Security Now Episode 1052: Global Cellphone Tracking
Date: November 19, 2025
Host: Leo Laporte
Co-host: Steve Gibson
Episode Overview
In this episode of Security Now, Steve Gibson and Leo Laporte take a deep dive into the shocking reality of global cellphone tracking—revealing that with nothing more than your phone number, anyone can potentially follow your location without ever infecting your device. This isn’t about high-end malware like Pegasus, but rather longstanding vulnerabilities in global cellular infrastructure. Alongside the main theme, the episode covers Apple’s new digital ID, Google’s privacy moves on AI, a shakeup in Android developer requirements, Russia’s inventive approach to combating drone attacks, and listener feedback with helpful security tips.
Key Topics and Insights
1. Apple’s Digital ID in Wallet
Apple has rolled out a new digital ID feature, allowing users to add their US passport as government ID for use at TSA airport checkpoints and, in the future, for age verification and more.
- How It Works:
  - Uses the iPhone camera to scan the passport’s photo page.
  - Reads the RFID chip from the passport’s back cover.
  - Guides the user through a live facial verification (e.g., closing eyes, smiling, looking in different directions) to prove liveness.
  - ID can only exist on one device at a time.
- Notable Quotes:
  - “Apple… has added a new digital ID inside its wallet. You can even put your passport in there… getting closer and closer to secure age verification via Apple.” — Leo (00:00)
  - “It is far more pervasive [the cell tracking] than we have previously understood and it's available commercially as a service and it is having the crap abused out of it.” — Steve (02:36)
- Limitations:
  - Currently for TSA checkpoints at 250+ US airports.
  - Not valid for international travel.
  - Requires iOS 26+ and iPhone 11 or later.
- Privacy Notes:
  - Designed to only allow the device owner to use the ID.
  - Apple positions itself as a privacy-first company in this initiative.
Timestamps:
[13:00] Steve details setting up digital ID using passport
[41:00] Live demonstration and discussion of liveness checks
2. Refactoring Code & Coding Philosophy
Steve and Leo discuss the joy and necessity of code refactoring, drawing real-world analogies (e.g., rerouting a pipe around a sign), advocating for clean, readable, and maintainable source code.
- Notable Quotes:
  - “How bad must things become before you decide to stop and refactor the code?” — Steve (12:57)
  - “I code so that I can read it more than so the machine can read it.” — Steve (21:18)
  - “Coding is an art and it's a science, and it's just really enjoyable.” — Leo (23:01)
Timestamps:
[10:28] Picture of the week and code metaphor
[17:13] Steve’s recent refactoring experience
3. Checkout.com Refuses Ransom, Donates to Security
After a breach, Checkout.com refused to pay a ransom to ShinyHunters and instead diverted the sum to support cybersecurity research.
- Key Insights:
  - Breach resulted from an old, improperly decommissioned third-party cloud storage system.
  - No customer funds or card details were accessed.
  - The ransom sum was donated to university security research centers.
- Notable Quotes:
  - “This is the way to handle a data breach, you know, if there's any way to do so.” — Steve (47:57)
Timestamps:
[44:00] Discussion on Checkout.com’s response
4. Google’s Private AI Compute and Cloud-based AI Security
Google announced "Private AI Compute"—a platform for running robust Gemini AI models in the cloud while promising user data privacy.
- Technical Summary:
  - Touts high-power, low-latency computing for AI experiences.
  - Emphasis on “remote attestation,” hardware isolation (“Titanium Intelligence Enclaves”), and zero-access promises.
- Skepticism Raised:
  - Steve doubts true parity with on-device security, especially for sensitive or business-critical use cases. He advises sticking with reputable providers for cloud AI.
  - Leo points out Google’s stellar, essentially unblemished breach record.
- Notable Quotes:
  - “The question is, if it cannot be identical in security, can it be secure enough?” — Steve (57:43)
  - “Google… has a great track record. Whatever tensor processing units wrapped in titanium intelligence enclaves are. It all sounds really good.” — Steve (62:31)
Timestamps:
[51:57] Google’s Private AI Compute overview
5. Google Updates Android Developer Registration Demands
Google walks back its blanket mandate for all Android developers to register and pay, now introducing exemptions for students, hobbyists, and advanced users who accept the risk of unverified apps.
- Key Changes:
  - Dedicated account type for students/hobbyists with limited device deployment.
  - New “advanced flow” to allow power users to install unverified apps deliberately, with clear warnings and anti-coercion protections.
- Notable Quotes:
  - “Google has made a carve out for them too, explaining: 'While security is crucial, we've also heard from developers and power users…'” — Steve (74:08)
Timestamps:
[71:10] Google’s policy changes for app developers
6. Windows 11 Passkey API and Third-Party Integration
Windows 11 November Update introduces a new API allowing third-party password managers to deeply integrate and manage Passkeys across browsers and native applications.
- Key Points:
  - 1Password and Bitwarden natively support the API at launch.
  - Windows Hello (PIN, face, fingerprint) is leveraged for authentication.
  - Full passkey sync across Windows PCs and mobile devices.
- Notable Quotes:
  - “The two top password managers we're affiliated with are the two that are enough on the ball to be participating with Microsoft on this out of the gate.” — Steve (81:34)
  - “You'll be able to seamlessly sync and manage passkeys on Windows with 1Password as your credential manager.” — official 1Password press release, quoted by Steve (90:35)
Timestamps:
[80:34] Windows 11 Passkey API integration
7. Russia’s SIM Card Tracking to Foil Drone Attacks
Russia now temporarily blocks mobile data and SMS for phones re-entering the country or unused for 3+ days, hoping to reduce the use of Russian SIM cards for guiding Ukrainian drones.
- Implications:
  - “Cooling off” period can confuse travelers but aims to decrease drone guidance.
  - Demonstrates how cell network manipulation has become a tool of modern warfare.
- Notable Quotes:
  - “Turns out is tracking, this is really kind of clever, SIM card appearances within their borders as a means of thwarting their abuse for drone attacks.” — Steve (04:36)
Timestamps:
[94:15] Russia’s anti-drone SIM management
8. Global Cellphone Tracking: The SS7 Vulnerability Exposed
Main Segment:
How any phone can be tracked globally using legacy telecom protocols—without malware.
- The Investigation:
  - Lighthouse Reports uncovered a 1.5 million-row leaked data set from a company called First WAP, specializing in global cellphone tracking.
  - Their Altamides tool leverages the insecure SS7 protocol to issue queries about the location of any phone number worldwide, with no infection needed.
- Technical Mechanism:
  - SS7 is the backbone protocol for interconnected telecom systems, designed in the 1970s with zero thought for authentication or security.
  - Exploiters lease legitimate “global title” (GT) network access from operators (often in trusted jurisdictions like Liechtenstein).
  - A query to the network reveals the serving cell tower, which can be mapped to a street-level (or at least neighborhood-level) location.
- Consequences:
  - This has enabled widespread, covert surveillance, including spying on dissidents, journalists, and business leaders across the globe.
  - No amount of “phone hygiene” protects against location tracking performed at the network level.
- Notable Quotes:
  - “It is… the ability to track a phone number anywhere in the world without leaving a trace on the device.” — Steve, quoting the Altamides promo (153:30)
  - “It was never designed with security in mind… The issue is… networks process commands such as location requests from other networks without being able to verify who is actually sending them and for what purpose.” — Steve, quoting the report (163:10)
- Personal Safety:
  - Only turning the phone fully off or using a burner phone can truly prevent tracking.
Timestamps:
[144:27] Global cell phone tracking investigation begins
[154:52] Technical breakdown of how First WAP abuses SS7
[163:09] “It was never designed with security in mind.” Exposé
Notable Quotes & Memorable Moments
- On the scope of tracking:
  “Without ever having to have any prior access to someone's cellular phone, and without any necessity of installing any sort of spyware or malware, once someone's cell phone number is known… it is then possible to track their global movements.” — Steve (173:54)
- On the future and unfixable nature of SS7:
  “Nothing can prevent it. It's part of the fabric of the cellular radio based system we all use today… It is the lowest common denominator. And one of our lessons of this podcast is these things never die.” — Steve (163:10)
- On defense:
  “Switching a phone to airplane mode or completely switching a phone's cellular radio off… is the only way to disappear.” — Steve (175:48)
Listener Feedback, Security Tips & Community Insights
- Checking Email Server Security:
  Matt recommends Dmarcly for free, weekly status checks on your domain’s deliverability/security setup. [113:05]
- Disabling Run Dialog on Windows to Avoid Phishing:
  Simon Zerafa offers a registry tweak to disable the Run dialog, thwarting certain social engineering attacks. [133:53]
- Legacy Technology Grumbles:
  Multiple listeners comment on the persistence (and looming deprecation) of XSLT and other aging web technologies.
- Fun Code Refactoring Parallels:
  The episode opens with a humorous “Picture of the Week” about code maintenance, setting the tone for why code (and infrastructure) decay leads to vulnerabilities like SS7.
Timestamps of Important Segments
| Time | Segment |
|--------|---------|
| 00:00 | Overview of topics, Apple Digital ID, main cell tracking discussion teased |
| 10:28 | Picture of the week: Bad refactoring metaphor |
| 13:00 | Steve’s hands-on experience with Apple digital ID |
| 41:00 | Age verification, liveness checks in Apple ID live demo |
| 44:00 | Checkout.com and ransomware refusal |
| 51:57 | Google Private AI Compute and cloud AI security discussion |
| 71:10 | Google’s adjustments to Android developer policies |
| 80:34 | Windows 11 passkeys API integration with 1Password and Bitwarden |
| 94:15 | Russia’s mobile SIM cooling-off for anti-drone defense |
| 144:27 | Main Topic: Global Cell Phone Tracking, SS7 vulnerabilities |
| 154:52 | Technical breakdown of how First WAP abuses SS7 |
| 163:09 | “It was never designed with security in mind” – core architectural flaw |
| 173:54 | Only total phone shutdown/burner mitigates tracking |
Episode Summary
Security Now #1052 pulls back the curtain on how cellular surveillance is deeply embedded in the world’s digital infrastructure—not through malware, but due to exploitation of decades-old, insecure protocols underpinning the global mobile network. Steve explains that anyone with a phone number can be tracked as long as their device is turned on, and that nothing—neither personal phone hygiene, platform security, nor end-user awareness—can close this loophole. The episode also covers Apple’s digital passport rollout, best practices for password management, Google’s new privacy assurances, and clever tricks being used by Russian authorities to disrupt cyber-physical warfare.
If you think mobile tracking is only about spyware, this thought-provoking episode will leave you with a new appreciation for unseen risks in the tech we use every day—and the importance of updating, refactoring, and remaining vigilant.
For show notes, links, and the transcript, visit: grc.com/securitynow