How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market

Conference:  Defcon 27

2019-08-01

Summary

The presentation discusses the existence of a secret website called SirK1 that allows anyone to track the location of any phone number without the target's knowledge or consent. The website is being used by bounty hunters, stalkers, and domestic abusers, and the lack of security measures on the website makes it vulnerable to abuse.
  • SirK1 is a secret website that allows anyone to track the location of any phone number without the target's knowledge or consent
  • The website is being used by bounty hunters, stalkers, and domestic abusers
  • The lack of security measures on the website makes it vulnerable to abuse
  • The website is not enforcing its two-IP rule, and some administrators may be reselling access to the system on the black market
  • The website does not send any warning to the target device being tracked, and the target has no idea they're being tracked at all
The presentation includes a story of two bounty hunters who used SirK1 to track a fugitive from Minnesota to a car dealership in Texas. The bounty hunters lied to the dealership and said they were US law enforcement trying to apprehend someone dangerous. They waited for the fugitive to arrive and then apprehended him. This story illustrates how SirK1 can be used for illegal purposes and how it puts people's safety at risk.

Abstract

Major US telecommunications companies AT&T, T-Mobile, and Sprint have been quietly selling access to their customers’ real-time location data, including cell tower information as well as highly precise GPS data. Through a complex network of dodgy data aggregators and middlemen companies, this data access eventually trickled down to a slew of different industries, used car salesmen, landlords, and hundreds of bounty hunters, likely without your knowledge or informed consent. In this talk, based on leaked documents, sources, and first-hand experience, Joseph will explain how this data industry works, the players involved, and also how the data access is available on the black market, where it can be used in any way an attacker fancies: Joseph paid a source $300 to successfully locate a phone in New York.
