General security

iPhone App Exposes Pontentially Anyone’s Social Security Number.

November 3, 2010 by Keatron Evans

There has been web sites around for a while that allows one to listen in on certain police, fire department, and other public service radio bands. Now this has been ported into an Iphone app. Basically, you install the app, then instantly you’re able to tune into hundreds of thousands of police and fire radio bands world wide. Just this morning I tuned in to one large cities PD band. I won’t say which city, but I will say it’s one of the top 4 largest cities in the US. Here’s a snippet of what I heard.

I heard first a domestic disturbance call. Then an assault call. Then next I heard an assault on a police officer call. Next there was an apparent stabbing, then trespass, and many other things. One thing I also heard was an elderly person who apparently had fallen and broken her hip.

What did all these calls have in common? I heard address, date of birth and social security number for every individual in question in these calls. My initial thoughts were this is cool. But of course within seconds, the security dude in me jumped out and said WTH!

Here’s what I imagined.

What if I had targeted an individual for identity theft or something worse. Let’s say I turned on my tuner app, tuned into the target person’s local PD band; Next I made a 911 call and said “This person at 555 northlake lane has was at my house last night drunk. He bragged about being wanted in another state for robbery and he’s also got a huge stash of marked 100 dollar bills in his garage. He has also been trying to sell weed to me and other neighbors the community. Please be advised he has many guns in the house and said if the police ever came he’d go down shooting. He also said he’s going to kill his wife today. He bragged about killing his wife when he lived in another state and getting away with it, while collecting lots of insurance money”.

That should be enough to send 3 or 4 squad cars screeching to this guys house. When they get there he of course acts as if he has no clue what they’re talking about. But what’s the PD typical protocol? What are they going to do first? Get his ID, call in his DL and social, make sure he doesn’t have history, warrants etc. And what am I doing? Sitting on my scanner waiting for that call to come through so I can get his social, DOB, and all the other info that goes across. I then use this info to get credit cards, or whatever else I want in his name.

One of the more shocking things I heard come across this band was “be careful Adam1, she is reported to be HIV positive”. Wonder what the HIPPA folks would have to say about that? Isn’t public service prohibited from giving out personal and health information about individuals? At least publicly? I see this as now becoming a truly “passive” and undetectable way to grab as many socials, DOB, DL Numbers, and Addresses as you want without anybody ever knowing. There’s no website to visit to look it up, there’s no google hacking; Just turn it on and listen.


You can find the scanner obviously on itunes

Or from your iPhone or iPad just go to your apps app and search for police scanner.

Posted: November 3, 2010
Keatron Evans
View Profile

Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is Principal Cybersecurity Advisor at Infosec, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker — and lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at major industry events like RSA and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more. Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP) and Licensed Penetration Tester (LTP). When not teaching, speaking or managing his incident response business, KM Cyber Security LLC, Keatron enjoys practicing various martial arts styles, playing piano and bass guitar, and spending time with his family.