A few months ago, a friend of mine lost his iPhone in a movie theater. He noticed it was missing when he got home. At least he thought it was lost, until he noticed that someone was reading and deleting his emails. It seemed that the iPhone was found by someone, and that someone was using the iPhone.
He contacted AT&T for assistance. It should have been a pretty easy recovery. The iPhone, when turned on, must register on to the AT&T cellular network with its unique Electronic Serial Number (ESN) and Mobile Identification Number (MIN). AT&T should easily be able to find the cell tower covering the cell phone, right?
Well, technically AT&T can do that, but as a matter of policy, they don’t release this information without a subpoena. And that would need to come from the police.
Were there other options? Well, AT&T offered to turn off the service to the stolen iPhone and (for a fee) send him a new one. An offer that he took since he wanted to get into the mobile world.
Then, as luck would have it, the thief tried a test application on the iPhone call AirGraffiti. This app logs the GPS coordinates of the cell phone.
Here is a map showing some of the GPS coordinates reported for the cell phone.
Keep in mind that iPhones are both 3G and WiFi capable. So, when AT&T had turned off the stolen phone’s service, the thief just started using the WiFi service.
There were a couple of challenges in this case. Since the phone was stolen, the thief had no expectation of privacy. However, everyone else in the neighborhood still did! So, we needed to be able to search for the stolen phone only. Next, we wanted to make sure that we were passively listening, we did not want to generate traffic and try to cause the iPhone to respond. And we did not want to listen to content. We only wanted to look for the MAC address of the cell phone. The MAC addresses should be unique for each iPhone, and it is difficult to spoof the MAC address can be of an iPhone. These restrictions ruled out tools such as wireshark, netstumbler and kismet.
My company builds AP-Finder, software that can track the location of WiFi devices. Since the owner had the MAC address for the iPhone, all I needed to do was run AP-Finder. I searched for the iPhone’s MAC address and drove through the area reported by the GPS coordinates. Sure enough, I got a hit!
Using the results of this search, I contact the State Police and told them about the case and what I had. They came out to do the search using AP-Finder, and sure enough they also got a hit. Using the signal strength feature of AP-Finder, we were able to locate the house containing the cell phone. (Below is a sample of the AP-Finder’s search by MAC feature.
This technique has promise, but there is still more to do…
The end result. The cell phone was recovered and the thief was charged with fourth degree theft, and third degree computer crime violations. All of this was done without issuing a subpoena to the cell phone carrier or ISP for information.