Don Bailey, a security consultant with iSec Partners, teamed up with security researcher Nick DePetrillo to conduct the research, which they claim is entirely legal. They used an open source PBX to force a targeted cell phone to call their number, and used caller ID to identify the owner of that number. They then used custom software to index the names and numbers of entire cities in just a couple of weeks.
The attack then involved matching that data against SS7, a set of telephony signaling protocols used to route calls on the public switched telephone network. The system uses a home location register to identify the physical location of a phone number. The researchers said that some service providers offer access to that information to advertisers, and after obtaining that data, they were able to geographically map it.
The researchers demonstrated the attack by tracking a German reporter as he traveled to Serbia to meet a confidential informant, according to reports, which added that they were also able to obtain the informant's cell phone number. Perhaps the biggest threat posed by this attack is that the researchers were able to build up a dossier of a subject's activities over time, inferring things about their behavior from their calls and movements.
According to press reports, they were able to identify a government contractor by analyzing caller ID and phone number information that they traced to the US Department of Homeland Security. Attacks would be mostly transparent to the victim, the researchers said, adding that victims could also be tracked via the people who are traveling with them, as a further means of cloaking an attacker's activity.