarely do so successfully, experts say, amid the massive data exchanges coursing through global telecommunications networks. P1 Security, a research firm in Paris, has been testing one query commonly used for surveillance, called an “Any Time Interrogation” query, that prompts a carrier to report the location of an individual customer. Of the carriers tested so far, 75 per cent responded to “Any Time Interrogation” queries by providing location data on their customers.
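An added sketch, not taken from the article or from any vendor, of the screening a carrier could apply to the “Any Time Interrogation” query named above: the query is answered only for allow-listed sources, and any source that keeps asking about the same subscriber is flagged. The log format, global titles, subscriber numbers, allow-list and thresholds are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "ts source operation msisdn")

# The location query the article names; other MAP operations pass through here.
LOCATION_OPS = {"anyTimeInterrogation"}
TRUSTED_SOURCES = {"15550000001"}  # assumed allow-list of partner global titles
REPEAT_THRESHOLD = 3               # assumed: queries per subscriber per window
WINDOW = 3600                      # assumed window length in seconds

# Constructed sample: timestamp, calling global title, operation, subscriber.
SAMPLE_LOG = """\
1000 15550000001 anyTimeInterrogation 15555550101
1060 99900000042 updateLocation 15555550102
1200 99900000042 anyTimeInterrogation 15555550103
1800 99900000042 anyTimeInterrogation 15555550103
2400 99900000042 anyTimeInterrogation 15555550103
bad line
9000 99900000077 anyTimeInterrogation 15555550104
"""


def parse_log(text):
    """Turn whitespace-separated log lines into Records, skipping junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # blank or malformed line
        records.append(Record(int(parts[0]), parts[1], parts[2], parts[3]))
    return records


def screen(records, trusted=TRUSTED_SOURCES):
    """Return (allowed, blocked, tracking).

    blocked  - location queries from sources outside the allow-list
    tracking - (source, subscriber) pairs queried REPEAT_THRESHOLD or more
               times within WINDOW seconds, whether or not they were blocked
    """
    allowed, blocked = [], []
    history = defaultdict(list)  # (source, subscriber) -> recent timestamps
    tracking = set()
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.operation in LOCATION_OPS:
            key = (rec.source, rec.msisdn)
            recent = [t for t in history[key] if rec.ts - t <= WINDOW]
            recent.append(rec.ts)
            history[key] = recent
            if len(recent) >= REPEAT_THRESHOLD:
                tracking.add(key)
            if rec.source not in trusted:
                blocked.append(rec)
                continue
        allowed.append(rec)
    return allowed, blocked, tracking


if __name__ == "__main__":
    ok, dropped, tracked = screen(parse_log(SAMPLE_LOG))
    print("answered:", len(ok), "dropped:", len(dropped))
    for source, subscriber in sorted(tracked):
        print("repeated location queries:", source, "->", subscriber)
```
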

“People don’t understand how easy it is to spy on them,” said Philippe Langlois, chief executive of P1 Security.

The Washington Post

GOOGLE KNOWS WHERE YOU’VE BEEN. SEE THIS VIDEO & VIEW MAPS HERE

Published on Aug 13, 2014

Sign up for location services on an Android phone and you’re leaving an accessible trace of your movements.

If you have an Android or Apple smartphone or tablet, there’s a good chance Google has a fairly comprehensive idea of what you do and where you go every day.

Assuming you have the location history and location reporting settings activated — which you likely will if you regularly use apps like Google Maps, Facebook or Foursquare — and are logged on to a Google account, the various points of reference being recorded can be taken together to reveal a map of your movements.

Using a little-known Google site, you can actually view the data the firm has accumulated about your activities and see it expressed as a shockingly detailed map. Here’s how:

A month’s worth of Google location data collected from my phone shows a somewhat depressingly consistent loop between the inner west, where I live, and Pyrmont, where I work.

First, make sure you’re signed in to the same account you use on your phone, then go to this Google website. The default view shows your movements from today.

The calendar on the left allows you to look at a specific day and view your movements. Selecting a greater range of dates (up to a month) lets you spot patterns in your movements. You can zoom in or out as you like and even shift into Google Maps’ “satellite” mode for a better view of the surroundings. There’s also an option to delete the data.

Apple collects this type of data from its users too, sparking controversy in 2011 when it was found its phone was collecting data from location services even when they were switched off. A similar claim was made against Android shortly after.

My data from today, showing Google’s 11 points of reference between home and work.

Both companies say they compile such information to offer “smart” suggestions and helpful tips tailored to you through Google Now and Apple’s “Frequent Locations” introduced in iOS7.

As you can see from the images, my personal map not only clues Google in to the fact I often take the train to work and the light rail home again, but also displays the minutiae of my exploration through the city on the weekend, or the different routes I might take to the park near my house when walking the dog.

What does your Google location history say about you?
