A few months ago, a friend of mine lost his iPhone in a movie theater. He noticed it was missing when he got home. At least he thought it was lost, until he noticed that someone was reading and deleting his emails. It seemed that the iPhone was found by someone, and that someone was using the iPhone.
He contacted AT&T for assistance. It should have been a pretty easy recovery. The iPhone, when turned on, must register on to the AT&T cellular network with its unique Electronic Serial Number (ESN) and Mobile Identification Number (MIN). AT&T should easily be able to find the cell tower covering the cell phone, right?
Well, technically AT&T can do that, but as a matter of policy, they don’t release this information without a subpoena. And that would need to come from the police.
Were there other options? Well, AT&T offered to turn off the service to the stolen iPhone and (for a fee) send him a new one, an offer that he took since he wanted to get into the mobile world.
Then, as luck would have it, the thief tried a test application on the iPhone called AirGraffiti. This app logs the GPS coordinates of the cell phone.
Here is a map showing some of the GPS coordinates reported for the cell phone.
Keep in mind that iPhones are both 3G and WiFi capable. So, when AT&T had turned off the stolen phone’s service, the thief just started using the WiFi service.
There were a couple of challenges in this case. Since the phone was stolen, the thief had no expectation of privacy. However, everyone else in the neighborhood still did! So, we needed to be able to search for the stolen phone only. Next, we wanted to make sure that we were passively listening; we did not want to generate traffic or try to cause the iPhone to respond. And we did not want to listen to content. We only wanted to look for the MAC address of the cell phone. The MAC address should be unique for each iPhone, and the MAC address of an iPhone is difficult to spoof. These restrictions ruled out tools such as Wireshark, NetStumbler and Kismet.
My company builds AP-Finder, software that can track the location of WiFi devices. Since the owner had the MAC address for the iPhone, all I needed to do was run AP-Finder. I searched for the iPhone’s MAC address and drove through the area reported by the GPS coordinates. Sure enough, I got a hit!
Using the results of this search, I contacted the State Police and told them about the case and what I had. They came out to do the search using AP-Finder, and sure enough they also got a hit. Using the signal strength feature of AP-Finder, we were able to locate the house containing the cell phone. (Below is a sample of AP-Finder’s search-by-MAC feature.)
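As an added illustration (not AP-Finder code, nor anything from the original post), here is the passive matching described above in working form: each captured radiotap-wrapped 802.11 frame is parsed only far enough to read the transmitter MAC and the reported signal strength, a sighting is recorded only when the transmitter is the target MAC, and the frame body is never touched. The sample frames are constructed inline; the target MAC is simply the sample format shown in the comments below.

```python
import struct
# (size, alignment) of the radiotap fields that precede "dBm antenna signal"
# (present-bitmap bit 5): TSFT, Flags, Rate, Channel, FHSS, then the signal byte.
_RT_FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1)]

def radiotap_rssi(pkt):
    """(radiotap header length, RSSI in dBm or None). Walks the present bitmap only as
    far as the signal field, honouring alignment; extended bitmaps (bit 31) yield None."""
    version, _pad, hlen, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or present & (1 << 31):
        return hlen, None
    off = 8
    for bit, (size, align) in enumerate(_RT_FIELDS):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) // align * align
        if bit == 5:
            return hlen, struct.unpack_from("<b", pkt, off)[0]
        off += size
    return hlen, None

def sighting(pkt, target):
    """(frame type, RSSI) if `target` transmitted this frame, else None. Only the fixed
    802.11 MAC header is read: the body is never touched and other stations are dropped."""
    hlen, rssi = radiotap_rssi(pkt)
    frame = pkt[hlen:]
    if len(frame) < 16:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 3
    if ftype == 1:  # control frames (ACK/CTS) carry no transmitter address
        return None
    ta = ":".join(f"{b:02x}" for b in frame[10:16])  # Address 2 = transmitter
    if ta != target.lower():
        return None
    return {0: "management", 2: "data"}.get(ftype, "reserved"), rssi

def survey(pkts, target):
    """All sightings of `target` in a capture and the strongest RSSI seen (or None)."""
    hits = [s for s in (sighting(p, target) for p in pkts) if s]
    return hits, max((r for _, r in hits if r is not None), default=None)

def _pkt(ta, rssi, fc=0x0008):
    """Constructed sample: radiotap (Flags + dBm signal) + 24-byte 802.11 header + body."""
    rt = struct.pack("<BBHI", 0, 0, 10, (1 << 1) | (1 << 5)) + b"\x00" + struct.pack("<b", rssi)
    hdr = struct.pack("<H", fc) + b"\x00\x00" + b"\xff" * 6 + bytes.fromhex(ta.replace(":", "")) + b"\x00" * 8
    return rt + hdr + b"body-never-read"

TARGET = "0d:00:00:aa:bb:13"  # sample MAC in the format the comments show, not a real device
SAMPLE = [_pkt(TARGET, -61), _pkt("00:11:22:33:44:55", -40, 0x0080),  # target data; neighbour AP beacon
          _pkt("66:77:88:99:aa:bb", -70), _pkt(TARGET, -55, 0x00d4), _pkt(TARGET, -58)]  # other client; ACK; target
```

Note that iPhones released after this post randomize the Wi-Fi MAC per network and in probe requests, so the hardware MAC an owner wrote down may not be the address the phone transmits today.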
This technique has promise, but there is still more to do…
The end result: the cell phone was recovered and the thief was charged with fourth degree theft and third degree computer crime violations. All of this was done without issuing a subpoena to the cell phone carrier or ISP for information.
Very cool approach that you used to find the thief. I also put together some other security tips that will help your readers protect their iPhones.
http://informationsecurityhq.com/iphone-security-tips/
Regards
Mark
hello, my neighbor stole my iphone, and is logging in with my phone into my home wireless connection. my wireless router is on auto learn so i know when my phone comes on, can you please help me?
Hello,
If you can, please look at your wireless router and see if you can find your phone’s MAC address. That MAC address is usually a number that looks like this: 0d:00:00:aa:bb:13.
That MAC address is the unique identifier for your phone’s wireless card. If you can get that, you can track your phone.
Where do I get the software to do it with?
We make AP-Finder software, so we are a little biased toward that! It is available at http://www.cyanline.com/catalog
Steven, this is great information. Thank you.
My iPhone was stolen recently but I never made note of the MAC. Neither my carrier nor Apple want to give me that info (I only have the serial number). The carrier may not have the info but I would assume Apple definitely does. Any suggestions on how to get it? I’ve filed a police report, and my next step would be to try to get a subpoena if at all possible. It’s the principle now more than the financial cost of the phone.