US ISPs Handed Out GPS Coordinates of Customers to Man Who Asked

How hard is it to get ISPs to hand over American’s GPS coordinates? Apparently, it’s as hard as simply asking politely.

Many ISP customers like to think that their information is at least safe with them. After all, if providers sell cell phone service, they should know a thing or two about them, right? Well, you might be surprised how often ISPs are the target of those with malicious intent. In some rare cases, those with malicious intent actually do succeed.

In a story published on The Register, it seems that it can be surprisingly easy to get the GPS coordinates of someone. The story suggests that it was as easy as simply asking politely:

A bounty hunter was able to get the live location of a number of different individuals from American cellphone networks through a single phone call, it is claimed.

Matthew Marre was charged [PDF] last month with allegedly obtaining “confidential phone record information … by making false and fraudulent statements and representations.” It is claimed he called a hotline run by various mobile networks, and asked for the GPS location of specific cellphones – all of which belonged to people that were wanted for skipping bail.

The ruse was apparently extremely successful, according to Colorado federal court documents that have subsequently been restricted from public view. The paperwork, submitted by prosecutors, alleged that, last year, he successfully persuaded T-Mobile USA to hand over location data for six phone numbers, and as a result he collared three people who were using the numbers.

In one extraordinary tale, Marre allegedly contacted the police when he believed one person he was tracking was breaking into a house. The cops turned up but were unable to find the suspect, so Marre returned to his laptop, updated the GPS tracking on the suspect’s phone, and apparently found the person hiding in bushes at the back of the property.

The same ruse also seemingly worked with Verizon and Sprint, leaving only AT&T as a company that did not hand over highly confidential information on the basis of a single phone call – and that may only be because none of the people Marre was tracking used AT&T. The now-restricted court filing was noticed and discussed publicly earlier today by terrorism expert and PACER-whisperer Seamus Hughes.

The idea that anyone was even successful in obtaining such information through a single phone call is easily concerning. One can easily think about people who are the victims of stalking, domestic abuse, threats of violence, and who knows what else. What could go through the minds of people like that who see a story like this?

There are two possibilities at play that we can think of. One possibility is that this person could be highly skilled at vishing. The effectiveness of Vishing, in the hands of an expert, can be scary. A great example is this video from Defcon in 2016 where a woman was able to gain access to someones account at his ISP and change pretty much everything – some steps being accomplished within seconds:

(YouTube Link)

The other possibility is that this was a fluke isolated incident. That, of course, is mildly comforting, though still worrying that someone was successful in getting such information in the first place.

Whatever security gaps were found, a lot of Americans are no doubt hopeful that those gaps have been plugged at this point.

Drew Wilson on Twitter: @icecube85 and Facebook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: