Surveillance of people

I came across this article. It is a great synopsis of how easy it is to track the location of someone using their own mobile phone. Third-party companies are popping up to offer services like this. How do they do it? It is easy, since some service providers are selling location data to anyone who wants it. What interested me about the article is that it highlights how security analysis is changing. If you look at many of the current research papers and projects, they involve using statistical data to determine patterns and what a particular user or group of users is up to. This removes the need for signatures, and can also yield useful information even if encryption is present.

Some key statements in the article that caught my attention:

  • Anyone can, for instance, sign up – at £29.99 a year – to mapAmobile.com (‘you’ll always know where your loved ones are’), which allows you to follow the movements of your ‘family and friends’ on a computer screen
  • That this sort of enterprising solution is possible is the result of the major networks – in the UK, Vodafone, Orange, O2 and T-Mobile – having decided, in around 2002, to sell their location data to any company willing to pay for it.
  • the information your phone provides is out there anyway. It doesn’t belong to you, and anyone with the required resources can do with it what they will.
  • Everyone on a network, he said, is part of a group; most groups talk to other groups, creating a spider’s web of interactions.
  • The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??’
  • It also sells ‘profiling’ systems, which measure the behaviour pattern of an individual subscriber and, using statistical analysis, determine whether that same pattern is now appearing from another source.
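
To show how much call metadata alone reveals, with no call content at all, here is an added example (not from the article or from ThorpeGlen) of the grouping described in the quotes above: it partitions constructed call records into groups and flags any closed group in which every member only ever calls one central number. The record format, the function names and the assumption that the largest group is the main "web" are all illustrative.

```python
from collections import defaultdict

# Constructed (caller, callee) pairs for illustration; not real call records.
CALLS = [
    ("A", "B"), ("B", "C"), ("C", "A"), ("C", "D"), ("D", "E"), ("E", "F"),
    ("P", "Q"), ("Q", "P"),                  # a pair that only call each other
    ("S1", "H"), ("S2", "H"), ("S3", "H"),   # everyone calls one number
]

def find_groups(calls):
    """Union-find over call pairs; returns sets of numbers, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    for a, b in calls:
        parent[find(a)] = find(b)          # merge the two callers' groups
    groups = defaultdict(set)
    for n in list(parent):
        groups[find(n)].add(n)
    return sorted(groups.values(), key=len, reverse=True)

def star_hub(group, calls):
    """Return the central number if all other members talk only to it."""
    if len(group) < 3:
        return None
    nbrs = defaultdict(set)
    for a, b in calls:
        if a in group and a != b:
            nbrs[a].add(b)
            nbrs[b].add(a)
    for hub in group:
        if all(nbrs[m] == {hub} for m in group if m != hub):
            return hub
    return None

def analyse(calls):
    """Assumption: the largest group is the main web; the rest are closed."""
    groups = find_groups(calls)
    main, closed = groups[0], groups[1:]
    return main, [(sorted(g), star_hub(g, calls)) for g in closed]

if __name__ == "__main__":
    main_web, closed_groups = analyse(CALLS)
    print(len(main_web), closed_groups)
```
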

A recent example of this type of research is the Switzerland project, which is in alpha at the time of this post. This is an open source project designed to detect when service providers modify subscriber packets before letting them continue on through the network.

Another research project was able to detect what movie you were watching via a Slingbox even though it was encrypted.