SpiderLabs Blog

Smart Phone + Mail Server = Location Tracking

My last two posts have touched on the privacy perspective in relation to mobile applications. This post continues with that privacy theme, but looks at the smart phone itself and at how its constant polling of a mail server can reveal your location and activity.

I was looking through my mail server logs for a specific entry, glancing over the usual brute force login attempts and those from successful users when it dawned on me how useful this information is. Forget what I was looking for initially, this is much more interesting.

So smart phones, you got to love them. They allow you to grab your e-mail from anywhere. Most mail settings are set up to "fetch" (or poll) IMAP/POP3 mail servers every 5-15 minutes. This polling reminds me of an infected host calling home to a botnet command and control server reporting its IP address. Now what is interesting about this is when you think of the polling element and its potential for tracking purposes. A smart phone is usually always on you, so it reflects where you are. Forget "Find my iPhone" and all that for a moment - that requires permission. Although the geo-location way of tracking people's locations that I'm about to discuss is not new, I'm looking at it from another perspective – a mobile one.

It is possible to use mail server logs and polling from a smart phone to determine a user's activity and ultimately track their location.


Let me give you some background.

When you access data from your smart phone over a cellular network you use your mobile network operator as a gateway. For example, if I access my webserver from my phone right now (using 3G) then 86.176.X.X will show up in the log files. This IP address belongs to "O2Online" which would make sense, as my mobile operator is O2.

Makes sense right?

Now most people have their smart phones jump on their wireless network when they get home, namely to save on data usage and because it's faster. If I now reload my web server's page on my smart phone my broadband IP address is shown - 86.140.X.X for the purposes of this post. My ISP British Telecom (BT) owns this IP address (BT-CENTRAL-PLUS).

So in my case, when the phone is out of the house it uses O2, when at home, BT. I also have a whole bag of preferred wireless networks which my smart phone could jump onto (Karmetasploit… but that's another story).

Now where in the world am I going with this?

Recall from the start of this post that smart phone mail clients typically poll every 5-15 minutes to check for new messages. If I am able to read mail server log files (either through a compromise or as a malicious system administrator) then I can determine movements and ultimately a user's location. I look up all the IP addresses that the user is connecting from and can easily see which is the cellular IP and which is the broadband IP. Now I can tell whether the user is at home or not. I can also add to these locations based on additional wireless access points the smart phone connects to.

Let me show you a case study I carried out. The results are quite interesting.

A user, let's call him Winston, is followed over roughly a 5 day period, purely from analysing mail logs. Here is a snippet of his entries from /var/log/maillog. Beside each of them I have determined if he is at home or not (e.g. = HOME/NOT HOME) based on the IP address owner.

Sep 16 11:52:21 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 11:52:54 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 12:23:40 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 13:24:38 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 13:25:13 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 14:27:37 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 15:39:58 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 16:40:32 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 17:42:23 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 18:47:08 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 18:47:42 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 19:48:13 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 21:51:16 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 21:51:51 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 22:52:30 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 23:53:05 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 23:53:48 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 17 08:13:55 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
---CUT FOR BREVITY---

Let's look at the graph below, as it is more interesting than a load of log entries. I am aware it looks like piano keys, but bear with me.


(A) On 16th September you can see the smart phone check in from the user's broadband and mobile network. This is a Sunday so no doubt Winston was going about his leisurely business.

(B) On 17th September, a Monday no less, you can see that Winston is at work, as he is not at home between the hours of 9-5. However, he appears to be running a little late as he is still at home at 09:06. Winston walks through his front door at 17:04.

(C) At 19:59 his smart phone checks e-mail from a pub's wireless hotspot – this is highlighted as number 2 on the graph. It flicks between the mobile network and the wireless (pub/not home) during his time there, which I'm guessing is caused by going out of the wireless hotspot's range – cigarette breaks? At 23:34 he is back home.

(D) The same happens again on Tuesday 18th September – he is out most of the day, as you'd expect for a working week. However, Winston leaves the house a little earlier this time at 08:08. Home again at 17:02, like clockwork.

(E) Wednesday 19th September, 07:42 leaves home. 17:06 back home.

(F) Thursday 20th September, 08:05 leaves home. 16:40 back home, an early one!
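To show how little effort it takes to turn lines like the ones above into the timeline just described, here is an added Python example (mine, not the author's). It parses the dovecot imap-login format from the post, labels each rip= address with an assumed ownership map (the /16 ranges stand in for the WHOIS lookups; the year 2012 is assumed because syslog omits it), and collapses the 5-15 minute polls into location changes. The sample log is constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the /var/log/maillog format shown in the post (masked
# X octets replaced with 0); the HOME/NOT HOME verdict is computed, not annotated.
SAMPLE_LOG = """\
Sep 16 11:52:21 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.0.1, lip=1.1.1.1, TLS
Sep 16 11:52:54 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.0.1, lip=1.1.1.1, TLS
Sep 16 12:23:40 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.0.1, lip=1.1.1.1, TLS
Sep 16 13:24:38 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.0.1, lip=1.1.1.1, TLS
Sep 17 08:13:55 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.0.1, lip=1.1.1.1, TLS
Sep 17 17:04:10 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.0.1, lip=1.1.1.1, TLS
"""

# Assumed ownership map: in practice filled in from WHOIS of the observed rip= values.
NETWORKS = {ip_network("90.198.0.0/16"): "HOME",       # broadband ISP range
            ip_network("82.132.0.0/16"): "NOT HOME"}   # mobile operator range

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def classify(rip):
    """Label a remote IP by the network it falls in; unknown ranges are flagged."""
    addr = ip_address(rip)
    for net, label in NETWORKS.items():
        if addr in net:
            return label
    return "UNKNOWN"

def parse_logins(text, year=2012):
    """Return (timestamp, user, label) for each imap-login line in syslog order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], classify(m["rip"])))
    return events

def transitions(events):
    """Collapse consecutive polls from the same network into location changes."""
    changes, last = [], {}
    for ts, user, label in events:
        if last.get(user) != label:
            changes.append((ts, user, label))
            last[user] = label
    return changes

if __name__ == "__main__":
    for ts, user, label in transitions(parse_logins(SAMPLE_LOG)):
        print(f"{ts:%a %d %b %H:%M}  {user:<10} {label}")
```

Run over a real maillog this is the audit a mail administrator can do to see what the login lines expose before deciding on retention, or on dropping the rip= element from Dovecot's login_log_format_elements.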

Your mail server logs reveal a wealth of information about you. So do web server logs, right? However, the constant, predictable polling (fetch) that mobile mail clients carry out makes it possible to get continual updates of activity/location, unlike the odd web server request. I'm also not able to track you as easily through web server logs, whereas you supply a username when you log into the mail server, so I know right away who you are.

Not keen on your activity/location being tracked via your mail server? Turn off wireless on your smart phone so that mail is always accessed over your mobile network operator's gateway. A little extreme some may say, but if you value your privacy then this is something to explore. One would hope that employers are behaving ethically and wouldn't use this type of information to the detriment of employees.
