
Unaccountable system for cellphone tracking often abused by police - anigbrowl
https://boingboing.net/2018/05/12/extraordinary-access.html
======
dang
Discussed at
[https://news.ycombinator.com/item?id=17046632](https://news.ycombinator.com/item?id=17046632)

------
zkms
Try out
[https://www.locationsmart.com/try/](https://www.locationsmart.com/try/), you
can find the current location of a phone (not just with cell tower info, it
can force AGPS to operate on your phone) with just _its phone number_; the
demo site requires you reply to an SMS but there's no technical requirement
against that. There's no subscriber-accessible opt-out, at least on T-Mobile,
that prevents this from working.

Note that this is all aboveboard, "Locationsmart" openly flaunts their
agreement with the main four (soon to be three) PLMN operators in the US; this is
not a case of someone abusing ill-gotten SS7 access.

~~~
kevcampb
This has been the case since around 2004 at least. I reported it to the press
at the time, without much fanfare.

Things to note with the SMS opt-in.

* You can abuse the opt-in message of "Real Name wants to track.." by registering with a real name of 160 blank letters (depends on provider) so the recipient only gets a blank SMS

* You can spoof the reply opt-in, as the confirmation they all use is a fixed string. Spoofing SMS sender is mostly trivial.

* Few services appeared to implement the regular notification to the tracked party

* As I understand it, implementation of opt-in was the responsibility of the service provider, not the telco, and the telcos did not seem to audit this in any way.

If anyone cares to investigate further, happy to give more details.
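
A defensive sketch of the opt-in weaknesses listed in the comment above, added here as an example and not taken from the thread or from any provider's code: it rejects blank or overlong requester names and replaces the fixed confirmation string with a one-time code that only the handset receiving the prompt can know. The class and function names, the length cap, the validity window and the message wording are all assumptions.

```python
import hmac
import secrets
import time
import unicodedata

CODE_TTL_SECONDS = 600  # assumed validity window for a consent code
MAX_NAME_LEN = 40       # assumed cap so the name cannot crowd out the prompt


def clean_display_name(raw):
    """Return a printable requester name, or raise ValueError."""
    # Drop control, format and separator characters (Unicode categories
    # C* and Z*) other than the plain space, then collapse runs of spaces.
    kept = "".join(
        ch for ch in raw
        if ch == " " or unicodedata.category(ch)[0] not in ("C", "Z")
    )
    name = " ".join(kept.split())
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("display name is blank or too long")
    return name


class ConsentRequests:
    """Pending location-sharing requests, keyed by the target's number."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    def create(self, target_msisdn, requester_name):
        """Build the opt-in SMS text and remember its one-time code."""
        name = clean_display_name(requester_name)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[target_msisdn] = (code, self._clock() + CODE_TTL_SECONDS)
        return f"{name} wants to see your location. To allow, reply {code}"

    def confirm(self, sender_msisdn, reply_text):
        """Accept only an unexpired reply carrying the code sent to that phone."""
        # pop() makes each request single use: one wrong guess discards it.
        entry = self._pending.pop(sender_msisdn, None)
        if entry is None:
            return False
        code, expires = entry
        if self._clock() > expires:
            return False
        return hmac.compare_digest(reply_text.strip().encode(), code.encode())
```

Because the sender address of an SMS cannot be trusted, the check rests on the code, which a party who never saw the prompt has a one-in-a-million chance of guessing per request.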

~~~
zkms
> If anyone cares to investigate further, happy to give more details.

I'm quite interested in looking into this further; any details you have would
be much appreciated.

~~~
kevcampb
Have a look at
[https://www.theguardian.com/technology/2006/feb/01/news.g2](https://www.theguardian.com/technology/2006/feb/01/news.g2)

This news article was about a year later than the original one, from what I
remember. It misses the part that you can replace the name and spoof the SMS
though. The SMS quoted in the article does demonstrate the vulnerabilities
mentioned though.

"Ben Goldacre has requested to add you to their Buddy List! To accept, simply
reply to this message with 'LOCATE'"

Interesting to re-discover this now, I had no idea who Ben Goldacre was at the
time.

If you find services still vulnerable, let me know. I'm still friends with the
journalist who initially spoke to Vodafone before publishing in the first
place. I remember them not being too pleased, but as I say, it never got
fixed.

